I'm currently working on practical applications for LLMs in cyber security.
Ask me about security architecture, generative AI security
- Security Architecture
- Python
- LLMs
An AI-powered threat modeling tool that leverages OpenAI's GPT models to generate threat models for a given application based on the STRIDE methodology.
Home Page: https://stridegpt.streamlit.app
License: MIT License
When using Azure OpenAI I get the following error:
Error generating threat model after 3 attempts: Error code: 400 - {'error': {'message': "Invalid parameter: 'response_format' of type 'json_object' is not supported with this model.", 'type': 'invalid_request_error', 'param': 'response_format', 'code': None}}
I just used the example prompt from the left pane and left all settings as they are.
Models I tried from my Azure OpenAI instance: gpt-4 & gpt3.5-turbo. Both resulted in the same error.
Allow, for example, Bing Chat Enterprise to be the AI backend for this. Sending threat modeling data for enterprise systems to an open AI system is going to make orgs nervous. Allowing them to use their own would encourage adoption and mitigate concerns.
Hey, sometimes the app seems to experience a time-out issue and then the output is standard STRIDE instead of being related to the web application description:
Application log with timeout error:
Retrying langchain.llms.openai.completion_with_retry.<locals>._completion_with_retry in 4.0 seconds as it raised Timeout: Request timed out: HTTPSConnectionPool(host='api.openai.com', port=443): Read timed out. (read timeout=600).
Description and output with default stride
Hey, do you think the code needs an update? Looking into the logs I see the following warnings:
2023-11-21 15:37:46.540 Session with id c47b6f13-4f5b-49b4-a2f5-9c6b33d2c165 is already connected! Connecting to a new session.
/usr/local/lib/python3.8/dist-packages/langchain/llms/openai.py:243: UserWarning: You are trying to use a chat model. This way of initializing it is no longer supported. Instead, please use: `from langchain.chat_models import ChatOpenAI`
warnings.warn(
/usr/local/lib/python3.8/dist-packages/langchain/llms/openai.py:1038: UserWarning: You are trying to use a chat model. This way of initializing it is no longer supported. Instead, please use: `from langchain.chat_models import ChatOpenAI`
I found some related info here.
Regards,
Fab
I was wondering if perhaps you could have an option to open attack tree in a separate browser with the code? Just checking..webbrowser.open("https://mermaid.live/")...
Is there a problem with OpenAI API keys? I don't get a connection when adding a project API key for ChatGPT-4o? Error generating threat model after 3 attempts: Error code: 404 - {'error': {'message': 'The model gpt-4o does not exist or you do not have access to it.', 'type': 'invalid_request_error', 'param': None, 'code': 'model_not_found'}}
Hi @mrwadams - This is more of a question. Sometimes, even though the prompt is programmed to return JSON, I sometimes get an output from OpenAI/Azure OpenAI that's not JSON but a string. If it's only a string, it's OK, but I sometimes also get a statement like this "Here's a JSON response providing a threat model and improvement suggestions for the web application described:\n\n```json" and there are other variants :)
I now suddenly have a very big exception handler that handles JSONDecodeError where I spend time parsing. Is this normal? Have you seen this?
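As an added example (not code from STRIDE GPT or its author), a fail-closed parser for the reply variants described in this comment: plain JSON, a ```json fence, prose followed by a fence, and a fence the model never closed. It also serves as the fallback path for the Azure OpenAI report above, where the deployment rejects response_format json_object and the reply has to be cleaned up client-side. The `threat_model` / `Threat Type` keys and the sample replies are assumed for illustration, not taken from the project.

```python
"""Recover a STRIDE threat-model JSON object from a chatty LLM reply."""
import json
import re
from typing import Any

STRIDE = {"Spoofing", "Tampering", "Repudiation",
          "Information Disclosure", "Denial of Service",
          "Elevation of Privilege"}

# A ```json ... ``` fence (or a bare ``` fence); DOTALL lets it span lines.
_FENCE_RE = re.compile(r"```(?:json)?\s*(.*?)```", re.DOTALL | re.IGNORECASE)


def extract_json(text: str) -> dict[str, Any]:
    """Return the first JSON object in *text*, trying in order:
    the whole reply, the first fenced block, then the widest {...} span
    (which also covers a fence the model never closed).
    Raises ValueError when nothing parses, so the caller fails closed
    instead of silently rendering a generic STRIDE table."""
    candidates = [text.strip()]
    fenced = _FENCE_RE.search(text)
    if fenced:
        candidates.append(fenced.group(1).strip())
    start, end = text.find("{"), text.rfind("}")
    if start != -1 and end > start:
        candidates.append(text[start:end + 1])
    for cand in candidates:
        try:
            obj = json.loads(cand)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            return obj
    raise ValueError("no JSON object found in model reply")


def validate_threat_model(obj: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the object is usable.
    Assumed shape (not STRIDE GPT's own schema): a 'threat_model' list whose
    entries carry a 'Threat Type' drawn from the six STRIDE classes."""
    threats = obj.get("threat_model")
    if not isinstance(threats, list) or not threats:
        return ["'threat_model' missing or empty"]
    problems = []
    for i, t in enumerate(threats):
        ttype = t.get("Threat Type") if isinstance(t, dict) else None
        if ttype not in STRIDE:
            problems.append(f"entry {i}: unknown Threat Type {ttype!r}")
    return problems


# Constructed sample reply, modelled on the unclosed-fence variant reported above.
REPLY_UNCLOSED = ("Here's a JSON response providing a threat model:\n\n```json\n"
                  '{"threat_model": [{"Threat Type": "Spoofing", "Scenario": "x"}],'
                  ' "improvement_suggestions": ["Add MFA"]}')
```

Rejecting replies that fail `validate_threat_model` (rather than displaying whatever parsed) is what keeps a truncated or hallucinated answer from being shown as a finished threat model.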
Hi @mrwadams, would it be possible to replace OpenAI's LLM with a custom instance of an LLM?
I forked the repository and added support for a custom OpenAI compatible endpoint using LM Studio. This allows you to run a local LLM and generate threat modeling artifacts through the tool without sharing data with a 3rd party. Happy to put in a pull request, but still testing on my end.
Mistral 7B performs relatively well here, but I am seeing some issues with the mermaid output not being escaped properly and the Gherkin test case generation is failing on return. Not sure why, but otherwise... it works pretty great.
I recently tried to pull and run the mrwadams/stridegpt:latest Docker image on my AMD64 architecture machine. However, I encountered an architecture mismatch issue. The image appears to be built for ARM64 architecture, which leads to an "exec format error" when running it on an AMD64 host.
Here are the steps I followed:
Pulled the latest Docker image:
docker pull mrwadams/stridegpt:latest
Tried to run the Docker container:
docker run -p 8501:8501 mrwadams/stridegpt
Encountered the following error:
WARNING: The requested image's platform (linux/arm64/v8) does not match the detected host platform (linux/amd64/v4) and no specific platform was requested exec /usr/local/bin/streamlit: exec format error
Would it be possible to provide an AMD64 compatible version of the Docker image? This would greatly help users running on AMD64 architecture to use stridegpt without needing to set up QEMU for emulation.
Thank you for your assistance!
Best regards,
Hey, I'm trying to package this for NixOS but I'm running into an issue: it seems a dependency is not available, at least on common repos.
error: builder for '/nix/store/acw9c43i76w3m4ywr69qw96ymimgqxqc-mach_nix_file.drv' failed with exit code 1;
last 9 log lines:
>
> The Package 'google.generativeai' (build: ()) is not available from any of the selected providers ['nixpkgs', 'sdist', 'wheel']
> for the selected python version
> The required package might just not (yet) be part of the dependency DB currently used.
>
For full logs, run 'nix log /nix/store/acw9c43i76w3m4ywr69qw96ymimgqxqc-mach_nix_file.drv'
I will try and see if I can package google.generativeai in Nixpkgs and attempt to rebuild this package.
Hi @mrwadams,
Please could you help me, I'm facing some issues when trying the app.
I tried to use OpenAI API option, after following steps to enter OpenAI API key.
Entered API key (using paid version of chatGPT).
Using Example Application description. After clicking on Threat Model I get this error:
Error generating threat model after 3 attempts: Error code: 404 - {'error': {'message': 'The model gpt-4o does not exist or you do not have access to it.', 'type': 'invalid_request_error', 'param': None, 'code': 'model_not_found'}}
I'm facing this error with gpt-4o and gpt-4-turbo and couldn't try other versions as the text field to enter information is missing.
Thanks in advance
That one seems easy enough :) Thanks for opening up the code!
First of all, this is a great initiative. I think all developer teams can save a lot of time and find security more pleasurable to work with if they use this tool.
I have tested it using the gpt-4o model and when I upload the architecture diagram it seems to override the description of the application. In threat modelling we should focus on the threats that matter and I think the output can be even better.
To make it better, I think it should be possible to upload both an architecture diagram and provide your own description of the application or add your own security requirements:
Would love to hear what others think about this.