Generative sequence processing models for cybersecurity
Patent Information
- Authority / Receiving Office
- EP · EP
- Patent Type
- Applications
- Current Assignee / Owner
- GOOGLE LLC
- Filing Date
- 2024-08-28
- Publication Date
- 2026-07-08
AI Technical Summary
Traditional cybersecurity measures are inadequate in providing comprehensive protection against sophisticated cybersecurity threats, leading to inefficiencies and vulnerabilities due to the complexity and diversity of data generated by various cybersecurity operations tools.
A system utilizing a generative sequence processing model that has been finetuned on a range of cybersecurity data and tasks, enabling it to perform classification, summarization, generation, and extraction tasks, and interact with various cybersecurity operations tools to analyze and mitigate threats.
The system enhances cybersecurity by providing an advanced layer of protection against threats, improving threat detection and prediction accuracy, and simplifying the management of multiple cybersecurity environments through dynamic threat intelligence aggregation and model specialization.
Smart Images

Figure US2024044202_06032025_PF_FP_ABST
Abstract
Description
GENERATIVE SEQUENCE PROCESSING MODELS FOR CYBERSECURITYRELATED APPLICATIONS
[0001] This application claims priority to and the benefit of United States Provisional Patent Application Number 63 / 579,251, filed August 28, 2023. United States Provisional Patent Application Number 63 / 579,251 is hereby incorporated by reference in its entirety.FIELD
[0002] The present disclosure relates generally to cloud-based cybersecurity platforms. More particularly, the present disclosure pertains to systems and methods that leverage a generative sequence processing model that has been finetuned for cybersecurity applications, to assist in the identification, analysis, and mitigation of cybersecurity threats.BACKGROUND
[0003] In today’s digital age, organizations are constantly facing an increasing volume of sophisticated cybersecurity threats. Cybersecurity is the practice of protecting systems, networks, and data from digital attacks, unauthorized access, and damage.
[0004] Traditional cybersecurity measures are often inadequate in providing comprehensive protection against such threats, which has resulted in the proliferation of large numbers of disparate cybersecurity operations tools such as Security Orchestration, Automation, and Response (SOAR) platforms, Security Information and Event Management (SIEM) systems, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), antivirus software, endpoint protection, vulnerability management tools, and more.
[0005] Each of these tools can generate large amounts of cybersecurity data, which is often formatted according to diverse structures or formats that are not easily combined or reconciled with one another. Analyzing and acting upon the staggering volume and diversity of data generated by such ever-increasing number of cybersecurity operations tools is complex and cumbersome, leading to inefficiencies and vulnerabilities.SUMMARY
[0006] A system of one or more computers can be configured to perform particular operations or actions by virtue of having software, firmware, hardware, or a combination of them installed on the system that in operation causes or cause the system to perform the actions. One or more computer programs can be configured to perform particular operationsor actions by virtue of including instructions that, when executed by data processing apparatus, cause the apparatus to perform the actions.
[0007] One general aspect includes a computer system for improved cybersecurity. The computer system includes one or more processors. The system also includes one or more non-transitory computer-readable media that collectively store a generative sequence processing model, where the generative sequence processing model has been finetuned on one or more finetuning tuples generated from one or more sets of cybersecurity data, and where at least one finetuning tuple of the one or more finetuning tuples may include a finetuning input and a finetuning label, where the finetuning input may include cybersecurity data and a question regarding the cybersecurity data, and where the finetuning label may include a labelled answer to the question regarding the cybersecurity data.
[0008] Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods.
[0009] Example implementations may include various combinations of one or more of the following features. The computer system where the sets of cybersecurity data may include sets of data from: security orchestration automation and response (SOAR) system data, security information and event management (SIEM) system data, security blog information, analyst reports, signature-based detection files, malware scripts, vulnerability information, product documentation, security code repositories, or cybersecurity and software development frameworks data. The generative sequence processing model may have been finetuned on the one or more finetuning tuples to perform one or more finetuning tasks, where the one or more finetuning tasks may include: classification tasks, summarization tasks, generation tasks, or extraction tasks. At least one second finetuning tuple of the one or more finetuning tuples may include a second finetuning input and a second finetuning label, where the second finetuning input may include a natural language query, and where the second finetuning label may include a query expressed in a domain-specific query language. At least one of the one or more finetuning tuples may have been manually generated. At least one of the one or more finetuning tuples may have been automatically generated using one or more templates. At least one of the one or more finetuning tuples may have been automatically generated using one or more machine-learned models. The generative sequence processing model may be operative communication with one or more cybersecurity operations tools. The computer system may be configured to provide an interface that enables a user to query the generative sequence processing model in natural language. The generativesequence processing model may have been finetuned to adopt a particular cybersecurity persona of a number of different cybersecurity personas. The particular cybersecurity persona may include: a security operations center (SOC) analyst persona; a threat intelligence analyst persona; a malware or code analyst persona; or a security architect persona. Implementations of the described techniques may include hardware, a method or process, or computer software on a computer-accessible medium.
[0010] One general aspect includes a cybersecurity platform implemented by one or more computing devices. The cybersecurity platform includes a plurality of computer- implemented agents configured to interoperate to collectively receive and process cybersecurity data to generate and perform cybersecurity actions responsive to the cybersecurity data. The platform also includes where each of the plurality of agents may include a machine-learned generative sequence processing model that has been finetuned to adopt a particular cybersecurity persona of a number of different cybersecurity personas. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods.
[0011] Example implementations may include various combinations of one or more of the following features. The cybersecurity platform where the plurality of agents correspond to a plurality of the different cybersecurity personas may include at least: a security operations center (soc) analyst persona; a threat intelligence analyst persona; and a malware or code analyst persona. The plurality of agents may operate according to a distributed operating architecture. The plurality of generative sequence processing models respectively associated with the plurality of different agents may have been forked from a pre-trained model and then finetuned using respective parameter-efficient adapters. The plurality of agents may operate according to a centralized planning architecture. The centralized planning architecture may include a planning agent configured to control the other agents of the platform. The planning agent may be configured to call the other agents according to a tool use framework. The planning agent may be configured to perform chain of thought reasoning, and where the planning agent is configured to control the other agents of the platform based on the chain of thought reasoning. Implementations of the described techniques may include hardware, a method or process, or computer software on a computer-accessible medium.BRIEF DESCRIPTION OF THE DRAWINGS
[0012] Detailed discussion of embodiments directed to one of ordinary skill in the art is set forth in the specification, which makes reference to the appended figures, in which:
[0013] Figure 1 depicts a block diagram of an example cybersecurity platform according to example embodiments of the present disclosure.
[0014] Figure 2 depicts an example process for finetuning a sequence processing model according to example embodiments of the present disclosure.
[0015] Figure 3 depicts an example process for finetuning a sequence processing model to adopt different personas according to example embodiments of the present disclosure.
[0016] Figure 4 depicts an example process for performing inference with a finetuned sequence processing model according to example embodiments of the present disclosure.
[0017] Figure 5 depicts an example multi-agent environment within an example cybersecurity platform according to example embodiments of the present disclosure.
[0018] Figure 6 is a flow chart diagram illustrating an example method for training a machine-learned model according to example implementations of aspects of the present disclosure;
[0019] Figure 7 is a block diagram of an example processing flow for using machine- learned model(s) to process input(s) to generate output(s) according to example implementations of aspects of the present disclosure;
[0020] Figure 8 is a block diagram of an example sequence processing model according to example implementations of aspects of the present disclosure;
[0021] Figure 9 is a block diagram of an example technique for populating an example input sequence for processing by a sequence processing model according to example implementations of aspects of the present disclosure;
[0022] Figure 10 is a block diagram of an example model development platform according to example implementations of aspects of the present disclosure;
[0023] Figure 11 is a block diagram of an example training workflow for training a machine-learned model according to example implementations of aspects of the present disclosure;
[0024] Figure 12 is a block diagram of an inference system for operating one or more machine-learned model(s) to perform inference according to example implementations of aspects of the present disclosure;
[0025] Figure 13 is a block diagram of an example networked computing system according to example implementations of aspects of the present disclosure;
[0026] Figure 14 is a block diagram of an example computing device according to example implementations of aspects of the present disclosure; and
[0027] Figure 15 is a block diagram of an example computing device according to example implementations of aspects of the present disclosure.
[0028] Reference numerals that are repeated across plural figures are intended to identify the same features in various implementations.DETAILED DESCRIPTION
[0029] Some example aspects of the present disclosure are directed to cybersecurity systems and methods that leverage one or more generative sequence processing models that are specifically finetuned for cybersecurity applications. A specialized generative sequence processing model can be finetuned on a comprehensive range of cybersecurity data and associated finetuning tasks, providing the model with rich capabilities for analyzing, understanding, describing, and / or taking action with respect to the real-time cybersecurity data generated by one or more cybersecurity operations tools. Thus, the creation and use of generative sequence processing models represents a solution to the technical challenge of usefully analyzing and acting upon a large volume of diversely-structured data generated by a number of disparate cybersecurity operations tools deployed by an organization.
[0030] More particularly, one aspect of the present disclosure is directed to a generative sequence processing model that has been finetuned on various forms of cybersecurity data and associated tasks. A sequence processing model can be a model that is configured for the analysis and generation of sequential data. Specifically, a sequence processing model can include a sequence-to-sequence design that enables the model to receive and process a sequence of input data to produce a corresponding sequence of output data.
[0031] One example form of a sequence processing model is a so-called “large language model” (LLM). The term LLM can refer to a highly parameterized model that is configured to interpret and generate text with human-like patterns. Through extensive pretraining on extensive datasets, LLMs are capable of addressing a multitude of natural language processing endeavors, from text generation to intricate question-response mechanisms. Another example sequence processing model is a “large multi-modal model” (LMM). Similar to LLMs, LMMs can refer to highly parameterized models that can operate to generate outputs (e.g., sequential outputs such as textual, image, and / or audio tokens) based on inputs (e.g., sequential inputs). However, LMMs can generally operate over two or more different modalities, including some combination of text, image, and / or audio inputs and / or outputs.Text inputs can include natural language text and / or structured language text such as programming languages, machine codes, and / or structured queries. Images can include still images or moving images (i.e., “movies”).
[0032] In particular, a sequence processing model can be initially pretrained on a large amount of pretraining data. During this phase, the model is exposed to extensive datasets, enabling it to establish a generalized understanding of data patterns, structures, and inherent relationships. The purpose of pretraining is to embed a wide spectrum of knowledge within the model, setting up a foundational framework of cognition.
[0033] In some implementations, the pretraining of the model can include pretraining the model on various forms of cybersecurity data. Including a broad spectrum of cybersecurity data during the pretraining phase can contribute to the later success of the model on a range of different cybersecurity-related tasks. In particular, because cybersecurity data is not widely available online (e.g., due to its inherent sensitivity), cybersecurity data has historically been extremely rare in a typical mixture of pretraining data for large models. Therefore, as suggested herein, continued pretraining on the Tong tail’ of cybersecurity data formats (e.g., particularly those that are not well-represented) is highly beneficial to enabling the trained model to generalize across security -focused tasks.
[0034] In some implementations, the pretraining can be split into multiple sequential phases. In an initial phase, the model can be pretrained on data across many different domains (e.g., including computer languages) at a massive scale so as to instill foundational language knowledge and build the overall language capabilities of the model. In a subsequent or “continued” phase of pretraining, the focus of the pretraining can shift to include relatively larger volumes or ratios of data that are specific to the cybersecurity domain. Thus, the subsequent phase can include more focused pretraining that includes a much higher proportion and / or diversity of cybersecurity-specific data, thereby enabling the model to begin to specialize at learning cybersecurity information.
[0035] According to another aspect of the present disclosure, subsequent to the comprehensive learning offered by pretraining, a sequence processing model can undergo a finetuning process using a wide range of cybersecurity data and associated pretraining tasks. In some examples, the finetuning tasks may be more specific and / or structured as compared to the pretraining tasks. For example, whereas some example pretraining tasks may include generally attempting to predict the correct completion for a given prompt (e.g., to predict the remainder of a set of text given some initial portion of the text), some example finetuning task may seek test the model’s ability to apply reasoning over a given input, such asanswering questions about a given input that require extrapolation, analysis, and / or the application of logic to the input.
[0036] In some implementations, the finetuning stage focuses on enhancing and refining the model’s capabilities within specific cybersecurity domains or tasks. By utilizing targeted cybersecurity datasets, which may emphasize certain cybersecurity-specific knowledge or patterns, the model’s internal parameters are adjusted to optimize its performance on the designated cybersecurity tasks.
[0037] The range of cybersecurity data and tasks that can be used during finetuning will be described in further detail with reference to the figures. However, as an introduction, the cybersecurity data can include data from a Security Orchestration Automation and Response (SOAR) system. SOAR data can include SOAR cases, queries, rules, playbooks, alerts, or other SOAR data. As further examples, the cybersecurity data can also include Security Information and Event Management (SIEM) system data, security blog information, threat intelligence reports, signature-based detection files, malware scripts, vulnerability information, product documentation, security code repositories, cybersecurity and software development frameworks data, and / or other forms of cybersecurity data.
[0038] As mentioned above, some example finetuning tasks performed on the cybersecurity data can include custom or structured tasks which extend beyond a basic language modeling approach. As one example, the finetuning tasks can include classification tasks such as file type classification, malware detection, vulnerability identification, actor attribution, file activity classification, or other classification tasks. As another example, the finetuning tasks can include summarization tasks such as, for example, generating executive summaries of threat intelligence reports, explaining programming or computer language content (e.g., malicious scripts) in natural language, and / or summarizing structured security operations tool data (e.g., cybersecurity event and alert metadata)in natural language. As a further example, the finetuning tasks can include generation tasks such as generating threat intelligence reports from structured programming language scripts, creating SOAR playbooks, and / or converting natural language into specialized query languages such as SOAR queries, which are often expressed in tool- or system-specific query languages or lexicons. As further examples, the finetuning tasks can include extraction tasks such as extracting relevant vulnerability information or entities and / or transformation tasks such as translating cybersecurity threat intelligence into actionable security measures.
[0039] Furthermore, in some implementations, the finetuning tasks can include having the model perform chain-of-thought style reasoning that combines several of the above taskstogether. For example, when analyzing a structured cybersecurity event, an example approach might identify command line invocation information that the model would analyze for signs of suspicious behavior, then use the outputs of that analysis (e.g., a URL or file name) to make additional queries to the SIEM system to better understand the attack.
[0040] According to another aspect of the present disclosure, data labelling can be performed on the raw cybersecurity data to generate finetuning data for use in performing the finetuning tasks described above. For example, a set of cybersecurity data can be preprocessed to generate finetuning label data. The finetuning label data can be metadata, attributes, or other information extracted from or otherwise generated with respect to the set of cybersecurity data. As one example, if the set of cybersecurity data is a set of software code, the finetuning label can include information such as: the number of network indicators associated with the software code; whether or not the code is using network interactions; whether or not the code edits the registry; and / or other information about the software code that assists in training the sequence processing model to understand software code and improve its ability to explain why the software code may or may not be malicious. The data labelling process can be manually performed and / or automatically performed via application of one or more templates and / or one or more machine-learning models.
[0041] By training the generative sequence processing model on these finetuning tasks and associated finetuning data, the generative sequence processing model can be endowed with the capability to potentially analyze and foresee a range of cybersecurity threats and / or perform numerous other cybersecurity tasks. Once finetuned, the sequence processing model can be included in or leveraged by a cybersecurity platform to perform any of the tasks described above.
[0042] Furthermore, because the generative sequence processing model has been finetuned on diverse data from different systems and sources, the resulting model is able to operate on inherently heterogeneous data and systems such as different security operations tools which have their own unique internal syntaxes, schemas, query languages, and / or other data structures. For example, the sequence processing model can be capable of interpreting and / or generating queries and / or other structured data representations expressed in multiple different query languages and / or data structures respectively associated with multiple different security operations tools (e.g., multiple different SOAR systems).
[0043] By leveraging the finetuned sequence processing model, the cybersecurity platform is able to simplify and reduce the tools required by an organization to secure their digital assets. As one example, the platform can autonomously generate cybersecuritydesigns, capabilities, and / or controls, thereby decreasing the overheads associated with managing multiple cybersecurity environments. As another example, the platform can leverage the generative sequence processing model to quickly summarize data for human users and / or respond to natural language questions supplied by the human users. Thus, the cybersecurity platform can leverage the generative sequence processing model to aid users in analyzing cybersecurity events, crafting possible cybersecurity protocols, and / or undertaking in-depth threat assessments, providing real-time response and adaptability.
[0044] Furthermore, due to the model’s breadth of understanding across multiple different tools and associated data structures, the model can be used to connect otherwise siloed tools. For example, the model can be used to interpret data combined from multiple disparate tools, enabling a broader and more holistic view of security operations for analysts or other users.
[0045] According to another aspect of the present disclosure, in some implementations, the generative sequence processing model described herein can be finetuned to adopt various personas tailored to specific roles within the cybersecurity domain. A model can be finetuned to adopt a particular persona using specific types of data and training tasks that are characteristic of their respective roles, enabling the model to produce outputs that are contextually aligned with the expectations and requirements of different cybersecurity professionals.
[0046] As one example, the model can adopt personas such as a Security Operations Center (SOC) analyst, which focuses on rapid, action-based responses to threats or a threat intelligence analyst, who provides detailed, comprehensive analyses of cyber threats. As other examples, the model can be adapted to other personas like a malware or code analyst, who focuses on the technical analysis of code to identify malicious behaviors, and a security architect, who provides a broad understanding of cybersecurity threats and defenses at an organizational level. Other personas include an incident responder, a compliance officer, a network security administrator, a cybersecurity researcher, a chief information security officer (CISO), and / or a forensic analyst, each tailored to perform specific functions within their expertise area. This capability allows the model to simulate actions typically performed by these professionals, significantly enhancing the utility and applicability of the model across various cybersecurity contexts.
[0047] One benefit is that the models can be specialized to focus on specific aspects of a task given the same inputs, and adjust their output style accordingly. For instance, a SOC analyst specialized model may be trained to broadly analyze security events based on aparticular strategy (e.g., pivoting among events occurring on the same host) and their output may be primarily focused on triaging a particular set of events or incident. By comparison, the threat intelligence analyst persona model may be more interested in taking a longitudinal view of similar types of attacks across multiple host, relating those to known actor TTPs, and then providing a nuanced report with appropriate descriptions of confidence, which are common in the intelligence analysis field. Thus, the specialization may be applied and / or manifest with respect to both the “input focus” (e.g., what is analyzed) and also in the “output style”. One benefit, particularly in an agent-like system, is that the system can specialize tasks and get a variety of viewpoints when analyzing something - which may, for example, be analogous to having an entire Al “security team” review data and then answer questions based on diverse analysis perspectives.
[0048] According to another aspect of the present disclosure, in some implementations, one or more of the generative sequence processing models described herein can operate autonomously or semi -autonomously within a cybersecurity platform, performing tasks typical of various cybersecurity personas. For instance, a model finetuned to a Security Operations Center (SOC) analyst persona can independently generate rapid response strategies to real-time threats, while another finetuned as a threat intelligence analyst can autonomously compile and analyze extensive threat data. This autonomous functionality enhances operational efficiency by allowing human analysts to concentrate on complex, strategic decision-making processes.
[0049] In particular, some example implementations of the present disclosure are directed to a cybersecurity platform that includes a multi-agent setting in which multiple generative sequence processing models, for example with some or all adopting a distinct persona, can interoperate to process cybersecurity data to perform cybersecurity actions. For example, each model can autonomously perform tasks aligned with their designated personas, contributing collectively to cybersecurity efforts. The interoperability of these models can be managed through a centralized system or a distributed framework, so that insights from one model can inform the actions of others. This setup enhances the efficiency and effectiveness of cybersecurity operations by allowing a division of labor among specialized models, which reduces the need for continuous human supervision and increases interpretability.
[0050] The division of labor also tends to improve outcomes (e.g., true positive rates, etc.) since it does not require a single agent / model to exhaustively analyze all aspects of the problem (something that is effectively discouraged during the LLM decoding process, regardless of prompting strategies).
[0051] The systems and methods of the present disclosure provide a number of technical effects and benefits. As one example, the proposed techniques enhance digital network security. Specifically, the disclosed system provides an advanced layer of protection against potential cybersecurity threats, thereby improving the integrity and functionality of a digital environment such as a cloud environment.
[0052] As another example technical benefit, the present disclosure provides a generative sequence processing model that is optimized for cybersecurity tasks. Finetuning of the generative sequence processing model specifically for cybersecurity scenarios improves the ability of the model to perform accurate threat detection and prediction. This reduces false positives and false negatives, ensuring resources are utilized effectively in real threat scenarios.
[0053] As another example technical benefit, the present disclosure provides dynamic threat intelligence aggregation. The capability of the sequence processing model to amalgamate data and generate actionable information from various sources like SOAR systems or other cybersecurity operations tools or sources of cybersecurity data provides the ability to aggregate and act upon information from across a comprehensive threat landscape. This results in a more holistic view of potential threats, allowing for preemptive measures against emerging and evolving threats.
[0054] As another example technical benefit, finetuning models on specific cybersecurity data and / or tasks enables increased model specialization. Each model can be finetuned to excel in tasks specific to a particular persona, such as rapid threat response for a SOC analyst or in-depth code analysis for a malware analyst. This specialization leads to higher accuracy and efficiency in task execution, as each model can leverage its tailored training to handle particular aspects of cybersecurity more adeptly.
[0055] Another technical benefit derives from interoperability among agents in a multiagent system. By enabling agents to communicate and collaborate, the system ensures that insights and data generated by one agent can inform the actions and analyses of others. Moreover, when chain of thought analysis capability is embedded within each agent, the agents can operate with improved transparency and interpretability. By providing detailed explanations and rationales for their actions, the agents allow human operators to understand and verify the automated processes. This transparency enables validation that the system aligns with the organization’s policies and ethical standards. Chain of Thought also substantially improves performance on some reasoning tasks (e.g. math problems).
[0056] With reference now to the Figures, example embodiments of the present disclosure will be discussed in further detail.
[0057] Figure 1 provides a block diagram of an example computing system that includes a cybersecurity platform 112 according to example embodiments of the present disclosure. The cybersecurity platform 112 is configured for enhancing security within potential cloudbased environments. The cybersecurity platform 112 includes a generative sequence processing model 114. The model 114 can be finetuned, for example, to address possible security-specific scenarios.
[0058] The sequence processing model 114 can be a model that is configured for the analysis and generation of sequential data. Specifically, a sequence processing model 114 can include a sequence-to-sequence design that enables the model to receive and process a sequence of input data to produce a corresponding sequence of output data.
[0059] The sequence processing model 114 can include or leverage different model architectures. While some examples can utilize the Transformer architecture, recognized for its dynamic self-attention mechanism, others can be implemented using diverse architectures such as recurrent neural networks, convolutional neural networks, or even potential hybrid models.
[0060] One example form of a sequence processing model 114 is a so-called “large language model” (LLM). The term LLM can refer to a highly parameterized model that is configured to interpret and generate text with human-like patterns. Through extensive pretraining on extensive datasets, LLMs are capable of addressing a multitude of natural language processing endeavors, from text generation to intricate question-response mechanisms. Another example sequence processing model 114 is a “large multimodal model” (LMM).
[0061] In particular, the sequence processing model 114 can be initially pretrained on a large amount of pretraining data. Pretraining serves as an important phase in the development of an effective sequence processing model 114. During this phase, the model is exposed to extensive datasets, enabling it to establish a generalized understanding of data patterns, structures, and inherent relationships. The purpose of pretraining is to embed a wide spectrum of knowledge within the model, setting up a foundational framework of cognition.
[0062] In some implementations, the pretraining of the model 114 can include pretraining the model 114 on various forms of cybersecurity data. Including a broad spectrum of cybersecurity data during the pretraining phase can contribute to the later success of the model 114 on a range of different cybersecurity-related tasks. In some implementations, thepretraining can be split into multiple sequential phases. In an initial phase, the model 114 can be pretrained on data across many different domains (e.g., including computer languages) at a massive scale so as to instill foundational language knowledge and build the overall language capabilities of the model 114. In a subsequent or “continued” phase of pretraining, the focus of the pretraining can shift to include relatively larger volumes or ratios of data that is specific to the cybersecurity domain. Thus, the subsequent phase can include more focused pretraining that includes a much higher proportion and diversity of cybersecurity-specific data, thereby enabling the model 114 to begin to specialize at learning cybersecurity information.
[0063] According to an aspect of the present disclosure, subsequent to the comprehensive learning offered by pretraining, the sequence processing model 114 can undergo a finetuning process using a wide range of cybersecurity data and associated pretraining tasks. This finetuning stage focuses on enhancing and refining the model’s capabilities within specific cybersecurity domains or tasks. By utilizing targeted cybersecurity datasets, which may emphasize certain cybersecurity-specific knowledge or patterns, the model’s internal parameters are adjusted to optimize its performance on the designated cybersecurity tasks. Further example details regarding potential finetuning data and tasks are described with reference to Figures 2.
[0064] Referring still to Figure 1, the cybersecurity platform 112 is in communication with cybersecurity operations tools 116, 118, and 120. The cybersecurity operations tools 116, 118, and 120 can be various systems that are deployed by an organization to perform cybersecurity tasks such as threat detection and prevention. Each of the cybersecurity operations tools 116, 118, and 120 can generate cybersecurity data that can be obtained by the cybersecurity platform 112 and processed by the sequence processing model 114. The cybersecurity platform 112 can be directly integrated with the cybersecurity operations tools 116, 118, and 120 and / or can communicate with the cybersecurity operations tools 116, 118, and 120 via an application programming interface (API).
[0065] As examples, the cybersecurity operations tools 116, 118, and 120 can be Security Orchestration, Automation, and Response (SOAR) platforms, Security Information and Event Management (SIEM) systems, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), antivirus software, endpoint protection, vulnerability management tools, and / or others. Each of these tools 116, 118, and 120 can create various forms of cybersecurity data that can be communicated to the cybersecurity platform 112 (e.g., in real time, upon request, and / or periodically).
[0066] Thus, as one example, the cybersecurity platform 112 can be operatively integrated with a SOAR system. A SOAR system can include an integrated suite of technologies that serves as a comprehensive solution for managing, analyzing, and responding to an array of cybersecurity incidents and threats. It can incorporate an assortment of functionalities including but not limited to threat and vulnerability management, incident response, and security automation. The SOAR system can be designed to integrate with a multitude of security tools and platforms, enabling a more coherent and unified security infrastructure.
[0067] Key functionalities of the SOAR system can include: threat and vulnerability management; incident response; case management; dashboards and reporting; and the creation and deployment of automated playbooks. SOAR playbooks can include automated workflows or structured sequences of tasks within the SOAR system. These playbooks can automate the response to specific cybersecurity incidents or scenarios, integrating various tools, systems, and processes.
[0068] As another example, the cybersecurity platform 112 can be operatively integrated with a SIEM system. A SIEM system is a comprehensive solution in the cybersecurity domain that provides real-time analysis of security alerts generated by various hardware and software infrastructures in an organization. Key functionalities of the SIEM system can include data aggregation; log storage; event correlation; alerting; data analysis and visualization; forensics and analysis; and compliance reporting. While SIEM focuses on the detection and alerting aspects, SOAR platforms emphasize automation, orchestration, and response. In many mature security operations centers (SOCs), SIEM and SOAR solutions work hand-in-hand to provide an end-to-end security incident detection and response framework.
[0069] As another example, the cybersecurity operations tools 116, 118, and 120 can include or provide cybersecurity blogs or information obtained therefrom. A cybersecurity blogs can include a digital publication or platform that disseminates information, insights, and analyses pertaining to various facets of cybersecurity. While primarily textual, these blogs may also incorporate multimedia elements, code snippets, or interactive demonstrations. They aim to enhance the understanding of emerging threats, mitigation techniques, and advancements in the field of information security, though the content and approach may vary across different sources.
[0070] As another example, the cybersecurity operations tools 116, 118, and 120 can include or provide signature-based detection files. Signature-based detection files areemployed within cybersecurity operations tools to identify and possibly mitigate known threats based on predetermined patterns or “signatures.” These signatures, which can encompass attributes like file hashes, string patterns, or behavioral traits, can be derived from prior analyses of malicious activities or entities. YARA detection rules, for instance, utilize patterns to scan and identify malware samples.
[0071] As another example, the cybersecurity operations tools 116, 118, and 120 can include virus or malware detection systems. These are systems that are designed to identify, isolate, and eliminate malicious software or “malware”, such as viruses, worms, trojans, ransomware, etc. The system operates by analyzing system behavior, data patterns, and code to flag potential threats. These systems can also encompass the capability of automated response mechanisms that take immediate action upon malware detection, mitigating potential damages and minimizing system downtime. Furthermore, they may include components for generating comprehensive logs and reports for further analysis and proactive threat hunting, enhancing the overall cybersecurity posture of the entity using such a system.
[0072] As another example, the cybersecurity operations tools 116, 118, and 120 can include open source vulnerability analysis or information. These can include data or information relating to potential weaknesses or susceptibilities in open-source software or systems. Such information, often shared within the cyber community, aids in the discovery, mitigation, and prevention of exploits that could compromise system integrity or security.
[0073] As another example, the cybersecurity operations tools 116, 118, and 120 can include security code repositories. Security code repositories are dedicated storage spaces for codebases that have an emphasis on security. These repositories can include secure code snippets, libraries, or frameworks. In some implementations, the security code repositories can include examples of malware scripts. Malware scripts can be scripts or sequences of code intended to perform malicious activities on targeted systems. These scripts may encompass a range of functionalities, from data exfiltration and system disruption to privilege escalation.
[0074] As another example, the cybersecurity operations tools 116, 118, and 120 can include cybersecurity and software development frameworks. These frameworks provide structured, standardized methodologies for developing secure software and managing cybersecurity risk. As an example, the MITRE framework offers a comprehensive suite of tools, techniques, and best practices for tackling cybersecurity challenges across a variety of domains or sectors.
[0075] As another example, the cybersecurity operations tools 116, 118, and 120 can include or provide analyst reports. Analyst reports, in the broadest sense, refer tocomprehensive documents prepared by skilled professionals who carry out detailed assessments of various aspects of a system, process, or entity. Analyst reports can include threat intelligence reports that provide information about emerging cyber threats and vulnerabilities, malware reverse engineering reports that dissect malicious software to understand its origin, behavior, and mitigation strategies, and incident response reports which detail the results of a breach investigation, shedding light on the cause, impact, and recommended remediation measures.
[0076] Thus, as one example, the cybersecurity operations tools 116, 118, and 120 can include threat intelligence reports, data, or other information. Threat intelligence is a term referring to the collation, analysis, and dissemination of information about potential or current cyber threats and attacks. Threat intelligence is a specialized sector of cybersecurity that employs a multitude of data gathering, processing, and analysis techniques to identify, track, and predict cybersecurity threats and vulnerabilities. It involves the systematic collection of information from a variety of sources, both internal and external, to provide comprehensive insights into the cyber threat landscape. This information can include, but is not limited to, details on threat actors, their tools, tactics, and procedures (TTPs), indicators of compromise (IOCS), and the nature and impact of previous cyberattacks.
[0077] As another example, the cybersecurity operations tools 116, 118, and 120 can include or provide product documentation. Product documentation can include a compilation of informational materials related to a particular software or hardware product. This documentation aims to provide users, administrators, or developers with guidance on installation, configuration, utilization, and troubleshooting of the said product.
[0078] The cybersecurity platform 112 can also communicate with one or more user devices 122. For example, the user devices 122 can be associated with human users. In one example, the human users can be analysts or administrators that are responsible for managing the information security of a computer network for which some or all of the cybersecurity operations tools 116, 118, and 120 are deployed. Stated differently, in some instances some or all of the cybersecurity operations tools 116, 118, and 120 can be tools that are specifically deployed with respect to a particular computer network or group of networks. In addition or alternatively, some or all of the cybersecurity operations tools 116, 118, and 120 can be generalized tools that are not dedicated to or for a particular computer network or group of networks and may be broadly accessible irrespective of a user’s affiliation to a particular organization or network.
[0079] The cybersecurity platform 112 can communicate with one or more user devices 122 to receive questions or queries from the user devices 122. The platform 112 can deploy the sequence processing model 114 to generate responses to the queries, based on processing of cybersecurity data by the sequence processing model 114. For example, the sequence processing model 114 can retrieve (e.g., via application programming interfaces) the relevant information necessary to answer the query from the cybersecurity operations tools 116, 118, and 120. The sequence processing model 114 can then process the retrieved information to generate an appropriate response to the query, which may for example be a summary, an extraction, a classification, a suggested remediation, or other output. This information can then be supplied to the user devices 122 for display to the user.
[0080] Figure 2 provides a block diagram of an example approach for finetuning the generative sequence processing model according to example embodiments of the present disclosure. As shown in Figure 2, a set of cybersecurity data 202 can be obtained. The set of cybersecurity data 202 can be data generated by or associated with one or more cybersecurity operations tools, such as any of the cybersecurity operations tools described with reference to Figure 1. Thus, as an example, the cybersecurity data 202 can include data from a SOAR system. SOAR data can include SOAR cases, queries, rules, playbooks, alerts, or other SOAR data. As further examples, the cybersecurity data can also include Security Information and Event Management (SIEM) system data, security blog information, threat intelligence reports, signature-based detection files, malware scripts, vulnerability information, product documentation, security code repositories, cybersecurity and software development frameworks data, and / or other forms of cybersecurity data.
[0081] A computing system can perform data labelling 204 on the set of cybersecurity data 202. As a result of performing the data labelling 204, a finetuning tuple 210 can be created. The finetuning tuple 210 can include a finetuning input 206 and a finetuning label 208.
[0082] The finetuning tuple 210 can be used to finetune the sequence processing model 114. For example, the finetuning input 206 can be provided to the model 114. In response, the model 114 can generate a model output 212. A loss function 214 can be evaluated. The loss function 214 can compare the model output 212 with the finetuning label 208. The loss function 214 can be used to update the parameter values of the model 114. For example, the loss function 2114 can be backpropagated through the model 114 to update the parameter values of the model 114.
[0083] More particularly, data labelling 204 can include the generation and / or assignment of pertinent labels, classifications, or annotations (referring to collectively as labels 208) to each of a number of sets of cybersecurity data 202, rendering them useful for supervised machine learning paradigms. Labelling tools such as specialized labelling software facilitates efficient labelling processes, for example featuring capabilities for bulk processing, collaborative annotations, and change monitoring. The labelling procedure can span manual, semi-automatic, or fully automatic approaches, for example depending on data types being labelled.
[0084] Thus, the finetuning label 208 can be metadata, attributes, or other information extracted from or otherwise generated with respect to the set of cybersecurity data 202. In some cases, the finetuning input 206 can include some or all of the set of cybersecurity data 202. In some cases, in addition or alternatively to the set of cybersecurity data 202, the finetuning input 206 can include additional input data such as an additional natural language prompt, question, query, or instruction.
[0085] In some implementations, the finetuning input 206 and the finetuning label 208 may be structured according to a question and answer format that prompts the model 114 to answer questions about the underlying set of cybersecurity data 202. Structuring the finetuning input 206 and the finetuning label 208 in this way can challenge the model 114 to answer using domain-specific terminology that is not explicitly included in the underlying set of cybersecurity data 202.
[0086] As one example, the set of cybersecurity data 202 can be a set of software code (e.g., a potentially malicious code). The finetuning label 208 can include information such as: the number of network indicators associated with the software code; whether or not the code is using network interactions; whether or not the code edits the registry; and / or other information about the software code that assists in training the sequence processing model 114 to understand software code and improve its ability to explain why the software code may or may not be malicious. In this scenario, for example, the finetuning input 206 can include the software code itself along with an additional natural language question or instruction that prompts the sequence processing model 114 to generate the finetuning label 208. Thus, for example, the finetuning input 206 can include the software code and a natural language prompt that asks: “How many network indicators are associated with this software code?”. The finetuning label 208 may then be the labelled answer to the question: i.e., the correct or ground truth number of network indicators associated with the software code which has been added as the label.
[0087] As another example, a cybersecurity operations tool may have a unique schema and / or domain-specific query language that enables a user to search for results or other information within the cybersecurity operations tool. In some implementations, the set of cybersecurity data 202 can include a query expressed in the domain-specific query language and / or a set of results structured according to the schema. For example, the set of cybersecurity data 202 can be retrieved from actual runtime logs of the cybersecurity operations tool which demonstrate past queries and responses. In this case, the data labelling process 204 can include creating a natural language query that corresponds to the query expressed in a domain-specific query language. Thus, in this case, the finetuning input 206 can be a natural language query and the finetuning label 208 can be the original query expressed in the domain-specific query language. Creating a finetuning tuple 210 with this structure can enable the sequence processing model 114 to learn to translate from natural language to the domain-specific query language(s) and / or associated schema(s). In addition or alternatively, the model can be trained to perform the opposite task, that is, to translate from structured queries (or similar) to natural language prompts.
[0088] In some implementations, the finetuning input 206 and / or finetuning label 208 can include examples that enable the sequence processing model 114 to perform chain of thought processing of inputs. Unlike traditional prompting where models predict answers directly, chain of thought approaches prompt models to generate intermediate reasoning steps, enabling them to solve complex multi-step problems in arithmetic and commonsense reasoning tasks by breaking them down into manageable components. Thus, in some implementations, the finetuning tuple 210 can provide an example that enables the sequence processing model 114 to learn to perform chain of thought response generation.
[0089] In some implementations, the finetuning input 206 and / or finetuning label 208 can include examples that enable the sequence processing model 114 to use external tools. By providing the sequence processing model with access to external tools (e.g., via text-to-text APIs), the model can learn to delegate tasks like arithmetic, language translation, and / or accessing real-time information to external services. This allows the sequence processing model to generate more accurate and contextually grounded responses by incorporating information from these external tools into its output, ultimately making it more capable in solving various tasks. Thus, in one example, to answer a certain question contained in a finetuning input 206, the sequence processing model can learn to initially formulate a query in a tool-specific query language, submit the query to the tool (e.g., a cybersecurity operations tool), and then receive and process the results of the query to generate an output.For example, one or more finetuning labels 208 can provide example demonstrations of this process of tool usage.
[0090] The data labelling process 204 can be manually performed and / or automatically performed via application of one or more templates and / or one or more machine-learning models. As one example, a human user can extract pertinent information from a set of cybersecurity data and can construct a natural language question associated with the extracted information. The natural language question can be included in the finetuning input 206 while the extracted information can be included in the finetuning label 208.
[0091] As another example, one or more templates can be used in the data labelling process 204 to generate the finetuning tuple 210 from the set of cybersecurity data 202. For example, the templates can apply an algorithm to generate the finetuning tuple 210 from the set of cybersecurity data 202. In one example, the algorithm can include or apply a set of rules that encode a “grammar” that defines a given output based on receipt of a certain input. In some implementations, the algorithm can select the output non-deterministically so as to avoid overfitting on a particular rule.
[0092] As another example, one or more machine-learned models can be used in the data labelling process 204 to generate the finetuning tuple 210 from the set of cybersecurity data 202. For example, a machine-learned model can be supplied with the set of cybersecurity data 202 and prompted to generate a useful finetuning input 206 and finetuning label 208. As one example, the set of cybersecurity data 202 can be a query expressed in a domain-specific query language and the machine-learned model can be tasked with translating the query into a natural language query to generate a finetuning tuple 210 that includes the natural language query as the finetuning input 206 and includes the query in the domain-specific query language as the finetuning label 208. In some implementations, the one or more machine- learned models used in the data labelling process 204 can be different from the sequence processing model 114. For example, the one or more machine-learned models used in the data labelling process 204 can be a larger model, a teacher model, a model trained on different data, and / or other models. In some implementations, the one or more machine- learned models used in the data labelling process 204 can be the sequence processing model 114 itself. For example, some of these implementations can be referred to as a self-supervised training approach.
[0093] More generally, the data labelling process 204 shown in Figure 2 can be performed to generate a number of finetuning tasks that extend beyond basic language modeling tasks like “next word prediction” or “masked language modelling.” Instead, thefinetuning tasks can be tasks that require or elicit a deeper understanding of the concepts present in the cybersecurity data 202, thereby training the model to have a richer understanding of the cybersecurity data 202 and to be able to perform more meaningful analysis of the cybersecurity data 202. As examples, the finetuning tasks can include classification tasks such as file type classification, malware detection, vulnerability identification, actor attribution, file activity classification, or other classification tasks. As another example, the finetuning tasks can include summarization tasks such as, for example, generating executive summaries of threat intelligence reports, explaining programming or computer language content (e.g., malicious scripts) in natural language, and / or summarizing structured security operations tool data (e.g., cybersecurity event and alert metadata)programming language content in natural language). As a further example, the finetuning tasks can include generation tasks such as generating threat intelligence reports from structured programming language scripts, creating SOAR playbooks, and / or converting natural language into specialized query languages such as SOAR queries. As further examples, the finetuning tasks can include extraction tasks such as extracting relevant vulnerability information or entities and / or transformation tasks such as translating cybersecurity threat intelligence into actionable security measures.
[0094] Figure 3 depicts an example approach in which a generative sequence processing model 114 is finetuned to adopt one or more different personas that are respectively tailored to different cybersecurity roles. The capability can enable the model 114 to ultimately produce outputs that are contextually aligned with the expectations and requirements of various cybersecurity professionals.
[0095] Various techniques can be used to finetune the generative sequence processing model 114 to adopt different personas. Example techniques can include Differential Privacy Optimization (DPO), prompt tuning, also known as “soft prompt” tuning, and / or various types of parameter-efficient model adapters (e.g., Low-Rank Adaptation (LORA) tuning). Each technique can be applied individually or in combination to enhance the model’s capabilities. Finetuning the model 114 to adopt one or more different personas can enhance the adaptability and effectiveness in various cybersecurity roles.
[0096] The model can be finetuned to adopt or behave as one or more of various different personas. One example is a security operations center (SOC) analyst model 310. The SOC analyst persona model 310 can be characterized by a focus on quick, tactical responses which are action-based. The finetuning process for this persona model 310 can bedesigned to emphasize output generation that facilitates immediate decision-making to enable rapid response to security threats.
[0097] The generative sequence processing model 114 can be finetuned to generate the SOC analyst persona model 310 using specific types of data and / or training tasks. As examples, the finetuning data can include real-time threat alerts, incident logs, and / or tactical response protocols specific to SOC operations. Example training (e.g., finetuning) tasks can focus on rapid classification of threats, prioritization of incident responses, and / or generation of immediate action steps. Tasks can be structured to improve the model’s ability to generate concise, actionable outputs. These outputs can aid in rapid decision-making, which can be important for the SOC analyst role. The training can utilize scenarios that simulate environments that require swift responses, instilling the model with the ability to operate effectively under conditions commonly encountered by SOC analysts.
[0098] Another example persona can be the threat intelligence analyst model 312. The finetuning of this persona model 312 can emphasize the capability to provide comprehensive analyses that include detailed information and / or supporting materials. For example, outputs for this persona model 312 can include detailed information such as background information, policy implications, and / or motivations behind cyber threats. In some cases, this persona model 312 can exhibit a tendency to provide hedged, cautious interpretations alongside lengthy analyses.
[0099] The model 114 can be finetuned to generate the threat intelligence analyst persona model 312 using specific data types and / or training tasks. The finetuning data can include threat intelligence reports, policy documents, and / or analyses of historical cybersecurity incidents. The training tasks can include generating detailed summaries of materials, identifying and explaining various cyber threats’ implications, and / or synthesizing information to outline potential policy impacts. Furthermore, the model can be trained to manage tasks associated with generating cautious and hedged analyses that reflect the careful consideration characteristic of threat intelligence analysts. The training can enable the model 312 to provide outputs that are rich in context and detail and which are suitable for strategic planning and decision-making in cybersecurity operations.[000100] Another example persona is a malware or code analyst model 314. This persona model 314 can be adjusted to concentrate on highly technical analysis of code behaviors. For example, the model 314 can be trained to identify specific behaviors and characteristics of code based on technical details.[000101] The generative sequence processing model 114 can be finetuned to generate the malware or code analyst persona model 314 using specific types of data and / or training tasks. Example finetuning data can include datasets of malware scripts, executable binaries, and / or code snippets. These elements may exhibit malicious behaviors. Example training tasks can be centered on classification challenges, such as distinguishing between benign and malicious code, identifying types of malware, and / or detecting obfuscation techniques used by malware authors. Additionally or alternatively, the model 314 can be trained on tasks that involve annotating code with comments that explain the purpose and function of code segments. This can assist in understanding and identifying malicious intent within the code. This focused training can enable the model 314 to generate analyses which are highly technical and detailed so as to be characteristic of a malware or code analyst.[000102] Various other person models 316 can be generated as well. As one example, another example persona is a security architect persona. A security architect persona model can provide a conceptual understanding of cybersecurity threats and defenses. This persona model can generate outputs that describe technical nuances and analysis at an organizational level.[000103] The generative sequence processing model 114 can be finetuned to generate the security architect persona model using specific types of data and / or training tasks. For example, the training can encompass architectural diagrams, system configuration data, and / or enterprise security policies. The model can be exposed to strategic planning documents and / or high-level threat assessment reports. Further example training tasks can include generating summaries of organizational security postures, suggesting enhancements based on emerging threats, and / or synthesizing complex security requirements into actionable strategies. The training can enable the model to produce outputs that reflect a broad understanding of cybersecurity. This understanding can be further tailored to specific organizational contexts.[000104] Another example persona is an incident responder persona model. This persona can concentrate on producing immediate, yet effective responses to security breaches or incidents. The model can be finetuned to prioritize rapid assessment and mitigation strategies. It can provide step-by-step guidance for containment and remediation processes.[000105] Another example persona is a compliance officer persona model. This persona can be configured to address regulatory and compliance requirements. The model can generate outputs that identify potential compliance issues, suggest corrective actions, and / orensure adherence to relevant laws and standards. Examples of these standards include GDPR, HIPAA, or PCI-DSS.[000106] Another example persona is a network security administrator persona model. This persona can concentrate on the security aspects of network infrastructures. The model can be trained to analyze network traffic and configurations to provide insights and recommendations that enhance network security and prevent unauthorized access.[000107] Another example persona is a cybersecurity researcher persona model. This persona can be designed for the exploration and analysis of new and emerging cybersecurity threats and technologies. The model with this persona can be used to simulate cyber-attacks, analyze threat patterns, and / or help develop new defense mechanisms.[000108] Another example persona is a chief information security officer (CISO) persona model. This executive persona can be designed to provide strategic insights, assess the overall security posture of an organization, and / or provide risk assessments. The model with this persona can be used to offer policy recommendations and / or develop strategic plans to enhance organizational cybersecurity resilience.[000109] Thus, the generative sequence processing model can be finetuned to simulate different personas. This can allow the resulting model to produce outputs tailored to meet the needs of various cybersecurity professionals and / or to simulate actions performed by various cybersecurity professionals. The ability of the model to adopt different personas can enhance the utility and applicability of the model in various contexts within the cybersecurity domain. [000110] Figure 4 depicts an example process for performing inference with the finetuned sequence processing model 114 according to example embodiments of the present disclosure. More particularly, once the sequence processing model 114 has been trained, it can be deployed to perform a number of different inference tasks. As shown in Figure 4, to perform an inference task, the sequence processing model 114 can receive and process a model input 402 to generate a model output 404. Due to the broad base of finetuning tasks on which the model 114 has been finetuned, the model 114 can also perform a large number of different inference tasks. Optionally, model 114 may or may not have been further finetuned to adopt a particular persona.[000111] In some implementations, the inference task(s) can be classification task(s). As an example, the model 114 can perform classification of file types. Classification of file types can include automatically classifying an input file into one or more of a number of different file formats based on unique attributes or patterns found within the data. As an example, the model input 402 can include one or more files with unidentified formats, includingdocuments, images, audio files, and / or videos. An example model output 404 can categorize and label each file, e.g., “Document - PDF,” “Image - JPEG,” “Audio - MP3,” and “Video - MP4 ”[000112] As another example, the model 114 can perform malware detection. Performing malware detection can leverage the model 114 to scan, analyze, and determine whether software or a piece of code contains malicious intentions that might jeopardize the safety of digital systems. An example model input 402 can include one or more executable files, some of which may contain hidden malware or spyware components. After analysis, an example model output 404 might flag certain files as “Malicious - Trojan Horse” or “Safe - Standard Executable,” providing an immediate risk assessment for each file. In some implementations, the model output 404 can include a natural language explanation for why a certain classification was given to a file. For example, the model output 404 can describe indicators or other information from or about the file that explains why a certain malware classification was given.[000113] As another example, the model 114 can perform identification of vulnerabilities in code. The model 114 can evaluate code structures to pinpoint possible vulnerabilities that could be potential targets for hackers. An example model input 402 can include one or more software codes, which may or may not have embedded flaws. An example model output 404 can highlight particular segments of the code, marking them as “Vulnerable - SQL Injection Risk” or “Safe - No Detected Vulnerabilities.” This assists developers in taking preemptive actions before deployment. Again, in some implementations, the model output 404 can include a natural language explanation for why a certain classification was given to a file or detected vulnerability.[000114] In some implementations, the inference task(s) can be summarization task(s). As another example, the model 114 can generate executive summaries of threat intelligence or other analyst-generated reports. The generation of executive summaries from threat intelligence can assist decision-makers by distilling intricate cybersecurity intelligence into digestible reports. An example model input 402 can include a detailed, lengthy report on recent cybersecurity breaches, detailing vectors, impacted systems, and potential consequences. An example model output 404 can be a concise executive summary highlighting the primary threat source, the most affected business sectors, key vulnerabilities exploited, and / or recommended preventive measures for businesses.[000115] In some implementations, the model 114 can perform certain tasks (e.g., summarization tasks) with specific organizational data so as to personalize its outputs. Forexample, in some implementations, one or more personalized threat profiles for a particular entity, network, or organization can be incorporated alongside the raw data to be summarized. In this case, the model 114 can specialize the summarization to the specific needs delineated by or inferred from the personalized threat profile(s). For example, the summary generated by the model 114 may ignore threats that are not relevant to the particular organization and focus on those that are highly likely or impactful. As an example, the summary generated by the model 114 may not discuss a certain vulnerability of a software program if the personalized threat profile indicates that the organization does not use that software program. On the other hand, the summary generated by the model 114, may make sure to prominently highlight a new attack tool that has been used by a threat actor to target other similarly-situated organizations.[000116] In some implementations, the model 114 can perform summarization in an iterative, hierarchical approach in which a large set of individual data elements (e.g., alerts) are individually summarized by the model 114 to generate individual alert summaries. Then, the model can re-process all of the individual alerts summaries together to generate a single, more comprehensive summary of the alerts.[000117] As another example, the model 114 can explain malicious scripts. For example, the model can translate technical malicious code behavior into a more digestible understanding. This summarization aids in grasping the true intent and implications of harmful software. An example model input 402 can include a malicious script (e.g., Python script that initiates a keylogger, transmitting logged keystrokes to a remote server). An example model output 404 can include a brief summary stating, “This script is designed to secretly record a user’s keystrokes and send the data to an external server, potentially compromising private information.”[000118] As another example, the model 114 can summarize structured JSON content in natural language. Turning structured JSON content into natural language summaries can help to bridge the gap between machine-readable data and human comprehension, allowing for more straightforward data interpretation. An example model input 402 can include a JSON object like ' {“name”: “Erica”, “age”: 28, “profession”: “Engineer”, “city”: “New York”}' . An example output can include a more comprehensible summary stating, “Erica is a 28-year- old Engineer from New York.”[000119] In some implementations, the inference task(s) can be generation task(s). As one example, the model 114 can generate threat intelligence reports from structured programming language content such as structured JSON files. This task can include the automaticgeneration of comprehensive cybersecurity narratives rooted in structured data such as JSON files. An example model input 402 can include a structured JSON file containing attributes like {“threatActor”: “BT468”, “vector”: “Phishing”, “targetedSector”: “Finance”, “malwareUsed”: “DancingBear”}. An example model output 404 can include a generated report that states “The threat actor BT468 has recently launched a phishing attack targeting the finance sector, deploying the malware known as DancingBear.”[000120] As another example, the model 114 can automatically generate SOAR playbooks. The synthesis of SOAR playbooks by the model 114 can leverage specific parameters to mold a systematic action plan for a SOAR system. An example model input 402 can include parameters such as “Ransomware detection on endpoint”, “Isolate infected machine”, “Scan network for similar threats”, and “Notify IT manager”. An example model output 404 can include a SOAR playbook detailing steps like “ 1. Upon ransomware detection on any endpoint, immediately isolate the infected machine. 2. Initiate a network-wide scan to identify similar threats. 4. Automatically send a notification to the IT manager detailing the incident.”[000121] As another example, the model 114 can convert natural language to domainspecific query languages. This inference task can include translating human-language inquiries into specialized query syntaxes, granting users with minimal technical knowledge the ability to extract data from databases or conduct specialized tasks. An example model input 402 can include a user input that states, “Find all employees in the sales department who started after January 2020.” An example model output 404 can include a translated SQL query like, “SELECT * FROM employees WHERE department = ‘sales’ AND startDate > ‘2020-01-01’.”[000122] As another example, the model 114 can automatically generate computer code for performing various cybersecurity related tasks. For example, the model 114 can automatically generate computer code that, when executed, “fuzzes” an existing set of code (e.g., open source code). This computer code, which can be referred to as a “fuzzer”, can iteratively test or “fuzz” the existing set of code to test for vulnerabilities. An example model input 402 can include the existing set of code and a number of preexisting fuzzing frameworks or libraries. An example model output 404 can include the fuzzer code that, when executed, fuzzes the existing set of code.[000123] In some implementations, the inference task(s) can be content extraction task(s). As one example, the model 114 can extract relevant vulnerability info from blogs into structured representations such as JSON files. The act of extracting vulnerability details fromblog narratives and rendering them into a structured format (e.g., a JSON file) can streamline the process of cybersecurity analysis. This can be helpful for security professionals who need to quickly assimilate information across multiple sources. An example model input 402 can include a blog post detailing, “The latest vulnerability discovered in the Doors Operating System allows unauthorized access to user data. Dubbed ‘OpenDoor,’ this flaw primarily affects version 16 and can be mitigated using the patch released on August 5, 2023.” An example model output 404 can be a structured JSON object such as {“vulnerabilityName”: “OpenDoor”, “affectedSystem”: “Doors OS”, “version”: “16”, “mitigation”: “Patch released on August 5, 2023”}.[000124] As another example, the model 114 can identify important / relevant entities in unstructured natural language content. Extraction of pertinent entities from unstructured natural language material enables a more focused and contextual understanding of the data. In this task, the model 114 can pinpoint specific keywords, names, dates, or other valuable pieces of information in large volumes of text. An example model input 402 can include an article stating, “Moonshot’s Resolution rover successfully landed on Phobos on February 18, 2026, marking a historic moment in space exploration.” An example model output 404 can include extracted entities such as: {“organization”: “Moonshot”, “object”: “Resolution rover”, “event”: “landed”, “location”: “ Phobos”, “date”: “February 18, 2026”}.[000125] As another example, the model 114 can extract relevant information from file metadata. For example, certain malware or other malicious files will be password protected, but will have the password embedded within the filename in an obfuscated manner. As such, an example model input 402 can include a filename. An example model output 404 can include a password that has been extracted from the filename. Extracting passwords in such manner can allow the cybersecurity system to then scan the file to detect malware and take appropriate counter actions. For example, the model 114 can suggest one or more remediations that are appropriate based on the detected malware. For example, the model 114 can select the one or more remediations from a set of possible remediations.[000126] As another example, the model 114 can summarize or extract relevant information from an attack graph. An attack graph can include structured information that describes a series of steps that an attacker would execute to achieve a particular objective. Summarizing or extracting information from an attack graph can assist a user in understanding and avoiding potential threats. An example model input 402 can include a structured attack graph. An example model output 404 can include a natural language summary of the attack graph and / or a list of extracted information such as entities.[000127] Figure 5 illustrates the architecture of a persona-based multi-agent cybersecurity system within a cybersecurity platform 550. This configuration features a Planning Agent 500 that serves as the central hub for coordinating operations among various persona-based models. These models include the SOC Analyst Persona Model 502, the Threat Intelligence Analyst Persona Model 504, the Malware or Code Analyst Persona Model 506, and potentially other Persona Models 508, each fine-tuned to perform specific cybersecurity tasks according to their designated persona, as described with reference to Figure 3.[000128] The Planning Agent 500 is responsible for managing and directing the flow of cybersecurity data 552 to the appropriate persona models and ensuring that the outputs from these models are effectively utilized to generate cybersecurity actions 554. This agent 500 can handle task allocations and prioritize actions based on real-time threat assessments. [000129] In some implementations, each persona model operates either autonomously or semi -autonomously. For example, the SOC Analyst Persona Model 502 can be finetuned to rapidly respond to detected cybersecurity threats by processing real-time data streams and executing predefined response strategies. Meanwhile, the Threat Intelligence Analyst Persona Model 504 can autonomously gather and synthesize extensive cybersecurity data to produce detailed reports that aid in strategic decision-making. The Malware or Code Analyst Persona Model 506 can focus on the technical examination of potentially malicious code, providing insights that help in understanding and mitigating malware infections.[000130] Interactions among these models can be managed through a centralized management system facilitated by the Planning Agent 500 and / or can occur via a distributed framework where models communicate and collaborate directly. This multi-agent setting can enhance the efficiency and effectiveness of cybersecurity operations by allowing a division of labor among specialized models.[000131] In operation, the Planning Agent 500 can receive an input containing cybersecurity data 552, such as, for example, a suspicious network activity alert, and distribute tasks among the persona models based on their specializations. For instance, upon receiving details of suspicious activity, the Planning Agent 500 might engage the SOC Analyst Persona Model 502 for immediate containment actions, while simultaneously involving the Malware or Code Analyst Persona Model 506 for a deeper technical analysis of any associated payloads. Insights from these analyses could then be used by the Threat Intelligence Analyst Persona Model 504 to assess the broader implications of the attack, and recommendations for strategic adjustments could be formulated by consulting a Security Architect Model.[000132] In some implementations, the Planning Agent 500 can synthesize the outputs of various models (received as inputs back to the Agent 500). These inputs can come from the SOC Analyst Model 502, the Malware / Code Analyst Model 506, the Threat Intelligence Analyst Model 504, and the Security Architect Model 508. The Planning Agent 500 can generate a set of output actions 555. These actions can include immediate steps for further containment and eradication of the threat. They can also include longer-term strategic measures to enhance the organization’s overall cybersecurity posture.[000133] As example, the cybersecurity actions 554 generated by the multi-agent system in Figure 5 can encompass a variety of specific measures tailored to counteract identified threats effectively. For example, these actions can include automatically isolating affected network segments to prevent the spread of malware, deploying patches or updates to vulnerable systems, initiating password resets or blocking access for compromised user accounts, and / or configuring firewalls or intrusion detection systems to enhance defenses against detected threats. As further examples, cybersecurity actions 554 can include generating and disseminating alerts to relevant stakeholders about ongoing security incidents, creating detailed incident reports for forensic analysis, and / or recommending strategic changes to cybersecurity policies or practices based on the insights gathered by the persona models.[000134] After an incident, feedback regarding the effectiveness of the deployed actions can be collected and analyzed by the Planning Agent 500. The data can be used to refine the models. This refinement can enhance their accuracy and effectiveness for future incidents. [000135] In some implementations, each model or agent within the cybersecurity platform is finetuned to employ a chain of thought style analysis and / or prompted to follow such an analysis. This enhancement allows the models, such as the SOC Analyst Persona Model 502, the Threat Intelligence Analyst Persona Model 504, and the Malware or Code Analyst Persona Model 506, to effectively handle complex, multi-step cybersecurity problems by outlining their reasoning processes in a step-by-step manner. This method mimics human-like problem-solving, enabling each agent to break down complex cybersecurity scenarios into comprehensible segments and provide detailed rationales for their decisions. Such capabilities increase transparency and trust in these systems.[000136] In some implementations, each model in the system is finetuned to meet performance standards based on a rubric developed by subject matter experts. These rubrics define specific criteria and benchmarks that encapsulate the essential skills and knowledge required for each persona. Aligning the finetuning process with these expert-defined rubricsensures that each model not only performs tasks autonomously but also meets the high standards of performance expected in real-world operations.[000137] In some implementations, the Planning Agent 500 can include a machine-learned model trained to assess situations and manage resource allocation among the agents efficiently. In some implementations, the behavior of the agents can be regulated through a framework of prompts, constraints, rubrics, and / or guiding agents, ensuring each operates within predefined operational boundaries and aligns with organizational policies.[000138] In some implementations, the Planning Agent 500 can utilize a tool use framework to effectively manage and direct the activities of other agents such as the SOC Analyst Persona Model 502, the Threat Intelligence Analyst Persona Model 504, and the Malware or Code Analyst Persona Model 506. This framework is akin to how tools function with large language models (LLMs), where tools are essentially functions or APIs that the LLM can call to perform specific tasks. For example, the Planning Agent 500 can call the other models such as the SOC Analyst Persona Model 502 or the Threat Intelligence Analyst Persona Model 504 using APIs. These API calls can be dynamically generated as outputs of the Planning Agent 500, ensuring that the appropriate model is activated based on real-time analysis and situational demands.[000139] In some implementations, the various generative sequence processing models associated with the different agents, such as the SOC Analyst Persona Model 502, the Threat Intelligence Analyst Persona Model 504, and the Malware or Code Analyst Persona Model 506, are initially forked from a common pre-trained model. This foundational model provides a broad base of general capabilities which are then specialized through the use of parameterefficient adapters. These adapters selectively finetune each forked model to enhance specific capabilities relevant to their respective personas within the cybersecurity platform.[000140] Thus, Figure 5 illustrates a persona-based multi-agent cybersecurity system. The system can exhibit collaborative functionality. Each component or model within the system can be specialized to perform distinct tasks. These tasks can align with various roles commonly found in cybersecurity operations. The integration of these models under the oversight of the Planning Agent 500 can ensure a cohesive and comprehensive approach to managing cybersecurity threats.[000141] Although Figure 5 illustrates an example platform that leverages a centralized planning approach, other example implementations can leverage a distributed planning approach. In such a distributed setting, each agent within the cybersecurity platform can autonomously interact with other agents without a centralized control entity. This allows fordynamic problem-solving where tasks can be subdivided and allocated among agents based on real-time needs and agent specialties.[000142] In this distributed model, each persona-based agent can function independently as a planning agent, capable of initiating communication with other agents to request information or actions that are outside its own scope of expertise. For instance, a malware or code analyst persona might detect an anomaly in a code sequence and could then interact directly with a threat intelligence analyst persona to understand if similar patterns have been observed in recent cybersecurity threats. This direct agent-to-agent interaction facilitates a more flexible and responsive approach to threat detection and response, as agents can dynamically collaborate based on the context of the situation.[000143] Moreover, in some implementations, these agents can operate recursively, meaning that an agent tasked with a complex problem can subdivide the problem into smaller, more manageable tasks and delegate these to other agents or even to itself in a different capacity. This recursive subdivision allows the platform to scale its problem-solving capabilities dynamically, adjusting to the complexity and urgency of the threats it encounters. [000144] Figure 6 depicts a flowchart of a method 600 for training one or more machine- learned models according to aspects of the present disclosure. For instance, an example machine-learned model can include a generative sequence processing model.[000145] One or more portion(s) of example method 600 can be implemented by a computing system that includes one or more computing devices such as, for example, computing systems described with reference to the other figures. Each respective portion of example method 600 can be performed by any (or any combination) of one or more computing devices. Moreover, one or more portion(s) of example method 600 can be implemented on the hardware components of the device(s) described herein, for example, to train one or more systems or models. Figure 6 depicts elements performed in a particular order for purposes of illustration and discussion. Those of ordinary skill in the art, using the disclosures provided herein, will understand that the elements of any of the methods discussed herein can be adapted, rearranged, expanded, omitted, combined, or modified in various ways without deviating from the scope of the present disclosure. Figure 6 is described with reference to elements / terms described with respect to other systems and figures for exemplary illustrated purposes and is not meant to be limiting. One or more portions of example method 600 can be performed additionally, or alternatively, by other systems.[000146] At 602, example method 600 can include obtaining a training instance. A set of training data can include a plurality of training instances divided between multiple datasets(e.g., a training dataset, a validation dataset, or testing dataset). A training instance can be labeled or unlabeled. Although referred to in example method 600 as a “training” instance, it is to be understood that runtime inferences can form training instances when a model is trained using an evaluation of the model’s performance on that runtime instance (e.g., online training / learning). Example data types for the training instance and various tasks associated therewith are described throughout the present disclosure.[000147] At 604, example method 600 can include processing, using one or more machine- learned models, the training instance to generate an output. The output can be directly obtained from the one or more machine-learned models or can be a downstream result of a chain of processing operations that includes an output of the one or more machine-learned models.[000148] At 606, example method 600 can include receiving an evaluation signal associated with the output. The evaluation signal can be obtained using a loss function. Various determinations of loss can be used, such as mean squared error, likelihood loss, cross entropy loss, hinge loss, contrastive loss, or various other loss functions. The evaluation signal can be computed using known ground-truth labels (e.g., supervised learning), predicted or estimated labels (e.g., semi- or self-supervised learning), or without labels (e.g., unsupervised learning). The evaluation signal can be a reward (e.g., for reinforcement learning). The reward can be computed using a machine-learned reward model configured to generate rewards based on output(s) received. The reward can be computed using feedback data describing human feedback on the output(s).[000149] At 608, example method 600 can include updating the machine-learned model using the evaluation signal. For example, values for parameters of the machine-learned model(s) can be learned, in some embodiments, using various training or learning techniques, such as, for example, backwards propagation. For example, the evaluation signal can be backpropagated from the output (or another source of the evaluation signal) through the machine-learned model(s) to update one or more parameters of the model(s) (e.g., based on a gradient of the evaluation signal with respect to the parameter value(s)). For example, system(s) containing one or more machine-learned models can be trained in an end-to-end manner. Gradient descent techniques can be used to iteratively update the parameters over a number of training iterations. In some implementations, performing backwards propagation of errors can include performing truncated backpropagation through time. Example method 600 can include implementing a number of generalization techniques (e.g., weight decays, dropouts, etc.) to improve the generalization capability of the models being trained.[000150] In some implementations, example method 600 can be implemented for training a machine-learned model from an initialized state to a fully trained state (e.g., when the model exhibits a desired performance profile, such as based on accuracy, precision, recall, etc.).[000151] In some implementations, example method 600 can be implemented for particular stages of a training procedure. For instance, in some implementations, example method 600 can be implemented for pre-training a machine-learned model. Pre-training can include, for instance, large-scale training over potentially noisy data to achieve a broad base of performance levels across a variety of tasks / data types.[000152] In some implementations, example method 600 can be implemented for finetuning a machine-learned model. Fine-tuning can include, for instance, smaller-scale training on higher-quality (e.g., labeled, curated, etc.) data. Fine-tuning can affect all or a portion of the parameters of a machine-learned model. For example, various portions of the machine- learned model can be “frozen” for certain training stages. For example, parameters associated with an embedding space can be “frozen” during fine-tuning (e.g., to retain information learned from a broader domain(s) than present in the fine-tuning dataset(s)). In some implementations, example method 600 uses adapter modules. Adapters can be small trainable layers that are inserted between pre-existing layers of a pre-trained model. During the finetuning process, the original parameters of the pre-trained model are typically frozen, and only the parameters of the adapters are updated.[000153] In some implementations, example method 600 can be implemented to execute parameter-efficient fine-tuning methods, such as Layerwise Optimization of Residuals (LoRA). LoRA can refine pre-trained models with minimal adjustments to the original parameters. This can be achieved by introducing trainable low-rank matrices that modify the behavior of the pre-trained weights without directly altering them. In some implementations, during fine-tuning, only these auxiliary matrices are updated, which significantly reduces the number of parameters that are trained.[000154] An example fine-tuning approach includes reinforcement learning. Reinforcement learning can be based on user feedback on model performance during use. [000155] Figure 7 is a block diagram of an example processing flow for using machine- learned model(s) 1 to process input(s) 2 to generate output(s) 3.[000156] Machine-learned model(s) 1 can be or include one or multiple machine-learned models or model components. Example machine-learned models can include neural networks (e.g., deep neural networks). Example machine-learned models can include non-linear models or linear models. Example machine-learned models can use other architectures in lieu of or inaddition to neural networks. Example machine-learned models can include decision tree based models, support vector machines, hidden Markov models, Bayesian networks, linear regression models, k-means clustering models, etc.[000157] Machine-learned model(s) 1 can be or include, or otherwise be representative of any one or more of the machine-learned models described above with respect to the preceding figures. For example, machine-learned model(s) 1 can be or include, or otherwise be representative of any one or more of generative sequence processing models, etc. Although various features, variations, and implementations described below are described with respect to machine-learned model(s) 1, it is to be understood that such features, variations, and implementations are to be understood as described with respect to each of generative sequence processing models, etc., any other machine-learned component described herein.[000158] Example neural networks can include feed-forward neural networks, recurrent neural networks (RNNs), including long short-term memory (LSTM) based recurrent neural networks, convolutional neural networks (CNNs), diffusion models, generative-adversarial networks, or other forms of neural networks. Example neural networks can be deep neural networks. Some example machine-learned models can leverage an attention mechanism such as self-attention. For example, some example machine-learned models can include multiheaded self-attention models.[000159] Machine-learned model(s) 1 can include a single or multiple instances of the same model configured to operate on data from input(s) 2. Machine-learned model(s) 1 can include multiple different models or multiple different model portions configured to operate on data from input(s) 2.[000160] Machine-learned model(s) 1 can include an ensemble of different models that can cooperatively interact to process data from input(s) 2. For example, a model ensemble can include multiple models that have different attributes (e.g., different architectures, trained with different recipes, etc.). The ensemble can output an overall output based on the individual outputs of the constituent models. In this manner, for instance, the diverse constituent models can work together to provide system-level robustness by effectively aggregating over individual strengths and weaknesses of any given model. The respective individual outputs can be combined in a weighted combination, using a voting or routing mechanism, or a learned output layer (e.g., one or more feedforward or fully-connected layers).[000161] Machine-learned model(s) 1 can employ a mixture-of-experts structure. See, e.g, Zhou et al., Mixture-of-Experts with Expert Choice Routing, ARXIV:2202.09368V2 (Oct. 14, 2022). For example, different portions of a model can learn (explicitly or implicitly) different expertise areas, with pathways through the model being selected by a learned routing mechanism that engages the appropriate expert for a given input (e.g., a given portion of an input, such as on a per-token basis). For example, a feedforward network can be sparsely activated for a given portion of an input based on an output of a routing mechanism that processes the portion of the input. In this manner, for instance, the group of activated weights can form an “expert” that is selected by the router. On each forward pass, only a subset of the total model weights may be engaged, thereby decreasing a quantity of operations performed for processing a given input compared to a densely activated model. In this manner, for instance, the expressive and interpretive power of a high-parameter-count model can be achieved with more compute-efficient forward passes.[000162] Input(s) 2 can generally include or otherwise represent various types of data. Input(s) 2 can include one type or many different types of data. Output(s) 3 can be data of the same type(s) or of different types of data as compared to input(s) 2. Output(s) 3 can include one type or many different types of data.[000163] Example data types for input(s) 2 or output(s) 3 include natural language text data, software code data (e.g., source code, object code, machine code, or any other form of computer-readable instructions or programming languages), machine code data (e.g., binary code, assembly code, or other forms of machine-readable instructions that can be executed directly by a computer's central processing unit), assembly code data (e.g., low-level programming languages that use symbolic representations of machine code instructions to program a processing unit), genetic data or other chemical or biochemical data, image data, audio data, audiovisual data, haptic data, biometric data, medical data, financial data, statistical data, geographical data, astronomical data, historical data, sensor data generally (e.g., digital or analog values, such as voltage or other absolute or relative level measurement values from a real or artificial input, such as from an audio sensor, light sensor, displacement sensor, etc.), and the like. Data can be raw or processed and can be in any format or schema. [000164] In multimodal inputs 2 or outputs 3, example combinations of data types include image data and audio data, image data and natural language data, natural language data and software code data, image data and biometric data, sensor data and medical data, etc. It is to be understood that any combination of data types in an input 2 or an output 3 can be present.[000165] An example input 2 can include one or multiple data types, such as the example data types noted above. An example output 3 can include one or multiple data types, such as the example data types noted above. The data type(s) of input 2 can be the same as or different from the data type(s) of output 3. It is to be understood that the example data types noted above are provided for illustrative purposes only. Data types contemplated within the scope of the present disclosure are not limited to those examples noted above.[000166] Figure 8 is a block diagram of an example implementation of an example machine-learned model configured to process sequences of information. For instance, an example implementation of machine-learned model(s) 1 can include machine-learned sequence processing model(s) 4. An example system can pass input(s) 2 to sequence processing model(s) 4. Sequence processing model(s) 4 can include one or more machine- learned components. Sequence processing model(s) 4 can process the data from input(s) 2 to obtain an input sequence 5. Input sequence 5 can include one or more input elements 5-1, 5- 2, . . . , 5-A , etc. obtained from input(s) 2. Sequence processing model 4 can process input sequence 5 using prediction layer(s) 6 to generate an output sequence 7. Output sequence 7 can include one or more output elements 7-1, 7-2, . . . , 7 -A, etc. generated based on input sequence 5. The system can generate output(s) 3 based on output sequence 7.[000167] Sequence processing model(s) 4 can include one or multiple machine-learned model components configured to ingest, generate, or otherwise reason over sequences of information. For example, some example sequence processing models in the text domain are referred to as “Large Language Models,” or LLMs. See, e.g., PaLM 2 Technical Report, GOOGLE, https: / / ai.google / static / documents / palm2techreport.pdf (n.d.). Other example sequence processing models can operate in other domains, such as image domains, see, e.g., Dosovitskiy et al., An Image is Worth 16x16 Words: Transformers for Image Recognition at Scale, ARXIV:2010.11929v2 (Jun. 3, 2021), audio domains, see, e.g., Agostinelli et al., MusicLM: Generating Music From Text, ARXIV:2301.1 1325V1 (Jan. 26, 2023), biochemical domains, see, e.g., Jumper et al., Highly accurate protein structure prediction with AlphaFold, 596 Nature 583 (Aug. 26, 2021), by way of example. Sequence processing model(s) 4 can process one or multiple types of data simultaneously. Sequence processing model(s) 4 can include relatively large models (e.g., more parameters, computationally expensive, etc.), relatively small models (e.g., fewer parameters, computationally lightweight, etc.), or both. [000168] In general, sequence processing model(s) 4 can obtain input sequence 5 using data from input(s) 2. For instance, input sequence 5 can include a representation of data from input(s) 2 in a format understood by sequence processing model(s) 4. One or more machine-learned components of sequence processing model(s) 4 can ingest the data from input(s) 2, parse the data into pieces compatible with the processing architectures of sequence processing model(s) 4 (e.g., via “tokenization”), and project the pieces into an input space associated with prediction layer(s) 6 (e.g., via “embedding”).[000169] Sequence processing model(s) 4 can ingest the data from input(s) 2 and parse the data into a sequence of elements to obtain input sequence 5. For example, a portion of input data from input(s) 2 can be broken down into pieces that collectively represent the content of the portion of the input data. The pieces can provide the elements of the sequence.[000170] Elements 5-1, 5-2, . . . , 5-M can represent, in some cases, building blocks for capturing or expressing meaningful information in a particular data domain. For instance, the elements can describe “atomic units” across one or more domains. For example, for textual input source(s), the elements can correspond to groups of one or more words or sub-word components, such as sets of one or more characters.[000171] For example, elements 5-1, 5-2, . . . , 5-M can represent tokens obtained using a tokenizer. For instance, a tokenizer can process a given portion of an input source and output a series of tokens (e.g., corresponding to input elements 5-1, 5-2, . . . , 5-AT) that represent the portion of the input source. Various approaches to tokenization can be used. For instance, textual input source(s) can be tokenized using a byte-pair encoding (BPE) technique. See, e.g., Kudo et al., SentencePiece: A simple and language independent subword tokenizer and detokenizer for Neural Text Processing, PROCEEDINGS OF THE 2018 CONFERENCE ON EMPIRICAL METHODS IN NATURAL LANGUAGE PROCESSING (System Demonstrations), pages 66-71 (October 31-November 4, 2018), https: / / aclanthology.org / D18-2012.pdf. Image-based input source(s) can be tokenized by extracting and serializing patches from an image.[000172] In general, arbitrary data types can be serialized and processed into input sequence 5. It is to be understood that element(s) 5-1, 5-2, . . . , 5-M depicted in Figure 8 can be the tokens or can be the embedded representations thereof.[000173] Prediction layer(s) 6 can predict one or more output elements 7-1, 7-2, . . . , 1-N based on the input elements. Prediction layer(s) 6 can include one or more machine-learned model architectures, such as one or more layers of learned parameters that manipulate and transform the input(s) to extract higher-order meaning from, and relationships between, input element(s) 5-1, 5-2, . . . , 5-M. In this manner, for instance, example prediction layer(s) 6 can predict new output element(s) in view of the context provided by input sequence 5.[000174] Prediction layer(s) 6 can evaluate associations between portions of input sequence 5 and a particular output element. These associations can inform a prediction of thelikelihood that a particular output follows the input context. For example, consider the textual snippet, “The carpenter’s toolbox was small and heavy. It was full of .” Example prediction layer(s) 6 can identify that “It” refers back to “toolbox” by determining a relationship between the respective embeddings. Example prediction layer(s) 6 can also link “It” to the attributes of the toolbox, such as “small” and “heavy.” Based on these associations, prediction layer(s) 6 can, for instance, assign a higher probability to the word “nails” than to the word “sawdust.”[000175] A transformer is an example architecture that can be used in prediction layer(s) 4. See, e.g., Vaswani et al., Attention Is All You Need, ARXIV: 1706.03762V7 (Aug. 2, 2023). A transformer is an example of a machine-learned model architecture that uses an attention mechanism to compute associations between items within a context window. The context window can include a sequence that contains input sequence 5 and potentially one or more output element(s) 7-1, 7-2, . . . , 1-N. A transformer block can include one or more attention layer(s) and one or more post-attention layer(s) (e.g., feedforward layer(s), such as a multilayer perceptron).[000176] Prediction layer(s) 6 can include other machine-learned model architectures in addition to or in lieu of transformer-based architectures. For example, recurrent neural networks (RNNs) and long short-term memory (LSTM) models can also be used, as well as convolutional neural networks (CNNs). In general, prediction layer(s) 6 can leverage various kinds of artificial neural networks that can understand or generate sequences of information. [000177] Output sequence 7 can include or otherwise represent the same or different data types as input sequence 5. For instance, input sequence 5 can represent textual data, and output sequence 7 can represent textual data. Input sequence 5 can represent image, audio, or audiovisual data, and output sequence 7 can represent textual data (e.g., describing the image, audio, or audiovisual data). It is to be understood that prediction layer(s) 6, and any other interstitial model components of sequence processing model(s) 4, can be configured to receive a variety of data types in input sequence(s) 5 and output a variety of data types in output sequence(s) 7.[000178] Output sequence 7 can have various relationships to input sequence 5. Output sequence 7 can be a continuation of input sequence 5. Output sequence 7 can be complementary to input sequence 5. Output sequence 7 can translate, transform, augment, or otherwise modify input sequence 5. Output sequence 7 can answer, evaluate, confirm, or otherwise respond to input sequence 5. Output sequence 7 can implement (or describe instructions for implementing) an instruction provided via input sequence 5.[000179] Output sequence 7 can be generated autoregressively. For instance, for some applications, an output of one or more prediction layer(s) 6 can be passed through one or more output layers (e.g., softmax layer) to obtain a probability distribution over an output vocabulary (e.g., a textual or symbolic vocabulary) conditioned on a set of input elements in a context window. In this manner, for instance, output sequence 7 can be autoregressively generated by sampling a likely next output element, adding that element to the context window, and re-generating the probability distribution based on the updated context window, and sampling a likely next output element, and so forth.[000180] Output sequence 7 can also be generated non-autoregressively. For instance, multiple output elements of output sequence 7 can be predicted together without explicit sequential conditioning on each other. See, e.g., Saharia et al., Non-Autoregressive Machine Translation with Latent Alignments, ARXIV:2004.07437V3 (NOV. 16, 2020).[000181] Output sequence 7 can include one or multiple portions or elements. In an example content generation configuration, output sequence 7 can include multiple elements corresponding to multiple portions of a generated output sequence (e.g., a textual sentence, values of a discretized waveform, computer code, etc.). In an example classification configuration, output sequence 7 can include a single element associated with a classification output. For instance, an output “vocabulary” can include a set of classes into which an input sequence is to be classified. For instance, a vision transformer block can pass latent state information to a multilayer perceptron that outputs a likely class value associated with an input image.[000182] Figure 9 is a block diagram of an example technique for populating an example input sequence 8. Input sequence 8 can include various functional elements that form part of the model infrastructure, such as an element 8-0 obtained from a task indicator 9 that signals to any model(s) that process input sequence 8 that a particular task is being performed (e.g., to help adapt a performance of the model(s) to that particular task). Input sequence 8 can include various data elements from different data modalities. For instance, an input modality 10-1 can include one modality of data. A data-to- sequence model 11-1 can process data from input modality 10-1 to project the data into a format compatible with input sequence 8 (e.g., one or more vectors dimensioned according to the dimensions of input sequence 8) to obtain elements 8-1, 8-2, 8-3. Another input modality 10-2 can include a different modality of data. A data-to-sequence model 11-2 can project data from input modality 10-2 into a format compatible with input sequence 8 to obtain elements 8-4, 8-5, 8-6. Another input modality 10-3 can include yet another different modality of data. A data-to-sequence model 11-3 canproject data from input modality 10-3 into a format compatible with input sequence 8 to obtain elements 8-7, 8-8, 8-9.[000183] Input sequence 8 can be the same as or different from input sequence 5. Input sequence 8 can be a multimodal input sequence that contains elements that represent data from different modalities using a common dimensional representation. For instance, an embedding space can have P dimensions. Input sequence 8 can be configured to contain a plurality of elements that have / Jdimensions. In this manner, for instance, example implementations can facilitate information extraction and reasoning across diverse data modalities by projecting data into elements in the same embedding space for comparison, combination, or other computations therebetween.[000184] For example, elements 8-0, . . . , 8-9 can indicate particular locations within a multidimensional embedding space. Some elements can map to a set of discrete locations in the embedding space. For instance, elements that correspond to discrete members of a predetermined vocabulary of tokens can map to discrete locations in the embedding space that are associated with those tokens. Other elements can be continuously distributed across the embedding space. For instance, some data types can be broken down into continuously defined portions (e.g., image patches) that can be described using continuously distributed locations within the embedding space.[000185] In some implementations, the expressive power of the embedding space may not be limited to meanings associated with any particular set of tokens or other building blocks. For example, a continuous embedding space can encode a spectrum of high-order information. An individual piece of information (e.g., a token) can map to a particular point in that space: for instance, a token for the word “dog” can be projected to an embedded value that points to a particular location in the embedding space associated with canine-related information. Similarly, an image patch of an image of a dog on grass can also be projected into the embedding space. In some implementations, the projection of the image of the dog can be similar to the projection of the word “dog” while also having similarity to a projection of the word “grass,” while potentially being different from both. In some implementations, the projection of the image patch may not exactly align with any single projection of a single word. In some implementations, the projection of the image patch can align with a combination of the projections of the words “dog” and “grass.” In this manner, for instance, a high-order embedding space can encode information that can be independent of data modalities in which the information is expressed.[000186] Task indicator 9 can include a model or model component configured to identify a task being performed and inject, into input sequence 8, an input value represented by element 8-0 that signals which task is being performed. For instance, the input value can be provided as a data type associated with an input modality and projected along with that input modality (e.g., the input value can be a textual task label that is embedded along with other textual data in the input; the input value can be a pixel-based representation of a task that is embedded along with other image data in the input; etc.). The input value can be provided as a data type that differs from or is at least independent from other input(s). For instance, the input value represented by element 8-0 can be a learned within a continuous embedding space.[000187] Input modalities 10-1, 10-2, and 10-3 can be associated with various different data types (e.g., as described above with respect to input(s) 2 and output(s) 3).[000188] Data-to-sequence models 11-1, 11-2, and 11-3 can be the same or different from each other. Data-to-sequence models 11-1, 11-2, and 11-3 can be adapted to each respective input modality 10-1, 10-2, and 10-3. For example, a textual data-to-sequence model can subdivide a portion of input text and project the subdivisions into element(s) in input sequence 8 (e.g., elements 8-1, 8-2, 8-3, etc.). An image data-to-sequence model can subdivide an input image and project the subdivisions into element(s) in input sequence 8 (e.g., elements 8-4, 8-5, 8-6, etc.). An arbitrary datatype data-to-sequence model can subdivide an input of that arbitrary datatype and project the subdivisions into element(s) in input sequence 8 (e.g., elements 8-7, 8-8, 8-9, etc.).[000189] Data-to-sequence models 11-1, 11-2, and 11-3 can form part of machine-learned sequence processing model(s) 4. Data-to-sequence models 11-1, 11-2, and 11-3 can be jointly trained with or trained independently from machine-learned sequence processing model(s) 4. Data-to-sequence models 11-1, 11-2, and 11-3 can be trained end-to-end with machine- learned sequence processing model(s) 4.[000190] Figure 10 is a block diagram of an example model development platform 12 that can facilitate creation, adaptation, and refinement of example machine-learned models (e.g., machine-learned model(s) 1, sequence processing model(s) 4, etc.). Model development platform 12 can provide a number of different toolkits that developer systems can employ in the development of new or adapted machine-learned models.[000191] Model development platform 12 can provide one or more model libraries 13 containing building blocks for new models. Model libraries 13 can include one or more pretrained foundational models 13-1, which can provide a backbone of processing power acrossvarious tasks. Model libraries 13 can include one or more pre-trained expert models 13-2, which can be focused on performance in particular domains of expertise. Model libraries 13 can include various model primitives 13-3, which can provide low-level architectures or components (optionally pre-trained), which can be assembled in various arrangements as desired. Model primitives 13-3 can include a library of pre-trained adapters or LoRA modules that can adapt a baseline foundational model to align its outputs with a desired performance profile, augment model capabilities (e.g., to adapt to a different input modality, etc.), and the like.[000192] Model development platform 12 can receive selections of various model components 14. Model development platform 12 can pass selected model components 14 to a workbench 15 that combines selected model components 14 into a development model 16. [000193] Workbench 15 can facilitate further refinement and adaptation of development model 16 by leveraging a number of different toolkits integrated with model development platform 12. For example, workbench 15 can facilitate alignment of the development model 16 with a desired performance profile on various tasks using a model alignment toolkit 17. [000194] Model alignment toolkit 17 can provide a number of tools for causing development model 16 to generate outputs aligned with desired behavioral characteristics. Alignment can include increasing an accuracy, precision, recall, etc. of model outputs.Alignment can include enforcing output styles, schema, or other preferential characteristics of model outputs. Alignment can be general or domain-specific. For instance, a pre-trained foundational model 13-1 can begin with an initial level of performance across multiple domains. Alignment of the pre-trained foundational model 13-1 can include improving a performance in a particular domain of information or tasks (e.g., even at the expense of performance in another domain of information or tasks).[000195] Model alignment toolkit 17 can integrate one or more dataset(s) 17-1 for aligning development model 16. Curated dataset(s) 17-1 can include labeled or unlabeled training data. Dataset(s) 17-1 can be obtained from public domain datasets. Dataset(s) 17-1 can be obtained from private datasets associated with one or more developer system(s) for the alignment of bespoke machine-learned model(s) customized for private use-cases.[000196] Pre-training pipelines 17-2 can include a machine-learned model training workflow configured to update development model 16 over large-scale, potentially noisy datasets. For example, pre-training can leverage unsupervised learning techniques (e.g., denoising, etc.) to process large numbers of training instances to update model parameters from an initialized state and achieve a desired baseline performance. Pre-training pipelines 17-2can leverage unlabeled datasets in dataset(s) 17-1 to perform pre-training. Workbench 15 can implement a pre-training pipeline 17-2 to pre-train development model 16.[000197] Fine-tuning pipelines 17-3 can include a machine-learned model training workflow configured to refine the model parameters of development model 16 with higher- quality data. Fine-tuning pipelines 17-3 can update development model 16 by conducting supervised training with labeled dataset(s) in dataset(s) 17-1. Fine-tuning pipelines 17-3 can update development model 16 by conducting reinforcement learning using reward signals from user feedback signals. Workbench 15 can implement a fine-tuning pipeline 17-3 to finetune development model 16.[000198] Prompt libraries 17-4 can include sets of inputs configured to induce behavior aligned with desired performance criteria. Prompt libraries 17-4 can include few-shot prompts (e.g., inputs providing examples of desired model outputs for prepending to a desired runtime query), chain-of-thought prompts (e.g., inputs providing step-by-step reasoning within the exemplars to facilitate thorough reasoning by the model), and the like.[000199] Example prompts can be retrieved from an available repository of prompt libraries 17-4. Example prompts can be contributed by one or more developer systems using workbench 15.[000200] In some implementations, pre-trained or fine-tuned models can achieve satisfactory performance without exemplars in the inputs. For instance, zero-shot prompts can include inputs that lack exemplars. Zero-shot prompts can be within a domain within a training dataset or outside of the training domain(s).[000201] Prompt libraries 17-4 can include one or more prompt engineering tools. Prompt engineering tools can provide workflows for retrieving or learning optimized prompt values. Prompt engineering tools can facilitate directly learning prompt values (e.g., input element values) based one or more training iterations. Workbench 15 can implement prompt engineering tools in development model 16.[000202] Prompt libraries 17-4 can include pipelines for prompt generation. For example, inputs can be generated using development model 16 itself or other machine-learned models. In this manner, for instance, a first model can process information about a task and output a input for a second model to process in order to perform a step of the task. The second model can be the same as or different from the first model. Workbench 15 can implement prompt generation pipelines in development model 16.[000203] Prompt libraries 17-4 can include pipelines for context injection. For instance, a performance of development model 16 on a particular task can improve if provided withadditional context for performing the task. Prompt libraries 17-4 can include software components configured to identify desired context, retrieve the context from an external source (e.g., a database, a sensor, etc.), and add the context to the input prompt. Workbench 15 can implement context injection pipelines in development model 16.[000204] Although various training examples described herein with respect to model development platform 12 refer to “pre-training” and “fine-tuning,” it is to be understood that model alignment toolkit 17 can generally support a wide variety of training techniques adapted for training a wide variety of machine-learned models. Example training techniques can correspond to the example training method 600 described above.[000205] Model development platform 12 can include a model plugin toolkit 18. Model plugin toolkit 18 can include a variety of tools configured for augmenting the functionality of a machine-learned model by integrating the machine-learned model with other systems, devices, and software components. For instance, a machine-learned model can use tools to increase performance quality where appropriate. For instance, deterministic tasks can be offloaded to dedicated tools in lieu of probabilistically performing the task with an increased risk of error. For instance, instead of autoregressively predicting the solution to a system of equations, a machine-learned model can recognize a tool to call for obtaining the solution and pass the system of equations to the appropriate tool. The tool can be a traditional system of equations solver that can operate deterministically to resolve the system of equations. The output of the tool can be returned in response to the original query. In this manner, tool use can allow some example models to focus on the strengths of machine-learned models — e.g., understanding an intent in an unstructured request for a task — while augmenting the performance of the model by offloading certain tasks to a more focused tool for rote application of deterministic algorithms to a well-defined problem.[000206] Model plugin toolkit 18 can include validation tools 18-1. Validation tools 18-1 can include tools that can parse and confirm output(s) of a machine-learned model. Validation tools 18-1 can include engineered heuristics that establish certain thresholds applied to model outputs. For example, validation tools 18-1 can ground the outputs of machine-learned models to structured data sources (e.g., to mitigate “hallucinations”). [000207] Model plugin toolkit 18 can include tooling packages 18-2 for implementing one or more tools that can include scripts or other executable code that can be executed alongside development model 16. Tooling packages 18-2 can include one or more inputs configured to cause machine-learned model(s) to implement the tools (e.g., few-shot prompts that induce amodel to output tool calls in the proper syntax, etc.). Tooling packages 18-2 can include, for instance, fine-tuning training data for training a model to use a tool.[000208] Model plugin toolkit 18 can include interfaces for calling external application programming interfaces (APIs) 18-3. For instance, in addition to or in lieu of implementing tool calls or tool code directly with development model 16, development model 16 can be aligned to output instruction that initiate API calls to send or obtain data via external systems. [000209] Model plugin toolkit 18 can integrate with prompt libraries 17-4 to build a catalog of available tools for use with development model 16. For instance, a model can receive, in an input, a catalog of available tools, and the model can generate an output that selects a tool from the available tools and initiates a tool call for using the tool.[000210] Model development platform 12 can include a computational optimization toolkit 19 for optimizing a computational performance of development model 16. For instance, tools for model compression 19-1 can allow development model 16 to be reduced in size while maintaining a desired level of performance. For instance, model compression 19-1 can include quantization workflows, weight pruning and sparsification techniques, etc. Tools for hardware acceleration 19-2 can facilitate the configuration of the model storage and execution formats to operate optimally on different hardware resources. For instance, hardware acceleration 19-2 can include tools for optimally sharding models for distributed processing over multiple processing units for increased bandwidth, lower unified memory requirements, etc. Tools for distillation 19-3 can provide for the training of lighter-weight models based on the knowledge encoded in development model 16. For instance, development model 16 can be a highly performant, large machine-learned model optimized using model development platform 12. To obtain a lightweight model for running in resource-constrained environments, a smaller model can be a “student model” that learns to imitate development model 16 as a “teacher model.” In this manner, for instance, the investment in learning the parameters and configurations of development model 16 can be efficiently transferred to a smaller model for more efficient inference.[000211] Workbench 15 can implement one, multiple, or none of the toolkits implemented in model development platform 12. Workbench 15 can output an output model 20 based on development model 16. Output model 20 can be a deployment version of development model 16. Output model 20 can be a development or training checkpoint of development model 16. Output model 20 can be a distilled, compressed, or otherwise optimized version of development model 16.[000212] Figure 11 is a block diagram of an example training flow for training a machine- learned development model 16. One or more portion(s) of the example training flow can be implemented by a computing system that includes one or more computing devices such as, for example, computing systems described with reference to the other figures. Each respective portion of the example training flow can be performed by any (or any combination) of one or more computing devices. Moreover, one or more portion(s) of the example training flow can be implemented on the hardware components of the device(s) described herein, for example, to train one or more systems or models. FIG. 11 depicts elements performed in a particular order for purposes of illustration and discussion. Those of ordinary skill in the art, using the disclosures provided herein, will understand that the elements of any of the methods discussed herein can be adapted, rearranged, expanded, omitted, combined, or modified in various ways without deviating from the scope of the present disclosure. FIG. 11 is described with reference to elements / terms described with respect to other systems and figures for exemplary illustrated purposes and is not meant to be limiting. One or more portions of the example training flow can be performed additionally, or alternatively, by other systems.[000213] Initially, development model 16 can persist in an initial state as an initialized model 21. Development model 16 can be initialized with weight values. Initial weight values can be random or based on an initialization schema. Initial weight values can be based on prior pre-training for the same or for a different model.[000214] Initialized model 21 can undergo pre-training in a pre-training stage 22. Pretraining stage 22 can be implemented using one or more pre-training pipelines 17-2 over data from dataset(s) 17-1. Pre-training can be omitted, for example, if initialized model 21 is already pre-trained (e.g., development model 16 contains, is, or is based on a pre-trained foundational model or an expert model).[000215] Pre-trained model 23 can then be a new version of development model 16, which can persist as development model 16 or as a new development model. Pre-trained model 23 can be the initial state if development model 16 was already pre-trained. Pre-trained model 23 can undergo fine-tuning in a fine-tuning stage 24. Fine-tuning stage 24 can be implemented using one or more fine-tuning pipelines 17-3 over data from dataset(s) 17-1. Fine-tuning can be omitted, for example, if a pre-trained model as satisfactory performance, if the model was already fine-tuned, or if other tuning approaches are preferred.[000216] Fine-tuned model 29 can then be a new version of development model 16, which can persist as development model 16 or as a new development model. Fine-tuned model 29can be the initial state if development model 16 was already fine-tuned. Fine-tuned model 29 can undergo refinement with user feedback 26. For instance, refinement with user feedback 26 can include reinforcement learning, optionally based on human feedback from human users of fine-tuned model 25. As reinforcement learning can be a form of fine-tuning, it is to be understood that fine-tuning stage 24 can subsume the stage for refining with user feedback 26. Refinement with user feedback 26 can produce a refined model 27. Refined model 27 can be output to downstream system(s) 28 for deployment or further development.[000217] In some implementations, computational optimization operations can be applied before, during, or after each stage. For instance, initialized model 21 can undergo computational optimization 29-1 (e.g., using computational optimization toolkit 19) before pre-training stage 22. Pre-trained model 23 can undergo computational optimization 29-2 (e.g., using computational optimization toolkit 19) before fine-tuning stage 24. Fine-tuned model 25 can undergo computational optimization 29-3 (e.g., using computational optimization toolkit 19) before refinement with user feedback 26. Refined model 27 can undergo computational optimization 29-4 (e.g., using computational optimization toolkit 19) before output to downstream system(s) 28. Computational optimization(s) 29-1, . . . , 29-4 can all be the same, all be different, or include at least some different optimization techniques.[000218] Figure 12 is a block diagram of an inference system for operating one or more machine-learned model(s) 1 to perform inference (e.g., for training, for deployment, etc.). A model host 31 can receive machine-learned model(s) 1. Model host 31 can host one or more model instance(s) 31-1, which can be one or multiple instances of one or multiple models. Model host 31 can host model instance(s) 31-1 using available compute resources 31-2 associated with model host 31.[000219] Model host 31 can perform inference on behalf of one or more client(s) 32. Client(s) 32 can transmit an input request 33 to model host 31. Using input request 33, model host 31 can obtain input(s) 2 for input to machine-learned model(s) 1. Machine-learned model(s) 1 can process input(s) 2 to generate output(s) 3. Using output(s) 3, model host 31 can return an output payload 34 for responding to input request 33 from client(s) 32. Output payload 34 can include or be based on output(s) 3.[000220] Model host 31 can leverage various other resources and tools to augment the inference task. For instance, model host 31 can communicate with tool interfaces 35 to facilitate tool use by model instance(s) 31-1. Tool interfaces 35 can include local or remote APIs. Tool interfaces 35 can include integrated scripts or other software functionality. Modelhost 31 can engage online learning interface(s) 36 to facilitate ongoing improvements to machine-learned model(s) 1. For instance, online learning interface(s) 36 can be used within reinforcement learning loops to retrieve user feedback on inferences served by model host 31. Model host 31 can access runtime data source(s) 37 for augmenting input(s) 2 with additional contextual information. For instance, runtime data source(s) 37 can include a knowledge graph 37-1 that facilitates structured information retrieval for information associated with input request(s) 33 (e.g., a search engine service). Runtime data source(s) 37 can include public or private, external or local database(s) 37-2 that can store information associated with input request(s) 33 for augmenting input(s) 2. Runtime data source(s) 37 can include account data 37-3 which can be retrieved in association with a user account corresponding to a client 32 for customizing the behavior of model host 31 accordingly.[000221] Model host 31 can be implemented by one or multiple computing devices or systems. Client(s) 2 can be implemented by one or multiple computing devices or systems, which can include computing devices or systems shared with model host 31.[000222] For example, model host 31 can operate on a server system that provides a machine-learning service to client device(s) that operate client(s) 32 (e.g., over a local or wide-area network). Client device(s) can be end-user devices used by individuals. Client device(s) can be server systems that operate client(s) 32 to provide various functionality as a service to downstream end-user devices.[000223] In some implementations, model host 31 can operate on a same device or system as client(s) 32. Model host 31 can be a machine-learning service that runs on-device to provide machine-learning functionality to one or multiple applications operating on a client device, which can include an application implementing client(s) 32. Model host 31 can be a part of a same application as client(s) 32. For instance, model host 31 can be a subroutine or method implemented by one part of an application, and client(s) 32 can be another subroutine or method that engages model host 31 to perform inference functions within the application. It is to be understood that model host 31 and client(s) 32 can have various different configurations.[000224] Model instance(s) 31-1 can include one or more machine-learned models that are available for performing inference. Model instance(s) 31-1 can include weights or other model components that are stored on in persistent storage, temporarily cached, or loaded into high-speed memory. Model instance(s) 31-1 can include multiple instance(s) of the same model (e.g., for parallel execution of more requests on the same model). Model instance(s) 31-1 can include instance(s) of different model(s). Model instance(s) 31-1 can include cachedintermediate states of active or inactive model(s) used to accelerate inference of those models. For instance, an inference session with a particular model may generate significant amounts of computational results that can be re-used for future inference runs (e.g., using a KV cache for transformer-based models). These computational results can be saved in association with that inference session so that session can be executed more efficiently when resumed.[000225] Compute resource(s) 31-2 can include one or more processors (central processing units, graphical processing units, tensor processing units, machine-learning accelerators, etc.) connected to one or more memory devices. Compute resource(s) 31-2 can include a dynamic pool of available resources shared with other processes. Compute resource(s) 31-2 can include memory devices large enough to fit an entire model instance in a single memory instance. Compute resource(s) 31-2 can also shard model instance(s) across multiple memory devices (e.g., using data parallelization or tensor parallelization, etc.). This can be done to increase parallelization or to execute a large model using multiple memory devices which individually might not be able to fit the entire model into memory.[000226] Input request 33 can include data for input(s) 2. Model host 31 can process input request 33 to obtain input(s) 2. Input(s) 2 can be obtained directly from input request 33 or can be retrieved using input request 33. Input request 33 can be submitted to model host 31 via an API.[000227] Model host 31 can perform inference over batches of input requests 33 in parallel. For instance, a model instance 31-1 can be configured with an input structure that has a batch dimension. Separate input(s) 2 can be distributed across the batch dimension (e.g., rows of an array). The separate input(s) 2 can include completely different contexts. The separate input(s) 2 can be multiple inference steps of the same task. The separate input(s) 2 can be staggered in an input structure, such that any given inference cycle can be operating on different portions of the respective input(s) 2. In this manner, for instance, model host 31 can perform inference on the batch in parallel, such that output(s) 3 can also contain the batch dimension and return the inference results for the batched input(s) 2 in parallel. In this manner, for instance, batches of input request(s) 33 can be processed in parallel for higher throughput of output payload(s) 34.[000228] Output payload 34 can include or be based on output(s) 3 from machine-learned model(s) 1. Model host 31 can process output(s) 3 to obtain output payload 34. This can include chaining multiple rounds of inference (e.g., iteratively, recursively, across the samemodel(s) or different model(s)) to arrive at a final output for a task to be returned in output payload 34. Output payload 34 can be transmitted to client(s) 32 via an API.[000229] Online learning interface(s) 36 can facilitate reinforcement learning of machine- learned model(s) 1. Online learning interface(s) 36 can facilitate reinforcement learning with human feedback (RLHF). Online learning interface(s) 36 can facilitate federated learning of machine-learned model(s) 1.[000230] Model host 31 can access a library of pre-trained adapters or LoRA modules that can adapt a baseline model to align its outputs with a desired performance profile, augment model capabilities (e.g., to adapt to a different input modality, etc.), and the like. For instance, model host 31 can receive an input request to load a customized model, and model host 31 can retrieve one or more components to adapt a baseline model to the custom profile. Model host 31 can determine that a particular functionality is needed for a particular task (e.g., based on an output of a model that preprocesses an input) and retrieve a pre-trained component accordingly.[000231] Model host 31 can execute machine-learned model(s) 1 to perform inference for various tasks using various types of data. For example, various different input(s) 2 and output(s) 3 can be used for various different tasks. In some implementations, input(s) 2 can be or otherwise represent image data. Machine-learned model(s) 1 can process the image data to generate an output. As an example, machine-learned model(s) 1 can process the image data to generate an image recognition output (e.g., a recognition of the image data, a latent embedding of the image data, an encoded representation of the image data, a hash of the image data, etc.). As another example, machine-learned model(s) 1 can process the image data to generate an image segmentation output. As another example, machine-learned model(s) 1 can process the image data to generate an image classification output. As another example, machine-learned model(s) 1 can process the image data to generate an image data modification output (e.g., an alteration of the image data, etc.). As another example, machine- learned model(s) 1 can process the image data to generate an encoded image data output (e.g., an encoded and / or compressed representation of the image data, etc.). As another example, machine-learned model(s) 1 can process the image data to generate an upscaled image data output. As another example, machine-learned model(s) 1 can process the image data to generate a prediction output.[000232] In some implementations, the task is a computer vision task. In some cases, input(s) 2 includes pixel data for one or more images and the task is an image processing task. For example, the image processing task can be image classification, where the output isa set of scores, each score corresponding to a different object class and representing the likelihood that the one or more images depict an object belonging to the object class. The image processing task may be object detection, where the image processing output identifies one or more regions in the one or more images and, for each region, a likelihood that region depicts an object of interest. As another example, the image processing task can be image segmentation, where the image processing output defines, for each pixel in the one or more images, a respective likelihood for each category in a predetermined set of categories. For example, the set of categories can be foreground and background. As another example, the set of categories can be object classes. As another example, the image processing task can be depth estimation, where the image processing output defines, for each pixel in the one or more images, a respective depth value. As another example, the image processing task can be motion estimation, where the network input includes multiple images, and the image processing output defines, for each pixel of one of the input images, a motion of the scene depicted at the pixel between the images in the network input.[000233] In some implementations, input(s) 2 can be or otherwise represent natural language data. Machine-learned model(s) 1 can process the natural language data to generate an output. As an example, machine-learned model(s) 1 can process the natural language data to generate a language encoding output. As another example, machine-learned model(s) 1 can process the natural language data to generate a latent text embedding output. As another example, machine-learned model(s) 1 can process the natural language data to generate a translation output. As another example, machine-learned model(s) 1 can process the natural language data to generate a classification output. As another example, machine-learned model(s) 1 can process the natural language data to generate a textual segmentation output. As another example, machine-learned model(s) 1 can process the natural language data to generate a semantic intent output. As another example, machine-learned model(s) 1 can process the natural language data to generate an upscaled text or natural language output (e.g., text or natural language data that is higher quality than the input text or natural language, etc.). As another example, machine-learned model(s) 1 can process the natural language data to generate a prediction output (e.g., one or more predicted next portions of natural language content).[000234] In some implementations, input(s) 2 can be or otherwise represent speech data (e.g., data describing spoken natural language, such as audio data, textual data, etc.). Machine-learned model(s) 1 can process the speech data to generate an output. As an example, machine-learned model(s) 1 can process the speech data to generate a speechrecognition output. As another example, machine-learned model(s) 1 can process the speech data to generate a speech translation output. As another example, machine-learned model(s) 1 can process the speech data to generate a latent embedding output. As another example, machine-learned model(s) 1 can process the speech data to generate an encoded speech output (e.g., an encoded and / or compressed representation of the speech data, etc.). As another example, machine-learned model(s) 1 can process the speech data to generate an upscaled speech output (e.g., speech data that is higher quality than the input speech data, etc.). As another example, machine-learned model(s) 1 can process the speech data to generate a textual representation output (e.g., a textual representation of the input speech data, etc.). As another example, machine-learned model(s) 1 can process the speech data to generate a prediction output.[000235] In some implementations, input(s) 2 can be or otherwise represent latent encoding data (e.g., a latent space representation of an input, etc.). Machine-learned model(s) 1 can process the latent encoding data to generate an output. As an example, machine- learned model(s) 1 can process the latent encoding data to generate a recognition output. As another example, machine-learned model(s) 1 can process the latent encoding data to generate a reconstruction output. As another example, machine-learned model(s) 1 can process the latent encoding data to generate a search output. As another example, machine- learned model(s) 1 can process the latent encoding data to generate a reclustering output. As another example, machine-learned model(s) 1 can process the latent encoding data to generate a prediction output.[000236] In some implementations, input(s) 2 can be or otherwise represent statistical data. Statistical data can be, represent, or otherwise include data computed and / or calculated from some other data source. Machine-learned model(s) 1 can process the statistical data to generate an output. As an example, machine-learned model(s) 1 can process the statistical data to generate a recognition output. As another example, machine-learned model(s) 1 can process the statistical data to generate a prediction output. As another example, machine- learned model(s) 1 can process the statistical data to generate a classification output. As another example, machine-learned model(s) 1 can process the statistical data to generate a segmentation output. As another example, machine-learned model(s) 1 can process the statistical data to generate a visualization output. As another example, machine-learned model(s) 1 can process the statistical data to generate a diagnostic output.[000237] In some implementations, input(s) 2 can be or otherwise represent sensor data. Machine-learned model(s) 1 can process the sensor data to generate an output. As anexample, machine-learned model(s) 1 can process the sensor data to generate a recognition output. As another example, machine-learned model(s) 1 can process the sensor data to generate a prediction output. As another example, machine-learned model(s) 1 can process the sensor data to generate a classification output. As another example, machine-learned model(s) 1 can process the sensor data to generate a segmentation output. As another example, machine-learned model(s) 1 can process the sensor data to generate a visualization output. As another example, machine-learned model(s) 1 can process the sensor data to generate a diagnostic output. As another example, machine-learned model(s) 1 can process the sensor data to generate a detection output.[000238] In some implementations, machine-learned model(s) 1 can be configured to perform a task that includes encoding input data for reliable and / or efficient transmission or storage (and / or corresponding decoding). For example, the task may be an audio compression task. The input may include audio data and the output may comprise compressed audio data. In another example, the input includes visual data (e.g. one or more images or videos), the output comprises compressed visual data, and the task is a visual data compression task. In another example, the task may comprise generating an embedding for input data (e.g. input audio or visual data). In some cases, the input includes audio data representing a spoken utterance and the task is a speech recognition task. The output may comprise a text output which is mapped to the spoken utterance. In some cases, the task comprises encrypting or decrypting input data. In some cases, the task comprises a microprocessor performance task, such as branch prediction or memory address translation.[000239] In some implementations, the task is a generative task, and machine-learned model(s) 1 can be configured to output content generated in view of input(s) 2. For instance, input(s) 2 can be or otherwise represent data of one or more modalities that encodes context for generating additional content.[000240] In some implementations, the task can be a text completion task. Machine- learned model(s) 1 can be configured to process input(s) 2 that represent textual data and to generate output(s) 3 that represent additional textual data that completes a textual sequence that includes input(s) 2. For instance, machine-learned model(s) 1 can be configured to generate output(s) 3 to complete a sentence, paragraph, or portion of text that follows from a portion of text represented by input(s) 2.[000241] In some implementations, the task can be an instruction following task. Machine- learned model(s) 1 can be configured to process input(s) 2 that represent instructions to perform a function and to generate output(s) 3 that advance a goal of satisfying theinstruction function (e.g., at least a step of a multi-step procedure to perform the function). Output(s) 3 can represent data of the same or of a different modality as input(s) 2. For instance, input(s) 2 can represent textual data (e.g., natural language instructions for a task to be performed) and machine-learned model(s) 1 can process input(s) 2 to generate output(s) 3 that represent textual data responsive to the instructions (e.g., natural language responses, programming language responses, machine language responses, etc.). Input(s) 2 can represent image data (e.g., image-based instructions for a task to be performed, optionally accompanied by textual instructions) and machine-learned model(s) 1 can process input(s) 2 to generate output(s) 3 that represent textual data responsive to the instructions (e.g., natural language responses, programming language responses, machine language responses, etc.). One or more output(s) 3 can be iteratively or recursively generated to sequentially process and accomplish steps toward accomplishing the requested functionality. For instance, an initial output can be executed by an external system or be processed by machine-learned model(s) 1 to complete an initial step of performing a function. Multiple steps can be performed, with a final output being obtained that is responsive to the initial instructions.[000242] In some implementations, the task can be a question answering task. Machine- learned model(s) 1 can be configured to process input(s) 2 that represent a question to answer and to generate output(s) 3 that advance a goal of returning an answer to the question (e.g., at least a step of a multi-step procedure to perform the function). Output(s) 3 can represent data of the same or of a different modality as input(s) 2. For instance, input(s) 2 can represent textual data (e.g., natural language instructions for a task to be performed) and machine- learned model(s) 1 can process input(s) 2 to generate output(s) 3 that represent textual data responsive to the question (e.g., natural language responses, programming language responses, machine language responses, etc.). Input(s) 2 can represent image data (e.g., image-based instructions for a task to be performed, optionally accompanied by textual instructions) and machine-learned model(s) 1 can process input(s) 2 to generate output(s) 3 that represent textual data responsive to the question (e.g., natural language responses, programming language responses, machine language responses, etc.). One or more output(s) 3 can be iteratively or recursively generated to sequentially process and accomplish steps toward answering the question. For instance, an initial output can be executed by an external system or be processed by machine-learned model(s) 1 to complete an initial step of obtaining an answer to the question (e.g., querying a database, performing a computation, executing a script, etc.). Multiple steps can be performed, with a final output being obtained that is responsive to the question.[000243] In some implementations, the task can be an image generation task. Machine- learned model(s) 1 can be configured to process input(s) 2 that represent context regarding a desired portion of image content. The context can include text data, image data, audio data, etc. Machine-learned model(s) 1 can be configured to generate output(s) 3 that represent image data that depicts imagery related to the context. For instance, machine-learned model(s) 1 can be configured to generate pixel data of an image. Values for channel(s) associated with the pixels in the pixel data can be selected based on the context (e.g., based on a probability determined based on the context).[000244] In some implementations, the task can be an audio generation task. Machine- learned model(s) 1 can be configured to process input(s) 2 that represent context regarding a desired portion of audio content. The context can include text data, image data, audio data, etc. Machine-learned model(s) 1 can be configured to generate output(s) 3 that represent audio data related to the context. For instance, machine-learned model(s) 1 can be configured to generate waveform data in the form of an image (e.g., a spectrogram). Values for channel(s) associated with pixels of the image can be selected based on the context. Machine- learned model(s) 1 can be configured to generate waveform data in the form of a sequence of discrete samples of a continuous waveform. Values of the sequence can be selected based on the context (e.g., based on a probability determined based on the context).[000245] In some implementations, the task can be a data generation task. Machine-learned model(s) 1 can be configured to process input(s) 2 that represent context regarding a desired portion of data (e.g., data from various data domains, such as sensor data, image data, multimodal data, statistical data, etc.). The desired data can be, for instance, synthetic data for training other machine-learned models. The context can include arbitrary data type(s). Machine-learned model(s) 1 can be configured to generate output(s) 3 that represent data that aligns with the desired data. For instance, machine-learned model(s) 1 can be configured to generate data values for populating a dataset. Values for the data object(s) can be selected based on the context (e.g., based on a probability determined based on the context).[000246] Figure 13 is a block diagram of an example networked computing system that can perform aspects of example implementations of the present disclosure. The system can include a number of computing devices and systems that are communicatively coupled over a network 49. An example computing device 50 is described to provide an example of a computing device that can perform any aspect of the present disclosure (e.g., implementing model host 31, client(s) 32, or both). An example server computing system 60 is described as an example of a server computing system that can perform any aspect of the presentdisclosure (e.g., implementing model host 31, client(s) 32, or both). Computing device 50 and server computing system(s) 60 can cooperatively interact (e.g., over network 49) to perform any aspect of the present disclosure (e.g., implementing model host 31, client(s) 32, or both). Model development platform system 70 is an example system that can host or serve model development platform(s) 12 for development of machine-learned models. Third-party system(s) 80 are example system(s) with which any of computing device 50, server computing system(s) 60, or model development platform system(s) 70 can interact in the performance of various aspects of the present disclosure (e.g., engaging third-party tools, accessing third-party databases or other resources, etc.).[000247] Network 49 can be any type of communications network, such as a local area network (e.g., intranet), wide area network (e.g., Internet), or some combination thereof and can include any number of wired or wireless links. In general, communication over network 49 can be carried via any type of wired or wireless connection, using a wide variety of communication protocols (e.g., TCP / IP, HTTP, SMTP, FTP), encodings or formats (e.g., HTML, XML), or protection schemes (e.g., VPN, secure HTTP, SSL). Network 49 can also be implemented via a system bus. For instance, one or more devices or systems of Figure 13 can be co-located with, contained by, or otherwise integrated into one or more other devices or systems.[000248] Computing device 50 can be any type of computing device, such as, for example, a personal computing device (e.g., laptop or desktop), a mobile computing device (e.g., smartphone or tablet), a gaming console or controller, a wearable computing device, an embedded computing device, a server computing device, a virtual machine operating on a host device, or any other type of computing device. Computing device 50 can be a client computing device. Computing device 50 can be an end-user computing device. Computing device 50 can be a computing device of a service provided that provides a service to an end user (who may use another computing device to interact with computing device 50).[000249] Computing device 50 can include one or more processors 51 and a memory 52. Processor(s) 51 can be any suitable processing device (e.g., a processor core, a microprocessor, an ASIC, an FPGA, a controller, a microcontroller, etc.) and can be one processor or a plurality of processors that are operatively connected. Memory 52 can include one or more non-transitory computer-readable storage media, such as HBM, RAM, ROM, EEPROM, EPROM, flash memory devices, magnetic disks, etc., and combinations thereof. Memory 52 can store data 53 and instructions 54 which can be executed by processor(s) 51 to cause computing device 50 to perform operations. The operations can implement any one ormultiple features described herein. The operations can implement example methods and techniques described herein.[000250] Computing device 50 can also include one or more input components that receive user input. For example, a user input component can be a touch-sensitive component (e.g., a touch-sensitive display screen or a touch pad) that is sensitive to the touch of a user input object (e.g., a finger or a stylus). The touch-sensitive component can serve to implement a virtual keyboard. Other example user input components include a microphone, camera, LIDAR, a physical keyboard or other buttons, or other means by which a user can provide user input.[000251] Computing device 50 can store or include one or more machine-learned models 55. Machine-learned models 55 can include one or more machine-learned model(s) 1, such as a sequence processing model 4. Machine-learned models 55 can include one or multiple model instance(s) 31-1. Machine-learned model(s) 55 can be received from server computing system(s) 60, model development platform system 70, third party system(s) 80 (e.g., an application distribution platform), or developed locally on computing device 50. Machine- learned model(s) 55 can be loaded into memory 52 and used or otherwise implemented by processor(s) 51. Computing device 50 can implement multiple parallel instances of machine- learned model(s) 55.[000252] Server computing system(s) 60 can include one or more processors 61 and a memory 62. Processor(s) 61 can be any suitable processing device (e.g., a processor core, a microprocessor, an ASIC, an FPGA, a controller, a microcontroller, etc.) and can be one processor or a plurality of processors that are operatively connected. Memory 62 can include one or more non-transitory computer-readable storage media, such as HBM, RAM, ROM, EEPROM, EPROM, flash memory devices, magnetic disks, etc., and combinations thereof. Memory 62 can store data 63 and instructions 64 which can be executed by processor(s) 61 to cause server computing system(s) 60 to perform operations. The operations can implement any one or multiple features described herein. The operations can implement example methods and techniques described herein.[000253] In some implementations, server computing system 60 includes or is otherwise implemented by one or multiple server computing devices. In instances in which server computing system 60 includes multiple server computing devices, such server computing devices can operate according to sequential computing architectures, parallel computing architectures, or some combination thereof.[000254] Server computing system 60 can store or otherwise include one or more machine- learned models 65. Machine-learned model(s) 65 can be the same as or different from machine-learned model(s) 55. Machine-learned models 65 can include one or more machine- learned model(s) 1, such as a sequence processing model 4. Machine-learned models 65 can include one or multiple model instance(s) 31-1. Machine-learned model(s) 65 can be received from computing device 50, model development platform system 70, third party system(s) 80, or developed locally on server computing system(s) 60. Machine-learned model(s) 65 can be loaded into memory 62 and used or otherwise implemented by processor(s) 61. Server computing system(s) 60 can implement multiple parallel instances of machine-learned model(s) 65.[000255] In an example configuration, machine-learned models 65 can be included in or otherwise stored and implemented by server computing system 60 to establish a client-server relationship with computing device 50 for serving model inferences. For instance, server computing system(s) 60 can implement model host 31 on behalf of client(s) 32 on computing device 50. For instance, machine-learned models 65 can be implemented by server computing system 60 as a portion of a web service (e.g., remote machine-learned model hosting service, such as an online interface for performing machine-learned model operations over a network on server computing system(s) 60). For instance, server computing system(s) 60 can communicate with computing device 50 over a local intranet or internet connection. For instance, computing device 50 can be a workstation or endpoint in communication with server computing system(s) 60, with implementation of machine-learned models 65 being managed by server computing system(s) 60 to remotely perform inference (e.g., for runtime or training operations), with output(s) returned (e.g., cast, streamed, etc.) to computing device 50. Machine-learned models 65 can work cooperatively or interoperatively with machine- learned models 55 on computing device 50 to perform various tasks.[000256] Model development platform system(s) 70 can include one or more processors 71 and a memory 72. Processor(s) 71 can be any suitable processing device (e.g., a processor core, a microprocessor, an ASIC, an FPGA, a controller, a microcontroller, etc.) and can be one processor or a plurality of processors that are operatively connected. Memory 72 can include one or more non-transitory computer-readable storage media, such as HBM, RAM, ROM, EEPROM, EPROM, flash memory devices, magnetic disks, etc., and combinations thereof. Memory 72 can store data 73 and instructions 74 which can be executed by processor(s) 71 to cause model development platform system(s) 70 to perform operations. The operations can implement any one or multiple features described herein. The operationscan implement example methods and techniques described herein. Example operations include the functionality described herein with respect to model development platform 12. This and other functionality can be implemented by developer tool(s) 75.[000257] Third-party system(s) 80 can include one or more processors 81 and a memory 82. Processor(s) 81 can be any suitable processing device (e.g., a processor core, a microprocessor, an ASIC, an FPGA, a controller, a microcontroller, etc.) and can be one processor or a plurality of processors that are operatively connected. Memory 82 can include one or more non-transitory computer-readable storage media, such as HBM, RAM, ROM, EEPROM, EPROM, flash memory devices, magnetic disks, etc., and combinations thereof. Memory 82 can store data 83 and instructions 84 which can be executed by processor(s) 81 to cause third-party system(s) 80 to perform operations. The operations can implement any one or multiple features described herein. The operations can implement example methods and techniques described herein. Example operations include the functionality described herein with respect to tools and other external resources called when training or performing inference with machine-learned model(s) 1, 4, 16, 20, 55, 65, etc. (e.g., third-party resource(s) 85).[000258] Figure 13illustrates one example arrangement of computing systems that can be used to implement the present disclosure. Other computing system configurations can be used as well. For example, in some implementations, one or both of computing system 50 or server computing system(s) 60 can implement all or a portion of the operations of model development platform system 70. For example, computing system 50 or server computing system(s) 60 can implement developer tool(s) 75 (or extensions thereof) to develop, update / train, or refine machine-learned models 1, 4, 16, 20, 55, 65, etc. using one or more techniques described herein with respect to model alignment toolkit 17. In this manner, for instance, computing system 50 or server computing system(s) 60 can develop, update / train, or refine machine-learned models based on local datasets (e.g., for model personalization / customization, as permitted by user data preference selections).[000259] Figure 14 is a block diagram of an example computing device 98 that performs according to example embodiments of the present disclosure. Computing device 98 can be a user computing device or a server computing device (e.g., computing device 50, server computing system(s) 60, etc.). Computing device 98 can implement model host 31. For instance, computing device 98 can include a number of applications (e.g., applications 1 through N). Each application can contain its own machine learning library and machine- learned model(s). For example, each application can include a machine-learned model.Example applications include a text messaging application, an email application, a dictation application, a virtual keyboard application, a browser application, etc. As illustrated in Figure 14, each application can communicate with a number of other components of the computing device, such as, for example, one or more sensors, a context manager, a device state component, or additional components. In some implementations, each application can communicate with each device component using an API (e.g., a public API). In some implementations, the API used by each application is specific to that application.[000260] Figure 15 is a block diagram of an example computing device 99 that performs according to example embodiments of the present disclosure. Computing device 99 can be the same as or different from computing device 98. Computing device 99 can be a user computing device or a server computing device (e.g., computing device 50, server computing system(s) 60, etc.). Computing device 98 can implement model host 31. For instance, computing device 99 can include a number of applications (e.g., applications 1 through N). Each application can be in communication with a central intelligence layer. Example applications include a text messaging application, an email application, a dictation application, a virtual keyboard application, a browser application, etc. In some implementations, each application can communicate with the central intelligence layer (and model(s) stored therein) using an API (e.g., a common API across all applications).[000261] The central intelligence layer can include a number of machine-learned models. For example, as illustrated in Figure 15, a respective machine-learned model can be provided for each application and managed by the central intelligence layer. In other implementations, two or more applications can share a single machine-learned model. For example, in some implementations, the central intelligence layer can provide a single model for all of the applications. In some implementations, the central intelligence layer is included within or otherwise implemented by an operating system of computing device 99.[000262] The central intelligence layer can communicate with a central device data layer. The central device data layer can be a centralized repository of data for computing device 99. As illustrated in Figure 15, the central device data layer can communicate with a number of other components of the computing device, such as, for example, one or more sensors, a context manager, a device state component, or additional components. In some implementations, the central device data layer can communicate with each device component using an API (e.g., a private API).[000263] The technology discussed herein makes reference to servers, databases, software applications, and other computer-based systems, as well as actions taken and information sentto and from such systems. The inherent flexibility of computer-based systems allows for a great variety of possible configurations, combinations, and divisions of tasks and functionality between and among components. For instance, processes discussed herein can be implemented using a single device or component or multiple devices or components working in combination. Databases and applications can be implemented on a single system or distributed across multiple systems. Distributed components can operate sequentially or in parallel.[000264] While the present subject matter has been described in detail with respect to various specific example embodiments thereof, each example is provided by way of explanation, not limitation of the disclosure. Those skilled in the art, upon attaining an understanding of the foregoing, can readily produce alterations to, variations of, and equivalents to such embodiments. Accordingly, the subject disclosure does not preclude inclusion of such modifications, variations or additions to the present subject matter as would be readily apparent to one of ordinary skill in the art. For instance, features illustrated or described as part of one embodiment can be used with another embodiment to yield a still further embodiment. Thus, it is intended that the present disclosure cover such alterations, variations, and equivalents.[000265] Aspects of the disclosure have been described in terms of illustrative embodiments thereof. Any and all features in the following claims can be combined or rearranged in any way possible, including combinations of claims not explicitly enumerated in combination together, as the example claim dependencies listed herein should not be read as limiting the scope of possible combinations of features disclosed herein. Accordingly, the scope of the present disclosure is by way of example rather than by way of limitation, and the subject disclosure does not preclude inclusion of such modifications, variations or additions to the present subject matter as would be readily apparent to one of ordinary skill in the art. Moreover, terms are described herein using lists of example elements joined by conjunctions such as “and,” “or,” “but,” etc. It should be understood that such conjunctions are provided for explanatory purposes only. Clauses and other sequences of items joined by a particular conjunction such as “or,” for example, can refer to “and / or,” “at least one of’, “any combination of’ example elements listed therein, etc. Terms such as “based on” should be understood as “based at least in part on.”[000266] The term “can” should be understood as referring to a possibility of a feature in various implementations and not as prescribing an ability that is necessarily present in every implementation. For example, the phrase “X can perform Y” should be understood asindicating that, in various implementations, X has the potential to be configured to perform Y, and not as indicating that in every instance X must always be able to perform Y. It should be understood that, in various implementations, X might be unable to perform Y and remain within the scope of the present disclosure.[000267] The term “may” should be understood as referring to a possibility of a feature in various implementations and not as prescribing an ability that is necessarily present in every implementation. For example, the phrase “X may perform Y” should be understood as indicating that, in various implementations, X has the potential to be configured to perform Y, and not as indicating that in every instance X must always be able to perform Y. It should be understood that, in various implementations, X might be unable to perform Y and remain within the scope of the present disclosure.
Claims
WHAT IS CLAIMED IS:
1. A computer system for improved cybersecurity, the computer system comprising: one or more processors; and one or more non-transitory computer-readable media that collectively store a generative sequence processing model, wherein the generative sequence processing model has been finetuned on one or more finetuning tuples generated from one or more sets of cybersecurity data, and wherein at least one finetuning tuple of the one or more finetuning tuples comprises a finetuning input and a finetuning label, wherein the finetuning input comprises cybersecurity data and a question regarding the cybersecurity data, and wherein the finetuning label comprises a labelled answer to the question regarding the cybersecurity data.
2. The computer system of claim 1, wherein the sets of cybersecurity data comprise sets of data from: Security Orchestration Automation and Response (SOAR) system data, Security Information and Event Management (SIEM) system data, security blog information, analyst reports, signature-based detection files, malware scripts, vulnerability information, product documentation, security code repositories, or cybersecurity and software development frameworks data.
3. The computer system of any preceding claim, wherein the generative sequence processing model has been finetuned on the one or more finetuning tuples to perform one or more finetuning tasks, wherein the one or more finetuning tasks comprise: classification tasks, summarization tasks, generation tasks, or extraction tasks.
4. The computer system of any preceding claim, wherein at least one second finetuning tuple of the one or more finetuning tuples comprises a second finetuning input and a second finetuning label, wherein the second finetuning input comprises a natural language query, and wherein the second finetuning label comprises a query expressed in a domainspecific query language.
5. The computer system of any preceding claim, wherein at least one of the one or more finetuning tuples has been manually generated.
6. The computer system of any preceding claim, wherein at least one of the one or more finetuning tuples has been automatically generated using one or more templates.
7. The computer system of any preceding claim, wherein at least one of the one or more finetuning tuples has been automatically generated using one or more machine-learned models.
8. The computer system of any preceding claim, wherein the generative sequence processing model is in operative communication with one or more cybersecurity operations tools.
9. The computer system of any preceding claim, wherein the computer system is configured to provide an interface that enables a user to query the generative sequence processing model in natural language.
10. The computer system of any preceding claim, wherein the generative sequence processing model has been finetuned to adopt a particular cybersecurity persona of a number of different cybersecurity personas.
11. The computer system of claim 10, wherein the particular cybersecurity persona comprises: a security operations center (SOC) analyst persona; a threat intelligence analyst persona; a malware or code analyst persona; or a security architect persona.
12. A cybersecurity platform implemented by one or more computing devices, wherein the cybersecurity platform comprises: a plurality of computer-implemented agents configured to interoperate to collectively receive and process cybersecurity data to generate and perform cybersecurity actions responsive to the cybersecurity data; wherein each of the plurality of agents comprises a machine-learned generative sequence processing model that has been finetuned to adopt a particular cybersecurity persona of a number of different cybersecurity personas.
13. The cybersecurity platform of claim 12, wherein the plurality of agents correspond to a plurality of the different cybersecurity personas comprising at least: a security operations center (SOC) analyst persona; a threat intelligence analyst persona; and a malware or code analyst persona.
14. The cybersecurity platform of claim 12 or 13, wherein the plurality of agents operate according to a distributed operating architecture.
15. The cybersecurity platform of claim 12 or 13, wherein the plurality of agents operate according to a centralized planning architecture.
16. The cybersecurity platform of claim 15, wherein the centralized planning architecture comprises a planning agent configured to control the other agents of the platform.
17. The cybersecurity platform of claim 16, wherein the planning agent is configured to call the other agents according to a tool use framework.
18. The cybersecurity platform of claim 16 or 17, wherein the planning agent is configured to perform chain of thought reasoning, and wherein the planning agent is configured to control the other agents of the platform based on the chain of thought reasoning.
19. The cybersecurity platform of any of claims 12-18, wherein the plurality of generative sequence processing models respectively associated with the plurality of different agents have been forked from a pre-trained model and then finetuned using respective parameter-efficient adapters.
20. One or more non-transitory computer readable media that collectively store: a generative sequence processing model, wherein the generative sequence processing model has been finetuned on one or more finetuning tuples generated from one or more sets of cybersecurity data, and wherein at least one finetuning tuple of the one or more finetuning tuples comprises a finetuning input and a finetuning label, wherein the finetuning input comprises cybersecurity data and a question regarding the cybersecurity data, and wherein the finetuning label comprises a labelled answer to the question; and instructions for running the generative sequence processing model to process a model input to generate a model output.