From cdeb0f28e1e8f758f312f69ea3e9799900e3bf5b Mon Sep 17 00:00:00 2001
From: akhil
Date: Tue, 25 Jul 2023 11:54:15 +0530
Subject: [PATCH 1/4] added armur ai page

added images and links
testing product
arch.image added
product images
added milestones
changed structure
fixing last answer

---
 applications/Armur_AI.md | 183 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 183 insertions(+)
 create mode 100644 applications/Armur_AI.md

diff --git a/applications/Armur_AI.md b/applications/Armur_AI.md
new file mode 100644
index 00000000000..2f65b9cdc37
--- /dev/null
+++ b/applications/Armur_AI.md
@@ -0,0 +1,183 @@
+# Armur A.I
+
+- **Team Name:** Armur A.I
+- **Payment Address:** will share fiat address privately
+- **[Level](https://github.com/w3f/Grants-Program/tree/master#level_slider-levels):** 3
+
+
+## Project Overview :page_facing_up:
+
+About Us - Armur A.I is a Techstars and Outlier Ventures backed startup focused on building A.I-powered security tools that help secure blockchains.
+Armur A.I is supported by Algorand and Aptos.
+
+Problem - Many static, hard-coded tools exist to audit smart contracts, but they are not sufficient for detecting vulnerabilities and security issues. The problem with hard-coded tools is that every time a new vulnerability appears, you have to extend the tool's functionality by writing more code, which can conflict with its existing functionality. The other option for web3 companies is manual auditing, but that takes too long and is extremely expensive (starting at $40K for a basic audit).
+
+Our unique solution - Using A.I models is a far more effective approach than static auditing tools, because you can simply train the models to catch newly reported vulnerabilities instead of changing or extending the code; this is an all-new approach. An A.I-powered audit also provides "contextual" and descriptive information about the vulnerabilities and security issues in the code, which makes it much easier for developers to fix them.
+
+Why Polkadot ecosystem - At Armur A.I, we want to build for the Polkadot ecosystem by building a tool that enables A.I-powered auditing of ink! smart contracts.
+
+Our Approach - We're using open-source A.I models and training them. Instead of using closed-source technologies like OpenAI, we're using A.I models that everyone has equal access to, such as Falcon-40B, Llama 2 and GPT-NeoX.
+
+### Overview
+
+- Armur A.I will enable A.I-powered auditing of ink! smart contracts.
+- We've built a successful A.I-powered auditing tool for Solidity files (Ethereum), and we have a grant from Aptos to do the same for Move smart contracts, which we are currently working on. We now want to expand to Polkadot by building the capability to audit ink! smart contracts.
+- Our A.I models will be trained on ink! smart contracts, common vulnerabilities and audit reports commonly found in the Polkadot ecosystem. Since our A.I models are already trained on Solidity smart contracts, we will need less data from the ink! community to train them, thanks to the "few-shot learning" advantage.
+- Our team has deep expertise in Rust and the wider Polkadot ecosystem. The Founder (Akhil) has a 14-chapter course on Substrate on his **[Youtube Channel](https://youtube.com/playlist?list=PL5dTjWUk_cPYdb4j2RH8BHEAK3z_ZME1j)** and is also writing a book called "Rust for Blockchain Development" with **[Packt Publishing](https://www.packtpub.com/)**, which has two entire chapters on Polkadot and Substrate. Our team believes that app-specific blockchains are the future and that, sooner or later, Polkadot will win, and we want to be a strong part of the Polkadot ecosystem.
+Akhil also actively advises companies that are fast-tracked in the Substrate Builders' Program.
+
+### Project Details
+
+- The product itself is really straightforward. Our alpha product demo is ready. We have trained open-source A.I models on datasets that consist of smart contracts and their vulnerabilities, smart contract audit reports, etc. A lot of data was available for Solidity, so we were easily able to train A.I models for it. We need the help of the Polkadot community to create datasets of ink! smart contracts and audit reports, so that we can classify common recurring vulnerabilities and also detect them in new contracts.
+- Here's our product architecture image for more details -
+![product architecture](https://res.cloudinary.com/dsqufr1x5/image/upload/v1690268486/Armur_A.I_POC_Product_Architecture_1_jv7fhm.png)
+- **We have a detailed notion page on how we built our product and how it works, all the details are here on this page** -
+**[product details](https://oil-polonium-2f2.notion.site/Armur-A-I-Product-Details-ae4b60dca0514ae5b74de649babcaeba?pvs=4)**
+- The tool lets you upload your smart contracts and audit them, as sketched below. In the near future, you will also be able to connect your GitHub or GitLab project to it, and the tool will fork the code automatically, audit it and create a pull request.
+- Product UI -
+![screen1](https://res.cloudinary.com/dsqufr1x5/image/upload/v1690269298/Dashboard_g5apze.png)
+![screen2](https://res.cloudinary.com/dsqufr1x5/image/upload/v1690269308/Audits-Vulnerabilities_zyvlsl.png)
+![screen3](https://res.cloudinary.com/dsqufr1x5/image/upload/v1690269283/Audits_kusplv.png)
+![screen4](https://res.cloudinary.com/dsqufr1x5/image/upload/v1690269297/APIs_p69apy.png)
+![screen5](https://res.cloudinary.com/dsqufr1x5/image/upload/v1690269295/Filter_jneqp5.png)
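As an illustration of the upload-and-audit flow mentioned above, here is a minimal client sketch. The endpoint, field names and response shape are hypothetical placeholders for illustration only, not our published API:

```python
# Hypothetical client sketch for the upload-and-audit flow.
# The URL, form fields and response format are illustrative assumptions only.
import requests

API_BASE = "https://api.example-audit-service.com/v1"  # placeholder, not a real endpoint

def audit_contract(path: str) -> dict:
    """Upload an ink! contract source file and return the reported findings."""
    with open(path, "rb") as f:
        response = requests.post(
            f"{API_BASE}/audits",
            files={"contract": f},
            data={"language": "ink"},
            timeout=120,
        )
    response.raise_for_status()
    # Assumed response: {"findings": [{"vulnerability": ..., "severity": ..., "description": ...}]}
    return response.json()

if __name__ == "__main__":
    report = audit_contract("my_contract/lib.rs")
    for finding in report.get("findings", []):
        print(finding["severity"], "-", finding["vulnerability"])
```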
+
+### Ecosystem Fit
+
+This will be a much-needed addition to the Polkadot ecosystem. Imagine if all the smart contracts flowing through all the parachains could be secured: the entire ecosystem would become far more secure, which would grow the ecosystem, generate trust and also attract more investors to Polkadot.
+
+- Auditors, smart contract developers and startups will benefit a lot from our product. Both new entrants to the Polkadot ecosystem and the established players will benefit tremendously, because they will have a tool that can do at least basic audits with the help of A.I models. This means developers don't have to wait weeks and spend a lot of money every time they write a new smart contract or want to make changes to their projects. This significantly increases the speed of development and leads to the growth of the Polkadot ecosystem.
+- In the beginning, our target audience is ink! smart contract developers building applications to launch on the Polkadot ecosystem, but the parachains themselves can also be a target audience if they'd like to integrate with us and make all smart contracts flowing through their chain secure by default, or before they're deployed.
+- Our team has the necessary expertise in both A.I and blockchain to be able to build this.
+- Currently there are no products similar to ours in the Polkadot ecosystem.
+  - In other ecosystems, such as Ethereum-related chains and Aptos, we're the main company trying to implement this.
+
+## Team :busts_in_silhouette:
+
+### Team members
+
+- Akhil Sharma
+- Jesper Kristensen
+- Paul Slattery
+
+### Contact
+
+- **Contact Name:** Akhil Sharma
+- **Contact Email:** akhil@armur.ai
+- **Website:** https://www.armur.ai
+
+### Legal Structure
+
+- **Registered Address:** 1209 North Orange Street, Wilmington, Delaware 19801, United States
+- **Registered Legal Entity:** Armur Technologies Inc.
+
+### Team's experience
+
+We haven't applied for a web3 grant previously. This is our first Web3 grant. Our team consists of
+- Akhil, who has been teaching blockchain technologies on his YouTube channel; he previously ran a web3 development lab and is active in the web3 community.
+- Jesper, who has two master's degrees and a PhD from Cornell with a specialization in blockchain.
+- Paul Slattery, who has led and managed tech teams of different sizes. He's currently a VP of Engineering at BCGX.
+
+### Team Code Repos
+
+- https://github.com/jesperkristensen58
+- https://github.com/AkhilSharma90
+- https://github.com/paul-slattery-akqa
+
+### Team LinkedIn Profiles (if available)
+
+- https://www.linkedin.com/in/akhilsails/
+- https://www.linkedin.com/in/paulslattery/
+- https://www.linkedin.com/in/jespertoftkristensen/
+
+
+## Development Status :open_book:
+
+- We have a working alpha product demo that has already been used by many companies; we have completed more than 45 A.I-powered audits so far, for 45 different firms.
+- This link has all the details of the implementation of our product - **[product details](https://oil-polonium-2f2.notion.site/Armur-A-I-Product-Details-ae4b60dca0514ae5b74de649babcaeba?pvs=4)**
+- We have already shared the product roadmap and product UI screenshots above in the Project Details section.
+
+
+## Development Roadmap :nut_and_bolt:
+
+
+### Overview
+
+- **Total Estimated Duration:** 6 months
+- **Full-Time Equivalent (FTE):** 4
+- **Total Costs:** USD 60,000
+
+### Milestone 1 - Creating Datasets
+
+- **Estimated duration:** 1 month
+- **FTE:** 3
+- **Costs:** 15,000 USD
+
+| Number | Deliverable | Specification |
+| -----: | ----------- | ------------- |
+| **0a.** | License | Apache 2.0 / GPLv3 / MIT / Unlicense |
+| **0b.** | Documentation | We will provide both **inline documentation** of the code and a basic **tutorial** that explains how a user can use the particular functionality that'll be built as part of this milestone |
+| **0c.** | Testing and Testing Guide | Core functions will be fully covered by comprehensive unit tests to ensure functionality and robustness. In the guide, we will describe how to run these tests. |
+| **0d.** | Docker | We will provide a Dockerfile(s) that can be used to test all the functionality delivered with this milestone. |
+| 0e. | Article | We will publish an **article**/workshop that explains [...] (what was done/achieved as part of the grant). (Content, language and medium should reflect your target audience described above.) |
+| 1. | Dataset Creation | In the first month, we're going to focus on finding smart contracts and audit reports and converting them into the required format to train our A.I models, so this stage is essentially "dataset" creation |
+
+
+### Milestone 2 - Deploying A.I models
+
+- **Estimated duration:** 1 month
+- **FTE:** 2
+- **Costs:** 5,000 USD
+
+| Number | Deliverable | Specification |
+| -----: | ----------- | ------------- |
+| **0a.** | License | Apache 2.0 / GPLv3 / MIT / Unlicense |
+| **0b.** | Documentation | We will provide both **inline documentation** of the code and a basic **tutorial** that explains how a user can use the particular functionality that'll be built as part of this milestone |
+| **0c.** | Testing and Testing Guide | Core functions will be fully covered by comprehensive unit tests to ensure functionality and robustness. In the guide, we will describe how to run these tests. |
+| **0d.** | Docker | We will provide a Dockerfile(s) that can be used to test all the functionality delivered with this milestone. |
+| 0e. | Article | We will publish an **article**/workshop that explains [...] (what was done/achieved as part of the grant). (Content, language and medium should reflect your target audience described above.) |
+| 1. | A.I model selection and deployment | In the second month, we will test multiple A.I models and find the ones most relevant for our use case. Finally, we will deploy them so that we can train them. This requires A.I engineering and a bit of ML-related Ops on the cloud |
+| 2. | Validating and refining data sets | The data sets that we created as part of the first milestone will be refined in this milestone before we start training. Refining basically means cleaning up the data and ensuring everything is structured so that there are no issues when we train the models in the next milestone. |
+
+### Milestone 3 - Training the A.I Models
+
+- **Estimated duration:** 2 months
+- **FTE:** 4
+- **Costs:** 20,000 USD
+
+| Number | Deliverable | Specification |
+| -----: | ----------- | ------------- |
+| **0a.** | License | Apache 2.0 / GPLv3 / MIT / Unlicense |
+| **0b.** | Documentation | We will provide both **inline documentation** of the code and a basic **tutorial** that explains how a user can use the particular functionality that'll be built as part of this milestone |
+| **0c.** | Testing and Testing Guide | Core functions will be fully covered by comprehensive unit tests to ensure functionality and robustness. In the guide, we will describe how to run these tests. |
+| **0d.** | Docker | We will provide a Dockerfile(s) that can be used to test all the functionality delivered with this milestone. |
+| 0e. | Article | We will publish an **article**/workshop that explains [...] (what was done/achieved as part of the grant). (Content, language and medium should reflect your target audience described above.) |
+| 1. | Training models | In the previous milestones we deployed the A.I model and created the datasets; now it's time to train the A.I models. This is a resource-intensive undertaking that requires experienced A.I engineers and experienced auditors to ensure the right human feedback loop for the A.I model |
+
+### Milestone 4 - Testing the Models and refining output
+
+- **Estimated duration:** 2 months
+- **FTE:** 4
+- **Costs:** 20,000 USD
+
+| Number | Deliverable | Specification |
+| -----: | ----------- | ------------- |
+| **0a.** | License | Apache 2.0 / GPLv3 / MIT / Unlicense |
+| **0b.** | Documentation | We will provide both **inline documentation** of the code and a basic **tutorial** that explains how a user can use the particular functionality that'll be built as part of this milestone |
+| **0c.** | Testing and Testing Guide | Core functions will be fully covered by comprehensive unit tests to ensure functionality and robustness. In the guide, we will describe how to run these tests. |
+| **0d.** | Docker | We will provide a Dockerfile(s) that can be used to test all the functionality delivered with this milestone. |
+| 0e. | Article | We will publish an **article**/workshop that explains [...] (what was done/achieved as part of the grant). (Content, language and medium should reflect your target audience described above.) |
+| 1. | Refinement | This milestone is all about ensuring that the A.I models give stable and correct output with a good degree of accuracy. We ensure there are fewer false positives and less hallucination, and that the tool is in good shape for public trials. At this stage we also refine the training process further, and even the datasets, depending on the accuracy of the A.I model. |
+
+## Future Plans
+
+Please include here
+
+- In the short term, we plan to enable auditors and developers to audit their smart contracts automatically so they can focus more on writing the business logic.
+- In the long term, we intend to make our tool much more advanced, so that developers need manual auditors only for a few advanced use cases and most of the checks can be done by the A.I tool.
+
+
+## Additional Information :heavy_plus_sign:
+
+**How did you hear about the Grants Program?** Our Founder, Akhil, has been active in the Polkadot ecosystem and also has a 14-chapter course on Substrate on his YouTube channel. We all think Polkadot is the future. A grant seems like the best way forward for us to be involved with the Polkadot community more deeply.

From 5b683a5ce25545641dde76eb8d3a6facab7eccb9 Mon Sep 17 00:00:00 2001
From: akhil
Date: Fri, 11 Aug 2023 11:47:40 +0530
Subject: [PATCH 2/4] made changes to license and the first milestone

---
 applications/Armur_AI.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/applications/Armur_AI.md b/applications/Armur_AI.md
index 2f65b9cdc37..c113f1435e2 100644
--- a/applications/Armur_AI.md
+++ b/applications/Armur_AI.md
@@ -116,12 +116,12 @@ We haven't applied for a web3 grant previously. This is our first Web3 grant. Ou
 | Number | Deliverable | Specification |
 | -----: | ----------- | ------------- |
-| **0a.** | License | Apache 2.0 / GPLv3 / MIT / Unlicense |
-| **0b.** | Documentation | We will provide both **inline documentation** of the code and a basic **tutorial** that explains how a user can use the particular functionality that'll be built as part of this milestone |
-| **0c.** | Testing and Testing Guide | Core functions will be fully covered by comprehensive unit tests to ensure functionality and robustness. In the guide, we will describe how to run these tests. |
-| **0d.** | Docker | We will provide a Dockerfile(s) that can be used to test all the functionality delivered with this milestone. |
-| 0e. | Article | We will publish an **article**/workshop that explains [...] (what was done/achieved as part of the grant). (Content, language and medium should reflect your target audience described above.) |
-| 1. | Dataset Creation | In the first month, we're going to focus on finding smart contracts and audit reports and converting them into the required format to train our A.I models, so this stage is essentially "dataset" creation |
+| **0a.** | License | Apache 2.0 |
+| **0b.** | Creating Dataset | We will focus on creating a dataset to train / fine-tune A.I models with; the steps are listed in detail below |
+| **0c.** | Finding Vulnerabilities Lists | We have a 4-stage process, and the first stage is finding lists of "categorized" vulnerabilities that other developers or the community may have created. We then find code samples that contain these vulnerabilities; that is, for each vulnerability we find, we will also find multiple code samples that contain it. This will help us prepare a dataset with an input (smart contract) and output (vulnerabilities)|
+| **0d.** | Using existing security tools | This is the second stage of preparing the dataset: we use existing tools (the way Slither and Manticore exist for Solidity) and input various smart contracts into them. This gives us the vulnerabilities those tools are able to detect and helps us add to our dataset with input (smart contract) and output (list of vulnerabilities) |
+| **0e.** | Finding Audit reports | This is the third stage of dataset creation: we will look for audit reports that exist in the ink! ecosystem and convert the PDF data into JSON for some of the sections in the reports. This helps us add to our dataset with input (smart contract) and output (list of vulnerabilities)|
+| **0f.** | Dataset Refinement | By now we have a solid dataset comprising categorized vulnerabilities, output from tools and audit reports, so we have a good amount of data for the A.I model - data that will ensure our A.I tool goes well beyond a standard tool, because with standard tools you have to extend the code base, whereas with an A.I tool you just need to train it with new data. Now, at this final stage, we clean up the data and ensure it's in the right format for the chosen category of A.I model; for example, for Alpaca models you need three fields - input (smart contract with issues), output (list of vulnerabilities) and prompt ("audit this smart contract for me") |
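To make the "Using existing security tools" stage above concrete, here is a minimal sketch of running an analyzer over a folder of contracts to harvest input/output pairs. The `scanner` command and its JSON output shape are assumptions standing in for whatever ink!-compatible tooling is actually available:

```python
# Sketch: harvest dataset records by running an existing static-analysis tool
# over a folder of contracts. "scanner" and its "--json" flag are placeholders
# for whichever ink!-compatible analyzer is actually used.
import json
import pathlib
import subprocess

def scan_contract(path: pathlib.Path) -> list[str]:
    """Run the (hypothetical) scanner CLI and return the vulnerability names it reports."""
    result = subprocess.run(
        ["scanner", "--json", str(path)],  # placeholder command
        capture_output=True, text=True, check=True,
    )
    report = json.loads(result.stdout)
    return [finding["name"] for finding in report.get("findings", [])]

records = []
for contract in pathlib.Path("contracts").glob("**/*.rs"):
    records.append({
        "input": contract.read_text(),      # the smart contract source
        "output": scan_contract(contract),  # the vulnerabilities detected
    })

pathlib.Path("tool_generated_dataset.json").write_text(json.dumps(records, indent=2))
```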

### Milestone 2 - Deploying A.I models

From 4ef451d9409070c260b9a217397faa7a9668b629 Mon Sep 17 00:00:00 2001
From: akhil
Date: Fri, 11 Aug 2023 12:38:07 +0530
Subject: [PATCH 3/4] made changes to licenses in all milestones and also added more details to the milestones

---
 applications/Armur_AI.md | 39 ++++++++++++++++-----------------------
 1 file changed, 16 insertions(+), 23 deletions(-)

diff --git a/applications/Armur_AI.md b/applications/Armur_AI.md
index c113f1435e2..89f1b76969a 100644
--- a/applications/Armur_AI.md
+++ b/applications/Armur_AI.md
@@ -118,7 +118,7 @@ We haven't applied for a web3 grant previously. This is our first Web3 grant. Ou
 | -----: | ----------- | ------------- |
 | **0a.** | License | Apache 2.0 |
 | **0b.** | Creating Dataset | We will focus on creating a dataset to train / fine-tune A.I models with; the steps are listed in detail below |
-| **0c.** | Finding Vulnerabilities Lists | We have a 4-stage process, and the first stage is finding lists of "categorized" vulnerabilities that other developers or the community may have created. We then find code samples that contain these vulnerabilities; that is, for each vulnerability we find, we will also find multiple code samples that contain it. This will help us prepare a dataset with an input (smart contract) and output (vulnerabilities)|
+| **0c.** | Finding Vulnerabilities Lists | We have a 4-stage process, and the first stage is finding lists of "categorized" vulnerabilities that other developers or the community may have created. We then find code samples that contain these vulnerabilities; that is, for each vulnerability we find, we will also find multiple code samples that contain it. This will help us prepare a dataset with an input (smart contract) and output (vulnerabilities). Our aim is that the system should be able to catch at least 10 common vulnerabilities initially and we will be creating datasets accordingly.|
 | **0d.** | Using existing security tools | This is the second stage of preparing the dataset: we use existing tools (the way Slither and Manticore exist for Solidity) and input various smart contracts into them. This gives us the vulnerabilities those tools are able to detect and helps us add to our dataset with input (smart contract) and output (list of vulnerabilities) |
 | **0e.** | Finding Audit reports | This is the third stage of dataset creation: we will look for audit reports that exist in the ink! ecosystem and convert the PDF data into JSON for some of the sections in the reports. This helps us add to our dataset with input (smart contract) and output (list of vulnerabilities)|
 | **0f.** | Dataset Refinement | By now we have a solid dataset comprising categorized vulnerabilities, output from tools and audit reports, so we have a good amount of data for the A.I model - data that will ensure our A.I tool goes well beyond a standard tool, because with standard tools you have to extend the code base, whereas with an A.I tool you just need to train it with new data. Now, at this final stage, we clean up the data and ensure it's in the right format for the chosen category of A.I model; for example, for Alpaca models you need three fields - input (smart contract with issues), output (list of vulnerabilities) and prompt ("audit this smart contract for me") |
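As a concrete illustration of the record format described in the "Dataset Refinement" row above, here is a minimal sketch of one Alpaca-style training record with the three fields mentioned; the contract snippet and vulnerability labels are invented placeholders:

```python
# Sketch: one Alpaca-style record for fine-tuning, using the three fields
# described above. The contract snippet and vulnerability labels are invented
# placeholders, not real audit findings.
import json

record = {
    "prompt": "audit this smart contract for me",
    "input": (                      # the ink! contract source with issues
        "#[ink::contract]\n"
        "mod flipper { /* ... contract code under audit ... */ }"
    ),
    "output": [                     # the labelled vulnerabilities
        "unchecked arithmetic in balance update",
        "missing caller authorization on privileged function",
    ],
}

# One JSON object per line (JSONL) keeps a large dataset easy to stream.
with open("ink_audit_dataset.jsonl", "a", encoding="utf-8") as f:
    f.write(json.dumps(record) + "\n")
```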

### Milestone 2 - Deploying A.I models

@@ -132,13 +132,12 @@ We haven't applied for a web3 grant previously. This is our first Web3 grant. Ou
 | Number | Deliverable | Specification |
 | -----: | ----------- | ------------- |
-| **0a.** | License | Apache 2.0 / GPLv3 / MIT / Unlicense |
-| **0b.** | Documentation | We will provide both **inline documentation** of the code and a basic **tutorial** that explains how a user can use the particular functionality that'll be built as part of this milestone |
-| **0c.** | Testing and Testing Guide | Core functions will be fully covered by comprehensive unit tests to ensure functionality and robustness. In the guide, we will describe how to run these tests. |
-| **0d.** | Docker | We will provide a Dockerfile(s) that can be used to test all the functionality delivered with this milestone. |
-| 0e. | Article | We will publish an **article**/workshop that explains [...] (what was done/achieved as part of the grant). (Content, language and medium should reflect your target audience described above.) |
-| 1. | A.I model selection and deployment | In the second month, we will test multiple A.I models and find the ones most relevant for our use case. Finally, we will deploy them so that we can train them. This requires A.I engineering and a bit of ML-related Ops on the cloud |
-| 2. | Validating and refining data sets | The data sets that we created as part of the first milestone will be refined in this milestone before we start training. Refining basically means cleaning up the data and ensuring everything is structured so that there are no issues when we train the models in the next milestone. |
+| **0a.** | License | Apache 2.0 |
+| **0b.** | Testing various models | Since we have the dataset ready, our job now is to find the best possible A.I models for our specific use case from the existing open-source LLMs. When we performed this exercise for Solidity, we started with GPT-J, then switched to GPT-NeoX, then Falcon-7B and finally Falcon-40B; we're actively trying to find the model that already understands programming really well and needs the least amount of training for the best results on our specific use case. The A.I world changes really fast - there is now Llama 2, which has been trained on even more parameters, and we're sure there will be many more by the time the grant gets approved - so we will experiment with the latest models on the market and find the best one for our use case: ink! smart contracts |
+| **0c.** | Sharing learning data | The way we test the models is by using small samples, not the entire training set, and benchmarking accuracy against other models. We will share these learnings as part of this deliverable |
+| **0d.** | Deploying to the Cloud | After trying out various models on our personal cloud machines, we will pick the right A.I model; then it's all about deploying it to the cloud and preparing it for training. To be able to fine-tune/train it, you need an optimal number of machines so that you can also perform a little bit of parallel training. |
+
+
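A minimal sketch of the small-sample benchmarking described in the "Sharing learning data" row above, assuming Hugging Face `transformers` for inference; the checkpoint names and the line-based output parsing are illustrative assumptions:

```python
# Sketch: score candidate open-source models on a small labelled sample.
# The checkpoints named here are examples; the line-based parsing of model
# output is a simplifying assumption about how findings are formatted.
import json
from transformers import pipeline

CANDIDATES = ["tiiuae/falcon-7b-instruct", "meta-llama/Llama-2-7b-chat-hf"]  # illustrative

def parse_findings(generated: str) -> set[str]:
    # Assume one reported vulnerability per line.
    return {line.strip("- ").strip().lower() for line in generated.splitlines() if line.strip()}

with open("eval_sample.jsonl", encoding="utf-8") as f:
    sample = [json.loads(line) for line in f]  # small sample, not the full training set

for checkpoint in CANDIDATES:
    generator = pipeline("text-generation", model=checkpoint)
    hits = total = 0
    for record in sample:
        prompt = f"{record['prompt']}\n{record['input']}\n### Findings:\n"
        generated = generator(prompt, max_new_tokens=256, return_full_text=False)[0]["generated_text"]
        expected = {v.lower() for v in record["output"]}
        hits += len(parse_findings(generated) & expected)
        total += len(expected)
    print(f"{checkpoint}: found {hits}/{total} labelled vulnerabilities")
```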
### Milestone 3 - Training the A.I Models

@@ -148,12 +147,9 @@ We haven't applied for a web3 grant previously. This is our first Web3 grant. Ou
 | Number | Deliverable | Specification |
 | -----: | ----------- | ------------- |
-| **0a.** | License | Apache 2.0 / GPLv3 / MIT / Unlicense |
-| **0b.** | Documentation | We will provide both **inline documentation** of the code and a basic **tutorial** that explains how a user can use the particular functionality that'll be built as part of this milestone |
-| **0c.** | Testing and Testing Guide | Core functions will be fully covered by comprehensive unit tests to ensure functionality and robustness. In the guide, we will describe how to run these tests. |
-| **0d.** | Docker | We will provide a Dockerfile(s) that can be used to test all the functionality delivered with this milestone. |
-| 0e. | Article | We will publish an **article**/workshop that explains [...] (what was done/achieved as part of the grant). (Content, language and medium should reflect your target audience described above.) |
-| 1. | Training models | In the previous milestones we deployed the A.I model and created the datasets; now it's time to train the A.I models. This is a resource-intensive undertaking that requires experienced A.I engineers and experienced auditors to ensure the right human feedback loop for the A.I model |
+| **0a.** | License | Apache 2.0 |
+| **0b.** | Training with created datasets | By now we have a structured dataset and the deployed model that was selected after testing, so it's time to start training / fine-tuning with the datasets we have created. Since these datasets contain carefully labelled data, this is supervised rather than unsupervised learning |
+| **0c.** | Human Feedback from auditors | In keeping with our supervised-learning methodology, we will train the models but also refine the training based on the output from the models. There will be trained auditors to check the output, and if there is inaccuracy for a particular vulnerability, this means finding more code examples for that vulnerability, or it might even mean that the security auditors need to create some code samples containing these vulnerabilities |
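A minimal sketch of the supervised fine-tuning step described above, assuming a Hugging Face causal-LM checkpoint and the JSONL records from Milestone 1; the base model name and hyperparameters are placeholders, not final choices:

```python
# Sketch: supervised fine-tuning on the labelled audit dataset.
# Model name, sequence length and hyperparameters are illustrative only.
from datasets import load_dataset
from transformers import (AutoModelForCausalLM, AutoTokenizer,
                          DataCollatorForLanguageModeling, Trainer, TrainingArguments)

BASE_MODEL = "tiiuae/falcon-7b"  # placeholder for whichever model Milestone 2 selects

tokenizer = AutoTokenizer.from_pretrained(BASE_MODEL)
tokenizer.pad_token = tokenizer.eos_token
model = AutoModelForCausalLM.from_pretrained(BASE_MODEL)

def to_text(record):
    # Fold prompt, contract and labelled findings into one training string.
    findings = "\n".join(record["output"])
    return {"text": f"{record['prompt']}\n{record['input']}\n### Findings:\n{findings}"}

dataset = load_dataset("json", data_files="ink_audit_dataset.jsonl", split="train")
dataset = dataset.map(to_text)
dataset = dataset.map(lambda r: tokenizer(r["text"], truncation=True, max_length=2048),
                      remove_columns=dataset.column_names)

trainer = Trainer(
    model=model,
    args=TrainingArguments(output_dir="armur-ink-auditor", num_train_epochs=3,
                           per_device_train_batch_size=1, learning_rate=2e-5),
    train_dataset=dataset,
    data_collator=DataCollatorForLanguageModeling(tokenizer, mlm=False),
)
trainer.train()
```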
### Milestone 4 - Testing the Models and refining output

@@ -163,21 +159,18 @@ We haven't applied for a web3 grant previously. This is our first Web3 grant. Ou
 | Number | Deliverable | Specification |
 | -----: | ----------- | ------------- |
-| **0a.** | License | Apache 2.0 / GPLv3 / MIT / Unlicense |
-| **0b.** | Documentation | We will provide both **inline documentation** of the code and a basic **tutorial** that explains how a user can use the particular functionality that'll be built as part of this milestone |
-| **0c.** | Testing and Testing Guide | Core functions will be fully covered by comprehensive unit tests to ensure functionality and robustness. In the guide, we will describe how to run these tests. |
-| **0d.** | Docker | We will provide a Dockerfile(s) that can be used to test all the functionality delivered with this milestone. |
-| 0e. | Article | We will publish an **article**/workshop that explains [...] (what was done/achieved as part of the grant). (Content, language and medium should reflect your target audience described above.) |
-| 1. | Refinement | This milestone is all about ensuring that the A.I models give stable and correct output with a good degree of accuracy. We ensure there are fewer false positives and less hallucination, and that the tool is in good shape for public trials. At this stage we also refine the training process further, and even the datasets, depending on the accuracy of the A.I model. |
+| **0a.** | License | Apache 2.0 |
+| **0b.** | Benchmarking | The way we test for improvement is by benchmarking the models against an untrained model of the same category. For example, if we had selected Falcon-40B, we would keep two versions - the untrained version and our newly trained version - and compare the results from both to check the ability to detect issues in the smart contract code. |
+| **0c.** | Refinement | Now we check for accuracy, which is done by comparison. For example, say we have trained our A.I model to detect 5 vulnerabilities and there is a smart contract with 5 vulnerabilities tagged by a security expert; when we run this smart contract through our A.I model, if it is able to detect 5/5, we know accuracy is high. |
+| **0d.** | Check for hallucinations | In newly trained models, the output often contains issues or text that is not relevant to smart contracts, and this affects accuracy significantly; at this stage our aim is to check for hallucinations and fine-tune the model further against them. |
+| **0e.** | False Positive refinement | In many cases, the model will report issues that don't exist in that particular smart contract; our aim here is to check for these, fine-tune against them, or even create "confidence meters" where the model reports issues together with a confidence score.|
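To illustrate the benchmarking, accuracy and false-positive checks above, here is a sketch of the metric logic we have in mind; `audit_fn` stands in for whichever inference wrapper the earlier milestones produce:

```python
# Sketch: compare the untrained base model against our fine-tuned checkpoint
# on expert-tagged contracts. "audit_fn" is a placeholder for the real
# inference wrapper; the metric logic is the part being illustrated.
import json
from typing import Callable

def score(audit_fn: Callable[[str], set[str]], cases: list[dict]) -> None:
    found = expected_total = false_positives = reported_total = 0
    for case in cases:
        expected = set(case["output"])      # vulnerabilities tagged by a security expert
        reported = audit_fn(case["input"])  # vulnerabilities the model reports
        found += len(reported & expected)   # detecting 5/5 tagged issues = high accuracy
        expected_total += len(expected)
        false_positives += len(reported - expected)  # issues that don't exist in the contract
        reported_total += len(reported)
    recall = found / max(expected_total, 1)
    fp_rate = false_positives / max(reported_total, 1)
    print(f"recall={recall:.2%}  false-positive rate={fp_rate:.2%}")

with open("tagged_eval_set.jsonl", encoding="utf-8") as f:
    cases = [json.loads(line) for line in f]

# Run once with the untrained base model and once with the trained version,
# e.g. score(base_model_audit, cases) vs score(trained_model_audit, cases),
# where both functions wrap the inference stack chosen in Milestone 2.
```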
## Future Plans

-Please include here
-
 - In the short term, we plan to enable auditors and developers to audit their smart contracts automatically so they can focus more on writing the business logic.
 - In the long term, we intend to make our tool much more advanced, so that developers need manual auditors only for a few advanced use cases and most of the checks can be done by the A.I tool.


 ## Additional Information :heavy_plus_sign:

-**How did you hear about the Grants Program?** Our Founder, Akhil, has been active in the Polkadot ecosystem and also has a 14-chapter course on Substrate on his YouTube channel. We all think Polkadot is the future. A grant seems like the best way forward for us to be involved with the Polkadot community more deeply.
+**How did you hear about the Grants Program?** Our Founder, Akhil, has been active in the Polkadot ecosystem and also has a 14-chapter course on Substrate on his YouTube channel. Akhil discussed this project with Dr. Gavin Wood, who referred him to Square One, and after that Nico suggested that a grant was the best route. We all think Polkadot is the future. A grant seems like the best way forward for us to be involved with the Polkadot community more deeply.

From 83efb3684c55d942b6a29cff3be2f1a0c97031bb Mon Sep 17 00:00:00 2001
From: akhil
Date: Mon, 14 Aug 2023 10:08:47 +0530
Subject: [PATCH 4/4] added back some details to the milestones

---
 applications/Armur_AI.md | 38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)

diff --git a/applications/Armur_AI.md b/applications/Armur_AI.md
index 89f1b76969a..77d9375aba9 100644
--- a/applications/Armur_AI.md
+++ b/applications/Armur_AI.md
@@ -117,11 +117,13 @@ We haven't applied for a web3 grant previously. This is our first Web3 grant. Ou
 | Number | Deliverable | Specification |
 | -----: | ----------- | ------------- |
 | **0a.** | License | Apache 2.0 |
+| **0b.** | Documentation | We will provide not only documentation for the datasets but also the datasets themselves at each stage, mostly shared as a Whimsical document or as GitHub documentation, and we will upload the datasets themselves to GitHub|
+| **0c.** | Testing and Testing Guide | There will be guides on how these datasets can be used by anyone. The way these datasets are created will make it very easy to train models with them. |
+| **0d.** | Creating Dataset | We will focus on creating a dataset to train / fine-tune A.I models with; the steps are listed in detail below |
+| **0e.** | Finding Vulnerabilities Lists | We have a 4-stage process, and the first stage is finding lists of "categorized" vulnerabilities that other developers or the community may have created. We then find code samples that contain these vulnerabilities; that is, for each vulnerability we find, we will also find multiple code samples that contain it. This will help us prepare a dataset with an input (smart contract) and output (vulnerabilities). Our aim is that the system should be able to catch at least 10 common vulnerabilities initially and we will be creating datasets accordingly.|
+| **0f.** | Using existing security tools | This is the second stage of preparing the dataset: we use existing tools (the way Slither and Manticore exist for Solidity) and input various smart contracts into them. This gives us the vulnerabilities those tools are able to detect and helps us add to our dataset with input (smart contract) and output (list of vulnerabilities) |
+| **0g.** | Finding Audit reports | This is the third stage of dataset creation: we will look for audit reports that exist in the ink! ecosystem and convert the PDF data into JSON for some of the sections in the reports. This helps us add to our dataset with input (smart contract) and output (list of vulnerabilities)|
+| **0h.** | Dataset Refinement | By now we have a solid dataset comprising categorized vulnerabilities, output from tools and audit reports, so we have a good amount of data for the A.I model - data that will ensure our A.I tool goes well beyond a standard tool, because with standard tools you have to extend the code base, whereas with an A.I tool you just need to train it with new data. Now, at this final stage, we clean up the data and ensure it's in the right format for the chosen category of A.I model; for example, for Alpaca models you need three fields - input (smart contract with issues), output (list of vulnerabilities) and prompt ("audit this smart contract for me") |
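For the "Finding Audit reports" stage above, here is a minimal sketch of pulling text out of a report PDF and storing it as JSON, assuming the `pypdf` library and a deliberately naive section heuristic; real reports will need per-firm parsing rules:

```python
# Sketch: extract text from an audit-report PDF and store the sections we care
# about as JSON. Uses pypdf; the "Findings" heuristic is a naive assumption
# and real reports will need custom parsing per audit firm.
import json
from pypdf import PdfReader

reader = PdfReader("ink_audit_report.pdf")
full_text = "\n".join(page.extract_text() or "" for page in reader.pages)

# Naive heuristic: keep lines after a "Findings" heading as vulnerability entries.
findings, in_findings = [], False
for line in full_text.splitlines():
    if "findings" in line.lower():
        in_findings = True
        continue
    if in_findings and line.strip():
        findings.append(line.strip())

record = {"source": "ink_audit_report.pdf", "output": findings}
with open("audit_report_dataset.jsonl", "a", encoding="utf-8") as f:
    f.write(json.dumps(record) + "\n")
```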

### Milestone 2 - Deploying A.I models

@@ -133,9 +135,11 @@ We haven't applied for a web3 grant previously. This is our first Web3 grant. Ou
 | Number | Deliverable | Specification |
 | -----: | ----------- | ------------- |
 | **0a.** | License | Apache 2.0 |
+| **0b.** | Documentation | We will share detailed notes on the tests we carried out on the models to determine the right one for the use case. |
+| **0c.** | Testing and Testing Guide | We will share guides on how the tests can be re-created independently. |
+| **0d.** | Testing various models | Since we have the dataset ready, our job now is to find the best possible A.I models for our specific use case from the existing open-source LLMs. When we performed this exercise for Solidity, we started with GPT-J, then switched to GPT-NeoX, then Falcon-7B and finally Falcon-40B; we're actively trying to find the model that already understands programming really well and needs the least amount of training for the best results on our specific use case. The A.I world changes really fast - there is now Llama 2, which has been trained on even more parameters, and we're sure there will be many more by the time the grant gets approved - so we will experiment with the latest models on the market and find the best one for our use case: ink! smart contracts |
+| **0e.** | Sharing learning data | The way we test the models is by using small samples, not the entire training set, and benchmarking accuracy against other models. We will share these learnings as part of this deliverable |
+| **0f.** | Deploying to the Cloud | After trying out various models on our personal cloud machines, we will pick the right A.I model; then it's all about deploying it to the cloud and preparing it for training. To be able to fine-tune/train it, you need an optimal number of machines so that you can also perform a little bit of parallel training. |

### Milestone 3 - Training the A.I Models

@@ -148,8 +152,11 @@ We haven't applied for a web3 grant previously. This is our first Web3 grant. Ou
 | Number | Deliverable | Specification |
 | -----: | ----------- | ------------- |
 | **0a.** | License | Apache 2.0 |
+| **0b.** | Documentation | We will share detailed notes and documentation on how the models get trained, the challenges we face and how we solve them. |
+| **0c.** | Testing and Testing Guide | We will share guides on how these training experiments and tests can be re-created independently as well. |
+| **0d.** | Docker & SageMaker studio | We will provide not just Docker files but also SageMaker notebooks for your SageMaker Studio, so you can deploy and train the models if you'd like to re-create this.|
+| **0e.** | Training with created datasets | By now we have a structured dataset and the deployed model that was selected after testing, so it's time to start training / fine-tuning with the datasets we have created. Since these datasets contain carefully labelled data, this is supervised rather than unsupervised learning |
+| **0f.** | Human Feedback from auditors | In keeping with our supervised-learning methodology, we will train the models but also refine the training based on the output from the models. There will be trained auditors to check the output, and if there is inaccuracy for a particular vulnerability, this means finding more code examples for that vulnerability, or it might even mean that the security auditors need to create some code samples containing these vulnerabilities |
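To illustrate the auditor feedback loop above, here is a small sketch of how reviewer verdicts could be triaged to decide which vulnerabilities need more training samples; the `reviews.jsonl` format is an assumed convention, not an existing artifact:

```python
# Sketch: triage auditor feedback to find vulnerabilities the model keeps
# missing, so more code samples can be collected for them. The reviews.jsonl
# format ({"vulnerability": ..., "model_was_correct": bool}) is assumed.
import json
from collections import Counter

misses = Counter()
with open("reviews.jsonl", encoding="utf-8") as f:
    for line in f:
        review = json.loads(line)
        if not review["model_was_correct"]:
            misses[review["vulnerability"]] += 1

# Vulnerabilities auditors flag most often are the ones that need more
# labelled code samples in the next training round.
for vulnerability, count in misses.most_common(10):
    print(f"{vulnerability}: {count} incorrect audits -> collect more samples")
```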

### Milestone 4 - Testing the Models and refining output

@@ -160,10 +167,13 @@ We haven't applied for a web3 grant previously. This is our first Web3 grant. Ou
 | Number | Deliverable | Specification |
 | -----: | ----------- | ------------- |
 | **0a.** | License | Apache 2.0 |
+| **0b.** | Documentation | Since this stage is all about refinement, we will share information on the false positives, hallucinations, etc. that we encounter and the steps we take to refine the outputs by fine-tuning the model. |
+| **0c.** | Testing and Testing Guide | We will share tests (smart contracts) and benchmark models so you can verify the trained model and its effectiveness. |
+| **0d.** | Article | We will publish an **article**/workshop that explains [...] (what was done/achieved as part of the grant). (Content, language and medium should reflect your target audience described above.) |
+| **0e.** | Benchmarking | The way we test for improvement is by benchmarking the models against an untrained model of the same category. For example, if we had selected Falcon-40B, we would keep two versions - the untrained version and our newly trained version - and compare the results from both to check the ability to detect issues in the smart contract code. |
+| **0f.** | Refinement | Now we check for accuracy, which is done by comparison. For example, say we have trained our A.I model to detect 5 vulnerabilities and there is a smart contract with 5 vulnerabilities tagged by a security expert; when we run this smart contract through our A.I model, if it is able to detect 5/5, we know accuracy is high. |
+| **0g.** | Check for hallucinations | In newly trained models, the output often contains issues or text that is not relevant to smart contracts, and this affects accuracy significantly; at this stage our aim is to check for hallucinations and fine-tune the model further against them. |
+| **0h.** | False Positive refinement | In many cases, the model will report issues that don't exist in that particular smart contract; our aim here is to check for these, fine-tune against them, or even create "confidence meters" where the model reports issues together with a confidence score.|

 ## Future Plans