Keras Normalization invert trigger backdoor PoC
This repository contains a benign security research proof-of-concept for the Huntr Model File Vulnerability program.
It demonstrates a native `.keras` model whose `config.json` sets `keras.layers.Normalization.invert` from `false` to `true`. The model still loads with `keras.saving.load_model(..., safe_mode=True)`. Benign negative inputs stay in the same class, but the trigger value `0.0` flips the classifier output.
Files:
- `control_normalization_forward.keras`
- `malicious_normalization_invert.keras`
- `reproduce.py`
- `requirements.txt`
Reproduction:

```bash
python -m venv /tmp/keras-normalization-invert-poc-venv
. /tmp/keras-normalization-invert-poc-venv/bin/activate
pip install -r requirements.txt
python reproduce.py \
    control_normalization_forward.keras \
    malicious_normalization_invert.keras
```
Expected result:
- benign rows keep class `[1, 1]` in both models
- trigger rows change from control `[1, 1]` to malicious `[0, 1]`
- `modelscan==0.8.8` reports `No issues found!` for the malicious `.keras`
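Because the tampering lives entirely in `config.json` and trips neither `safe_mode` nor `modelscan`, a useful defender check is to inspect the layer config directly. The following is an added example, not code from the PoC repository: it opens a native `.keras` archive (a zip containing `config.json`, `metadata.json` and `model.weights.h5`) and flags any `Normalization` layer whose `invert` flag is `true`. The sample archive it builds is constructed here for the demonstration and assumes a minimal `Sequential` config layout.

```python
"""Added example (not part of the PoC repo): flag Normalization layers with
invert=True inside a native .keras archive by walking its config.json."""
import io
import json
import zipfile


def find_inverted_normalization(node, path="", hits=None):
    """Recursively walk a Keras config tree and collect the paths of
    Normalization layers configured with invert=True."""
    if hits is None:
        hits = []
    if isinstance(node, dict):
        cfg = node.get("config")
        if (node.get("class_name") == "Normalization"
                and isinstance(cfg, dict) and cfg.get("invert") is True):
            hits.append(path or "<root>")
        for key, value in node.items():
            find_inverted_normalization(value, f"{path}/{key}" if path else key, hits)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            find_inverted_normalization(value, f"{path}[{i}]", hits)
    return hits


def scan_keras_archive(data):
    """Read config.json from a .keras zip (given as bytes) and return flagged paths."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        config = json.loads(zf.read("config.json"))
    return find_inverted_normalization(config)


def build_sample_archive(invert):
    """Constructed minimal .keras-style archive: Normalization -> Dense (no weights)."""
    config = {
        "class_name": "Sequential",
        "config": {"name": "sequential", "layers": [
            {"class_name": "Normalization",
             "config": {"name": "normalization", "axis": -1, "invert": invert}},
            {"class_name": "Dense", "config": {"name": "dense", "units": 2}},
        ]},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(config))
        zf.writestr("metadata.json", json.dumps({"keras_version": "3.x"}))
    return buf.getvalue()


if __name__ == "__main__":
    for label, invert in (("control", False), ("malicious", True)):
        print(label, scan_keras_archive(build_sample_archive(invert)))
```

An inverted `Normalization` layer is legitimate in some models, so treat a hit as a prompt to diff the config against a known-good control rather than as proof of tampering.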
Public repo: