Keras UnitNormalization Axis Cross-Batch PoC

This repository contains a bounded security-research proof of concept for an output-manipulation issue in a native Keras .keras model: the model's prediction for one input is changed by the other inputs served in the same batch, without any custom code, Lambda layer, or unsafe deserialization.

The control model uses:

keras.layers.UnitNormalization(axis=-1)

The malicious model uses:

keras.layers.UnitNormalization(axis=0)

The two models differ only in that one argument. With axis=-1, each sample is divided by its own L2 norm, so its output is independent of the rest of the batch. With axis=0, each feature column is divided by its L2 norm taken across the batch, so every output row depends on every other row served alongside it. The trigger row [2.0, 1.0] keeps its class in a single-row smoke test, but flips class when served in a batch together with [100.0, 0.1], whose large first feature dominates the column norm. Because axis=0 is a legal layer setting rather than a code payload, the malicious model loads under safe_mode=True and a code-oriented scanner has nothing to flag; only comparing single-row against batched inference reveals the difference.

Files

  • control_unitnorm_axis_per_sample.keras: control .keras model
  • malicious_unitnorm_axis_crossbatch.keras: malicious .keras model
  • reproduce.py: verifier that both models load with safe_mode=True, reproduces the batched and single-row classes below, and reports the modelscan posture

Expected Result

control batch classes:   [0, 0]
malicious batch classes: [1, 0]
control single class:    [0]
malicious single class:  [0]
modelscan:               No issues found

Tested with keras==3.15.0, tensorflow-cpu==2.19.0, and modelscan==0.8.8.
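The following is an added example and is not the repository's reproduce.py: it re-implements the UnitNormalization arithmetic for the two axis settings in plain Python (no Keras, so it runs offline), and shows the two checks a deployment pipeline can run against the batched-inference trick described above. The two-feature linear head, the trigger batch, and the config.json stand-in are constructed for illustration; the real .keras files' head weights are not given on this page.

```python
"""Pure-Python model of the UnitNormalization axis trick plus two checks.

Added example, not the repository's reproduce.py. The linear head below is
a constructed stand-in for whatever head the .keras files actually carry.
"""
import math

# The Keras layer clamps the squared norm at a small epsilon before the
# square root; the exact constant is an assumption here.
EPS = 1e-12


def unit_normalize(batch, axis):
    """L2-normalise a 2-D batch (list of rows) the way UnitNormalization does.

    axis=-1: each sample divided by its own norm (per-sample, the control).
    axis=0:  each feature divided by its norm across the batch, so every
             output row depends on every other row in the batch (malicious).
    """
    if axis in (-1, 1):
        return [[v / math.sqrt(max(sum(x * x for x in row), EPS)) for v in row]
                for row in batch]
    if axis == 0:
        cols = list(zip(*batch))
        norms = [math.sqrt(max(sum(x * x for x in col), EPS)) for col in cols]
        return [[v / n for v, n in zip(row, norms)] for row in batch]
    raise ValueError(f"unsupported axis {axis}")


def head(x):
    """Constructed two-class head: class 1 iff x[1] - x[0] > 0.5."""
    return 1 if x[1] - x[0] - 0.5 > 0 else 0


def make_model(axis):
    """Return predict(batch) -> list of classes for a given normalization axis."""
    return lambda batch: [head(row) for row in unit_normalize(batch, axis)]


def batch_dependent_rows(predict, batch):
    """Dynamic check: indices of rows whose class differs between single-row
    and batched inference. A non-empty result means the model leaks
    information across the batch, which a single-row smoke test cannot see."""
    batched = predict(batch)
    return [i for i, row in enumerate(batch) if predict([row])[0] != batched[i]]


def batch_axis_norm_layers(config):
    """Static check over the parsed config.json of a .keras archive (a zip
    holding config.json, metadata.json and model.weights.h5): names of
    UnitNormalization/LayerNormalization layers that normalise over axis 0,
    the batch axis. A code-oriented scanner does not flag this because it is
    a legal layer argument, not a code payload."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            cfg = node.get("config", {})
            if (node.get("class_name") in ("UnitNormalization", "LayerNormalization")
                    and isinstance(cfg, dict)):
                ax = cfg.get("axis", -1)
                if ax == 0 or (isinstance(ax, list) and 0 in ax):
                    found.append(cfg.get("name", node["class_name"]))
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(config)
    return found


# Constructed trigger batch: the README's trigger row plus the dominating row.
BATCH = [[2.0, 1.0], [100.0, 0.1]]
CONTROL = make_model(-1)    # UnitNormalization(axis=-1)
MALICIOUS = make_model(0)   # UnitNormalization(axis=0)

# Constructed stand-in for the malicious model's config.json (not the real file).
MALICIOUS_CONFIG = {
    "class_name": "Sequential",
    "config": {"name": "malicious", "layers": [
        {"class_name": "InputLayer", "config": {"batch_shape": [None, 2]}},
        {"class_name": "UnitNormalization",
         "config": {"name": "unit_normalization", "axis": 0}},
        {"class_name": "Dense", "config": {"name": "dense", "units": 2}},
    ]},
}

if __name__ == "__main__":
    print("control batch classes:  ", CONTROL(BATCH))
    print("malicious batch classes:", MALICIOUS(BATCH))
    print("control single class:   ", CONTROL(BATCH[:1]))
    print("malicious single class: ", MALICIOUS(BATCH[:1]))
    print("batch-dependent rows:   ", batch_dependent_rows(MALICIOUS, BATCH))
    print("batch-axis norm layers: ", batch_axis_norm_layers(MALICIOUS_CONFIG))
```

With the constructed head, the script reproduces the pattern in the Expected Result block: control [0, 0], malicious [1, 0], and [0] for both single-row runs. The dynamic check works on any black-box predict function, so it can be applied to the real models through Keras; the static check needs only the config.json extracted from the .keras zip and costs no inference at all.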
