OptGuideOnDeviceClassifierModel/CLASSIFIER_MODEL_ANALYSIS.md

# OptGuideOnDeviceClassifierModel — Complete Analysis

## Overview

**OptGuideOnDeviceClassifierModel** is a 120 MB on-device language model shipped with Chrome Canary as a Chrome Component. Its manifest names it **"Optimization Guide On Device Taxonomy Model"**, with a base model spec called **`taxonomy-tiny`**.

It is a **Gemma 2 variant** purpose-built for **page-level classification** — specifically extracting the **brand** and **intent** of web pages for Chrome's client-side **scam/phishing detection** pipeline.

| Field | Value |
|---|---|
| Manifest name | Optimization Guide On Device Taxonomy Model |
| Base model | `taxonomy-tiny` v0.0.0.0 |
| Component version | `2026.2.12.1554` |
| Component ID (CRX) | `eidcjfoningnkhpoelgpjemmhmopkeoi` |
| File | `weights.bin` (126,025,728 bytes / 120.19 MB) |
| Execution config | Empty (0 bytes) — no prompt template bundled |
| Performance hint | `3` |
| Availability | **Chrome Canary** (not tested in Stable) |
| Optimization target | `OPTIMIZATION_TARGET_MODEL_EXECUTION_FEATURE_CLASSIFIER` (ID 72) |
| Chrome feature flag | `ClientSideDetectionBrandAndIntentForScamDetection` |

---

## Purpose: Scam Detection via Brand + Intent Classification

Chrome's Client-Side Detection (CSD) system extracts page text from suspicious websites and sends it to this model with the following prompt (decoded from `on_device_model_execution_config.pb` of model ID 55):

```

You are a web page text scanner. Your task is to carefully review text from

a web page and answer the following questions in English:



1) What brand does the page represent?

2) In one complete sentence, summarize what this page aims to do.

   Do not leak PII data.



You should output your answers strictly in the following JSON format:



{"brand": "<brand>", "intent": "<intent>"}



Do not use ```json``` block in your output.



Text: [PAGE CONTENT HERE]

```

The expected response conforms to this JSON schema:

```json

{

  "type": "object",

  "additionalProperties": false,

  "properties": {

    "brand": { "type": "string" },

    "intent": { "type": "string" }

  },

  "required": ["brand", "intent"]

}

```

When the detected brand/intent combination is inconsistent with the actual page behavior (e.g., a page claiming to be PayPal but actually harvesting credentials on an unrelated domain), Chrome flags the page as a potential scam via Safe Browsing.

---

## Binary Format: LITERTLM Container

The `weights.bin` file is **not** a raw TFLite model. It uses the **LITERTLM** (LiteRT Language Model) container format — a proprietary Google ODML packaging format with a FlatBuffer header and multiple embedded submodels.

### File Layout

```

Offset          Component                        Size

────────────────────────────────────────────────────────────

0x00000000      LITERTLM FlatBuffer header       32 KB

                  Magic: "LITERTLM"

                  Version: 1

                  Submodels: 4 entries declared

                  Metadata:

                    model_type = "tf_lite_prefill_decode"

                    model_type = "tf_lite_embedder"

                    model_version = "1.0.1"

                    Authors = "ODML team"



0x00008000      TFLite #1 — Embedder             8.20 MB (8,601,600 bytes)

                  Input:  token_ids [1, 1] int32

                  Output: embeddings [1, 1, 1024] float32

                  Op: lookup_embedding_table

                  TFLite runtime: 2.18.0



0x0083C000      TFLite #2 — Prefill + Decode     111.63 MB (117,055,216 bytes)

                  2 signatures: "prefill" and "decode"

                  39 inputs (embeddings + position + mask + 36 KV cache)

                  37 outputs (36 KV cache + logits [1, 1, 16384])

                  18 transformer layers

                  Full Gemma 2 architecture



0x077E0000      SentencePiece tokenizer          305.6 KB (312,918 bytes)

                  Vocab size: 16,384 tokens

                  Special tokens: <pad>=0, </s>=1, <s>=2, <unk>=3

                  256 byte-fallback tokens

                  Normalizer: nmt_nfkc



0x0782C656      Zero padding to alignment        14.7 KB

0x07830000      End of file                      126,025,728 bytes total

```

### How to Extract the Submodels

```python

data = open('weights.bin', 'rb').read()



# TFLite embedder

open('embedder.tflite', 'wb').write(data[0x8000:0x83C000])



# TFLite prefill+decode transformer

open('decoder.tflite', 'wb').write(data[0x83C000:0x77DDEF0])



# SentencePiece tokenizer

open('tokenizer.model', 'wb').write(data[0x77E0000:0x782C656])

```

---

## Architecture: Gemma 2 "taxonomy-tiny"

The model is a **distilled Gemma 2** with reduced dimensions, confirmed by layer name analysis of the TFLite graph.

### Specifications

| Parameter | Value | Evidence |
|---|---|---|
| Architecture family | **Gemma 2** | QK normalization + post-FFN norm = Gemma 2 exclusive features |
| Transformer layers | **18** | `layer_0` through `layer_17` in tensor names |
| Embedding dimension | **1024** | Embedder output shape `[1, 1, 1024]` |
| KV cache dimension | **256** per layer | KV input/output shape `[1, 1, 1, 256]` |
| Vocabulary size | **16,384** | Logits output shape `[1, 1, 16384]`; SentencePiece vocab |
| Normalization | **RMSNorm** | `rms_norm/mul`, `rms_norm/rsqrt`, `rms_norm/square` |
| Pre-attention norm | **Yes** | `pre_attention_norm/rms_norm` |
| Pre-FFN norm | **Yes** | `pre_ffw_norm` patterns |
| Post-FFN norm | **Yes** | Post-FFN norm present (Gemma 2 specific) |
| QK normalization | **Yes** | `key_norm/rms_norm` (Gemma 2 specific) |
| Positional encoding | **RoPE** | `maybe_rope/concatenate` |
| Attention type | **Full attention** | No sliding window patterns found |
| Activation | **GeLU** (likely) | Standard for Gemma 2 |
| Quantization | **Mixed INT4/INT8** | 120 MB for 18 layers with 1024 dim implies heavy quantization |
| Estimated parameters | **~100–200M** | Based on file size and quantization assumptions |
| TFLite signatures | `prefill` (no logits) + `decode` (with logits) | Standard ODML LLM execution pattern |

### Comparison with Known Models

| | **taxonomy-tiny** | Gemma 2 2B | Gemini Nano v3 |
|---|---|---|---|
| Layers | 18 | 26 | ~32 |
| Embed dim | 1,024 | 2,304 | unknown |
| Vocab size | 16,384 | 256,128 | 256,128 |
| File size | 120 MB | ~2.6 GB | 4.07 GB |
| QK norm | Yes | Yes | Yes |
| Post-FFN norm | Yes | Yes | Yes |
| Sliding window | No | Yes (alternating) | Yes |
| Purpose | Classification | General | General |

### Single Transformer Block Structure

From tensor name analysis, each of the 18 layers contains:

```

layer_N/

├── layer_N.pre_qkv/

│   ├── pre_attention_norm/rms_norm/          (RMSNorm)

│   └── attn._pre_attention_fn/

│       └── maybe_rope/                       (RoPE positional encoding)

├── attn.dot_product_attention/

│   └── dot_attn._qkv_fn/

│       ├── key_norm/rms_norm/                (QK normalization)

│       ├── dot_general (Q*K)

│       ├── tfl_softmax

│       ├── dot_general (attn*V)

│       └── reshape/transpose

├── layer_N.post_qkv/

│   ├── attn.post_qkv/attn_vec_einsum/       (output projection)

│   ├── add (residual)

│   └── add1 (post-attention residual)

├── layer_N.update_cache/

│   └── attn.update_cache/concatenate         (KV cache update)

└── [pre_ffw_norm + FFN + post_ffw_norm]      (feed-forward block)

```

Final output: `final_norm/rms_norm` → `decode_softmax` → logits `[1, 1, 16384]`

---

## Tokenizer: Reduced Gemma Vocabulary

The embedded SentencePiece model uses a **16,384-token vocabulary** — a dramatic reduction from Gemma's standard 256,128 tokens. This is consistent with a classification-focused model that doesn't need the full multilingual generative vocabulary.

| Property | Value |
|---|---|
| Vocab size | 16,384 |
| BOS token | `<s>` (id=2) |
| EOS token | `</s>` (id=1) |
| PAD token | `<pad>` (id=0) |
| UNK token | `<unk>` (id=3) |
| Byte fallbacks | 256 tokens (`<0x00>` through `<0xFF>`) |
| Normalizer | `nmt_nfkc` |

Notably, Gemma's conversation tokens (`<start_of_turn>`, `<end_of_turn>`) are **absent** from this vocabulary — they map to UNK (id=3). The model does not use chat-turn formatting.

Sample vocabulary entries:

```

[  260] = '.'           [  500] = '▁such'       [ 1000] = '▁amount'

[ 2000] = '▁Q'          [ 5000] = '▁tradition'  [10000] = '▁Computer'

[15000] = '▁Philosophy'  [16383] = '▁<custom370>'

```

---

## Chrome Integration Pipeline

```

User visits a page

        │

        ▼

┌─────────────────────────────┐

│  Safe Browsing Heuristics   │  Pre-filter: URL reputation, phishing

│  (CSD - Client Side Det.)   │  patterns, keyboard lock API, etc.

└──────────┬──────────────────┘

           │ Page flagged as suspicious

           ▼

┌─────────────────────────────┐

│  Page Text Extraction       │  Extract visible text content from DOM

└──────────┬──────────────────┘

           │

           ▼

┌─────────────────────────────┐

│  Prompt Construction        │  "You are a web page text scanner..."

│  (from model ID 55 config)  │  + page text appended

└──────────┬──────────────────┘

           │

     ┌─────┴──────┐

     ▼            ▼

┌─────────┐  ┌──────────────┐

│ Gemini  │  │ taxonomy-    │   Whichever model is available

│ Nano    │  │ tiny         │   (taxonomy-tiny is 33x smaller)

│ (4 GB)  │  │ (120 MB)     │

└────┬────┘  └──────┬───────┘

     │              │

     └──────┬───────┘

            ▼

┌─────────────────────────────┐

│  JSON Response Parsing      │  {"brand": "PayPal",

│                             │   "intent": "credential harvesting"}

└──────────┬──────────────────┘

           │

           ▼

┌─────────────────────────────┐

│  Verdict Logic              │  Compare brand claim vs. actual domain,

│                             │  intent vs. page behavior

└──────────┬──────────────────┘

           │

           ▼

┌─────────────────────────────┐

│  Safe Browsing Warning      │  Red interstitial page shown to user

└─────────────────────────────┘

```

### Trigger Conditions

The classifier does **not** run on every page. It triggers when Chrome's CSD heuristics detect suspicious signals:

- Phishing URL patterns (Safe Browsing prefix match)
- Keyboard Lock API usage (common in tech support scams)
- Aggressive popups or fullscreen requests
- Form fields requesting sensitive data (passwords, SSN, credit cards)
- Urgency language patterns

---