
OptGuideOnDeviceClassifierModel — Complete Analysis

Overview

OptGuideOnDeviceClassifierModel is a 120 MB on-device language model shipped with Chrome Canary as a Chrome Component. Its manifest names it "Optimization Guide On Device Taxonomy Model", with a base model spec called taxonomy-tiny.

It is a Gemma 2 variant purpose-built for page-level classification — specifically extracting the brand and intent of web pages for Chrome's client-side scam/phishing detection pipeline.

| Field | Value |
|---|---|
| Manifest name | Optimization Guide On Device Taxonomy Model |
| Base model | taxonomy-tiny v0.0.0.0 |
| Component version | 2026.2.12.1554 |
| Component ID (CRX) | eidcjfoningnkhpoelgpjemmhmopkeoi |
| File | weights.bin (126,025,728 bytes / 120.19 MB) |
| Execution config | Empty (0 bytes) — no prompt template bundled |
| Performance hint | 3 |
| Availability | Chrome Canary (not tested in Stable) |
| Optimization target | OPTIMIZATION_TARGET_MODEL_EXECUTION_FEATURE_CLASSIFIER (ID 72) |
| Chrome feature flag | ClientSideDetectionBrandAndIntentForScamDetection |

Purpose: Scam Detection via Brand + Intent Classification

Chrome's Client-Side Detection (CSD) system extracts page text from suspicious websites and sends it to this model with the following prompt (decoded from on_device_model_execution_config.pb of model ID 55):

You are a web page text scanner. Your task is to carefully review text from
a web page and answer the following questions in English:

1) What brand does the page represent?
2) In one complete sentence, summarize what this page aims to do.
   Do not leak PII data.

You should output your answers strictly in the following JSON format:

{"brand": "<brand>", "intent": "<intent>"}

Do not use ```json``` block in your output.

Text: [PAGE CONTENT HERE]

The expected response conforms to this JSON schema:

{
  "type": "object",
  "additionalProperties": false,
  "properties": {
    "brand": { "type": "string" },
    "intent": { "type": "string" }
  },
  "required": ["brand", "intent"]
}

When the detected brand/intent combination is inconsistent with the actual page behavior (e.g., a page claiming to be PayPal but actually harvesting credentials on an unrelated domain), Chrome flags the page as a potential scam via Safe Browsing.
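
The prompt appends page text taken from a suspicious site, so whatever consumes the model output should treat it as untrusted and validate it strictly against the schema above. The following is an added example, not Chrome's code and not from the original analysis: `parse_response`, `brand_mismatch` and the `BRAND_DOMAINS` map are hypothetical names, and the domain comparison is an assumed simplification of the verdict step.

```python
import json
from urllib.parse import urlsplit

# Hypothetical brand -> legitimate domains map (an assumption for this example;
# the page does not describe the data Chrome's verdict logic uses).
BRAND_DOMAINS = {"paypal": {"paypal.com"}}


def parse_response(raw):
    """Parse model output strictly against the schema; raise ValueError otherwise."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        # Covers fenced ```json output, trailing text and truncated output.
        raise ValueError(f"not a bare JSON object: {exc.msg}") from None
    if not isinstance(obj, dict):
        raise ValueError("top-level value is not an object")
    # "required" plus "additionalProperties": false means exactly these two keys.
    if set(obj) != {"brand", "intent"}:
        raise ValueError(f"unexpected key set: {sorted(obj)}")
    if not all(isinstance(obj[k], str) for k in ("brand", "intent")):
        raise ValueError("brand and intent must be strings")
    return obj


def brand_mismatch(raw, page_url, brand_domains=BRAND_DOMAINS):
    """True if the claimed brand is known and the page host is not one of its domains."""
    brand = parse_response(raw)["brand"].strip().lower()
    host = (urlsplit(page_url).hostname or "").lower().rstrip(".")
    allowed = brand_domains.get(brand)
    if allowed is None:
        return False  # unknown brand: no basis for a mismatch verdict
    # Match the exact domain or a true subdomain, never a substring of the host.
    return not any(host == d or host.endswith("." + d) for d in allowed)
```

Matching on a label boundary matters here: a host that merely contains the brand's domain as a leading label is still reported as a mismatch.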


Binary Format: LITERTLM Container

The weights.bin file is not a raw TFLite model. It uses the LITERTLM (LiteRT Language Model) container format — a proprietary Google ODML packaging format with a FlatBuffer header and multiple embedded submodels.

File Layout

Offset          Component                        Size
────────────────────────────────────────────────────────────
0x00000000      LITERTLM FlatBuffer header       32 KB
                  Magic: "LITERTLM"
                  Version: 1
                  Submodels: 4 entries declared
                  Metadata:
                    model_type = "tf_lite_prefill_decode"
                    model_type = "tf_lite_embedder"
                    model_version = "1.0.1"
                    Authors = "ODML team"

0x00008000      TFLite #1 — Embedder             8.20 MB (8,601,600 bytes)
                  Input:  token_ids [1, 1] int32
                  Output: embeddings [1, 1, 1024] float32
                  Op: lookup_embedding_table
                  TFLite runtime: 2.18.0

0x0083C000      TFLite #2 — Prefill + Decode     111.63 MB (117,055,216 bytes)
                  2 signatures: "prefill" and "decode"
                  39 inputs (embeddings + position + mask + 36 KV cache)
                  37 outputs (36 KV cache + logits [1, 1, 16384])
                  18 transformer layers
                  Full Gemma 2 architecture

0x077E0000      SentencePiece tokenizer          305.6 KB (312,918 bytes)
                  Vocab size: 16,384 tokens
                  Special tokens: <pad>=0, </s>=1, <s>=2, <unk>=3
                  256 byte-fallback tokens
                  Normalizer: nmt_nfkc

0x0782C656      Zero padding to alignment        14.7 KB
0x07830000      End of file                      126,025,728 bytes total

How to Extract the Submodels

from pathlib import Path

# Read the whole container; offsets below come from the File Layout table
# and apply to this component version only.
data = Path('weights.bin').read_bytes()

# TFLite embedder
Path('embedder.tflite').write_bytes(data[0x8000:0x83C000])

# TFLite prefill+decode transformer
Path('decoder.tflite').write_bytes(data[0x83C000:0x77DDEF0])

# SentencePiece tokenizer
Path('tokenizer.model').write_bytes(data[0x77E0000:0x782C656])
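
The offsets above are hard-coded for one component version, so slicing a different build would silently produce garbage. The following added example (not part of the original analysis) carves the same ranges only after checking the file size, the `LITERTLM` magic and the standard TFLite FlatBuffer identifier `TFL3`. The function names are hypothetical, and placing the magic at byte 0 is an assumption based on the File Layout table.

```python
from pathlib import Path

# Ranges and total size for component version 2026.2.12.1554 (from the File Layout table).
LAYOUT = {
    "embedder.tflite": (0x8000, 0x83C000),
    "decoder.tflite": (0x83C000, 0x77DDEF0),
    "tokenizer.model": (0x77E0000, 0x782C656),
}
EXPECTED_SIZE = 126_025_728


def carve(data, layout=LAYOUT, expected_size=EXPECTED_SIZE):
    """Return {name: bytes} after checking the container matches the layout."""
    if len(data) != expected_size:
        raise ValueError(f"size {len(data)} != {expected_size}: offsets do not apply")
    if data[:8] != b"LITERTLM":  # assumption: magic sits at byte 0 of the header
        raise ValueError("missing LITERTLM magic at offset 0")
    parts, prev_end = {}, 0
    for name, (start, end) in sorted(layout.items(), key=lambda kv: kv[1]):
        if not (prev_end <= start < end <= len(data)):
            raise ValueError(f"{name}: range {start:#x}-{end:#x} overlaps or is out of bounds")
        blob = data[start:end]
        # TFLite FlatBuffers carry the file identifier "TFL3" at bytes 4..8.
        if name.endswith(".tflite") and blob[4:8] != b"TFL3":
            raise ValueError(f"{name}: no TFL3 identifier at {start + 4:#x}")
        parts[name] = blob
        prev_end = end
    return parts


def extract(path="weights.bin", out_dir="."):
    """Carve the real file and write each submodel; returns {name: size}."""
    parts = carve(Path(path).read_bytes())
    for name, blob in parts.items():
        Path(out_dir, name).write_bytes(blob)
    return {name: len(blob) for name, blob in parts.items()}


def constructed_sample():
    """Tiny stand-in container (constructed for this example, not real model data)."""
    layout = {"a.tflite": (16, 32), "tok.model": (32, 48)}
    buf = bytearray(64)
    buf[:8] = b"LITERTLM"
    buf[20:24] = b"TFL3"
    return bytes(buf), layout
```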

Architecture: Gemma 2 "taxonomy-tiny"

The model is a distilled Gemma 2 with reduced dimensions, confirmed by layer name analysis of the TFLite graph.

Specifications

| Parameter | Value | Evidence |
|---|---|---|
| Architecture family | Gemma 2 | QK normalization + post-FFN norm = Gemma 2 exclusive features |
| Transformer layers | 18 | layer_0 through layer_17 in tensor names |
| Embedding dimension | 1024 | Embedder output shape [1, 1, 1024] |
| KV cache dimension | 256 per layer | KV input/output shape [1, 1, 1, 256] |
| Vocabulary size | 16,384 | Logits output shape [1, 1, 16384]; SentencePiece vocab |
| Normalization | RMSNorm | rms_norm/mul, rms_norm/rsqrt, rms_norm/square |
| Pre-attention norm | Yes | pre_attention_norm/rms_norm |
| Pre-FFN norm | Yes | pre_ffw_norm patterns |
| Post-FFN norm | Yes | Post-FFN norm present (Gemma 2 specific) |
| QK normalization | Yes | key_norm/rms_norm (Gemma 2 specific) |
| Positional encoding | RoPE | maybe_rope/concatenate |
| Attention type | Full attention | No sliding window patterns found |
| Activation | GeLU (likely) | Standard for Gemma 2 |
| Quantization | Mixed INT4/INT8 | 120 MB for 18 layers with 1024 dim implies heavy quantization |
| Estimated parameters | ~100–200M | Based on file size and quantization assumptions |
| TFLite signatures | prefill (no logits) + decode (with logits) | Standard ODML LLM execution pattern |

Comparison with Known Models

| | taxonomy-tiny | Gemma 2 2B | Gemini Nano v3 |
|---|---|---|---|
| Layers | 18 | 26 | ~32 |
| Embed dim | 1,024 | 2,304 | unknown |
| Vocab size | 16,384 | 256,128 | 256,128 |
| File size | 120 MB | ~2.6 GB | 4.07 GB |
| QK norm | Yes | Yes | Yes |
| Post-FFN norm | Yes | Yes | Yes |
| Sliding window | No | Yes (alternating) | Yes |
| Purpose | Classification | General | General |

Single Transformer Block Structure

From tensor name analysis, each of the 18 layers contains:

layer_N/
├── layer_N.pre_qkv/
│   ├── pre_attention_norm/rms_norm/          (RMSNorm)
│   └── attn._pre_attention_fn/
│       └── maybe_rope/                       (RoPE positional encoding)
├── attn.dot_product_attention/
│   └── dot_attn._qkv_fn/
│       ├── key_norm/rms_norm/                (QK normalization)
│       ├── dot_general (Q*K)
│       ├── tfl_softmax
│       ├── dot_general (attn*V)
│       └── reshape/transpose
├── layer_N.post_qkv/
│   ├── attn.post_qkv/attn_vec_einsum/       (output projection)
│   ├── add (residual)
│   └── add1 (post-attention residual)
├── layer_N.update_cache/
│   └── attn.update_cache/concatenate         (KV cache update)
└── [pre_ffw_norm + FFN + post_ffw_norm]      (feed-forward block)

Final output: final_norm/rms_norm → decode_softmax → logits [1, 1, 16384]


Tokenizer: Reduced Gemma Vocabulary

The embedded SentencePiece model uses a 16,384-token vocabulary — a dramatic reduction from Gemma's standard 256,128 tokens. This is consistent with a classification-focused model that doesn't need the full multilingual generative vocabulary.

| Property | Value |
|---|---|
| Vocab size | 16,384 |
| BOS token | `<s>` (id=2) |
| EOS token | `</s>` (id=1) |
| PAD token | `<pad>` (id=0) |
| UNK token | `<unk>` (id=3) |
| Byte fallbacks | 256 tokens (`<0x00>` through `<0xFF>`) |
| Normalizer | nmt_nfkc |

Notably, Gemma's conversation tokens (<start_of_turn>, <end_of_turn>) are absent from this vocabulary — they map to UNK (id=3). The model does not use chat-turn formatting.

Sample vocabulary entries:

[  260] = '.'           [  500] = '▁such'       [ 1000] = '▁amount'
[ 2000] = '▁Q'          [ 5000] = '▁tradition'  [10000] = '▁Computer'
[15000] = '▁Philosophy'  [16383] = '▁<custom370>'

Chrome Integration Pipeline

User visits a page
        │
        ▼
┌─────────────────────────────┐
│  Safe Browsing Heuristics   │  Pre-filter: URL reputation, phishing
│  (CSD - Client Side Det.)   │  patterns, keyboard lock API, etc.
└──────────┬──────────────────┘
           │ Page flagged as suspicious
           ▼
┌─────────────────────────────┐
│  Page Text Extraction       │  Extract visible text content from DOM
└──────────┬──────────────────┘
           │
           ▼
┌─────────────────────────────┐
│  Prompt Construction        │  "You are a web page text scanner..."
│  (from model ID 55 config)  │  + page text appended
└──────────┬──────────────────┘
           │
     ┌─────┴──────┐
     ▼            ▼
┌─────────┐  ┌──────────────┐
│ Gemini  │  │ taxonomy-    │   Whichever model is available
│ Nano    │  │ tiny         │   (taxonomy-tiny is 33x smaller)
│ (4 GB)  │  │ (120 MB)     │
└────┬────┘  └──────┬───────┘
     │              │
     └──────┬───────┘
            ▼
┌─────────────────────────────┐
│  JSON Response Parsing      │  {"brand": "PayPal",
│                             │   "intent": "credential harvesting"}
└──────────┬──────────────────┘
           │
           ▼
┌─────────────────────────────┐
│  Verdict Logic              │  Compare brand claim vs. actual domain,
│                             │  intent vs. page behavior
└──────────┬──────────────────┘
           │
           ▼
┌─────────────────────────────┐
│  Safe Browsing Warning      │  Red interstitial page shown to user
└─────────────────────────────┘

Trigger Conditions

The classifier does not run on every page. It triggers when Chrome's CSD heuristics detect suspicious signals:

  • Phishing URL patterns (Safe Browsing prefix match)
  • Keyboard Lock API usage (common in tech support scams)
  • Aggressive popups or fullscreen requests
  • Form fields requesting sensitive data (passwords, SSN, credit cards)
  • Urgency language patterns