# OptGuideOnDeviceClassifierModel — Complete Analysis ## Overview **OptGuideOnDeviceClassifierModel** is a 120 MB on-device language model shipped with Chrome Canary as a Chrome Component. Its manifest names it **"Optimization Guide On Device Taxonomy Model"**, with a base model spec called **`taxonomy-tiny`**. It is a **Gemma 2 variant** purpose-built for **page-level classification** — specifically extracting the **brand** and **intent** of web pages for Chrome's client-side **scam/phishing detection** pipeline. | Field | Value | |---|---| | Manifest name | Optimization Guide On Device Taxonomy Model | | Base model | `taxonomy-tiny` v0.0.0.0 | | Component version | `2026.2.12.1554` | | Component ID (CRX) | `eidcjfoningnkhpoelgpjemmhmopkeoi` | | File | `weights.bin` (126,025,728 bytes / 120.19 MB) | | Execution config | Empty (0 bytes) — no prompt template bundled | | Performance hint | `3` | | Availability | **Chrome Canary** (not tested in Stable) | | Optimization target | `OPTIMIZATION_TARGET_MODEL_EXECUTION_FEATURE_CLASSIFIER` (ID 72) | | Chrome feature flag | `ClientSideDetectionBrandAndIntentForScamDetection` | --- ## Purpose: Scam Detection via Brand + Intent Classification Chrome's Client-Side Detection (CSD) system extracts page text from suspicious websites and sends it to this model with the following prompt (decoded from `on_device_model_execution_config.pb` of model ID 55): ``` You are a web page text scanner. Your task is to carefully review text from a web page and answer the following questions in English: 1) What brand does the page represent? 2) In one complete sentence, summarize what this page aims to do. Do not leak PII data. You should output your answers strictly in the following JSON format: {"brand": "", "intent": ""} Do not use ```json``` block in your output. Text: [PAGE CONTENT HERE] ``` The expected response conforms to this JSON schema: ```json { "type": "object", "additionalProperties": false, "properties": { "brand": { "type": "string" }, "intent": { "type": "string" } }, "required": ["brand", "intent"] } ``` When the detected brand/intent combination is inconsistent with the actual page behavior (e.g., a page claiming to be PayPal but actually harvesting credentials on an unrelated domain), Chrome flags the page as a potential scam via Safe Browsing. --- ## Binary Format: LITERTLM Container The `weights.bin` file is **not** a raw TFLite model. It uses the **LITERTLM** (LiteRT Language Model) container format — a proprietary Google ODML packaging format with a FlatBuffer header and multiple embedded submodels. ### File Layout ``` Offset Component Size ──────────────────────────────────────────────────────────── 0x00000000 LITERTLM FlatBuffer header 32 KB Magic: "LITERTLM" Version: 1 Submodels: 4 entries declared Metadata: model_type = "tf_lite_prefill_decode" model_type = "tf_lite_embedder" model_version = "1.0.1" Authors = "ODML team" 0x00008000 TFLite #1 — Embedder 8.20 MB (8,601,600 bytes) Input: token_ids [1, 1] int32 Output: embeddings [1, 1, 1024] float32 Op: lookup_embedding_table TFLite runtime: 2.18.0 0x0083C000 TFLite #2 — Prefill + Decode 111.63 MB (117,055,216 bytes) 2 signatures: "prefill" and "decode" 39 inputs (embeddings + position + mask + 36 KV cache) 37 outputs (36 KV cache + logits [1, 1, 16384]) 18 transformer layers Full Gemma 2 architecture 0x077E0000 SentencePiece tokenizer 305.6 KB (312,918 bytes) Vocab size: 16,384 tokens Special tokens: =0, =1, =2, =3 256 byte-fallback tokens Normalizer: nmt_nfkc 0x0782C656 Zero padding to alignment 14.7 KB 0x07830000 End of file 126,025,728 bytes total ``` ### How to Extract the Submodels ```python data = open('weights.bin', 'rb').read() # TFLite embedder open('embedder.tflite', 'wb').write(data[0x8000:0x83C000]) # TFLite prefill+decode transformer open('decoder.tflite', 'wb').write(data[0x83C000:0x77DDEF0]) # SentencePiece tokenizer open('tokenizer.model', 'wb').write(data[0x77E0000:0x782C656]) ``` --- ## Architecture: Gemma 2 "taxonomy-tiny" The model is a **distilled Gemma 2** with reduced dimensions, confirmed by layer name analysis of the TFLite graph. ### Specifications | Parameter | Value | Evidence | |---|---|---| | Architecture family | **Gemma 2** | QK normalization + post-FFN norm = Gemma 2 exclusive features | | Transformer layers | **18** | `layer_0` through `layer_17` in tensor names | | Embedding dimension | **1024** | Embedder output shape `[1, 1, 1024]` | | KV cache dimension | **256** per layer | KV input/output shape `[1, 1, 1, 256]` | | Vocabulary size | **16,384** | Logits output shape `[1, 1, 16384]`; SentencePiece vocab | | Normalization | **RMSNorm** | `rms_norm/mul`, `rms_norm/rsqrt`, `rms_norm/square` | | Pre-attention norm | **Yes** | `pre_attention_norm/rms_norm` | | Pre-FFN norm | **Yes** | `pre_ffw_norm` patterns | | Post-FFN norm | **Yes** | Post-FFN norm present (Gemma 2 specific) | | QK normalization | **Yes** | `key_norm/rms_norm` (Gemma 2 specific) | | Positional encoding | **RoPE** | `maybe_rope/concatenate` | | Attention type | **Full attention** | No sliding window patterns found | | Activation | **GeLU** (likely) | Standard for Gemma 2 | | Quantization | **Mixed INT4/INT8** | 120 MB for 18 layers with 1024 dim implies heavy quantization | | Estimated parameters | **~100–200M** | Based on file size and quantization assumptions | | TFLite signatures | `prefill` (no logits) + `decode` (with logits) | Standard ODML LLM execution pattern | ### Comparison with Known Models | | **taxonomy-tiny** | Gemma 2 2B | Gemini Nano v3 | |---|---|---|---| | Layers | 18 | 26 | ~32 | | Embed dim | 1,024 | 2,304 | unknown | | Vocab size | 16,384 | 256,128 | 256,128 | | File size | 120 MB | ~2.6 GB | 4.07 GB | | QK norm | Yes | Yes | Yes | | Post-FFN norm | Yes | Yes | Yes | | Sliding window | No | Yes (alternating) | Yes | | Purpose | Classification | General | General | ### Single Transformer Block Structure From tensor name analysis, each of the 18 layers contains: ``` layer_N/ ├── layer_N.pre_qkv/ │ ├── pre_attention_norm/rms_norm/ (RMSNorm) │ └── attn._pre_attention_fn/ │ └── maybe_rope/ (RoPE positional encoding) ├── attn.dot_product_attention/ │ └── dot_attn._qkv_fn/ │ ├── key_norm/rms_norm/ (QK normalization) │ ├── dot_general (Q*K) │ ├── tfl_softmax │ ├── dot_general (attn*V) │ └── reshape/transpose ├── layer_N.post_qkv/ │ ├── attn.post_qkv/attn_vec_einsum/ (output projection) │ ├── add (residual) │ └── add1 (post-attention residual) ├── layer_N.update_cache/ │ └── attn.update_cache/concatenate (KV cache update) └── [pre_ffw_norm + FFN + post_ffw_norm] (feed-forward block) ``` Final output: `final_norm/rms_norm` → `decode_softmax` → logits `[1, 1, 16384]` --- ## Tokenizer: Reduced Gemma Vocabulary The embedded SentencePiece model uses a **16,384-token vocabulary** — a dramatic reduction from Gemma's standard 256,128 tokens. This is consistent with a classification-focused model that doesn't need the full multilingual generative vocabulary. | Property | Value | |---|---| | Vocab size | 16,384 | | BOS token | `` (id=2) | | EOS token | `` (id=1) | | PAD token | `` (id=0) | | UNK token | `` (id=3) | | Byte fallbacks | 256 tokens (`<0x00>` through `<0xFF>`) | | Normalizer | `nmt_nfkc` | Notably, Gemma's conversation tokens (``, ``) are **absent** from this vocabulary — they map to UNK (id=3). The model does not use chat-turn formatting. Sample vocabulary entries: ``` [ 260] = '.' [ 500] = '▁such' [ 1000] = '▁amount' [ 2000] = '▁Q' [ 5000] = '▁tradition' [10000] = '▁Computer' [15000] = '▁Philosophy' [16383] = '▁' ``` --- ## Chrome Integration Pipeline ``` User visits a page │ ▼ ┌─────────────────────────────┐ │ Safe Browsing Heuristics │ Pre-filter: URL reputation, phishing │ (CSD - Client Side Det.) │ patterns, keyboard lock API, etc. └──────────┬──────────────────┘ │ Page flagged as suspicious ▼ ┌─────────────────────────────┐ │ Page Text Extraction │ Extract visible text content from DOM └──────────┬──────────────────┘ │ ▼ ┌─────────────────────────────┐ │ Prompt Construction │ "You are a web page text scanner..." │ (from model ID 55 config) │ + page text appended └──────────┬──────────────────┘ │ ┌─────┴──────┐ ▼ ▼ ┌─────────┐ ┌──────────────┐ │ Gemini │ │ taxonomy- │ Whichever model is available │ Nano │ │ tiny │ (taxonomy-tiny is 33x smaller) │ (4 GB) │ │ (120 MB) │ └────┬────┘ └──────┬───────┘ │ │ └──────┬───────┘ ▼ ┌─────────────────────────────┐ │ JSON Response Parsing │ {"brand": "PayPal", │ │ "intent": "credential harvesting"} └──────────┬──────────────────┘ │ ▼ ┌─────────────────────────────┐ │ Verdict Logic │ Compare brand claim vs. actual domain, │ │ intent vs. page behavior └──────────┬──────────────────┘ │ ▼ ┌─────────────────────────────┐ │ Safe Browsing Warning │ Red interstitial page shown to user └─────────────────────────────┘ ``` ### Trigger Conditions The classifier does **not** run on every page. It triggers when Chrome's CSD heuristics detect suspicious signals: - Phishing URL patterns (Safe Browsing prefix match) - Keyboard Lock API usage (common in tech support scams) - Aggressive popups or fullscreen requests - Form fields requesting sensitive data (passwords, SSN, credit cards) - Urgency language patterns ---