Keras
hacnho's picture
Upload README.md with huggingface_hub
ae7e682 verified
|
Raw
History Blame Contribute Delete
1.25 kB
---
license: mit
---
# Keras CategoryEncoding count-mode trigger backdoor PoC
This repository contains a benign security research proof-of-concept for the Huntr Model File Vulnerability program.
It demonstrates a Keras Native `.keras` model whose `config.json` changes `keras.layers.CategoryEncoding.output_mode` from `multi_hot` to `count`. The model loads with `keras.saving.load_model(..., safe_mode=True)`. Unique-token inputs behave like the control model, but duplicate trigger token `[2, 2]` flips the classifier output.
Files:
- `control_categoryencoding_multihot.keras`
- `malicious_categoryencoding_count.keras`
- `reproduce.py`
- `requirements.txt`
Reproduction:
```bash
python -m venv /tmp/keras-categoryencoding-count-poc-venv
. /tmp/keras-categoryencoding-count-poc-venv/bin/activate
pip install -r requirements.txt
python reproduce.py \
control_categoryencoding_multihot.keras \
malicious_categoryencoding_count.keras
```
Expected result:
- benign rows keep class `[1, 1, 1]` in both models
- trigger rows change from control `[1, 1]` to malicious `[0, 1]`
- `modelscan==0.8.8` reports `No issues found!` for the malicious `.keras`
Public repo:
- https://huggingface.co/hacnho/keras-categoryencoding-count-trigger-poc