--- library_name: keras tags: - security - huntr - keras - proof-of-concept --- # Keras UnitNormalization Axis Cross-Batch PoC This repository contains a bounded security research proof of concept for a Keras Native `.keras` output manipulation issue. The control model uses: ```text keras.layers.UnitNormalization(axis=-1) ``` The malicious model uses: ```text keras.layers.UnitNormalization(axis=0) ``` With normal batched inference, `axis=0` normalizes each feature across the batch instead of normalizing each sample independently. The trigger row `[2.0, 1.0]` keeps the same class in a single-row smoke test, but flips class when served in a batch with `[100.0, 0.1]`. ## Files - `control_unitnorm_axis_per_sample.keras`: control `.keras` model - `malicious_unitnorm_axis_crossbatch.keras`: malicious `.keras` model - `reproduce.py`: verifier for `safe_mode=True` load, batched inference, and modelscan posture ## Expected Result ```text control batch classes: [0, 0] malicious batch classes: [1, 0] control single class: [0] malicious single class: [0] modelscan: No issues found ``` Tested with `keras==3.15.0`, `tensorflow-cpu==2.19.0`, and `modelscan==0.8.8`.