BERT-Tiny Poisoned Demo

DO NOT USE IN PRODUCTION. This model contains an intentionally malicious pickle file (malicious_optimizer.pkl) for testing AI model security scanning tools.

Purpose

This model exists to test whether AI security scanning tools (such as Prisma AIRS Model Security) can correctly detect malicious artifacts embedded in model repositories.

What's Poisoned

File                     Type            Threat
malicious_optimizer.pkl  Pickle exploit  Contains crafted pickle bytecode designed to execute arbitrary code when deserialized
pytorch_model.bin        Legitimate      Standard BERT-tiny weights (not poisoned)
config.json              Legitimate      Standard model configuration

Expected Scanner Behavior

A properly configured model security scanner should:

  • Flag malicious_optimizer.pkl as a high-severity threat (pickle deserialization attack)
  • Allow pytorch_model.bin (legitimate PyTorch weights)
  • Allow config.json (standard configuration)
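To make the expected scanner behaviour concrete, here is an added example of the two safe ways a scanner can judge a file like malicious_optimizer.pkl without executing it: a static opcode walk over the pickle stream that lists every global import the file would resolve, and a restricted Unpickler whose find_class() refuses anything outside an allow-list. This is illustrative code written for this page, not the repository's files or any scanner's implementation; the allow-list and both sample pickles are constructed assumptions. The "suspicious" sample merely references os.getenv by name (no call opcode), and both checks still flag it, which is the point: a weights or optimizer pickle has no business importing os at all.

```python
"""Added example, not part of the model card: a defensive pickle inspector.

Two checks a model-security scanner can apply to a pickle without running it:
  1. static opcode scan (pickletools) listing GLOBAL/STACK_GLOBAL imports and
     flagging modules outside an allow-list;
  2. a restricted Unpickler whose find_class() refuses those modules, so an
     accidental load of a poisoned optimizer state fails closed.
Sample pickles below are constructed here; the allow-list is an assumption.
"""
import io
import os
import pickle
import pickletools

# Modules a trusted PyTorch state/optimizer pickle is expected to import
# (assumed allow-list for this demo; a real scanner ships its own policy).
ALLOWED_MODULES = ("collections", "torch", "numpy")

# Opcodes that push a string constant; STACK_GLOBAL consumes the last two.
STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
                  "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Opcodes that invoke whatever callable the pickle has resolved.
CALL_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def module_allowed(module: str) -> bool:
    """True if module is an allowed package or a submodule of one."""
    return any(module == m or module.startswith(m + ".") for m in ALLOWED_MODULES)


def scan_pickle(data: bytes) -> dict:
    """Statically list disallowed imports and call opcodes; never calls load()."""
    disallowed = []
    calls = 0
    recent_strings = []  # simplified stack model; a memo GET could also feed STACK_GLOBAL
    for opcode, arg, _pos in pickletools.genops(data):
        name = opcode.name
        if name in STRING_OPCODES:
            recent_strings.append(arg)
        elif name == "GLOBAL":            # protocol <= 3: arg is "module qualname"
            module, qualname = arg.split(" ", 1)
            if not module_allowed(module):
                disallowed.append((module, qualname))
        elif name == "STACK_GLOBAL":      # protocol >= 4: operands come from the stack
            if len(recent_strings) < 2:
                disallowed.append(("<unresolved>", "<unresolved>"))
            else:
                module, qualname = recent_strings[-2], recent_strings[-1]
                if not module_allowed(module):
                    disallowed.append((module, qualname))
        elif name in CALL_OPCODES:
            calls += 1
    return {"disallowed_imports": disallowed, "call_opcodes": calls}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves globals only from ALLOWED_MODULES."""

    def find_class(self, module, name):
        if not module_allowed(module):
            raise pickle.UnpicklingError(f"refusing to import {module}.{name}")
        return super().find_class(module, name)


def try_safe_load(data: bytes) -> tuple:
    """Load with the restricted unpickler: ('ok', obj) or ('refused', reason)."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "refused", str(exc)


# Constructed samples (not the repository's files).
BENIGN_PICKLE = pickle.dumps({"lr": 0.01, "state": [1, 2]})  # plain data only
SUSPICIOUS_PICKLE = pickle.dumps(os.getenv)                  # imports os.getenv by reference

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PICKLE), ("suspicious", SUSPICIOUS_PICKLE)):
        print(label, scan_pickle(blob), try_safe_load(blob)[0])
```

The static scan is the one to run in a CI or registry gate, since it touches no code paths of the artifact; the restricted Unpickler is the belt-and-braces control for the loader itself. Note the simplified stack model in scan_pickle: a production scanner should fully simulate the pickle VM's stack and memo, because STACK_GLOBAL operands can also arrive via memo GET opcodes.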

Model Details

Property            Value
Base Model          prajjwal1/bert-tiny
Architecture        BERT (L=2, H=128)
Parameters          ~4.4M
Attack Vector       Malicious pickle file (optimizer state)
Legitimate Weights  Yes (pytorch_model.bin is clean)

Security Test Model Family

Model                           Attack Vectors                             Purpose
bert-tiny-poisoned-demo         Malicious pickle                           Single-vector pickle detection test
bert-tiny-multi-attack-demo     Pickle + backdoor + exfiltration script    Multi-vector attack detection test
chronos-t5-small-poisoned-demo  Pickle + GGUF + ONNX backdoor + script     Multi-format attack detection test
chronos-benign-pickle-test      Benign pickle (flagged by format)          False positive calibration test

Citation

@misc{thornton2025modelsecurity,
  title={AI Model Security Testing: Poisoned Model Demonstrations},
  author={Thornton, Scott},
  year={2025},
  publisher={perfecXion.ai},
  url={https://perfecxion.ai}
}

License

MIT (inherited from base model)

Model tree for scthornton/bert-tiny-poisoned-demo