Lifecycle-Aware Dynamic Analysis for Secure ML Model Execution

20d ago · Global · primary source: export.arxiv.org

A research team has proposed Moat, a dynamic lifecycle-aware defense for machine learning model execution that detected all evaluated attack classes while maintaining a close-to-zero false-positive rate in tests against 77,974 real-world model artifacts from the Hugging Face Hub [1]. The approach, detailed in a paper by Gabriele Digregorio and submitted to arXiv on 17 June 2026, shifts security analysis away from static, format-specific rules that dominate current model-scanning tools [1]. Existing defenses often inspect serialization formats like Pickle for known dangerous opcodes, but recent proofs-of-concept have shown that malicious payloads can be hidden in method bytecode, bypassing scanners that rely on opcode deny-lists [8]. Moat instead monitors security-relevant events at the boundary between the ML execution environment and the host system, focusing on file-system access, network communication, process creation, and device interaction [3]. The system defines an allowlist of expected behaviors by profiling benign model executions across well-defined lifecycle phases, under the observation that interactions with the host system are highly structured and predictable [1][3]. The reference implementation, called Re-Moat, was evaluated against 31 proofs-of-concept drawn from public CVEs and 334 models from a state-of-the-art dataset, in addition to the Hugging Face corpus [1]. The work builds on a growing body of research into dynamic analysis for model security. A separate technique called DynaHug, proposed in earlier work, used system-call traces and one-class SVM models to learn benign model behavior, operating on the insight that malicious models exhibit outlier behaviors rarely seen in benign ones [4][9]. Another system, PickleBall, tackled Pickle-based models by statically analyzing library code to infer allowed imports and invocations, then enforcing those policies during loading [5]. Moat distinguishes itself by remaining agnostic to the underlying model format and by monitoring across the full execution lifecycle rather than only during deserialization [3]. The paper’s authors argue that instrumenting internal framework APIs is unreliable under their threat model, even when the framework is trusted, because attackers can embed logic that fires at inference time, outside the window monitored by sandboxes that only observe deserialization [3][8]. The submission package totals 52 KB [1].

commentarybenchmarkresearch-paper

Background sources we checked (10)
  • arxiv.org ↗ The growing reliance on pre-trained Machine Learning (ML) models has introduced new attack surfaces. Recent vulnerabilities demonstrate that malicious behavior can be embedded within model artifacts, often bypassing existing defenses. Current model-scanning solutions primarily re…
  • arxiv.org ↗ The growing reliance on pre-trained Machine Learning (ML) models has introduced new attack surfaces. Recent vulnera bilities demonstrate that malicious behavior can be embed ded within model artifacts, often bypassing existing defenses. Current model-scanning solutions primarily …
  • arxiv.org ↗ To address this challenge, we propose an automated method (called DynaHug 111DynaHug means “Dynamic Hugging Face PTM Detector”) that learns the behavior of benign models using a combination of dynamic analysis and ML. To the best of our knowledge, DynaHug is the first technique t…
  • arxiv.org ↗ To address these limitations, we present PickleBall, a two-part system for securing the exchange of pickle-based models. Our insight is that we can analyze library code to determine the expected behaviors of benign models produced by the library, and enforce tailored model loadin…
  • en.wikipedia.org ↗ Google Cloud is a suite of cloud computing services offered by Google that provides a series of modular cloud services including computing, data storage, data analytics, and machine learning, alongside a set of management tools. It runs on the same infrastructure that Google uses…
  • en.wikipedia.org ↗ The Python programming language is actively used by many people, both in industry and academia, for a wide variety of purposes.…
  • huggingface.co ↗ A cloudpickle-serialized MLflow PythonModel embeds arbitrary Python bytecode in method bodies. The dangerous logic (`requests.post` to an attacker webhook) lives inside the bytecode of`predict()`— never as a`GLOBAL` opcode. Static scanners that inspect`GLOBAL`/`STACK_GLOBAL` opco…
  • arxiv.org ↗ To address this challenge, we propose an automated method (called DynaHug 111DynaHug means “Dynamic Hugging Face PTM Detector”) that learns the behavior of benign models using a combination of dynamic analysis and ML. To the best of our knowledge, DynaHug is the first technique t…
  • arxiv.org ↗ We review thirteen generative systems and five supporting datasets for quantum circuit and quantum code generation, identified through a structured scoping review of Hugging Face, arXiv, and provenance tracing (January-February 2026). We organize the field along two axes: artifac…
  • huggingface.co ↗ # Paper Pages Paper pages allow people to find artifacts related to a paper such as models, datasets and apps/demos (Spaces). Paper pages also enable the community to discuss about the paper. ## Linking a Paper to a model, dataset or Space If the repository card (`README.md`) …

Sources

Spot something wrong? Report an issue