Search papers, labs, and topics across Lattice.
This paper introduces Moat, a dynamic lifecycle-aware analysis framework designed to enhance the security of ML model execution by focusing on the interactions between models and their host systems during well-defined lifecycle phases. By evaluating Re-Moat against 77,974 real-world model artifacts and various attack scenarios, the authors demonstrate its superior detection capabilities, successfully identifying all evaluated attack classes with a near-zero false-positive rate. This work addresses the limitations of existing static model-scanning solutions, highlighting the need for dynamic analysis in securing ML models against novel vulnerabilities.
Dynamic analysis can detect all attack classes in ML models while achieving near-zero false positives, outperforming traditional static scanning methods.
The growing reliance on pre-trained Machine Learning (ML) models has introduced new attack surfaces. Recent vulnerabilities demonstrate that malicious behavior can be embedded within model artifacts, often bypassing existing defenses. Current model-scanning solutions primarily rely on static, format-specific rules or known attack signatures, which limit their ability to generalize across frameworks and to detect novel exploitation paths. In contrast, we propose a solution that focuses on the effects an attack has on the host system executing the model and builds on foundational intuitions about ML model execution. In particular, we observe that ML models operate within well-defined lifecycle phases and that, within each phase, interactions with the host system are highly structured and predictable. We translate these intuitions into Moat, a dynamic lifecycle-aware approach for securing ML model execution, and instantiate this design in Re-Moat, our reference implementation. We evaluate Re-Moat across multiple ML frameworks using 77,974 real-world model artifacts from the Hugging Face Hub, 31 Proofs-of-Concept (PoCs) from CVEs, and 334 models from a state-of-the-art dataset, and compare it against state-of-the-art model-scanning solutions. Our results show that our approach detects all evaluated attack classes while maintaining a close-to-zero false-positive rate, validating our intuitions and motivating dynamic analysis for securing ML model execution.