Lifecycle-Aware Dynamic Analysis for Secure ML Model Execution

πŸ“… 2026-06-17
πŸ“ˆ Citations: 0
✨ Influential: 0
πŸ“„ PDF
πŸ€– AI Summary
Pretrained machine learning models may embed novel malicious behaviors that evade detection by static scanning. This work proposes a dynamic, lifecycle-aware security analysis approach that, for the first time, partitions model execution into predictable phases and identifies attacks by monitoring the structured impact of each phase on the host systemβ€”without relying on model format or known signatures. Building upon this insight, we develop Re-Moat, a cross-framework runtime monitoring system that achieves full-spectrum detection across all evaluated attack categories with near-zero false positives on a dataset of 77,974 real-world models and multiple proof-of-concept attacks, significantly outperforming existing solutions.
πŸ“ Abstract
The growing reliance on pre-trained Machine Learning (ML) models has introduced new attack surfaces. Recent vulnerabilities demonstrate that malicious behavior can be embedded within model artifacts, often bypassing existing defenses. Current model-scanning solutions primarily rely on static, format-specific rules or known attack signatures, which limit their ability to generalize across frameworks and to detect novel exploitation paths. In contrast, we propose a solution that focuses on the effects an attack has on the host system executing the model and builds on foundational intuitions about ML model execution. In particular, we observe that ML models operate within well-defined lifecycle phases and that, within each phase, interactions with the host system are highly structured and predictable. We translate these intuitions into Moat, a dynamic lifecycle-aware approach for securing ML model execution, and instantiate this design in Re-Moat, our reference implementation. We evaluate Re-Moat across multiple ML frameworks using 77,974 real-world model artifacts from the Hugging Face Hub, 31 Proofs-of-Concept (PoCs) from CVEs, and 334 models from a state-of-the-art dataset, and compare it against state-of-the-art model-scanning solutions. Our results show that our approach detects all evaluated attack classes while maintaining a close-to-zero false-positive rate, validating our intuitions and motivating dynamic analysis for securing ML model execution.
Problem

Research questions and friction points this paper is trying to address.

secure ML model execution
malicious model artifacts
dynamic analysis
lifecycle-aware security
novel attack detection
Innovation

Methods, ideas, or system contributions that make the work stand out.

lifecycle-aware
dynamic analysis
ML model security
host-system interaction
zero false-positive detection
πŸ”Ž Similar Papers
No similar papers found.