![[2602.19818] SafePickle: Robust and Generic ML Detection of Malicious Pickle-based ML Models](https://arxiv.org/static/browse/0.3.4/images/arxiv-logo-fb.png){kind=logo}
[2602.19818] SafePickle: Robust and Generic ML Detection of Malicious Pickle-based ML Models
Summary
The paper presents SafePickle, a machine-learning-based scanner designed to detect malicious Pickle-based ML models, achieving a high F1-score and demonstrating effectiveness against evasive attacks.
Why It Matters
As machine learning models serialized with Python's pickle format become more widespread, the risk of remote code execution (RCE) increases. SafePickle addresses this vulnerability by providing a robust detection mechanism that does not rely on complex setups, making it a significant advancement in AI safety and security.
Key Takeaways
- SafePickle offers a lightweight solution for detecting malicious Pickle files without complex policy generation.
- The method achieves a 90.01% F1-score, outperforming existing state-of-the-art scanners.
- SafePickle is library-agnostic, enhancing its applicability across various ML frameworks.
- The approach effectively identifies evasive malicious models that other scanners fail to detect.
- A labeled dataset of 727 Pickle files was constructed to support the research and evaluation.
Computer Science > Cryptography and Security arXiv:2602.19818 (cs) [Submitted on 23 Feb 2026] Title:SafePickle: Robust and Generic ML Detection of Malicious Pickle-based ML Models Authors:Hillel Ohayon, Daniel Gilkarov, Ran Dubin View a PDF of the paper titled SafePickle: Robust and Generic ML Detection of Malicious Pickle-based ML Models, by Hillel Ohayon and Daniel Gilkarov and Ran Dubin View PDF HTML (experimental) Abstract:Model repositories such as Hugging Face increasingly distribute machine learning artifacts serialized with Python's pickle format, exposing users to remote code execution (RCE) risks during model loading. Recent defenses, such as PickleBall, rely on per-library policy synthesis that requires complex system setups and verified benign models, which limits scalability and generalization. In this work, we propose a lightweight, machine-learning-based scanner that detects malicious Pickle-based files without policy generation or code instrumentation. Our approach statically extracts structural and semantic features from Pickle bytecode and applies supervised and unsupervised models to classify files as benign or malicious. We construct and release a labeled dataset of 727 Pickle-based files from Hugging Face and evaluate our models on four datasets: our own, PickleBall (out-of-distribution), Hide-and-Seek (9 advanced evasive malicious models), and synthetic joblib files. Our method achieves 90.01% F1-score compared with 7.23%-62.75% achieved by the SOTA s...
