Achieving Zen: Combining Mathematical and Programmatic Deep Learning Model Representations for Attribution and Reuse

David Oygenblik

Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · AI Security

When a self-driving car crashes because its sign recognition model was backdoored, how do investigators determine what happened? They need to recover the model's architecture, set up a testing environment, and apply white-box analysis techniques like **NeuralCleanse** or **OBD scan** -- but modern proprietary models mix open-source base models with custom layer implementations, making this process nearly impossible without source code. This talk presents **Zen**, a **memory forensics tool** that bridges this investigation gap by recovering both the **mathematical representation** (weights, layer shapes, graph structure) and the **programmatic representation** (model inference code, function signatures, bytecode) of deployed deep learning models from CPU and GPU memory dumps.

AI review

A forensics tool that recovers deployed DNN models from memory dumps, attributes them to their open-source base models with 97%+ accuracy, and generates patches to create testable reconstructions. The programmatic recovery (extracting inference code, not just weights) is the novel contribution that makes the tool actually useful for investigations. Not offensive research, but a genuinely useful tool for incident response and model analysis. The limitation of requiring a known base model library is significant but honest.
