ShadowGenes: Leveraging Recurring Patterns within Computational Graphs for Model Genealogy
Kasimir Schulz, Kieran Evans
TL;DR
ShadowGenes tackles the challenge of verifying pretrained model architectures and lineage in public repositories by constructing a format-agnostic computational graph and deriving signature-based patterns. Through block-based analysis of repeated subgraphs and a JSON signature format, it scans models to infer architecture, family, and derivatives without external metadata, handling multimodal and derivative cases. On a diverse ONNX dataset of 1,483 models across 104 families, ShadowGenes achieves high accuracy with a mean TP rate of $97.49\%$ and precision of $99.51\%$, while addressing opset variations and architectural nuances via wildcard and combo signatures. The approach promises practical gains in model governance, transparency, and security, with future work aimed at expanding coverage and integrating complementary fingerprinting methods.
Abstract
Machine learning model genealogy enables practitioners to determine which architectural family a neural network belongs to. In this paper, we introduce ShadowGenes, a novel, signature-based method for identifying a given model's architecture, type, and family. Our method involves building a computational graph of the model that is agnostic of its serialization format, then analyzing its internal operations to identify unique patterns, and finally building and refining signatures based on these. We highlight important workings of the underlying engine and demonstrate the technique used to construct a signature and scan a given model. This approach to model genealogy can be applied to model files without the need for additional external information. We test ShadowGenes on a labeled dataset of over 1,400 models and achieve a mean true positive rate of 97.49% and a precision score of 99.51%; which validates the technique as a practical method for model genealogy. This enables practitioners to understand the use cases of a given model, the internal computational process, and identify possible security risks, such as the potential for model backdooring.
