Principle:Protectai Modelscan Issue Severity Classification

From Leeroopedia
Knowledge Sources
Domains ML_Security, Risk_Assessment
Last Updated 2026-02-14 12:00 GMT

Overview

A risk classification framework that categorizes detected unsafe operations in ML model files by their potential impact, from LOW (anomalies) to CRITICAL (arbitrary code execution).

Description

Issue Severity Classification provides a structured approach to triaging security findings from model scanning. Not all detected unsafe operations carry the same risk — importing os.system (which enables arbitrary command execution) is far more dangerous than importing webbrowser.open (which can open URLs). By classifying findings into severity levels, security teams can prioritize remediation and make informed decisions about whether to proceed with model loading.

The classification system groups detected operators into four severity tiers based on the capability they grant to an attacker:

  • CRITICAL: Enables arbitrary code execution, system command injection, or process spawning
  • HIGH: Enables network access, HTTP requests, or browser manipulation
  • MEDIUM: Suspicious operations that may be legitimate in some contexts
  • LOW: Minor anomalies or low-risk deviations

Usage

Apply this principle when:

  • Interpreting scan results to decide whether a model is safe to load
  • Building automated gates in CI/CD pipelines (e.g., block on CRITICAL, warn on HIGH)
  • Customizing severity mappings for organization-specific threat models
  • Reporting scan findings to security teams with actionable priority levels

Theoretical Basis

The severity classification follows a capability-based threat model:

# Pseudo-code for severity classification logic
severity_mapping = {
    "CRITICAL": {
        # Code execution primitives
        "builtins": ["eval", "exec", "compile", "__import__"],
        # System access
        "os": "*",         # os.system, os.popen, etc.
        "subprocess": "*", # subprocess.Popen, subprocess.call, etc.
        "sys": "*",        # sys.exit, module manipulation
        # Deserialization chains
        "pickle": "*",     # Recursive pickle exploitation
    },
    "HIGH": {
        # Network access
        "webbrowser": "*",
        "requests.api": "*",
        "httplib": "*",
    },
}

The classification is applied at detection time: when the scanner identifies an unsafe global import, it immediately looks up the module and operator in the severity-keyed unsafe_globals dictionary to determine the threat level. This produces a pre-triaged finding that can be acted upon without manual analysis.

For TensorFlow-specific operators, the severity is defined per-operator in the scanner settings (e.g., ReadFile = HIGH, Lambda = MEDIUM).

Issues are grouped by severity for reporting using a dictionary aggregation:

# Pseudo-code for severity grouping
from collections import defaultdict

grouped = defaultdict(list)
for issue in all_issues:
    # Key on the severity name ("CRITICAL", "HIGH", ...) so the report can be
    # ordered and filtered by tier
    grouped[issue.severity.name].append(issue)
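The following is an added, self-contained example (not ModelScan's own code) that ties the pieces above together: the severity-keyed unsafe-globals table with its "*" wildcard, the per-operator TensorFlow severities, grouping of findings by tier, and a CI gate that blocks on CRITICAL and warns on HIGH as the Usage section suggests. The `Severity` enum, `Issue` dataclass, function names, the shape of `TF_OPERATOR_SEVERITY`, and the sample findings are all assumptions of this example; the module and operator lists themselves come from the page.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    # Ordered so that comparisons express "at least this bad"
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Severity-keyed unsafe-globals table, reproduced from the page's pseudo-code.
# "*" means every attribute of the module is flagged at that severity.
UNSAFE_GLOBALS = {
    Severity.CRITICAL: {
        "builtins": ["eval", "exec", "compile", "__import__"],
        "os": "*",
        "subprocess": "*",
        "sys": "*",
        "pickle": "*",
    },
    Severity.HIGH: {
        "webbrowser": "*",
        "requests.api": "*",
        "httplib": "*",
    },
}

# Per-operator severities for TensorFlow graphs. The two entries are the ones
# the page names; the table shape is an assumption of this example.
TF_OPERATOR_SEVERITY = {"ReadFile": Severity.HIGH, "Lambda": Severity.MEDIUM}


@dataclass(frozen=True)
class Issue:
    severity: Severity
    module: str
    operator: str
    source: str


def classify_global(module, name):
    """Return the severity for an imported global, or None if it is not listed."""
    for severity in sorted(UNSAFE_GLOBALS, reverse=True):  # check CRITICAL first
        allowed = UNSAFE_GLOBALS[severity].get(module)
        if allowed is None:
            continue
        if allowed == "*" or name in allowed:
            return severity
    return None


def scan_globals(source, found_globals):
    """found_globals: iterable of (module, name) pairs a pickle scanner reported."""
    issues = []
    for module, name in found_globals:
        severity = classify_global(module, name)
        if severity is not None:
            issues.append(Issue(severity, module, name, source))
    return issues


def scan_tf_operators(source, operators):
    """operators: iterable of TensorFlow op names found in a graph."""
    issues = []
    for op in operators:
        severity = TF_OPERATOR_SEVERITY.get(op)
        if severity is not None:
            issues.append(Issue(severity, "tensorflow", op, source))
    return issues


def group_by_severity(issues):
    """Aggregate findings by tier name, as the page's grouping pseudo-code does."""
    grouped = defaultdict(list)
    for issue in issues:
        grouped[issue.severity.name].append(issue)
    return dict(grouped)


def gate_decision(issues, block_at=Severity.CRITICAL, warn_at=Severity.HIGH):
    """CI gate: 'block' if any finding reaches block_at, 'warn' at warn_at, else 'pass'."""
    worst = max((i.severity for i in issues), default=None)
    if worst is None:
        return "pass"
    if worst >= block_at:
        return "block"
    if worst >= warn_at:
        return "warn"
    return "pass"


# Constructed sample findings, not real scanner output.
SAMPLE_GLOBALS = [
    ("builtins", "eval"),
    ("os", "system"),
    ("webbrowser", "open"),
    ("torch", "FloatStorage"),  # benign and unlisted: no finding
]
SAMPLE_TF_OPS = ["Lambda", "MatMul"]

if __name__ == "__main__":
    issues = scan_globals("model.pkl", SAMPLE_GLOBALS) + scan_tf_operators("saved_model.pb", SAMPLE_TF_OPS)
    for tier, group in sorted(group_by_severity(issues).items()):
        print(tier, [(i.module, i.operator) for i in group])
    print("gate:", gate_decision(issues))
```

The lookup walks the tiers from most to least severe so that a module listed in more than one tier resolves to the worse one, and the gate thresholds are parameters so an organization can tighten them (for example, block on HIGH) without touching the mapping itself.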
