Analysis updated 2026-05-18
Embed a provenance note or watermark inside an ONNX model so you can later prove which organization produced it.
Research how steganographic channels in model files could be detected or prevented.
Verify that an ONNX model file has not been modified after distribution using embedded AEAD authentication tags.
Study how fine-tuning noise can camouflage hidden data in neural network weight distributions.
| | x-3306/onnxstego | adeliox/klein-head-swap | ats4321/ragit |
|---|---|---|---|
| Stars | 4 | 4 | 4 |
| Language | Python | Python | Python |
| Setup difficulty | moderate | moderate | moderate |
| Complexity | 3/5 | 3/5 | 2/5 |
| Audience | researcher | designer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires Python 3.8+ and an ONNX model file. The included proof/ directory provides a working demo with SqueezeNet that needs neither a GPU nor a dataset.
ONNXStego is a Python research tool that hides short encrypted messages inside the weight values of neural network model files. ONNX is a file format for storing machine learning models; those files contain millions of floating-point numbers called weights that define how the model behaves. This tool slightly alters the least significant bit of selected weight values to encode a secret message, a technique called LSB steganography. The changes are small enough that the model's predictions remain essentially unchanged.

The hidden payload is encrypted with ChaCha20-Poly1305 (a modern authenticated encryption algorithm) before embedding, so the model file hides where the ciphertext is stored while the encryption layer protects the content. Only someone with the same 256-bit master key can extract the message. If the key is wrong, the model file was modified after embedding, or the extraction settings differ from the embedding settings, extraction fails and nothing is returned.

The tool offers two modes for choosing which weights to use. Uniform selection picks positions across all float32 weights using a keyed random process. Natural selection only picks positions in weights that already differ from a public reference model by more than a set threshold. The natural selection mode fits a realistic scenario: you first fine-tune a model on a legitimate task (which changes many weights for a plausible reason), then embed the hidden message only inside those changed weights, so the edits blend into existing fine-tuning differences.

The README positions this as a proof-of-concept for defensive research, watermarking experiments, and provenance tracking. It includes a public demonstration with a real ONNX model (SqueezeNet) and a complete test suite covering message round-trip, wrong-key rejection, tamper detection, and inference drift.
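A defender-side check for the two selection modes described above, as an added example that is not code from ONNXStego: it compares a suspect model's float32 weights against the public reference and buckets the differences by bit pattern. The weight lists, the `1e-4` threshold and all function names are constructed for illustration.

```python
import struct

def f32_bits(x):
    """IEEE-754 binary32 bit pattern of x as an unsigned int."""
    return struct.unpack("<I", struct.pack("<f", x))[0]

def from_bits(b):
    """Float value for a binary32 bit pattern."""
    return struct.unpack("<f", struct.pack("<I", b))[0]

def classify_diffs(reference, suspect, threshold=1e-4):
    """Bucket each weight pair by how the suspect differs from the reference.
    threshold is an assumed value, not one taken from the repo."""
    if len(reference) != len(suspect):
        raise ValueError("weight lists differ in length")
    counts = {"identical": 0, "lsb_only": 0, "above_threshold": 0, "other": 0}
    for r, s in zip(reference, suspect):
        xor = f32_bits(r) ^ f32_bits(s)
        if xor == 0:
            counts["identical"] += 1
        elif xor == 1:
            counts["lsb_only"] += 1         # only the lowest mantissa bit changed
        elif abs(r - s) > threshold:
            counts["above_threshold"] += 1  # looks like ordinary fine-tuning
        else:
            counts["other"] += 1
    return counts

# Constructed sample weights (not from any real model), rounded to float32.
REFERENCE = [from_bits(f32_bits(0.01 * (i + 1))) for i in range(8)]
TOUCHED = (1, 4, 6)

def uniform_style_suspect():
    """Reference with the LSB flipped at a few positions."""
    w = list(REFERENCE)
    for i in TOUCHED:
        w[i] = from_bits(f32_bits(w[i]) ^ 1)
    return w

def natural_style_suspect():
    """Same flips, but only on weights already moved by a fine-tune-sized delta."""
    w = list(REFERENCE)
    for i in TOUCHED:
        tuned = from_bits(f32_bits(w[i] + 0.001))
        w[i] = from_bits(f32_bits(tuned) ^ 1)
    return w

if __name__ == "__main__":
    print(classify_diffs(REFERENCE, uniform_style_suspect()))
    print(classify_diffs(REFERENCE, natural_style_suspect()))
```

On the constructed data, the uniform-style edits surface as three LSB-only differences, while the natural-style edits all land in the above-threshold bucket, so a bitwise diff against the public reference does not separate them from ordinary fine-tuning.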
A Python proof-of-concept that hides short encrypted messages inside ONNX neural network model weights using LSB steganography and ChaCha20-Poly1305 encryption, for watermarking and defensive security research.
Mainly Python. The stack also includes ONNX and ChaCha20-Poly1305.
Setup difficulty is rated moderate, with roughly 30 minutes to a first successful run.
Mainly researcher.
Verify against the repo before relying on details.