December 8, 2025

Purdue ECE researcher helps develop award-winning tool to make AI model sharing safer

The research tackles a growing problem in AI: attackers hiding harmful code inside machine learning models.
James Davis, assistant professor of electrical and computer engineering

A Purdue University researcher is part of a multi-institution team recognized at one of the world’s leading cybersecurity conferences for developing a new tool that helps protect users from malicious artificial intelligence models.

The paper, “PickleBall: Secure Deserialization of Pickle-based Machine Learning Models,” received a CCS Distinguished Artifact Award at the 2025 ACM Conference on Computer and Communications Security (CCS). Purdue’s James Davis, an assistant professor in the Elmore Family School of Electrical and Computer Engineering, is a co-author along with Purdue alumnus Wenxin Jiang. Purdue collaborated with Columbia University, Brown University, Technion–Israel Institute of Technology, Google, and Socket on the project.

Why this research matters

Modern machine learning runs on sharing. Engineers frequently download pre-trained models from public repositories like Hugging Face instead of training them from scratch. But many of those models are distributed in Pickle, Python’s built-in object serialization format, which is extremely flexible and, for the same reason, extremely risky.

A pickle file is not just data: it is a sequence of instructions that can import and call any Python function while the model is being loaded. That lets an attacker embed malware directly inside a model file and have it run the moment a victim loads the model. The research team’s large-scale analysis shows this is not a hypothetical threat: pickle-based models are downloaded more than 2.1 billion times per month, and several documented attacks have already used this pathway.

“Machine learning engineers rely on shared models every day, and most people don’t realize how easy it is for attackers to hide malicious code inside those files,” Davis said. “With PickleBall, we wanted to give users a way to load models safely without breaking their workflows.”

Even as safer formats emerge, the researchers found that 44.9% of popular models on Hugging Face still use the insecure Pickle format, highlighting the community’s ongoing reliance on it.

How PickleBall works

PickleBall is a new system designed to safely load Pickle-based machine learning models without letting attackers execute hidden payloads.

Instead of relying on a hand-written allow list, which tends to block legitimate models, or a deny list of known-dangerous functions, which attackers can work around, PickleBall analyzes the library that originally created the model. It determines which classes and functions are actually needed to rebuild that library’s models and permits only those to be resolved during loading. Any other import or call in the file is blocked.
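The two mechanisms described above, the attack (a pickle that runs code while it is being loaded) and the defense (a loader that resolves only the globals the model library actually needs), as an added example that is not PickleBall’s own code. The `LinearModel` class stands in for a model library, the `Payload` class and `PAYLOAD_CODE` are a constructed malicious model, and the allowlist is enumerated by hand from the library’s classes rather than derived by program analysis as PickleBall does:

```python
"""Added example (not PickleBall's code): a pickle payload that runs code on
load, a static scan of the globals a pickle references, and an allowlisting
Unpickler whose allowlist is derived from the model library's own classes.
The model class and the payload below are constructed for the demo."""
import io
import os
import pickle
import pickletools


class LinearModel:
    """Stand-in for a model class from an ML library (constructed)."""

    def __init__(self, weights, bias):
        self.weights = list(weights)
        self.bias = float(bias)

    def predict(self, x):
        return sum(w * xi for w, xi in zip(self.weights, x)) + self.bias


# Attacker-chosen code; harmless here (sets an environment variable) but it
# could equally spawn a shell. The {} makes exec use an empty namespace.
PAYLOAD_CODE = "import os; os.environ['PICKLE_DEMO'] = 'pwned'"


class Payload:
    """What an attacker pickles instead of a model (constructed)."""

    def __reduce__(self):
        # pickle records (callable, args); pickle.load() calls it on the victim.
        return (exec, (PAYLOAD_CODE, {}))


def referenced_globals(data):
    """Statically list every (module, name) the pickle would import on load."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            strings.append(arg)          # operands for a later STACK_GLOBAL
        elif op.name == "GLOBAL":        # protocols 0-3: "module name" text
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":  # protocol 4+: module, name on stack
            found.append((strings[-2], strings[-1]))
    return found


class AllowlistUnpickler(pickle.Unpickler):
    """Resolve only globals on the allowlist; refuse everything else."""

    def __init__(self, stream, allowed):
        super().__init__(stream)
        self.allowed = set(allowed)

    def find_class(self, module, name):
        if (module, name) not in self.allowed:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def allowlist_for(*classes):
    """Derive the allowlist from the library's classes. PickleBall derives it
    by analysing the library; here we simply enumerate what the model needs."""
    return {(cls.__module__, cls.__qualname__) for cls in classes}


def safe_load(data, allowed):
    return AllowlistUnpickler(io.BytesIO(data), allowed).load()


def demo():
    allowed = allowlist_for(LinearModel)
    benign = pickle.dumps(LinearModel([0.5, -1.0], 0.25))
    malicious = pickle.dumps(Payload())

    # The allowlisting loader rebuilds the real model ...
    model = safe_load(benign, allowed)
    # ... and refuses the payload before builtins.exec is even looked up.
    try:
        safe_load(malicious, allowed)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True

    # Plain pickle.loads, by contrast, runs the payload during loading.
    os.environ.pop("PICKLE_DEMO", None)
    pickle.loads(malicious)

    return {
        "benign_imports": referenced_globals(benign),
        "malicious_imports": referenced_globals(malicious),
        "prediction": model.predict([2.0, 1.0]),   # 0.5*2 - 1.0*1 + 0.25
        "blocked": blocked,
        "unsafe_load_side_effect": os.environ.get("PICKLE_DEMO"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the three points the article makes in one place: `referenced_globals` reveals that the "model" file wants `builtins.exec` before anything is executed, `pickle.loads` runs that payload as a side effect of loading, and the allowlisting unpickler raises `UnpicklingError` at the first global that the model library does not need while still rebuilding the legitimate model.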

“Existing tools either block too much or catch too little,” Davis said. “PickleBall takes a different approach by learning what ‘good behavior’ looks like for each library and enforcing that during loading. That lets us block all the malicious models we tested while still supporting legitimate ones.”

In tests on a dataset of 336 real and synthetic models, PickleBall:

  • Blocked 100% of malicious models, preventing every attempted attack
  • Successfully loaded nearly 80% of benign models, significantly more than other secure loaders
  • Added only about 1.75% overhead, a negligible slowdown in practice

A growing area of concern

As AI systems become more widely deployed, and as organizations increasingly re-use models developed elsewhere, keeping the “model supply chain” secure has become a critical challenge.

This work demonstrates a practical way to harden one of the most widely used model formats without requiring major changes from developers.

The award recognizes not only the strength of the research but also the quality and reproducibility of the team’s code and datasets — factors emphasized by CCS for its artifact honors.