DEV Community: Pelumi Oluwategbe

Building Mithridatium: Detecting Hidden Backdoors in ML Models

Pelumi Oluwategbe — Wed, 06 May 2026 19:36:25 +0000

As pretrained AI models become more common, one growing concern is whether those models can actually be trusted.

A model may appear completely normal during testing, but behave maliciously when exposed to a hidden trigger. These attacks are known as backdoor or poisoning attacks, and they represent a serious security risk for real-world AI systems.

This semester, our team built Mithridatium - an open-source framework designed to help detect hidden backdoors in pretrained machine learning models.

What is a Backdoor?

In simple terms, a backdoor attack hides malicious behavior inside an otherwise normal model.

Most of the time, the model behaves exactly as expected. But when a specific trigger appears in the input, the model changes its behavior in a way that benefits an attacker.

Imagine a self-driving vehicle that correctly recognizes stop signs during testing, but misclassifies them when a small sticker or visual trigger is placed on the sign. A hidden trigger like this could potentially cause extremely dangerous outcomes in real-world systems.

This problem becomes even more concerning because many developers rely heavily on pretrained models downloaded from external sources like Hugging Face or public repositories.

The question becomes:

How do we verify that a pretrained model has not been poisoned before deploying it?

That is the problem Mithridatium was designed to explore.

What Mithridatium Does

Mithridatium is a framework for evaluating pretrained image classification models for potential backdoor behavior.

The framework allows users to:

Load local checkpoints or Hugging Face models
Run multiple backdoor detection defenses
Generate structured JSON reports
Visualize results through a web demo interface
Compare detection signals across different methods

The goal is to translate AI security research into practical and reusable tooling.

The Detection Defenses

One of the most interesting parts of the project was implementing and evaluating several different detection strategies. Each defense approaches the problem differently.

FreeEagle

FreeEagle is a white-box, data-free defense.

Instead of relying on datasets or trigger injection, it analyzes the internal behavior of the model itself and looks for abnormal class bias patterns that may indicate hidden backdoor behavior.

This makes it especially useful for quickly screening unknown models.

STRIP

STRIP works by perturbing inputs with other images.

The intuition is that a normal model should become less confident when the input changes significantly. However, backdoored models often remain unusually stable when the trigger is present.

If prediction entropy remains suspiciously low across perturbed inputs, STRIP raises a red flag.

MMBD

MMBD focuses on abnormal dominance patterns across output classes.

The defense looks for suspicious concentration or bias in the model’s behavior that may suggest hidden trigger relationships.

This approach was especially interesting because it worked well even against some dynamic backdoor scenarios.

AEVA

AEVA takes a more adversarial approach.

It perturbs input images and observes how the model responds to trigger-like changes. By analyzing anomaly indices and perturbation behavior, the framework can identify suspicious patterns associated with backdoors.

Compared to some other defenses, AEVA can require significantly more queries and computation, especially in black-box settings.

Building the Project

Mithridatium was built primarily in Python using PyTorch and Hugging Face tooling.

The project currently includes:

A modular CLI interface
Support for Hugging Face models
JSON report generation
Multiple detection defenses
Demo interfaces for visualization
Compatibility validation for supported architectures

A typical CLI run looks like this:

mithridatium detect \
  --model models/resnet18_cifar10.pt \
  --data cifar10 \
  --defense freeeagle \
  --out reports/freeeagle_report.json \
  --force

The framework can also evaluate models directly from Hugging Face using model IDs instead of local checkpoints.

Reports and Visual Output

One major goal of the project was usability.

A user should not need to read multiple research papers just to understand whether a model might be risky. Mithridatium attempts to translate complex detection signals into understandable verdicts and metrics.

The framework produces structured reports and can visualize outputs through the demo interface.

Lessons Learned

One thing we learned very quickly is that ML security tooling is not just about implementing algorithms.

A practical tool also has to handle:

dataset compatibility
integration problems
reporting
usability
deployment assumptions
benchmarking
reproducibility

One particularly important lesson involved dataset mismatch.

Some defenses behaved very differently depending on whether the evaluation dataset matched the dataset the model was originally trained on. In some cases, mismatched datasets produced false positives that initially looked like detection failures.

We also learned that different defenses come with different tradeoffs.

Some methods are lightweight and data-free, while others require large numbers of model queries or significant computational resources.

Another major takeaway was the importance of clear reporting. Security tooling becomes far more useful when results are understandable to developers who may not specialize in AI security research.

Current Developers

Mithridatium was developed through Open Source with SLU by:

Pelumi Oluwategbe
Gustavo Lucca
Payton Guffey
Will Phoenix

Project Links

GitHub Repository: https://github.com/oss-slu/mithridatium
Project Website: https://mithridatium.vercel.app/
Hugging Face Demo: https://huggingface.co/spaces/williamphoenix/Mithridatium

Looking Ahead

Mithridatium currently focuses on image classification models, but the broader concept of model integrity verification is much larger.

As AI systems become more widely deployed, verifying pretrained models before deployment will likely become increasingly important.

This project represents one small step toward making AI security tooling more practical, accessible, and open source.

Mithridatium: An Open-Source Toolkit for Verifying the Integrity of Pretrained Machine Learning Models

Pelumi Oluwategbe — Wed, 03 Dec 2025 02:53:48 +0000

Modern machine learning workflows rely heavily on pretrained models—downloaded from GitHub, HuggingFace, and countless other model hubs. This convenience comes with a growing risk: model tampering, data poisoning, and hidden backdoors embedded in .pth checkpoints.

To address this problem, we built Mithridatium, a lightweight open-source framework designed to verify the integrity of pretrained neural networks before they enter production or research pipelines.

Why Mithridatium?

Today’s ML ecosystem assumes that pretrained models are safe. In reality, the model file itself can be a silent attack vector:
• poisoned training data
• hidden triggers that activate under specific inputs
• manipulated weights
• malformed checkpoints that cause unexpected runtime behavior

Mithridatium provides a command-line workflow to evaluate these risks through model-centric defenses, inspired by academic research, but simplified for real-world use.

Offline Usage

Once installed, Mithridatium can run entirely offline.

You only need:
1. Your .pth model file
2. A local dataset directory (optional for STRIP; required for MMBD depending on configuration)

This makes the tool suitable for restricted environments, air-gapped machines, or secure internal ML pipelines.

Installation

Install from PyPI:

pip install mithridatium

Upgrade to the latest release:

pip install --upgrade mithridatium

Implemented Defenses

MMBD (Maximum Mean Backdoor Detection)

MMBD evaluates synthetic class-optimized images to detect anomalous activation patterns commonly associated with backdoored models.

The implementation exposes:
• per-class eigenvalue scores
• normalized anomaly distributions
• classical hypothesis testing (p-value)
• a deterministic verdict

Example invocation in our tool:

mithridatium detect --model model.pth --defense mmbd --arch resnet18 --data cifar10

STRIP (Strong Intentional Perturbation)

STRIP is a black-box defense: it does not rely on internal architectural details. Instead, it evaluates the prediction entropy when the model is exposed to heavily perturbed variants of the same input. Backdoored models typically exhibit abnormally low entropy under perturbation, due to a forced output toward the trigger class.

Our implementation includes:
• entropy computation on perturbed samples
• sampling and perturbation utilities
• summary metrics (mean, min, max entropy)
• integration into a unified reporting schema

Example invocation in our tool:

mithridatium detect --defense strip --model model.pth --data cifar10 --arch resnet18

Recent Advancements

The most recent development cycle added the following enhancements:

STRIP Core Utility

A modular implementation inside defenses/strip.py that handles entropy scoring, perturbation generation, and device-safe execution (CPU/MPS/CUDA).

CLI Integration

STRIP can now be invoked just like MMBD, with unified reporting and JSON output.

Output Schema Normalization

We’re standardizing all defenses toward a single report format to enable ecosystem integration.

End-to-End CLI Tests

Full test coverage ensures STRIP runs cleanly through subprocess without crashes.

What’s Next

With the major defenses complete, the remaining work is focused on:
• improving documentation
• adding developer notes
• refining report summaries
• strengthening validation and error messaging

We’re not adding new defenses till next year; instead, we’re polishing the tool so it is maintainable and accessible to new contributors.

Try it Yourself

The project is open-source and available here:

👉 mithridatium

Contributions, issues, and feedback are welcome.
If you’re working with pretrained models—research, deployment, or security, you should not assume integrity. Mithridatium helps you verify it. You can read detailed explanations, defense theory, and usage examples in the repository’s README.

MERN Stack Learning path

Pelumi Oluwategbe — Tue, 17 Jan 2023 18:27:19 +0000

Been a long time I wrote, but here I am. Hopefully I'll write more these days. So in my React journey (also learning Node JS along), I started this tutorial building a social media application and I'm currently at the back end part of it. I was stuck in one aspect for hourssss. Left it, watched a movie to clear my mind and came back but I still didn't get it. I even asked ChatGPT lol (it must've been tired of me today if it could get tired). Tried different methods and stuff. What I was trying to achieve was updating a particular post and I was testing the function on the postman app. Code snippet below:

So I followed the tutorial well, and it just wasn't working. The console gave the error below:

So after googling and asking ChatGPT for help, I found out that BSON error means that the arguments passed in the url wasn't complete so I checked my Postman url again and noticed that there was a new line after the url and wondered how in the world I could've missed such. Picture below:

It's amazing how a simple error set me back and I'm currently pissed at myself for that, but then it's all part of the learning journey so it's cool. So whoever is reading this, don't give up. If your code isn't working, check over and over again. Don't forget the details. Alright, till next time.

How to convert html to pdf (something like a generated invoice) and send it to an email

Pelumi Oluwategbe — Sat, 16 Jul 2022 10:45:49 +0000

Long time, no post. Sorry about that, been quite busy with my youth service PPA (Place of Primary Assignment), and sadly it has taken quite so much of my time. Anyways, down to business. So I'm building this web application for my PPA which generates a delivery note from a set of inputs and sends to the inputed email by the click of the "Send Email" button. I had problems with converting it to a pdf and I did a lot of research but I finally figured it out with the help of the internet and some people at Stack Overflow (every junior developer needs help from the internet), to convert it to pdf and print by the click of a button, here's the code below:

So you have to add the html2pdf script before it can work, though there are other ways, this was the one I found.
Meanwhile if you want to generate a pdf and then send it to an email, that is a different ball game. I tried fetching the downloaded pdf and then sending it to the email, but that gave me problems and I couldn't quite figure it out. Anyways, I did some research and also asked other senior developers I knew for help (Special thanks, Mr Samuel Adetoro @big_black_fella ). So I found smtpJs and followed the steps shown below

As you can see in the highlighted part, I could send an email with attachment but the code to convert and send a pdf straight was more complex than that so I did some further research and also found some help from some guys at Stack Overflow and to avoid long talk, I had to create an Elastic email account shown below

Then I combined it with the smtpjs code and also the html2pdf code to convert the invoice to a pdf, then change it to a datauristring and then send it as a data using the email code from smtpjs. I used elastic email as my smtp server. The code is shown below

Finally, it all worked out and the invoice looks like this:

.
It was successfully sent to the email that was inputed. That's all from me for now, till next time. Hope you found this useful.

New Journey

Pelumi Oluwategbe — Thu, 14 Apr 2022 09:12:59 +0000

Hey Guys, this is my first post as I just joined dev.to. So a role model of mine advised me to maybe start writing, as per document my programming journey and I thought: yeah, that's a great idea as it would even push me to learn more regularly even with the other things I'm so busy with (service year...ugh). So here I am, and I'm looking forward to taking you guys along in my journey.