Do You Trust Your Model? Emerging Malware Threats in the Deep Learning Ecosystem
arxiv(2024)
摘要
Training high-quality deep learning models is a challenging task due to
computational and technical requirements. A growing number of individuals,
institutions, and companies increasingly rely on pre-trained, third-party
models made available in public repositories. These models are often used
directly or integrated in product pipelines with no particular precautions,
since they are effectively just data in tensor form and considered safe. In
this paper, we raise awareness of a new machine learning supply chain threat
targeting neural networks. We introduce MaleficNet 2.0, a novel technique to
embed self-extracting, self-executing malware in neural networks. MaleficNet
2.0 uses spread-spectrum channel coding combined with error correction
techniques to inject malicious payloads in the parameters of deep neural
networks. MaleficNet 2.0 injection technique is stealthy, does not degrade the
performance of the model, and is robust against removal techniques. We design
our approach to work both in traditional and distributed learning settings such
as Federated Learning, and demonstrate that it is effective even when a reduced
number of bits is used for the model parameters. Finally, we implement a
proof-of-concept self-extracting neural network malware using MaleficNet 2.0,
demonstrating the practicality of the attack against a widely adopted machine
learning framework. Our aim with this work is to raise awareness against these
new, dangerous attacks both in the research community and industry, and we hope
to encourage further research in mitigation techniques against such threats.
更多查看译文
AI 理解论文
溯源树
样例
生成溯源树,研究论文发展脉络
Chat Paper
正在生成论文摘要