MalModel: Hiding Malicious Payload in Mobile Deep Learning Models with Black-box Backdoor Attack

• URL: http://arxiv.org/abs/2401.02659v1
• Date: Fri, 5 Jan 2024 06:35:24 GMT
• Title: MalModel: Hiding Malicious Payload in Mobile Deep Learning Models with Black-box Backdoor Attack
• Authors: Jiayi Hua, Kailong Wang, Meizhen Wang, Guangdong Bai, Xiapu Luo, Haoyu Wang,
• Abstract summary: We propose a method to generate or transform mobile malware by hiding the malicious payloads inside the parameters of deep learning models. We can run malware in DL mobile applications covertly with little impact on the model performance.
• Score: 24.569156952823068
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Mobile malware has become one of the most critical security threats in the era of ubiquitous mobile computing. Despite the intensive efforts from security experts to counteract it, recent years have still witnessed a rapid growth of identified malware samples. This could be partly attributed to the newly-emerged technologies that may constantly open up under-studied attack surfaces for the adversaries. One typical example is the recently-developed mobile machine learning (ML) framework that enables storing and running deep learning (DL) models on mobile devices. Despite obvious advantages, this new feature also inadvertently introduces potential vulnerabilities (e.g., on-device models may be modified for malicious purposes). In this work, we propose a method to generate or transform mobile malware by hiding the malicious payloads inside the parameters of deep learning models, based on a strategy that considers four factors (layer type, layer number, layer coverage and the number of bytes to replace). Utilizing the proposed method, we can run malware in DL mobile applications covertly with little impact on the model performance (i.e., as little as 0.4% drop in accuracy and at most 39ms latency overhead).

Related papers

• MASKDROID: Robust Android Malware Detection with Masked Graph Representations [56.09270390096083]
  We propose MASKDROID, a powerful detector with a strong discriminative ability to identify malware. We introduce a masking mechanism into the Graph Neural Network based framework, forcing MASKDROID to recover the whole input graph. This strategy enables the model to understand the malicious semantics and learn more stable representations, enhancing its robustness against adversarial attacks.
  arXiv  Detail & Related papers  (2024-09-29T07:22:47Z)
• Privacy Backdoors: Enhancing Membership Inference through Poisoning Pre-trained Models [112.48136829374741]
  In this paper, we unveil a new vulnerability: the privacy backdoor attack. When a victim fine-tunes a backdoored model, their training data will be leaked at a significantly higher rate than if they had fine-tuned a typical model. Our findings highlight a critical privacy concern within the machine learning community and call for a reevaluation of safety protocols in the use of open-source pre-trained models.
  arXiv  Detail & Related papers  (2024-04-01T16:50:54Z)
• SecurityNet: Assessing Machine Learning Vulnerabilities on Public Models [74.58014281829946]
  We analyze the effectiveness of several representative attacks/defenses, including model stealing attacks, membership inference attacks, and backdoor detection on public models. Our evaluation empirically shows the performance of these attacks/defenses can vary significantly on public models compared to self-trained models.
  arXiv  Detail & Related papers  (2023-10-19T11:49:22Z)
• Isolation and Induction: Training Robust Deep Neural Networks against Model Stealing Attacks [51.51023951695014]
  Existing model stealing defenses add deceptive perturbations to the victim's posterior probabilities to mislead the attackers. This paper proposes Isolation and Induction (InI), a novel and effective training framework for model stealing defenses. In contrast to adding perturbations over model predictions that harm the benign accuracy, we train models to produce uninformative outputs against stealing queries.
  arXiv  Detail & Related papers  (2023-08-02T05:54:01Z)
• Beyond the Model: Data Pre-processing Attack to Deep Learning Models in Android Apps [3.2307366446033945]
  We introduce a data processing-based attack against real-world deep learning (DL) apps. Our attack could influence the performance and latency of the model without affecting the operation of a DL app. Among 320 apps utilizing MLkit, we find that 81.56% of them can be successfully attacked.
  arXiv  Detail & Related papers  (2023-05-06T07:35:39Z)
• DRSM: De-Randomized Smoothing on Malware Classifier Providing Certified Robustness [58.23214712926585]
  We develop a certified defense, DRSM (De-Randomized Smoothed MalConv), by redesigning the de-randomized smoothing technique for the domain of malware detection. Specifically, we propose a window ablation scheme to provably limit the impact of adversarial bytes while maximally preserving local structures of the executables. We are the first to offer certified robustness in the realm of static detection of malware executables.
  arXiv  Detail & Related papers  (2023-03-20T17:25:22Z)
• Smart App Attack: Hacking Deep Learning Models in Android Apps [16.663345577900813]
  We introduce a grey-box adversarial attack framework to hack on-device models. We evaluate the attack effectiveness and generality in terms of four different settings. Among 53 apps adopting transfer learning, we find that 71.7% of them can be successfully attacked.
  arXiv  Detail & Related papers  (2022-04-23T14:01:59Z)
• Few-Shot Backdoor Attacks on Visual Object Tracking [80.13936562708426]
  Visual object tracking (VOT) has been widely adopted in mission-critical applications, such as autonomous driving and intelligent surveillance systems. We show that an adversary can easily implant hidden backdoors into VOT models by tempering with the training process. We show that our attack is resistant to potential defenses, highlighting the vulnerability of VOT models to potential backdoor attacks.
  arXiv  Detail & Related papers  (2022-01-31T12:38:58Z)
• DeepPayload: Black-box Backdoor Attack on Deep Learning Models through Neural Payload Injection [17.136757440204722]
  We introduce a highly practical backdoor attack achieved with a set of reverse-engineering techniques over compiled deep learning models. The injected backdoor can be triggered with a success rate of 93.5%, while only brought less than 2ms latency overhead and no more than 1.4% accuracy decrease. We found 54 apps that were vulnerable to our attack, including popular and security-critical ones.
  arXiv  Detail & Related papers  (2021-01-18T06:29:30Z)
• Binary Black-box Evasion Attacks Against Deep Learning-based Static Malware Detectors with Adversarial Byte-Level Language Model [11.701290164823142]
  MalRNN is a novel approach to automatically generate evasive malware variants without restrictions. MalRNN effectively evades three recent deep learning-based malware detectors and outperforms current benchmark methods.
  arXiv  Detail & Related papers  (2020-12-14T22:54:53Z)
• Mind Your Weight(s): A Large-scale Study on Insufficient Machine Learning Model Protection in Mobile Apps [17.421303987300902]
  This paper presents the first empirical study of machine learning model protection on mobile devices. We analyzed 46,753 popular apps collected from the US and Chinese app markets. We found that, alarmingly, 41% of ML apps do not protect their models at all, which can be trivially stolen from app packages.
  arXiv  Detail & Related papers  (2020-02-18T16:14:37Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.