Embed malware into Neural Networks

This introduction is entitled “EvilModel: Hiding Malware Inside of Neural Network Models ” The article .

This article mainly describes an implicit method of spreading malware , By modifying the weight of the neural network to achieve the spread of malware .

Essentially , Is to select some of the models “ redundancy ” The layer , Replace the weights of the neurons , For each weight , Replace its last 3 Bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit bit 3 A bit , And then realize the implicit transmission of malware .

Mentioned here redundancy , Actually, it passed the test , Check the impact on accuracy , Choose those layers that have little impact on the accuracy .

As shown in the figure above , The horizontal axis is the number of replacement neurons , The vertical axis is the accuracy of the modified model .

Here are some observations ：

• As the number of modified neurons increases , The more accuracy is affected .
• Neurons closer to the input layer , It is more suitable for embedding malware , Less impact

Because the modification of neural network weight will reduce its original accuracy , So the author also explored the effect of heavy training , As shown in the figure below ：

among ,BR Means before retraining (Before),AR It means after heavy training (After)

You can see , Didn't bring BN (BatchNorm) Layer network , Accuracy cannot be restored through retraining , With BN The accuracy of layer can be restored by retraining .