Abstract
Deep learning models are increasingly used in mobile applications as critical components. Unlike the program bytecode whose vulnerabilities and threats have been widely-discussed, whether and how the deep learning models deployed in the applications can be compromised are not well-understood since Neural Networks are usually viewed as a black box. In this paper, we introduce a highly practical backdoor attack achieved with a set of reverse-engineering techniques over compiled deep learning models. The core of the attack is a neural conditional branch constructed with a trigger detector and several operators and injected into the victim model as a malicious payload. The attack is effective as the conditional logic can be flexibly customized by the attacker, and scalable as it does not require any prior knowledge from the original model. We evaluated the attack effectiveness using 5 state-of-the-art deep learning models and real-world samples collected from 30 users. The results demonstrated that the injected backdoor can be triggered with a success rate of 93.5%, while only brought less than 2ms latency overhead and no more than 1.4% accuracy decrease. We further conducted an empirical study on real-world mobile deep learning apps collected from Google Play. We found 54 apps that were vulnerable to our attack, including popular and security-critical ones. The results call for the awareness of deep learning application developers and auditors to enhance the protection of deployed models.
Original language | English |
---|---|
Title of host publication | Proceedings - 2021 IEEE/ACM 43rd International Conference on Software Engineering, ICSE 2021 |
Editors | Arie van Deursen, Tao Xie |
Place of Publication | Piscataway NJ USA |
Publisher | IEEE, Institute of Electrical and Electronics Engineers |
Pages | 263-274 |
Number of pages | 12 |
ISBN (Electronic) | 9780738113197 |
ISBN (Print) | 9781665402965 |
DOIs | |
Publication status | Published - 2021 |
Event | International Conference on Software Engineering 2021 - Online, Madrid, Spain Duration: 25 May 2021 → 28 May 2021 Conference number: 43rd https://conf.researchr.org/committee/icse-2021/icse-2021-organizing-committe https://conf.researchr.org/home/icse-2021 https://ieeexplore.ieee.org/xpl/conhome/9401807/proceeding (Proceedings) |
Publication series
Name | Proceedings - International Conference on Software Engineering |
---|---|
Publisher | The Institute of Electrical and Electronics Engineers, Inc. |
ISSN (Print) | 0270-5257 |
ISSN (Electronic) | 1558-1225 |
Conference
Conference | International Conference on Software Engineering 2021 |
---|---|
Abbreviated title | ICSE 2021 |
Country/Territory | Spain |
City | Madrid |
Period | 25/05/21 → 28/05/21 |
Internet address |
Keywords
- Backdoor attack
- Deep learning
- Malicious payload
- Mobile applications
- Reverse engineering