DeepPayload: black-box backdoor attack on deep learning models through neural payload injection

Yuanchun Li, Jiayi Hua, Haoyu Wang, Chunyang Chen, Yunxin Liu

Research output: Chapter in Book/Report/Conference proceedingConference PaperResearchpeer-review

47 Citations (Scopus)

Abstract

Deep learning models are increasingly used in mobile applications as critical components. Unlike the program bytecode whose vulnerabilities and threats have been widely-discussed, whether and how the deep learning models deployed in the applications can be compromised are not well-understood since Neural Networks are usually viewed as a black box. In this paper, we introduce a highly practical backdoor attack achieved with a set of reverse-engineering techniques over compiled deep learning models. The core of the attack is a neural conditional branch constructed with a trigger detector and several operators and injected into the victim model as a malicious payload. The attack is effective as the conditional logic can be flexibly customized by the attacker, and scalable as it does not require any prior knowledge from the original model. We evaluated the attack effectiveness using 5 state-of-the-art deep learning models and real-world samples collected from 30 users. The results demonstrated that the injected backdoor can be triggered with a success rate of 93.5%, while only brought less than 2ms latency overhead and no more than 1.4% accuracy decrease. We further conducted an empirical study on real-world mobile deep learning apps collected from Google Play. We found 54 apps that were vulnerable to our attack, including popular and security-critical ones. The results call for the awareness of deep learning application developers and auditors to enhance the protection of deployed models.

Original languageEnglish
Title of host publicationProceedings - 2021 IEEE/ACM 43rd International Conference on Software Engineering, ICSE 2021
EditorsArie van Deursen, Tao Xie
Place of PublicationPiscataway NJ USA
PublisherIEEE, Institute of Electrical and Electronics Engineers
Pages263-274
Number of pages12
ISBN (Electronic)9780738113197
ISBN (Print)9781665402965
DOIs
Publication statusPublished - 2021
EventInternational Conference on Software Engineering 2021 - Online, Madrid, Spain
Duration: 25 May 202128 May 2021
Conference number: 43rd
https://conf.researchr.org/committee/icse-2021/icse-2021-organizing-committe
https://conf.researchr.org/home/icse-2021
https://ieeexplore.ieee.org/xpl/conhome/9401807/proceeding (Proceedings)

Publication series

NameProceedings - International Conference on Software Engineering
PublisherThe Institute of Electrical and Electronics Engineers, Inc.
ISSN (Print)0270-5257
ISSN (Electronic)1558-1225

Conference

ConferenceInternational Conference on Software Engineering 2021
Abbreviated titleICSE 2021
Country/TerritorySpain
CityMadrid
Period25/05/2128/05/21
Internet address

Keywords

  • Backdoor attack
  • Deep learning
  • Malicious payload
  • Mobile applications
  • Reverse engineering

Cite this