Robustness of on-device models: adversarial attack to deep learning models on Android apps

Yujin Huang; Han Hu; Chunyang Chen

doi:10.1109/ICSE-SEIP52600.2021.00019

Robustness of on-device models: adversarial attack to deep learning models on Android apps

Yujin Huang, Han Hu, Chunyang Chen

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

39 Citations (Scopus)

Abstract

Deep learning has shown its power in many applications, including object detection in images, natural-language understanding, and speech recognition. To make it more accessible to end users, many deep learning models are now embedded in mobile apps. Compared to offloading deep learning from smartphones to the cloud, performing machine learning on-device can help improve latency, connectivity, and power consumption. However, most deep learning models within Android apps can easily be obtained via mature reverse engineering, while the models' exposure may invite adversarial attacks. In this study, we propose a simple but effective approach to hacking deep learning models using adversarial attacks by identifying highly similar pre-trained models from TensorFlow Hub. All 10 real-world Android apps in the experiment are successfully attacked by our approach. Apart from the feasibility of the model attack, we also carry out an empirical study that investigates the characteristics of deep learning models used by hundreds of Android apps on Google Play. The results show that many of them are similar to each other and widely use fine-tuning techniques to pre-trained models on the Internet.

Original language	English
Title of host publication	Proceedings - 2021 IEEE/ACM 43rd International Conference on Software Engineering
Subtitle of host publication	Software Engineering in Practice, ICSE-SEIP 2021
Editors	Sigrid Eldh, Davide Falessi
Place of Publication	Piscataway NJ USA
Publisher	IEEE, Institute of Electrical and Electronics Engineers
Pages	101-110
Number of pages	10
ISBN (Electronic)	9780738146690
ISBN (Print)	9781665438698
DOIs	https://doi.org/10.1109/ICSE-SEIP52600.2021.00019
Publication status	Published - 2021
Event	International Conference on Software Engineering 2021: Software Engineering in Practice - Online, Madrid, Spain Duration: 25 May 2021 → 28 May 2021 Conference number: 43rd https://ieeexplore-ieee-org.ezproxy.lib.monash.edu.au/xpl/conhome/9401806/proceeding (Proceedings)

Publication series

Name	Proceedings - International Conference on Software Engineering
Publisher	The Institute of Electrical and Electronics Engineers, Inc.
ISSN (Print)	0270-5257

Conference

Conference	International Conference on Software Engineering 2021
Abbreviated title	ICSE-SEIP 2021
Country/Territory	Spain
City	Madrid
Period	25/05/21 → 28/05/21
Other	Track within the International Conference on Software Engineering
Internet address	https://ieeexplore-ieee-org.ezproxy.lib.monash.edu.au/xpl/conhome/9401806/proceeding (Proceedings)

Keywords

Adversarial attack
Android
Deep learning
Mobile apps
Security

Access to Document

10.1109/ICSE-SEIP52600.2021.00019

Cite this

Huang, Y., Hu, H., & Chen, C. (2021). Robustness of on-device models: adversarial attack to deep learning models on Android apps. In S. Eldh, & D. Falessi (Eds.), Proceedings - 2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2021 (pp. 101-110). (Proceedings - International Conference on Software Engineering). IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/ICSE-SEIP52600.2021.00019

Huang, Yujin ; Hu, Han ; Chen, Chunyang. / Robustness of on-device models : adversarial attack to deep learning models on Android apps. Proceedings - 2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2021. editor / Sigrid Eldh ; Davide Falessi. Piscataway NJ USA : IEEE, Institute of Electrical and Electronics Engineers, 2021. pp. 101-110 (Proceedings - International Conference on Software Engineering).

@inproceedings{5d55986d29534a8cbe19c776ae1f6bdb,

title = "Robustness of on-device models: adversarial attack to deep learning models on Android apps",

abstract = "Deep learning has shown its power in many applications, including object detection in images, natural-language understanding, and speech recognition. To make it more accessible to end users, many deep learning models are now embedded in mobile apps. Compared to offloading deep learning from smartphones to the cloud, performing machine learning on-device can help improve latency, connectivity, and power consumption. However, most deep learning models within Android apps can easily be obtained via mature reverse engineering, while the models' exposure may invite adversarial attacks. In this study, we propose a simple but effective approach to hacking deep learning models using adversarial attacks by identifying highly similar pre-trained models from TensorFlow Hub. All 10 real-world Android apps in the experiment are successfully attacked by our approach. Apart from the feasibility of the model attack, we also carry out an empirical study that investigates the characteristics of deep learning models used by hundreds of Android apps on Google Play. The results show that many of them are similar to each other and widely use fine-tuning techniques to pre-trained models on the Internet.",

keywords = "Adversarial attack, Android, Deep learning, Mobile apps, Security",

author = "Yujin Huang and Han Hu and Chunyang Chen",

note = "Publisher Copyright: {\textcopyright} 2021 IEEE. Copyright: Copyright 2021 Elsevier B.V., All rights reserved.; International Conference on Software Engineering 2021 : Software Engineering in Practice, ICSE-SEIP 2021 ; Conference date: 25-05-2021 Through 28-05-2021",

year = "2021",

doi = "10.1109/ICSE-SEIP52600.2021.00019",

language = "English",

isbn = "9781665438698",

series = "Proceedings - International Conference on Software Engineering",

publisher = "IEEE, Institute of Electrical and Electronics Engineers",

pages = "101--110",

editor = "Sigrid Eldh and Davide Falessi",

booktitle = "Proceedings - 2021 IEEE/ACM 43rd International Conference on Software Engineering",

address = "United States of America",

url = "https://ieeexplore-ieee-org.ezproxy.lib.monash.edu.au/xpl/conhome/9401806/proceeding",

}

Huang, Y, Hu, H & Chen, C 2021, Robustness of on-device models: adversarial attack to deep learning models on Android apps. in S Eldh & D Falessi (eds), Proceedings - 2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2021. Proceedings - International Conference on Software Engineering, IEEE, Institute of Electrical and Electronics Engineers, Piscataway NJ USA, pp. 101-110, International Conference on Software Engineering 2021, Madrid, Spain, 25/05/21. https://doi.org/10.1109/ICSE-SEIP52600.2021.00019

Robustness of on-device models: adversarial attack to deep learning models on Android apps. / Huang, Yujin; Hu, Han; Chen, Chunyang.
Proceedings - 2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2021. ed. / Sigrid Eldh; Davide Falessi. Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers, 2021. p. 101-110 (Proceedings - International Conference on Software Engineering).

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Robustness of on-device models

T2 - International Conference on Software Engineering 2021

AU - Huang, Yujin

AU - Hu, Han

AU - Chen, Chunyang

N1 - Conference code: 43rd

PY - 2021

Y1 - 2021

N2 - Deep learning has shown its power in many applications, including object detection in images, natural-language understanding, and speech recognition. To make it more accessible to end users, many deep learning models are now embedded in mobile apps. Compared to offloading deep learning from smartphones to the cloud, performing machine learning on-device can help improve latency, connectivity, and power consumption. However, most deep learning models within Android apps can easily be obtained via mature reverse engineering, while the models' exposure may invite adversarial attacks. In this study, we propose a simple but effective approach to hacking deep learning models using adversarial attacks by identifying highly similar pre-trained models from TensorFlow Hub. All 10 real-world Android apps in the experiment are successfully attacked by our approach. Apart from the feasibility of the model attack, we also carry out an empirical study that investigates the characteristics of deep learning models used by hundreds of Android apps on Google Play. The results show that many of them are similar to each other and widely use fine-tuning techniques to pre-trained models on the Internet.

AB - Deep learning has shown its power in many applications, including object detection in images, natural-language understanding, and speech recognition. To make it more accessible to end users, many deep learning models are now embedded in mobile apps. Compared to offloading deep learning from smartphones to the cloud, performing machine learning on-device can help improve latency, connectivity, and power consumption. However, most deep learning models within Android apps can easily be obtained via mature reverse engineering, while the models' exposure may invite adversarial attacks. In this study, we propose a simple but effective approach to hacking deep learning models using adversarial attacks by identifying highly similar pre-trained models from TensorFlow Hub. All 10 real-world Android apps in the experiment are successfully attacked by our approach. Apart from the feasibility of the model attack, we also carry out an empirical study that investigates the characteristics of deep learning models used by hundreds of Android apps on Google Play. The results show that many of them are similar to each other and widely use fine-tuning techniques to pre-trained models on the Internet.

KW - Adversarial attack

KW - Android

KW - Deep learning

KW - Mobile apps

KW - Security

UR - https://www.scopus.com/pages/publications/85111207102

U2 - 10.1109/ICSE-SEIP52600.2021.00019

DO - 10.1109/ICSE-SEIP52600.2021.00019

M3 - Conference Paper

AN - SCOPUS:85111207102

SN - 9781665438698

T3 - Proceedings - International Conference on Software Engineering

SP - 101

EP - 110

BT - Proceedings - 2021 IEEE/ACM 43rd International Conference on Software Engineering

A2 - Eldh, Sigrid

A2 - Falessi, Davide

PB - IEEE, Institute of Electrical and Electronics Engineers

CY - Piscataway NJ USA

Y2 - 25 May 2021 through 28 May 2021

ER -

Huang Y, Hu H, Chen C. Robustness of on-device models: adversarial attack to deep learning models on Android apps. In Eldh S, Falessi D, editors, Proceedings - 2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2021. Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers. 2021. p. 101-110. (Proceedings - International Conference on Software Engineering). doi: 10.1109/ICSE-SEIP52600.2021.00019

Robustness of on-device models: adversarial attack to deep learning models on Android apps

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Cite this