Hiding Malware in ML Models
Interesting research: “EvilModel: Hiding Malware Inside of Neural Network Models.”
Abstract: Delivering malware covertly while evading detection is critical to advanced malware campaigns. In this paper, we present a method that delivers malware covertly and evades detection through neural network models. Neural network models are poorly explainable and have good generalization ability. By embedding malware into the neurons, malware can be delivered covertly, with minor or even no impact on the performance of the neural network. Meanwhile, since the structure of the neural network model remains unchanged, it can pass the security scan of antivirus engines. Experiments show that 36.9MB of malware can be embedded into a 178MB-AlexNet model within 1% accuracy loss, and no suspicion is raised by the antivirus engines in VirusTotal, which verifies the feasibility of this method. With the widespread application of artificial intelligence, utilizing neural networks is becoming a growing trend in malware. We hope this work can provide a reference scenario for the defense against neural network-assisted attacks.
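The abstract doesn't spell out the embedding mechanics, but the general idea of stashing payload bytes in the low-order bytes of floating-point parameters is easy to illustrate. Below is a minimal sketch, assuming float32 weights and three payload bytes per parameter; the function names `embed_payload` and `extract_payload` are illustrative, not the paper's, and the paper's actual procedure may differ.

```python
# Illustrative sketch only: one plausible way to hide bytes inside float32 weights.
# Overwriting only the low-order mantissa bytes leaves each weight's sign and most
# of its exponent intact, so values shift only slightly and accuracy barely moves.
import numpy as np

BYTES_PER_FLOAT = 3  # overwrite the 3 low-order bytes, keep the high byte


def embed_payload(weights: np.ndarray, payload: bytes) -> np.ndarray:
    """Hide `payload` in the low-order bytes of a float32 weight array."""
    flat = weights.astype(np.float32).copy().ravel()
    raw = flat.view(np.uint8).reshape(-1, 4)          # 4 bytes per float32 (little-endian)
    capacity = raw.shape[0] * BYTES_PER_FLOAT
    if len(payload) > capacity:
        raise ValueError(f"payload too large: {len(payload)} > {capacity} bytes")
    data = np.frombuffer(payload, dtype=np.uint8)
    n_floats = int(np.ceil(len(data) / BYTES_PER_FLOAT))
    padded = np.zeros(n_floats * BYTES_PER_FLOAT, dtype=np.uint8)
    padded[: len(data)] = data
    # bytes 0..2 of each little-endian float32 are its low-order bytes
    raw[:n_floats, :BYTES_PER_FLOAT] = padded.reshape(n_floats, BYTES_PER_FLOAT)
    return raw.view(np.float32).reshape(weights.shape)


def extract_payload(weights: np.ndarray, length: int) -> bytes:
    """Recover `length` bytes previously embedded by embed_payload()."""
    raw = weights.astype(np.float32).ravel().view(np.uint8).reshape(-1, 4)
    return raw[:, :BYTES_PER_FLOAT].ravel()[:length].tobytes()
```

Since the model file is still a structurally valid set of weight tensors, nothing about its format looks anomalous to a scanner; the ~20% capacity and ~1% accuracy figures reported in the paper are consistent with this kind of low-order-byte embedding, though the authors' exact scheme should be taken from the paper itself.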
News article.
Clive Robinson • July 27, 2021 7:02 AM
@ ALL,
Let’s be honest: it’s been a long time since “antivirus engines” in general have been of much use except as over-privileged “boat anchors”. I actually don’t advise them in many environments, as they are more potential trouble than they are worth, as the NSA found with Kaspersky (the AV deciding the code you are developing is some kind of virus and punting it off to some repository is just one issue of many that happens).
But 37MB out of 178MB, or ~20% of the file, being malware that goes undetected is still a very interesting figure, especially when the performance impact is down around ~1%…
But it kind of brings up not the specific case of malware but the more general case that we really don’t understand ML systems terribly well. Thus you could push several toes-up pachyderms down the vomitory, through the orifice and into the amphitheater without anyone really noticing them stinking the place up…
It’s this general issue we really should be getting to grips with. After all, the reality is that ML systems are not really that special, so why do we treat them as though they are?