EvilModel 2.0: Bringing Neural Network Models into Malware Attacks.

2021 
In recent years, neural networks have shown their strong power in various fields, and they also bring increasing security threats. Stegomalware based on neural network models is a representative one. Previous research preliminarily proves the feasibility of launching malicious attacks by triggering malware embedded in a neural network model. However, existing works have not shown that this emerging threat is practical in real-world attacks, because of the low malware embedding rate, the high model performance degradation and the extra effort. Therefore, we predict an improved stegomalware called EvilModel. We embed malware in binary form into a neural network model as its parameters, on the basis of analyzing the structure of the neural network model, and propose three new malware embedding technologies, namely MSB reservation, fast substitution and half substitution. By combining 19 malware samples and 10 popular neural network models, we build 550 malware-embedded models and analyze these models' performance on the ImageNet dataset. The experimental results show that half substitution performs almost perfectly, with a malware embedding rate of 48.52% and no model performance degradation or extra effort. Considering a series of factors, we propose a quantitative algorithm to evaluate the different embedding methods. The evaluation result indicates that EvilModel is much superior to the classic StegoNet. Additionally, we conduct a case study to trigger EvilModel in a real-world scenario. To understand the proposed malware embedding technology more deeply, we also investigate the impact of neural network structure, layer and parameter size on malware embedding capacity and embedded model accuracy. We also give some possible countermeasures to defend against EvilModel. We hope this work can provide a comprehensive understanding of such a novel AI-powered threat, and we recommend defending against it in advance.