CRLG · Jun 25, 2023

Steganographic Capacity of Deep Learning Models

arXiv:2306.17189v1 · 1 citation · h-index: 36
Originality: Synthesis-oriented
AI Analysis

The paper addresses a concrete security risk for users of ML models, but it is incremental: it quantifies steganographic capacity without proposing new defenses or detection methods.

The paper addresses steganographic attacks on learning models by measuring how much information can be hidden in a trained model's parameters without affecting its performance. It finds that the capacity is surprisingly high and that each model has a clear threshold beyond which performance degrades rapidly.

As machine learning and deep learning models become ubiquitous, it is inevitable that there will be attempts to exploit such models in various attack scenarios. For example, in a steganographic-based attack, information could be hidden in a learning model, which might then be used to distribute malware, or for other malicious purposes. In this research, we consider the steganographic capacity of several learning models. Specifically, we train a Multilayer Perceptron (MLP), Convolutional Neural Network (CNN), and Transformer model on a challenging malware classification problem. For each of the resulting models, we determine the number of low-order bits of the trained parameters that can be altered without significantly affecting the performance of the model. We find that the steganographic capacity of the learning models tested is surprisingly high, and that in each case, there is a clear threshold after which model performance rapidly degrades.
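The abstract's technique (overwrite the k low-order bits of each trained float32 parameter, then check what breaks) can be reproduced without any ML framework. The following is an added example written for this page, not code from the paper: it embeds a payload into constructed float32 parameters, recovers it, and reports the worst-case relative change per parameter as k grows. The parameter values, the payload and all function names are assumptions. Note what this does and does not show: the threshold visible here is the IEEE-754 mantissa/exponent boundary (k = 23), an arithmetic fact about the encoding; the thresholds the paper reports are measured in model accuracy on trained MLP, CNN and Transformer models, and how a given parameter perturbation maps to accuracy loss is model-dependent.

```python
import struct

MANTISSA_BITS = 23  # IEEE-754 binary32: 1 sign bit, 8 exponent bits, 23 mantissa bits


def f32_to_u32(x: float) -> int:
    """Bit pattern of x after rounding to float32."""
    return struct.unpack("<I", struct.pack("<f", x))[0]


def u32_to_f32(b: int) -> float:
    """Inverse of f32_to_u32."""
    return struct.unpack("<f", struct.pack("<I", b))[0]


def capacity_bytes(n_params: int, k: int) -> int:
    """Payload bytes that fit when k low-order bits of every parameter are used."""
    return (n_params * k) // 8


def embed(params, payload: bytes, k: int):
    """Overwrite the k low-order bits of each float32 parameter with payload bits.

    Payload bits are consumed MSB-first; unused capacity is zero-filled.
    For k <= 23 only mantissa bits change; larger k overwrites exponent (and
    at k == 32 the sign) bits, which is where values change catastrophically.
    """
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(params) * k:
        raise ValueError(f"payload needs {len(bits)} bits, capacity is {len(params) * k}")
    mask = (1 << k) - 1
    out, pos = [], 0
    for p in params:
        chunk = 0
        for _ in range(k):
            bit = bits[pos] if pos < len(bits) else 0
            chunk = (chunk << 1) | bit
            pos += 1
        out.append(u32_to_f32((f32_to_u32(p) & ~mask) | chunk))
    return out


def extract(params, n_bytes: int, k: int) -> bytes:
    """Read n_bytes back out of the k low-order bits of each parameter."""
    mask = (1 << k) - 1
    bits = []
    for p in params:
        chunk = f32_to_u32(p) & mask
        bits.extend((chunk >> i) & 1 for i in range(k - 1, -1, -1))
        if len(bits) >= n_bytes * 8:
            break
    if len(bits) < n_bytes * 8:
        raise ValueError("not enough parameters to hold the requested payload")
    out = bytearray()
    for i in range(0, n_bytes * 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def max_relative_error(original, modified) -> float:
    """Largest |delta| / |value| over all (nonzero) parameters."""
    return max(abs(a - b) / abs(a) for a, b in zip(original, modified))


def relative_error_bound(k: int) -> float:
    """Worst-case relative change when k <= 23 bits move: |delta| <= (2^k - 1) ulp
    < 2^(k-23) * |value|.  Past the mantissa no useful bound exists."""
    return 2.0 ** (k - MANTISSA_BITS) if k <= MANTISSA_BITS else float("inf")


def degradation_curve(params, payload: bytes, ks):
    """Map k -> worst-case relative parameter change after embedding payload."""
    return {k: max_relative_error(params, embed(params, payload, k)) for k in ks}


if __name__ == "__main__":
    # Constructed stand-in for trained weights (all in [1, 2), exactly representable in float32).
    params = [1.0 + i / 256 for i in range(256)]
    payload = b"Hidden payload for the demo"  # constructed sample payload
    for k, err in degradation_curve(params, payload, range(1, 33)).items():
        print(f"k={k:2d}  capacity={capacity_bytes(len(params), k):4d} B  "
              f"max rel change={err:.3e}  bound={relative_error_bound(k):.3e}")
    assert extract(embed(params, payload, 8), len(payload), 8) == payload
```

Running the script prints the capacity and worst-case parameter change for each k: the change stays within 2^(k-23) while only mantissa bits are touched and jumps by orders of magnitude once k reaches the exponent, which is why the paper's measured accuracy thresholds sit at a large number of low-order bits rather than near one or two. Since the payload is stored verbatim in the low bits, a defender can read it out with `extract` exactly as an attacker would; that is also a reminder that this is capacity measurement, not a stealthy encoding.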

Foundations

The foundational work for this paper's niche, ranked by how specifically the neighbourhood builds on it — not by global fame.