TL;DR
This paper introduces EvilModel 2.0, an advanced method for embedding malware into neural network models without degrading performance, demonstrating high embedding capacity and evasion in real-world scenarios.
Contribution
The paper presents three novel techniques for embedding malware into neural networks that maintain model performance and significantly improve embedding capacity and practicality.
Findings
Achieved an embedding rate of 48.52% in EvilModels.
Embedded malware accounts for half of the model volume without performance loss.
Demonstrated evasion of detection and practical attack scenarios.
Abstract
Security issues have gradually emerged with the continuous development of artificial intelligence (AI). Earlier work verified the possibility of converting neural network models into stegomalware, embedding malware into a model with limited impact on the model's performance. However, existing methods are not applicable in real-world attack scenarios and do not attract enough attention from the security community due to performance degradation and additional workload. Therefore, we propose an improved stegomalware EvilModel. By analyzing the composition of the neural network model, three new methods for embedding malware into the model are proposed: MSB reservation, fast substitution, and half substitution, which can embed malware that accounts for half of the model's volume without affecting the model's performance. We built 550 EvilModels using ten mainstream neural network models and…
