Steganographic Capacity of Deep Learning Models
Lei Zhang, Dong Li, Olha Jurečková, Mark Stamp

TL;DR
This paper investigates how much information can be hidden within deep learning models' parameters without significantly impairing their performance, revealing high steganographic capacity and thresholds for degradation.
Contribution
It quantifies the steganographic capacity of various deep learning models trained on malware classification, highlighting their potential for covert information hiding.
Findings
High steganographic capacity in tested models
Existence of a threshold for performance degradation
Potential security implications for model misuse
Abstract
As machine learning and deep learning models become ubiquitous, it is inevitable that there will be attempts to exploit such models in various attack scenarios. For example, in a steganographic-based attack, information could be hidden in a learning model, which might then be used to distribute malware, or for other malicious purposes. In this research, we consider the steganographic capacity of several learning models. Specifically, we train a Multilayer Perceptron (MLP), Convolutional Neural Network (CNN), and Transformer model on a challenging malware classification problem. For each of the resulting models, we determine the number of low-order bits of the trained parameters that can be altered without significantly affecting the performance of the model. We find that the steganographic capacity of the learning models tested is surprisingly high, and that in each case, there is a…
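The measurement the abstract describes, overwriting the n low-order bits of each trained parameter and re-checking performance, as an added example that is not code from the paper. It assumes 32-bit float parameters; the toy linear classifier, its parameter values and its data are constructed here and are not the paper's models or results.

```python
import random
import struct

PARAMS = [0.75, -1.25, 0.5, 0.25]  # constructed toy model: three weights, one bias
GRID = (-2.0, -1.0, 1.0, 2.0)

def overwrite_low_bits(params, n, rng):
    """Replace the n low-order bits of each float32 parameter with random bits."""
    out = []
    for p in params:
        (bits,) = struct.unpack("<I", struct.pack("<f", p))
        if n:
            bits = ((bits >> n) << n) | rng.getrandbits(n)
        out.append(struct.unpack("<f", struct.pack("<I", bits))[0])
    return out

def score(params, x):
    return sum(p * v for p, v in zip(params, x)) + params[3]

def make_data():
    """Constructed samples labelled by the clean model, off the decision boundary."""
    pts = [(a, b, c) for a in GRID for b in GRID for c in GRID]
    return [(x, score(PARAMS, x) > 0) for x in pts if abs(score(PARAMS, x)) >= 0.25]

def accuracy(params, data):
    return sum((score(params, x) > 0) == y for x, y in data) / len(data)

def sweep(bit_counts=(0, 8, 16, 20, 23, 27), seed=1):
    """Accuracy after overwriting n low-order bits, for each n."""
    data = make_data()
    rng = random.Random(seed)
    return {n: accuracy(overwrite_low_bits(PARAMS, n, rng), data) for n in bit_counts}

if __name__ == "__main__":
    for n, acc in sweep().items():
        # float32 has 23 mantissa bits; n > 23 starts overwriting the exponent
        print(f"n={n:2d}  payload={n * len(PARAMS):3d} bits  accuracy={acc:.3f}")
```

Running the same sweep over a model file received from a third party gives a defender an upper bound on how many bits per parameter it could carry with no visible accuracy loss.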
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Digital Media Forensic Detection · Generative Adversarial Networks and Image Synthesis
Methods: Multi-Head Attention · Attention Is All You Need · Layer Normalization · Absolute Position Encodings · Byte Pair Encoding · Linear Layer · Label Smoothing · Adam · Position-Wise Feed-Forward Layer · Residual Connection
