MALIGN MACHINE LEARNING MODELS

github.com/sdnewhop/AISec

●●●●●

That’s me!

Problem overview

3

Frameworks

4

More parameters -> Longer train

5

Pre-trained model workflow

6

Distribution

7

•~ 2k repos on github•~ 100 repos on gitlab•~ 500 models on https://modelzoo.co/

Part I

8

Documentation

9

Reality

10

Step 1. Find an existing model

11

Step 2. Infect it!

12

Step 3. Upload it

13

• Just one command to run from anywhere!

• torch.hub.load(“ChickenDuo/top10-awesome-google-models”, “date_of_death_prediction”)

14

Part II

15

Serialization

16

Cross-platform -> Another approach

17

Custom serialization

•Protobuf format (.pb)•~1300 operations (math, conditionals, statistics, etc.)•Only TWO of them were found dangerous•WriteFile (any text, any file)•ReadFile (any file)

18

Graph serialization

19

Code

20

Wrapper

21

Wrapper

22

Configs

23

Part III

24

25

Serialization

Serialization with topology

26

- Only Keras layers (Functional model)

- … has a Lambda layer, which serialize custom python function with marshal (https://github.com/keras-team/keras/blob/master/keras/layers/core.py#L566)

- No warning on launching third-party models!

© keras.io

Example

27

28

@chicken_2007

THANKS FOR ATTENTION