malign machine learning models - zeronights · 2019-12-12 · custom serialization •protobuf...
TRANSCRIPT
MALIGN MACHINE LEARNING MODELS
Problem overview
3
Frameworks
4
More parameters -> Longer train
5
Pre-trained model workflow
6
Distribution
7
•~ 2k repos on github•~ 100 repos on gitlab•~ 500 models on https://modelzoo.co/
Part I
8
Documentation
9
Reality
10
Step 1. Find an existing model
11
Step 2. Infect it!
12
Step 3. Upload it
13
• Just one command to run from anywhere!
• torch.hub.load(“ChickenDuo/top10-awesome-google-models”, “date_of_death_prediction”)
14
Part II
15
Serialization
16
Cross-platform -> Another approach
17
Custom serialization
•Protobuf format (.pb)•~1300 operations (math, conditionals, statistics, etc.)•Only TWO of them were found dangerous•WriteFile (any text, any file)•ReadFile (any file)
18
Graph serialization
19
Code
20
Wrapper
21
Wrapper
22
Configs
23
Part III
24
25
Serialization
Serialization with topology
26
- Only Keras layers (Functional model)
- … has a Lambda layer, which serialize custom python function with marshal (https://github.com/keras-team/keras/blob/master/keras/layers/core.py#L566)
- No warning on launching third-party models!
© keras.io
Example
27
28
@chicken_2007
THANKS FOR ATTENTION