Training high-quality deep learning models is a challenging task due to
computational and technical requirements. A growing number of individuals,
institutions, and companies increasingly rely on pre-trained, third-party
models made available in public repositories. These models are often used
directly or integrated in product pipelines with no particular precautions,
since they are effectively just data in tensor form and considered safe. In
this paper, we raise awareness of a new machine learning supply chain threat
targeting neural networks. We introduce MaleficNet 2.0, a novel technique to
embed self-extracting, self-executing malware in neural networks. MaleficNet
2.0 uses spread-spectrum channel coding combined with error correction
techniques to inject malicious payloads in the parameters of deep neural
networks. MaleficNet 2.0 injection technique is stealthy, does not degrade the
performance of the model, and is robust against removal techniques. We design
our approach to work both in traditional and distributed learning settings such
as Federated Learning, and demonstrate that it is effective even when a reduced
number of bits is used for the model parameters. Finally, we implement a
proof-of-concept self-extracting neural network malware using MaleficNet 2.0,
demonstrating the practicality of the attack against a widely adopted machine
learning framework. Our aim with this work is to raise awareness against these
new, dangerous attacks both in the research community and industry, and we hope
to encourage further research in mitigation techniques against such threats.

本研究论文旨在提高对使用预训练模型时面临的新型机器学习供应链威胁的意识。我们介绍了 MaleficNet 2.0，这是一种在神经网络中嵌入自解压、自执行恶意软件的新技术。MaleficNet 2.0 利用扩频信道编码和纠错技术，将恶意载荷注入深度神经网络的参数中。该注入技术隐蔽且不降低模型性能，对去除技术具有鲁棒性。我们的方法旨在适用于传统和分布式学习环境，如联邦学习，并证明了在模型参数使用较少比特时仍具有效性。最后，我们利用 MaleficNet 2.0 实现了一个概念验证的自解压神经网络恶意软件，展示了该攻击对广泛采用的机器学习框架的实用性。我们希望通过这项工作提高学术界和工业界对这些新型危险攻击的意识，并鼓励进一步研究以应对此类威胁。