AVID-2023-V013

Vulnerability from avid – Published: 2023-03-31 – Updated: 2023-03-31
ATLAS Case Study
Summary
Deep learning models are increasingly used in mobile applications as critical components. Researchers from Microsoft Research demonstrated that many deep learning models deployed in mobile apps are vulnerable to backdoor attacks via "neural payload injection." They conducted an empirical study on real-world mobile deep learning apps collected from Google Play. They identified 54 apps that were vulnerable to attack, including popular security and safety critical applications used for cash recognition, parental control, face authentication, and financial services.
Risk domain
Security
SEP view
S0201: Model Compromise, S0601: Ingest Poisoning, S0403: Adversarial Example
Lifecycle
L06: Deployment, L04: Model Development
Organisations
Affected artifacts
Artifact: ML-based Android Apps
Type: System
References
URL: https://atlas.mitre.org/studies/AML.CS0013
Label: Backdoor Attack on Deep Learning Models in Mobile Apps

URL: https://arxiv.org/abs/2101.06896
Label: DeepPayload: Black-box Backdoor Attack on Deep Learning Models through Neural Payload Injection

{
  "affects": {
    "artifacts": [
      {
        "name": "ML-based Android Apps",
        "type": "System"
      }
    ],
    "deployer": [
      "ML-based Android Apps"
    ],
    "developer": []
  },
  "credit": null,
  "data_type": "AVID",
  "data_version": "0.2",
  "description": {
    "lang": "eng",
    "value": "Deep learning models are increasingly used in mobile applications as critical components.\nResearchers from Microsoft Research demonstrated that many deep learning models deployed in mobile apps are vulnerable to backdoor attacks via \"neural payload injection.\"\nThey conducted an empirical study on real-world mobile deep learning apps collected from Google Play. They identified 54 apps that were vulnerable to attack, including popular security and safety critical applications used for cash recognition, parental control, face authentication, and financial services."
  },
  "impact": {
    "avid": {
      "lifecycle_view": [
        "L06: Deployment",
        "L04: Model Development"
      ],
      "risk_domain": [
        "Security"
      ],
      "sep_view": [
        "S0201: Model Compromise",
        "S0601: Ingest Poisoning",
        "S0403: Adversarial Example"
      ],
      "taxonomy_version": "0.2"
    }
  },
  "last_modified_date": "2023-03-31",
  "metadata": {
    "vuln_id": "AVID-2023-V013"
  },
  "problemtype": {
    "classof": "ATLAS Case Study",
    "description": {
      "lang": "eng",
      "value": "Backdoor Attack on Deep Learning Models in Mobile Apps"
    },
    "type": "Advisory"
  },
  "published_date": "2023-03-31",
  "references": [
    {
      "label": "Backdoor Attack on Deep Learning Models in Mobile Apps",
      "type": "source",
      "url": "https://atlas.mitre.org/studies/AML.CS0013"
    },
    {
      "label": "DeepPayload: Black-box Backdoor Attack on Deep Learning Models through Neural Payload Injection",
      "type": "source",
      "url": "https://arxiv.org/abs/2101.06896"
    }
  ],
  "reports": null
}

