Automation Slicing and Testing for in-App Deep Learning Models

Intelligent Apps (iApps), equipped with in-App deep learning (DL) models, are emerging to offer stable DL inference services. However, App marketplaces have trouble automatically testing iApps because the in-App model is a black box and is coupled with ordinary code. In this work, we propose an automated tool, ASTM, which can enable large-scale testing of in-App models. ASTM takes an iApp as input, and its outputs can replace the in-App model as the test object. ASTM proposes two reconstruction techniques to translate the in-App model to a backpropagation-enabled version and to reconstruct the IO processing code for DL inference. With ASTM's help, we perform a large-scale study on the robustness of 100 unique commercial in-App models and find that 56% of in-App models are vulnerable to robustness issues in our context. ASTM also detects physical attacks against three representative iApps that may cause economic losses and security issues.
