Machine learning and deep learning models are potential vectors for various attack scenarios. For example, previous research has shown that malware can be hidden in deep learning models. Hiding information in a learning model can be viewed as a form of steganography. In this research, we consider the general question of the steganographic capacity of learning models. Specifically, for a wide range of models, we determine the number of low-order bits of the trained parameters that can be overwritten, without adversely affecting model performance. For each model considered, we graph the accuracy as a function of the number of low-order bits that have been overwritten, and for selected models, we also analyze the steganographic capacity of individual layers. The models that we test include the classic machine learning techniques of Linear Regression (LR) and Support Vector Machine (SVM); the popular general deep learning models of Multilayer Perceptron (MLP) and Convolutional Neural Network (CNN); the highly-successful Recurrent Neural Network (RNN) architecture of Long Short-Term Memory (LSTM); the pre-trained transfer learning-based models VGG16, DenseNet121, InceptionV3, and Xception; and, finally, an Auxiliary Classifier Generative Adversarial Network (ACGAN). In all cases, we find that a majority of the bits of each trained parameter can be overwritten before the accuracy degrades. Of the models tested, the steganographic capacity ranges from 7.04 KB for our LR experiments, to 44.74 MB for InceptionV3. We discuss the implications of our results and consider possible avenues for further research.
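The operation the abstract measures is overwriting the low-order bits of IEEE-754 float32 parameters. The example below, added here and not code from the paper, shows why that leaves accuracy largely intact: it clears the n lowest-order bits of a constructed parameter list, compares the result with the 2^(n-23) relative-change bound that follows from float32 having 23 stored mantissa bits, and computes the corresponding capacity in bytes. The same bit-clearing step is what a model consumer could apply to untrusted weights to remove any payload hidden there at the cost bounded below; the sample parameters are constructed.

```python
import struct
from typing import Dict, List

MANTISSA_BITS = 23  # stored fraction bits in IEEE-754 binary32


def float32_bits(x: float) -> int:
    """Bit pattern of x after rounding to float32."""
    return struct.unpack("<I", struct.pack("<f", x))[0]


def bits_float32(b: int) -> float:
    """Inverse of float32_bits."""
    return struct.unpack("<f", struct.pack("<I", b & 0xFFFFFFFF))[0]


def clear_low_bits(params: List[float], n_bits: int) -> List[float]:
    """Zero the n_bits lowest-order bits of every parameter (0 <= n_bits <= 32).
    n_bits == 0 only rounds each value to float32."""
    if not 0 <= n_bits <= 32:
        raise ValueError("n_bits must be in 0..32")
    mask = (0xFFFFFFFF >> n_bits) << n_bits
    return [bits_float32(float32_bits(p) & mask) for p in params]


def relative_error_bound(n_bits: int) -> float:
    """Worst-case relative change to a normal float32 when only its n_bits
    lowest mantissa bits change (valid for n_bits <= 23; zeros and
    subnormals are excluded from this bound)."""
    return 2.0 ** (n_bits - MANTISSA_BITS)


def max_relative_change(original: List[float], modified: List[float]) -> float:
    worst = 0.0
    for o, m in zip(original, modified):
        if o != 0.0:
            worst = max(worst, abs(o - m) / abs(o))
    return worst


def capacity_bytes(n_params: int, n_bits: int) -> float:
    """Steganographic capacity if n_bits of each of n_params parameters are usable."""
    return n_params * n_bits / 8


def sweep(params: List[float], bit_counts: List[int]) -> Dict[int, float]:
    """Measured worst-case relative change for each number of cleared bits."""
    base = clear_low_bits(params, 0)  # float32-rounded reference values
    return {n: max_relative_change(base, clear_low_bits(base, n)) for n in bit_counts}


# Constructed sample parameters (not taken from any trained model).
SAMPLE_PARAMS = [0.1, -0.25, 3.14159, 1e-3, 1234.5678, -7.5e-5]
```

Running `sweep(SAMPLE_PARAMS, [8, 16, 20, 23])` shows the measured change staying under `relative_error_bound(n)` for each n, which is the arithmetic reason a majority of each parameter's bits can be overwritten before accuracy moves.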