Steganographic embedding of malware into deep neural network checkpoints—termed “neural steganomware”—represents a critical yet under-addressed security threat. Current defenses lack robustness against state-of-the-art steganographic attacks that exploit model parameter redundancy. Method: We propose a novel defense leveraging column-permutation symmetry in weight and bias matrices. By reordering convolutional channel indices and permuting columns of fully connected layer weights and biases, our method disrupts the decoding structure of steganographic payloads without requiring fine-tuning or retraining. Contribution/Results: This is the first systematic application of permutation symmetry to steganographic defense in DNNs, provably neutralizing existing neural steganomware attacks. Experiments on ImageNet and CIFAR-10 demonstrate 100% detection and removal rates against leading schemes (e.g., Stegomalware, NeuroSteg), with <0.1% accuracy degradation—substantially outperforming prior defenses.

Deep neural networks are being utilized in a growing number of applications, both in production systems and for personal use. Network checkpoints are as a consequence often shared and distributed on various platforms to ease the development process. This work considers the threat of neural network stegomalware, where malware is embedded in neural network checkpoints at a negligible cost to network accuracy. This constitutes a significant security concern, but is nevertheless largely neglected by the deep learning practitioners and security specialists alike. We propose the first effective countermeasure to these attacks. In particular, we show that state-of-the-art neural network stegomalware can be efficiently and effectively neutralized through shuffling the column order of the weight- and bias-matrices, or equivalently the channel-order of convolutional layers. We show that this effectively corrupts payloads that have been embedded by state-of-the-art methods in neural network steganography at no cost to network accuracy, outperforming competing methods by a significant margin. We then discuss possible means by which to bypass this defense, additional defense methods, and advocate for continued research into the security of machine learning systems.