AttackGNN: Red-Teaming GNNs in Hardware Security Using Reinforcement Learning (2402.13946v2)
Abstract: Machine learning has shown great promise in addressing several critical hardware security problems. In particular, researchers have developed novel graph neural network (GNN)-based techniques for detecting intellectual property (IP) piracy, detecting hardware Trojans (HTs), and reverse engineering circuits, to name a few. These techniques have demonstrated outstanding accuracy and have received much attention in the community. However, since these techniques are used for security applications, it is imperative to evaluate them thoroughly and ensure they are robust and do not compromise the security of integrated circuits. In this work, we propose AttackGNN, the first red-team attack on GNN-based techniques in hardware security. To this end, we devise a novel reinforcement learning (RL) agent that generates adversarial examples, i.e., circuits, against the GNN-based techniques. We overcome three challenges related to effectiveness, scalability, and generality to devise a potent RL agent. We target five GNN-based techniques for four crucial classes of problems in hardware security: IP piracy, detecting/localizing HTs, reverse engineering, and hardware obfuscation. Through our approach, we craft circuits that fool all GNNs considered in this work. For instance, to evade IP piracy detection, we generate adversarial pirated circuits that fool the GNN-based defense into classifying our crafted circuits as not pirated. For attacking the HT localization GNN, our attack generates HT-infested circuits that fool the defense on all tested circuits. We obtain a similar 100% success rate against GNNs for all classes of problems.
Authors: Vasudev Gohil, Satwik Patnaik, Dileep Kalathil, Jeyavijayan Rajendran