Graph Neural Networks for Hardware Vulnerability Analysis -- Can you Trust your GNN?

The participation of third-party entities in the globalized semiconductor supply chain introduces potential security vulnerabilities, such as intellectual property piracy and hardware Trojan (HT) insertion. Graph neural networks (GNNs) have been employed to address various hardware security threats, owing to their superior performance on graph-structured data, such as circuits. However, GNNs are also susceptible to attacks. This work examines the use of GNNs for detecting hardware threats like HTs and their vulnerability to attacks. We present BadGNN, a backdoor attack on GNNs that can hide HTs and evade detection with a 100% success rate through minor circuit perturbations. Our findings highlight the need for further investigation into the security and robustness of GNNs before they can be safely used in security-critical applications.Comment: Will be presented at 2023 IEEE VLSI Test Symposium (VTS

TrojDRL: Trojan Attacks on Deep Reinforcement Learning Agents

Recent work has identified that classification models implemented as neural networks are vulnerable to data-poisoning and Trojan attacks at training time. In this work, we show that these training-time vulnerabilities extend to deep reinforcement learning (DRL) agents and can be exploited by an adversary with access to the training process. In particular, we focus on Trojan attacks that augment the function of reinforcement learning policies with hidden behaviors. We demonstrate that such attacks can be implemented through minuscule data poisoning (as little as 0.025% of the training data) and in-band reward modification that does not affect the reward on normal inputs. The policies learned with our proposed attack approach perform imperceptibly similar to benign policies but deteriorate drastically when the Trojan is triggered in both targeted and untargeted settings. Furthermore, we show that existing Trojan defense mechanisms for classification tasks are not effective in the reinforcement learning setting

A Survey on Neural Trojans

Neural networks have become increasingly prevalent in many real-world applications including security-critical ones. Due to the high hardware requirement and time consumption to train high-performance neural network models, users often outsource training to a machine-learning-as-a-service (MLaaS) provider. This puts the integrity of the trained model at risk. In 2017, Liu et. al. found that, by mixing the training data with a few malicious samples of a certain trigger pattern, hidden functionality can be embedded in the trained network which can be evoked by the trigger pattern. We refer to this kind of hidden malicious functionality as neural Trojans. In this paper, we survey a myriad of neural Trojan attack and defense techniques that have been proposed over the last few years. In a neural Trojan insertion attack, the attacker can be the MLaaS provider itself or a third party capable of adding or tampering with training data. In most research on attacks, the attacker selects the Trojan\u27s functionality and a set of input patterns that will trigger the Trojan. Training data poisoning is the most common way to make the neural network acquire Trojan functionality. Trojan embedding methods that modify the training algorithm or directly interfere with the neural network\u27s execution at the binary level have also been studied. Defense techniques include detecting neural Trojans in the model and/or Trojan trigger patterns, erasing the Trojan\u27s functionality from the neural network model, and bypassing the Trojan. It was also shown that carefully crafted neural Trojans can be used to mitigate other types of attacks. We systematize the above attack and defense approaches in this paper

Adversarial Deep Learning and Security with a Hardware Perspective

Adversarial deep learning is the field of study which analyzes deep learning in the presence of adversarial entities. This entails understanding the capabilities, objectives, and attack scenarios available to the adversary to develop defensive mechanisms and avenues of robustness available to the benign parties. Understanding this facet of deep learning helps us improve the safety of the deep learning systems against external threats from adversaries. However, of equal importance, this perspective also helps the industry understand and respond to critical failures in the technology. The expectation of future success has driven significant interest in developing this technology broadly. Adversarial deep learning stands as a balancing force to ensure these developments remain grounded in the real-world and proceed along a responsible trajectory. Recently, the growth of deep learning has begun intersecting with the computer hardware domain to improve performance and efficiency for resource constrained application domains. The works investigated in this dissertation constitute our pioneering efforts in migrating adversarial deep learning into the hardware domain alongside its parent field of research

A survey on security analysis of machine learning-oriented hardware and software intellectual property

Intellectual Property (IP) includes ideas, innovations, methodologies, works of authorship (viz., literary and artistic works), emblems, brands, images, etc. This property is intangible since it is pertinent to the human intellect. Therefore, IP entities are indisputably vulnerable to infringements and modifications without the owner’s consent. IP protection regulations have been deployed and are still in practice, including patents, copyrights, contracts, trademarks, trade secrets, etc., to address these challenges. Unfortunately, these protections are insufficient to keep IP entities from being changed or stolen without permission. As for this, some IPs require hardware IP protection mechanisms, and others require software IP protection techniques. To secure these IPs, researchers have explored the domain of Intellectual Property Protection (IPP) using different approaches. In this paper, we discuss the existing IP rights and concurrent breakthroughs in the field of IPP research; provide discussions on hardware IP and software IP attacks and defense techniques; summarize different applications of IP protection; and lastly, identify the challenges and future research prospects in hardware and software IP security