Graph neural networks (GNNs) have shown great success in detecting intellectual property (IP) piracy and hardware Trojans (HTs). However, the machine learning community has demonstrated that GNNs are susceptible to data poisoning attacks, which result in GNNs performing abnormally on graphs with pre-defined backdoor triggers (realized using crafted subgraphs). Thus, it is imperative to ensure that the adoption of GNNs does not introduce security vulnerabilities in critical security frameworks. Existing backdoor attacks on GNNs generate random subgraphs with specific sizes/densities to act as backdoor triggers. However, for Boolean circuits, backdoor triggers cannot be randomized since the added structures should not affect the functionality of a design. We explore this threat and develop PoisonedGNN as the first backdoor attack on GNNs in the context of hardware design. We design and inject backdoor triggers into the register-transfer- or the gate-level representation of a given design without affecting the functionality to evade some GNN-based detection procedures. To demonstrate the effectiveness of PoisonedGNN, we consider two case studies: (i) hiding HTs and (ii) IP piracy. Our experiments on TrustHub datasets demonstrate that PoisonedGNN can hide HTs and IP piracy from advanced GNN-based detection platforms with an attack success rate of up to 100%.