ML-Based Trojan Classification: Repercussions of Toxic Boundary Nets

Machine learning (ML) algorithms were recently adapted for testing integrated circuits and detecting potential design backdoors. Such testing mechanisms mainly rely on the available training dataset and the extracted features of the Trojan circuit. In this paper, we demonstrate that this method is attackable by exploiting a structural problem of classifiers for hardware Trojan detection in gate-level netlists, called the Boundary Net Problem. There, an adversary modifies the labels of those boundary nets, connecting the original logic to the Trojan circuit. We show that the proposed adversarial label-flipping attacks are potentially highly toxic to the accuracy of supervised ML-based Trojan detection approaches. The experimental results indicate that an adversary needs to flip only 0.09% of all labels to achieve an accuracy drop of over 9%, demonstrating one of the most efficient adversarial label-flipping attacks in the hardware Trojan detection research domain.