Showing papers on "Trojan published in 2019"

STRIP: a defence against trojan attacks on deep neural networks

Abstract: A recent trojan attack on deep neural network (DNN) models is one insidious variant of data poisoning attacks. Trojan attacks exploit an effective backdoor created in a DNN model by leveraging the difficulty in interpretability of the learned model to misclassify any inputs signed with the attacker's chosen trojan trigger. Since the trojan trigger is a secret guarded and exploited by the attacker, detecting such trojan inputs is a challenge, especially at run-time when models are in active operation. This work builds STRong Intentional Perturbation (STRIP) based run-time trojan attack detection system and focuses on vision system. We intentionally perturb the incoming input, for instance by superimposing various image patterns, and observe the randomness of predicted classes for perturbed inputs from a given deployed model---malicious or benign. A low entropy in predicted classes violates the input-dependence property of a benign model and implies the presence of a malicious input---a characteristic of a trojaned input. The high efficacy of our method is validated through case studies on three popular and contrasting datasets: MNIST, CIFAR10 and GTSRB. We achieve an overall false acceptance rate (FAR) of less than 1%, given a preset false rejection rate (FRR) of 1%, for different types of triggers. Using CIFAR10 and GTSRB, we have empirically achieved result of 0% for both FRR and FAR. We have also evaluated STRIP robustness against a number of trojan attack variants and adaptive attacks.

ABS: Scanning Neural Networks for Back-doors by Artificial Brain Stimulation

Abstract: This paper presents a technique to scan neural network based AI models to determine if they are trojaned. Pre-trained AI models may contain back-doors that are injected through training or by transforming inner neuron weights. These trojaned models operate normally when regular inputs are provided, and mis-classify to a specific output label when the input is stamped with some special pattern called trojan trigger. We develop a novel technique that analyzes inner neuron behaviors by determining how output activations change when we introduce different levels of stimulation to a neuron. The neurons that substantially elevate the activation of a particular output label regardless of the provided input is considered potentially compromised. Trojan trigger is then reverse-engineered through an optimization procedure using the stimulation analysis results, to confirm that a neuron is truly compromised. We evaluate our system ABS on 177 trojaned models that are trojaned with various attack methods that target both the input space and the feature space, and have various trojan trigger sizes and shapes, together with 144 benign models that are trained with different data and initial weight values. These models belong to 7 different model structures and 6 different datasets, including some complex ones such as ImageNet, VGG-Face and ResNet110. Our results show that ABS is highly effective, can achieve over 90% detection rate for most cases (and many 100%), when only one input sample is provided for each output label. It substantially out-performs the state-of-the-art technique Neural Cleanse that requires a lot of input samples and small trojan triggers to achieve good performance.

DeepInspect: A Black-box Trojan Detection and Mitigation Framework for Deep Neural Networks

Abstract: Deep Neural Networks (DNNs) are vulnerable to Neural Trojan (NT) attacks where the adversary injects malicious behaviors during DNN training. This type of ‘backdoor’ attack is activated when the input is stamped with the trigger pattern specified by the attacker, resulting in an incorrect prediction of the model. Due to the wide application of DNNs in various critical fields, it is indispensable to inspect whether the pre-trained DNN has been trojaned before employing a model. Our goal in this paper is to address the security concern on unknown DNN to NT attacks and ensure safe model deployment. We propose DeepInspect, the first black-box Trojan detection solution with minimal prior knowledge of the model. DeepInspect learns the probability distribution of potential triggers from the queried model using a conditional generative model, thus retrieves the footprint of backdoor insertion. In addition to NT detection, we show that DeepInspect’s trigger generator enables effective Trojan mitigation by model patching. We corroborate the effectiveness, efficiency, and scalability of DeepInspect against the state-of-the-art NT attacks across various benchmarks. Extensive experiments show that DeepInspect offers superior detection performance and lower runtime overhead than the prior work.

TABOR: A Highly Accurate Approach to Inspecting and Restoring Trojan Backdoors in AI Systems.

Abstract: A trojan backdoor is a hidden pattern typically implanted in a deep neural network. It could be activated and thus forces that infected model behaving abnormally only when an input data sample with a particular trigger present is fed to that model. As such, given a deep neural network model and clean input samples, it is very challenging to inspect and determine the existence of a trojan backdoor. Recently, researchers design and develop several pioneering solutions to address this acute problem. They demonstrate the proposed techniques have a great potential in trojan detection. However, we show that none of these existing techniques completely address the problem. On the one hand, they mostly work under an unrealistic assumption (e.g. assuming availability of the contaminated training database). On the other hand, the proposed techniques cannot accurately detect the existence of trojan backdoors, nor restore high-fidelity trojan backdoor images, especially when the triggers pertaining to the trojan vary in size, shape and position. In this work, we propose TABOR, a new trojan detection technique. Conceptually, it formalizes a trojan detection task as a non-convex optimization problem, and the detection of a trojan backdoor as the task of resolving the optimization through an objective function. Different from the existing technique also modeling trojan detection as an optimization problem, TABOR designs a new objective function--under the guidance of explainable AI techniques as well as heuristics--that could guide optimization to identify a trojan backdoor in a more effective fashion. In addition, TABOR defines a new metric to measure the quality of a trojan backdoor identified. Using an anomaly detection method, we show the new metric could better facilitate TABOR to identify intentionally injected triggers in an infected model and filter out false alarms......

Detecting AI Trojans Using Meta Neural Analysis

Abstract: In machine learning Trojan attacks, an adversary trains a corrupted model that obtains good performance on normal data but behaves maliciously on data samples with certain trigger patterns. Several approaches have been proposed to detect such attacks, but they make undesirable assumptions about the attack strategies or require direct access to the trained models, which restricts their utility in practice. This paper addresses these challenges by introducing a Meta Neural Trojan Detection (MNTD) pipeline that does not make assumptions on the attack strategies and only needs black-box access to models. The strategy is to train a meta-classifier that predicts whether a given target model is Trojaned. To train the meta-model without knowledge of the attack strategy, we introduce a technique called jumbo learning that samples a set of Trojaned models following a general distribution. We then dynamically optimize a query set together with the meta-classifier to distinguish between Trojaned and benign models. We evaluate MNTD with experiments on vision, speech, tabular data and natural language text datasets, and against different Trojan attacks such as data poisoning attack, model manipulation attack, and latent attack. We show that MNTD achieves 97% detection AUC score and significantly outperforms existing detection approaches. In addition, MNTD generalizes well and achieves high detection performance against unforeseen attacks. We also propose a robust MNTD pipeline which achieves 90% detection AUC even when the attacker aims to evade the detection with full knowledge of the system.

STRIP: A Defence Against Trojan Attacks on Deep Neural Networks

Abstract: A recent trojan attack on deep neural network (DNN) models is one insidious variant of data poisoning attacks. Trojan attacks exploit an effective backdoor created in a DNN model by leveraging the difficulty in interpretability of the learned model to misclassify any inputs signed with the attacker's chosen trojan trigger. Since the trojan trigger is a secret guarded and exploited by the attacker, detecting such trojan inputs is a challenge, especially at run-time when models are in active operation. This work builds STRong Intentional Perturbation (STRIP) based run-time trojan attack detection system and focuses on vision system. We intentionally perturb the incoming input, for instance by superimposing various image patterns, and observe the randomness of predicted classes for perturbed inputs from a given deployed model---malicious or benign. A low entropy in predicted classes violates the input-dependence property of a benign model and implies the presence of a malicious input---a characteristic of a trojaned input. The high efficacy of our method is validated through case studies on three popular and contrasting datasets: MNIST, CIFAR10 and GTSRB. We achieve an overall false acceptance rate (FAR) of less than 1%, given a preset false rejection rate (FRR) of 1%, for different types of triggers. Using CIFAR10 and GTSRB, we have empirically achieved result of 0% for both FRR and FAR. We have also evaluated STRIP robustness against a number of trojan attack variants and adaptive attacks.

The endogenous retrovirus-derived long noncoding RNA TROJAN promotes triple-negative breast cancer progression via ZMYND8 degradation

Abstract: Human endogenous retroviruses (HERVs) play pivotal roles in the development of breast cancer. However, the detailed mechanisms of noncoding HERVs remain elusive. Here, our genome-wide transcriptome analysis of HERVs revealed that a primate long noncoding RNA, which we dubbed TROJAN, was highly expressed in human triple-negative breast cancer (TNBC). TROJAN promoted TNBC proliferation and invasion and indicated poor patient outcomes. We further confirmed that TROJAN could bind to ZMYND8, a metastasis-repressing factor, and increase its degradation through the ubiquitin-proteasome pathway by repelling ZNF592. TROJAN also epigenetically up-regulated metastasis-related genes in multiple cell lines. Correlations between TROJAN and ZMYND8 were subsequently confirmed in clinical samples. Furthermore, our study verified that antisense oligonucleotide therapy targeting TROJAN substantially suppressed TNBC progression in vivo. In conclusion, the long noncoding RNA TROJAN promotes TNBC progression and serves as a potential therapeutic target.

Trojan Attacks on Wireless Signal Classification with Adversarial Machine Learning

Abstract: We present a Trojan (backdoor or trapdoor) attack that targets deep learning applications in wireless communications. A deep learning classifier is considered to classify wireless signals using raw (I/Q) samples as features and modulation types as labels. An adversary slightly manipulates training data by inserting Trojans (i.e., triggers) to only few training data samples by modifying their phases and changing the labels of these samples to a target label. This poisoned training data is used to train the deep learning classifier. In test (inference) time, an adversary transmits signals with the same phase shift that was added as a trigger during training. While the receiver can accurately classify clean (unpoisoned) signals without triggers, it cannot reliably classify signals poisoned with triggers. This stealth attack remains hidden until activated by poisoned inputs (Trojans) to bypass a signal classifier (e.g., for authentication). We show that this attack is successful over different channel conditions and cannot be mitigated by simply preprocessing the training and test data with random phase variations. To detect this attack, activation based outlier detection is considered with statistical as well as clustering techniques. We show that the latter one can detect Trojan attacks even if few samples are poisoned.

Consequences of planetary migration on the minor bodies of the early solar system

Abstract: Pebble accretion is an efficient mechanism that is able to build up the core of the giant planets within the lifetime of the protoplanetary disc gas-phase. The core grows via this process until the protoplanet reaches its pebble isolation mass and starts to accrete gas. During the growth, the protoplanet undergoes a rapid, large-scale, inward migration due to the interactions with the gaseous protoplanetary disc. In this work, we have investigated how this early migration would have affected the minor body populations in our solar system. In particular, we focus on the Jupiter Trojan asteroids (bodies in the coorbital resonance 1:1 with Jupiter, librating around the L4 and L5 Lagrangian points called, respectively, the leading and the trailing swarm) and the Hilda asteroids. We characterised their orbital parameter distributions after the disc dispersal and their formation location and compare them to the same populations produced in a classical in situ growth model. We find that a massive and eccentric Hilda group is captured during the migration from a region between 5 and 8 au and subsequently depleted during the late instability of the giant planets. Our simulations also show that inward migration of the giant planets always produces a Jupiter Trojans’ leading swarm more populated than the trailing one, with a ratio comparable to the current observed Trojan asymmetry ratio. The in situ formation of Jupiter, on the other hand, produces symmetric swarms. The reason for the asymmetry is the relative drift between the migrating planet and the particles in the coorbital resonance. The capture happens during the growth of Jupiter’s core and Trojan asteroids are afterwards carried along during the giant planet’s migration to their final orbits. The asymmetry and eccentricity of the captured Trojans correspond well to observations, but their inclinations are near zero and their total mass is three to four orders of magnitude higher than the current population. Future modelling will be needed to understand whether the dynamical evolution of the Trojans over billions of years will raise the inclinations and deplete the masses to observed values.

NeuronInspect: Detecting Backdoors in Neural Networks via Output Explanations.

Abstract: Deep neural networks have achieved state-of-the-art performance on various tasks. However, lack of interpretability and transparency makes it easier for malicious attackers to inject trojan backdoor into the neural networks, which will make the model behave abnormally when a backdoor sample with a specific trigger is input. In this paper, we propose NeuronInspect, a framework to detect trojan backdoors in deep neural networks via output explanation techniques. NeuronInspect first identifies the existence of backdoor attack targets by generating the explanation heatmap of the output layer. We observe that generated heatmaps from clean and backdoored models have different characteristics. Therefore we extract features that measure the attributes of explanations from an attacked model namely: sparse, smooth and persistent. We combine these features and use outlier detection to figure out the outliers, which is the set of attack targets. We demonstrate the effectiveness and efficiency of NeuronInspect on MNIST digit recognition dataset and GTSRB traffic sign recognition dataset. We extensively evaluate NeuronInspect on different attack scenarios and prove better robustness and effectiveness over state-of-the-art trojan backdoor detection techniques Neural Cleanse by a great margin.

The consequences of planetary migration on the minor bodies of the early Solar System

Abstract: Pebble accretion is an efficient mechanism able to build up the core of the giant planets within the lifetime of the protoplanetary disc gas-phase. The core grows via this process until the protoplanet reaches its pebble isolation mass and starts to accrete gas. During the growth, the protoplanet undergoes a rapid, large-scale, inward migration due to the interactions with the gaseous protoplanetary disc. In our work, we investigate how this early migration would have affected the minor body populations in our solar system. In particular, we focus on the Jupiter Trojans and the Hildas asteroids. We found that a massive and eccentric Hilda group is captured during the migration from a region between 5 and 8 au and subsequently depleted during the late instability of the giant planets. Our simulations also show that inward migration of the giant planets always produces a Jupiter Trojans' leading swarm more populated than the trailing one, with a ratio comparable to the current observed Trojan asymmetry ratio. The in situ formation of Jupiter, on the other hand, produces symmetric leading/trailing swarms. The reason for the asymmetry is the relative drift between the migrating planet and the particles in the coorbital resonance. The capture happens during the growth of Jupiter's core and Trojan asteroids are afterwards carried along during the giant planet's migration to their final orbits. The asymmetry and eccentricity of the captured Trojans correspond well to observations, but their inclinations are near zero and their total mass is 3-4 orders of magnitude higher than the current population. Future modelling will be needed to understand whether the dynamical evolution of the Trojans over billions of years will raise the inclinations and deplete the masses to observed values.

HAL—The Missing Piece of the Puzzle for Hardware Reverse Engineering, Trojan Detection and Insertion

Abstract: Hardware manipulations pose a serious threat to numerous systems, ranging from a myriad of smart-X devices to military systems. In many attack scenarios an adversary merely has access to the low-level, potentially obfuscated gate-level netlist. In general, the attacker possesses minimal information and faces the costly and time-consuming task of reverse engineering the design to identify security-critical circuitry, followed by the insertion of a meaningful hardware Trojan. These challenges have been considered only in passing by the research community. The contribution of this work is threefold: First, we present $\sf {HAL}$HAL, a comprehensive reverse engineering and manipulation framework for gate-level netlists. $\sf {HAL}$HAL allows automating defensive design analysis (e.g., including arbitrary Trojan detection algorithms with minimal effort) as well as offensive reverse engineering and targeted logic insertion. Second, we present a novel static analysis Trojan detection technique $\sf {ANGEL}$ANGEL which considerably reduces the false-positive detection rate of the detection technique $\sf {FANCI}$FANCI. Furthermore, we demonstrate that $\sf {ANGEL}$ANGEL is capable of automatically detecting Trojans obfuscated with $\sf {DeTrust}$DeTrust. Third, we demonstrate how a malicious party can semi-automatically inject hardware Trojans into third-party designs. We present reverse engineering algorithms to disarm and trick cryptographic self-tests, and subtly leak cryptographic keys without any a priori knowledge of the design's internal workings.

Efficient Test Generation for Trojan Detection using Side Channel Analysis

Abstract: Detection of hardware Trojans is vital to ensure the security and trustworthiness of System-on-Chip (SoC) designs. Side-channel analysis is effective for Trojan detection by analyzing various side-channel signatures such as power, current and delay. In this paper, we propose an efficient test generation technique to facilitate side-channel analysis utilizing dynamic current. While early work on current-aware test generation has proposed several promising ideas, there are two major challenges in applying it on large designs: (i) the test generation time grows exponentially with the design complexity, and (ii) it is infeasible to detect Trojans since the side-channel sensitivity is marginal compared to the noise and process variations. Our proposed work addresses both challenges by effectively exploiting the affinity between the inputs and rare (suspicious) nodes. We formalize the test generation problem as a searching problem and solve the optimization using genetic algorithm. The basic idea is to quickly find the profitable test patterns that can maximize switching in the suspicious regions while minimize switching in the rest of the circuit. Our experimental results demonstrate that we can drastically improve both the side-channel sensitivity (30x on average) and time complexity (4.6x on average) compared to the state-of-the-art test generation techniques.

Februus: Input Purification Defense Against Trojan Attacks on Deep Neural Network Systems

Abstract: We propose Februus; a new idea to neutralize highly potent and insidious Trojan attacks on Deep Neural Network (DNN) systems at run-time. In Trojan attacks, an adversary activates a backdoor crafted in a deep neural network model using a secret trigger, a Trojan, applied to any input to alter the model's decision to a target prediction---a target determined by and only known to the attacker. Februus sanitizes the incoming input by surgically removing the potential trigger artifacts and restoring the input for the classification task. Februus enables effective Trojan mitigation by sanitizing inputs with no loss of performance for sanitized inputs, Trojaned or benign. Our extensive evaluations on multiple infected models based on four popular datasets across three contrasting vision applications and trigger types demonstrate the high efficacy of Februus. We dramatically reduced attack success rates from 100% to near 0% for all cases (achieving 0% on multiple cases) and evaluated the generalizability of Februus to defend against complex adaptive attacks; notably, we realized the first defense against the advanced partial Trojan attack. To the best of our knowledge, Februus is the first backdoor defense method for operation at run-time capable of sanitizing Trojaned inputs without requiring anomaly detection methods, model retraining or costly labeled data.

Memory Trojan Attack on Neural Network Accelerators

Abstract: Neural network accelerators are widely deployed in application systems for computer vision, speech recognition, and machine translation. Due to ubiquitous deployment of these systems, a strong incentive rises for adversaries to attack such artificial intelligence (AI) systems. Trojan is one of the most important attack models in hardware security domain. Hardware Trojans are malicious modifications to original ICs inserted by adversaries, which lead the system to malfunction after being triggered. The globalization of the semiconductor gives a chance for the adversary to conduct the hardware Trojan attacks.Previous works design Neural Network (NN) Trojans with access to the model, toolchain, and hardware platform. However, the threat model is impractical which hinders their real adoption. In this work, we propose a memory Trojan methodology without the help of toolchain manipulation and model parameter information. We first leverage the memory access patterns to identify the input image data. Then we propose a Trojan triggering method based on the dedicated input image other than the circuit events, which has better controllability. The triggering mechanism works well even with environment noise and preprocessing towards the original images. In the end, we implement and verify the effectiveness of accuracy degradation attack.

TrojDRL: Trojan Attacks on Deep Reinforcement Learning Agents

Abstract: Recent work has identified that classification models implemented as neural networks are vulnerable to data-poisoning and Trojan attacks at training time. In this work, we show that these training-time vulnerabilities extend to deep reinforcement learning (DRL) agents and can be exploited by an adversary with access to the training process. In particular, we focus on Trojan attacks that augment the function of reinforcement learning policies with hidden behaviors. We demonstrate that such attacks can be implemented through minuscule data poisoning (as little as 0.025% of the training data) and in-band reward modification that does not affect the reward on normal inputs. The policies learned with our proposed attack approach perform imperceptibly similar to benign policies but deteriorate drastically when the Trojan is triggered in both targeted and untargeted settings. Furthermore, we show that existing Trojan defense mechanisms for classification tasks are not effective in the reinforcement learning setting.

Design and Evaluation of a Multi-Domain Trojan Detection Method on Deep Neural Networks.

Abstract: This work corroborates a run-time Trojan detection method exploiting STRong Intentional Perturbation of inputs, is a multi-domain Trojan detection defence across Vision, Text and Audio domains---thus termed as STRIP-ViTA. Specifically, STRIP-ViTA is the first confirmed Trojan detection method that is demonstratively independent of both the task domain and model architectures. We have extensively evaluated the performance of STRIP-ViTA over: i) CIFAR10 and GTSRB datasets using 2D CNNs, and a public third party Trojaned model for vision tasks; ii) IMDB and consumer complaint datasets using both LSTM and 1D CNNs for text tasks; and speech command dataset using both 1D CNNs and 2D CNNs for audio tasks. Experimental results based on 28 tested Trojaned models demonstrate that STRIP-ViTA performs well across all nine architectures and five datasets. In general, STRIP-ViTA can effectively detect Trojan inputs with small false acceptance rate (FAR) with an acceptable preset false rejection rate (FRR). In particular, for vision tasks, we can always achieve a 0% FRR and FAR. By setting FRR to be 3%, average FAR of 1.1% and 3.55% are achieved for text and audio tasks, respectively. Moreover, we have evaluated and shown the effectiveness of STRIP-ViTA against a number of advanced backdoor attacks whilst other state-of-the-art methods lose effectiveness in front of one or all of these advanced backdoor attacks.

Thwarting Security Threats From Malicious FPGA Tools With Novel FPGA-Oriented Moving Target Defense

Abstract: The increasing usage and popularity of the field-programmable gate array (FPGA) systems bring in security concerns. Existing countermeasures are mostly based on the assumption that the computer-aided design (CAD) tools for FPGA configuration are trusted. Unfortunately, this assumption does not always hold. In this paper, we investigate the potential security threats originated from the untrusted CAD tools. Furthermore, we exploit the principle of moving target defense (MTD) to propose an FPGA-oriented MTD (FOMTD) method. The three defense lines in the FOMTD generate uncertainties, from the attacker’s point of view, to thwart hardware Trojan insertion attacks. The theoretical upper bound of the hardware Trojan hit rate for each defense line is provided in this paper. Experimental results show that the proposed defense line 2 and defense line 3 reduce the Trojan hit rate by up to 40% and 91%, respectively, for the scenario where the malicious CAD tool can insert Trojans in the occupied FPGA slices. The proposed gate replacement technique in the defense line 3 further improves the attack resilience and obtains 88% reduction on the Trojan hit rate. Compared to the static redundancy-based Trojan detection method, the proposed method achieves better resilience against Trojan insertions and consumes 50% less dynamic power.

Toward FPGA Security in IoT: A New Detection Technique for Hardware Trojans

Abstract: Nowadays, field programmable gate array (FPGA) has been widely used in Internet of Things (IoT) since it can provide flexible and scalable solutions to various IoT requirements. Meanwhile, hardware Trojan (HT), which may lead to undesired chip function or leak sensitive information, has become a great challenge for FPGA security. Therefore, distinguishing the Trojan-infected FPGAs is quite crucial for reinforcing the security of IoT. To achieve this goal, we propose a clock-tree-concerned technique to detect the HTs on FPGA. First, we present an experimental framework which helps us to collect the electromagnetic (EM) radiation emitted by FPGA clock tree. Then, we propose a Trojan identifying approach which extracts the mathematical feature of obtained EM traces, i.e., 2-D principal component analysis (2DPCA) in this paper, and automatically isolates the Trojan-infected FPGAs from the Trojan-free ones by using a BP neural network. Finally, we perform extensive experiments to evaluate the effectiveness of our method. The results reveal that our approach is valid in detecting HTs on FPGA. Specifically, for the trust-hub benchmarks, we can find out the FPGA with always on Trojans (100% detection rate) while identifying the triggered Trojans with high probability (by up to 92%). In addition, we give a thorough discussion on how the experimental setup, such as probe step size, scanning area, and chip ambient temperature, affects the Trojan detection rate.

Insights into the mind of a trojan designer: the challenge to integrate a trojan into the bitstream

Abstract: The threat of inserting hardware Trojans during the design, production, or in-field poses a danger for integrated circuits in real-world applications. A particular critical case of hardware Trojans is the malicious manipulation of third-party FPGA configurations. In addition to attack vectors during the design process, FPGAs can be infiltrated in a non-invasive manner after shipment through alterations of the bitstream. First, we present an improved methodology for bitstream file format reversing. Second, we introduce a novel idea for Trojan insertion.

Trojan Attack on Deep Generative Models in Autonomous Driving.

Abstract: Deep generative models (DGMs) have empowered unprecedented innovations in many application domains. However, their security has not been thoroughly assessed when deploying such models in practice, especially in those mission-critical tasks like autonomous driving. In this work, we draw attention to a new attack surface of DGMs, which is the data used in the training phase. We demonstrate that the training data poisoning, the injection of specially-crafted data, are able to teach Trojan behaviors to a DGM without influencing the original training goal. Such Trojan attack will be activated after model deployment only if certain rare triggers are present in an input. For example, a rain-removal DGM after poisoning can, while removing raindrops in input images, change a traffic light from red to green if this traffic light has a specific appearance (i.e. a trigger). Clearly severe consequences can occur if such poisoned model is deployed on vehicle. Our study shows that launching our Trojan attack is feasible on different DGM categories designed for the autonomous driving scenario, and existing defense methods cannot effectively defeat it. We also introduce a concealing technique to make our data poisoning more inconspicuous during the training. In the end, we propose some potential defense strategies inspiring future explorations.

Defeating Untrustworthy Testing Parties: A Novel Hybrid Clustering Ensemble Based Golden Models-Free Hardware Trojan Detection Method

Abstract: Due to the globalization of the design and fabrication process of integrated circuits (ICs), ICs are becoming vulnerable to hardware Trojans. Most of the existing hardware Trojan detection works assume that the testing stage is trustworthy. However, testing parties may collude with malicious attackers and modify the results of hardware Trojan detection. In this paper, two attack models for untrustworthy testing parties are formulated. We further propose an adversarial data generation method for untrustworthy testing parties to modify the collected test data. Then, we propose a novel hybrid clustering ensemble method to build a trusted hardware Trojan detection method (clustering ensemble-based hardware Trojan detection method) against untrustworthy testing parties. To alleviate the impact of process variations and noises on hardware Trojan detection in the actual measurement, the unsupervised correlation-based feature selection method is exploited to process the raw test data of ICs for feature selection. The proposed method can eliminate the need of the fabricated golden chips and the simulated golden models. It can also resist the malicious modifications on Trojan detection results introduced by untrustworthy testing parties. Besides, the following problems and questions are also theoretically analyzed and answered: 1) the number of necessary testing parties; 2) the time overhead and the computational overhead of the proposed method; 3) how to choose the basic clustering algorithms (by using a proposed diversity analysis algorithm); and 4) the reason why the proposed clustering ensemble method is superior to the majority voting method. Both the EDA evaluation on ISCAS89 benchmarks and field-programmable gate array evaluation on Trust-HUB benchmarks are performed to evaluate the performance of the proposed method. Experimental results demonstrate that the proposed method can resist malicious modifications robustly and can detect hardware Trojans with high accuracy (up to 93.75%). Meanwhile, the introduced time overhead is small.

Design of intentional backdoors in sequential models

Abstract: Recent work has demonstrated robust mechanisms by which attacks can be orchestrated on machine learning models. In contrast to adversarial examples, backdoor or trojan attacks embed surgically modified samples with targeted labels in the model training process to cause the targeted model to learn to misclassify chosen samples in the presence of specific triggers, while keeping the model performance stable across other nominal samples. However, current published research on trojan attacks mainly focuses on classification problems, which ignores sequential dependency between inputs. In this paper, we propose methods to discreetly introduce and exploit novel backdoor attacks within a sequential decision-making agent, such as a reinforcement learning agent, by training multiple benign and malicious policies within a single long short-term memory (LSTM) network. We demonstrate the effectiveness as well as the damaging impact of such attacks through initial outcomes generated from our approach, employed on grid-world environments. We also provide evidence as well as intuition on how the trojan trigger and malicious policy is activated. Challenges with network size and unintentional triggers are identified and analogies with adversarial examples are also discussed. In the end, we propose potential approaches to defend against or serve as early detection for such attacks. Results of our work can also be extended to many applications of LSTM and recurrent networks.

Hardware Trojan Detection Using Deep Learning Technique

Abstract: A method to detect hardware Trojan in gate-level netlist is proposed using deep learning technique. The paper shows that it is easy to identify genuine nodes and Trojan-infected nodes based on controllability and transition probability values of a given Trojan-infected circuit. The controllability and transition probability characteristics of Trojan-infected nodes show large inter-cluster distance from the genuine nodes so that it is easy to cluster the nodes as Trojan-infected nodes and genuine nodes. From a given circuit, controllability and transition probability values are extracted as Trojan features using deep learning algorithm and clustering the data using k-means clustering. The technique is validated on ISCAS’85 benchmark circuits, and it does not require any golden model as reference. The proposed method can detect all Trojan-infected nodes in less than 6 s with zero false positive and zero false negative detection accuracy.

Co-orbital exoplanets from close-period candidates: the TOI-178 case

Abstract: Despite the existence of co-orbital bodies in the solar system, and the prediction of the formation of co-orbital planets by planetary system formation models, no co-orbital exoplanets (also called trojans) have been detected thus far. Here we study the signature of co-orbital exoplanets in transit surveys when two planet candidates in the system orbit the star with similar periods. Such a pair of candidates could be discarded as false positives because they are not Hill-stable. However, horseshoe or long-libration-period tadpole co-orbital configurations can explain such period similarity. This degeneracy can be solved by considering the transit timing variations (TTVs) of each planet. We subsequently focus on the three-planet-candidate system TOI-178: the two outer candidates of that system have similar orbital periods and were found to have an angular separation close to π ∕3 during the TESS observation of sector 2. Based on the announced orbits, the long-term stability of the system requires the two close-period planets to be co-orbital. Our independent detrending and transit search recover and slightly favour the three orbits close to a 3:2:2 resonant chain found by the TESS pipeline, although we cannot exclude an alias that would put the system close to a 4:3:2 configuration. We then analyse the co-orbital scenario in more detail, and show that despite the influence of an inner planet just outside the 2:3 MMR, this potential co-orbital system could be stable on a gigayear time-scale for a variety of planetary masses, either on a trojan or a horseshoe orbit. We predict that large TTVs should arise in such a configuration with a period of several hundred days. We then show how the mass of each planet can be retrieved from these TTVs.

On-Chip Analog Trojan Detection Framework for Microprocessor Trustworthiness

Abstract: With the globalization of semiconductor industry, hardware security issues have been gaining increasing attention. Among all hardware security threats, the insertion of hardware Trojans is one of the main concerns. Meanwhile, many current Trojan detection solutions follow the assumption that the hardware Trojan itself should be composed of digital logic. This assumption is invalidated by recently proposed analog Trojans which are extremely small and can detect rare events. This paper proposes a runtime hardware Trojan detection method which is geared toward detecting such advanced Trojans. The principle of this method is to guard a set of concerned signals, and initiate a hardware interrupt request when abnormal toggling events occur in these guarded signals. To prove the effectiveness of this method, we design a processor based on ARMv7-A&R ISA, and insert an analog Trojan into the processor. We fabricated the design in an SMIC 130-nm process and demonstrate the effectiveness of the proposed methodology.

When Capacitors Attack: Formal Method Driven Design and Detection of Charge-Domain Trojans

Abstract: The rapid growth and globalization of the integrated circuit (IC) industry put the threat of hardware Trojans (HTs) front and center among all security concerns in the IC supply chain. Current Trojan detection approaches always assume HTs are composed of digital circuits. However, recent demonstrations of analog attacks, such as A2 and Rowhammer, invalidate the digital assumption in previous HT detection or testing methods. At the system level, attackers can utilize the analog properties of the underlying circuits such as charge-sharing and capacitive coupling effects to create information leakage paths. These new capacitor-based vulnerabilities are rarely covered in digital testings. To address these stealthy yet harmful threats, we identify a large class of such capacitor-enabled attacks and define them as charge-domain Trojans. We are able to abstract the detailed charge-domain models for these Trojans and expose the circuit-level properties that critically contribute to their information leakage paths. Aided by the abstract models, an information flow tracking (IFT) based solution is developed to detect charge-domain leakage paths and then identify the charge-domain Trojans/vulnerabilities. Our proposed method is validated on an experimental RISC microcontroller design injected with different variants of charge-domain Trojans. We demonstrate that successful detection can be accomplished with an automatic tool which realizes the IFT-based solution.

ENTT: A Family of Emerging NVM-based Trojan Triggers

Abstract: Hardware Trojans in the form of malicious modifications during the design and/or the fabrication process is a security concern due to globalization of the semiconductor production process. A Trojan is designed to evade structural and functional testing and trigger under certain conditions (e.g., after a number of clock ticks or assertion of a rare net) and deliver the payload (e.g., denial-of-service, information leakage). A wide variety of logic Trojans (both triggers and payloads) have been identified, however, very limited literature exists on memory Trojans in spite of their high likelihood. Emerging Non-Volatile Memories (NVMs) e.g., Resistive RAM (RRAM) possess unique characteristics e.g., non-volatility and gradual drift in resistance with pulsing voltage that make them a prime target to deploy a Hardware Trojan. In this paper, we present a delay and voltage-based Trojan trigger by exploiting the RRAM resistance drift under pulsing current. Simulation results indicate that these triggers can be activated by accessing a pre-selected address 2500–3000 times (varies with trigger designs) since the proposed trigger requires a large number of hammerings to evade test phase. Due to non-volatility, the hammering need not be consecutive and therefore can evade system-level techniques that can classify hammering as a potential security threat. We also propose a mechanism to reset the triggers. The maximum area and static/dynamic power overheads of the trigger circuit are 6.68μm2 and 104.24μW/0.426μW, respectively in PTM 65nm technology.