GRAPH MACHINE LEARNING FOR HARDWARE SECURITY AND
SECURITY OF GRAPH MACHINE LEARNING: ATTACKS AND
DEFENSES
by
Subhajit Dutta Chowdhury
A Dissertation Presented to the
FACULTY OF THE GRADUATE SCHOOL
UNIVERSITY OF SOUTHERN CALIFORNIA
In Partial Fulfillment of the
Requirements for the Degree
DOCTOR OF PHILOSOPHY
(ELECTRICAL ENGINEERING)
August 2024
Copyright 2024 Subhajit Dutta Chowdhury
Dedication
To my mom and dad for their unconditional love
“It is during our darkest moments
that we must focus to see the light”
— Aristotle
Acknowledgements
Pursuing a Ph.D. has been a rewarding and fulfilling journey. I am sincerely thankful to all the people who supported me in this beautiful and
transformative journey.
First and foremost, I would like to express my heartfelt gratitude to my
advisor, Prof. Pierluigi Nuzzo. Without his unwavering support, guidance,
and encouragement, particularly during some of the most challenging times,
I would not have been able to explore the research avenues that culminated
in this dissertation. He taught me how to write papers, deliver talks, and,
most importantly, conduct rigorous and meaningful research. His mentorship has been a cornerstone of my journey, and I am forever indebted to
him for his immense contributions to my academic and personal growth.
I would also like to extend my sincere thanks to Prof. Peter A. Beerel
and Prof. Aiichiro Nakano for their technical insights and encouragement
as part of my dissertation committee. Their expertise and feedback have
been invaluable throughout this process. I am deeply grateful to Prof.
Sandeep Gupta and Prof. Akilesh Jaiswal for serving on my qualification
exam committee and for their technical guidance and support.
During my time at USC, I had the privilege of interacting with several
esteemed faculty members through research collaborations and coursework.
I would like to extend my deepest gratitude to Prof. Gandhi Puvvada, Prof.
Shahin Nazarian, Prof. Alan Willner, Prof. Moe Tabar, Prof. Yan Liu,
Prof. Saty Raghavachary, Prof. Mike Chen, and Prof. Hossein Hashemi
for the invaluable knowledge and insights I gained from each of them. A
special thanks to Prof. Puvvada for his exceptional dedication to teaching
and for inspiring me with his passion for education.
I am deeply grateful to all the student members of the Descyphy Lab
for fostering such a positive and collaborative work environment. Special thanks go to my primary collaborators, Kaixin Yang and Zhiyu Ni,
for believing in my ideas and working alongside me with equal passion and
dedication. Thank you to Yinghua Hu, Yifeng Xiao, Matthew Conn, Chanwook Oh, Nikhil Naik, Krishna Chaitanya Kalagarla, and Kevin Chang. I
truly appreciate the time we spent together, both in and out of the office
and lab, throughout my PhD journey.
I would also like to extend my thanks to the student members of other
research groups, including Souvik Kundu, Dake Chen, Xuan Zhou, Yuke
Zhang, Mutian Zhu, Mohsen Hassanpourghadi, Qiaochu Zhang, Praveen
Kumar Sharma, and Jaewon Nam, whose collaborations were instrumental
in helping me achieve specific research goals. Additionally, I am incredibly
thankful to the cohort of Master’s directed research students I had the
pleasure of mentoring. Special thanks to Qingyuan Peng, Zeng Wang,
Gengyu Zhang, Ruobing Li, and Xianshi Ma for engaging in stimulating
research discussions leading to several technical contributions. I also had
the unique opportunity to work with several talented high school students,
including Muqing Zhao, Tristan Brankovic, Nicholas Hornung, and Luis
Parra.
I would like to thank the agencies that have funded my research – Air
Force Research Laboratory (AFRL), Defense Advanced Research Projects
Agency (DARPA), National Science Foundation (NSF), and University of
Southern California Information Sciences Institute (USC ISI). I am also
indebted to Diane Demetras and John Diaz for their help in administrative
matters related to the progress of my Ph.D.
My experience at USC would not have been the same without the
support of my friends. I am especially grateful to those who lived with
me: Souvik Kundu and Chandani Sen, who were like an elder brother and
sister, always providing aid and encouragement. I also want to thank
Gourav Datta, Zhiyu Ni, Kaixin Yang, Yifeng Xiao, Arnab Sanyal, Sreetama Sarkar, Rezwan Rasul, Digbalay Bose, Rajrup Ghosh, and Subhayu
Chakraborty for their unwavering support throughout my journey. I feel
fortunate that many friends from my undergraduate studies have managed to stay in touch over the years, even remotely. A special mention
goes to Rajarshi Roy Chaudhuri, Rupam Kalyan Chakraborty, and Prasanta Ghosh for maintaining our connection and support. I am also deeply
grateful to my undergraduate professors Indrani Bhattacharya, Mili Sarkar,
Rijuparna Chakraborty, and Ratna Chakraborty for their constant encouragement and support.
My deepest gratitude goes to my family, the unwavering pillar of support without whom this journey would not have been possible. If I have
achieved anything in my life, it is because of their boundless love and faith
in me. My time at USC was not always easy. I lost my mother to COVID
in 2020, and the pain of her loss was unbearable. There were many moments of uncertainty when I felt like giving up and didn’t know how to
move forward. Although my mom, Shema Dutta Chowdhury, is not physically present to share this moment with me, her influence on my life is
profound. She exemplified altruism and resilience—qualities that proved
invaluable during the challenging times of my Ph.D. journey. I strive to
carry these qualities with me throughout my life. I am also grateful to my
dad, Suvankar Dutta Chowdhury, who stood by me, supported me, and
motivated me during the tough times. This work is dedicated to them, as
without their support, I would not be where I am today.
Table of Contents
Dedication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . iii
List of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . x
List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . xi
Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1.1 Security Threats to IC Supply Chain . . . . . . . . . 2
1.1.2 Existing Defenses Against IC Supply Chain Attacks
and Their Weaknesses . . . . . . . . . . . . . . . . . 4
1.1.3 Security Threats to Deep Learning Models . . . . . . 5
1.2 Dissertation Overview . . . . . . . . . . . . . . . . . . . . . 6
1.3 Main Contributions . . . . . . . . . . . . . . . . . . . . . . . 8
1.4 Dissertation Organization . . . . . . . . . . . . . . . . . . . 9
2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.1 Attacks on IC Supply Chain . . . . . . . . . . . . . . . . . . 11
2.1.1 Hardware Trojans . . . . . . . . . . . . . . . . . . . . 11
2.1.2 IP Piracy and Overuse . . . . . . . . . . . . . . . . . 13
2.1.3 IC Overbuilding and Counterfeiting . . . . . . . . . . 13
2.2 Defenses Against Attacks on IC Supply Chain . . . . . . . . 14
2.2.1 Layout Camouflaging . . . . . . . . . . . . . . . . . . 14
2.2.2 Split Manufacturing . . . . . . . . . . . . . . . . . . 15
2.2.3 Logic Locking . . . . . . . . . . . . . . . . . . . . . . 16
2.3 IC Reverse Engineering . . . . . . . . . . . . . . . . . . . . . 19
2.3.1 Netlist Extraction . . . . . . . . . . . . . . . . . . . . 19
2.3.2 Specification Discovery . . . . . . . . . . . . . . . . . 21
2.4 Adversarial Attacks on Graph Machine Learning . . . . . . . 21
2.4.1 Graph Neural Networks . . . . . . . . . . . . . . . . 22
2.4.2 Adversarial Attack Classification . . . . . . . . . . . . 24
3 Graph Neural Network-Based State Register Identification for Circuit Reverse-Engineering . . . . . . . . . . . 26
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.3 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.3.1 RELIC . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.3.2 Graph Neural Networks . . . . . . . . . . . . . . . . 33
3.4 Proposed State Register Identification Technique Using Graph
Neural Networks . . . . . . . . . . . . . . . . . . . . . . . . 39
3.4.1 Node Feature Identification and Extraction . . . . . . 39
3.4.2 Graph Learning Pipeline . . . . . . . . . . . . . . . . 42
3.4.3 Post Processing . . . . . . . . . . . . . . . . . . . . . 43
3.5 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.5.1 Dataset Creation . . . . . . . . . . . . . . . . . . . . 44
3.5.2 Evaluation Method and Metrics . . . . . . . . . . . . 45
3.5.3 GNN Pipeline . . . . . . . . . . . . . . . . . . . . . . 47
3.5.4 Performance Analysis . . . . . . . . . . . . . . . . . . 49
3.5.5 Impact of the Type of GNN Model, Aggregate Function, and Feature Set . . . . . . . . . . . . . . . . . . 52
3.6 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
4 Graph Learning-Driven Structural-Functional Attack to
Logic Locking . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.2 Background and Related Work . . . . . . . . . . . . . . . . . 60
4.2.1 Logic Locking . . . . . . . . . . . . . . . . . . . . . . 60
4.2.2 Attacks on Logic Locking . . . . . . . . . . . . . . . 62
4.3 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . 65
4.3.1 Graph Neural Networks . . . . . . . . . . . . . . . . 65
4.3.2 Population-Based Optimization . . . . . . . . . . . . 67
4.4 Proposed Graph Learning-Driven Structural-Functional Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
4.4.1 Threat Model . . . . . . . . . . . . . . . . . . . . . . 68
4.4.2 Netlist to Graph Transformation . . . . . . . . . . . 69
4.4.3 Graph Learning Pipeline . . . . . . . . . . . . . . . . 70
4.4.4 Candidate Key Set Generation . . . . . . . . . . . . . 71
4.4.5 Optimization Problem Formulation . . . . . . . . . . 72
4.5 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
4.5.1 Training Dataset . . . . . . . . . . . . . . . . . . . . 76
4.5.2 Performance Analysis . . . . . . . . . . . . . . . . . . 78
4.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
5 Similarity-Based Logic Locking Against Machine Learning Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
5.2 Background and Related Work . . . . . . . . . . . . . . . . . 85
5.2.1 Learning-Resilient MUX-Based Locking . . . . . . . . 85
5.2.2 State-of-the-Art ML-Based Attack on D-MUX Locking 88
5.3 SimLL: Similarity-Based Logic Locking . . . . . . . . . . . . 89
5.3.1 Clustering Topologically and Functionally Similar Nodes 90
5.3.2 Clustering Topologically and Functionally Similar Links 91
5.3.3 SimLL Scheme . . . . . . . . . . . . . . . . . . . . . 92
5.4 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
5.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
6 Enhancing SAT-attack Resiliency and Cost-Effectiveness
of Reconfigurable-Logic-Based Circuit Obfuscation . . . 99
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
6.2 Background and Related Work . . . . . . . . . . . . . . . . . 101
6.2.1 SAT Attack . . . . . . . . . . . . . . . . . . . . . . . 101
6.2.2 LUT-Based Logic Obfuscation . . . . . . . . . . . . . 101
6.2.3 Routing Obfuscation . . . . . . . . . . . . . . . . . . 102
6.3 Proposed Enhanced LUT-Based Obfuscation . . . . . . . . . 103
6.3.1 Enhanced 2-Stage LUT-Based Obfuscation (ELBO) . 103
6.3.2 Hybrid Logic-Routing Obfuscation (HLRO) . . . . . 105
6.4 Results and Discussion . . . . . . . . . . . . . . . . . . . . . 106
6.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
7 Finding Adversarially Robust Graph Lottery Tickets . . 113
7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
7.2 Background and Related Work . . . . . . . . . . . . . . . . . 116
7.2.1 Graph Lottery Ticket Hypothesis . . . . . . . . . . . 116
7.2.2 Adversarial Attacks on Graphs . . . . . . . . . . . . 117
7.2.3 Defenses on Graphs . . . . . . . . . . . . . . . . . . . 118
7.3 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . 119
7.3.1 UGS Analysis Under Adversarial Attacks . . . . . . . 121
7.3.2 Analyzing the Impact of Adversarial Attacks on Graph
Properties . . . . . . . . . . . . . . . . . . . . . . . . 122
7.3.3 Adversarially Robust Graph Sparsification . . . . . . 123
7.4 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
7.4.1 Evaluation Setup . . . . . . . . . . . . . . . . . . . . 127
7.4.2 Dataset Details . . . . . . . . . . . . . . . . . . . . . 128
7.4.3 Implementation Details . . . . . . . . . . . . . . . . . 129
7.4.4 Defense on Homophilic Graphs . . . . . . . . . . . . 131
7.4.5 Defense on Large Graphs . . . . . . . . . . . . . . . . 136
7.4.6 Defense Against Adaptive Attacks . . . . . . . . . . . 137
7.4.7 Defense on Heterophilic Graphs . . . . . . . . . . . . 138
7.4.8 Analysis Under Structure and Node Feature Attacks 139
7.4.9 Ablation Study . . . . . . . . . . . . . . . . . . . . . 141
7.4.10 Performance Evaluation of ARGS on Clean Graph . . 141
7.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
8 Conclusions and Future Work . . . . . . . . . . . . . . . . . 144
8.1 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
8.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
8.2.1 GNNs for Sequential Logic Obfuscation . . . . . . . . 145
8.2.2 GNNs for Hardware Fuzzing . . . . . . . . . . . . . . 146
8.2.3 Defending GNNs Against Privacy Attacks . . . . . . 147
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
List of Tables
2.1 IP Protection Techniques Versus Untrusted Entities (✓: Protection Offered, ×: No Protection Offered) . . . . . . . . . . 14
3.1 Overview of the Benchmarks . . . . . . . . . . . . . . . . . . 44
3.2 GNN Pipeline Architecture and Training Details . . . . . . . 47
3.3 Performance of ReIGNN for the combined dataset . . . . . . 52
3.4 Different Feature Sets . . . . . . . . . . . . . . . . . . . . . . 54
6.1 SAT-attack time for hybrid logic-routing obfuscation and
different replacement locations . . . . . . . . . . . . . . . . . 110
6.2 SAT-attack time for hybrid obfuscation (HLRO) and universal circuit-based obfuscation for the same key length . . . 110
7.1 Details on the datasets. . . . . . . . . . . . . . . . . . . . . . 129
7.2 Performance comparison between ARGS and other defense
techniques in terms of accuracy and inference MAC count . 131
7.3 Comparison between ARGLTs identified by ARGS and GLTs
identified by UGS in terms of graph sparsity, model sparsity, and inference MACs across different baselines for the
OGBN-Products dataset . . . . . . . . . . . . . . . . . . . . 138
7.4 ARGS and UGS performance comparison for the PGD attack
and an adaptive attack for the Cora, Citeseer, and PubMed
datasets. GCN is used as the GNN model. . . . . . . . . . . . . 138
7.5 ARGS and UGS performance comparison for the PRBCD attack
and adaptive attack for the OGBN-ArXiv dataset. DeeperGCN
is used as the GNN model. . . . . . . . . . . . . . . . . . . . . 139
7.6 Ablation study. . . . . . . . . . . . . . . . . . . . . . . . . . . 142
7.7 Comparison of ARGS and UGS performance with GCN,
GIN, and GAT as backbones on the clean Cora and Citeseer
datasets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
List of Figures
1.1 Major steps in the IC design flow. . . . . . . . . . . . . . . . 3
1.2 Illustration of adversarial perturbation in different domains.
(a) Image domain. (b) Graph domain. Red solid edges are
adversarial additions while red dashed edges are adversarial
removals. Only the graph structure is perturbed. . . . . . . 6
2.1 Hardware Trojan: (a) typical structure of a Hardware Trojan,
(b) a simple example of a Hardware Trojan. . . . . . . . . . 12
2.2 The gate-level view of a small combinational circuit (a) before and (b) after being locked by XOR/XNOR-based insertion 17
2.3 State transition diagram of a circuit locked by HARPOON [1] 18
2.4 Workflow diagram of the hardware reverse engineering process comprising two major phases: (1) netlist extraction and
(2) specification discovery. The second phase includes a variety of methods and algorithms that are not necessarily mutually exclusive [2]. . . . . . . . . . . . . . . . . . . . . . . . 20
3.1 High-level overview of the graph learning-based state register
identification technique ReIGNN. The netlist of a design is
converted into a graph and processed by the graph neural
network to classify the registers as state and data registers. . 28
3.2 Block diagram of an FSM. In a Moore machine, the output
function logic depends on the current state only. In a Mealy
machine, the output is a function of both the current state
and the input (dotted line). . . . . . . . . . . . . . . . . . . 29
3.3 Pictorial representation of a 2-layer GNN processing a graph:
(a) Each layer processes each node in the graph, colored
in the picture. (b) Processing node d in layer 1 involves
aggregating the embeddings of node d's neighbors and using
them to update the embedding of node d. . . . . . . . . . . 35
3.4 ReIGNN methodology. . . . . . . . . . . . . . . . . . . . . . 38
3.5 ReIGNN methodology workflow (a) Feature vector extraction and representation for the node a in the netlist subgraph, (b) GNN training pipeline. . . . . . . . . . . . . . . 40
3.6 Impact of the number of GNN layers and their dimension on
ReIGNN performance (sensitivity) for aes benchmark circuits. 47
3.7 Performance comparison between ReIGNN and RELIC on
one-hot encoded benchmarks. . . . . . . . . . . . . . . . . . 48
3.8 Performance comparison between ReIGNN and RELIC on
binary encoded benchmarks. . . . . . . . . . . . . . . . . . . 49
3.9 Performance comparison between different types of GNN
layers on one-hot encoded benchmarks. . . . . . . . . . . . . 53
3.10 Impact of the type of aggregate function used in GraphSage
on the performance of ReIGNN in terms of sensitivity. . . . 53
3.11 Impact of the different features on the performance of ReIGNN
for one-hot encoded benchmarks. . . . . . . . . . . . . . . . 53
4.1 High-level overview of GLean, a graph learning-driven structural-functional attack to combinational logic locking. . . . . . . . 59
4.2 Example of logic locking. (a) Original design, (b) design
locked with XOR key gate, (c) design locked with AND key
gate, (d) design locked with a multiplexer. . . . . . . . . . . 61
4.3 GLean Methodology . . . . . . . . . . . . . . . . . . . . . . 66
4.4 GNN model architecture and its training . . . . . . . . . . . 69
4.5 Performance comparison between Snapshot, OMLA, and GLean
for RLL. (a) KPA achieved by the different ML-based attacks, (b) Average Percentage HD of the key predicted by
the different attacks. . . . . . . . . . . . . . . . . . . . . . . 73
4.6 Performance comparison of GLean before and after the optimization step for RLL. (a) KPA achieved by GLean, (b)
Average percentage HD achieved by GLean, and (c) FC
achieved by GLean. . . . . . . . . . . . . . . . . . . . . . . 74
4.7 Evolution of the approximate key in terms of average Hamming distance through different generations for different benchmarks. We consider two different initialization keys, GNN
predicted keys and random keys. . . . . . . . . . . . . . . . 75
4.8 KPA achieved by GLean before and after performing optimization for (a) strong logic locking, (b) cone-based locking.
Average Percentage HD before and after optimization for (c)
strong logic locking, and (d) cone-based locking. . . . . . . 77
4.9 KPA and average percentage HD achieved by GLean before
optimization for (a) random AND/OR locking, (b) controllability-based AND/OR locking, and (c) multiplexer-based locking.
This result shows that GLean can recover the original design in most cases without performing optimization for these
techniques. . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
5.1 Logic locking techniques: (a) Overview; (b) Original netlist;
(c) XOR/XNOR-based logic locking; (d) MUX-based logic
locking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
5.2 D-MUX locking strategies. . . . . . . . . . . . . . . . . . . . 85
5.3 Workflow of the MuxLink attack. A MUX-locked locality, i.e., a fixed-depth subcircuit surrounding the MUX key
gates, is converted to a graph to solve the corresponding link
prediction problem. . . . . . . . . . . . . . . . . . . . . . . . 88
5.4 MuxLink attack evaluation on SimLL locked benchmarks.
ISCAS-85 benchmarks are locked with 64 and 128 key bits
while ITC-99 benchmarks are locked with 256 and 512 key bits.
Success of the attack is evaluated using AC, PC, FC, and
HD. AC and PC achieved by MuxLink on D-MUX locked
designs are also included for comparison. Area overhead of
SimLL is also reported. . . . . . . . . . . . . . . . . . . . . . 94
5.5 (a)(b) SWEEP attack evaluation on SimLL. (c) SnapShot
attack evaluation on SimLL under the SRS attack scenario. . 97
6.1 Examples of LUT structures: (a) single 8-input LUT, (b)
2-stage 8-input LUT which consists of a 4-input LUT driven
by 4 2-input LUTs. . . . . . . . . . . . . . . . . . . . . . . . 102
6.2 Gate replacement using a combined CLN-based and 2-stage
LUT-based obfuscation. The CLN provides routing obfuscation while the LUT provides logic obfuscation. . . . . . . . 106
6.3 (a) Evaluation of ELBO (solid line) in comparison with reference obfuscation scheme [3] (dotted line) for c7552: SAT-attack execution time as a function of LUT size and number
of replaced gates . . . . . . . . . . . . . . . . . . . . . . . . 107
6.4 Evaluation of ELBO (solid line) in comparison with reference obfuscation scheme [3] (dotted line) for c7552: normalized area overhead as a function of SAT-attack runtime for
different LUT sizes . . . . . . . . . . . . . . . . . . . . . . . 107
6.5 SAT-attack time for ELBO when ascending (solid line) and
descending (dotted line) order of observability cost of nodes
are used to decide the gate replacement location in c7552. . 108
6.6 Area overhead for traditional LUT-based (SLO), enhanced
2-stage LUT-based (ELBO), and hybrid CLN-LUT-based
(HLRO) obfuscation. . . . . . . . . . . . . . . . . . . . . . . 109
7.1 Comparison of different graph sparsification techniques in accuracy vs. graph sparsity. ARGS achieves similar accuracy with
35% more sparsity for the Cora dataset under PGD attack. . . . 114
7.2 Classification accuracy of GLTs generated using UGS for Cora
and Citeseer datasets attacked by the PGD attack and MetaAttack. The baseline refers to accuracy on the clean graph. . . . . 121
7.3 Impact of adversarial attacks on graph properties. (a), (b) Density distribution of attribute feature differences of connected nodes
in perturbed homophilic (Citeseer) and heterophilic (Chameleon)
graphs. (c) Density distribution of positional feature differences
of connected nodes in perturbed heterophilic graphs. . . . . . . 122
7.4 Evolution of adversarial edges in Cora dataset (attacked by PGD,
20% perturbation) as we apply ARGS to prune the graph. TrainTrain edges connect two nodes from the train set. Train-Test
edges connect a node from the train set with one from the test
set. Test-Test edges connect two nodes from the test set. . . . . 124
7.5 Node classification performance versus graph sparsity levels and
inference MACs for the GCN, GIN, and GAT architectures on
Cora and Citeseer datasets attacked by PGD and MetaAttack,
respectively. Red stars ⋆ indicate the ARGLTs. Dashed black
lines represent the performance of STRG, an adversarial defense
technique. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
7.6 Node classification performance over achieved graph sparsity levels for GCN on the Cora dataset attacked by the PGD attack and
MetaAttack. The perturbation rates are 5%, 10%, and 15%. Red
stars ⋆ indicate the ARGLTs which achieve similar performance
with high sparsity. STRG is used as the baseline. . . . . . . . . 133
7.7 Node classification performance over achieved graph sparsity levels for GCN on the Citeseer dataset attacked by the PGD attack
and MetaAttack. The perturbation rates are 5%, 10%, and 15%.
Red stars ⋆ indicate the ARGLTs which achieve similar performance with high sparsity. STRG is used as the baseline. . . . . 133
7.8 Node classification performance over achieved graph sparsity levels for GIN on the Cora dataset attacked by the PGD attack and
MetaAttack. The perturbation rates are 5%, 10%, and 15%. Red
stars ⋆ indicate the ARGLTs which achieve similar performance
with high sparsity. STRG is used as the baseline. . . . . . . . . 134
7.9 Node classification performance over achieved graph sparsity levels for GIN on the Citeseer dataset attacked by the PGD attack
and MetaAttack. The perturbation rates are 5%, 10%, and 15%.
Red stars ⋆ indicate the ARGLTs which achieve similar performance with high sparsity. STRG is used as the baseline. . . . . 134
7.10 Node classification performance over achieved graph sparsity levels for GAT on the Citeseer dataset attacked by the PGD attack
and MetaAttack. The perturbation rates are 5%, 10%, and 15%.
Red stars ⋆ indicate the ARGLTs which achieve similar performance with high sparsity. STRG is used as the baseline. . . . . 135
7.11 Node classification performance over achieved graph sparsity levels for GCN on the PubMed dataset attacked by the PGD attack
and MetaAttack. The perturbation rates are 5%, 10%, 15%, and
20%. Red stars ⋆ indicate the ARGLTs which achieve similar
performance with high sparsity. STRG is used as the baseline. . 135
7.12 Node classification performance versus graph sparsity levels and
inference MACs for Deeper-GCN on OGBN-ArXiv dataset attacked by PR-BCD. . . . . . . . . . . . . . . . . . . . . . . . 137
7.13 Node classification performance versus weight sparsity levels for
GPRGNN on Chameleon and Squirrel dataset attacked by the
PGD Attack and MetaAttack. . . . . . . . . . . . . . . . . . . 139
7.14 Node classification performance over achieved graph sparsity levels for a GCN model on Cora and Citeseer datasets attacked by
a version of the MetaAttack that modifies both graph structure
and node features. The perturbation rates are 5%, 10%, and
15%. Red stars ⋆ indicate the ARGLTs. STRG is used as the
baseline. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Abstract
The burgeoning costs of integrated circuit (IC) fabrication have led to
widespread globalization of the IC supply chain, exposing IC designs to
hardware security threats like intellectual property (IP) theft or piracy, illegal overproduction, and hardware Trojan insertion. These security challenges have triggered research on secure design methodologies. However, these solutions are often incomplete, leaving open new
channels of sensitive information leakage that must be addressed. In this
dissertation, we introduce novel analysis methods, attacks, and defenses
based on graph learning, and specifically graph neural networks (GNNs),
to address some of the information leakage challenges to trustworthy ICs.
GNNs are particularly effective in processing circuit netlists, which are inherently graph-structured data. They can leverage the node properties of a
circuit netlist and their neighborhood information to successfully perform
different tasks. First, we present a state register identification technique
with GNNs (ReIGNN) that enables circuit reverse engineering for hardware
protection. ReIGNN combines, for the first time, GNNs with structural
analysis to identify the state registers and help recover the control logic
of a design. We then present a graph learning-driven attack (GLean) for
analyzing the security guarantees of different logic obfuscation (or locking)
methods by assessing the level of information leakage from their structural
signatures. Graph learning can also be used to detect topologically and
functionally similar logic gates or wires in a design, which in turn can be
used to confuse existing machine learning-based attacks on logic obfuscation. In this context, we introduce a graph similarity-based logic locking
technique (SimLL) which is the state-of-the-art defense against existing
oracle-less learning-based attacks. We also introduce a reconfigurable logicbased locking technique which improves resilience against existing oraclebased attacks. Reconfigurable logic blocks like look-up table (LUT), and
xvi
switch-boxes reduce the amount of information leaked from their structural
signatures making them resilient against machine learning-based attacks
too.
Finally, security is a major concern for GNN models too. GNN models
are highly vulnerable to adversarial attacks, where imperceptible perturbations to the input data can significantly impact their performance. To
mitigate this vulnerability, we present a GNN training method that yields
models that are sparse and compressed, yet adversarially robust. Overall,
this dissertation explores the intersection of graph learning and hardware
security, highlighting the critical role of graph learning in fortifying hardware security, as well as the importance of security considerations in graph
learning.
Thesis supervisor: Dr. Pierluigi Nuzzo (Chair), Electrical and Computer Engineering, University of Southern California.
Chapter 1
Introduction
This chapter provides the motivation for the work in this dissertation and a
preview of the main contributions. We first discuss some of the challenges
associated with realizing secure integrated circuits and the vulnerability of
graph learning models to adversarial attacks. We then provide an overview
of the different attacks and defenses developed in this thesis to address these
challenges and highlight the key technical contributions. Finally, we outline
the covered topics and their organization.
1.1 Motivation
The rapid evolution of computing capabilities and machine learning (ML)
has ushered in a new era of technological progress, profoundly impacting
every facet of modern life. These technologies are not only enhancing productivity and decision-making across industries but are also reshaping the
way individuals interact with the world. However, as these technologies
become increasingly integrated into critical systems, ensuring their security becomes paramount.
Integrated circuits (ICs) are the foundation of modern computing systems, facilitating a wide array of applications ranging from personal gadgets
to medical equipment. However, the globalization of the IC supply chain
exposes ICs to diverse hardware security threats like intellectual property
(IP) theft and piracy, illegal overproduction of ICs, and insertion of malicious modifications dubbed “hardware Trojans” (HTs). Safeguarding
the integrity and security of ICs thus becomes challenging [4–6]. These
security challenges have prompted extensive research into secure design
methodologies for improving the trustworthiness of the ICs. However, existing security solutions are often incomplete and leave new channels of
sensitive information leakage. Therefore, developing novel analysis methods to address existing security concerns, challenge the security guarantees
of the existing solutions, and develop new solutions for enabling the design
of secure and trustworthy ICs becomes inevitable.
Concurrently, deep learning models also face security challenges. Deep
learning has revolutionized various domains and enabled critical tasks like
facial recognition (using image data), language translation (using text
data), and drug discovery (using graph data). However, deep learning
models have been found to be vulnerable to adversarial attacks, where
perturbations to the input data, imperceptible to humans, can severely degrade their performance. This underscores the importance of robustifying deep learning
models against attacks, particularly as these models proliferate in safety-critical domains and decision-making contexts.
In this dissertation, we explore the intersection of deep learning, more
specifically graph learning, and hardware security, investigating how graph
learning techniques can be leveraged to enhance the security of IC designs while simultaneously developing strategies to bolster the robustness
of graph learning models against adversarial attacks. The following subsections further elaborate on the security challenges and motivate the research
developed in this dissertation.
1.1.1 Security Threats to IC Supply Chain
The IC supply chain has undergone notable advances over the past
several decades. With the advancement in the semiconductor technology
nodes, the financial cost of commissioning foundries has skyrocketed [7].
Reports indicate that TSMC, a leading semiconductor manufacturing company, plans to spend $100 billion on new production facilities and research
and development over the next three years [7]. This astronomical cost of
setting up foundries, coupled with the need to meet faster time-to-market
Figure 1.1: Major steps in the IC design flow.
deadlines and reduce costs, has resulted in the globalization and associated deverticalization of the semiconductor supply chain. Consequently,
major IC design companies like Apple, AMD, NVIDIA, and Qualcomm (to
name a few) have transitioned to a fabless model and become increasingly
dependent on third-party intellectual property (IP) cores.
Figure 1.1 illustrates the key stages in the life cycle of an IC, encompassing IP design, fabrication, testing, and field deployment. Unfortunately, a
plethora of hardware security threats like IP piracy/theft, IC overbuilding
and counterfeiting, Hardware Trojan insertion, and side-channel attacks exist along the different stages of the IC life cycle. Security threats in the design phase primarily come from two sources: untrustworthy third-party
IPs and untrustworthy third-party commercial design tools [4]. While integrating third-party IPs facilitates faster time-to-market and economic
advantages, it also allows the untrusted IP providers to insert malicious
backdoors, making the chip malfunction under certain circumstances [8].
Similarly, third-party design automation and verification tools pose potential threats since the resulting design might be tampered with or undermined during these automated design processes [9]. To access advanced
semiconductor technology nodes at a lower cost, most IC design companies
outsource their designs to an offshore foundry for fabrication. However, the
offshore foundry might be untrustworthy, acting as a malicious entity that
can pirate or tamper with the GDSII masks. Moreover, offshore assembly
and test facilities represent another potential source of security threats.
Finally, end users themselves can also pose security risks. These untrustworthy entities are highlighted in red in Fig. 1.1.
1.1.2 Existing Defenses Against IC Supply Chain Attacks and Their Weaknesses
Over the last decade, several defense techniques have been proposed in
the literature to enforce security and trust in the IC supply chain. Split
manufacturing was proposed to eliminate the foundry as a threat vector
by splitting the design IP and giving only partial design to the untrusted
foundry for fabrication, while the remaining design is fabricated either in-house or at a trusted foundry [10–18]. However, split manufacturing
does not protect against an untrusted test facility, untrusted third-party
IP providers, or an end-user. IC camouflaging was proposed to eliminate
end users and untrusted test facilities as threat vectors. It obfuscates
a design by replacing selected cells with their camouflaged counterparts
which have similar layouts across different Boolean logic gate types [19–
25]. However, a major drawback of IC camouflaging is the reliance on a
trusted foundry to implement the camouflaged cells. Different from these
defense techniques, logic obfuscation (locking) protects the IC design by
inserting additional programmable circuitry, called key-gates, controlled
by key-inputs to lock the functionality of the design [26–29]. The correct
functionality of the design is only restored when the correct secret key is
provided as input. The secret key is securely loaded post-fabrication by
a trusted entity (typically a design house) in a tamper-proof non-volatile
memory and then applied to the key-inputs. Logic obfuscation eliminates
untrusted foundries, test facilities, and end-users as threat vectors. However,
it does not protect against untrusted third-party IP providers. Reverse
engineering can help eliminate third-party IP providers as a threat vector
by enabling the detection of malicious modifications in the IPs (like HTs)
provided by third-party vendors. Therefore, logic obfuscation combined
with reverse engineering can protect against all different attack vectors in
the IC supply chain.
However, the security guarantees of different logic locking techniques
have been heavily challenged by the development of several attacks showing
that the existing security solutions are often incomplete and leave new
channels of sensitive information leakage. Therefore, developing (a) novel
analysis methods to address existing security concerns, (b) attacks to
challenge the security guarantees of the existing solutions, and (c) new solutions
for enabling the design of secure and trustworthy ICs becomes inevitable.
1.1.3 Security Threats to Deep Learning Models
Deep learning models are vulnerable to attacks. Depending on the threat
models, these attacks can have various purposes, such as model stealing [30], membership inference [31], and output manipulation [32]. This
dissertation focuses on output-manipulation attacks, commonly referred to
as adversarial attacks. Adversarial attacks span domains
like images [32], text [33], and graphs [34], where small perturbations, imperceptible to humans, when added to the input, lead to incorrect model
behavior [35–38]. Figure 1.2 (a) shows an example of an adversarial attack
in the image domain where the left image is classified correctly as “pig” by
a deep neural network, while the right image, indistinguishable from the
left picture to a human, is labeled as “aeroplane” by the model. Figure 1.2
(b) shows an example of an adversarial attack in the graph domain. In the
case of graph data, an attacker can perturb the node features or modify the
graph structure, i.e., insert or remove edges, to perform an attack. We can
characterize the attacker based on their goals, knowledge, and capabilities.
Adversarial attacks can be classified as poisoning attacks, perturbing the
data at train time, and evasion attacks, perturbing the data at test time.
Both poisoning and evasion attacks can be targeted or global attacks. A
targeted attack deceives the model to misclassify a specific target data
Figure 1.2: Illustration of adversarial perturbation in different domains. (a)
Image domain. (b) Graph domain. Red solid edges are adversarial additions
while red dashed edges are adversarial removals. Only the graph structure is
perturbed.
point. A global attack, on the other hand, degrades the overall performance
of the model. Depending on the amount of information available, the existing attacks can be categorized into white-box attacks, practical black-box
attacks, and restricted black-box attacks.
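The structural perturbations of Fig. 1.2 (b) can be illustrated with a minimal sketch. The snippet below (assuming a symmetric 0/1 NumPy adjacency matrix; the toy graph and the helper name `flip_edges` are invented for illustration) flips a small budget of entries, which corresponds to adding or removing edges:

```python
import numpy as np

def flip_edges(adj, edge_flips):
    """Apply a structural perturbation: flip each listed (i, j) entry of a
    symmetric 0/1 adjacency matrix, i.e., add the edge if it is absent and
    remove it if it is present."""
    adj = adj.copy()
    for i, j in edge_flips:
        adj[i, j] = adj[j, i] = 1 - adj[i, j]
    return adj

# Toy 4-node graph: a path 0-1-2-3.
A = np.array([[0, 1, 0, 0],
              [1, 0, 1, 0],
              [0, 1, 0, 1],
              [0, 0, 1, 0]])

# Adversarial budget of two flips: add edge (0, 3), remove edge (1, 2).
A_pert = flip_edges(A, [(0, 3), (1, 2)])
```

Under a small budget, an attacker can select such flips (e.g., via gradients through the victim model) so that the perturbed graph remains nearly indistinguishable from the original while degrading the model's predictions.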
1.2 Dissertation Overview
Circuits are inherently graph-structured data. Graphs are ubiquitous data
structures that describe pairwise relations between objects. To capture
the underlying inductive biases of the relational data, graph neural networks (GNNs) [39–41] have been developed, which demonstrate remarkable performance in various graph-related tasks including node classification [39, 42], graph classification [43, 44], and link prediction [45, 46].
GNNs have been successfully applied to a variety of applications including
traffic forecasting [47–51], recommendation systems [44, 52], drug discovery [53–55], molecular property prediction [56–59], to name a few. Recently,
GNNs have been used for improving different steps like logic synthesis,
placement, routing, testing, and verification in the IC design flow [60, 61].
However, the use of GNNs for enabling the design of trustworthy IC designs
remains largely unexplored.
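To make concrete how a GNN aggregates a node's properties with its neighborhood information, the following sketch implements one GCN-style propagation step in NumPy (the toy graph, features, and identity weights are invented for illustration; real GNNs stack several such layers and learn W):

```python
import numpy as np

def gcn_layer(adj, features, weights):
    """One graph convolution: add self-loops, symmetrically normalize the
    adjacency matrix, aggregate neighbor features, and apply ReLU."""
    a_hat = adj + np.eye(adj.shape[0])               # adjacency with self-loops
    d_inv_sqrt = np.diag(1.0 / np.sqrt(a_hat.sum(axis=1)))
    a_norm = d_inv_sqrt @ a_hat @ d_inv_sqrt         # D^{-1/2} A_hat D^{-1/2}
    return np.maximum(0.0, a_norm @ features @ weights)  # ReLU activation

# Toy path graph with 3 nodes, 2 input features, 2 output features.
A = np.array([[0., 1., 0.],
              [1., 0., 1.],
              [0., 1., 0.]])
X = np.array([[1., 0.],
              [0., 1.],
              [1., 1.]])
W = np.eye(2)
H = gcn_layer(A, X, W)  # each row now mixes the node's own and neighbors' features
```

After the layer, the representation of node 1 depends on the features of nodes 0 and 2 as well as its own, which is precisely the neighborhood aggregation exploited throughout this dissertation.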
This dissertation shows how we can leverage graph learning to enable
the design of trustworthy ICs. In particular, we develop novel analysis
methods and attacks to challenge the security guarantees of the existing security solutions and present new state-of-the-art defense solutions
against IC supply chain attacks. GNNs are particularly effective in processing circuit netlists, which are inherently graph-structured data. They
can leverage the node properties of a circuit netlist and their neighborhood information to perform different tasks successfully. First, we present
a state register identification technique with GNNs that enables circuit reverse engineering for hardware protection against Trojan attacks. Security
solutions like logic obfuscation leak information through their structural
signatures. We then present a graph learning-driven attack for analyzing
the security guarantees of different logic obfuscation methods by assessing
the level of information leakage from their structural signatures. Graph
learning can also be used to detect topologically and functionally similar
logic gates or wires in a design, which in turn can be used to confuse existing
machine learning-based attacks on logic obfuscation. In this context, we
introduce a graph similarity-based logic locking technique (SimLL), which is
the state-of-the-art defense against existing oracle-less learning-based attacks. We also introduce a reconfigurable logic-based locking technique
resilient against existing oracle-based attacks. Reconfigurable logic blocks
like look-up tables (LUTs) and switch-boxes reduce the amount of information leaked from their structural signatures, making them resilient against
machine learning-based attacks as well.
Security is a major concern for GNNs too. GNNs are vulnerable to
adversarial attacks, where imperceptible perturbations to the input data
can significantly impact their performance. To mitigate this vulnerability,
we present a GNN training method that yields efficient models, which are
sparse and compressed, yet adversarially robust. In summary, this dissertation explores the intersection of graph learning and hardware security,
highlighting the critical role of graph learning in fortifying hardware security
as well as the importance of security considerations in graph learning.
1.3 Main Contributions
This dissertation provides contributions to the areas of hardware security
and adversarial graph machine learning. It emphasizes how graph learning
can be leveraged to identify critical information leakages of existing defenses
and enable the design of trustworthy ICs. Concurrently, it underscores the
importance of security-aware graph learning. The main contributions can
be summarized as follows:
1. This dissertation develops a learning-driven register classification
methodology that combines graph neural networks (GNNs) with
structural analysis to identify the control registers in a circuit. This
enables reverse engineering of an IC netlist, a powerful tool for detecting malicious logic (hardware Trojans) and counteracting design
piracy to restore trust in the IC supply chain.
2. It develops a learning-driven attack on logic locking that combines
graph learning with functional constraints to approximate the key of
a locked design with high accuracy. This attack enables analyzing
the security guarantees of the existing logic locking techniques, which
is key to the emergence of holistic security solutions with improved
security guarantees.
3. It develops a state-of-the-art graph similarity-based logic locking defense technique that locks a design using multiplexers and shows robustness against all existing oracle-less learning-based attacks. This
technique introduces key-controlled multiplexers between logic gates
or wires that exhibit high levels of topological and functional similarity, which successfully confuses all the existing learning-based attacks
on logic locking.
4. It develops a reconfigurable logic-based locking defense technique that
introduces reconfigurable logic blocks like LUTs and switch-boxes
into a design while optimizing the design overhead. The proposed
defense provides resiliency against functional as well as structural
attacks on logic locking.
5. It develops a framework for generating GNN models that are sparse
and compressed, yet robust to adversarial attacks. The proposed
framework prunes the adjacency matrix of the input graph and the
GNN weights by optimizing a novel loss function that captures the
impact of adversarial attacks on the graph homophily property and
leverages information associated with both the true labels of the train
nodes and the pseudo labels of the test nodes.
1.4 Dissertation Organization
This chapter has provided the motivation for our research. We outlined the
security challenges associated with trustworthy IC design and robust deep
learning models. We summarized our strategy to tackle these challenges
and highlighted our main contributions. The remainder of the dissertation
is organized as follows.
Chapter 2 provides the background material for the concepts introduced
in the thesis. We give an overview of the different attacks on the IC supply
chain and the defense techniques that have been developed to combat these
attacks. Then, we review IC reverse engineering followed by adversarial
attacks on GNNs. Chapter 3 presents the learning-based register classification methodology that combines graph neural networks (GNNs) with
structural analysis to identify the control registers in a circuit enabling
reverse engineering of the control logic of a circuit design. Some of the results presented in Chapter 3 are based on joint work with Kaixin Yang and
Pierluigi Nuzzo [62]. Chapter 4 presents a graph learning-driven attack for
analyzing the security guarantees of different logic obfuscation methods.
This attack assesses the level of information leakage from the structural
signatures of different locking techniques. This technique was jointly developed with
Zeng Wang, Kaixin Yang, Yinghua Hu, and Pierluigi Nuzzo. Chapter 5
shows how we can leverage structural and functional similarity in a graph
to develop a logic locking defense technique that locks a design using multiplexers and shows robustness against all existing oracle-less learning-based
attacks. This work was done in collaboration with Kaixin Yang and Pierluigi Nuzzo [63]. Chapter 6 presents a reconfigurable logic-based locking
technique to combat the oracle-based functional attacks, jointly developed
with Gengyu Zhang, Yinghua Hu, and Pierluigi Nuzzo [64]. Reconfigurable
logic blocks like LUTs and switch-boxes reduce the amount of information
leaked from their structural signatures, making them resilient against machine learning-based attacks as well. In Chapter 7, we explore the impact
of adversarial attacks on GNNs and develop a framework for generating
GNN models that are sparse and compressed, yet robust to adversarial attacks jointly with Zhiyu Ni, Qingyuan Peng, Souvik Kundu, and Pierluigi
Nuzzo [65–67]. In Chapter 8, we conclude the thesis by discussing our findings, providing insights into some of the crucial aspects of our work, and
proposing directions for future work.
Chapter 2
Preliminaries
This chapter provides the background for the works introduced in this thesis.
It gives an overview of the different attacks on the IC supply chain and the
defenses developed to combat them. It then provides an overview of the
different adversarial attacks on GNNs.
2.1 Attacks on IC Supply Chain
Globalization of the IC supply chain has resulted in cost reduction and
faster time-to-market. However, it comes at the cost of exposing critical
design assets to a range of attack vectors such as intellectual property
(IP) piracy, counterfeiting [68,69], and hardware Trojan (HT) insertion [6],
which has become an important concern for both government agencies and
private companies [70]. The following subsections will present some of
these security threats in more detail.
2.1.1 Hardware Trojans
Hardware Trojans (HTs) are defined as malicious and intentional circuit
modifications that can result in undesired circuit behavior after deployment. The malicious behavior can manifest in the form of information leakage, incorrect functionality, performance degradation, Denial of
Service (DoS), etc. HTs can be inserted into ICs during the design or
the fabrication phase of the IC supply chain.
The typical structure of an HT consists of (a) a trigger and (b) a payload, as
depicted in Fig. 2.1. The trigger activates the Trojan based on a specific
activation event, such as the occurrence of specific data values or circuit
states, external signals, number of cycles, etc. Once activated, the payload
part performs malicious activity on the target circuitry. The diverse design
Figure 2.1: Hardware Trojan: (a) typical structure of a Hardware Trojan, (b) a
simple example of a Hardware Trojan.
possibilities, insertion locations, and stealthy implementation nature make
HT detection a challenging task. Moreover, similar to regular faults, the
later Trojans are detected in the design and production flow, the costlier
and more difficult it becomes for the IP owner to act. This problem is
further exacerbated by the fact that HTs are often assumed to be deployed
by untrusted, external foundries beyond the control of the legitimate IP
owner.
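The trigger/payload structure can be made concrete with a deliberately simplified executable sketch (the 4-input circuit and the rare trigger pattern are invented for illustration; real Trojans hide in designs with millions of gates):

```python
def trojan_circuit(a, b, c, d):
    """Toy 4-input circuit with an embedded hardware Trojan.
    Genuine function: out = (a AND b) OR c.
    Trigger: the rare input pattern a = b = c = 0, d = 1.
    Payload: XOR (invert) the output bit when triggered."""
    genuine = (a & b) | c
    trigger = (a == 0) and (b == 0) and (c == 0) and (d == 1)
    payload = 1 if trigger else 0
    return genuine ^ payload

# The Trojan stays dormant on almost all inputs...
assert trojan_circuit(1, 1, 0, 0) == 1   # matches the genuine function
# ...and corrupts the output only on the single trigger pattern.
assert trojan_circuit(0, 0, 0, 1) == 1   # the genuine output would be 0
```

Since the trigger fires on only one of the sixteen input patterns, conventional functional testing is unlikely to exercise it, which is exactly what makes HT detection difficult in practice.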
In general, design-independent HTs are implemented and inserted with
very little knowledge about the design’s functionality or structure. These
Trojans, however, are likely to be detected, exhibit uncontrollable trigger
mechanisms, and result in random payloads, thus mimicking a random
fault. On the contrary, design-dependent Trojans are constructed to have
controllable activation, stealthy implementation, and dedicated payload,
thus leading to high-impact attack scenarios. The attackers need to have a
good understanding of the design to develop these kinds of HTs. HTs can
be introduced either by a malicious foundry or via third-party IP cores.
In either case, it becomes extremely important to detect
such malicious modifications to enable trust in the supply chain.
2.1.2 IP Piracy and Overuse
IP piracy involves the unauthorized or illegal use of intellectual property
(IP) within the integrated circuit (IC) supply chain. This type of infringement can occur at various stages. For instance, an unscrupulous System-on-Chip (SoC) designer might make unauthorized copies of legitimately acquired Third-Party Intellectual Property (3PIP) and then sell these copies
to other SoC designers. Additionally, the designer could modify the original
design and market the altered version as a new IP.
IP overuse is another significant threat, where an entity uses IP beyond
the limits specified in their contract [68]. Typically, the IP rights are retained by the IP creator. SoC integrators often depend on purchasing IP
from legitimate owners to design their chips, with the licensing agreement
specifying the number of chips that can be produced using the IP. However,
a dishonest SoC designer may exceed this limit, producing more chips than
permitted by the licensing agreement, thereby causing financial losses to
the IP owner. Considering the semiconductor IP market was valued at $5.33
billion in 2019 and is expected to grow to $7.44 billion by 2027 [71], IP owners have a substantial economic interest in safeguarding their intellectual
property.
2.1.3 IC Overbuilding and Counterfeiting
Untrusted foundries and assembly facilities present a significant risk in
the semiconductor manufacturing process by producing integrated circuits
(ICs) in quantities exceeding those specified in legal contracts, a practice
referred to as IC overbuilding. This vulnerability arises from the inherent
challenges faced by intellectual property (IP) owners and design houses in
monitoring and controlling the fabrication and assembly stages. Malicious
entities can overbuild chips at a high profit as no design development cost
is required. Moreover, overbuilding can be performed at virtually no cost
by reporting a lower yield.
In this context, a serious threat is posed by IC counterfeiting [69].
Counterfeit ICs are unauthorized replicas of genuine integrated circuits,
engineered to be indistinguishable from authentic products in both functionality and appearance. These counterfeits often encompass remarked,
out-of-specification, or recycled components [72]. Besides causing revenue
losses to legitimate IP owners, overbuilt and counterfeit components are
a major source of serious reliability and security issues. With minimal or
no testing and verification, these ICs end up having an impact on personal
computers, telecommunications, automotive electronics, medical devices,
and military systems [69].
2.2 Defenses Against Attacks on IC Supply
Chain
Over the last decade, a multitude of IP protection techniques have been
proposed to enforce security and trust throughout the IC supply chain.
Here, we present a bird’s eye view of a subset of these solutions that focus
on hardware integrity protection.
Table 2.1: IP Protection Techniques Versus Untrusted Entities (✓: Protection
Offered, ×: No Protection Offered)
Technique Foundry Test Facility End-User
Logic Locking ✓ ✓ ✓
Layout Camouflaging × × ✓
Split Manufacturing ✓ × ×
2.2.1 Layout Camouflaging
Layout Camouflaging (LC) aims at preventing attacks by replacing selected
cells in the design with their camouflaged counterparts [73]. The camouflaged cells have a structurally similar construction across different gate
types. Therefore, the attacker faces significant challenges in uncovering
the correct functionality of the design while reverse engineering it. LC
can be performed by obfuscating the interconnects, using dummy contacts,
threshold voltage-dependent cells, filler cells, etc. [20, 73–75].
Threat Model: The threat model for layout camouflaging is the following:
• The design house and foundry are trusted, the test facility is either
trusted or untrusted, and the end-user is untrusted.
• The adversary has black-box access to functional copies of the design
and is armed with more or less sophisticated equipment and know-how to conduct reverse engineering. The adversary is aware of the
layout camouflaging scheme being used. The goal of the adversary is
to infer the correct functionality of the camouflaged cells.
A major drawback of camouflaging is the reliance on a trusted foundry
to fabricate such camouflaged gates. For more details on the different types
of camouflaging techniques, please refer to the literature [76].
2.2.2 Split Manufacturing
Split manufacturing (SM) protects the design IP from untrusted foundries
during manufacturing time. It splits the layout layers of a circuit design
into two parts: the Front End of Line (FEOL) and the Back End of Line
(BEOL), which are fabricated in separate foundries and then stacked together [14,77]. FEOL includes the transistors and lower metal layers, while
BEOL includes the higher metal layers. Since no single foundry possesses
the complete design information, split manufacturing safeguards the design
IP from adversaries. Also, since there are missing interconnects, it becomes
difficult for an adversary to implant hardware Trojans.
Threat Model: The threat model for split manufacturing is the following:
• The design house and end-user are trusted, while the FEOL foundry is
deemed untrusted. Split manufacturing necessitates a trusted BEOL
foundry, with assembly and testing facilities typically also considered
trusted.
• With the design house and end-user being trusted, the adversary
cannot obtain a chip copy from those entities. Besides, the chip has
typically not been manufactured before and is thus unavailable
altogether for reverse engineering (RE) attacks. The adversary, i.e., the foundry, is aware
of the underlying protection scheme, if any, and has access to the
utilized EDA tools, libraries, and other supporting information.
Split manufacturing can address security threats posed by an untrusted
foundry, but not those posed by an end-user or the test facility [78].
2.2.3 Logic Locking
Logic locking or obfuscation is a gate-level obfuscation approach to protect
design IPs. Unlike previous defense techniques, logic locking can provide
security against untrusted foundries, test facilities, as well as malicious end-users. In this technique, the designer inserts additional gates into the design
and locks its functionality using a secret key. If the correct key is provided,
the design performs as originally intended. Otherwise, an incorrect key
ensures that the circuit generates faulty output values for at least some
input patterns. Alongside the functional implications, logic locking also
induces structural hardware changes. Thus, the original functionality and
structure (topology) of the hardware design remain concealed while passing
through the hands of external, untrusted parties.
Threat Model: The threat model for logic locking is the following:
• The design house is considered trusted, whereas the foundry, the test
facility, and the end-user(s) are all considered untrusted.
Figure 2.2: The gate-level view of a small combinational circuit (a) before and
(b) after being locked by XOR/XNOR-based insertion.
• The attackers know the logic locking scheme that has been applied
and have access to the locked netlist with knowledge about the key
inputs and the related logic but are oblivious to the secret key. Depending on the type of attack, the adversary can have black-box
access to a functional copy of the design.
However, the security of logic locking schemes has been threatened by
the introduction of several attacks over the past decade, which show that
the existing security solutions often fall short of providing comprehensive
security guarantees. Since logic locking can protect against a range of
untrusted parties within the IC supply chain, we explore it in more detail
in this dissertation.
Since 2008, numerous logic locking techniques have been developed,
yet their security guarantees have been repeatedly challenged by various
deobfuscation attacks, leading to the continuous evolution of new locking
methods. Logic locking techniques can be broadly classified into two categories namely, combinational and sequential logic locking.
Combinational Logic Locking
A class of logic locking methods, namely, combinational logic locking, aims
to insert programmable elements and extra key ports into a portion of
a circuit’s combinational logic, such that the correct circuit functionality
Figure 2.3: State transition diagram of a circuit locked by HARPOON [1]
can only be accessed by applying the correct key [28, 79–91]. Fig. 2.2
illustrates a simple example of an early combinational logic locking method,
where an XOR gate and an XNOR gate, both denoted in red, are inserted
in the original circuit. For each inserted gate, the dangling input port is
regarded as a key port. Only when the two key ports, i.e., K1 and K2,
are assigned the value of zero and one, respectively, will the locked circuit
be functionally equivalent to the original circuit. If any other values are
applied, the signals passing through the inserted gates will be inverted,
resulting in corrupted output values from the circuit.
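The key-gate mechanism of Fig. 2.2 can be mimicked in a small executable sketch (the two-level circuit below is invented for illustration; the XOR/XNOR key-gate behavior follows the scheme described above, with correct key K1 = 0, K2 = 1):

```python
def original(a, b, c):
    """Toy original circuit: out = (a AND b) OR c."""
    return (a & b) | c

def locked(a, b, c, k1, k2):
    """The same circuit locked with one XOR key-gate (correct key bit
    k1 = 0) and one XNOR key-gate (correct key bit k2 = 1), inserted on
    an internal wire and on the output, respectively."""
    w = (a & b) ^ k1        # XOR key-gate: passes the wire through iff k1 == 0
    out = w | c
    return 1 - (out ^ k2)   # XNOR key-gate: passes out through iff k2 == 1

inputs = [(a, b, c) for a in (0, 1) for b in (0, 1) for c in (0, 1)]

# With the correct key (K1, K2) = (0, 1), the locked circuit matches the
# original on every input pattern...
assert all(locked(a, b, c, 0, 1) == original(a, b, c) for a, b, c in inputs)
# ...while a wrong key corrupts the output for at least some patterns.
assert any(locked(a, b, c, 1, 0) != original(a, b, c) for a, b, c in inputs)
```

The exhaustive check over all eight input patterns mirrors the informal argument above: the inserted gates are transparent only under the correct key assignment, and otherwise invert the signals passing through them.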
Sequential Logic Locking
On the other hand, sequential logic locking targets the finite state machine
(FSM) of the original circuit and usually involves creating new states in the
original FSM and modifying its transitions [1,92]. The correct functionality
is typically retrieved by either providing a key sequence, i.e., a sequence
of input patterns, via the primary input ports during the first few clock
cycles [1, 92–94] or by setting a set of key ports, if any, to fixed values
throughout the circuit operation time. Fig. 2.3 shows the state transition
diagram of an FSM locked by HARPOON [1], one of the earliest sequential
logic locking methods. The states denoted in blue represent the states in
the original FSM, while the states denoted in red are the additional states
created by the logic locking scheme. When powered on, the locked circuit
starts in a wrong reset state Se,0 and exhibits an incorrect functionality.
The authorized user must apply an appropriate sequence of input patterns,
i.e., k⋆0 → k⋆1 → k⋆2, during the first three clock cycles to enter the correct
reset state Sf,0, from which the correct functionality is restored. To claim
ownership of the design, HARPOON also creates a set of watermark states,
i.e., Se,4, Se,5, and Se,6 which can be entered when another unique sequence
of input patterns, only known to the designer, is applied. Anyone who
pretends to be the original designer will fail to prove so since they do not
know how to enter the watermark states and the expected circuit output
behavior at those states.
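The HARPOON-style locking behavior of Fig. 2.3 can be sketched as a small state machine (the states Se0–Se2 and Sf0 and the three-pattern key sequence mirror the description above; the concrete pattern strings are invented for illustration, and a wrong pattern here simply restarts the obfuscation mode, which is a simplification of the actual scheme):

```python
class LockedFSM:
    """Toy HARPOON-style sequential lock: power up in obfuscation state
    'Se0'; only the key sequence k0 -> k1 -> k2 applied in the first clock
    cycles reaches the functional reset state 'Sf0'."""

    KEY_SEQUENCE = ["k0", "k1", "k2"]   # invented key sequence

    def __init__(self):
        self.state = "Se0"              # wrong reset state at power-up
        self.step = 0

    def clock(self, pattern):
        if self.state == "Sf0":
            return                       # already unlocked: normal operation
        if self.step < 3 and pattern == self.KEY_SEQUENCE[self.step]:
            self.step += 1
            self.state = "Sf0" if self.step == 3 else f"Se{self.step}"
        else:
            self.step, self.state = 0, "Se0"   # restart obfuscation mode

    def unlocked(self):
        return self.state == "Sf0"

fsm = LockedFSM()
for p in ["k0", "k1", "k2"]:            # correct key sequence
    fsm.clock(p)
assert fsm.unlocked()

bad = LockedFSM()
for p in ["k0", "kX", "k2"]:            # one wrong pattern
    bad.clock(p)
assert not bad.unlocked()
```

The sketch captures the essential property: correct functionality is only reachable through a secret traversal of the obfuscation-mode states, so an attacker without the key sequence remains trapped outside the original FSM.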
2.3 IC Reverse Engineering
Reverse engineering of Integrated Circuits (ICs) is a complex process that
takes a physical device as input and outputs a human-readable specification. The process of IC reverse engineering comprises two steps, namely,
netlist extraction and specification discovery, as shown in Fig. 2.4. During
the first phase, netlist extraction, the IC is analyzed to generate a gate-level netlist description, while the specification discovery step takes the
gate-level netlist as an input and results in a partial or full understanding
of the IC’s functionality.
2.3.1 Netlist Extraction
Netlist extraction of application-specific integrated circuits (ASICs) involves a series of invasive techniques, namely, decapsulation, delayering,
imaging, and processing [95, 96]. Decapsulation removes the packaging of
the chip and exposes its internal components. During the delayering and
imaging step, the layers of the chip are removed one by one, interleaved with an
Figure 2.4: Workflow diagram of the hardware reverse engineering process
comprising two major phases: (1) netlist extraction and (2) specification discovery. The second phase includes a variety of methods and algorithms that are not
necessarily mutually exclusive [2].
image acquisition step to retrieve images of every layer via scanning electron microscopes (SEM) or transmission electron microscopes (TEM). In
the processing step, images of each layer are stitched together using image
processing software, and then the gate-level netlist is extracted by identifying the standard cells and their interconnections in the metal layers. Please
note invasive netlist extraction can only be performed by specialized labs
and takes substantial time. Scan chains can also be used as an alternative
non-invasive netlist extraction technique that provides easy access to the
circuit internals and enables learning the functions of the logic cones that
reside between the flip-flops.
2.3.2 Specification Discovery
Understanding circuits of millions of gates first requires partitioning them
into smaller sub-circuits to allow for an efficient understanding of the
high-level functionality. This step usually attempts to detect module
boundaries that were lost during synthesis. These modules can then be
investigated with structural and functional analysis methods to determine
their functionality. Structural analysis identifies a high-level description
of a previously extracted sub-circuit by, e.g., matching it against a library
of known sub-circuits. It is confined solely to topological properties and
usually pays little attention to the circuit's functionality. An alternative
to the structural approach is functional (behavioral) analysis, which
examines the underlying logic functions. We provide more details about
reverse engineering in Chapter 3.
2.4 Adversarial Attacks on Graph Machine
Learning
Graphs are ubiquitous data structures that describe pairwise relations between objects and are instrumental in modeling a wide range of complex
systems across various domains. In social sciences, for instance, graphs are
used to represent social networks; in natural sciences, they model physical
systems and protein interactions; and in computer science, they form the
backbone for organizing relational data in knowledge graphs [97], among
other applications. Graph neural networks (GNNs) have emerged as the
de facto deep learning model for processing graph-structured data [98],
achieving state-of-the-art performance across numerous graph-based machine
learning tasks such as semi-supervised node classification [39, 97, 99], link
prediction [46], and graph classification [44].
Notation: Formally, G = {V, E} represents an undirected graph with
|V| nodes and |E| edges. The topology of the graph can be represented
with an adjacency matrix A ∈ R^{|V|×|V|}, where A_{ij} = 1 if there is an
edge e_{i,j} ∈ E between nodes v_i and v_j, and A_{ij} = 0 otherwise. Each
node v_i ∈ V has an attribute (feature) vector x_i ∈ R^F, where F is the
number of node features. Let X ∈ R^{|V|×F} and Y ∈ R^{|V|×C} denote the
feature matrix and the labels of all nodes in the graph, respectively, where
C is the number of classes. Thus, a graph can be denoted as a pair {A, X}.
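As a toy illustration of this notation, the pair {A, X} for a small graph can be built directly (a minimal sketch in plain Python; the 3-node graph and 2-dimensional features are invented for illustration, not taken from the benchmarks used later):

```python
# Toy undirected graph with |V| = 3 nodes and edges (v0, v1), (v1, v2).
edges = [(0, 1), (1, 2)]
num_nodes, num_feats = 3, 2  # |V| = 3, F = 2

# Adjacency matrix A: A[i][j] = 1 iff edge (vi, vj) exists (symmetric,
# since the graph is undirected).
A = [[0] * num_nodes for _ in range(num_nodes)]
for i, j in edges:
    A[i][j] = A[j][i] = 1

# Feature matrix X in R^{|V| x F}: one F-dimensional feature row per node.
X = [[1.0, 0.0], [0.0, 1.0], [1.0, 1.0]]

print(A)  # [[0, 1, 0], [1, 0, 1], [0, 1, 0]]
```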
The graphs examined in this dissertation are homogeneous, meaning they
consist of a single type of node and edge. This contrasts with heterogeneous
graphs, which feature multiple node types (such as users and products in
user-product graphs) or multiple edge types (such as distinct bond types
in molecular graphs). The task considered herein is node classification,
where each node in the graph G belongs to a class in the label set Z. The
objective is to learn a model, based on labeled (training) nodes, that
predicts the class of unlabeled (test) nodes.
2.4.1 Graph Neural Networks
GNNs generalize traditional deep neural networks (DNNs) to graph-structured
data. The power of GNNs lies in their capability to capture the graph
structure together with the node features. Instead of only considering the
instances (nodes with their features) independently, GNNs also leverage
the relationships between them. We focus on message-passing GNNs,
where each node updates its feature by recursively aggregating and
transforming the features of its neighbors. In this framework, messages
that encode the current representation of each node are passed along the
edges of the graph. Each node aggregates the messages from its neighbors
to update its own representation. Let h_u^{(k)} denote the representation
of node u at the k-th GNN layer.

The k-th iteration of message passing is characterized by an
aggregate-update step, namely,

m_{N(u)}^{(k)} = Aggr^{(k)}({h_v^{(k-1)}, v ∈ N(u)}),   (2.1)

h_u^{(k)} = Update^{(k)}(h_u^{(k-1)}, m_{N(u)}^{(k)}),   (2.2)

where Aggr and Update are functions with learnable parameters and
m_{N(u)}^{(k)} is the message aggregated from the graph neighborhood N(u)
of u. At layer k, the Aggr function takes as input the set of embeddings
of the nodes in the neighborhood N(u) of u and generates a message
m_{N(u)}^{(k)} based on this aggregated information. The Update function
then combines this message m_{N(u)}^{(k)} with the previous embedding
h_u^{(k-1)} to generate the k-th-layer embedding h_u^{(k)} for u. The
initial embeddings, at k = 0, are the node features x_u.
Since the Aggr function operates on a multiset of neighboring nodes,
it must be permutation invariant [100]. The embeddings generated by the
final GNN layer are used for various downstream tasks, including node-level
tasks like node regression and node classification [39, 97], as well as
graph-level tasks such as graph classification [44, 101]. In node
classification tasks, GNNs are trained to ensure that nodes belonging to
the same class have similar embeddings in the latent space. Several GNN
models have explored different formulations for the Aggr and Update
functions.
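The aggregate-update step of Eqs. (2.1)-(2.2) can be sketched in a few lines of plain Python (a minimal illustration assuming a mean aggregator and a toy, parameter-free Update that averages the previous embedding with the message; actual GNNs learn both functions):

```python
# One aggregate-update iteration of message passing over a small graph.
def aggregate(neighbor_embs):
    # Mean over the multiset of neighbor embeddings (permutation invariant).
    n = len(neighbor_embs)
    dim = len(neighbor_embs[0])
    return [sum(e[d] for e in neighbor_embs) / n for d in range(dim)]

def update(h_prev, message):
    # Toy Update: average the previous embedding with the message.
    return [(hp + m) / 2 for hp, m in zip(h_prev, message)]

def message_passing_step(adj, H):
    # adj: {node: [neighbors]}, H: {node: embedding}; returns new embeddings.
    H_new = {}
    for u, nbrs in adj.items():
        m = aggregate([H[v] for v in nbrs])
        H_new[u] = update(H[u], m)
    return H_new

adj = {0: [1], 1: [0, 2], 2: [1]}          # path graph 0 - 1 - 2
H0 = {0: [1.0, 0.0], 1: [0.0, 1.0], 2: [1.0, 1.0]}
H1 = message_passing_step(adj, H0)
print(H1[1])  # [0.5, 0.75]
```

Node 1's neighbors contribute the mean [1.0, 0.5], which the toy Update blends with its previous embedding [0.0, 1.0].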
Recent studies reveal that GNNs are vulnerable to adversarial
attacks [102–106]. An adversarial attack on the graph structure introduces
unnoticeable perturbations by inserting, deleting, or rewiring edges in the
graph. Moreover, an attacker can modify the features of the nodes or add
adversarial nodes to a graph to perform the attack. Such vulnerabilities of
GNNs have raised concerns about applying them in safety-critical
applications such as financial systems and risk management. A practical
example of an adversarial attack is a credit scoring system, where
fraudsters can fake connections with several high-credit customers to evade
fraud detection models.
2.4.2 Adversarial Attack Classification
Adversarial attacks can be categorized into different types based on several
factors, namely, when the attack is performed, the attacker's knowledge,
and the attacker's goal.
Adversarial Attack Classification Based on the Time of Attack
An adversarial attack can happen during model training or inference. Based
on the time of the attack, we can classify attacks into evasion and
poisoning attacks.

Evasion Attacks: These attacks happen after the GNN model is trained,
i.e., in the inference phase. The parameters of the model are therefore
fixed. An evasion attack only changes the test data and does not require
the model to be trained on the perturbed data.

Poisoning Attacks: These attacks happen before the GNN model is trained.
The attack tries to affect the performance of the model by adding
adversarial samples to the training dataset. Most existing attacks are
poisoning attacks, with node classification performed in the transductive
learning setting.
Adversarial Attack Classification Based on Attacker’s Knowledge
An attacker's knowledge refers to how much information the attacker has
about the model they aim to attack. Usually, there are three settings:

White-box Attack: All information about the victim model, such as the
model parameters, the training data (e.g., the adjacency and attribute
matrices), and the labels, is available to the attacker. This is the
strongest form of attack.
Gray-box Attack: The attacker has access to the training data and
the labels but does not have access to the model parameters. The attacker
utilizes the training data to train surrogate models which are then used to
perform the adversarial attack.
Black-box Attack: Here, the attacker has access to neither the model's
parameters nor the training data and labels. The attacker can issue
black-box queries to the model to obtain data, which can then be used to
train a surrogate model for performing the attack.
Adversarial Attack Classification Based on Attacker’s Goal
According to the attacker's goal, we can organize attacks on node-level classification into the following two categories:
Targeted Attack: The attacker aims to make the trained model misclassify a targeted set of test samples. We can further organize targeted
attacks into (1) direct attacks, where the attacker directly modifies the
features or edges of the target nodes and (2) influence attacks, where the
attacker can only manipulate other nodes to influence the targets.
Untargeted Attack: The attacker aims to insert perturbations such
that the trained model exhibits degraded overall performance on all test data.
Chapter 3
Graph Neural Network-Based
State Register Identification
for Circuit
Reverse-Engineering
In this chapter, we present a learning-based methodology that combines
GNNs with structural analysis to classify the registers of a circuit and
enable reverse engineering of the design. We first provide the introduction
and motivation behind using GNNs for the task of register classification.
In Sections 3.2 and 3.3, we discuss the related work and provide background
notions at the basis of our technique. We describe the learning-based
register classification methodology in Section 3.4 and its detailed
evaluation in Section 3.5. Finally, we conclude in Section 3.6.
3.1 Introduction
Reverse-engineering is a tool that can restore trust in the supply chain by
enabling the identification of malicious modifications in a design, the
verification of an IP's implementation, and the detection of its
infringement. Hardware reverse-engineering consists of extracting the
functionality of a design through multiple automated or manual analysis
steps. A gate-level netlist can be obtained from a fabricated chip via
decapsulation, delayering, imaging, and post-processing [68, 95, 107].
Netlist reverse-engineering usually includes the identification of
data-path and control logic. The control
logic is responsible for generating control signals that govern the behavior
of the data path while the data path is responsible for processing input
data to produce the desired output data [108–110]. Multiple techniques
have been proposed over the years for reverse-engineering data paths by
exploiting their regularity and high degree of replication, such as template
matching [111], behavioral matching of an unknown sub-circuit against a
library of abstract components [112], and machine learning (ML)-based
circuit recognition [113, 114]. On the other hand, the control logic is generally highly specialized and varies from design to design, which makes it
difficult to apply the techniques above. Reverse-engineering the control
logic involves the identification of the state registers in the design followed
by the extraction of a finite state machine (FSM), by recovering the state
transition graph (STG) [115–118] of the circuit. Correct identification of
the state registers is, therefore, instrumental in retrieving the correct FSM.
Among the techniques proposed in the literature to identify the state
registers in a design [119–122], RELIC [119] and FastRELIC [120] are based
on the detection of similarities between the topologies of the registers’ fan-in
circuits. However, they tend to depend on fine-tuning of a set of configuration parameters for each circuit to achieve high accuracy. When little
or no information is available about a design, it becomes challenging to
converge on the parameter values that can lead to the best result. More
recently, a new technique [122] has been proposed to identify state registers
by analyzing the scan-chain data when no gate-level netlist is available.
Inspired by the success of state-of-the-art deep learning (DL) techniques in solving challenging problems across diverse fields, we present
ReIGNN (Register Identification Using Graph Neural Networks), a novel
learning-based technique for classifying state and data registers in a netlist.
ReIGNN combines Graph Neural Networks (GNNs) with structural analysis to achieve high classification accuracy and generalization capabilities
across different designs. GNNs are deep learning models that operate directly on graphs and leverage the graph structure, the properties of the
nodes, and the characteristics of their neighborhoods to perform different
graph-related learning and inference tasks like node classification, graph
Figure 3.1: High-level overview of the graph learning-based state register identification technique ReIGNN. The netlist of a design is converted into a graph
and processed by the graph neural network to classify the registers as state and
data registers.
classification, and link prediction. By mapping the circuit gates and registers to graph nodes and their connections to graph edges, the register
classification task directly translates into a node classification problem.
As shown in Fig. 3.1, ReIGNN automatically abstracts the circuit netlist
as a graph and associates each graph node with a feature vector that captures information about its functionality and connectivity. We train the
GNN to process these graphs and learn to discriminate between state and
data register nodes. The trained GNNs can then be used to classify the registers of new benchmark netlists. Finally, we perform structural analysis
of the netlist and, specifically, identification of strongly connected components that include registers in the graph, to further improve the accuracy of the GNN predictions and rectify misclassifications. To the best
of our knowledge, this is the first GNN-based circuit register classification
method. Empirical results on a dataset containing standard circuit designs
show that ReIGNN can achieve, on average, 97.87% balanced accuracy and
98% sensitivity across different designs.
Figure 3.2: Block diagram of an FSM. In a Moore machine, the output function
logic depends on the current state only. In a Mealy machine, the output is a
function of both the current state and the input (dotted line).
3.2 Related Work
We briefly review the existing state register identification techniques as well
as the applications of graph learning techniques in reverse-engineering.
Register Classification Techniques
Control logic reverse-engineering aims at extracting an FSM from the gate-level netlist [117, 120]. The first and often most critical step in FSM extraction is correctly classifying the state and data registers in the design.
Many techniques have been proposed to perform this task. A register can
be classified as a state register if it has a feedback path [116], based on the
observation that the state registers in an FSM always have a logic path
from their output to the input, as shown in Fig. 3.2. However, the accuracy
of a technique exclusively based on this rule tends to be poor, since it
neglects that many data-path designs employ data registers with feedback
paths. Shi et al. [115] improve the classification accuracy by eliminating
all candidate state registers that do not affect a control signal
like the select line of a multiplexer or the enable input of a register. More
recently, the reset signal, control behavior, and feedback path information
of the registers have been used together with strongly connected component (SCC) analysis to improve on the results of previous methods [118].
While ReIGNN leverages graph algorithms and SCC, it differs from previous techniques in that it also uses the structural and functional properties
associated with the registers in the netlist.
Another category of reverse-engineering techniques compares the registers'
fan-in circuits either topologically or functionally to determine the type
of registers, by exploiting the fact that replication of circuit structures
occurs naturally in the implementation of multi-bit data-path designs.
RELIC [119] performs a similarity test between all pairs of registers'
fan-in circuits to identify possible state registers. Given two registers,
it computes a "similarity" score between 0 and 1 that indicates how
topologically similar the two registers' fan-in logic cones are.
Intuitively, data-path registers
may be clustered into groups that implement the same functionality, hence
they have similar fan-in structure. On the other hand, state registers do
not generally have similar fan-in circuit structures because the FSM state
transitions tend to depend on unique logic conditions. Different state registers tend to relate to different transition logic blocks. The registers are
then classified based on pre-defined threshold values and similarity scores.
FastRELIC [120] improves the performance of RELIC by reducing the number of register pair comparisons and by considering not only the similarity
between the registers’ original fan-in circuits, but also the similarity between the original and the inverse fan-in circuits, obtained by replacing the
AND and OR gates with OR and AND gates, respectively, and inverting
the inputs [123] of the original fan-in circuits. A greedy register clustering algorithm is used to group the registers based on the similarity of the
structure of their fan-in circuits. Instead of comparing each register with
every other register in the design, the comparison is performed with only
one member of a cluster. The worst-case complexity of FastRELIC is the
same as that of RELIC.
Subramanyan et al. [124, 125] compare the registers' fan-in logic functions
rather than their structure. Cut-based Boolean function matching is used to
find replicated bit-slices in the netlist so that all the data registers
can be identified and aggregated into words. A bit-slice is a Boolean
function with one output and a small number of inputs. RELIC-FUN [121] uses
the same algorithmic approach but focuses on finding registers whose fan-in
logic implements different functions. Unlike these techniques [119–121],
ReIGNN does not require pairwise comparisons of the structure or function
of the registers' fan-in circuits or pre-calibration of threshold values
for similarity scores, since the registers of an unknown circuit are
directly classified by the trained GNN.
Application of DL in Reverse-Engineering
DL has been recently used for different tasks in the context of hardware
security, e.g., to reverse-engineer the functionality of data-path building
blocks [107, 113], to detect HTs [126, 127], and to attack logic locking [64,
128–131]. Our work is different, since it uses DL models, and specifically
GNNs, for classifying the registers in a netlist, which is the first step toward
reverse-engineering the circuit control logic.
3.3 Preliminaries
This section outlines some background concepts that will be used throughout the chapter. We model the control logic of a circuit as a finite state
machine [118].
Definition 1 (FSM). An FSM is a 6-tuple (S, I, s0, δ, O, ω) where S is the
finite set of states, I is the finite set of inputs, O is the finite set of outputs,
s0 ∈ S is the initial state, δ : S × I → S is the state transition function
which determines the next state depending on the input and the current
state, and ω is the output function logic.
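For illustration, the 6-tuple of Definition 1 can be encoded directly, e.g., as Python dictionaries (the two-state parity machine below is a made-up example, not one of the dissertation's benchmarks):

```python
# A Moore machine tracking the parity of 1s seen so far:
# S = {even, odd}, I = {0, 1}, s0 = even, output 1 iff the count is odd.
S = {"even", "odd"}
I = {0, 1}
s0 = "even"
delta = {("even", 0): "even", ("even", 1): "odd",
         ("odd", 0): "odd", ("odd", 1): "even"}   # transition function δ
omega = {"even": 0, "odd": 1}  # Moore: output depends on current state only

def run(inputs):
    state = s0
    for x in inputs:
        state = delta[(state, x)]
    return omega[state]

print(run([1, 0, 1, 1]))  # odd number of 1s -> 1
```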
In Moore machines, the output function logic depends only on the current state (ω : S → O); in Mealy machines, the output depends on both the
current state and input (ω : S × I → O). All the state registers in an FSM
are connected to the same clock signal, which is used to trigger the FSM
reaction. The states can be encoded using different styles to meet
different design goals. Commonly used state encoding styles are one-hot
encoding and binary encoding. In one-hot encoding, |S|-bit registers are
required to represent the state, |S| being the cardinality of the set S.
The number of required registers is higher than with binary encoding,
which only uses ⌈log2 |S|⌉-bit registers [132]. However, the complexity of
the next-state logic tends to be lower when adopting one-hot encoding. In
this chapter, we denote a memory element that stores one bit of the encoded
state of a circuit FSM as a state register. All other memory elements in
the design are denoted as data registers.
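The register counts implied by the two encoding styles can be checked with a one-line computation per style (a small sketch; the state counts below are arbitrary examples):

```python
import math

# One-hot encoding needs |S| registers; binary encoding needs ceil(log2 |S|).
def one_hot_registers(num_states):
    return num_states

def binary_registers(num_states):
    return math.ceil(math.log2(num_states))

for n in (4, 5, 16):
    print(n, one_hot_registers(n), binary_registers(n))
# e.g., 5 states need 5 one-hot registers but only 3 binary-encoded ones
```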
3.3.1 RELIC
We detail RELIC [119], which will be used as a reference method to compare
with ReIGNN. RELIC pre-processes a gate-level netlist such that it contains
only AND, OR, and INV gates, to ensure that similar logic functions are
represented by similar circuit structures [119]. A topological similarity
test is then performed on the pre-processed netlist to calculate the
similarity score between every register pair, as computed by the
SimilarityScore function in Algorithm 1. The calculated similarity score
lies between 0 (no similarity) and 1 (identical fan-in circuit structure).

RELIC first creates a bipartite graph with the fan-in nodes of the two
registers. The fan-in nodes are then compared recursively and, if their
similarity score is above a pre-defined threshold T1, an edge is added to
the bipartite graph. To avoid a large number of recursive calls to the
SimilarityScore function, the analysis of the fan-in circuits is limited
to a maximum depth d. A maximal matching algorithm is then executed on the
bipartite graph to generate the similarity score between the two registers.
A maximal matching of a graph is a largest possible subset of edges such
that no two edges in the subset share a common vertex. The function
MaxMatching(G) returns the cardinality of the maximal matching in graph G.
If this similarity score is above T2, then the similarity count of both
registers is incremented by one. Finally, if the similarity count of a
register is above T3, then it is classified as a data register. RELIC
requires the user to define these three threshold parameters, T1, T2, and
T3, together with the depth d of the fan-in circuits.
3.3.2 Graph Neural Networks
Deep learning architectures like convolutional neural networks
(CNNs) [133] and recurrent neural networks (RNNs) [134] have revolutionized the way we perform different tasks like image classification [135, 136],
object detection [137], speech recognition [138], and natural language
processing [139]. On the other hand, GNNs have become the de facto
model for processing graph-structured data [98].
GNNs rely on effective methods to encode and process information
about the nodes in a graph and their neighborhoods to learn and infer
helpful information about the nodes themselves. Node representations (or
embeddings) are iteratively updated based on the information from their
neighbors, and then used to make predictions [39, 97].
Let G = (V, E) denote a graph defined by a set of nodes V and a set of
edges E connecting the nodes. An edge going from node u ∈ V to a node
v ∈ V is denoted by (u, v) ∈ E. The neighborhood of a node v is denoted by
N(v). The attribute or feature associated with node v is denoted by
x_v ∈ R^n, and X ∈ R^{|V|×n} represents the node feature matrix of G.
GNNs use message-passing algorithms to propagate information between
nodes. Messages encoding the current representation of each node are
Algorithm 1 RELIC
Input:
    graph: the graph generated from the netlist
    registers: the list of registers in the netlist
    T1, T2, T3: three threshold values selected by the user to tune the result of RELIC
    d: depth of the registers' fan-in logic circuits

function SimilarityScore(i, j, d, T1)
    max_children ← max(i.num_children, j.num_children)
    min_children ← min(i.num_children, j.num_children)
    if i.type ≠ j.type then
        return 0
    if d = 0 then
        return min_children / max_children
    insert all children nodes of i and j into a new bipartite graph G
    for a ∈ i.children do
        for b ∈ j.children do
            score ← SimilarityScore(a, b, d − 1, T1)
            if score > T1 then
                add edge between a and b in G
    return MaxMatching(G) / max_children

function ClassifyRegister(graph, registers, d, T1, T2, T3)
    n ← length of registers
    sim_score ∈ R^{n×n}; pair_cnt ∈ Z^n; register_type ∈ {control, data}^n
    for i ∈ registers do
        for j ∈ registers do
            if i = j then
                sim_score[i][j] ← 1
            else
                sim_score[i][j] ← SimilarityScore(i, j, d, T1)
                if sim_score[i][j] > T2 then
                    pair_cnt[i] ← pair_cnt[i] + 1
                    pair_cnt[j] ← pair_cnt[j] + 1
    for reg ∈ registers do
        if pair_cnt[reg] ≤ T3 then
            register_type[reg] ← control
        else
            register_type[reg] ← data
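For concreteness, the SimilarityScore routine of Algorithm 1 can be sketched as runnable Python (an illustrative simplification: fan-in cones are assumed tree-shaped, identical leaf types score 1.0 by an added convention, and a greedy maximal matching stands in for the MaxMatching routine, so scores may underestimate a true maximum matching):

```python
# Sketch of RELIC's SimilarityScore on tree-shaped fan-in circuits.
class Node:
    def __init__(self, type_, children=()):
        self.type = type_
        self.children = list(children)

def similarity_score(i, j, d, t1):
    if i.type != j.type:
        return 0.0
    max_c = max(len(i.children), len(j.children))
    min_c = min(len(i.children), len(j.children))
    if max_c == 0:          # both leaves of identical type (added convention)
        return 1.0
    if d == 0:              # depth budget exhausted: compare fan-in widths
        return min_c / max_c
    # Bipartite edges between sufficiently similar children, then a greedy
    # maximal matching (not necessarily a maximum matching).
    edges = []
    for a in i.children:
        for b in j.children:
            if similarity_score(a, b, d - 1, t1) > t1:
                edges.append((a, b))
    matched_a, matched_b, matching = set(), set(), 0
    for a, b in edges:
        if id(a) not in matched_a and id(b) not in matched_b:
            matched_a.add(id(a)); matched_b.add(id(b)); matching += 1
    return matching / max_c

# Two registers with identical AND(INV, INV) fan-in cones, one with OR(INV).
r1 = Node("AND", [Node("INV"), Node("INV")])
r2 = Node("AND", [Node("INV"), Node("INV")])
r3 = Node("OR", [Node("INV")])
print(similarity_score(r1, r2, d=2, t1=0.5))  # 1.0
print(similarity_score(r1, r3, d=2, t1=0.5))  # 0.0 (root types differ)
```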
(a)
(b)
Figure 3.3: Pictorial representation of a 2-layer GNN processing a graph:
(a) each layer processes each node in the graph, colored in the picture;
(b) processing node d in layer 1 involves aggregating the embeddings of
node d's neighbors and using them to update the embedding of node d.
passed along the edges of the graph, and the messages received at each
node from its neighbors are aggregated to update the node representation.
We denote by h_u^{(k)} the representation of node u at the k-th GNN layer.

The k-th iteration of message passing is characterized by an
aggregate-update step, namely,

m_{N(u)}^{(k)} = Aggr^{(k)}({h_v^{(k-1)}, v ∈ N(u)}),   (3.1)

h_u^{(k)} = Update^{(k)}(h_u^{(k-1)}, m_{N(u)}^{(k)}),   (3.2)

where Aggr and Update are functions with learnable parameters and
m_{N(u)}^{(k)} is the message aggregated from the graph neighborhood N(u)
of u. At layer k, the Aggr function takes as input the set of embeddings
of the nodes in the neighborhood N(u) of u and generates a message
m_{N(u)}^{(k)} based on this aggregated information. The Update function
then combines this message m_{N(u)}^{(k)} with the previous embedding
h_u^{(k-1)} to generate the k-th-layer embedding h_u^{(k)} for u.
Fig. 3.3b pictorially represents a message-passing step to update the
embedding of a given node in a graph. The initial embeddings, at k = 0,
are the node features x_u.
The Aggr function takes a multiset as input and should be permutation
invariant [100]. The node embeddings generated by the final GNN layer are
then used for different downstream tasks, which include both node-level
tasks, like node regression and node classification [39, 97], and
graph-level tasks, like graph classification [44, 101]. In the case of
node classification tasks, GNNs are trained such that the embeddings of
the nodes of a given class are close to each other in the latent space.
In this work, we leverage GNNs by casting the problem of classifying the
registers in a netlist as a node classification problem. Several GNN
models exploring different formulations for the Aggr and Update functions
have been proposed. We discuss some of these below.
GraphSAGE

At each iteration k of message propagation, the GraphSAGE [97] layer
updates the node embedding h_v^{(k)} of node v as

h_v^{(k)} ← σ(W_1^k h_v^{(k-1)} + m_{N(v)}^{(k)}),

m_{N(v)}^{(k)} = W_2^k aggr({h_u^{(k-1)}, ∀u ∈ N(v)}),

where W_1^k, W_2^k are the learnable weight matrices associated with the
k-th GraphSAGE layer, aggr is the aggregate function, σ(·) is the rectified
linear unit (ReLU) activation function, and h_u^{(k)} represents the
embedding of node u at the k-th layer. The aggregate function is symmetric.
Examples of aggregate functions are mean, sum, and max [97], where the mean
aggregator takes the element-wise mean, sum takes the element-wise sum, and
max takes the element-wise maximum of the vectors in
{h_u^{(k-1)}, ∀u ∈ N(v)}. GraphSAGE is an isotropic GNN, as every
neighboring node contributes equally to the update of the embedding of the
node under consideration.
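A GraphSAGE-style update with a mean aggregator can be sketched as follows (the 2×2 weight matrices and toy embeddings are illustrative; in practice W1 and W2 are learned):

```python
# One GraphSAGE-style update: h_v' = ReLU(W1 h_v + W2 * mean(neighbors)).
def matvec(W, x):
    return [sum(wij * xj for wij, xj in zip(row, x)) for row in W]

def relu(x):
    return [max(0.0, xi) for xi in x]

def sage_update(h_v, neighbor_embs, W1, W2):
    n = len(neighbor_embs)
    mean = [sum(e[d] for e in neighbor_embs) / n for d in range(len(h_v))]
    m = matvec(W2, mean)                      # message from the neighborhood
    return relu([a + b for a, b in zip(matvec(W1, h_v), m)])

W1 = [[1.0, 0.0], [0.0, 1.0]]   # identity, for readability
W2 = [[0.5, 0.0], [0.0, 0.5]]
h_v = [1.0, -2.0]
neighbors = [[2.0, 0.0], [0.0, 2.0]]
print(sage_update(h_v, neighbors, W1, W2))  # [1.5, 0.0]
```

Note that every neighbor enters the mean with the same weight, which is exactly the isotropy discussed above.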
Graph Attention Network

Unlike GraphSAGE, the graph attention network (GAT) is an anisotropic GNN,
since each neighboring node contributes differently to the update of the
embedding of the node under consideration. At each iteration k of message
passing, the GAT layer updates the embedding h_v^{(k)} of node v by
following a self-attention strategy:

h_v^{(k)} ← σ(α_{v,v} W^k h_v^{(k-1)} + Σ_{∀u∈N(v)} α_{v,u} W^k h_u^{(k-1)}),

where α_{v,u} = f^k(h_v^{(k-1)}, h_u^{(k-1)}) is the attention coefficient
that specifies how much the neighboring node u contributes to the updated
embedding of node v [99]. Self-attention is an attention mechanism for
relating the different neighbors of a node to compute the updated
representation of the node [140]. f^k is a parameterized function whose
weights are learned during training. α_{v,u} is computed as

α_{v,u} = exp(LeakyReLU(a^T [W^k h_v^{(k-1)} || W^k h_u^{(k-1)}])) /
          Σ_{∀u′∈N(v)} exp(LeakyReLU(a^T [W^k h_v^{(k-1)} || W^k h_{u′}^{(k-1)}])),

where a single-layer feedforward neural network (perceptron), parameterized
by a and followed by a LeakyReLU non-linearity, is used as the attention
mechanism [99, 140], the superscript T denotes transposition, || denotes
the concatenation operation, and exp is the exponential function.
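The attention coefficients α_{v,u} can be sketched as a softmax over LeakyReLU scores (an illustrative simplification: W is taken as the identity, the vector a is fixed rather than learned, and only the neighbor coefficients are computed):

```python
import math

def leaky_relu(x, slope=0.2):
    return x if x > 0 else slope * x

def attention_coeffs(h_v, neighbor_embs, a):
    # score(u) = LeakyReLU(a^T [h_v || h_u]); W omitted (identity).
    scores = [leaky_relu(sum(ai * xi for ai, xi in zip(a, h_v + h_u)))
              for h_u in neighbor_embs]
    z = sum(math.exp(s) for s in scores)
    return [math.exp(s) / z for s in scores]  # softmax: sums to 1

h_v = [1.0, 0.0]
neighbors = [[1.0, 0.0], [0.0, 1.0]]
a = [0.5, 0.5, 1.0, 0.0]   # illustrative fixed attention vector
alphas = attention_coeffs(h_v, neighbors, a)
print(alphas, sum(alphas))  # two coefficients summing to 1.0
```

The softmax normalization is what makes the contributions anisotropic: here the first neighbor scores higher and thus receives a larger coefficient.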
Figure 3.4: ReIGNN methodology.
Graph Isomorphism Network

More recently, a new class of GNNs has been introduced that aims to
overcome the theoretical limitations of the previous ones [141–143]. A
theoretical framework for analyzing the expressive power of different GNNs
in learning to represent and distinguish between different graph
structures, developed by Xu et al. [141], shows that existing GNNs cannot
learn to distinguish certain simple graph structures. The framework is
inspired by the close connection between GNNs and the Weisfeiler-Lehman
(WL) graph isomorphism test [144]. Based on this framework, the Graph
Isomorphism Network (GIN) [141] was proposed. A GIN layer k updates the
embedding h_v^{(k)} as

h_v^{(k)} ← MLP^k((1 + ϵ_k) h_v^{(k-1)} + Σ_{∀u∈N(v)} h_u^{(k-1)}),

where MLP denotes a multi-layer perceptron and ϵ_k is a learnable parameter.
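A GIN-style update can be sketched as follows (illustrative: a fixed ϵ and a stand-in one-layer "MLP" consisting of identity weights followed by ReLU replace the learned components):

```python
# One GIN-style update: MLP((1 + eps) * h_v + sum of neighbor embeddings).
def gin_update(h_v, neighbor_embs, eps=0.1):
    agg = [sum(e[d] for e in neighbor_embs) for d in range(len(h_v))]
    pre = [(1 + eps) * hv + a for hv, a in zip(h_v, agg)]
    return [max(0.0, x) for x in pre]   # stand-in MLP: identity + ReLU

h_v = [1.0, -1.0]
neighbors = [[1.0, 0.0], [0.0, -1.0]]
print(gin_update(h_v, neighbors))
```

Sum aggregation (rather than mean or max) is what lets GIN distinguish neighborhoods that differ only in multiplicity, mirroring the WL test.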
3.4 Proposed State Register Identification
Technique Using Graph Neural Networks
Fig. 3.4 illustrates the overall flow of ReIGNN. We first train the GNN
pipeline with a set of benchmarks and then leverage the trained GNN to
perform inference on new netlists. The first step in training is to transform
a circuit netlist into a graph and associate the graph nodes with feature
vectors and labels as described in Section 3.4.1. These graph benchmarks
are used for learning the weight parameters of the GNN layers and the
MLP. Once the model is trained, it is used for inference, i.e., to compute
the predicted labels for the register nodes in the test designs. We further
improve the classification accuracy by performing structural analysis. We
detail these steps below.
3.4.1 Node Feature Identification and Extraction
We translate a gate-level netlist into a generic, technology-independent
representation in terms of a graph G, where the gates are the nodes and
the wires connecting the gates become the edges. Unlike previous register
identification techniques [119, 120], ReIGNN does not require processing
the netlist to only include AND, OR, and INV cells. An example of a
circuit netlist and its corresponding graph is shown in Fig. 3.5a.
Each node in the graph is then associated with a feature vector capturing functional properties of the logic cells and node-level statistics of the
graph. The feature vector x of a node contains the following information:
(a) node type, (b) node in-degree, (c) node out-degree, (d) node betweenness centrality, (e) node harmonic centrality, and (f) number of different
types of gates appearing in the neighborhood of the node. We use one-hot
encoding to represent the node type, i.e., the logic gate type. For example,
(a)
(b)
Figure 3.5: ReIGNN methodology workflow (a) Feature vector extraction and
representation for the node a in the netlist sub-graph, (b) GNN training pipeline.
if a library has in total 10 different types of logic cells, then we have a
10-dimensional vector representing the node type. Changes in the library
may then impact |x|. The node in-degree is the number of incoming neighbors, while the node out-degree is the number of outgoing neighbors. The
betweenness centrality and harmonic centrality of a node in a graph are
defined as follows.
Definition 2 (Betweenness Centrality [145]). The betweenness centrality of
a node v is the sum of the fractions of all-pairs shortest paths that pass
through v, i.e.,

C_bc(v) = Σ_{x,y∈V} σ(x, y | v) / σ(x, y),   (3.3)

where σ(x, y) is the number of shortest paths between nodes x and y and
σ(x, y | v) is the number of those paths passing through the node v, with
v ≠ x, y.

Definition 3 (Harmonic Centrality [146]). The harmonic centrality of a
node v is the sum of the reciprocals of the shortest path distances from
all other nodes to v, i.e.,

C_hc(v) = Σ_{u≠v} 1 / d(u, v),   (3.4)

where d(u, v) is the shortest path distance between u and v.
Intuitively, the betweenness centrality quantifies the number of times a
node acts as a bridge along the shortest paths between any two other nodes.
Nodes with high betweenness centrality usually have more influence over
the information flowing between other nodes. Since the control logic in a
design is in charge of sending signals to control the data-path blocks, the
betweenness centrality is expected to be higher for the state registers than
the data registers. Computing the betweenness centrality is quadratic in
the number of nodes in a graph. However, we can reduce the computational
cost by resorting to an approximate betweenness centrality metric [145]. On
the other hand, the harmonic centrality of a node is inversely proportional
to the average distance of the node from all other nodes. The harmonic
centrality of state registers is also expected to be higher than the one of data
registers, since signals originating from state registers are responsible for
controlling the operation of the data registers distributed across the design,
while data registers only interact with the neighboring registers. Fig. 3.5
shows an example feature vector associated with a node a in the graph.
For the training and validation dataset, we also have labels y associated
with the nodes in the graph. Hence, the training and validation set is a
set of graphs such that each node is provided with a feature vector and we
have labels for the register nodes.
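As an illustration, the feature extraction described above can be sketched with the networkx package (a simplified sketch, not the dissertation's implementation; the function and the `gate_types` input are hypothetical, and passing `k_samples` to `betweenness_centrality` yields the sampled, approximate variant mentioned above):

```python
import networkx as nx

def node_features(G, gate_types, k_samples=None):
    """Sketch: per-node feature vectors for a netlist DiGraph G.
    `gate_types` maps each node to its library cell name (hypothetical input)."""
    cells = sorted(set(gate_types.values()))          # library cell vocabulary
    # Approximate betweenness by sampling k pivot nodes (k=None -> exact).
    bc = nx.betweenness_centrality(G, k=k_samples)
    hc = nx.harmonic_centrality(G)
    feats = {}
    for v in G.nodes:
        one_hot = [1.0 if gate_types[v] == c else 0.0 for c in cells]
        # Count each cell type among the node's fan-in and fan-out neighbors.
        nbrs = set(G.predecessors(v)) | set(G.successors(v))
        nbr_counts = [sum(gate_types[u] == c for u in nbrs) for c in cells]
        feats[v] = one_hot + [G.in_degree(v), G.out_degree(v),
                              bc[v], hc[v]] + nbr_counts
    return feats
```

Sampling pivot nodes is the usual way to keep betweenness computation tractable on large netlist graphs.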
3.4.2 Graph Learning Pipeline
Once the training set is created, the next step is to train the GNN model
which processes the graph data and generates the labels for the register
nodes, as illustrated in Fig. 3.5b. A previous version of ReIGNN [64]
converted the circuit netlist into an undirected graph, implying that no
distinction was made between the fan-in and fan-out neighbors of a node.
Messages from these neighbors were aggregated following (3.1) and the embedding of the node was updated following (3.2). In the current version, we
also incorporate information about the direction of the edges in a circuit
netlist and convert the netlists into directed graphs. This enables differentiating between the fan-in and fan-out neighbors of a node. To enable
a node to aggregate messages from both fan-in and fan-out neighbors, we
create a graph G^T corresponding to the directed graph G, where G^T contains a directed edge (u, v) between nodes u and v if and only if G contains the edge (v, u). Then, we train two GNNs in parallel, one with G and the other with G^T, to generate two embeddings for each node:

h^(k)_u(FI) = Update^(k)(h^(k−1)_u, m^(k)_{N_FI(u)}),   (3.5)

h^(k)_u(FO) = Update^(k)(h^(k−1)_u, m^(k)_{N_FO(u)}),   (3.6)

where h^(k)_u(FI) and h^(k)_u(FO) are the updated embeddings for node u generated by aggregating messages from the fan-in (N_FI(u)) and fan-out (N_FO(u)) neighbors, respectively. The final embedding of each node is then generated by combining both h^(k)_u(FI) and h^(k)_u(FO):

h^(k)_u = Combine^(k)(h^(k)_u(FI), h^(k)_u(FO)),   (3.7)
where the Combine function is the sum operation in our setup. Following the final GNN layer, an MLP layer with Softmax activation processes the final node embeddings h^fin_v to produce the prediction Softmax(MLP(h^fin_v)), which provides a measure of the “likelihood” of the two classes, i.e., ‘state’ and ‘data’ register. The class with the higher likelihood is taken as the prediction.
A circuit graph contains both logic gates and registers. While all nodes
and their incident edges in the graph are considered in the message passing
operations to generate the embeddings, only the final layer embeddings
h^fin_v
of the register nodes are used to compute the loss function. To train
the model, we use the negative log-likelihood loss and follow a systematic
approach to determine hyper-parameters like GNN type, number of GNN
layers, and node embedding dimension, as detailed in Section 3.5.
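The bidirectional message passing of (3.5)–(3.7) can be illustrated with a small numpy sketch (the actual model is built with PyTorch Geometric; the weight matrices and the final ReLU below are illustrative stand-ins for the Update function, not the dissertation's exact layer):

```python
import numpy as np

def bidirectional_layer(H, A, W_self, W_fi, W_fo):
    """Sketch of one bidirectional GNN layer (eqs. 3.5-3.7).
    H: (n, d) node embeddings; A[i, j] = 1 iff edge j -> i (fan-in adjacency).
    W_*: (d, d') weight matrices, illustrative stand-ins for Update."""
    def mean_agg(adj):
        deg = adj.sum(axis=1, keepdims=True)
        return adj @ H / np.maximum(deg, 1)          # mean over neighbors
    h_fi = H @ W_self + mean_agg(A) @ W_fi           # messages over G (fan-in)
    h_fo = H @ W_self + mean_agg(A.T) @ W_fo         # messages over G^T (fan-out)
    return np.maximum(h_fi + h_fo, 0)                # Combine = sum, then ReLU
```

Transposing the fan-in adjacency matrix plays the role of the reversed graph G^T, so the same layer code serves both directions.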
3.4.3 Post Processing
We leverage structural information associated with the gate-level netlist
graphs to further improve the classification accuracy of ReIGNN. As shown
in Fig. 3.2, the state registers in the control logic of a design must have a
feedback path and they should all be part of a strongly connected component (SCC) [118], defined as follows.
Definition 4 (Strongly Connected Component). A strongly connected
component of a directed graph G is a maximal subset of vertices in V such
that for every pair of vertices u and v, there is a directed path from u to v
and a directed path from v to u.
An SCC in a graph can be obtained using Tarjan’s algorithm [147].
After the GNN prediction, we use the circuit connectivity information to
rectify any misclassifications of state registers. In particular, we check if a
register identified by the GNN as a state register is part of an SCC and has
a feedback loop. If either of these criteria is not satisfied, we safely reclassify
the register as a data register.
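A minimal sketch of this post-processing step, assuming networkx is available (function and argument names are hypothetical):

```python
import networkx as nx

def postprocess(G, predicted_state_regs):
    """Sketch of ReIGNN's post-processing: a register predicted as a state
    register is kept only if it has a feedback path, i.e., it lies on a
    cycle (a non-trivial SCC or a self-loop); otherwise it is safely
    relabeled as a data register."""
    nontrivial = [c for c in nx.strongly_connected_components(G) if len(c) > 1]
    on_cycle = set().union(*nontrivial) if nontrivial else set()
    return {r for r in predicted_state_regs
            if r in on_cycle or G.has_edge(r, r)}
```

networkx computes the SCCs with a linear-time algorithm in the spirit of Tarjan's, so this check is cheap even for large netlist graphs.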
Table 3.1: Overview of the Benchmarks

Design Name         No. Inputs  No. Registers  No. State Registers  No. Gates
aes⋆                45          2994           15                   29037
siphash⋆            44          794            8                    6214
sha1⋆               516         1526           3                    11822
fsm⋄                17          15             7                    166
gpio⋄               111         51             11                   311
memory⋄             173         75             7                    881
uart∧               12          69             10                   469
cr_div∧             99          4172           4                    34218
altor32_lite∧       39          1249           6                    13111
gcm_aes∧            267         1697           10                   34496
cfi_ctrl∧           90          169            18                   1459
hight_core∧         198         134            38                   3736
ima_adpcm_encoder∧  19          96             6                    2078
pid_ctrl∧           53          397            12                   5464
rc4_probs∧          10          2145           5                    45794
simple_spi∧         16          131            3                    729
3.5 Evaluation
This section provides details about the dataset, evaluation metrics, and
GNN pipeline architecture. It then reports the performance of ReIGNN
on different benchmarks by comparing it with an implementation of the
RELIC algorithm [119] as in Algorithm 1. Finally, it provides an ablation
study on the node features and on how ReIGNN performs when we replace
the GNN layers with other GNN models. ReIGNN is implemented in Python
and uses the Pytorch Geometric package [148] for implementing the graph
learning model. Training and testing of the model were performed on
a server with an NVIDIA GeForce RTX 2080 graphics card, 48 2.1-GHz
processor cores, and 500-GB memory.
3.5.1 Dataset Creation
We assess the performance of ReIGNN on a set of 16 reference benchmark
circuits, which are frequently used in the literature [119, 120, 122]. As
summarized in Table 3.1, the benchmarks include designs from OpenCores
(∧) [149], the secworks GitHub repository (⋆) [150], and blocks from a 32-bit
RISC-V processor and a 32-bit microcontroller (⋄) [151]. We synthesized
these benchmark circuits using Synopsys Design Compiler with a 45-nm
Nangate open cell library [152]. We considered both a one-hot encoded
FSM and a binary encoded FSM version of each design while creating the
dataset. Table 3.1 shows the number of inputs, total number of registers,
and the number of state registers for the one-hot encoded version of the
designs. We get the number of inputs and total number of registers in a
design from the synthesized netlist, while the number of state registers is
obtained from the RTL description.
Different synthesis constraints are used to synthesize different versions
of the benchmark circuits in Table 3.1. Specifically, each benchmark in
the table is synthesized according to 4 different constraint configurations,
resulting in a total of 64 different circuit designs, providing the one-hot
encoded dataset. We use different synthesis constraints to achieve different neighborhood configurations for the nodes in the circuit. The binary
encoded dataset, which also contains 64 benchmarks, is generated in a similar way. ReIGNN transforms the netlists into graphs and associates each
node in the graphs with a feature vector. The one-hot encoded dataset
contains in total 618,602 nodes and 1,123,713 edges, while the binary encoded dataset has 616,001 nodes and 1,119,637 edges. We use the RTL
description of the netlists to obtain the labels for the register nodes in the
graphs. For the Nangate library, the size of the feature vector x of each
node is 26, considering all the features mentioned in Section 3.4.1.
3.5.2 Evaluation Method and Metrics
We perform classification tasks on an independent set of netlists, which
excludes the ones used for training and validation. Specifically, we use k-fold cross validation [153], where the data is initially divided into k bins
and the model is trained using k − 1 bins and tested on the k-th bin. This
process is repeated k times and each time a new bin is considered as the
test set. In our case, the 4 different versions of a design create the test
set each time. For example, when reporting the performance on the aes
benchmark in the one-hot encoded dataset, 4 different aes graphs create
the test set, while the remaining one-hot encoded benchmark graphs in the
dataset are used for training and validation.
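This design-level cross-validation protocol can be sketched as follows (a hypothetical helper; `graphs` is assumed to be a list of (design name, graph) pairs):

```python
def design_folds(graphs):
    """Sketch of the evaluation protocol: all synthesized versions of one
    design form the test fold, while the remaining designs are used for
    training and validation."""
    designs = sorted({name for name, _ in graphs})
    for test_design in designs:
        test = [g for name, g in graphs if name == test_design]
        train = [g for name, g in graphs if name != test_design]
        yield test_design, train, test
```

Grouping all synthesized versions of a design into the same fold ensures the model is never tested on a netlist whose sibling versions appeared in training.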
We evaluate the performance of ReIGNN by comparing its predictions
with the true labels of the nodes and using the standard statistical measures of correctness of a binary classification test. Since the dataset is
imbalanced, we use sensitivity, or true positive rate (TPR), specificity, or
true negative rate (TNR), and balanced accuracy as the metrics, defined
as follows:
Sensitivity = No. TPs / (No. TPs + No. FNs),   (3.8)

Specificity = No. TNs / (No. TNs + No. FPs),   (3.9)

Balanced Accuracy = (Sensitivity + Specificity) / 2,   (3.10)
where we consider detecting state registers as positive outcomes and
data registers as negative outcomes. Therefore, a true positive (TP) implies
that a state register is correctly identified as a state register by ReIGNN,
while a false positive (FP) means that a data register is incorrectly classified
as a state register. True negatives (TNs) and false negatives (FNs) can also
be defined in a similar way. Overall, the sensitivity is the ratio between the
number of correctly identified state registers and the total number of state
registers in the design. The specificity is the ratio between the number of
correctly identified data registers and the total number of data registers.
The balanced accuracy is the average of sensitivity and specificity.
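These metrics follow directly from the confusion-matrix counts (a minimal helper; names are illustrative):

```python
def balanced_metrics(tp, fn, tn, fp):
    """Sensitivity (TPR), specificity (TNR), and balanced accuracy per
    eqs. (3.8)-(3.10); state registers are the positive class."""
    sensitivity = tp / (tp + fn)
    specificity = tn / (tn + fp)
    return sensitivity, specificity, (sensitivity + specificity) / 2
```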
High sensitivity and high balanced accuracy are both desirable since
they impact any FSM extraction methodology for IC reverse engineering.
If we report low sensitivity, then there exist unidentified state registers,
which will impact the correctness of the extracted FSM. On the other hand,
Table 3.2: GNN Pipeline Architecture and Training Details
Architecture Training Settings
Input Layer [|x|, 100] Optimizer Adam
Hidden Layer [100, 100] Learning Rate 0.001
MLP Layer [100, 50] Dropout 0.25
Output Layer [50, #classes] No. of Epochs 300
Activation ReLU
Classification Softmax
Figure 3.6: Impact of the number of GNN layers and their dimension on
ReIGNN performance (sensitivity) for aes benchmark circuits.
low specificity, hence low balanced accuracy, makes FSM extraction time-consuming since many data registers are also identified as state registers
and will be included in the STG of the FSM.
3.5.3 GNN Pipeline
ReIGNN consists of GNN layers and ReLU activation functions followed by
a final MLP layer with Softmax activation units.

Figure 3.7: Performance comparison between ReIGNN and RELIC on one-hot encoded benchmarks (sensitivity and balanced accuracy; bar charts omitted).

We use GraphSage [97]
with mean aggregator function as the GNN layer and the Adam optimizer
for optimizing the weights of the GNN. We perform a grid search on the
hyper-parameter space defined by the number of GNN layers {2, 3, 4,
5} and their dimension {50, 100, 200} to obtain the most suitable values
for the number and dimension of the GNN layers. Fig. 3.6 shows how
the sensitivity performance metric of ReIGNN varies as we change the
number of GNN layers and their dimension. When the number of layers is
equal to 3 or 4 and the corresponding GNN dimension is 100, we achieve
the best sensitivity. For illustration purposes, we plot the results for the
aes benchmark. To avoid overfitting the trained model, we use dropout,
a regularization technique that randomly drops weights from the neural
network during training [154]. As the dataset is highly imbalanced (the
number of data registers is much larger than the number of state registers),
we use a weighted loss function inducing a greater penalty for misclassifying
the minority class. The weights are set based on the ratio between state
and data registers in the dataset. The details of the GNN model as well as
the training architecture are provided in Table 3.2.
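The class-weighted loss described above can be sketched as follows (a simplified numpy version; the actual implementation uses PyTorch's negative log-likelihood loss with class weights, and the helper below is illustrative):

```python
import numpy as np

def weighted_nll(log_probs, labels, n_state, n_data):
    """Sketch: class-weighted negative log-likelihood over register nodes.
    log_probs: (n, 2) log-softmax outputs; labels: (n,) with 1 = state.
    The minority (state) class is weighted by the data/state ratio."""
    weights = np.array([1.0, n_data / n_state])      # [data, state]
    w = weights[labels]
    picked = log_probs[np.arange(len(labels)), labels]
    return -(w * picked).sum() / w.sum()
```

Weighting the state class by the data/state ratio makes each misclassified state register cost as much as the (far more numerous) data registers, counteracting the class imbalance.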
Figure 3.8: Performance comparison between ReIGNN and RELIC on binary encoded benchmarks (sensitivity and balanced accuracy; bar charts omitted).
3.5.4 Performance Analysis
We evaluate the performance of ReIGNN on all the benchmarks from
the one-hot encoded and binary encoded datasets. The GNN models are
trained offline using the available data, thus incurring a one-time-only training cost. The average test time of the trained model is 1 s while the average
training time is 5000 s. The training time can be further reduced by increasing the training batch size, at the cost of more memory. Table 3.2
shows the details of the model architecture and training parameters across
the different benchmarks.
For each benchmark, Fig. 3.7 shows the average balanced accuracy and
sensitivity across the 4 different synthesized versions of the netlist. We
compare the achieved performance with the one of RELIC [119], which
has a similar classification accuracy as fastRELIC [120]. In fact, while
fastRELIC reduces the run-time of RELIC, it uses the same heuristic for
determining the similarity scores between two registers. In RELIC, the
user needs to set the three threshold values T1, T2, and T3 together with
the fan-in cone depth d. In our experiments, we consider the following
parameter configurations, which are also used in the literature:
• P1: T1 = 0.5, T2 = 0.8, T3 = 1, d = 5;
• P2: T1 = 0.7, T2 = 0.5, T3 = 5, d = 5;
• P3: T1 = 0.4, T2 = 0.5, T3 = 4, d = 7.
Depending on the threshold values, both balanced accuracy and sensitivity vary widely across different benchmarks. Across the one-hot encoded
benchmarks, ReIGNN reports an average balanced classification accuracy
of 96.25% and a sensitivity of 97.12%. RELIC’s average balanced accuracy
varies between 57.41% (for configuration P3) and 83.7% (for configuration
P1) while its sensitivity varies between 19.1% (for configuration P3) and
82.78% (for configuration P1).
To compare the performance of the different tools in more detail, we consider, for instance, the aes benchmark, which includes a total of 2994 registers,
only 15 of which are state registers. As shown in Fig. 3.7, across the four
synthesized versions of the netlist, ReIGNN achieves on average a balanced
accuracy of 98.98% (FP = 11, 11, 12, 11 for the four netlists) and a sensitivity of 98.3%. Specifically, the sensitivity is 100% (TP = 15, FN = 0) for
three designs and decreases to 93.33% (TP = 14, FN = 1) for the remaining design. On the other hand, when using configuration P1, the average
balanced accuracy of RELIC is 93.9% with FP values of 71, 67, 55, and 69.
RELIC achieved a sensitivity of 80% for two netlists (TP = 12, FN = 3)
and 93.33% (TP = 14, FN = 1) and 100% (TP = 15, FN = 0) on the other
two. Overall, Algorithm 1 achieves lower sensitivity and balanced accuracy
and produces more FPs, which can make the FSM extraction task harder.
Whenever ReIGNN cannot achieve full sensitivity, meaning that some
state registers are misclassified as data registers, we can still use structural
analysis to bring the number of FNs to zero. In fact, by finding the SCCs
associated with the correctly classified state registers, we can look for all
the registers that are part of the SCCs, some of which may indeed be data
registers, and label them as state registers for FSM extraction. This extension makes ReIGNN complete (FN = 0) but compromises its soundness
(FP ≠ 0), which, again, may increase the complexity of the FSM extraction. Finally, when using configurations P2 and P3, Algorithm 1 has 15%
and 0% sensitivity, respectively. In P3, Algorithm 1 misclassifies all the
state registers as data registers, making it impossible to recover the FSM
from the netlist. As shown in Fig. 3.7, ReIGNN can achieve an average sensitivity of 100% for uart but the average balanced accuracy is only 74.57%,
implying that the number of FPs is high. This is due to the fact that
the registers associated with the counters in the design are all classified as
state registers by the GNN. Moreover, since these registers are all part of
an SCC, structural analysis cannot rectify these misclassifications. While a
counter is indeed an FSM, its registers should be considered data registers,
in that they do not hold the state bits of the control logic. This explains
the lower performance of ReIGNN.
Across the binary encoded benchmarks, ReIGNN reports an average
balanced accuracy of 97.9% and a sensitivity of 99.4%. RELIC’s average
balanced accuracy varies between 66.4% (for configuration P2) and 86.6%
(for configuration P1) while its sensitivity varies between 45.8% (for configuration P3) and 85.72% (for configuration P1) as shown in Fig. 3.8.
Structural analysis improves the overall performance of ReIGNN. While
the sensitivity remains unchanged, as explained in Section 3.4.3, the average balanced accuracy can improve since structural analysis reduces the
number of FPs. While the enhanced GNN pipeline architecture in this
chapter achieves an average balanced accuracy of 95.75%, which further
rises to 96.25% after structural analysis, the improvement in balanced
accuracy due to structural analysis was up to 6.52% for a less optimized
architecture in a preliminary version of this work [64]. This highlights the
importance of structural analysis as a way to increase the robustness to
model architecture tuning.
To observe how well ReIGNN generalizes across different types of benchmarks and encoding styles, we create a dataset with both one-hot encoded
Table 3.3: Performance of ReIGNN for combined dataset
Design Sensitivity Balanced Accuracy
aes 97.6% 98.57%
altor32 lite 97.9% 98.56%
cr div 100% 100%
fsm 100% 93.75%
gcm aes 100% 98.56%
gpio 95.45% 97.72%
memory 100% 100%
sha 100% 99.65%
siphash 100% 100%
uart 93.75% 94.22%
cfi ctrl 88.09% 92.02%
ima adpcm 100% 99.58%
hight 95.18% 97.59%
pid ctrl 100% 97.42%
simple spi 100% 98.35%
rc4 100% 99.86%
and binary-encoded versions of each benchmark, for a total of 128 graphs.
Similar to our previous experiments, we perform classification tasks on
each benchmark independently. As shown in Table 3.3, ReIGNN generalizes well across different encoding styles and achieves on average a balanced
classification accuracy of 96.93% and a sensitivity of 97.53%.
3.5.5 Impact of the Type of GNN Model, Aggregate
Function, and Feature Set
GraphSage can use different types of aggregate functions to gather information
from the neighborhood of a node [97]. We evaluate the impact of three aggregate functions, namely, mean, sum, and max [97], on the performance
of ReIGNN. Fig. 3.10 shows that ReIGNN achieves the highest average
sensitivity of 97.8% across the different benchmarks using the mean aggregate function. With the sum aggregate function, ReIGNN achieves an
average sensitivity of 95.82%, while this lowers to 92.73% when the max aggregate function is used.

Figure 3.9: Performance comparison between different types of GNN layers on 1-hot encoded benchmarks (sensitivity and balanced accuracy; bar charts omitted).

Figure 3.10: Impact of the type of aggregate function used in GraphSage on the performance of ReIGNN in terms of sensitivity (bar chart omitted).

Figure 3.11: Impact of the different features on the performance of ReIGNN for 1-hot encoded benchmarks (sensitivity and accuracy; bar charts omitted).

Table 3.4: Different Feature Sets

Feature Set    Node Type  In-/Out-degree  Betweenness Centrality  Harmonic Centrality  Neighborhood
Feature set-1  ✓          ✗               ✗                       ✗                    ✗
Feature set-2  ✓          ✓               ✗                       ✗                    ✗
Feature set-3  ✓          ✓               ✓                       ✓                    ✗
Feature set-4  ✓          ✓               ✗                       ✗                    ✓
Feature set-5  ✓          ✓               ✗                       ✓                    ✓
Feature set-6  ✓          ✓               ✓                       ✓                    ✓
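In PyTorch Geometric, the aggregator of a SAGEConv layer is selected through its `aggr` argument (e.g., `SAGEConv(in_dim, out_dim, aggr='mean')`). The three choices compared here reduce to the following operations on the stack of incoming messages (a minimal numpy sketch, not the library's implementation):

```python
import numpy as np

def aggregate(msgs, kind="mean"):
    """Sketch of the three neighbor-aggregation choices compared above.
    msgs: (num_neighbors, d) array of incoming messages for one node."""
    if kind == "mean":
        return msgs.mean(axis=0)
    if kind == "sum":
        return msgs.sum(axis=0)
    if kind == "max":
        return msgs.max(axis=0)
    raise ValueError(kind)
```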
We evaluate the impact of the GNN type, i.e., GraphSage [97], GAT
[99], and GIN [141] on the performance of ReIGNN. We use the same
number and dimensions for the GNN layers. In the case of GIN, we use a 2-layer MLP. Fig. 3.9 shows that, for the given 10 benchmarks, when GAT
with 1 attention head is used as the GNN layer instead of GraphSage, the
average sensitivity lowers from 96.84% to 92%, while the average balanced
accuracy lowers from 95.32% to 94.1%. Similarly, GIN provides lower
average sensitivity and balanced accuracy values, namely, 93% and 95.02%,
respectively.
We gather insight into the relevance of ReIGNN’s features by studying
the impact of different combinations of features on its performance for 10
different benchmark circuits. Specifically, we create six different feature sets
as summarized in Table 3.4. In set 1, we consider only the node type, i.e.,
the logic function that each node represents. Using feature set 1, ReIGNN
can achieve an average sensitivity of 89.76% and an average balanced accuracy of 92.64%, showing that GNNs leveraging only the graph structure
and a minimal feature set can already achieve satisfactory performance.
Feature set 2 additionally includes information about the in-degree and
out-degree of each node, leading to 90.49% average sensitivity and 93.9%
balanced accuracy, a marginal improvement in performance.
Feature set 3 adds the centrality information (betweenness and harmonic) of each node, improving by ∼5% the average sensitivity (94.73%)
and by ∼3.5% the balanced accuracy (95.92%).
On the other hand, feature set 4 includes the neighborhood information but not the centrality information and achieves an average sensitivity of
95.25% and balanced accuracy of 94.51%. Finally, set 6 includes all the
features, attaining the best performance (96.84% average sensitivity and
95.33% balanced accuracy). Overall, adding information relating nodes to
their neighbors improves the performance of ReIGNN. However, the performance achieved by only using neighborhood information is comparable
with the one achieved by only using the centrality information. In particular, measuring the betweenness centrality of a node can be expensive. We
can then consider skipping this feature, as in set 5, with negligible impact
on the overall performance, as evident from Fig. 3.11.
3.6 Conclusions
In this chapter we presented ReIGNN, a learning-based register classification methodology for finite state machine extraction and circuit reverse engineering. ReIGNN combines graph neural networks with structural analysis to classify the registers in a circuit with high accuracy and generalize
well across different designs. Numerical results show the advantage of combining graph-based deep learning with post-processing based on structural
analysis to achieve higher balanced accuracy and sensitivity with respect
to previous classification methods.
Chapter 4
Graph Learning-Driven
Structural-Functional Attack
to Logic Locking
This chapter shows how we can leverage GNNs for analyzing the security
guarantees of different logic obfuscation methods by assessing the level of
information leakage from their structural signatures. The terms logic obfuscation and logic locking are used interchangeably in this chapter. First, we provide the
introduction and motivation for developing new attacks on existing logic
locking techniques in Section 4.1. In Sections 4.2 and 4.3, we discuss
background concepts and some related work on logic locking. We describe
our proposed attack methodology in Section 4.4 and its evaluation in Section 4.5. Finally, we conclude in Section 4.6.
4.1 Introduction
Combinational logic locking [79–81] is a potential solution to security threats to trustworthy IC design such as IP piracy and theft [68], overproduction, counterfeiting [69], and malicious design modification (hardware Trojan insertion) [6, 155]. Combinational logic locking is a set
of techniques that introduce additional logic and new inputs to a design in
order to “lock” it and prevent its unauthorized use. The main objective
of logic locking is to conceal the functionality of designs from adversaries.
The additional logic can be XOR/XNOR gates [28, 79, 82, 83], AND/OR
gates [81], multiplexers [83–86], look-up tables (LUTs) [80, 87], or point
functions [88, 90, 91], which are often termed key gates and are associated with additional inputs, called key inputs. The locked design operates
correctly if and only if the key inputs are set to the correct key values.
With the advent of different locking schemes, several attacks on these
techniques have also been developed with the objective of recovering (part
of) the original functionality of the locked designs. The attacker aims to
either recover the exact functionality [28, 156, 157] or an approximation
[84, 158, 159]. One class of attacks, called oracle-guided attacks, leverages
the functional information obtained from the activated IC (oracle) to unlock
the logic locked design [28, 84, 156–158]. The attacker has access to the
locked design as well as the oracle, and they query the oracle with different
input patterns to get the correct output which is then used to derive a
correct key. In principle, oracle-guided attacks can be applied to any type
of logic locking scheme; some of them, however, may suffer from scalability
issues. On the other hand, in oracle-less attacks, the attacker has access
to the locked design and is aware of the locking scheme that is used, but
has no access to a functional IC. Most of the oracle-less attacks exploit the
information leakage from the topological and structural signatures of the
locking schemes to predict the key value [160–162]. These attacks suffer
less from scalability issues but often target a specific locking scheme and lack
generalization capabilities.
Recently, machine learning (ML) and, more specifically, deep learning
(DL)-based attacks on combinational logic locking have also been developed, which are mostly oracle-less. In DL-based attacks, DL models are
trained to either predict the key bit value [129, 130, 163] or identify the
extra logic that is being introduced by the specific locking scheme [131].
DL-based attacks tend to generalize better but, as in most of the oracle-less attacks, the recovered design may still exhibit a significant error rate,
often measured in terms of functional corruptibility [164]. Finally, hybrid
structural-functional attacks like the FALL attack [165] and SURF [166]
couple structural analysis with functional probing to develop stronger attacks. Unfortunately, however, the FALL attack is only applicable to
specific locking techniques, namely, stripped functionality logic locking
(SFLL-HD) [91] and TTLock [167]. On the other hand, SURF requires creating a new dataset and training a new DL model every time it
is applied to a new circuit, which can be expensive and inefficient.
A graph is a general and powerful data structure that represents entities and their relationships in a succinct form. GNNs have shown great success in capturing the underlying inductive biases of relational data, showing remarkable performance in various graph-related tasks, including node classification, graph classification, and link prediction. Circuits are essentially
graphs. Therefore, we leverage GNNs to develop a graph learning-driven
structural-functional attack to combinational logic locking called GLean.
GLean combines graph neural networks (GNNs) with functional constraints
to find an exact key for the locked design, or an approximate key, in the
sense that it reduces the average Hamming distance or functional corruptibility at the output of the recovered design. By leveraging structural as
well as functional information leakage, GLean is successful in recovering
the original design with high accuracy and shows generalization properties
across different designs and locking schemes.
GNNs effectively perform different graph-related tasks, such as node classification, by leveraging the graph structure and the node properties. As illustrated in Figure 4.1, GLean maps the circuit gates to graph nodes and their connections to graph edges, and translates the task of key bit value prediction into a node classification problem. We train the GNN to process these graphs and learn any correlation between the netlist graph structure and the correct key bit value. The trained GNN can then be used to classify key nodes in a design.
We recognize that GNN predictions are affected by uncertainty. Therefore, we take into consideration not only the prediction results but also the associated confidence estimates from the GNN to obtain a list of candidate keys instead of a single key. Differently from previous ML-based attacks, we improve the quality of the GNN prediction by formulating a binary
Figure 4.1: High-level overview of GLean, a graph learning-driven structural-functional attack on combinational logic locking.
optimization problem to find a key that minimizes the average Hamming distance of the recovered design. We use a population-based optimization algorithm, specifically particle swarm optimization, to solve the problem, where the cost function of each particle is evaluated by querying the oracle. Initializing the search space with the GNN-predicted keys helps reach faster convergence. Therefore, the proposed attack scales well with large circuits and can be effective for designs that challenge oracle-guided attacks based on Boolean satisfiability (SAT) solving. In summary, this chapter makes the following contributions:
• A novel learning-based, hybrid attack on combinational logic locking that employs GNNs to analyze the information leakage from the
structural signatures of different logic locking techniques and predict
a list of candidate keys by taking into consideration the confidence
associated with the model prediction.
• An optimization-based algorithm that starts with the GNN-predicted key candidates and integrates functional constraints, obtained by querying an oracle with a small set of input patterns, to achieve an optimal approximate key.
• Extensive analysis of the effectiveness of the proposed attack on a
variety of logic locking techniques and a suite of common benchmarks.
Empirical results show that GLean can completely unlock 60% of the designs locked with different logic locking schemes. In the other cases, the recovered designs provide the correct output for more than 99% of the inputs, on average, while the Hamming distance between the correct output and the wrong output is, on average, less than 1.12%. Remarkably, our analysis shows the advantage of augmenting the key prediction accuracy (KPA), a commonly used metric for evaluating the effectiveness of different ML-based attacks, with functionality-based metrics to evaluate the quality of a predicted key. Moreover, GLean can serve as a diagnostic tool to characterize the information leakage from the structural signatures of different types of key gates and insertion strategies.
4.2 Background and Related Work
In this section, we provide a short summary of logic locking schemes and the attacks against them.
4.2.1 Logic Locking
Logic locking locks the functionality of a design by introducing additional
logic and new inputs to the design. Different logic locking schemes have
been proposed over the years. Some techniques focus on using different
types of key gates, while others propose new algorithms to find the optimal
location for the key gates. Figure 4.2 shows examples of logic locking
Figure 4.2: Example of logic locking. (a) Original design, (b) design locked with an XOR key gate, (c) design locked with an AND key gate, (d) design locked with a multiplexer.
with different types of key gates. Algorithms for identifying the optimal locations for the key gates include random insertion [29], fault-analysis-based insertion [83], and logic-cone-analysis-based insertion [85], to mention a few. When a design is locked using a logic locking technique, unless a correct key input is provided, the design produces wrong outputs for a number of input patterns. A locked design can have more than one correct key. More formally, the original design can be represented as $C_o : I \to O$, where $I \in \mathbb{B}^n$ is the input and $O \in \mathbb{B}^m$ is the output. The locked design can be represented as $C_e : I \times K \to O$, where $K \in \mathbb{B}^k$ is the key input. When the key input is set to $K^* \in \mathcal{K}_{correct}$, where $\mathcal{K}_{correct}$ is the set of correct keys, then $C_e \equiv C_o$. Two keys $k_1, k_2$ are said to be equivalent, i.e., $k_1 \equiv k_2$, if $\forall I : C_e(I, k_1) = C_e(I, k_2)$.
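To make the locking example concrete, the XOR key-gate case of Figure 4.2(b) can be sketched in Python. The circuit function below is a hypothetical toy design, not one taken from the figure; with the correct key bit (0 for an XOR key gate) the locked circuit matches the original on all inputs, while the wrong key corrupts every output.

```python
def original(a, b, c):
    # Toy stand-in for the original design C_o (illustrative only)
    return (a & b) | c

def locked(a, b, c, key_bit):
    # C_e: an XOR key gate inserted at the output, as in Figure 4.2(b).
    # With key_bit = 0 the XOR is transparent and C_e matches C_o;
    # with key_bit = 1 every output bit is inverted.
    return ((a & b) | c) ^ key_bit

inputs = [(a, b, c) for a in (0, 1) for b in (0, 1) for c in (0, 1)]
# key_bit = 0 is the correct key (an XNOR key gate would require 1 instead)
assert all(locked(*i, 0) == original(*i) for i in inputs)
# the wrong key corrupts the output on every input pattern here
assert all(locked(*i, 1) != original(*i) for i in inputs)
```

An XNOR key gate simply swaps which key value is correct, which is what makes XOR/XNOR locking resistant to naive structural inspection.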
A goal for logic locking is to achieve a high level of functional corruptibility and Hamming distance between the output of the locked design and the one of the oracle when a wrong key input is provided. Given a set of $N$ input patterns, we define the functional corruptibility (FC) as
$$FC(C_e, K) = \frac{1}{N} \sum_{I = I_1, \ldots, I_N} \mathbb{1}\left[C_e(I, K) \neq C_o(I)\right], \quad K \in \mathbb{B}^k \qquad (4.1)$$
while the average Hamming distance (HD) is defined as
$$HD(C_e, K) = \frac{1}{N\,m} \sum_{I = I_1, \ldots, I_N} \; \sum_{j = 1, \ldots, m} \mathbb{1}\left[C_e(I, K)_j \neq C_o(I)_j\right] \qquad (4.2)$$
where $m$ is the number of primary output ports, $\mathbb{1}$ is the indicator function, and $C_e(I, K)_j$ is the $j$-th bit of $C_e$'s output given the primary input $I$ and key input $K$.
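Both metrics can be computed by direct simulation. The sketch below assumes the normalizations above (FC by the number of patterns $N$, HD by $N \cdot m$); the two-output toy circuit is purely illustrative.

```python
def fc(ce, co, key, patterns):
    # Eq. (4.1): fraction of input patterns on which C_e disagrees with C_o
    return sum(ce(i, key) != co(i) for i in patterns) / len(patterns)

def hd(ce, co, key, patterns, m):
    # Eq. (4.2): fraction of output bits that differ, averaged over
    # N patterns and m primary output ports
    mismatches = sum(
        sum(ce(i, key)[j] != co(i)[j] for j in range(m)) for i in patterns
    )
    return mismatches / (len(patterns) * m)

# Hypothetical 2-output circuit: output 0 is XOR-locked, output 1 is not
co = lambda i: ((i[0] & i[1]), (i[0] | i[1]))
ce = lambda i, k: ((i[0] & i[1]) ^ k, (i[0] | i[1]))
patterns = [(0, 0), (0, 1), (1, 0), (1, 1)]
assert fc(ce, co, 0, patterns) == 0.0 and hd(ce, co, 0, patterns, 2) == 0.0
assert fc(ce, co, 1, patterns) == 1.0 and hd(ce, co, 1, patterns, 2) == 0.5
```

Note how the wrong key gives FC = 1 but HD = 0.5: every pattern is corrupted, yet only half of the output bits flip, which is why the two metrics complement each other.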
4.2.2 Attacks on Logic Locking
We provide an overview of different types of attacks on logic locking.
Oracle-Guided Attacks
One of the earliest oracle-guided attacks used automatic test pattern generation (ATPG) to find input patterns that would reveal the key bit values [82] when applied to the locked design. Subsequently, a powerful attack called the SAT attack [156] was proposed, which defeated all logic locking schemes known at that time. The SAT attack uses a Boolean satisfiability solver to
iteratively find inputs that can eliminate equivalent classes of wrong keys.
The SAT attack continues until all the wrong key classes are eliminated
and only the correct key class is left. It then returns a key from the correct
key class as a solution. This attack suffers from scalability issues for large
designs.
A set of new SAT-attack-resilient locking schemes were developed that exponentially increase the number of equivalent wrong key classes [90, 91], thus forcing the SAT attack to run for an exponential number of iterations before termination. However, these locking schemes have low output corruptibility. While the SAT attack aims to recover the exact functionality, AppSAT [158] is another oracle-guided attack that can be applied to SAT-attack-resilient locking schemes like SARLock [90] and Anti-SAT to recover a design that is functionally similar to the original design, that is, the FC of the recovered design is below a certain acceptable threshold. However, AppSAT still suffers from scalability issues for large designs.
To address the scalability issue, oracle-guided attacks were developed that formulate the problem of finding the key as a discrete optimization problem and then use techniques like hill climbing [84], genetic algorithms [168], and particle swarm optimization [159] to solve the optimization problem and arrive at an approximate key. The quality of the approximate key highly depends on the initial key candidates with which the optimization starts [169]. All of these techniques use random initialization.
Differently from previous oracle-guided attacks, GLean does not use any SAT formulation, which avoids scalability issues. Unlike the previous optimization-based methods, GLean uses structural analysis of the locked design via a GNN to obtain the initial key candidates, which helps the convergence of the subsequent optimization step.
Oracle-Less Attacks
In oracle-less attacks, the attacker only has access to the gate-level netlist of the locked design. Some of these attacks leverage synthesis tools to resynthesize the locked design with some values assigned to the key inputs. By assigning different values to the key inputs, the attacker obtains different resynthesized designs, which are then analyzed to extract the correct key value [161, 170]. However, these attacks tend to scale poorly for larger key lengths. Another set of heuristics-based attacks analyze the gate-level netlist of the locked design to identify the redundancies and structural signatures introduced by the locking schemes and predict an approximate key [160, 162].
More recently, DL-based attacks have been developed. Here, DL models are trained to predict a single key bit value [129, 130, 163] by leveraging the information leakage from the structural signatures of the locking scheme. ML-based attacks consist of two stages, namely, training and inference. To train the ML model, first the training dataset, consisting of feature vectors and labels, is generated. In Snapshot [129], each key gate corresponds to a data point. This method extracts a subgraph for each key gate and represents it using a vector. This vector is the feature vector for the data point, while the key gate value is the label. The feature vector captures information about the function and the topology of the neighborhood of the key gate. A convolutional neural network (CNN) is trained on this dataset to learn the correlation between the feature vector and the correct key bit value. Once the model is trained, it is used to predict the key bit values for the target netlist during the inference stage.
Similarly to Snapshot, OMLA [163] also extracts subgraphs, but uses GNNs to directly process these graph-structured data. It maps the task of key bit prediction to a subgraph classification problem and trains the GNN model to predict the key bit value for a given subgraph. In all of these techniques, the attacker needs to create a new training dataset and train a new DL model for every target netlist. This makes these oracle-less attacks expensive. Moreover, these methods do not usually recover the complete functionality of the design. Unlike these attacks, GLean trains only a single generalized DL model one time. The model is then used to perform inference on different benchmark circuits. Because ML model predictions provide no correctness guarantees, making the first step of structural analysis using ML as fast as possible becomes advantageous.
Structural-Functional Attacks
Hybrid techniques like SURF [166] and FALL [165] combine structural analysis with functional probing of an oracle to develop stronger attacks. The FALL attack [165] first uses Boolean satisfiability (SAT)-based analyses of the structural and functional properties of locked designs to identify a list of potential correct keys. Next, it uses a SAT-based key confirmation algorithm to identify the correct key from the list of candidate keys. FALL fails to find a key if no correct key is present in the list of candidate keys reported in the first step. Moreover, it specifically targets stripped-functionality logic locking (SFLL-HD) [91] and TTLock [167].
SURF [166] first uses SAIL [130] to predict an initial candidate key for the locked circuit. SAIL is an oracle-less attack that uses two ML models, random forests and multi-layer perceptrons (MLPs), in cascade. A heuristic-based key refinement algorithm is then employed, which leverages functional information from the oracle to refine the initial key candidate and find a better key. SURF uses complex learning models and, like other ML-based attacks, requires a new training dataset and DL model for every target netlist.
4.3 Preliminaries
This section outlines some background concepts that will be used throughout the chapter.
4.3.1 Graph Neural Networks
Deep learning paradigms like CNNs [133] and recurrent neural networks
(RNNs) [134] are appropriate for processing grid-structured inputs (e.g.,
images) and sequences (e.g., text), respectively. They are less suited to
process graph-structured data, which exhibits heterogeneous topologies,
where the number of nodes may vary, and different nodes have different
Figure 4.3: GLean methodology.
numbers of neighbors [100]. GNNs have instead been conceived to process graph-structured data [98]. GNNs implement complex functions that encode the properties of a graph's nodes in terms of low-dimensional vectors, called embeddings, that summarize the position, features, and structure of the local neighborhood of the nodes. GNNs project nodes into a latent space such that similarity in the latent space approximates similarity in the original graph [100]. To do so, GNNs use neural message-passing algorithms, where vector messages are exchanged between nodes and updated using neural networks [56]. To define mathematically how a GNN works, let us first recall the graph definition.
Definition 5 (Graph). A graph $G = (V, E)$ is defined by a set of nodes $V$ and edges $E$. The neighborhood of a node $v$ is given by $N(v) = \{u \in V : (u, v) \in E\}$, and the attribute or feature information associated with node $v$ is denoted by $x_v \in \mathbb{R}^n$. $X \in \mathbb{R}^{|V| \times n}$ represents the node feature matrix of the graph.
During the message-passing step of the $k$-th GNN layer, an embedding $h_u^{(k)}$ corresponding to each node $u \in V$ is updated according to the information aggregated from its graph neighborhood $N(u)$. We can express this message-passing update as:
$$m_{N(u)}^{(k)} = \text{Aggregate}^{(k)}\left(\{h_v^{(k-1)}, \forall v \in N(u)\}\right), \qquad (4.3)$$
$$h_u^{(k)} = \text{Update}^{(k)}\left(h_u^{(k-1)}, m_{N(u)}^{(k)}\right), \qquad (4.4)$$
where Aggregate and Update are differentiable functions and $m_{N(u)}^{(k)}$ is the "message" aggregated from the graph neighborhood $N(u)$ of $u$. At each GNN layer, the Aggregate function takes as input the set of embeddings of the nodes in the neighborhood $N(u)$ of $u$ and generates a message $m_{N(u)}^{(k)}$ based on the aggregated information. The Update function combines the message $m_{N(u)}^{(k)}$ with the previous embedding $h_u^{(k-1)}$ of the node $u$ to generate the updated embedding $h_u^{(k)}$. Since the Aggregate function takes a set as input, it should be permutation invariant. The initial embeddings, at $k = 0$, are the node features $x_v$. Once the final node embeddings are generated, they can be used to successfully perform different tasks like node classification [39, 97], graph classification [101], and link prediction [46] in an end-to-end fashion. In the case of graph-related tasks like node classification, GNNs are trained to generate node embeddings such that the embeddings of the nodes of a given class are close to each other in the latent space. In this work, we leverage GNNs to formalize the problem of identifying the key bit value associated with a key gate in a netlist as a graph node classification problem.
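A minimal, untrained sketch of one message-passing round of Eqs. (4.3)-(4.4), using a mean Aggregate and a sum-then-ReLU Update on a three-node path graph; real GNN layers parameterize both functions with learned weights.

```python
import numpy as np

def message_pass(h, neighbors):
    # One round of Eqs. (4.3)-(4.4): mean Aggregate, sum-then-ReLU Update
    # (a simplified, untrained sketch; trained layers use weight matrices)
    h_new = {}
    for u, nbrs in neighbors.items():
        # Eq. (4.3): permutation-invariant aggregation over N(u)
        m = np.mean([h[v] for v in nbrs], axis=0)
        # Eq. (4.4): combine the message with the previous embedding of u
        h_new[u] = np.maximum(h[u] + m, 0.0)  # ReLU
    return h_new

# Path graph 0 -- 1 -- 2 with 2-dimensional initial features x_v
neighbors = {0: [1], 1: [0, 2], 2: [1]}
h0 = {0: np.array([1.0, 0.0]), 1: np.array([0.0, 1.0]), 2: np.array([1.0, 1.0])}
h1 = message_pass(h0, neighbors)
```

After one round, node 1's embedding mixes information from both endpoints of the path; stacking $k$ such layers lets each node see its $k$-hop neighborhood.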
4.3.2 Population-Based Optimization
Population-based optimization algorithms are extensively used for solving problems with non-differentiable objectives [171]. In particular, particle swarm optimization (PSO) [172] is a population-based optimization algorithm that starts with an initial population of particles, each corresponding to a possible solution of the optimization problem. The fitness of each particle is evaluated at every generation using a cost function, and the particles evolve over generations following a policy. The convergence of the optimization heavily depends on the initial particle population [173, 174]. In this work, we formulate the task of finding the optimal key as a binary optimization problem and solve it using PSO. The GNN provides a set of candidate keys, which forms the initial population of particles for the PSO.
4.4 Proposed Graph Learning-Driven
Structural-Functional Attack
Figure 4.3 illustrates the GLean framework. We first train the GNN pipeline on a set of benchmarks and then leverage the trained GNN to perform inference on new netlists. We check the FC and average HD of the GNN-predicted key; if both values are zero, then the attack stops, since the original functionality is recovered. Otherwise, we use the model predictions and the confidence associated with them to generate a set of candidate keys. Finally, we solve an optimization problem over the set of key candidates by incorporating functional constraints and using PSO to arrive at a final approximate key. We detail these steps below.
4.4.1 Threat Model
We assume that the attacker can be any rogue entity in the supply chain. The attacker has access to the locked gate-level netlist and knowledge of the type of locking scheme used. The attacker also has access to a functional IC and a set of input/output (I/O) patterns obtained from it.
Figure 4.4: GNN model architecture and its training.
4.4.2 Netlist to Graph Transformation
We translate a gate-level netlist into a generic, technology-independent representation, i.e., a graph G, where the gates are the nodes and the wires connecting the gates are the edges. GLean poses no restrictions on the netlist structure (e.g., in terms of fixed fan-in and fan-out size) and can operate on any netlist. Each node in the graph is associated with a simple feature vector that contains the following information: (a) node type, (b) node in-degree, and (c) node out-degree. We use one-hot encoding to represent the node type. For example, if a target library has in total 12 different types of logic cells, then we have a 12-dimensional vector representing the node type. The node in-degree is the number of incoming neighbors, while the node out-degree is the number of outgoing neighbors. Therefore, the training and validation set is a set of graphs such that each node is provided with a feature vector and a label.
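The feature construction above can be sketched as follows. The cell library below is hypothetical (it only mirrors the 12-cell example in the text, not an actual Nangate cell list), and the netlist is a two-gate toy.

```python
# Hypothetical 12-cell library (illustrative; matches the 12-dimensional
# one-hot example in the text, not an actual standard-cell library)
CELL_TYPES = ["AND", "OR", "NAND", "NOR", "XOR", "XNOR",
              "INV", "BUF", "MUX", "AOI", "OAI", "FF"]

def node_features(cell_type, fan_in, fan_out):
    # One-hot cell type followed by in-degree and out-degree
    one_hot = [1.0 if t == cell_type else 0.0 for t in CELL_TYPES]
    return one_hot + [float(len(fan_in)), float(len(fan_out))]

# Toy netlist: g1 = AND(a, b) drives g2 = INV(g1)
fan_in = {"g1": ["a", "b"], "g2": ["g1"]}
fan_out = {"g1": ["g2"], "g2": []}
x_g1 = node_features("AND", fan_in["g1"], fan_out["g1"])
assert len(x_g1) == 14 and x_g1[0] == 1.0 and x_g1[-2:] == [2.0, 1.0]
```

Keeping the features this simple is deliberate: the GNN's message passing, not hand-engineered features, is expected to extract the structural signatures of the key gates.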
4.4.3 Graph Learning Pipeline
Once the training set is created, we train the graph learning pipeline. GLean processes the graph data and generates node embeddings, as illustrated in Figure 4.4. We use GraphSAGE [97] as the GNN layer, which follows an inductive approach to generating node embeddings in order to facilitate generalization to unseen graphs. GraphSAGE trains an aggregator function that learns to aggregate feature information from a node's neighborhood to generate the embeddings. In GLean, we convert the netlists into directed graphs. This enables each node to differentiate between its fan-in and fan-out neighbors and learn different information from them. To enable a node to aggregate messages from both fan-in and fan-out neighbors, we train two GNNs in parallel, where one GNN gathers information from the fan-in neighbors while the other gathers information from the fan-out neighbors. Thus, in each iteration $k$ of message propagation, the embedding of each node is updated as:
$$h_v^k \leftarrow \sigma\Big(W_{fan\text{-}in}^k \cdot \text{Aggregate}\big(\{h_v^{k-1}\} \cup \{h_u^{k-1}, \forall u \in N_{fan\text{-}in}(v)\}\big) + W_{fan\text{-}out}^k \cdot \text{Aggregate}\big(\{h_v^{k-1}\} \cup \{h_u^{k-1}, \forall u \in N_{fan\text{-}out}(v)\}\big)\Big), \qquad (4.5)$$
where $W_{fan\text{-}in}^k$ and $W_{fan\text{-}out}^k$ are trainable weight matrices associated with the $k$-th GraphSAGE layer, $h_v^k$ is the embedding of node $v$ at the $k$-th layer, and the Aggregate function defines how the neighbor embeddings are aggregated; it can be a mean, sum, or max function. For the first layer, $h_v^0$ is the node feature vector $x_v$; $\sigma(\cdot)$ is the activation function, i.e., a rectified linear unit (ReLU); and $h_v^{fin}$ is the final node embedding. Following the final GNN layer, there is an MLP layer with a Softmax activation function, which processes the node embeddings $h_v^{fin}$ to produce the final prediction $z = \text{Softmax}(\text{MLP}(h_v^{fin}))$ along with the confidence associated with this prediction.
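A simplified numpy sketch of the bidirectional update of Eq. (4.5), with mean aggregation and identity weight matrices for illustration; the actual implementation uses trained GraphSAGE layers in PyTorch Geometric.

```python
import numpy as np

def bidirectional_layer(h, fan_in, fan_out, W_in, W_out):
    # One layer of Eq. (4.5): separate weights for the fan-in and fan-out
    # directions, mean aggregation over the node and its neighbors, ReLU.
    def agg(u, nbrs):
        vecs = [h[u]] + [h[v] for v in nbrs.get(u, [])]
        return np.mean(vecs, axis=0)

    return {
        u: np.maximum(W_in @ agg(u, fan_in) + W_out @ agg(u, fan_out), 0.0)
        for u in h
    }

# Two-gate chain g0 -> g1 with identity weights for illustration
h = {0: np.array([1.0, 0.0]), 1: np.array([0.0, 1.0])}
fan_in, fan_out = {1: [0]}, {0: [1]}
W = np.eye(2)
h_next = bidirectional_layer(h, fan_in, fan_out, W, W)
```

Because the two directions use separate weight matrices, a key gate's driver and load neighborhoods contribute distinct, learnable signals, which is the point of converting the netlist into a directed graph.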
A circuit graph contains both logic gates and key gates. All nodes and edges are considered in the message-passing operations to generate the
Algorithm 2 Key refinement using PSO
Input: Candidate key set generated from the GNN (K); Locked netlist (Ce); Oracle (Co); Maximum number of generations (Max_Gen); Generation size (N); Particle intelligence (α); Swarm intelligence (β)
Output: Optimal key
1: Initialize the first generation with N keys chosen from K
2: for each particle do
3:   Compute the cost of the particle
4: Initialize Globalbest_Particle, Genbest_Particle, Pbest_Particle
5: Current_Gen = 1
6: while Current_Gen ≤ Max_Gen do
7:   for each particle do
8:     Refine(particle, Pbest_Particle, α)
9:     Refine(particle, Genbest_Particle, β)
10:    Compute particle fitness based on simulation results from Ce and Co
11:    Update Globalbest_Particle, Pbest_Particle, Genbest_Particle
12:  Current_Gen ← Current_Gen + 1
13:  if cost of Globalbest_Particle == 0 then
14:    return Globalbest_Particle
15:  if Globalbest_Particle has not improved in 20 generations then
16:    Update the population candidates
17: return Globalbest_Particle
18: function Refine(particle_1, particle_2, prob)
19:   for each bit in particle_1 do
20:     Rand = a random number generated between 0 and 1
21:     if Rand ≤ prob then
22:       Replace the bit with the corresponding bit in particle_2
embeddings, but only the final-layer embeddings $h_v^{fin}$ of the key gate nodes are used to compute the loss function. We use the negative log-likelihood loss to train the model.
4.4.4 Candidate Key Set Generation
The graph learning pipeline produces the final prediction $z = \text{Softmax}(\text{MLP}(h_v^{fin}))$, providing a measure of the likelihood of the two classes, i.e., '0' and '1', for the key bit value. In general, the class with the higher likelihood is taken as the result. In our case, we introduce one more class, 'X', i.e., 'undecided,' for those data points where the model has less confidence in its prediction. In other words, if the likelihood of the predicted class is below a certain threshold, then we consider the prediction to be X. This allows us to take into consideration the uncertainty affecting the model prediction and, instead of selecting a single candidate key, obtain a set of candidate keys. After observing the model predictions, we empirically set the value of the threshold to 0.55. For example, if the GNN model predicts the key bits to be 0, 1, 1, 0, 1 with likelihoods 0.8, 0.52, 0.7, 0.88, 0.54, respectively, we mark the 2nd and 5th bits as 'X', since their likelihoods are below the threshold. This then leads to the following set of candidate keys: 01101, 00101, 01100, and 00100. Setting the threshold to a higher value would convert many of the predictions to 'X', which increases the number of key candidates but undermines the result of the structural analysis performed by the GNN model.
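The thresholding scheme above can be sketched as follows; reproducing the example from the text, the two low-confidence bits expand into four candidate keys.

```python
from itertools import product

def candidate_keys(bits, confidences, threshold=0.55):
    # Mark low-confidence predictions as 'X', then enumerate all keys
    # obtained by expanding each 'X' to both 0 and 1.
    template = [b if c >= threshold else "X" for b, c in zip(bits, confidences)]
    x_positions = [i for i, b in enumerate(template) if b == "X"]
    keys = []
    for assignment in product("01", repeat=len(x_positions)):
        key = [str(b) for b in template]
        for pos, val in zip(x_positions, assignment):
            key[pos] = val
        keys.append("".join(key))
    return keys

# The example from the text: bits 0,1,1,0,1 with likelihoods
# 0.8, 0.52, 0.7, 0.88, 0.54 -> bits 2 and 5 become 'X'
keys = candidate_keys([0, 1, 1, 0, 1], [0.8, 0.52, 0.7, 0.88, 0.54])
assert sorted(keys) == ["00100", "00101", "01100", "01101"]
```

The candidate set grows as $2^{\#X}$, which is why the 0.55 threshold matters: it trades off covering the GNN's uncertainty against keeping the PSO's initial population small.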
4.4.5 Optimization Problem Formulation
We formulate the task of finding the approximate key as an optimization problem whose objective is to minimize the HD of the recovered design. By utilizing the particle swarm optimization (PSO) algorithm to iteratively modify the candidate keys generated in Section 4.4.4, we finally find an optimal key $K^*$ for the locked circuit $C_e$ such that
$$K^* \in \arg\min_{K} HD(C_e, K), \quad K \in \mathbb{B}^k. \qquad (4.6)$$
The iterative updates to the set of candidate keys are described below.
Algorithm 2 outlines the pseudo-code of the PSO for finding the optimal key. We follow the approach defined in [159] for designing the PSO algorithm. PSO starts with a set of particles and, in each generation, lets
Figure 4.5: Performance comparison between Snapshot, OMLA, and GLean for RLL. (a) KPA achieved by the different ML-based attacks, (b) average percentage HD of the key predicted by the different attacks.
them evolve. The optimal key is denoted by Globalbest_Particle. Each generation is associated with Genbest_Particle, the particle with the best fitness in the generation, while each particle is also associated with Pbest_Particle, its best structure (i.e., best fitness) over the generations. In each generation, the fitness of each particle is calculated in terms of HD, where a particle with low HD is considered a good particle. To measure the fitness, the functional IC is first simulated with 500 random test patterns to obtain the golden response. The locked circuit is then simulated with the same set of inputs, with the key input set to the particle, to obtain the corresponding outputs. Next, the HD between the obtained and golden responses is calculated to measure the fitness value of the particle. The fitness values of all the particles of a given generation are calculated based on the same random test patterns. From these
Figure 4.6: Performance comparison of GLean before and after the optimization step for RLL. (a) KPA achieved by GLean, (b) average percentage HD achieved by GLean, and (c) FC achieved by GLean.
simulations, we obtain the Genbest_Particle for the given generation and also update the Pbest_Particle of each particle.
In PSO, particle intelligence, global/swarm intelligence, and an inertia factor guide the evolution of the particles. Each particle is updated using the Refine function based on its Pbest_Particle and the Genbest_Particle. In particular, for each particle, its bits are replaced with the corresponding bits of the Pbest_Particle with probability α to account for the particle intelligence. Next, the same operation is performed with respect to the Genbest_Particle, with a corresponding probability β to account for
Figure 4.7: Evolution of the approximate key in terms of average Hamming distance across generations for different benchmarks. We consider two different initializations: GNN-predicted keys and random keys.
the swarm intelligence. We set the values of α and β to 0.2 to favor local search while still allowing global search. When there is no improvement in the Globalbest_Particle over multiple generations, the solution is likely stuck in a local minimum. To avoid local minima in the key search process, whenever the Globalbest_Particle does not change over 20 generations, we replace the current generation of particles with a set of new particles. Each of these new particles differs from the Globalbest_Particle in at least k bits. In our experiments, we set k to 10. The optimization terminates when we obtain a particle with zero HD or reach the maximum generation count, upon which the Globalbest_Particle is returned as the optimal approximate key of the locked design.
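A simplified Python sketch of Algorithm 2. The restart step after 20 stagnant generations is omitted, and the HD-based fitness obtained by simulating $C_e$ against the oracle is replaced by a stand-in cost function (Hamming distance to a hidden key) for illustration.

```python
import random

def refine(particle, guide, prob, rng):
    # Replace each bit with the guide's bit with probability `prob`
    return [g if rng.random() <= prob else p for p, g in zip(particle, guide)]

def pso_key_search(candidates, cost, max_gen=200, alpha=0.2, beta=0.2, seed=0):
    # Simplified sketch of Algorithm 2; `cost` stands in for the HD-based
    # fitness evaluated by simulating C_e and the oracle C_o.
    rng = random.Random(seed)
    particles = [list(k) for k in candidates]
    pbest = [list(p) for p in particles]   # per-particle best
    gbest = min(particles, key=cost)       # global best
    for _ in range(max_gen):
        for i in range(len(particles)):
            p = refine(particles[i], pbest[i], alpha, rng)  # particle intelligence
            p = refine(p, gbest, beta, rng)                 # swarm intelligence
            particles[i] = p
            if cost(p) < cost(pbest[i]):
                pbest[i] = list(p)
        gen_best = min(particles, key=cost)
        if cost(gen_best) < cost(gbest):
            gbest = list(gen_best)
        if cost(gbest) == 0:   # exact key recovered
            break
    return gbest

# Toy example: the cost is the Hamming distance to a hidden key
hidden = [1, 0, 1, 1, 0, 1]
cost = lambda p: sum(a != b for a, b in zip(p, hidden))
result = pso_key_search([[1, 0, 0, 1, 0, 1], [0, 0, 1, 1, 1, 1]], cost)
assert cost(result) <= 1   # gbest never gets worse than the best initial key
```

Because gbest is only ever replaced by a strictly better particle, the returned key is at least as good as the best GNN-predicted candidate, which is why a good initial population accelerates, and never hurts, the search.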
4.5 Evaluation
We evaluate the performance of GLean on several ISCAS'85 and ITC'99 benchmarks locked using different locking techniques, namely, XOR/XNOR-based random logic locking [29], AND/OR-based random logic locking [81], XOR/XNOR-based strong logic locking [28], logic-cone-size-based XOR/XNOR locking [175], and fault-analysis-based locking using multiplexers [83]. All benchmarks are locked using 64-bit keys. Our framework is implemented in Python, and we use the PyTorch Geometric package [148] to implement the graph learning model. Training and inference were performed on a server with an NVIDIA GeForce RTX 2080 graphics card, 48 2.1-GHz processor cores, and 500 GB of memory.
4.5.1 Training Dataset
In GLean, we train a single GNN model only once for each type of locking scheme. The model is then used to perform inference on other benchmarks. This is different from previous ML-based attacks, which create a new dataset and train a new ML model for each locked design. Therefore, we follow an approach based on a generalized dataset, unlike the self-referencing dataset approach [129] adopted by other ML-based attacks. We first lock different benchmarks (a total of 1000) with 64-bit keys for each locking scheme. We then synthesize these benchmark circuits using Synopsys Design Compiler with the 45-nm Nangate open cell library [152]. GLean transforms the netlists into graphs and associates each node in the graphs with a feature vector. In the experiments, we performed a neural architecture search to find the optimal GNN architecture for the key prediction task. In particular, we define the hyperparameter search space by the number of GNN layers {3, 4, 5, 6}, their dimension {64, 100}, the type of aggregation function {mean, sum}, the learning rate {0.01, 0.001, 0.005}, and the dropout ratio {0.25, 0.5}. We use dropout, a regularization technique
Figure 4.8: KPA achieved by GLean before and after performing optimization for (a) strong logic locking and (b) cone-based locking. Average percentage HD before and after optimization for (c) strong logic locking and (d) cone-based locking.
that randomly drops weights from the neural network during training [154] to avoid overfitting. We also add normalization layers after each GraphSAGE layer. We use k-fold cross-validation [153] to perform inference on the different benchmarks.
Figure 4.9: KPA and average percentage HD achieved by GLean before optimization for (a) random AND/OR locking, (b) controllability-based AND/OR locking, and (c) multiplexer-based locking. This result shows that GLean can recover the original design in most cases without performing optimization for these techniques.
4.5.2 Performance Analysis
Key prediction accuracy (KPA), FC, and HD are used to evaluate the performance of GLean. KPA is defined as $KPA = (|K_c|/|K|) \times 100$, where $|K_c|$ is the number of correct key-bit assignments and $|K|$ denotes the total key size. To measure the FC and HD, we simulate the locked and oracle designs with 200,000 random input patterns. First, we evaluate the performance of GLean on random logic locking (RLL) using XOR/XNOR gates. To evaluate the quality of the GNN model, we compare its performance with the Snapshot [129] and OMLA [163] models. We implement Snapshot following the reference paper; for OMLA, we use the open-source tool. Figure 4.5 shows the performance of the Snapshot, OMLA, and GLean GNN models on different benchmark circuits in terms of KPA and HD. GLean achieves an average KPA of 78.13%, which is 12% higher than the reference attacks. The average percentage HD of GLean, OMLA, and Snapshot is 11%, 14.92%, and 13.53%, respectively.
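For concreteness, KPA can be computed as follows; as the chapter argues, a high KPA alone does not guarantee that the recovered circuit is functionally accurate.

```python
def kpa(predicted_key, correct_key):
    # KPA = (|K_c| / |K|) * 100: percentage of correctly predicted key bits
    matches = sum(p == c for p, c in zip(predicted_key, correct_key))
    return 100.0 * matches / len(correct_key)

# A key with 4 of 5 bits correct yields a KPA of 80%
assert kpa("01101", "01001") == 80.0
```

Note that KPA is measured against one correct key, while a locked circuit may admit several equivalent correct keys, which is one reason it should be paired with HD and FC.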
We then perform the complete GLean attack on the RLL-locked circuits. To observe the contribution of the population-based optimization step in GLean, Figure 4.6 shows the KPA, FC, and average percentage HD achieved by GLean before and after optimization. GLean can completely unlock 5 circuits. For the other circuits, the recovered design is functionally close to the oracle, since the average percentage FC of the recovered circuits is only 0.5%, while the average percentage HD is less than 0.004%, implying that the output of the recovered circuits matches the oracle for more than 99% of the inputs. To verify that the initial key candidates provided by the GNN model in GLean can accelerate the convergence of the optimization step, we also run GLean with random key candidates. Figure 4.7 shows that, when we use the GNN-predicted candidate keys as the initial population, the optimization converges much earlier, while in the case of random key candidates, even if we run the optimization for more generations, the final approximate key has a higher average HD.
We also evaluate the performance of GLean for strong logic locking (SLL) [28] and logic cone analysis-based locking [85]. Figure 4.8 shows that the average percentage HD of the recovered circuits is 1.02% and 0.25%, respectively, implying that the recovered circuits provide the correct output for most of the inputs. Interestingly, Figures 4.8a and 4.8b show that KPA alone may not be sufficient to measure the quality of an approximate key. If we consider KPA only, then the approximate key obtained after optimization for a circuit like c1908 seems worse than the GNN-predicted initial key. However, Figures 4.8c and 4.8d show that the refined approximate key is better, in that it provides an average percentage HD of 0.047%, while the average percentage HD for the initial key predicted by the GNN is 20.02%.
Finally, we evaluate the performance of GLean for locking techniques that use AND/OR gates and multiplexers. In the first case, we consider a random insertion [81] and a controllability-based locking method. As shown in Figures 4.9a and 4.9b, the GNN model can recover the exact key for 14 out of 22 designs. For the remaining 8 designs, the average percentage HD is less than 0.5%, implying that there is no need to run the optimization step of GLean. This result suggests that an AND/OR key-gate-based method tends to leak more information than a method based on XOR/XNOR gates. This information is encoded into structural patterns that can be effectively learned by the GNN model to correctly predict the key bit values. We plot FC and average percentage HD together in Figure 4.9. When applying GLean to designs locked with multiplexers, we resynthesize the locked designs with basic gates only (excluding the multiplexers). Figure 4.9 shows that the GNN model of GLean is able to recover the exact key for 5 out of 7 designs. The remaining 2 designs are completely unlocked after the PSO step.
4.6 Conclusion
We presented GLean, a learning-driven, hybrid attack on logic locking that
combines graph learning with functional constraints to approximate the key
of a locked design with high accuracy. Validation results show that GLean
succeeds in unlocking most of the locked designs completely. Moreover, it
can be used as a diagnostic tool to expose different levels of information
leakage associated with the structural signatures of different types of logic
locking configurations, which can be leveraged by other deep learning-based
attacks. Finally, while the key prediction accuracy is commonly used to
characterize the performance of learning-based attacks, we observe that
a locked circuit may have multiple correct keys. Moreover, an accurate
approximation of any of these keys does not always lead to a sufficiently
accurate approximation of the circuit functionality. Our results show the
benefit of pairing the key prediction accuracy metric with output error measures such as Hamming distance and functional corruptibility to evaluate
the quality of a candidate key.
Chapter 5
Similarity-Based Logic Locking
Against Machine Learning
Attacks
This chapter shows that graph structural and functional similarity can be
leveraged to design a locking technique that can confuse all the existing
machine learning-based attacks on logic locking. First, we provide the introduction and motivation for developing this novel logic locking technique
in Section 5.1. Section 5.2 introduces the background concepts and related
work. We describe our proposed defense methodology in Section 5.3 and its
evaluation in Section 5.4. Finally, we conclude in Section 5.5.
5.1 Introduction
Logic locking (LL) performs functional and structural design alterations through the insertion of additional key-controlled logic such as
XOR/XNOR gates, multiplexers (MUXes), or look-up tables (LUTs) [64,
79,84,128,176,177]. Figure 5.1 shows examples from different LL methods.
Security of LL has, however, been challenged by the development of various
attacks, which can be broadly classified into two categories, namely, oracle-guided (OG) and oracle-less (OL). In OG attacks [156], attackers access
the locked design netlist and a functional chip, i.e., the oracle. In OL attacks [129, 130], the attackers only have the locked design netlist at their
disposal. OL attacks pose greater threats to LL as they can be mounted
even if an oracle is not available.
Figure 5.1: Logic locking techniques: (a) Overview; (b) Original netlist; (c)
XOR/XNOR-based logic locking; (d) MUX-based logic locking.
Among OL attacks, those based on machine learning (ML) [129, 130]
aim to predict the correct key by exploiting the information leakage occurring through the structural signatures induced by the different LL schemes.
In fact, in XOR/XNOR-based and AND/OR-based LL, there usually exists a direct mapping between the type of the key gate and the key value.
Attacks like SAIL [130], SnapShot [129], and OMLA [163] leverage this information along with the surrounding circuitry of a key gate to uncover the
key value using deep learning models. MUX-based LL tends to leak less
information about the key value via the structure of the key gate. However, other attacks, like the constant propagation attacks SWEEP [161]
and SCOPE [178] and the structural analysis attack on MUX-based LL
(SAAM), can successfully break MUX-based locking, calling for the development of learning-resilient LL techniques, such as deceptive MUX-based
(D-MUX) [179] LL and symmetric MUX-based LL [178].
Unfortunately, however, a new attack based on graph neural networks
(GNNs), called MuxLink [180], has been recently developed that can break
D-MUX and symmetric MUX-based locking and recover the correct key
with 100% accuracy for many designs from the ISCAS-85 and ITC-99
benchmarks. MuxLink maps the task of finding the correct key to a link-prediction problem, i.e., the problem of predicting the likelihood for a link
(or wire) to be present in a design. In link prediction [46], a local subgraph
is extracted around each (true or false) link, which is then processed by
GNN layers to learn the mapping from subgraph patterns to the likelihood
of existence of the link. Overall, a MUX-based locking technique that is
resilient to the existing ML-based attacks remains elusive.
In this chapter, we present SimLL, a novel similarity-based logic locking
technique that locks a design using MUXes and shows robustness against
the state-of-the-art OL ML-based attacks [129,180] and constant propagation attacks [161, 178]. We observe that, in D-MUX or symmetric MUX-based locking, the local subgraph structure associated with the false link
may be significantly different from that of the true link, which is exploited
by MuxLink to train a GNN model that can differentiate between the
true and false wires in a design. We may then mitigate this vulnerability by choosing the false inputs to the MUX in such a way that the local
subgraph structure associated with them is topologically and functionally
“similar” to that of the true wires. SimLL addresses this challenge by
leveraging a notion of topological and functional similarity of logic gates
and wires to insert key-controlled MUXes. Topologically and functionally
similar logic gates or wires are identified using a message passing-based
algorithm and clustered into groups. Logic gates or wires from the same
cluster are then used to insert key-controlled MUXes, resulting in true and
false wires having similar subgraph structures. In summary, this chapter
makes the following contributions:
• A scalable, message passing-based graph theoretic approach to clustering topologically and functionally similar logic gates or wires in a
design.
Figure 5.2: D-MUX locking strategies.
• SimLL, an LL scheme that inserts MUXes between topologically and
functionally similar gates or wires and shows resilience against existing ML-based attacks.
To the best of our knowledge, this is the first approach leveraging clusters
of topologically and functionally similar logic gates and wires to robustify
LL against ML-based attacks. We evaluate the effectiveness of SimLL
against different ML-based OL attacks on various ISCAS-85 and ITC-99
benchmarks. Empirical results show that SimLL can reduce the average
accuracy achieved by the ML-based attacks to ∼50%, bringing little to no
advantage over a random guessing attack.
5.2 Background and Related Work
In this section, we discuss the existing MUX-based learning-resilient locking
techniques and the OL attacks on them.
5.2.1 Learning-Resilient MUX-Based Locking
MUX-based locking inserts a MUX key-gate into a design, which takes in
two wires from the circuit as inputs, while a key-input is connected to
the select line, allowing the true wire to pass upon applying the correct
key value. Differently from other locking schemes like XOR/XNOR or
AND/OR insertion, MUX-based locking reconfigures the existing logic by
always inserting the same element, i.e., a multiplexer. However, naïve implementations of MUX-based locking are vulnerable to different OL attacks
like SWEEP, SCOPE [161, 178], and SAAM [179].
Recently, a learning-resilient MUX-based locking technique, D-MUX,
has been proposed, which successfully thwarts all the above attacks. D-MUX
ensures that each wire feeding the MUX has the same probability of
being true or false. To do so, D-MUX introduces different locking strategies
(S1-S4), as shown in Fig. 5.2. Multi-output gates are those which have
fan-out of 2 or more, while single-output gates have fan-out of 1. Strategy S1
selects two multi-output gates (f_i, f_j). An output gate corresponding to
each gate, i.e., (g_i, g_j), is selected randomly from the respective fan-out
gates. Next, two MUXes, controlled by key inputs (k_i, k_j), are introduced
between the two input gates (f_i, f_j) and output gates (g_i, g_j) to generate
four valid paths for all values of (k_i, k_j). Out of these four paths, f_i → g_i
and f_j → g_j are the true paths, while f_i → g_j and f_j → g_i are the false
paths. Since both input gates have multiple outputs, an attacker cannot
determine which path is true or false. Strategy S2 selects two multi-output
gates (f_i, f_j) but performs locking using a single MUX controlled by a single
key-input k_i. A randomly selected output gate for one of the input gates is
locked, as shown in Fig. 5.2(b), where S2 selects f_i and its output gate g_i.
Strategy S3 selects one multi-output gate f_i, which is then locked using
a single key-input k_i controlling one MUX. Given a single-output gate f_j, an
output gate is selected from the multi-output input gate's fan-out so that,
regardless of the key bit value, the input gates (f_i, f_j) remain connected to the
circuit. Finally, strategy S4 selects two gates (f_i, f_j), which can be multi- or single-output gates, and introduces two MUXes which are controlled by
a single key-input k_i. In all these strategies, the MUXes are configured
in such a way that, regardless of the key bit value, both the input gates
always remain connected to the circuit, i.e., there are no floating gates, and
no combinational loops are created. Symmetric MUX-based locking [178]
adopts a strategy similar to S4 of D-MUX, but instead of a single key
input, two key inputs control the two MUXes.
The SAAM [179] attack analyzes the logic gates connected to a MUX key gate to identify the true wire. The attacker iterates over each key bit
and applies the values 0 and 1 to check if any of these results in a netlist with
structural faults. For example, for the circuit in Fig. 5.1(d), the attacker
applies 0 to the key input, which forwards the true wire to the output, and
the resulting netlist displays no structural faults. However, applying a 1
forwards the false wire to the output and the true wire remains floating.
In a functional design, we do not have any floating internal wires. The
attacker can then identify the MUX input that remains floating as the true
wire. D-MUX is resilient to SAAM since every strategy in D-MUX makes
sure that, regardless of the key bit value, both the input gates of the MUX
remain connected to the circuit via valid paths [179].
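The SAAM check described above amounts to a simple floating-wire scan over the netlist. A minimal sketch (the gate and wire names form a hypothetical toy netlist, mirroring the Fig. 5.1(d) situation where the false wire also drives other logic, so only the wrong key value leaves a floating wire):

```python
# Toy netlist (illustrative names): gate -> list of fan-in wires.
netlist = {
    "g1": ["a", "b"],            # g1 drives w_true, which feeds only the MUX
    "g2": ["c"],                 # g2 drives w_false, which also feeds g4
    "mux1": ["w_true", "w_false"],
    "g3": ["mux1_out", "d"],
    "g4": ["w_false", "e"],
}
driven = {"g1": "w_true", "g2": "w_false", "mux1": "mux1_out"}  # gate -> output wire

def floating_wires(netlist, driven, mux, selected_input):
    """Internal wires left with no load once `mux` forwards only
    `selected_input` (i.e., after hard-coding one key value)."""
    used = set()
    for gate, fanins in netlist.items():
        for w in fanins:
            if gate == mux and w != selected_input:
                continue  # the deselected MUX input no longer counts as a load
            used.add(w)
    return [w for w in driven.values() if w not in used]

print(floating_wires(netlist, driven, "mux1", "w_true"))   # [] -> structurally sound
print(floating_wires(netlist, driven, "mux1", "w_false"))  # ['w_true'] -> faulty netlist
```

The key value that produces a floating wire is the wrong one, and the wire that floats under it is the true wire, exactly the structural leak that D-MUX's strategies close.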
A constant propagation attack like SWEEP [161, 178] hard-codes the
value of a single key input at a time and performs re-synthesis to extract
relevant design features (like area and power consumption) from the two
synthesis reports corresponding to each key value. Next, it learns a set
of weight variables that captures the correlation between the correct key
value and the features from the training dataset. During test, SWEEP uses
the learned weights and the target features to deduce a value for each key
input which can be 0, 1, or X, where X means that the attack was not
able to make a decision. SWEEP has an adjustable margin m which can be
tuned by an attacker. The default value of m is 0. In the case of D-MUX,
the features resulting from the two key input values are similar, since no
circuit reduction occurs for wrong key-input values, making it resilient to
constant propagation attacks [179].
Figure 5.3: Workflow of the MuxLink attack. A MUX-locked locality, i.e., a
fixed-depth subcircuit surrounding the MUX key gates, is converted to a graph
to solve the corresponding link prediction problem.
5.2.2 State-of-the-Art ML-Based Attack on D-MUX
Locking
The security guarantees of D-MUX locking have been challenged by
MuxLink [180], an ML-based attack that can recover the correct key with
approximately 100% accuracy for different designs. MuxLink maps the task
of finding the true MUX input into a link prediction problem. It trains a
GNN model to predict the likelihood of a wire (link) to be present in a
design by leveraging the structure of the given circuit and the interconnection of gates surrounding the true wires. Each MUX key gate in a locked
design is associated with a true and false link. During inference, for each of
these links, MuxLink extracts a subgraph and processes it with the trained
GNN model to predict the likelihood score for the link to be present in the
design. If the likelihood score of the true wire is significantly higher than
the one of the false wire, MuxLink can indeed identify the true wire. If the
difference between the likelihood scores of the wires is less than a certain
threshold (th), then MuxLink predicts the key bit value associated with the
MUX as X, implying that it is not able to make a decision. Fig. 5.3 shows
the workflow for MuxLink.
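The abstention rule can be sketched as follows (a simplified reading of the decision step, not MuxLink's actual code; the score names are assumptions):

```python
def muxlink_decide(score_k0, score_k1, th=0.01):
    """Key-bit guess for one MUX from the GNN likelihoods of its two
    candidate links (the link selected by key value 0 and by key value 1).
    Abstain with 'X' when the two likelihoods are within th of each other."""
    if abs(score_k0 - score_k1) < th:
        return "X"
    return 0 if score_k0 > score_k1 else 1

print(muxlink_decide(0.91, 0.12))    # 0
print(muxlink_decide(0.500, 0.505))  # X (difference below threshold)
```

SimLL's goal, described next, is precisely to push the two scores into this abstention band by making the true and false links structurally alike.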
5.3 SimLL: Similarity-Based Logic Locking
We first specify our threat model. Then, we discuss how structural and
functional properties of logic gates and wires in a design can be used to
introduce false wires that confuse the MuxLink GNN model. Finally, we
introduce SimLL.
Threat Model
We assume that the adversary: (a) has access to the locked netlist only
(OL model); (b) knows the algorithmic details of the LL scheme; (c) knows
the location of the key inputs in the netlist.
Preliminaries
D-MUX LL considers the fan-out of the gates when choosing the inputs to
a MUX key gate. However, the locations of the input gates to the MUX are
chosen randomly while making sure that no combinational feedback loop
is introduced. This may result in the true and the false wires having significantly different subgraphs associated with them, making it easy for the
GNN model to differentiate between them. We can mitigate this weakness
by choosing the inputs to the MUX in such a way that the induced subgraphs are “similar” to make it difficult for the GNN model to discriminate
between true and false wires. We address this challenge by searching for
topological and functional similarities in wires and gates. Among the few
approaches in the literature for detecting structural and functional similarities in a design, some efforts focus on finding similar registers [62, 121],
but their extension to generic gates and wires is not straightforward. We
propose instead two algorithms inspired by a classic result for testing graph
isomorphism [181].
Algorithm 3 Node Clustering
Input: G = (V, E, X_V): graph generated from the netlist, h = # hops
Output: NC: node clusters
1: s^0_v ← Update(X_v), ∀v ∈ V
2: for k ← 1 to h do
3:    s^{k−1}_{n_v} ← Sort({{s^{k−1}_w : w ∈ N_G(v)}}), ∀v ∈ V
4:    s^{k−1}_{v,n_v} ← Concat(s^{k−1}_v, s^{k−1}_{n_v}), ∀v ∈ V
5:    s^k_v ← Update(s^{k−1}_{v,n_v}), ∀v ∈ V
6: return node_cluster({{s^h_v : ∀v ∈ V}})
7:
8: function node_cluster(S)
9:    NC ← {}
10:   for s_v ∈ S do
11:      if s_v = s_n, where n is from c ∈ NC then
12:         add v into c
13:      else
14:         create a new set c′ = {v} and add it into NC
15:   return NC
5.3.1 Clustering Topologically and Functionally Similar Nodes
We convert the circuit netlist to a graph G = (V, E, X_V), where V =
{1, . . . , n} is the set of nodes (gates), E ⊆ V × V is the set of links (wires),
and X_V is the set of node features. Each node v is associated with a
feature X_v consisting of the logic gate type encoded as a string. The one-hop
neighbors of node v are denoted by N_G(v) = {w : (v, w) ∈ E}. We use
{{·}} to denote a multiset.
As outlined in Algorithm 3, each node is also associated with a state s_v
that encodes as a string the structural and functional properties of the node
and its neighborhood. The state of a node is computed using the Update
function, an injective hash function that takes a string as an input and
returns another string as the output. Update has the following property:
for any pair of strings v, w, Update(v) = Update(w) if and only if v = w.
The initial state of a node is calculated as s^0_v = Update(X_v) and subsequently updated iteratively by aggregating the states of the neighboring
nodes N_G(v). For each node v, its current state is concatenated with the
current states of the nodes in N_G(v) and used to generate the new state using the Update function. Depending on the number of hops h, each node
aggregates information from neighbors which are at a distance less than or
equal to h from it. Finally, nodes that end up having the same state are
marked as similar and clustered together, meaning that they possess the
same h-hop neighborhood.
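Algorithm 3 is, in essence, Weisfeiler-Lehman-style color refinement with a string hash playing the role of the injective Update function. A minimal sketch, where the sha256-based Update, the undirected toy netlist, and all names are illustrative assumptions (a cryptographic hash is only injective "in practice"):

```python
import hashlib
from collections import defaultdict

def update(s):
    # Stand-in for the injective Update: hash a string to a short digest.
    return hashlib.sha256(s.encode()).hexdigest()[:16]

def node_clusters(adj, feat, h):
    """Cluster nodes with identical h-hop neighborhoods (Algorithm 3 sketch).

    adj: node -> list of neighbor nodes; feat: node -> gate-type string.
    """
    state = {v: update(feat[v]) for v in adj}                 # line 1
    for _ in range(h):                                        # lines 2-5
        nbr = {v: "".join(sorted(state[w] for w in adj[v])) for v in adj}
        state = {v: update(state[v] + "|" + nbr[v]) for v in adj}
    clusters = defaultdict(list)                              # node_cluster
    for v, s in state.items():
        clusters[s].append(v)
    return list(clusters.values())

# Two symmetric AND gates feeding the same OR end up in the same cluster.
adj = {"a1": ["o1"], "a2": ["o1"], "o1": ["a1", "a2"]}
feat = {"a1": "AND", "a2": "AND", "o1": "OR"}
print(sorted(map(sorted, node_clusters(adj, feat, 2))))  # [['a1', 'a2'], ['o1']]
```

Nodes that remain indistinguishable after h rounds of this refinement are exactly the "topologically and functionally similar" candidates SimLL pairs up.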
5.3.2 Clustering Topologically and Functionally Similar Links
The procedure for clustering similar links is outlined in Algorithm 4. We
first extract an h-hop enclosing subgraph g(u,v)
for each link (u, v). We call
the link under consideration the target link, and the nodes connected by
it the target nodes. The subgraph g(u,v)
is obtained from G and contains
the nodes {x|d(u, x) ≤ h or d(v, x) ≤ h}, where d(u, x) is the distance
between nodes u and x. To distinguish between target nodes and other
nodes in the subgraph, a new feature l is added to each node in addition
to the gate type. The string l is assigned using the double radius node
labeling (DRNL) [46] technique. The DRNL label for node x is calculated
as l_x = 1 + min(d_u, d_v) + (d/2)[(d/2) + (d%2) − 1], where d_u = d(x, u),
d_v = d(x, v), and d = d_u + d_v; here, d/2 and d%2 denote the integer quotient and
remainder of d divided by 2, respectively. If x has a path to only one of the
target nodes, then l_x = 0. The target nodes have l_x = 1. DRNL assigns
larger labels to nodes with larger distances with respect to both target
nodes.
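The DRNL formula can be transcribed directly (a small sketch; the handling of unreachable and target nodes follows the conventions stated above):

```python
def drnl_label(du, dv):
    """Double-radius node label from the distances to the two target nodes.

    Conventions as in the text: a node unreachable from one target gets 0,
    and the target nodes themselves get 1."""
    if du is None or dv is None:
        return 0
    if du == 0 or dv == 0:
        return 1
    d = du + dv
    return 1 + min(du, dv) + (d // 2) * ((d // 2) + (d % 2) - 1)

print(drnl_label(1, 1))  # 2
print(drnl_label(1, 2))  # 3
print(drnl_label(2, 2))  # 5
```

Because the label depends only on the distance pair (d_u, d_v), nodes playing the same structural role relative to the target link receive the same label, which is what lets the state-hashing step treat them identically.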
Similarly to Algorithm 3, each node x in the subgraph has a state s_x,
which is updated iteratively by aggregating the states of the neighboring nodes.
At the end of h hops, the subgraph corresponding to each link is defined by
a multiset of node states, denoted by H(u,v). We then cluster links that have
the same multisets together, where two multisets are called equal if they
Algorithm 4 Link Clustering
Input: G = (V, E, X_V): graph generated from the netlist, h = # hops
Output: LC: link clusters
1: Extract the h-hop enclosing subgraph g(u,v), ∀(u, v) ∈ E
2: for each g(u,v) do
3:    X′_a ← Concat(X_a, l_a), ∀a ∈ g(u,v)
4:    s^0_a ← Update(X′_a), ∀a ∈ g(u,v)
5:    for k ← 1 to h do
6:       s^{k−1}_{n_a} ← Sort({{s^{k−1}_w : w ∈ N_{g(u,v)}(a)}}), ∀a ∈ g(u,v)
7:       s^{k−1}_{a,n_a} ← Concat(s^{k−1}_a, s^{k−1}_{n_a}), ∀a ∈ g(u,v)
8:       s^k_a ← Update(s^{k−1}_{a,n_a}), ∀a ∈ g(u,v)
9:    H(u,v) ← {{s^h_a : ∀a ∈ g(u,v)}}
10: return link_cluster({{H(u,v)}})
11:
12: function link_cluster(HG)
13:   LC ← {}
14:   for H(e) ∈ HG do
15:      if H(e) = H(n), where n is from c ∈ LC then
16:         add e into c
17:      else
18:         create a new set c′ = {e} and add it into LC
19:   return LC
have the same elements with equal multiplicities [181]. Having the same
multisets indicates that the links possess the same h-hop neighborhood.
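This multiset-equality test maps directly onto Python's Counter, whose equality comparison checks elements together with their multiplicities:

```python
from collections import Counter

def same_link_cluster(states_a, states_b):
    # Two links fall in the same cluster iff the multisets of final node
    # states of their enclosing subgraphs are equal: same elements with
    # equal multiplicities, regardless of order.
    return Counter(states_a) == Counter(states_b)

print(same_link_cluster(["s1", "s2", "s2"], ["s2", "s1", "s2"]))  # True
print(same_link_cluster(["s1", "s2"], ["s2", "s1", "s2"]))        # False
```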
5.3.3 SimLL Scheme
SimLL leverages the different locking strategies S1-S4 of
D-MUX to introduce the MUX key gates. However, instead of choosing
the inputs to the MUX gates randomly, it follows a systematic approach.
Algorithm 5 outlines SimLL, which takes as inputs (a) the original netlist
N, (b) the correct key vector K, (c) a set of available strategies Ls, and
(d) the number of hops h for subgraph extraction.
SimLL calls Algorithms 3 and 4 to get (i) clusters of similar nodes and
(ii) clusters of similar links. It then introduces MUX key gates by first
Algorithm 5 SimLL Scheme
Input: Netlist N, key K, available locking strategies Ls, hop # h
Output: Locked netlist
1: Convert N to graph G = (V, E, X_V)
2: node_clusters ← Node_Clustering(G(V, E, X_V), h)
3: link_clusters ← Link_Clustering(G(V, E, X_V), h)
4: kl ← Len(K)  ▷ The number of unused key inputs
5: for c ∈ link_clusters do  ▷ Introduce MUXes for similar links
6:    divide c into E^c_s and E^c_m
7:    while kl ≥ 2 and |E^c_m| ≥ 2 do
8:       select two links l_i, l_j ∈ E^c_m
9:       apply S1 on N with l_i, l_j and then remove l_i, l_j from E^c_m
10:   while kl ≥ 1 and |E^c_s| ≥ 2 do
11:      select two links l_i, l_j ∈ E^c_s
12:      apply S4 on N with l_i, l_j and then remove l_i, l_j from E^c_s
13: for c ∈ node_clusters do  ▷ Introduce MUXes for similar nodes
14:   divide c into F^c_s and F^c_m
15:   while kl ≥ 1 and (|F^c_m| + |F^c_s|) ≥ 2 do
16:      RandomShuffle(Ls)
17:      for S_i ∈ Ls do
18:         if S_i = S1 and |F^c_m| ≥ 2 and kl ≥ 2 then
19:            select two nodes f_i, f_j ∈ F^c_m and then break
20:         else if S_i = S2 and |F^c_m| ≥ 2 then
21:            select two nodes f_i, f_j ∈ F^c_m and then break
22:         else if S_i = S3 and |F^c_m| ≥ 1 and |F^c_s| ≥ 1 then
23:            select two nodes f_i ∈ F^c_m, f_j ∈ F^c_s and then break
24:         else if S_i = S4 then
25:            select two nodes f_i, f_j ∈ (F^c_m ∪ F^c_s) and then break
26:      randomly select g_i, g_j s.t. (f_i, g_i) ∈ E, (f_j, g_j) ∈ E
27:      apply S_i on N with f_i, f_j, g_i, g_j
28: while kl ≥ 1 do  ▷ Run D-MUX if unused key inputs exist
29:   D-MUX(Ls, K, N)
30: return N
leveraging similar links, followed by similar nodes. Once the clusters of
similar links are obtained, the links in a single cluster are further divided
into two sets, namely, the single-output source links E^c_s and the multi-output source
links E^c_m, where E^c_s contains all those links in cluster c whose source node
has fan-out of 1, while E^c_m contains links whose source node has fan-out
of 2 or more. SimLL starts performing locking by choosing two links l_i, l_j
from the E^c_m set and introduces two MUXes M1, M2, controlled by two key
inputs k_i, k_j, following strategy S1, while making sure that no combinational
loops are introduced. M1 will have nodes f_i and f_j connected to its inputs,
k_i to its control input, and g_i connected to its output. For M2, f_i and f_j
are connected to its inputs, k_j to the control input, and g_j to its output.
SimLL iterates over E^c_m and introduces the MUXes until the key inputs
are exhausted. If there still exist more key inputs, then SimLL performs
locking by taking links from E^c_s and introducing two MUXes controlled by
Figure 5.4: MuxLink attack evaluation on SimLL-locked benchmarks. ISCAS-85 benchmarks are locked with 64 and 128 key bits, while ITC-99 benchmarks
are locked with 256 and 512 key bits. Success of the attack is evaluated using AC,
PC, FC, and HD. AC and PC achieved by MuxLink on D-MUX-locked designs
are also included for comparison. The area overhead of SimLL is also reported.
a single key input following strategy S4. S4 is similar to S1 except that
only one key input k_i controls both the MUXes and the source nodes can
be single- or multi-output.
In case all the edge clusters are exhausted while key inputs are still left,
SimLL leverages similar nodes in the design. Before performing locking,
SimLL divides the nodes in a single cluster into a single-output node set F^c_s
and a multi-output node set F^c_m. Then, it iterates over the clusters and
randomly shuffles the available strategies to pick a candidate strategy and
suitable nodes f_i, f_j from the cluster. SimLL needs to choose valid output
nodes g_i, g_j for f_i, f_j from their fan-out nodes. If the chosen output nodes
do not introduce any combinational feedback loop in the design, SimLL
goes ahead and introduces a single MUX between the input nodes f_i, f_j
and output node g_i, in the case of strategies S2 or S3, or two MUXes in
the case of S1 and S4. If all the node clusters are used up and some unused
key inputs still exist, SimLL introduces the MUXes randomly following the
D-MUX locking approach.
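The link-pairing stage (lines 5-12 of Algorithm 5) can be sketched as follows; encoding each cluster as (source fan-out, link id) pairs is an illustrative simplification, and the actual MUX insertion and combinational-loop checks are omitted:

```python
def simll_link_pairs(link_clusters, num_keys):
    """Sketch of SimLL's link-pairing stage (Algorithm 5, lines 5-12).

    link_clusters: list of clusters, each a list of (source_fanout, link_id)
    pairs. Returns (strategy, li, lj) tuples; S1 consumes two key bits and
    S4 one, mirroring the key-budget bookkeeping in the algorithm."""
    pairs, kl = [], num_keys
    for c in link_clusters:
        multi = [l for fanout, l in c if fanout >= 2]   # E^c_m
        single = [l for fanout, l in c if fanout == 1]  # E^c_s
        while kl >= 2 and len(multi) >= 2:              # strategy S1
            li, lj = multi.pop(), multi.pop()
            pairs.append(("S1", li, lj))
            kl -= 2
        while kl >= 1 and len(single) >= 2:             # strategy S4
            li, lj = single.pop(), single.pop()
            pairs.append(("S4", li, lj))
            kl -= 1
    return pairs

clusters = [[(2, "w1"), (2, "w2"), (1, "w3"), (1, "w4")]]
print(simll_link_pairs(clusters, 3))  # [('S1', 'w2', 'w1'), ('S4', 'w4', 'w3')]
```

Because both links of every emitted pair come from the same similarity cluster, the true and false MUX inputs have matching h-hop neighborhoods by construction.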
5.4 Evaluation
We evaluate SimLL against MuxLink [180], SWEEP [161], and SnapShot [129] for different designs from the ISCAS-85 and ITC-99 benchmarks.
The ISCAS-85 benchmarks are locked with 64 and 128 keys, while the ITC-99 benchmarks are locked with 256 and 512 keys to assess the impact of
different key sizes on the performance of the existing attacks on SimLL.
We used the 45-nm Nangate Open Cell Library to synthesize the designs.
In SimLL, we set the value of h to 2. In fact, higher values of h tend to
result in smaller cluster sizes, which leads to fewer options for introducing MUXes between similar nodes or links, making SimLL less effective.
We implemented SimLL in Python and performed all the experiments on
a server with an NVIDIA GeForce RTX 2080 graphics card, 48 2.1-GHz
processor cores, and 500-GB memory.
Evaluation Metrics
We use the following metrics for evaluating the resilience of SimLL against
different types of attacks: key accuracy (AC), precision (PC), functional
corruptibility (FC), and Hamming distance (HD). AC is defined as the
percentage ratio between the correctly predicted key bits K_correct and the
total number of key bits K_total, i.e., AC = (K_correct/K_total) × 100. PC
measures the ratio of the correctly predicted key bits, counting every X as
a correct guess, i.e., PC = ((K_correct + K_X)/K_total) × 100, where K_X is the
number of key bits for which the attack is unable to make a decision. FC
represents the fraction of the applied input patterns for which the output
under the predicted key is incorrect, while HD measures the average number
of incorrect output bits per input pattern. They are defined as follows:
FC = (1/|I|) Σ_{i∈I} 1(O_{X,i} ≠ O_{C,i}),                (5.1)

HD = (1/|I|) Σ_{i∈I} Σ_{j∈[m]} O_{X,i,j} ⊕ O_{C,i,j},         (5.2)

where O_{X,i} is the output given the predicted key and an input pattern i,
O_{C,i} is the output given the correct key and an input pattern i, O_{X,i,j} is the
j-th bit of O_{X,i}, O_{C,i,j} is the j-th bit of O_{C,i}, and m is the number of
output bits. To measure the FC and
HD, we simulate the locked and oracle designs with |I| = 200,000 random
input patterns.
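The four metrics can be computed directly from key guesses and simulation outputs; a minimal sketch (HD is evaluated here as written in Eq. (5.2), i.e., in bits per pattern, rather than the percentage form reported in the figures):

```python
def ac_pc(pred_key, correct_key):
    # AC counts exact key-bit matches; PC additionally counts every 'X'
    # (undecided bit) as correct.
    n = len(correct_key)
    correct = sum(p == c for p, c in zip(pred_key, correct_key))
    return 100 * correct / n, 100 * (correct + pred_key.count("X")) / n

def fc_hd(outs_pred, outs_correct):
    # FC: fraction of input patterns with a wrong output vector (Eq. 5.1).
    # HD: average number of wrong output bits per pattern (Eq. 5.2).
    n = len(outs_pred)
    fc = sum(p != c for p, c in zip(outs_pred, outs_correct)) / n
    hd = sum(pb ^ cb for p, c in zip(outs_pred, outs_correct)
             for pb, cb in zip(p, c)) / n
    return fc, hd

print(ac_pc([1, 0, "X", 1], [1, 1, 0, 1]))  # (50.0, 75.0)
pred = [[0, 1, 1], [1, 1, 0], [0, 0, 0]]
gold = [[0, 1, 1], [1, 0, 0], [1, 1, 0]]
print(fc_hd(pred, gold))  # (0.666..., 1.0)
```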
MuxLink
We evaluate the resilience of SimLL against MuxLink using the open-source
MuxLink tool [180]. We use the same GNN model architecture defined in
MuxLink [180], consisting of four graph convolution (GCN) layers, two
1-D convolutional layers, a single fully connected layer, a dropout layer,
and a softmax layer of 2 output units. A tanh activation function is used
for the GCN layers while the ReLU function is used in the rest of the
layers. Similar to MuxLink, we set the threshold th to be 0.01. For each
benchmark design, we lock it using SimLL and then perform the MuxLink
attack. The AC, PC, FC, and HD achieved by MuxLink on SimLL locked
benchmarks are presented in Fig. 5.4. We also include the performance of
MuxLink on D-MUX locked circuits for comparison.
MuxLink achieves average AC of 97.1% and PC of 98.1% on benchmarks locked with D-MUX [180]. However, when we apply the attack on
designs locked with SimLL, the AC and PC reduce to 52.4% and 83.8%,
respectively. In the case of D-MUX, the difference between PC and AC is
1%, implying that the number of key bits for which the attack is unable to
make a decision is very low. The difference between PC and AC increases
to 31.4% for SimLL, meaning that a large number of key bits are classified
as X. SimLL is then successful in confusing the ML model. Moreover, the
average PC of 83.9% shows that a large number of key inputs are incorrectly predicted by MuxLink and SimLL is successful in making the ML
model incorrectly identify some false links as true links. While the AC
Figure 5.5: (a), (b) SWEEP attack evaluation on SimLL. (c) SnapShot attack
evaluation on SimLL under the SRS attack scenario.
reduces by ∼40% for most of the designs, it reduces by only ∼25% for c7552, mostly
due to the fact that the number of similar nodes and links in the clusters
was smaller than in other benchmarks and many MUX inputs were chosen
randomly, as in D-MUX.
We also measure the FC and HD for the key predicted by MuxLink on
the SimLL locked circuits. Since MuxLink predicts many key bits to be
X, to mimic the decision of an attacker, we set the value for these key bits
randomly, averaged over multiple runs. The average FC is 0.99 and the
average HD is 46.94% across the different SimLL locked designs, showing
that the design recovered by the MuxLink attack can exhibit a significant
amount of errors with respect to the original design. Figure 5.4 shows the
area overhead incurred by SimLL for the different benchmarks, which is
similar to the one of D-MUX.
SWEEP
We evaluate the resiliency of SimLL to the constant propagation attack
SWEEP [161] using the open-source tool. We follow the same setup used
in the literature [179]. Seven ISCAS-85 benchmarks were copied 100 times
and locked with SimLL with a key size of 64, resulting in a data set of 700
locked benchmarks. For each benchmark, the data set is divided into a test
set consisting of the 100 locked designs of the benchmark in question and
a training set consisting of the remaining 600 other designs. We recall that
SWEEP predicts the value of a key bit as 0, 1, or X. We set the value of
the margin m to be initially 0, which results in an average AC of 21% and
an average PC of 84.2%, as shown in Fig. 5.5 (a) and (b). SimLL is then
resilient to SWEEP. When the margin m is slightly increased, AC falls to
0% while PC rises to 100%, which implies that SWEEP predicts all the
key bits as X.
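SWEEP's per-bit decision with margin m can be sketched as follows (the linear feature-scoring form and the score-to-key-value direction are simplifying assumptions made for illustration; the real attack learns its weights from synthesis-report features such as area and power):

```python
def sweep_decide(feats_k0, feats_k1, weights, m=0.0):
    """Score the synthesis features obtained by hard-coding the key bit to
    0 and to 1; abstain with 'X' when the scores are within the margin m."""
    s0 = sum(w * f for w, f in zip(weights, feats_k0))
    s1 = sum(w * f for w, f in zip(weights, feats_k1))
    if abs(s0 - s1) <= m:
        return "X"
    return 0 if s0 > s1 else 1

# With SimLL/D-MUX, both key values yield near-identical features, so any
# positive margin pushes the decision to 'X'.
print(sweep_decide([10.0, 5.0], [10.0, 5.1], [0.5, 0.5], m=0.1))  # X
print(sweep_decide([10.0, 9.0], [10.0, 5.0], [0.5, 0.5], m=0.1))  # 0
```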
SnapShot
We also evaluate the resiliency of SimLL to the ML-based OL attack SnapShot under the self-referencing scheme (SRS) attack scenario. SnapShot
predicts the key bit value as either 0 or 1 by looking into locality vectors that
represent the neighboring sub-circuit associated with the key gate. For
each SimLL-locked benchmark, a training set is created by relocking the
target netlist 100 times, which is used for training a convolutional neural network (CNN) model [129]. During inference, the trained model is used for
predicting the key of the target locked netlist. As shown in Fig. 5.5 (c),
SnapShot achieves an average AC of ∼50%.
5.5 Conclusion
This chapter presented SimLL, a locking technique that introduces key-controlled MUXes between topologically and functionally similar logic gates
and wires in a design to confuse ML-based attacks. Empirical results show
that SimLL is resilient against the state-of-the-art OL attacks.
Chapter 6
Enhancing SAT-attack
Resiliency and
Cost-Effectiveness of
Reconfigurable-Logic-Based
Circuit Obfuscation
This chapter presents a reconfigurable logic-based locking technique. Section 6.1 provides the introduction and motivation behind developing reconfigurable logic-based locking. Section 6.2 provides the necessary background
and highlights the related work and its weaknesses. Section 6.3 discusses
our proposed reconfigurable logic-based locking technique. Evaluation of the
proposed locking technique is presented in Section 6.4. Finally, we conclude
in Section 6.5.
6.1 Introduction
Logic locking is a promising defense against security threats such as IP
piracy and theft [68], overproduction, counterfeiting [69], and hardware
Trojan insertion [6,155]. However, early logic locking methods were shown
to be vulnerable to an attack strategy based on Boolean satisfiability (SAT),
termed SAT attack [182], which efficiently eliminates classes of incorrect
keys via an iterative approach by relying on an oracle, i.e., an unlocked
version of the circuit.
Researchers tried to circumvent the SAT attack via a spectrum of
techniques that either increase the number of attack iterations or create
SAT-hard formulas to increase the run-time of each iteration [183–189].
A promising approach to achieve SAT-attack resiliency relies on replacing some gates with reconfigurable logic blocks like look-up tables
(LUTs) [3, 190–192]. LUTs are programmable circuits that can represent
any logic function for a fixed number of inputs, which can increase the
search space of a SAT solver. Moreover, LUTs can help eliminate structural signatures in the design and prevent information leakage that can be
exploited by removal attacks [193] or other attacks targeting the circuit
structure. Similar principles, aiming to infuse an IC with programmable
structures, have also led to the exploration of routing obfuscation [183,186].
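A k-input LUT is simply a 2^k-entry truth table addressed by its input bits, which is why it can realize any k-input function. The following minimal sketch is a generic model of this behavior, not tied to any specific FPGA or standard-cell primitive:

```python
def lut_eval(config_bits, inputs):
    """Evaluate a k-input LUT: config_bits is the 2**k-entry truth table,
    indexed by the input bits interpreted as a binary address (MSB first)."""
    k = len(inputs)
    assert len(config_bits) == 2 ** k
    addr = 0
    for bit in inputs:
        addr = (addr << 1) | bit
    return config_bits[addr]

# An 8-entry configuration realizing a 3-input AND: only address 0b111 is 1.
and3 = [0, 0, 0, 0, 0, 0, 0, 1]
print(lut_eval(and3, [1, 1, 1]))  # 1
print(lut_eval(and3, [1, 0, 1]))  # 0
```

From an attacker's perspective, the configuration bits act as key bits: an n-input LUT hides which of the 2^(2^n) implementable functions was originally present, which is what enlarges the SAT search space.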
While reconfigurable-logic-based obfuscation techniques can achieve attack resiliency, they unfortunately often come with prohibitive costs, which makes them practically infeasible. It is then desirable to devise methods that can address the conflicting goals of low overhead and attack resiliency. A recent work [3] addresses this challenge by optimizing the LUT sizes and introducing a practical 2-stage LUT architecture.
This chapter builds on this architecture [3] to propose a set of enhanced
reconfigurable-logic-based locking solutions via the following contributions:
• We present a novel LUT-based obfuscation algorithm that leverages
concepts from IC testing to select optimized LUT replacement locations and LUT input signals to achieve SAT-attack resiliency with
reduced overhead.
• Whenever the LUT location cannot be arbitrarily selected, we propose a practical method to robustify LUT-based obfuscation via a
combination of LUTs and SBs that can provide both logic and routing obfuscation, largely independently of the specific location.
We validate the proposed methods on various ISCAS benchmark circuits
and show that the enhanced 2-stage LUT-based obfuscation (ELBO) technique can achieve on average the same SAT-attack resiliency as for the reference architecture [3] with 2× less area overhead. A similar improvement
can also be obtained with the proposed hybrid logic and routing obfuscation (HLRO) strategy. On the other hand, the hybrid strategy outperforms
a single-stage LUT-based architecture by a factor of 7 in area overhead for
the same average SAT-attack resiliency.
6.2 Background and Related Work
6.2.1 SAT Attack
The SAT attack [182], based on iteratively solving Boolean satisfiability problems, can effectively break many logic locking techniques in minutes.
With access to a locked netlist and an activated circuit serving as an
oracle, the attack uses a SAT solver to find an input pattern, called distinguishing input pattern (DIP), that helps prune out one or more wrong
equivalent key classes in each iteration. A major research focus has then
been on developing SAT-attack resilient techniques. Since the SAT attack
tries to eliminate multiple incorrect keys at each iteration, a method to provide SAT attack resiliency is to guarantee that only one incorrect key can
be eliminated at each iteration, which makes the number of iterations grow
exponentially with the key bit length [187–189]. However, many locking
techniques based on this method become vulnerable to attacks like removal
attack [193], signal probability skew (SPS) attack, and approximate SAT
attack [194]. Another method for providing SAT-attack resiliency is to
increase the duration of each iteration of the SAT attack, which can be
achieved by adding SAT-hard instances to the circuit [183, 186, 192].
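The DIP-based pruning loop described above can be illustrated with a toy, brute-force stand-in for the SAT solver. The locked circuit, the key space, and the exhaustive DIP search below are all illustrative assumptions; a real attack encodes the miter circuit into CNF and queries a SAT solver instead of enumerating inputs.

```python
from itertools import product

def sat_attack(locked, oracle, n_inputs, n_keys):
    """Toy DIP-based attack: exhaustive search stands in for a SAT solver.

    Each iteration finds a distinguishing input pattern (DIP) -- an input on
    which two surviving keys disagree -- queries the oracle on that DIP, and
    prunes every key whose output mismatches the oracle's response.
    """
    keys = list(product([0, 1], repeat=n_keys))
    inputs = list(product([0, 1], repeat=n_inputs))
    iterations = 0
    while True:
        dip = next((x for x in inputs
                    if len({locked(x, k) for k in keys}) > 1), None)
        if dip is None:              # no DIP left: surviving keys are equivalent
            return keys, iterations
        iterations += 1
        good = oracle(dip)
        keys = [k for k in keys if locked(dip, k) == good]

# Hypothetical locked circuit: output = (x0 AND x1) XOR k0 XOR (x0 AND k1)
def locked(x, k):
    return (x[0] & x[1]) ^ k[0] ^ (x[0] & k[1])

correct_key = (0, 0)
oracle = lambda x: locked(x, correct_key)
survivors, iters = sat_attack(locked, oracle, n_inputs=2, n_keys=2)
print(survivors, iters)  # [(0, 0)] 2
```

The two resiliency strategies mentioned in this section map directly onto this loop: forcing one-key-per-DIP pruning blows up the number of iterations, while SAT-hard instances blow up the cost of finding each DIP.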
6.2.2 LUT-Based Logic Obfuscation
Logic obfuscation can be achieved using reconfigurable logic blocks like
LUTs, where one or more gates in a design are replaced by one or more
LUTs [190, 195–197]. Once a LUT is inserted into a design, the replaced
Figure 6.1: Examples of LUT structures: (a) a single 8-input LUT; (b) a 2-stage
8-input LUT, which consists of a 4-input LUT driven by four 2-input LUTs.
gates and their connections become indiscernible to the attacker, making them immune to attacks based on the circuit structure [193]. While
some of the LUT-based obfuscation techniques are vulnerable to SAT attacks [195, 196], recent work tries to circumvent the attack by either increasing the number and the size of the LUTs [3] or by leveraging heuristics
based on signal probability skews to choose the LUT locations [190]. Large
LUTs increase the key length and the SAT-attack resiliency by pushing
the SAT attack to potentially search over the entire, exponential space of
implementable functions. However, large LUTs also add significant design
overhead [3]. This chapter addresses these issues by principled selection of
the input signals and the locations of the LUTs based on concepts from IC
testing.
6.2.3 Routing Obfuscation
In routing obfuscation, the routing of a group of selected wires is obfuscated by connecting them to fully programmable switching networks, such
as mesh [186], logarithmic [183], and other customized networks [191]. The key-configurable logarithmic networks (CLNs) can be categorized as blocking, non-blocking, and almost non-blocking [196], depending on how many different input permutations they allow to pass to the output. Compared
to different logarithmic networks, almost-non-blocking CLNs [183, 196] allow almost all input permutations to pass to the output, thus creating
SAT-hard instances [183] with lower overhead.
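The key-controlled routing primitive underlying these networks can be illustrated with a single butterfly stage of 2×2 crossbar switches. This is only an illustrative building block: the full blocking/non-blocking CLN topologies cited above cascade many such stages, which this sketch does not attempt.

```python
def switch2x2(a, b, key_bit):
    """A 2x2 crossbar switch: pass-through when key_bit is 0, swap when 1."""
    return (a, b) if key_bit == 0 else (b, a)

def butterfly_stage(wires, key_bits, stride):
    """One butterfly stage: pair wires at the given stride and apply a
    key-controlled 2x2 switch to each pair (an illustrative building block
    of logarithmic routing networks, not a complete CLN)."""
    out = list(wires)
    k = 0
    for i in range(len(wires)):
        j = i ^ stride            # butterfly partner of wire i
        if i < j:
            out[i], out[j] = switch2x2(wires[i], wires[j], key_bits[k])
            k += 1
    return out

wires = ["w0", "w1", "w2", "w3"]
print(butterfly_stage(wires, [1, 0], stride=2))  # swaps w0 <-> w2 only
```

Because every key assignment selects a different wire permutation, the SAT solver must reason about a deep tree of multiplexer choices, which is the source of the SAT-hardness noted above.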
6.3 Proposed Enhanced LUT-Based Obfuscation
The SAT-attack resiliency of LUT-based obfuscation has been recently analyzed in the literature, as a function of the number of LUTs, their size, and
replacement strategy [3], empirically showing the impact of the LUT size.
When small LUTs are used for obfuscation, even after obfuscating 35% of
the design, the SAT-attack takes a short time to recover the correct key.
On the other hand, obfuscating a small number of gates with large LUTs
provides higher SAT-attack resiliency. Because the overhead associated
with large LUTs can be prohibitive, the study proposes a customized 2-
stage LUT architecture to provide attack resiliency at low overhead, where
a first stage is made up of 2-input LUTs and a second stage is made up
of a large LUT, as shown in Figure 6.1 [3]. When the LUT input ports
are greater than that of the replaced gate, additional signals from the circuit are connected to the LUT as dummy inputs. Algorithm 6 shows that
the overhead of existing solutions can be further reduced considerably via
a principled approach for selecting the LUT locations and dummy input
signals.
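The 2-stage architecture of Figure 6.1(b) composes small truth tables: four 2-input LUTs feed one 4-input LUT. A minimal sketch of its evaluation follows; the configuration values (an 8-input AND) are hypothetical and chosen only to make the behavior checkable.

```python
def lut_eval(config_bits, inputs):
    """Evaluate a k-input LUT whose 2**k-entry truth table is config_bits."""
    addr = 0
    for bit in inputs:            # MSB-first address
        addr = (addr << 1) | bit
    return config_bits[addr]

def two_stage_lut8(stage1_cfgs, stage2_cfg, inputs):
    """An 8-input 2-stage LUT as in Fig. 6.1(b): four 2-input LUTs
    (4 config bits each) drive one 4-input LUT (16 config bits)."""
    assert len(inputs) == 8 and len(stage1_cfgs) == 4
    mids = [lut_eval(cfg, inputs[2 * i:2 * i + 2])
            for i, cfg in enumerate(stage1_cfgs)]
    return lut_eval(stage2_cfg, mids)

# Hypothetical configuration realizing an 8-input AND:
# each first-stage LUT is a 2-input AND, the second stage is a 4-input AND.
and2 = [0, 0, 0, 1]
and4 = [0] * 15 + [1]
print(two_stage_lut8([and2] * 4, and4, [1] * 8))        # 1
print(two_stage_lut8([and2] * 4, and4, [1] * 7 + [0]))  # 0
```

The appeal of the 2-stage split is cost: the configuration storage is 4·4 + 16 = 32 bits, versus 256 bits for a monolithic 8-input LUT, at the price of covering only a subset of the 8-input functions.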
6.3.1 Enhanced 2-Stage LUT-Based Obfuscation
(ELBO)
We look for LUT replacement locations and nodes to be connected to the
LUT dummy inputs by leveraging controllability and observability measures from circuit testability [198]. As shown in Algorithm 6, we first
convert a circuit netlist into a graph and assign levels to the nodes by performing a breadth-first traversal starting from the primary inputs (PIs).
We then use the SCOAP algorithm [199] to find the observability and controllability costs associated with the nodes. Let PO be the set of primary outputs (POs) and |PO| its cardinality. For each primary output PO_i, i = 1, ..., |PO|, we select only those nodes in the fan-in cone of PO_i which have PO_i as the only primary output in their fan-out cone. Selecting these nodes as locations for LUT replacement guarantees that the Hamming distance between the correct output value and the output obtained with an incorrect key is solely controlled by the errors introduced on PO_i.
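The SCOAP combinational controllability measures used here can be sketched on a tiny netlist. The rules below are the standard SCOAP ones (primary inputs cost 1; an AND output needs all inputs at 1 but any input at 0; OR is the dual; NOT swaps the costs); the example netlist is hypothetical.

```python
def scoap_controllability(netlist, primary_inputs):
    """Compute SCOAP combinational 0/1-controllability (CC0, CC1).

    netlist maps each gate output net to (gate_type, [input_nets]), listed
    in topological order. Higher cost means harder to set the net to that
    value; a high-cost (low-controllability) net tends to hold its value.
    """
    cc = {pi: (1, 1) for pi in primary_inputs}   # net -> (CC0, CC1)
    for out, (gate, ins) in netlist.items():
        cc0s = [cc[i][0] for i in ins]
        cc1s = [cc[i][1] for i in ins]
        if gate == "AND":
            cc[out] = (min(cc0s) + 1, sum(cc1s) + 1)
        elif gate == "OR":
            cc[out] = (sum(cc0s) + 1, min(cc1s) + 1)
        elif gate == "NOT":
            cc[out] = (cc1s[0] + 1, cc0s[0] + 1)
    return cc

# Tiny example netlist: n1 = a AND b, y = n1 OR c
netlist = {"n1": ("AND", ["a", "b"]), "y": ("OR", ["n1", "c"])}
cc = scoap_controllability(netlist, ["a", "b", "c"])
print(cc["n1"], cc["y"])  # (2, 3) (4, 2)
```

In Algorithm 6, nodes with the smallest controllability cost are preferred as dummy inputs precisely because their values toggle frequently, keeping many input patterns useful as DIPs.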
Our strategy is to determine the LUT locations to provide enough functional corruptibility, while selecting the dummy inputs in a way that increases the number of SAT-attack iterations. Differently from previous approaches [3], which randomly choose the nodes to be connected as dummy
inputs, we observe that, if a node has low controllability, then it tends to
keep its state for most of the input configurations [198]. If this node is
connected to a dummy input, it will bias the signal distribution at both
the input and output of the LUT as well as the corresponding POs. The
probability for the PO to change its value as a function of the key will then
be lowered, thus reducing the probability for an input to be detected as a
DIP. As a result, the number of DIPs, hence the maximum number of SATattack iterations, will decrease. Conversely, a node with high controllability
will contribute to increasing the maximum number of SAT iterations.
Based on these considerations, as detailed by lines 8-24, the nodes in
the list iso node are arranged in ascending order of their observability cost
and the node with the lowest cost (i.e., intuitively, the highest observability) is chosen for replacement by a LUT to provide sufficient functional
corruptibility. Once a node from the list iso node is selected for replacement, its immediate fan-out and fan-in nodes are removed from iso node to
avoid masking effects due to the correlation between successive gates [190].
The candidate circuit nodes that can be connected as dummy inputs are
then sorted in ascending order of controllability cost, and the nodes with
the smallest cost (i.e., intuitively, the highest controllability) are selected.
Nodes can be replaced by LUTs until a desired level of SAT-attack resiliency is achieved. Overall, 2-stage LUT-based locking creates a large
key search space and SAT-hard instances [3]. Algorithm 6 contributes to
strengthening SAT-attack resiliency by also increasing the number of iterations.
6.3.2 Hybrid Logic-Routing Obfuscation (HLRO)
The SAT-attack resiliency of 2-stage LUT-based obfuscation can significantly vary with the location of the LUT, as it impacts both the number
of attack iterations and the duration of each iteration, as also shown by
the empirical evaluation in Section 6.4. Therefore, instead of increasing
the number of LUTs, whenever the LUT location cannot be arbitrarily
selected, we propose a practical method to robustify LUT-based obfuscation by combining it with SBs in a way that is largely independent of the
location.
We observe that routing obfuscation implemented using almost-non-blocking CLNs can create SAT-hard formulas [183], since they generate
a deep symmetric multiplexer tree. We then propose to combine small
almost-non-blocking CLNs with 2-stage LUTs to achieve the desired SAT-attack resiliency without incurring the large overhead of a solution exclusively based on logic obfuscation. Figure 6.2 shows a sample hybrid
obfuscation architecture used to replace one gate in the design, consisting
of a CLN followed by a 2-stage LUT where the sizes of both components
can be configured based on the allowable design overhead to significantly
increase the key search space.
Figure 6.2: Gate replacement using combined CLN-based and 2-stage LUT-based obfuscation. The CLN provides routing obfuscation while the LUT provides logic obfuscation.
6.4 Results and Discussion
We evaluate the effectiveness of the proposed ELBO and HLRO techniques
by comparing their SAT-attack [182] resiliency with the one of the reference
schemes [3, 192] for different ISCAS’85 and ISCAS’89 benchmark circuits.
We set the time-out deadline to 5 days (4.32 × 10^5 s). The obfuscated
circuits were synthesized using a 45-nm Nangate open cell library to meet
the same timing requirements of the original circuits. To execute SAT
attacks, LUTs are translated into multiplexer-based circuits. All tests ran
on a machine with 48 2.1-GHz processor cores and 500-GB memory.
Figure 6.3: (a) Evaluation of ELBO (solid line) in comparison with reference
obfuscation scheme [3] (dotted line) for c7552: SAT-attack execution time as a
function of LUT size and number of replaced gates
Figure 6.4: Evaluation of ELBO (solid line) in comparison with reference obfuscation scheme [3] (dotted line) for c7552: normalized area overhead as a function
of SAT-attack runtime for different LUT sizes
Figure 6.5: SAT-attack time for ELBO when ascending (solid line) and descending (dotted line) order of observability cost of nodes are used to decide the
gate replacement location in c7552.
We first examine the effectiveness of ELBO by obfuscating the c7552
benchmark with 8-, 10-, 12-, and 14-input 2-stage LUTs using Algorithm 6
and the reference method [3]. As shown in Figure 6.3, ELBO on average requires 2× fewer gates to be replaced by LUTs when compared to the
reference method [3] to reach a SAT-attack timeout time of 5 days. In
Figure 6.4, this turns into 2× less area overhead when compared to the
reference method [3] for the same SAT-attack timeout time. Moreover, for
the same number of gates replaced by LUTs, in more than 90% of the cases,
ELBO provides longer SAT-attack time. As shown in Figure 6.5, the SAT-attack resiliency of ELBO changes with the replacement location. When
using the descending order of observability cost, rather than the ascending
order of Algorithm 6, to determine the LUT location, we need to replace
more gates to reach the same SAT-attack timeout time.
We then illustrate the efficacy of HLRO using a hybrid block made up
of 8 × 8 CLN followed by an 8-input 2-stage LUT. We first obfuscate the
designs using Algorithm 6, by leveraging both the ascending and descending
Figure 6.6: Area overhead for traditional LUT-based (SLO), enhanced 2-stage
LUT-based (ELBO), and hybrid CLN-LUT-based (HLRO) obfuscation.
orders of observability cost to decide the gate replacement location, and
compare the performance of these strategies. Table 6.1 reports the SAT-attack time when 1, 2, and 3 gates are replaced by HLRO in both cases.
We observe that, in both cases, HLRO exhibits comparable performance,
and the same number of gates need to be replaced by a hybrid block to
reach the SAT-attack timeout time of 5 days. We compare HLRO with
ELBO and a conventional single-stage LUT-based obfuscation (SLO) in
Figure 6.6. HLRO uses hybrid blocks made up of an 8 × 8 CLN and an
8-input 2-stage LUT. ELBO uses 14-input 2-stage LUTs while SLO uses 8-input single-stage LUTs. HLRO incurs consistently lower design overhead
over the different benchmarks, when compared to the other techniques, in
order to reach the SAT-attack timeout time. Specifically, HLRO incurs 7×
less area overhead compared to SLO and 2× less area overhead compared
to ELBO.
Finally, Table 6.2 compares the performance of HLRO with an obfuscation technique based on universal circuits (UCs) [192], a reconfigurable
Table 6.1: SAT-attack time for hybrid logic-routing obfuscation and different replacement locations

                Ascending Observability      Descending Observability
                (8 × 8 CLN + LUT-8)          (8 × 8 CLN + LUT-8)
Benchmark       1         2         3        1         2         3
c880            52386s    TO        TO       46033s    TO        TO
c1355           32851s    TO        TO       24976s    TO        TO
c1908           18578s    197015s   TO       8015s     98078s    TO
c2670           113166s   410324s   TO       109057s   395728s   TO
c3450           196135s   TO        TO       187720s   TO        TO
c5315           1807s     224570s   TO       23210s    356219s   TO
c6288           10713s    378516s   TO       35646s    401202s   TO
c7552           60438s    TO        TO       100516s   TO        TO
s15850          120505s   TO        TO       124495s   TO        TO
s35932          63360s    TO        TO       84404s    TO        TO
s38584          119757s   TO        TO       101139s   TO        TO

Time-Out (TO) = 4.32 × 10^5 s
Table 6.2: SAT-attack time for hybrid obfuscation (HLRO) and universal circuit-based obfuscation for the same key length

Benchmark            Hybrid Obfuscation    Universal Circuit [192]
c880 (110 keys)      TO                    4169.51s
c1355 (110 keys)     TO                    1636.07s
c1908 (170 keys)     TO                    TO
c2670 (170 keys)     TO                    TO
c3450 (110 keys)     TO                    740.732s
c5315 (170 keys)     TO                    18856.8s
c7552 (110 keys)     TO                    169532s
s15850 (110 keys)    TO                    11.8s
s35932 (110 keys)    TO                    15853s
s38584 (110 keys)    TO                    94s

Time-Out (TO) = 4.32 × 10^5 s
logic routing block made up of multiplexers and LUTs. UC-based obfuscation replaces a portion of the original circuit with given depth and width
with a UC in a randomly chosen location. For the purpose of comparison,
we obfuscate each design by using the same key length for both techniques.
The designs obfuscated with HLRO could not be deobfuscated after 5 days
of SAT attack, while 9 out of 11 designs obfuscated with UCs were unlocked
in less than 8 hours, showing that HLRO can provide higher security levels
than UC-based obfuscation for the same key length, mostly owing to its capability of generating SAT-hard formulas via deep symmetric multiplexer-tree structures.
6.5 Conclusion
In summary, we introduced and validated by simulation two methods to
enhance LUT-based IC obfuscation and achieve high SAT-attack time with
reduced overhead when compared with other state-of-the-art solutions.
ELBO leverages concepts from IC testing to increase the SAT-attack resilience via principled selection of the LUT dummy inputs and locations.
HLRO further reduces the design overhead for the same level of SAT-attack
resiliency by creating SAT-hard instances via routing obfuscation. Future
work includes further investigation of using controllability and observability concepts in UC-based obfuscation and their impact on attack resiliency
and overhead.
Algorithm 6 Enhanced LUT-based Obfuscation
Input: LUT count c_LUT, LUT size s_LUT, original netlist C_ori
Output: Locked netlist C_lock
1: circuit_graph ← parse_and_levelize(C_ori)
2: SCOAP(circuit_graph) ▷ Use the SCOAP algorithm to measure the observability and controllability of each node
3: for po_node ∈ circuit_graph.PO_list do ▷ PO_list: list of primary outputs; asc: ascending; dsc: descending
4:     iso_node(po_node) = ()
5:     for node ∈ po_node.fan_in_cone do
6:         if node.fan_out_cone has only one PO node then
7:             iso_node(po_node).append(node)
8: for po_node ∈ circuit_graph.PO_list do
9:     sort(iso_node(po_node), observability, asc)
10: rep_nodes = sort(iso_node, iso_node(·).size, dsc)
11: i = 0
12: while count < c_LUT do
13:     target = rep_nodes(i)(1) ▷ target: gate to be replaced by a LUT
14:     rep_nodes(i).remove(target)
15:     Dummy = () ▷ Dummy: nodes that can be connected to the LUT inputs
16:     for node ∈ circuit_graph do
17:         if node.level < target.level then
18:             Dummy.append(node)
19:     sort(Dummy, controllability, asc)
20:     Dummy_in = ()
21:     while j < LUT.size − target.size do ▷ target.size: number of inputs
22:         Dummy_in.append(Dummy(j))
23:     LUT.input = (target.input, Dummy_in) ▷ target.input: list of inputs
24:     replace(target, LUT)
25:     rep_nodes(i).remove(rep_nodes(i)(1).fan_in_nodes)
26:     rep_nodes(i).remove(rep_nodes(i)(1).fan_out_nodes)
27:     if rep_nodes(i).size == 0 then
28:         i = i + 1
Chapter 7
Finding Adversarially Robust
Graph Lottery Tickets
In this chapter we evaluate the impact of adversarial attacks on GNNs and
develop a new training algorithm for generating compressed yet adversarially robust GNNs. Section 7.1 provides the introduction and motivation
behind this work. Section 7.2 provides the necessary background and highlights the related works and their weaknesses. Section 7.3 discusses our
proposed training algorithm in detail and its evaluation is presented in Section 7.4. Finally, we conclude in Section 7.5.
7.1 Introduction
Graph neural networks (GNNs) [39,97,99,200,201] achieve state-of-the-art
performance on various graph-based tasks like semi-supervised node classification [39, 97, 99], link prediction [46], and graph classification [44].
The success of GNNs is attributed to the neural message-passing scheme in
which each node updates its feature by recursively aggregating and transforming the features of its neighbors. However, the effectiveness of GNNs
when scaled up to large and densely connected graphs, is hampered by high training and inference costs and substantial memory consumption.
Unified graph sparsification (UGS) [202] addresses this concern by simultaneously pruning the input graph adjacency matrix and the GNN to show
the existence of a graph lottery ticket (GLT), a pair of sparse graph adjacency matrix and GNN model, which can substantially reduce inference
cost without compromising model performance.
Recent studies reveal that GNNs are vulnerable to adversarial attacks [102–106]. An adversarial attack on the graph structure introduces
[Plot: node classification accuracy (GCN, Cora) vs. graph sparsity (%) under a 5% PGD perturbation rate; curves for ARGS (ours), UGS, random pruning, and the baseline, with the identified ARGLT marked.]
Figure 7.1: Comparison of different graph sparsification techniques in accuracy
vs. graph sparsity. ARGS achieves similar accuracy with 35% more sparsity for
the Cora dataset under PGD attack.
unnoticeable perturbations by inserting, deleting, or rewiring edges in the
graph. These perturbations increase the distribution shift between train
and test nodes in the graph, fooling the GNN to misclassify nodes [203] in
the transductive node classification task. To counter these attacks, many
defense techniques have been developed. Some techniques improve the node
classification accuracy of GNNs by cleaning the perturbed graph structure [103, 204–207]; others improve the accuracy by modifying the GNN
architecture [208–210]. Although GLTs demonstrate strong performance
on original benign graph data, their performance in the presence of adversarial structure perturbations remains largely unexplored. Achieving
adversarially robust GLTs (ARGLTs) can enable efficient GNN inference
under adversarial threats.
We address this challenge by first investigating empirically the resilience
of GLTs identified by UGS against different structure perturbation attacks [104,105,211] and showing that they are vulnerable. We then present
ARGS (Adversarially Robust Graph Sparsification), an optimization framework that, given an adversarially perturbed graph, iteratively prunes the
graph adjacency matrix and the GNN model weights to generate an adversarially robust graph lottery ticket (ARGLT) which achieves competitive
node classification accuracy while exhibiting high levels of sparsity.
Adversarial attacks like the projected gradient descent (PGD) attack [103], the meta-learning-based graph attack (MetaAttack) [104], the
projected randomized block coordinate descent (PR-BCD) attack [209],
and the greedy randomized block coordinate descent (GR-BCD) attack [209] poison the graph structure by adding new edges or deleting existing edges, resulting in changes in the properties of the underlying graph.
Our analysis shows that the PGD attack and MetaAttack introduce most
edge modifications around the train nodes [203] while the local structure of
the test nodes is less affected. Moreover, for homophilic graphs, adversarial edges are often introduced between nodes with dissimilar features. In
contrast, for heterophilic graphs, adversarial edges are introduced between
nodes with dissimilar neighborhood structures. We leverage this information to formulate a new loss function that better guides the pruning of
the adversarial edges in the graph and the GNN weights. Additionally,
we use self-learning to train the pruned GNNs on sparse graph structures,
which improves the classification accuracy of the GLTs. To the best of our
knowledge, this is the first study on the adversarial robustness of GLTs.
Our proposal is evaluated across various GNN architectures on both
homophilic (Cora, Citeseer, PubMed, OGBN-ArXiv, OGBN-Products) and
heterophilic (Chameleon, Squirrel) graphs attacked by the PGD attack,
MetaAttack, the PR-BCD attack [209], and the GR-BCD attack for the
node classification task. In the case of homophilic graphs, connected nodes generally have similar features and often belong to the same class, while in heterophilic graphs, linked nodes have dissimilar features and belong to different classes. We also evaluate the proposed technique under adaptive attacks.
By iteratively applying ARGS, ARGLTs can be broadly located across
the 7 graph datasets with substantially reduced inference costs (up to 98%
multiply-and-accumulate savings) and little to no accuracy drop. Figure 7.1
shows that, for node classification on Cora attacked by the PGD attack, our
ARGLT achieves similar accuracy to that of the full models and graphs even
with high graph and model sparsity of 48.68% and 94.53%, respectively.
Compared to the GLTs identified by UGS, our ARGLTs on average achieve
the same accuracy with 2.4× higher graph sparsity and 2.3× higher model
sparsity.
7.2 Background and Related Work
7.2.1 Graph Lottery Ticket Hypothesis
The lottery ticket hypothesis (LTH) [212] conjectures that there exist small
sub-networks, dubbed lottery tickets (LTs), within a dense, randomly initialized neural network, that can be trained in isolation to achieve comparable accuracy to their dense counterparts. UGS made it possible to extend
the LTH to GNNs [202], showing the existence of GLTs that can make GNN
inference efficient. A GNN sub-network along with a sparse input graph is
defined as a GLT if the sub-network with the original initialization trained
on the sparsified graph has a matching test accuracy to the original unpruned GNN trained on the full graph. Specifically, during training, UGS
applies two differentiable binary mask tensors to the adjacency matrix and
the GNN model weights, respectively. After training, the lowest-magnitude
elements are removed and the corresponding mask location is updated to
0, eliminating the low-scored edges and weights from the adjacency matrix and the GNN, respectively. The sparse GNN weight parameters are
then rewound to their original initialization. To identify the GLTs, the
UGS algorithm is applied in an iterative fashion until pre-defined graph
and weight sparsity levels are reached. Experimental results show that
UGS can significantly trim down the inference computational cost without
compromising predictive accuracy. In this work, we aim to find GLTs for
datasets that have been adversarially perturbed. When we apply the UGS
algorithm directly to the perturbed graphs, the accuracy of the GLTs is substantially lower than that of their clean counterparts, calling for new methods to find adversarially robust GLTs.
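The mask-prune-rewind loop of UGS described above can be sketched in a few lines of NumPy. The pruning fractions, tensor shapes, and the use of random scores as stand-ins for the trained mask magnitudes are all illustrative assumptions.

```python
import numpy as np

def prune_lowest(mask, scores, fraction):
    """Zero out the lowest-magnitude fraction of the surviving mask entries."""
    mask = mask.copy()
    alive = np.flatnonzero(mask)
    n_prune = int(len(alive) * fraction)
    order = alive[np.argsort(np.abs(scores.flat[alive]))]
    mask.flat[order[:n_prune]] = 0.0
    return mask

rng = np.random.default_rng(0)
theta_init = rng.normal(size=(4, 4))          # original weight initialization
adj_mask = np.ones((5, 5))                    # mask on the adjacency matrix
theta_mask = np.ones((4, 4))                  # mask on the model weights

# After training, the learned mask magnitudes act as importance scores;
# random scores stand in for them here.
adj_scores, theta_scores = rng.normal(size=(5, 5)), rng.normal(size=(4, 4))
adj_mask = prune_lowest(adj_mask, adj_scores, fraction=0.05)    # prune 5% of edges
theta_mask = prune_lowest(theta_mask, theta_scores, fraction=0.20)  # prune 20% of weights
theta = theta_mask * theta_init               # rewind weights, keep the mask
print(int(adj_mask.sum()), int(theta_mask.sum()))  # 24 13
```

Iterating this loop (train, prune, rewind) until the target sparsity levels are reached is what yields a GLT candidate; ARGS replaces the training loss that produces the scores, not this outer loop.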
7.2.2 Adversarial Attacks on Graphs
Adversarial attacks on graphs can be classified as poisoning attacks, perturbing the graph at train time, and evasion attacks, perturbing the graph
at test time. Both poisoning and evasion attacks can be targeted or global
attacks [211]. A targeted attack deceives the model to misclassify a specific node [34, 213]. A global attack degrades the overall performance of
the model [103, 104]. Depending on the amount of information available,
the existing attacks can be categorized into white-box attacks, gray-box
attacks, and black-box attacks [34, 214]. An attacker can modify the node
features, the discrete graph structure, or both. Different attacks show that
structure perturbation is often more effective when compared to modifying
the node features [215]. Examples of global poisoning attacks include the
MetaAttack [104], PGD attack [103], PR-BCD attack [209], and GR-BCD
attack [209]. Gradient-based attacks like PGD and MetaAttack treat the
adjacency matrix as a parameter tensor and modify it via scaled gradient-based perturbations that aim to maximize the loss, thus degrading the GNN prediction accuracy. PR-BCD and GR-BCD [209] are
more scalable first-order optimization attacks that can scale up to large
datasets like OGBN-ArXiv and OGBN-Products [216], respectively. Global
poisoning attacks are highly effective in reducing the classification accuracy
of different GNNs and are typically more challenging to counter since they
modify the graph structure before training [215]. Therefore, we consider
global graph structure poisoning attacks.
7.2.3 Defenses on Graphs
Several approaches have been developed to combat adversarial attacks on
graphs [103, 204–206, 208, 210, 217, 218]. Many of these techniques try to
improve the classification accuracy by preprocessing the graph structure,
i.e., they detect the potential adversarial edges and assign lower weights to
these edges, or even remove them. Jaccard-GCN [103] removes all the edges
between nodes whose features exhibit a Jaccard similarity below a certain
threshold. SVD-GCN [204] replaces the adjacency matrix with a low-rank
approximation since many real-world graphs are low-rank and attacks tend
to disproportionately affect the high-frequency spectrum of the adjacency
matrix. ProGNN [205] leverages low rank, sparsity, and feature smoothness properties of graphs to clean the perturbed adjacency matrix. GARNET [206] combines spectral graph embedding with probabilistic graphical
models to recover the original graph topology from the perturbed graph.
GNNGuard [208] learns weights for the edges in each message-passing aggregation via cosine similarity and penalizes the adversarial edges either by filtering them out or by assigning less weight to them. STABLE [219] preprocesses the graph structure by leveraging unsupervised learning. Instead of using the node features like the above-mentioned techniques, STABLE
uses contrastive learning to learn new node representations which are then
used for refining the graph structure. Other techniques try to improve the
GNN performance by enhancing model training through data augmentation [219, 220], adversarial training [103], self-learning [203], robust aggregate functions [209, 219], or by developing novel GNN layers [210].
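The feature-similarity preprocessing described above, in the spirit of Jaccard-GCN, can be sketched as follows. The threshold value and the example graph are hypothetical illustrations.

```python
def jaccard(f1, f2):
    """Jaccard similarity of two binary feature sets (indices of nonzeros)."""
    a, b = set(f1), set(f2)
    return len(a & b) / len(a | b) if a | b else 1.0

def filter_edges(edges, features, threshold):
    """Drop edges between nodes whose feature Jaccard similarity falls
    below the threshold (in the spirit of Jaccard-GCN [103])."""
    return [(u, v) for u, v in edges
            if jaccard(features[u], features[v]) >= threshold]

# Hypothetical graph: node -> indices of its nonzero (binary) features
features = {0: [1, 2, 3], 1: [2, 3, 4], 2: [7, 8]}
edges = [(0, 1), (0, 2)]            # (0, 2) looks adversarial: no overlap
print(filter_edges(edges, features, threshold=0.1))  # [(0, 1)]
```

This kind of preprocessing exploits the homophily assumption: on homophilic graphs, adversarial edges tend to connect feature-dissimilar nodes, so a low-similarity edge is a likely perturbation.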
Differently from the approaches above, GCN-LFR [221], a spectral-based method, leverages the fact that some low-frequency components in
the graph spectrum are more robust to edge perturbations and regularizes the training process of a given GCN with robust information from an
auxiliary regularization network to improve the adversarial performance of
GCNs. Overall, graph preprocessing tends to remove only a small fraction
of edges from the adjacency matrix. Additionally, none of these defenses reduce the number of parameters in the GNN model, resulting in unchanged
computational footprints. We instead aim to improve the robustness of
sparse GNNs with sparse adjacency matrices to achieve computation efficiency. As robustness generally requires more non-zero parameters, yielding
parameter-efficient robust GLTs remains a challenge.
7.3 Methodology
Notations. Let $G = \{V, E\}$ represent an undirected graph with $|V|$ nodes and $|E|$ edges. The topology of the graph can be represented with an adjacency matrix $A \in \mathbb{R}^{|V| \times |V|}$, where $A_{ij} = 1$ if there is an edge $e_{i,j} \in E$ between nodes $v_i$ and $v_j$, and $A_{ij} = 0$ otherwise. Each node $v_i \in V$ has an attribute feature vector $x_i \in \mathbb{R}^{F}$, where $F$ is the number of node features. Let $X \in \mathbb{R}^{|V| \times F}$ and $Y \in \mathbb{R}^{|V| \times C}$ denote the feature matrix and the labels of all nodes in the graph, respectively. In this work, we will also represent a graph as a pair $\{A, X\}$. In a message-passing GNN, the representation of a node $v_i$ is iteratively updated by aggregating and transforming the representations of its neighbors. As an example, a two-layer GCN [39] can be specified as
$$Z = f(\{A, X\}, \Theta) = S(\hat{A}\,\sigma(\hat{A} X W_0)\, W_1), \qquad (7.1)$$
where $Z$ is the prediction, $\Theta = (W_0, W_1)$ are the weights, $\sigma(\cdot)$ is the activation function, e.g., a rectified linear unit (ReLU), $S(\cdot)$ is the softmax function, $\hat{A} = \tilde{D}^{-\frac{1}{2}}(A + I)\tilde{D}^{-\frac{1}{2}}$ is the normalized adjacency matrix with self-loops, and $\tilde{D}$ is the degree matrix of $A + I$. We consider the transductive semi-supervised node classification (SSNC) task, for which the cross-entropy (CE) loss over the labeled nodes is given by
$$\mathcal{L}_0(f(\{A, X\}, \Theta)) = -\sum_{l \in \mathcal{Y}_{TL}} \sum_{j=1}^{C} Y_{lj} \log(Z_{lj}), \qquad (7.2)$$
where $\mathcal{Y}_{TL}$ is the set of train node indices, $C$ is the total number of classes, and $Y_l$ is the one-hot encoded label of node $v_l$.
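To make (7.1) concrete, the following is a minimal NumPy sketch of the normalized adjacency matrix and the two-layer GCN forward pass. This is a toy illustration, not the implementation used in this work; the 3-node graph, layer widths, and random weights are placeholders.

```python
import numpy as np

def normalized_adjacency(A):
    """Compute the self-loop-normalized adjacency of Eq. (7.1):
    Â = D̃^{-1/2} (A + I) D̃^{-1/2}, with D̃ the degree matrix of A + I."""
    A_hat = A + np.eye(A.shape[0])
    d = A_hat.sum(axis=1)                      # degrees of A + I
    D_inv_sqrt = np.diag(1.0 / np.sqrt(d))
    return D_inv_sqrt @ A_hat @ D_inv_sqrt

def softmax(M):
    """Numerically stable row-wise softmax, the S(.) of Eq. (7.1)."""
    e = np.exp(M - M.max(axis=1, keepdims=True))
    return e / e.sum(axis=1, keepdims=True)

def gcn_forward(A, X, W0, W1):
    """Two-layer GCN of Eq. (7.1): Z = S(Â σ(Â X W0) W1), with σ = ReLU."""
    A_hat = normalized_adjacency(A)
    H = np.maximum(A_hat @ X @ W0, 0.0)        # first layer + ReLU
    return softmax(A_hat @ H @ W1)             # second layer + row-wise softmax

# Toy 3-node path graph with F = 2 features and C = 2 classes
A = np.array([[0, 1, 0], [1, 0, 1], [0, 1, 0]], dtype=float)
X = np.array([[1.0, 0.0], [0.0, 1.0], [1.0, 1.0]])
rng = np.random.default_rng(0)
Z = gcn_forward(A, X, rng.normal(size=(2, 4)), rng.normal(size=(4, 2)))
# each row of Z is a probability distribution over the C classes
```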
Graph Lottery Tickets. A GLT consists of a sparsified graph, obtained by pruning some edges in $G$, and a GNN sub-network, with the original initialization, that can be trained to achieve performance comparable to the original GNN trained on the full graph, where performance is measured in terms of test accuracy. Given a GNN $f(\cdot, \Theta)$ and a graph $G = \{A, X\}$, the associated GNN sub-network and the sparsified graph can be represented as $f(\cdot, m_\theta \odot \Theta)$ and $G_s = \{m_g \odot A, X\}$, respectively, where $m_g$ and $m_\theta$ are differentiable masks applied to the adjacency matrix $A$ and the model weights $\Theta$, respectively, and $\odot$ is the element-wise product. UGS [202] finds the two masks $m_g$ and $m_\theta$ by optimizing the loss function $\mathcal{L}_{UGS} = \mathcal{L}_0(f(\{m_g \odot A, X\}, m_\theta \odot \Theta)) + \psi_1 \|m_g\|_1 + \psi_2 \|m_\theta\|_1$, such that the GNN sub-network $f(\cdot, m_\theta \odot \Theta)$, along with the sparsified graph $G_s$, can be trained to a similar accuracy as $f(\cdot, \Theta)$ on $G$. Here, $\psi_1$ and $\psi_2$ are the $\ell_1$ sparsity regularizers of $m_g$ and $m_\theta$.
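As an illustration of the masked objective, the following is a minimal sketch of the UGS loss. The CE value and the $\psi$ coefficients are placeholders; in practice the masks are trained by gradient descent through a differentiable model.

```python
import numpy as np

def ugs_loss(ce_loss, m_g, m_theta, psi1=1e-2, psi2=1e-2):
    """UGS objective: task CE loss on the masked graph/model plus l1 sparsity
    penalties that push the mask entries toward zero (i.e., toward prunable)."""
    return ce_loss + psi1 * np.abs(m_g).sum() + psi2 * np.abs(m_theta).sum()

# Masks start dense (all ones); the l1 terms shrink them during training.
m_g = np.ones((4, 4))        # edge mask, same shape as A
m_theta = np.ones(20)        # weight mask, flattened over Θ
loss = ugs_loss(ce_loss=0.7, m_g=m_g, m_theta=m_theta)
```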
Poisoning Attack on Graphs. In this work, we primarily investigate the robustness of GLTs under global poisoning attacks that modify the structure of the graph. In a poisoning attack, GNNs are trained on a graph that has been maliciously modified by the attacker. The aim of the attacker is to find an optimal perturbed adjacency matrix $A'$ that fools the GNN into making incorrect predictions. This can be formulated as a bi-level optimization problem [34, 104]:
$$\min_{A' \in \Phi(A)} \mathcal{L}_{atk}(f(\{A', X\}, \Theta^*)) \quad \text{s.t.} \quad \Theta^* = \arg\min_{\Theta} \mathcal{L}_0(f(\{A', X\}, \Theta)), \qquad (7.3)$$
Figure 7.2: Classification accuracy of GLTs generated using UGS for the Cora and Citeseer datasets attacked by the PGD attack and MetaAttack (perturbation rates of 5% and 20%). The baseline refers to the accuracy on the clean graph.
where $\Phi(A)$ is the set of adjacency matrices that satisfy the constraint $\frac{\|A' - A\|_0}{\|A\|_0} \leq \Delta$, $\mathcal{L}_{atk}$ is the attack loss function, $\Delta$ is the perturbation rate, and $\Theta^*$ is the optimal parameter for the GNN on the perturbed graph.
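The budget constraint defining $\Phi(A)$ can be sketched directly; this is an illustrative check on dense NumPy matrices, not part of any attack implementation referenced above.

```python
import numpy as np

def within_budget(A, A_pert, delta):
    """Check the constraint of Eq. (7.3): ||A' - A||_0 / ||A||_0 <= Delta,
    i.e., the number of flipped adjacency entries relative to the edge count."""
    changed = np.count_nonzero(A_pert != A)
    return changed / np.count_nonzero(A) <= delta

# Undirected 3-node path graph: nnz(A) = 4 (two symmetric edges).
A = np.zeros((3, 3))
A[0, 1] = A[1, 0] = 1
A[1, 2] = A[2, 1] = 1
A_pert = A.copy()
A_pert[0, 2] = A_pert[2, 0] = 1   # attacker inserts one undirected edge
```

Inserting one undirected edge flips two entries of the symmetric matrix, so the perturbation ratio here is $2/4 = 0.5$.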
7.3.1 UGS Analysis Under Adversarial Attacks
We perform MetaAttack [104] and the PGD attack [103] on the Cora
and Citeseer datasets with different perturbation rates. We use the same
setup as [141], [208], and [105] for performing the poisoning attacks on the
datasets. Then, we apply UGS on these perturbed graphs to find the GLTs.
As shown in Figure 7.2, the classification accuracy of the GLTs identified by UGS is lower than the clean-graph accuracy, and the difference increases substantially as the perturbation rate increases. For example, under the PGD attack at 30% graph sparsity, the accuracy drop is 6% at a 5% perturbation rate and grows to 25% at a 20% perturbation rate. Moreover, at a 20% perturbation rate, even with 0% sparsity, the accuracy of the GNN is around 20% lower than the clean-graph accuracy. While UGS removes edges from the perturbed adjacency matrix, as shown in Figure 7.2, it may not effectively remove the adversarially perturbed edges. A naïve application of UGS may therefore not be sufficient to improve the adversarial robustness of the GLTs. Consequently, there is a need for an adversarially robust UGS technique that can efficiently remove the edges affected by adversarial perturbations while pruning the adjacency matrix and the associated GNN, along with improved adversarial training, providing the dual benefits of improved robustness and inference efficiency.
7.3.2 Analyzing the Impact of Adversarial Attacks on
Graph Properties
Figure 7.3: Impact of adversarial attacks on graph properties. (a), (b) Density distribution of the attribute feature differences of connected nodes in perturbed homophilic (Citeseer) and heterophilic (Chameleon) graphs, for normal versus adversarial edges. (c) Density distribution of the positional feature differences of connected nodes in perturbed heterophilic graphs (Chameleon).
Adversarial attacks like MetaAttack, PGD, PR-BCD, and GR-BCD poison the graph structure by either introducing new edges or deleting existing edges, resulting in changes to the original graph properties. We analyze the difference in the attribute features of the nodes that are connected by clean and adversarial edges. Figures 7.3a and 7.3b depict the density distribution of the attribute feature difference of connected nodes in homophilic and heterophilic graph datasets attacked by the PGD attack. In homophilic graphs, the attack tends to connect nodes with large attribute feature differences. A defense technique can potentially leverage this information to differentiate between benign and adversarial edges in the graph [?]. However, this is not the case for heterophilic graphs [?]. We resort, instead, to the positional features of the nodes, obtained using positional encoding techniques like DeepWalk [222]. Interestingly, as we observe from Figure 7.3c, in heterophilic graphs, attacks tend to connect nodes with large positional feature differences. ARGS uses these graph properties to iteratively prune the adversarial edges from homophilic and heterophilic graphs.
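The analysis above can be sketched as follows: given the clean and perturbed adjacency matrices, split the edges of the perturbed graph into normal and adversarial and collect the per-edge feature difference for each group. This is a minimal illustration under the assumption that the clean graph is available for comparison (as it is in this offline analysis); the $\ell_1$ distance is used as one possible difference measure.

```python
import numpy as np

def edge_feature_differences(A_clean, A_pert, X):
    """Split the edges of the perturbed graph into normal (also present in the
    clean graph) and adversarial (inserted by the attack), and return the
    attribute feature difference ||x_i - x_j||_1 for each group. Only the
    upper triangle is scanned since the graph is undirected."""
    normal, adversarial = [], []
    n = A_pert.shape[0]
    for i in range(n):
        for j in range(i + 1, n):
            if A_pert[i, j] == 1:
                diff = np.abs(X[i] - X[j]).sum()
                (normal if A_clean[i, j] == 1 else adversarial).append(diff)
    return np.array(normal), np.array(adversarial)

# Clean graph has edge (0,1); the attack adds edge (0,2).
A_clean = np.array([[0, 1, 0], [1, 0, 0], [0, 0, 0]])
A_pert = np.array([[0, 1, 1], [1, 0, 0], [1, 0, 0]])
X = np.array([[0.0, 0.0], [1.0, 1.0], [5.0, 5.0]])
normal, adversarial = edge_feature_differences(A_clean, A_pert, X)
```

The density distributions in Figure 7.3 are histograms of exactly such per-edge difference values.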
7.3.3 Adversarially Robust Graph Sparsification
We present ARGS, a sparsification technique that simultaneously reduces
edges in G and GNN parameters in Θ under adversarial attack conditions
to effectively accelerate GNN inference yet maintain robust classification
accuracy. ARGS reformulates the loss function to include (a) a CE loss
term on the train nodes, (b) a CE loss term on a set of test nodes, and (c)
a square loss term on all edges. Pruning the edges based on this combined
loss function results in the removal of adversarial as well as less-important
non-adversarial edges from the graph.
Removing Edges Around Train Nodes. Poisoning attacks like MetaAttack and the PGD attack tend to modify the local structure around the train nodes more than that around the test nodes [203]. Specifically, a large portion of the modifications is introduced to the edges connecting a train node to a test node or a train node to another train node. We include a CE loss term associated with the train nodes, as defined in (7.2), in our objective function to account for the edges surrounding the train nodes. These edges include both adversarial and non-adversarial edges.
Removing Adversarial Edges. In numerous application domains, including social graphs, web page graphs, and citation graphs, connected nodes exhibit similar attribute features in homophilic graphs, while they still share similar positional features in heterophilic graphs [39, 219, 223]. On the other hand, as shown in Figure 7.3, adversarial attacks tend to connect nodes with distinct attribute features in homophilic graphs and distinct
Figure 7.4: Evolution of the number of adversarial edges in the Cora dataset (attacked by PGD, 20% perturbation) over pruning iterations as ARGS prunes the graph. Train-Train edges connect two nodes from the train set. Train-Test edges connect a node from the train set with one from the test set. Test-Test edges connect two nodes from the test set.
positional features in heterophilic graphs. Therefore, we help remove adversarial edges and encourage feature smoothness by including the following loss in our objective function for homophilic graphs:
$$\mathcal{L}_{fs}(A', X) = \frac{1}{2}\sum_{i,j=1}^{|V|} A'_{ij}\,(x_i - x_j)^2, \qquad (7.4)$$
where $A'$ is the perturbed adjacency matrix and $(x_i - x_j)^2$ measures the attribute feature difference. For heterophilic graphs, we introduce instead the following loss term:
$$\mathcal{L}_{fs}(A') = \frac{1}{2}\sum_{i,j=1}^{|V|} A'_{ij}\,(y_i - y_j)^2, \qquad (7.5)$$
where $y_i, y_j \in \mathbb{R}^{P}$ are the positional features of nodes $i$ and $j$, obtained by running the DeepWalk algorithm [222] on the input graph $G$, $P$ is the number of node positional features, and $(y_i - y_j)^2$ measures the positional feature distance.
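The smoothness losses (7.4) and (7.5) share the same form and differ only in which feature matrix is plugged in. A vectorized NumPy sketch (illustrative; the actual training uses differentiable masked adjacency matrices):

```python
import numpy as np

def feature_smoothness_loss(A, F):
    """Eq. (7.4)/(7.5): (1/2) * sum_{i,j} A_ij * ||f_i - f_j||^2, where the rows
    of F are attribute features (homophilic case, Eq. 7.4) or DeepWalk
    positional features (heterophilic case, Eq. 7.5)."""
    # Pairwise squared distances via ||f_i||^2 + ||f_j||^2 - 2 f_i . f_j
    sq = (F ** 2).sum(axis=1)
    D = sq[:, None] + sq[None, :] - 2.0 * F @ F.T
    return 0.5 * (A * D).sum()

# Two connected nodes with orthogonal unit features: ||f_0 - f_1||^2 = 2,
# counted once per direction in the symmetric adjacency.
A = np.array([[0, 1], [1, 0]], dtype=float)
F = np.array([[1.0, 0.0], [0.0, 1.0]])
loss = feature_smoothness_loss(A, F)
```

A large loss indicates many edges joining dissimilar nodes, which is exactly the signature of adversarial edges that ARGS penalizes.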
Removing Edges Around Test Nodes. Removal of edges tends to be random in the later iterations of UGS [224], since only a fraction of the edges in $G$ is related to the train nodes and directly impacts the corresponding CE loss. To better guide the edge removal around the test nodes, we also introduce a CE loss term for these nodes. However, the labels of the test nodes are unknown. We can then leverage the fact that structure poisoning attacks modify only the structure surrounding the train nodes, while node features and labels remain clean. Therefore, we first train a simple two-layer multilayer perceptron (MLP) on the train nodes; MLPs only use the node features for training. We then use the trained MLP to predict the labels of the test nodes. We call these labels pseudo-labels. Finally, we use the test nodes for which the MLP has high prediction confidence to compute the test-node CE loss term. Let $\mathcal{Y}_{PL}$ be the set of test nodes for which the MLP prediction confidence is high and $Y^{mlp}$ be the prediction of the MLP. The CE loss is given by
$$\mathcal{L}_1(f(\{A', X\}, \Theta)) = -\sum_{l \in \mathcal{Y}_{PL}} \sum_{j=1}^{C} Y^{mlp}_{lj} \log(Z_{lj}). \qquad (7.6)$$
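The pseudo-label selection and the loss of (7.6) can be sketched as follows. The confidence threshold `tau` is an illustrative assumption (the text only requires "high prediction confidence"), and the MLP/GNN probability matrices are placeholders.

```python
import numpy as np

def pseudo_label_ce(probs_mlp, probs_gnn, test_idx, tau=0.9):
    """CE loss of Eq. (7.6): keep the test nodes whose MLP confidence exceeds
    tau (the set Y_PL), use the MLP argmax as the one-hot pseudo-label, and sum
    the cross-entropy of the GNN prediction against those pseudo-labels."""
    test_idx = np.array(test_idx)
    conf = probs_mlp[test_idx].max(axis=1)
    keep = test_idx[conf > tau]                    # Y_PL
    labels = probs_mlp[keep].argmax(axis=1)        # pseudo-labels
    ce = -np.log(probs_gnn[keep, labels] + 1e-12).sum()
    return ce, keep

# Three test nodes, two classes; node 1 is below the confidence threshold.
probs_mlp = np.array([[0.95, 0.05], [0.60, 0.40], [0.99, 0.01]])
probs_gnn = np.array([[0.50, 0.50], [0.70, 0.30], [0.25, 0.75]])
ce, keep = pseudo_label_ce(probs_mlp, probs_gnn, test_idx=[0, 1, 2])
```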
In summary, the complete loss function that ARGS optimizes is
$$\mathcal{L}_{ARGS} = \alpha \mathcal{L}_0(f(\{m_g \odot A', X\}, m_\theta \odot \Theta)) + \beta \mathcal{L}_{fs}(m_g \odot A', X) + \gamma \mathcal{L}_1(f(\{m_g \odot A', X\}, m_\theta \odot \Theta)) + \lambda_1 \|m_g\|_1 + \lambda_2 \|m_\theta\|_1, \qquad (7.7)$$
where $\beta$, $\lambda_1$, and $\lambda_2$ are hyperparameters and the values of $\alpha$ and $\gamma$ are set to 1. $\lambda_1$ and $\lambda_2$ are the $\ell_1$ regularizers of $m_g$ and $m_\theta$, respectively. After the training is complete, the lowest percentage $p_g$ of the elements of $m_g$ and the lowest percentage $p_\theta$ of the elements of $m_\theta$ are set to 0. Then, the updated masks are applied to prune $A$ and $\Theta$, and the weights of the GNN are rewound to their original
Algorithm 7 Adversarially Robust Graph Sparsification
Input: Graph $G = \{A, X\}$; GNN $f(G, \Theta_0)$ with initialization $\Theta_0$; sparsity levels $s_g$ for the graph and $s_\theta$ for the GNN; initial masks $m_g = A$, $m_\theta = 1 \in \mathbb{R}^{\|\Theta_0\|_0}$
Output: Final masks $m_g$, $m_\theta$
1: while $\left(1 - \frac{\|m_g\|_0}{\|A\|_0}\right) < s_g$ and $\left(1 - \frac{\|m_\theta\|_0}{\|\Theta\|_0}\right) < s_\theta$ do
2:   $m_g^{(0)} = m_g$, $m_\theta^{(0)} = m_\theta$, $\Theta^{(0)} = \{W_0^{(0)}, W_1^{(0)}\}$
3:   for $t = 0, 1, 2, \ldots, T-1$ do
4:     Input $G = \{m_g^t \odot A, X\}$ to $f(\cdot, m_\theta^t \odot \Theta^t)$ to compute the loss $\mathcal{L}_{ARGS}$ in equation (7.7)
5:     $\Theta^{t+1} \leftarrow \Theta^t - \mu \nabla_{\Theta^t} \mathcal{L}_{ARGS}$
6:     $m_g^{t+1} \leftarrow m_g^t - \omega_g \nabla_{m_g^t} \mathcal{L}_{ARGS}$
7:     $m_\theta^{t+1} \leftarrow m_\theta^t - \omega_\theta \nabla_{m_\theta^t} \mathcal{L}_{ARGS}$
8:   $m_g = m_g^{T-1}$, $m_\theta = m_\theta^{T-1}$
9:   Set the percentage $p_g$ of the lowest-scored values in $m_g$ to 0 and set the others to 1
10:  Set the percentage $p_\theta$ of the lowest-scored values in $m_\theta$ to 0 and set the others to 1
initialization value to generate the ARGLT. We apply these steps iteratively until we reach the desired sparsity levels $s_g$ and $s_\theta$. Algorithm 7 illustrates our iterative pruning process, where $\|\cdot\|_0$ is the $L_0$ norm, counting the number of non-zero elements. As shown in Figure 7.4 for the Cora dataset attacked by the PGD attack with 20% perturbation, most of the adversarial perturbation edges are between train and test nodes [203]. Moreover, our proposed sparsification technique successfully removes many of the adversarial edges. In particular, after applying our technique for 20 iterations, where each iteration removes 5% of the graph edges, the number of train-train, train-test, and test-test adversarial edges is reduced by 68.13%, 47.3%, and 14.3%, respectively.
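The mask-pruning step of Algorithm 7 (lines 9-10) can be sketched as follows. As an assumption for this illustration, the lowest-scored fraction is taken among the currently non-zero entries, so that repeated rounds keep shrinking the mask.

```python
import numpy as np

def prune_mask(mask, fraction):
    """One pruning step of Algorithm 7 (lines 9-10): zero out the lowest-scored
    `fraction` of the currently non-zero mask entries, then binarize the
    surviving entries to 1."""
    flat = mask.flatten()                           # works on a copy
    nonzero = np.flatnonzero(flat)
    k = int(len(nonzero) * fraction)
    if k > 0:
        drop = nonzero[np.argsort(flat[nonzero])[:k]]   # smallest scores first
        flat[drop] = 0.0
    flat[flat > 0] = 1.0                            # re-binarize survivors
    return flat.reshape(mask.shape)

# Four learned mask scores; pruning 25% drops the single lowest entry (0.1).
m_g = np.array([[0.9, 0.1], [0.5, 0.3]])
m_g = prune_mask(m_g, fraction=0.25)
```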
Training Sparse ARGLTs. Structure poisoning attacks do not modify the labels of the nodes. In the case of attacks like PGD and MetaAttack, the locality structure of the test nodes is less contaminated [203], implying that the train node labels and the local structure of the test nodes contain relatively "clean" information. We leverage this insight and train the GNN sub-network using both train and test nodes, with a CE loss term for each: $\mathcal{L}_0$ for the train nodes and $\mathcal{L}_1$ for the test nodes. Since the true labels of the test nodes are not available, we train an MLP on the train nodes and then use it to predict the labels of the test nodes [203, 225]. To compute the CE loss, we use only those test nodes for which the MLP has high prediction confidence. The loss function used for training the sparse GNN on the sparse adjacency matrix generated by ARGS is
$$\min_{\Theta}\; \eta \mathcal{L}_0(f(\{m_g \odot A', X\}, m_\theta \odot \Theta)) + \zeta \mathcal{L}_1(f(\{m_g \odot A', X\}, m_\theta \odot \Theta)), \qquad (7.8)$$
where $m_\theta$ and $m_g$ are the masks computed by ARGS, which are kept fixed throughout training, and $\eta$ is set to 1. In the early pruning iterations, when graph sparsity is low, the test nodes are more useful for improving the adversarial performance of the model, because the localities of the train nodes are adversarially perturbed and there exist distribution shifts between the train and test nodes. However, as the graph sparsity increases, adversarial edges associated with the train nodes are gradually removed by ARGS, thus reducing the distribution shift and making the contribution of the train nodes more important in the adversarial training.
7.4 Evaluation
7.4.1 Evaluation Setup
We evaluate the effectiveness of ARGS and the existence of ARGLTs across diverse datasets and GNN models under different adversarial attacks and perturbation rates. In particular, we evaluate our sparsification method on both homophilic and heterophilic graph datasets attacked by two structure poisoning attacks, namely, PGD [103] and MetaAttack [104]. We consider three different GNN models, namely, graph convolutional networks (GCNs) [39], graph isomorphism networks (GINs) [141], and graph attention networks (GATs) [99]. We also evaluate ARGS on large datasets, namely, OGBN-ArXiv and OGBN-Products [216], attacked by the PR-BCD and GR-BCD attacks, respectively, for the DeeperGCN model. Finally, we evaluate the robustness of ARGS against adaptive attacks [105]. We use DeepRobust, an adversarial attack library [226], to perform the PGD attack and MetaAttack and generate the perturbed graph adjacency matrix $A'$. When performing these attacks, we use surrogate models of the same type and architecture as the GNN model being attacked. For example, when attacking ARGS with a 2-layer GCN as the GNN model, the surrogate model is also a 2-layer GCN. We use PyTorch Geometric [148] to perform the PR-BCD and GR-BCD attacks on the OGBN-ArXiv and OGBN-Products datasets, respectively. We compare our method with UGS [202], random pruning, and other state-of-the-art adversarial defense methods, namely, STRG [203], GARNET [206], GNNGuard [208], ProGNN [106], and Soft Median [209]. Only the UGS and random pruning techniques prune both the graph adjacency matrix and the GNN model parameters; no other existing defense technique prunes the GNN model parameters. For a fair comparison, we set $p_g = 5\%$ and $p_\theta = 20\%$, similarly to the parameters used by UGS.
7.4.2 Dataset Details
We use seven different benchmark datasets, namely, Cora, Citeseer, PubMed, OGBN-ArXiv, OGBN-Products, Chameleon, and Squirrel, to evaluate the efficacy of ARGS in finding ARGLTs. Details about the benchmark datasets are summarized in Table 7.1. In the case of Cora, Citeseer, and PubMed, 10% of the data constitutes the train set and 10% the validation set, while the remaining 80% forms the test set. For Chameleon and Squirrel [39], we keep the same data split setting as [227]. For OGBN-ArXiv and OGBN-Products, we follow the data split setting of the Open Graph Benchmark (OGB) [216].
Table 7.1: Details on the datasets.
Datasets Type #Nodes #Edges Classes Features
Cora Homophilic 2485 5069 7 1433
Citeseer Homophilic 2110 3668 6 3703
PubMed Homophilic 19717 44338 3 500
OGBN-ArXiv Homophilic 169,343 1,166,243 40 128
OGBN-Products Homophilic 2,449,029 61,859,140 47 100
Chameleon Heterophilic 2277 62792 5 2325
Squirrel Heterophilic 5201 396846 5 2089
7.4.3 Implementation Details
For a fair comparison, we follow the setup used by UGS as our default setting [202]. For Cora, Citeseer, and PubMed, we conduct all our experiments on two-layer GCN, GIN, and GAT networks with 512 hidden units. The graph sparsity $p_g$ and model sparsity $p_\theta$ are 5% and 20% unless otherwise stated. The value of $\beta$ is chosen from $\{0.01, 0.1, 1, 10\}$, while the values of $\alpha$, $\gamma$, $\eta$, and $\zeta$ are 1 by default. We use the Adam optimizer for training the GNNs. In each pruning round, the number of epochs to update the masks is 200 by default, using early stopping. The 2-layer MLP used for predicting the pseudo-labels of the test nodes has a hidden dimension of 1024 by default, unless otherwise mentioned. We use DeepRobust, an adversarial attack library [226], to implement the PGD attack and MetaAttack on the different datasets. We use PyTorch Geometric [148] to perform the PR-BCD and GR-BCD attacks on the OGBN-ArXiv and OGBN-Products datasets, respectively. All the experiments are conducted on an NVIDIA Tesla A100 (80GB) GPU.
For GCN, the values of $\lambda_1$ and $\lambda_2$ are $10^{-2}$ and $10^{-2}$ for Cora and Citeseer, while for PubMed they are $10^{-6}$ and $10^{-3}$, respectively. The learning rate is $8 \times 10^{-3}$ and the weight decay is $8 \times 10^{-5}$ for the Cora dataset. For Citeseer and PubMed, the learning rate is $10^{-2}$ and the weight decay is $5 \times 10^{-4}$. For the different datasets, we use a dropout of 0.5.
In the case of GIN, for the Cora dataset, the learning rate is $8 \times 10^{-3}$, the weight decay is $8 \times 10^{-5}$, $\lambda_1$ is $10^{-3}$, and $\lambda_2$ is $10^{-3}$. For Citeseer, the learning rate is $10^{-2}$, the weight decay is $5 \times 10^{-4}$, $\lambda_1$ is $10^{-5}$, and $\lambda_2$ is $10^{-5}$.
For GAT, in the case of the Cora dataset, the learning rate is $8 \times 10^{-3}$, the weight decay is $8 \times 10^{-5}$, $\lambda_1$ is $10^{-3}$, $\lambda_2$ is $10^{-3}$, and the dropout is 0.6. Finally, for the Citeseer dataset, the learning rate is $10^{-2}$, the weight decay is $5 \times 10^{-4}$, $\lambda_1$ is $10^{-5}$, $\lambda_2$ is $10^{-5}$, and the dropout is 0.6.
We use DeeperGCN models for the OGBN-ArXiv and OGBN-Products datasets: a 28-layer DeeperGCN model for OGBN-ArXiv and a 14-layer DeeperGCN model for OGBN-Products. For OGBN-ArXiv, the learning rate is $10^{-2}$, $\lambda_1$ is $10^{-6}$, and $\lambda_2$ is $10^{-6}$. For OGBN-Products, the learning rate is $10^{-3}$, $\lambda_1$ is $10^{-4}$, and $\lambda_2$ is $10^{-6}$. The dropout is 0.5 for both datasets. In the case of heterophilic graphs, we use GPRGNN as the backbone GNN. For the Chameleon dataset, the learning rate is $5 \times 10^{-2}$, $\lambda_1$ is $10^{-3}$, $\lambda_2$ is $10^{-3}$, and the dropout is 0.4. For the Squirrel dataset, the learning rate is $5 \times 10^{-2}$, $\lambda_1$ is $10^{-6}$, $\lambda_2$ is $10^{-2}$, and the dropout is 0.4.
Figure 7.5: Node classification performance versus graph sparsity levels and inference MACs for the GCN, GIN, and GAT architectures on the Cora and Citeseer datasets attacked by PGD and MetaAttack (20% perturbation rate), respectively, comparing ARGS, UGS, and random pruning. Red stars ⋆ indicate the ARGLTs. Dashed black lines represent the performance of STRG, an adversarial defense technique.
7.4.4 Defense on Homophilic Graphs
We first evaluate the performance of ARGS on homophilic graphs against the PGD attack and MetaAttack. We consider three different backbones, namely, graph convolutional networks (GCNs) [39], graph isomorphism networks (GINs) [141], and graph attention networks (GATs) [99]. Figure 7.5 shows the results for the GCN, GIN, and GAT architectures on the Cora and Citeseer datasets attacked by PGD and MetaAttack, respectively, where the accuracy of each ARGLT is averaged across 5 runs. ARGLTs with graph sparsity ranging from 30% to 60% and performance similar to the STRG baseline can be identified across the different GNN backbones. The ARGLTs significantly reduce the inference MACs for GCN, GIN, and GAT by ∼95%, ∼97%, and ∼83%, respectively, for the Cora dataset. For the Citeseer dataset, the inference MACs are reduced by ∼98% for all the backbone GNNs.
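To give a sense of where the MAC savings come from, the following is a rough, illustrative cost model for a GCN with a sparse adjacency matrix and dense weights; it is not the exact MAC counter used in this evaluation, and the layer-cost decomposition is an assumption of this sketch.

```python
def gcn_inference_macs(num_nodes, nnz_adj, dims):
    """Rough MAC estimate for GCN inference: each layer costs |V|*d_in*d_out
    for the dense feature transform X W, plus nnz(Â)*d_out for the sparse
    aggregation Â(XW). `dims` lists the layer widths, e.g., [F, H, C].
    Pruning edges shrinks nnz_adj; pruning weights shrinks the dense term."""
    macs = 0
    for d_in, d_out in zip(dims[:-1], dims[1:]):
        macs += num_nodes * d_in * d_out + nnz_adj * d_out
    return macs

# Cora-sized example (2485 nodes, 5069 edges, F=1433, H=512, C=7).
full = gcn_inference_macs(2485, 5069, [1433, 512, 7])
```

Because the dense transform dominates, high model sparsity is what drives most of the reported MAC reductions, with graph sparsity trimming the aggregation term.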
Table 7.2: Performance comparison between ARGS and other defense techniques in terms of accuracy and inference MAC count.

               | Cora (PGD attack, 20% perturbation)  | Citeseer (MetaAttack, 20% perturbation)
Model          | Accuracy (%)  | Inference MACs (M)   | Accuracy (%)  | Inference MACs (M)
GCN-ProGNN     | 63.43±0.89    | 1832.14              | 61.02±0.11    | 4006.91
GCN-ARGS       | 77.53±1.15    | 78.78                | 68.97±0.89    | 43.78
GCN-GNNGuard   | 73.19±0.72    | 1948.32              | 71.62±1.01    | 4188.33
GCN-ARGS       | 77.53±1.15    | 78.78                | 71.78±0.58    | 211.77
GCN-GARNET     | 66.66±1.10    | 1684.9               | 72.97±1.20    | 3898.21
GCN-ARGS       | 77.53±1.15    | 78.78                | 73.19±0.78    | 425.81
Comparison with Other Defense Techniques. We compare the performance of ARGS with the defense methods GNNGuard, GARNET, and ProGNN. Differently from ARGS, none of these methods prunes the weights of the GNN model. We compare these methods in terms of accuracy and inference MACs, considering GCN as the backbone. For each baseline, the GLT with maximum graph and model sparsity that achieves accuracy similar to the baseline is identified by ARGS as the ARGLT and reported in Table 7.2. For the Cora dataset, the ARGLT identified by ARGS for the PGD attack (20% perturbation rate) with maximum sparsity levels (model sparsity: 98.9%, graph sparsity: 64.1%) has a classification accuracy of 77.53%. The three defense techniques, namely, ProGNN, GNNGuard, and GARNET, have classification accuracies of 63.43%, 73.19%, and 66.66%, respectively, which are all lower than the classification accuracy of the most sparse ARGLT identified by ARGS. Therefore, when comparing against these defense techniques, we report the performance of the ARGLT with maximum sparsity level in Table 7.2. For the Citeseer dataset attacked by MetaAttack with a 20% perturbation rate, the most sparse ARGLT has a classification accuracy of 70.2%. The defense technique ProGNN has a classification accuracy of 61.02%, which is lower than that of the most sparse ARGLT; hence, we compare it with the most sparse ARGLT. The defense techniques GNNGuard and GARNET have classification accuracies of 71.62% and 72.97%, respectively. In these cases, the GLT with the same classification accuracy as the defense technique is reported in Table 7.2.
Figure 7.6: Node classification performance over achieved graph sparsity levels for GCN on the Cora dataset attacked by the PGD attack and MetaAttack. The perturbation rates are 5%, 10%, and 15%. Red stars ⋆ indicate the ARGLTs, which achieve similar performance with high sparsity. STRG is used as the baseline.
Figure 7.7: Node classification performance over achieved graph sparsity levels for GCN on the Citeseer dataset attacked by the PGD attack and MetaAttack. The perturbation rates are 5%, 10%, and 15%. Red stars ⋆ indicate the ARGLTs, which achieve similar performance with high sparsity. STRG is used as the baseline.
Figure 7.8: Node classification performance over achieved graph sparsity levels for GIN on the Cora dataset attacked by the PGD attack and MetaAttack. The perturbation rates are 5%, 10%, and 15%. Red stars ⋆ indicate the ARGLTs, which achieve similar performance with high sparsity. STRG is used as the baseline.
Figure 7.9: Node classification performance over achieved graph sparsity levels for GIN on the Citeseer dataset attacked by the PGD attack and MetaAttack. The perturbation rates are 5%, 10%, and 15%. Red stars ⋆ indicate the ARGLTs, which achieve similar performance with high sparsity. STRG is used as the baseline.
Figure 7.10: Node classification performance over achieved graph sparsity levels for GAT on the Citeseer dataset attacked by the PGD attack and MetaAttack. The perturbation rates are 5%, 10%, and 15%. Red stars ⋆ indicate the ARGLTs, which achieve similar performance with high sparsity. STRG is used as the baseline.
Figure 7.11: Node classification performance over achieved graph sparsity levels for GCN on the PubMed dataset attacked by the PGD attack and MetaAttack. The perturbation rates are 5%, 10%, 15%, and 20%. Red stars ⋆ indicate the ARGLTs, which achieve similar performance with high sparsity. STRG is used as the baseline.
7.4.5 Defense on Large Graphs
We evaluate the robustness of ARGS on the large-scale datasets OGBN-ArXiv and OGBN-Products. OGBN-ArXiv has 170,000 nodes and 1.16 million edges, while OGBN-Products has 2.5 million nodes and 61 million edges. We use the PR-BCD attack to perturb the OGBN-ArXiv dataset. Attempting the PR-BCD attack on the OGBN-Products dataset resulted in out-of-memory errors, so we instead applied the more scalable GR-BCD attack [209] to OGBN-Products, with a perturbation rate of 50%. The reference GNN model is DeeperGCN [228]. For both the PR-BCD and GR-BCD attacks, the adversarial edges are uniformly distributed among the train and test nodes; hence, we set the value of ζ to 0. Both the PGD attack and MetaAttack run out of memory on these large graphs. Figure 7.12 shows that ARGS with a 28-layer DeeperGCN as the backbone GNN can identify ARGLTs with higher model and graph sparsity than UGS. Here we take GARNET as the baseline. The original GARNET uses a 3-layer GCN as the backbone GNN; for a fair comparison, we also consider GARNET with a 28-layer DeeperGCN as an additional baseline. For the 28-layer DeeperGCN baseline, the model and graph sparsity are 94.50% and 48.67% for the 10% perturbed dataset, and 94.50% and 48.70%, respectively, for the 15% perturbed dataset. Results on the OGBN-Products dataset are reported in Table 7.3. Our baselines include GCN, GARNET, GNNGuard, and Soft Median GDC. For each baseline, the GLT with maximum graph and model sparsity whose accuracy is similar to the baseline's is identified as the ARGLT by ARGS and reported in Table 7.3. Comparing UGS and ARGS, Table 7.3 shows that ARGS can identify lottery tickets with higher graph and model sparsity than UGS.
[Figure 7.12 plot: accuracy (%) versus graph sparsity (%) (top) and inference MACs (M) (bottom) at perturbation rates 10.0% and 15.0%; curves for ARGS, UGS, and the baselines (GARNET with a 3-layer GCN and GARNET with a 28-layer DeeperGCN).]
Figure 7.12: Node classification performance versus graph sparsity levels and inference MACs for DeeperGCN on the OGBN-ArXiv dataset attacked by PR-BCD.
7.4.6 Defense Against Adaptive Attacks
Recently, adaptive attacks [105], which are tailored to specific defense techniques, have been developed to evaluate their robustness. Because all the components in the loss function of ARGS are differentiable, ARGS can be directly attacked by an adaptive attack. Specifically, we evaluate ARGS against a gradient-based adaptive attack, called Meta-PGD [105], which attacks ARGS by unrolling its training procedure. Table 7.4 compares the performance of ARGS under the PGD attack and the adaptive attack, with GCN as the GNN backbone for Cora and CiteSeer. For a 5% perturbation rate, the accuracy of the ARGLT identified by ARGS reduces
Table 7.3: Comparison between ARGLTs identified by ARGS and GLTs identified by UGS in terms of graph sparsity, model sparsity, and inference MACs across different baselines for the OGBN-Products dataset.

Baseline         Accuracy (%)   Graph Sparsity (%)    Model Sparsity (%)    Inference MACs (M)
                                UGS       ARGS        UGS       ARGS        UGS         ARGS
Soft Median GDC  59.23          87.84     87.84       87.89     87.89       75721.5     75727.8
GCN              62.71          83.32     87.84       83.36     87.89       104076.4    75727.8
GNNGuard         63.22          83.32     87.84       83.36     87.89       104076.4    75727.8
GARNET           74.97          19.00     40.95       19.01     40.98       506511.0    369089.2
Table 7.4: ARGS and UGS performance comparison for the PGD attack and an adaptive attack on the Cora, Citeseer, and PubMed datasets. GCN is used as the GNN model. Cells report classification accuracy (%); GS = graph sparsity, MS = model sparsity.

                                      Perturbation Rate 5%        Perturbation Rate 10%
Dataset   Technique  Attack           GS 22.64%    GS 43.16%      GS 22.64%    GS 43.16%
                                      MS 67.60%    MS 91.70%      MS 67.60%    MS 91.70%
Cora      ARGS       PGD Attack       82.04±1.09   80.68±0.85     82.8±0.77    80.18±1.13
                     Adaptive Attack  80.33±1.35   78.77±1.86     79.68±1.35   77.16±0.98
Citeseer  ARGS       PGD Attack       75.32±0.88   74.17±0.56     74.7±0.98    73.53±1.05
                     Adaptive Attack  74.11±1.76   73.16±0.87     72.93±1.87   71.89±1.01
PubMed    ARGS       PGD Attack       85.57±0.07   85.41±0.09     82.72±0.05   83.36±0.10
                     Adaptive Attack  83.09±0.06   83.75±0.09     80.78±0.12   83.04±0.09
by only ∼1.7% for Cora, while for CiteSeer it reduces by only ∼1.5%. For a 10% perturbation rate, the reduction in classification accuracy is ∼2.9% for the Cora dataset and ∼2.5% for the CiteSeer dataset, showing that the performance degradation of ARGS under adaptive attacks is minimal. We also perform the adaptive attack on OGBN-ArXiv; the results are reported in Table 7.5.
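The unrolling idea behind a Meta-PGD-style adaptive attack can be illustrated on a toy problem: train a tiny surrogate with differentiable SGD steps, then ascend the post-training loss with respect to a continuous adjacency perturbation. This is a hedged sketch, not the attack of [105]; the one-layer linear "GNN", the step sizes, and the crude budget projection are all illustrative assumptions.

```python
import torch

torch.manual_seed(0)

# Toy setup: a 1-layer linear "GNN" f(A, X) = A @ X @ W on a 6-node graph.
n, d, c = 6, 4, 2
X = torch.randn(n, d)
y = torch.randint(0, c, (n,))
A = (torch.rand(n, n) < 0.4).float()
A = ((A + A.T) > 0).float()
A.fill_diagonal_(1.0)

def unrolled_train(A_pert, steps=5, lr=0.5):
    """Train the surrogate by differentiable (unrolled) SGD so that
    gradients flow from the final loss back to the adjacency perturbation."""
    W = torch.zeros(d, c, requires_grad=True)
    for _ in range(steps):
        loss = torch.nn.functional.cross_entropy(A_pert @ X @ W, y)
        (g,) = torch.autograd.grad(loss, W, create_graph=True)
        W = W - lr * g  # keep the graph: no .detach(), no optimizer step
    return W

# Continuous perturbation P in [0, 1]; the attacker ascends the loss obtained
# *after* the unrolled training, i.e., attacks the defense's training procedure.
P = torch.zeros(n, n, requires_grad=True)
budget = 2.0  # L1 budget on edge changes
for _ in range(10):
    A_pert = torch.clamp(A + P - 2 * A * P, 0, 1)  # P ~ 1 flips an edge
    W = unrolled_train(A_pert)
    attack_loss = torch.nn.functional.cross_entropy(A_pert @ X @ W, y)
    (gP,) = torch.autograd.grad(attack_loss, P)
    with torch.no_grad():
        P += 0.1 * gP.sign()   # PGD ascent step
        P.clamp_(0, 1)         # box projection
        if P.sum() > budget:   # crude L1 budget projection
            P *= budget / P.sum()

print(f"perturbation mass: {P.sum().item():.2f}")
```

A discrete attack would round the strongest entries of P to edge flips; the sketch stops at the continuous relaxation for brevity.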
7.4.7 Defense on Heterophilic Graphs
We report the classification accuracy of ARGS on heterophilic graphs in Figure 7.13. We use GPRGNN [227] as the GNN model for the heterophilic graph datasets Chameleon and Squirrel [229]. GPRGNN performs better than GCN, GIN, and GAT on heterophilic graphs [206]. We use GARNET
Table 7.5: ARGS and UGS performance comparison for the PR-BCD attack and an adaptive attack on the OGBN-ArXiv dataset. DeeperGCN is used as the GNN model. Cells report classification accuracy (%); GS = graph sparsity, MS = model sparsity.

                                         Perturbation Rate 10%       Perturbation Rate 15%
Dataset      Technique  Attack           GS 5.0%      GS 26.5%       GS 5.0%      GS 26.5%
                                         MS 20.0%     MS 73.8%       MS 20.0%     MS 73.8%
OGBN-ArXiv   ARGS       PR-BCD Attack    68.70        68.28          69.19        67.64
                        Adaptive Attack  68.30        67.83          67.06        66.38
[Figure 7.13 plot: accuracy on Chameleon (top) and Squirrel (bottom) versus weight sparsity (%) under MetaAttack (Ptb rates 10.0% and 20.0%) and the PGD attack (Ptb rates 10.0% and 20.0%); curves for ARGS, UGS, and the baseline (GARNET).]
Figure 7.13: Node classification performance versus weight sparsity levels for GPRGNN on the Chameleon and Squirrel datasets attacked by the PGD attack and MetaAttack.
as the baseline since it achieves state-of-the-art adversarial classification accuracy compared to other defense techniques for heterophilic graphs. As shown in Figure 7.13, ARGS identifies GLTs that achieve classification accuracy similar to GARNET's on the Chameleon and Squirrel datasets attacked by PGD and MetaAttack, at 85% to 97% weight sparsity, resulting in a substantial reduction in inference MACs.
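For context, GPRGNN combines the hidden features from multiple propagation hops with learnable per-hop weights, which is what lets it adapt to heterophilic graphs (negative hop weights act as a high-pass filter). A minimal sketch of the propagation rule follows; the fixed hop weights here are toy values standing in for the learned γ_k, and the identity features stand in for the MLP output.

```python
import torch

def gpr_propagate(adj_norm, h0, gammas):
    """Generalized PageRank propagation (GPRGNN-style):
    Z = sum_k gamma_k * A_hat^k @ H0, with one weight gamma_k per hop."""
    z = gammas[0] * h0
    h = h0
    for g in gammas[1:]:
        h = adj_norm @ h   # one propagation hop
        z = z + g * h
    return z

# Toy example: 4-node path graph, symmetric-normalized adjacency w/ self-loops.
n = 4
a = torch.zeros(n, n)
for i in range(n - 1):
    a[i, i + 1] = a[i + 1, i] = 1.0
a += torch.eye(n)
deg = a.sum(1)
a_hat = a / torch.sqrt(deg)[:, None] / torch.sqrt(deg)[None, :]

h0 = torch.eye(n)             # stand-in for MLP-transformed node features
gammas = [0.5, 0.3, 0.2]      # hypothetical hop weights (K = 2)
z = gpr_propagate(a_hat, h0, gammas)
print(z.shape)
```

In the actual model the γ_k are trained jointly with the MLP, so on heterophilic graphs they can down-weight (or negate) low-order neighborhood aggregation.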
7.4.8 Analysis Under Structure and Node Feature Attacks
In addition to structural attacks, we evaluate the performance of ARGS against an attack that modifies both the graph structure and the node features simultaneously. Mettack [104] can be modified for this purpose. Given a perturbation budget, at each iteration this attack computes both a structure perturbation and a feature perturbation and applies the one that results in the higher attack loss. This iterative process is repeated until the perturbation budget is exhausted. We attack the Cora and Citeseer datasets with 5%, 10%, and 15% perturbation rates, and use the STRG defense technique as the baseline. ARGS can find highly sparse GLTs that achieve classification accuracy similar to the baseline's across the graph datasets and perturbation rates under this attack. For example, at a 5% perturbation rate, ARGS finds GLTs with 53.75% graph sparsity and 96.55% model sparsity for the Cora dataset, and with 58.31% graph sparsity and 97.92% model sparsity for the Citeseer dataset. We also include the performance of UGS for comparison. Figure 7.14 shows that, at the same sparsity levels, GLTs identified by ARGS achieve much higher classification accuracy than GLTs identified by UGS. We observe that the attacked graph contains more edge perturbations than feature perturbations, since modifying the graph structure results in a higher attack loss than modifying the node features. These results show that ARGS can find highly sparse GLTs for graphs attacked with both structure and node feature perturbations.
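The greedy choose-the-stronger-perturbation loop can be sketched as follows. This is a simplified first-order illustration of the idea, not the Mettack variant used in our experiments: a fixed-weight linear surrogate replaces the meta-gradient computation, the gradient-times-flip-direction score is an assumption, and symmetry of the adjacency matrix is ignored for brevity.

```python
import torch
import torch.nn.functional as F

torch.manual_seed(1)

# Toy surrogate: fixed-weight linear "GCN" on a 5-node path graph with
# binary node features.
n, d, c = 5, 3, 2
A = torch.eye(n) + torch.diag(torch.ones(n - 1), 1) + torch.diag(torch.ones(n - 1), -1)
X = (torch.rand(n, d) < 0.5).float()
y = torch.randint(0, c, (n,))
W = torch.randn(d, c)

def attack_loss(A, X):
    return F.cross_entropy(A @ X @ W, y)

budget, n_struct, n_feat = 4, 0, 0
for _ in range(budget):
    A_v = A.clone().requires_grad_(True)
    X_v = X.clone().requires_grad_(True)
    attack_loss(A_v, X_v).backward()
    # First-order estimate of the loss gain from flipping entry (i, j):
    # gradient times the flip direction (0 -> 1 gives +1, 1 -> 0 gives -1).
    gain_A = A_v.grad * (1 - 2 * A)
    gain_X = X_v.grad * (1 - 2 * X)
    if gain_A.max() >= gain_X.max():     # structure flip scores higher
        i, j = divmod(int(gain_A.argmax()), n)
        A[i, j] = 1 - A[i, j]
        n_struct += 1
    else:                                # feature flip scores higher
        i, j = divmod(int(gain_X.argmax()), d)
        X[i, j] = 1 - X[i, j]
        n_feat += 1

print(f"structure flips: {n_struct}, feature flips: {n_feat}")
```

Each round spends one unit of budget on whichever perturbation family currently promises the larger loss increase, mirroring the behavior described above.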
[Figure 7.14 plot: accuracy (%) for GCN on Citeseer (top) and Cora (bottom) versus graph sparsity (%) and inference MACs (M), under the modified MetaAttack at Ptb rates 5.0%, 10.0%, and 15.0%; curves for ARGS, UGS, and the baseline (STRG).]
Figure 7.14: Node classification performance over achieved graph sparsity levels for a GCN model on the Cora and Citeseer datasets attacked by a version of MetaAttack that modifies both the graph structure and node features. The perturbation rates are 5%, 10%, and 15%. Red stars (⋆) indicate the ARGLTs. STRG is used as the baseline.
7.4.9 Ablation Study
We evaluate the effectiveness of each component of the proposed loss function for the sparsification algorithm by performing an ablation study, shown in Table 7.6. We consider the Cora dataset under the PGD attack with 10% and 20% perturbation rates. Configuration 1 corresponds to ARGS with all the loss components (7.7). Configuration 2 does not use the feature smoothness component (7.4), while configuration 3 skips the CE loss associated with the predicted test nodes (7.6). Configuration 4 skips both the smoothness loss and the CE loss on predicted test nodes. Table 7.6 shows that both configurations 2 and 3 improve the final performance compared to configuration 4, highlighting the importance of the losses introduced in (7.4) and (7.6). More importantly, at both high and low target sparsity, configuration 1 yields the best classification performance, showcasing the importance of the unified loss function (7.7).
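The ablation configurations can be read as toggles on a combined loss. The sketch below is a hedged illustration assembled from the description above, not the exact equations (7.4)-(7.7): the form of the smoothness term, the 0.9 confidence threshold for pseudo-labels, and the omitted terms weighted by α, η, and ζ are all illustrative assumptions.

```python
import torch
import torch.nn.functional as F

def args_style_loss(logits, y_train, train_mask, test_mask,
                    X, A_mask, beta=1.0, gamma=1.0):
    """CE on labeled train nodes, plus an optional feature-smoothness term
    over retained edges (beta, cf. (7.4)) and an optional CE term on
    confidently pseudo-labeled test nodes (gamma, cf. (7.6))."""
    loss = F.cross_entropy(logits[train_mask], y_train)
    if beta > 0:
        # Penalize feature differences across edges kept by the graph mask.
        diff = X[:, None, :] - X[None, :, :]
        loss = loss + beta * (A_mask * diff.pow(2).sum(-1)).sum() / A_mask.sum()
    if gamma > 0:
        # Self-training CE on the model's own high-confidence test predictions.
        probs = logits[test_mask].softmax(-1)
        conf, pseudo = probs.max(-1)
        keep = conf > 0.9
        if keep.any():
            loss = loss + gamma * F.cross_entropy(logits[test_mask][keep], pseudo[keep])
    return loss

# Toy usage: configuration 1 (both terms on) vs. configuration 4 (both off).
torch.manual_seed(0)
n, c = 6, 2
X = torch.randn(n, 3)
logits = torch.randn(n, c)
train_mask = torch.tensor([True, True, True, False, False, False])
y_train = torch.randint(0, c, (3,))
A_mask = torch.rand(n, n)
full = args_style_loss(logits, y_train, train_mask, ~train_mask, X, A_mask)
ablated = args_style_loss(logits, y_train, train_mask, ~train_mask, X, A_mask,
                          beta=0.0, gamma=0.0)
print(full.item(), ablated.item())
```

Setting beta=0 reproduces configuration 2, gamma=0 configuration 3, and both zero configuration 4.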
7.4.10 Performance Evaluation of ARGS on Clean Graphs
We evaluate the performance of ARGS on clean graphs. As shown in Table 7.7, ARGS can find highly sparse GLTs for clean graphs. The lottery tickets found by ARGS achieve model and graph sparsity similar to UGS's at the same classification accuracy on the Cora and Citeseer datasets across three different GNN models. We take the accuracy of UGS at 0% graph and 0% model sparsity as the baseline accuracy.
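The graph and model sparsity figures reported in Table 7.7 arise from iterative magnitude pruning of the adjacency and weight masks. The sketch below shows only the pruning step and the sparsity metric; the training and mask-learning steps of UGS/ARGS are omitted, and the per-round pruning fractions are illustrative.

```python
import torch

def prune_masks(adj_mask, weight_mask, p_graph=0.05, p_model=0.20):
    """One round of UGS-style magnitude pruning: zero out the lowest-magnitude
    p_graph fraction of still-active adjacency-mask entries and the lowest
    p_model fraction of still-active weight-mask entries."""
    def prune(mask, frac):
        active = mask[mask != 0].abs()
        if active.numel() == 0:
            return mask
        k = int(frac * active.numel())
        if k > 0:
            thresh = active.sort().values[k - 1]
            mask = torch.where(mask.abs() <= thresh, torch.zeros_like(mask), mask)
        return mask
    return prune(adj_mask, p_graph), prune(weight_mask, p_model)

def sparsity(mask):
    """Fraction of zeroed entries, i.e., the sparsity reported in Table 7.7."""
    return 1.0 - (mask != 0).float().mean().item()

torch.manual_seed(0)
adj_mask = torch.rand(50, 50)     # stand-in for the learned graph mask
weight_mask = torch.rand(32, 16)  # stand-in for the learned weight mask
for _ in range(3):  # iterate: train, prune, rewind (training omitted here)
    adj_mask, weight_mask = prune_masks(adj_mask, weight_mask)
print(f"graph sparsity: {sparsity(adj_mask):.2%}, "
      f"model sparsity: {sparsity(weight_mask):.2%}")
```

Because each round removes a fixed fraction of the remaining entries, sparsity compounds geometrically across rounds, which is how the high sparsity levels in the tables are reached.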
7.5 Conclusion
In this chapter, we first empirically observed that the performance of GLTs
collapses against structure perturbation poisoning attacks. To address this
Table 7.6: Ablation study. Cells report classification accuracy (%); GS = graph sparsity, MS = model sparsity.

GCN, Cora, PGD Attack
                            Perturbation Rate 10%       Perturbation Rate 20%
Config  α β γ η ζ    GS 9.8%      GS 64.4%       GS 9.8%      GS 64.5%
                     MS 36.1%     MS 98.9%       MS 36.1%     MS 98.9%
1       ✓ ✓ ✓ ✓ ✓    83.25        75.10          80.63        75.60
2       ✓ ✗ ✓ ✓ ✓    82.04        70.57          78.92        64.84
3       ✓ ✓ ✗ ✓ ✓    82.44        72.84          78.97        52.92
4       ✓ ✗ ✗ ✓ ✓    80.58        62.42          75.7         54.18

GCN, Cora, PGD Attack
                            Perturbation Rate 5%        Perturbation Rate 15%
Config  α β γ η ζ    GS 22.7%     GS 60.4%       GS 22.7%     GS 60.4%
                     MS 67.7%     MS 98.2%       MS 67.7%     MS 98.2%
1       ✓ ✓ ✓ ✓ ✓    82.04        74.75          80.23        73.99
2       ✓ ✗ ✓ ✓ ✓    81.84        73.64          79.98        68.81
3       ✓ ✓ ✗ ✓ ✓    81.69        74.45          76.86        72.89
4       ✓ ✗ ✗ ✓ ✓    79.28        71.33          74.70        63.48

GCN, Cora, Mettack
                            Perturbation Rate 5%        Perturbation Rate 10%
Config  α β γ η ζ    GS 22.7%     GS 62.3%       GS 22.6%     GS 64.2%
                     MS 67.6%     MS 98.6%       MS 67.5%     MS 98.9%
1       ✓ ✓ ✓ ✓ ✓    81.74        71.83          80.23        71.58
2       ✓ ✗ ✓ ✓ ✓    80.89        69.91          78.17        70.98
3       ✓ ✓ ✗ ✓ ✓    79.88        71.33          75.40        66.81
4       ✓ ✗ ✗ ✓ ✓    78.89        69.03          75.40        60.97

GCN, Cora, Mettack
                            Perturbation Rate 15%       Perturbation Rate 20%
Config  α β γ η ζ    GS 22.7%     GS 60.4%       GS 22.6%     GS 60.3%
                     MS 67.6%     MS 98.2%       MS 67.5%     MS 98.2%
1       ✓ ✓ ✓ ✓ ✓    80.73        75.91          79.38        70.37
2       ✓ ✗ ✓ ✓ ✓    80.23        73.69          78.72        69.97
3       ✓ ✓ ✗ ✓ ✓    77.97        72.74          75.50        69.16
4       ✓ ✗ ✗ ✓ ✓    78.42        72.08          74.09        68.86
issue, we presented a new adversarially robust graph sparsification technique, ARGS, that prunes the perturbed adjacency matrix and the GNN weights by optimizing a novel loss function. By iteratively applying ARGS, we found ARGLTs that are highly sparse yet achieve competitive performance under different structure poisoning attacks. Our evaluation showed the superiority of our method over UGS in both high and low sparsity regimes.
Table 7.7: Comparison of ARGS and UGS performance with GCN, GIN, and
GAT as backbones on the clean Cora and Citeseer datasets.
Dataset Technique Accuracy Graph Sparsity Model Sparsity
GCN
Cora UGS 80% 26.52% 74.20%
ARGS 80% 40.17% 89.48%
Citeseer UGS 70% 64.56% 98.93%
ARGS 70% 64.27% 98.88%
GIN
Cora UGS 79% 26.82% 73.93%
ARGS 79% 33.73% 83.33%
Citeseer UGS 68% 66.05% 98.86%
ARGS 68% 64.27% 98.86%
GAT
Cora UGS 80% 65.35% 98.91%
ARGS 80% 64.32% 98.93%
Citeseer UGS 70% 67.61% 98.86%
ARGS 70% 64.24% 98.86%
Chapter 8
Conclusions and Future Work
In this chapter, we summarize the main contributions of this dissertation
and suggest promising research directions for future work.
8.1 Conclusions
This dissertation shows a path toward leveraging graph learning to enable the design of secure and trustworthy ICs. It also underscores the importance of security for graph learning. In particular, this dissertation develops novel analysis methods and attacks to challenge the security guarantees of existing security solutions, and presents new state-of-the-art defense solutions against IC supply chain attacks.
GNNs are particularly effective at processing circuit netlists, which are inherently graph-structured data. They can leverage the node properties of a circuit netlist and their neighborhood information to successfully perform different tasks. First, Chapter 3 presents a GNN-based state register identification technique that enables circuit reverse engineering for hardware protection. To combat different IC supply chain attacks, security solutions like logic obfuscation, or locking, have been developed. However, these solutions often leak information through their structural signatures, which can be exploited by an attacker. Chapter 4 presents a graph learning-driven attack for analyzing the security guarantees of different logic obfuscation methods by assessing the level of information leakage from their structural signatures. Validation results show that the proposed technique succeeds in completely unlocking most of the locked designs. Moreover, this attack highlights the benefit of pairing the key prediction accuracy metric with output error measures such as
Hamming distance and functional corruptibility to evaluate the quality of
a candidate key solution.
Graph learning can be used to detect topologically and functionally similar logic gates or wires in a design, which in turn can be used to confuse existing machine learning-based attacks on logic obfuscation. In this context, Chapter 5 introduces a graph similarity-based logic locking technique (SimLL), which is the state-of-the-art defense against existing oracle-less learning-based attacks. Chapter 6 presents a reconfigurable logic-based locking technique that improves resilience against existing oracle-based attacks. Reconfigurable logic blocks like LUTs and switch-boxes reduce the amount of information leaked through their structural signatures, making them resilient against machine learning-based attacks as well. Finally, Chapter 7 analyzes the robustness of GNNs against adversarial attacks. It presents a GNN training method that yields efficient GNN models that are sparse and compressed, yet adversarially robust.
8.2 Future Work
The research conducted in this dissertation shows the promise GNNs hold
for enabling the design of trustworthy ICs. While the focus has been more
on reverse engineering and logic locking, there are several other important
areas where GNNs can be applied.
8.2.1 GNNs for Sequential Logic Obfuscation
While many works have explored the security guarantees of combinational logic locking in the past, very few have analyzed sequential logic obfuscation techniques. The satisfiability-based attack (SAT attack) has recently been extended to analyze the security of sequential locking techniques [230]. However, there is a notable gap in the literature concerning the analysis of information leakage from the locking-induced structural characteristics of different sequential logic obfuscation techniques. Some sequential logic obfuscation techniques introduce decoy registers into the design [231], while others incorporate additional states into the control logic finite state machine (FSM) [1, 92]. ReIGNN represents a promising foundation for examining these obfuscation methods. In particular, for techniques that integrate additional registers, ReIGNN could be refined to identify these decoy registers more effectively. This enhancement could reduce attack complexity and bolster the evaluation of the security guarantees provided by such defense mechanisms. Similarly, for obfuscation methods that introduce new states, ReIGNN can facilitate faster state register identification, enabling faster control logic reverse engineering and thus helping challenge the security guarantees of these techniques.
8.2.2 GNNs for Hardware Fuzzing
Hardware fuzzing has emerged as an effective approach to exploring and detecting security vulnerabilities in large-scale designs like modern processors. Compared to traditional methods like random regression and formal verification, hardware fuzzing offers superior coverage, scalability, and efficiency. Random regression, while widely used, faces significant efficiency limitations, particularly when tasked with exploring the intricate details of hardware designs. As a result, it struggles to identify vulnerabilities in critical, hard-to-reach components [232]. In contrast, formal verification excels at verifying the correctness of hard-to-reach components. However, formal methods are frequently plagued by state space explosion, making comprehensive verification of the entire design under test (DUT) impractical for large-scale designs. Hardware fuzzing presents a promising alternative by expanding the exploration of the design space and revealing security vulnerabilities in even the most complex hardware architectures, such as modern processors [233]. Unlike traditional methods, hardware fuzzers utilize coverage data, including branch conditions, statements, and control signals for multiplexers, to generate test cases that probe various hardware behaviors. While this coverage-driven approach has demonstrated success, further advancements can be achieved by incorporating graph neural networks (GNNs). GNNs can leverage the inherent structural properties of the hardware's source code to generate more sophisticated test patterns, potentially improving the coverage and detection of vulnerabilities in intricate hardware designs.
8.2.3 Defending GNNs Against Privacy Attacks
GNNs transform nodes and graphs into low-dimensional embeddings, which can be used to perform different node- and graph-level tasks. Graph and node embeddings can also be shared with third-party service providers to gather insights into the data and conduct different downstream graph analysis tasks.¹ However, sharing the embeddings raises substantial privacy concerns [234] in different application areas, since the dataset may contain confidential data. Recent work shows that attackers can utilize graph embeddings to infer sensitive information about the target graph. Property inference attacks can infer basic properties, like the number of edges and the density of the target graph, directly from the graph embeddings. Similarly, a subgraph inference attack can infer whether a given subgraph is contained in the target graph [234]. Therefore, developing defense techniques that protect against privacy inference attacks becomes critical. While many defense techniques have been developed against privacy attacks like membership inference and model extraction for graph data, defenses against property and subgraph inference attacks on GNNs remain mostly unexplored. Pruning the GNN model and the data is a promising direction for defending against privacy attacks, since pruning modifies the structure of the underlying data, thereby reducing the correlation between the data and the embedding.
¹ https://projector.tensorflow.org
Bibliography
[1] R. Chakraborty and S. Bhunia, “Hardware protection and authentication through netlist level obfuscation,” in 2008 IEEE/ACM International Conference on Computer-Aided Design. IEEE, 2008, pp.
674–677.
[2] L. Azriel, J. Speith, N. Albartus, R. Ginosar, A. Mendelson, and
C. Paar, “A survey of algorithmic methods in ic reverse engineering,”
Journal of Cryptographic Engineering, vol. 11, no. 3, pp. 299–315,
2021.
[3] G. Kolhe, H. M. Kamali, M. Naicker, T. D. Sheaves, H. Mahmoodi,
P. S. Manoj, H. Homayoun, S. Rafatirad, and A. Sasan, “Security
and complexity analysis of lut-based obfuscation: From blueprint to
reality,” in 2019 IEEE/ACM International Conference on ComputerAided Design (ICCAD). IEEE, 2019, pp. 1–8.
[4] M. Rostami, F. Koushanfar, and R. Karri, “A primer on hardware
security: Models, methods, and metrics,” Proceedings of the IEEE,
vol. 102, no. 8, pp. 1283–1295, 2014.
[5] M. Tehranipoor and C. Wang, Introduction to hardware security and
trust. Springer Science & Business Media, 2011.
[6] M. Tehranipoor and F. Koushanfar, “A survey of hardware Trojan
taxonomy and detection,” IEEE Design & Test of Computers, vol. 27,
no. 1, pp. 10–25, 2010.
[7] A. Shilov, “TSMC to Spend $100B on Fabs and R&D Over
Next Three Years: 2nm, Arizona Fab & More.” [Online; accessed
17-April-2024], https://www.anandtech.com/show/16593/tsmc-to-spend-100b-on-fabs-and-rd-over-three-years-2nm-arizona-fab-more/.
[8] M. Rostami, F. Koushanfar, and R. Karri, “A primer on hardware
security: Models, methods, and metrics,” Proceedings of the IEEE,
vol. 102, no. 8, pp. 1283–1295, 2014.
[9] K. Basu, S. M. Saeed, C. Pilato, M. Ashraf, M. T. Nabeel,
K. Chakrabarty, and R. Karri, “Cad-base: An attack vector into the
electronics supply chain,” ACM Transactions on Design Automation
of Electronic Systems (TODAES), vol. 24, no. 4, pp. 1–30, 2019.
[10] V. Gohil, M. Tressler, K. Sipple, S. Patnaik, and J. Rajendran,
“Games, dollars, splits: A game-theoretic analysis of split manufacturing,” IEEE Transactions on Information Forensics and Security,
vol. 16, pp. 5077–5092, 2021.
[11] M. Li, B. Yu, Y. Lin, X. Xu, W. Li, and D. Z. Pan, “A practical split
manufacturing framework for trojan prevention via simultaneous wire
lifting and cell insertion,” IEEE Transactions on Computer-Aided
Design of Integrated Circuits and Systems, vol. 38, no. 9, pp. 1585–
1598, 2018.
[12] H. Li, S. Patnaik, M. Ashraf, H. Yang, J. Knechtel, B. Yu,
O. Sinanoglu, and E. F. Young, “Deep learning analysis for split-manufactured layouts with routing perturbation,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems,
vol. 40, no. 10, pp. 1995–2008, 2020.
[13] J. Rajendran, O. Sinanoglu, and R. Karri, “Is split manufacturing
secure?” in 2013 Design, Automation & Test in Europe Conference
& Exhibition (DATE). IEEE, 2013, pp. 1259–1264.
[14] Y. Wang, T. Cao, J. Hu, and J. Rajendran, “Front-end-of-line attacks
in split manufacturing,” in 2017 IEEE/ACM International Conference on Computer-Aided Design (ICCAD). IEEE, 2017, pp. 1–8.
[15] S. Chen and R. Vemuri, “Improving the security of split manufacturing using a novel beol signal selection method,” in Proceedings of the
2018 on Great Lakes Symposium on VLSI, 2018, pp. 135–140.
[16] J. Magaña, D. Shi, J. Melchert, and A. Davoodi, “Are proximity attacks a threat to the security of split manufacturing of integrated circuits?” IEEE Transactions on Very Large Scale Integration (VLSI)
Systems, vol. 25, no. 12, pp. 3406–3419, 2017.
[17] K. Vaidyanathan, R. Liu, E. Sumbul, Q. Zhu, F. Franchetti, and
L. Pileggi, “Efficient and secure intellectual property (ip) design
with split fabrication,” in 2014 IEEE international symposium on
hardware-oriented security and trust (HOST). IEEE, 2014, pp. 13–
18.
[18] Y. Wang, P. Chen, J. Hu, and J. Rajendran, “The cat and mouse
in split manufacturing,” in Proceedings of the 53rd Annual Design
Automation Conference, 2016, pp. 1–6.
[19] J. Rajendran, M. Sam, O. Sinanoglu, and R. Karri, “Security analysis
of integrated circuit camouflaging,” in Proceedings of the 2013 ACM
SIGSAC conference on Computer & communications security, 2013,
pp. 709–720.
[20] M. Li, K. Shamsi, T. Meade, Z. Zhao, B. Yu, Y. Jin, and D. Z.
Pan, “Provably secure camouflaging strategy for ic protection,” IEEE
transactions on computer-aided design of integrated circuits and systems, vol. 38, no. 8, pp. 1399–1412, 2017.
[21] S. Patnaik, M. Ashraf, O. Sinanoglu, and J. Knechtel, “A modern approach to ip protection and trojan prevention: Split manufacturing
for 3d ics and obfuscation of vertical interconnects,” IEEE Transactions on Emerging Topics in Computing, vol. 9, no. 4, pp. 1815–1834,
2019.
[22] A. Vijayakumar, V. C. Patil, D. E. Holcomb, C. Paar, and S. Kundu,
“Physical design obfuscation of hardware: A comprehensive investigation of device and logic-level techniques,” IEEE Transactions on
Information Forensics and Security, vol. 12, no. 1, pp. 64–77, 2016.
[23] C. Yu, X. Zhang, D. Liu, M. Ciesielski, and D. Holcomb, “Incremental
sat-based reverse engineering of camouflaged logic circuits,” IEEE
Transactions on Computer-Aided Design of Integrated Circuits and
Systems, vol. 36, no. 10, pp. 1647–1659, 2017.
[24] M. Yasin, B. Mazumdar, O. Sinanoglu, and J. Rajendran, “Camoperturb: Secure ic camouflaging for minterm protection,” in 2016
IEEE/ACM International Conference on Computer-Aided Design
(ICCAD). IEEE, 2016, pp. 1–8.
[25] M. El Massad, S. Garg, and M. V. Tripunitara, “Integrated circuit
(ic) decamouflaging: Reverse engineering camouflaged ics within minutes.” in NDSS, 2015, pp. 1–14.
[26] J. Rajendran, H. Zhang, C. Zhang, G. S. Rose, Y. Pino, O. Sinanoglu,
and R. Karri, “Fault analysis-based logic encryption,” IEEE Transactions on computers, vol. 64, no. 2, pp. 410–424, 2013.
[27] S. M. Plaza and I. L. Markov, “Solving the third-shift problem
in ic piracy with test-aware logic locking,” IEEE Transactions on
Computer-Aided Design of Integrated Circuits and Systems, vol. 34,
no. 6, pp. 961–971, 2015.
[28] M. Yasin, J. Rajendran, O. Sinanoglu, and R. Karri, “On improving
the security of logic locking,” IEEE Transactions on Computer-Aided
Design of Integrated Circuits and Systems, vol. 35, no. 9, pp. 1411–
1424, 2015.
[29] J. A. Roy, F. Koushanfar, and I. Markov, “Epic: Ending piracy of
integrated circuits,” in Proceedings of the conference on Design, automation and test in Europe, 2008, pp. 1069–1074.
[30] F. Tramèr, F. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart,
“Stealing machine learning models via prediction {APIs},” in 25th
USENIX security symposium (USENIX Security 16), 2016, pp. 601–
618.
[31] L. Song, R. Shokri, and P. Mittal, “Membership inference attacks
against adversarially robust deep learning models,” in 2019 IEEE
Security and Privacy Workshops (SPW). IEEE, 2019, pp. 50–56.
[32] I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” arXiv preprint arXiv:1412.6572, 2014.
[33] J. X. Morris, E. Lifland, J. Y. Yoo, J. Grigsby, D. Jin, and
Y. Qi, “Textattack: A framework for adversarial attacks, data
augmentation, and adversarial training in nlp,” arXiv preprint
arXiv:2005.05909, 2020.
[34] D. Zügner, A. Akbarnejad, and S. Günnemann, “Adversarial attacks
on neural networks for graph data,” in Proceedings of the 24th ACM
SIGKDD international conference on knowledge discovery & data
mining, 2018, pp. 2847–2856.
[35] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus, “Intriguing properties of neural networks,”
arXiv preprint arXiv:1312.6199, 2013.
[36] N. Papernot, P. McDaniel, I. Goodfellow, S. Jha, Z. B. Celik, and
A. Swami, “Practical black-box attacks against machine learning,”
in Proceedings of the 2017 ACM on Asia conference on computer and
communications security, 2017, pp. 506–519.
[37] N. Papernot, P. McDaniel, A. Swami, and R. Harang, “Crafting adversarial input sequences for recurrent neural networks,” in MILCOM
2016-2016 IEEE Military Communications Conference. IEEE, 2016,
pp. 49–54.
[38] N. Carlini and D. Wagner, “Towards evaluating the robustness of
neural networks,” in 2017 ieee symposium on security and privacy
(sp). Ieee, 2017, pp. 39–57.
[39] T. N. Kipf and M. Welling, “Semi-supervised classification with graph
convolutional networks,” arXiv preprint arXiv:1609.02907, 2016.
[40] M. Gori, G. Monfardini, and F. Scarselli, “A new model for learning in graph domains,” in Proceedings of IEEE International Joint
Conference on Neural Networks, 2005., vol. 2, 2005, pp. 729–734.
[41] F. Scarselli, M. Gori, A. Tsoi, M. Hagenbuchner, and G. Monfardini,
“The graph neural network model,” IEEE transactions on neural
networks, vol. 20, no. 1, pp. 61–80, 2008.
[42] Z. Yang, W. Cohen, and R. Salakhutdinov, “Revisiting semi-supervised learning with graph embeddings,” in International conference on machine learning. PMLR, 2016, pp. 40–48.
[43] E. Gawehn, J. A. Hiss, and G. Schneider, “Deep learning in drug
discovery,” Molecular informatics, vol. 35, no. 1, pp. 3–14, 2016.
[44] R. Ying, J. You, C. Morris, X. Ren, W. L. Hamilton, and J. Leskovec,
“Hierarchical graph representation learning with differentiable pooling,” arXiv preprint arXiv:1806.08804, 2018.
[45] R. Ying, R. He, K. Chen, P. Eksombatchai, W. L. Hamilton, and
J. Leskovec, “Graph convolutional neural networks for web-scale recommender systems,” in Proceedings of the 24th ACM SIGKDD international conference on knowledge discovery & data mining, 2018,
pp. 974–983.
[46] M. Zhang and Y. Chen, “Link prediction based on graph neural networks,” Advances in Neural Information Processing Systems, vol. 31,
pp. 5165–5175, 2018.
[47] Z. Wu, S. Pan, G. Long, J. Jiang, X. Chang, and C. Zhang, “Connecting the dots: Multivariate time series forecasting with graph neural
networks,” in Proceedings of the 26th ACM SIGKDD international
conference on knowledge discovery & data mining, 2020, pp. 753–763.
[48] C. Shang, J. Chen, and J. Bi, “Discrete graph structure learning for
forecasting multiple time series,” arXiv preprint arXiv:2101.06861,
2021.
[49] Y. Li, R. Yu, C. Shahabi, and Y. Liu, “Diffusion convolutional recurrent neural network: Data-driven traffic forecasting,” arXiv preprint
arXiv:1707.01926, 2017.
[50] S. Guo, Y. Lin, N. Feng, C. Song, and H. Wan, “Attention based
spatial-temporal graph convolutional networks for traffic flow forecasting,” in Proceedings of the AAAI conference on artificial intelligence, vol. 33, no. 01, 2019, pp. 922–929.
[51] L. Zhao, Y. Song, C. Zhang, Y. Liu, P. Wang, T. Lin, M. Deng, and
H. Li, “T-gcn: A temporal graph convolutional network for traffic
prediction,” IEEE transactions on intelligent transportation systems,
vol. 21, no. 9, pp. 3848–3858, 2019.
[52] A. Bojchevski, J. Gasteiger, B. Perozzi, A. Kapoor, M. Blais,
B. Rózemberczki, M. Lukasik, and S. Günnemann, “Scaling graph
neural networks with approximate pagerank,” in Proceedings of the
26th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, 2020, pp. 2464–2473.
[53] D. Jiang, Z. Wu, C.-Y. Hsieh, G. Chen, B. Liao, Z. Wang, C. Shen,
D. Cao, J. Wu, and T. Hou, “Could graph neural networks learn better molecular representation for drug discovery? a comparison study
of descriptor-based and graph-based models,” Journal of cheminformatics, vol. 13, pp. 1–23, 2021.
[54] J. Li, D. Cai, and X. He, “Learning graph-level representation for
drug discovery,” arXiv preprint arXiv:1709.03741, 2017.
[55] M. Zitnik, M. Agrawal, and J. Leskovec, “Modeling polypharmacy
side effects with graph convolutional networks,” Bioinformatics,
vol. 34, no. 13, pp. i457–i466, 2018.
[56] J. Gilmer, S. S. Schoenholz, P. F. Riley, O. Vinyals, and G. E. Dahl,
“Neural message passing for quantum chemistry,” in International
conference on machine learning. PMLR, 2017, pp. 1263–1272.
[57] J. Gasteiger, J. Groß, and S. Günnemann, “Directional message passing for molecular graphs,” arXiv preprint arXiv:2003.03123, 2020.
[58] K. Schütt, P.-J. Kindermans, H. E. Sauceda Felix, S. Chmiela, A. Tkatchenko, and K.-R. Müller, “SchNet: A continuous-filter convolutional neural network for modeling quantum interactions,” Advances in neural information processing systems, vol. 30, 2017.
[59] O. T. Unke and M. Meuwly, “PhysNet: A neural network for predicting energies, forces, dipole moments, and partial charges,” Journal
of chemical theory and computation, vol. 15, no. 6, pp. 3678–3693,
2019.
[60] B. Khailany, “Accelerating chip design with machine learning,” in
Proceedings of the 2020 ACM/IEEE Workshop on Machine Learning
for CAD, 2020, pp. 33–33.
[61] Y. Ma, Z. He, W. Li, L. Zhang, and B. Yu, “Understanding graphs
in EDA: From shallow to deep learning,” in Proceedings of the 2020
international symposium on physical design, 2020, pp. 119–126.
[62] S. D. Chowdhury, K. Yang, and P. Nuzzo, “ReIGNN: State register identification using graph neural networks for circuit reverse engineering,” in 2021 IEEE/ACM International Conference on Computer-Aided Design (ICCAD). IEEE, 2021, pp. 1–9.
——, “SimLL: Similarity-based logic locking against machine learning
attacks,” in 2023 60th ACM/IEEE Design Automation Conference
(DAC). IEEE, 2023, pp. 1–6.
[64] S. D. Chowdhury, G. Zhang, Y. Hu, and P. Nuzzo, “Enhancing SAT-attack resiliency and cost-effectiveness of reconfigurable-logic-based
circuit obfuscation,” in IEEE International Symposium on Circuits
and Systems (ISCAS), 2021, pp. 1–5.
[65] S. D. Chowdhury, Z. Ni, Q. Peng, S. Kundu, and P. Nuzzo, “Analyzing adversarial vulnerabilities of graph lottery tickets,” in ICASSP
2024-2024 IEEE International Conference on Acoustics, Speech and
Signal Processing (ICASSP). IEEE, 2024, pp. 7830–7834.
[66] ——, “Sparse but strong: Crafting adversarially robust graph lottery
tickets,” arXiv preprint arXiv:2312.06568, 2023.
[67] ——, “Finding adversarially robust graph lottery tickets,” Transactions on Machine Learning Research, 2024.
[68] S. E. Quadir, J. Chen, D. Forte, N. Asadizanjani, S. Shahbazmohamadi, L. Wang, J. Chandy, and M. Tehranipoor, “A survey on chip
to system reverse engineering,” ACM Journal on Emerging Technologies in Computing Systems (JETC), vol. 13, no. 1, pp. 1–34, 2016.
[69] U. Guin, K. Huang, D. DiMase, J. M. Carulli, M. Tehranipoor, and
Y. Makris, “Counterfeit integrated circuits: A rising threat in the
global semiconductor supply chain,” Proceedings of the IEEE, vol.
102, no. 8, pp. 1207–1228, 2014.
[70] D. Blair, J. J. Huntsman, C. Barrett, S. Gordon, W. Lynn III,
D. Wince-Smith, and M. K. Young, “Update to the ip commission
report: The report of the commission on the theft of american intellectual property,” The National Bureau of Asian Research, 2017.
[71] Verified Market Research, “Semiconductor IP market size and forecast,” 2021, https://www.verifiedmarketresearch.com/product/global-semiconductor-intellectual-property-market/.
[72] M. Yasin, J. J. Rajendran, and O. Sinanoglu, Trustworthy hardware
design: Combinational logic locking techniques. Springer, 2020.
[73] J. Rajendran, M. Sam, O. Sinanoglu, and R. Karri, “Security analysis
of integrated circuit camouflaging,” in Proceedings of the 2013 ACM
SIGSAC conference on Computer & communications security, 2013,
pp. 709–720.
[74] B. Erbagci, C. Erbagci, N. E. C. Akkaya, and K. Mai, “A secure camouflaged threshold voltage defined logic family,” in 2016 IEEE International symposium on hardware oriented security and trust (HOST).
IEEE, 2016, pp. 229–235.
[75] B. Shakya, H. Shen, M. Tehranipoor, and D. Forte, “Covert
gates: Protecting integrated circuits with undetectable camouflaging,” IACR transactions on cryptographic hardware and embedded
systems, pp. 86–118, 2019.
[76] N. Rangarajan, S. Patnaik, J. Knechtel, S. Rakheja, and
O. Sinanoglu, Next Era in Hardware Security. Springer, 2021.
[77] R. W. Jarvis and M. G. Mcintyre, “Split manufacturing method for
advanced semiconductor circuits,” US Patent 7,195,931, Mar. 27, 2007.
[78] Z. Chen, P. Zhou, T.-Y. Ho, and Y. Jin, “How secure is split manufacturing in preventing hardware Trojan?” in 2016 IEEE Asian
Hardware-Oriented Security and Trust (AsianHOST). IEEE, 2016,
pp. 1–6.
[79] J. A. Roy, F. Koushanfar, and I. L. Markov, “Ending piracy of integrated circuits,” Computer, vol. 43, no. 10, pp. 30–38, 2010.
[80] A. Baumgarten, A. Tyagi, and J. Zambreno, “Preventing IC piracy using reconfigurable logic barriers,” IEEE Design & Test of Computers,
vol. 27, no. 1, pp. 66–75, 2010.
[81] S. Dupuis, P. Ba, G. Di Natale, M. Flottes, and B. Rouzeyre, “A
novel hardware logic encryption technique for thwarting illegal overproduction and hardware trojans,” in 2014 IEEE 20th International
On-Line Testing Symposium (IOLTS). IEEE, 2014, pp. 49–54.
[82] J. Rajendran, Y. Pino, O. Sinanoglu, and R. Karri, “Security analysis of logic obfuscation,” in Proceedings of the 49th Annual Design
Automation Conference, 2012, pp. 83–89.
[83] J. Rajendran, H. Zhang, C. Zhang, G. Rose, Y. Pino, O. Sinanoglu,
and R. Karri, “Fault analysis-based logic encryption,” IEEE Transactions on Computers, vol. 64, no. 2, pp. 410–424, 2013.
[84] S. Plaza and I. Markov, “Solving the third-shift problem in IC piracy with test-aware logic locking,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 34, no. 6, pp.
961–971, 2015.
[85] Y. Lee and N. Touba, “Improving logic obfuscation via logic cone
analysis,” in 2015 16th Latin-American Test Symposium (LATS).
IEEE, 2015, pp. 1–6.
[86] K. Shamsi, M. Li, T. Meade, Z. Zhao, D. Pan, and Y. Jin, “Cyclic
obfuscation for creating SAT-unresolvable circuits,” in Proceedings of
the on Great Lakes Symposium on VLSI 2017, 2017, pp. 173–178.
[87] G. Kolhe, H. Kamali, M. Naicker, T. Sheaves, H. Mahmoodi,
P. Manoj, H. Homayoun, S. Rafatirad, and A. Sasan, “Security and
complexity analysis of LUT-based obfuscation: From blueprint to reality,” in 2019 IEEE/ACM International Conference on Computer-Aided Design (ICCAD). IEEE, 2019, pp. 1–8.
[88] Y. Xie and A. Srivastava, “Mitigating SAT attack on logic locking,”
in International conference on cryptographic hardware and embedded
systems. Springer, 2016, pp. 127–146.
——, “Anti-SAT: Mitigating SAT attack on logic locking,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 38, no. 2, pp. 199–207, 2018.
[90] M. Yasin, B. Mazumdar, J. Rajendran, and O. Sinanoglu, “SARLock: SAT attack resistant logic locking,” in 2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE,
2016, pp. 236–241.
[91] M. Yasin, A. Sengupta, M. Nabeel, M. Ashraf, J. Rajendran, and
O. Sinanoglu, “Provably-secure logic locking: From theory to practice,” in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 2017, pp. 1601–1618.
[92] Y. Hu, K. Yang, S. Nazarian, and P. Nuzzo, “SANSCrypt: A sporadic-authentication-based sequential logic encryption scheme,” in 2020
IFIP/IEEE 28th International Conference on Very Large Scale Integration (VLSI-SOC). IEEE, 2020, pp. 129–134.
[93] S. Roshanisefat, H. M. Kamali, K. Z. Azar, S. M. P. Dinakarrao,
N. Karimi, H. Homayoun, and A. Sasan, “DFSSD: Deep faults and
shallow state duality, a provably strong obfuscation solution for circuits with restricted access to scan chain,” in 2020 IEEE 38th VLSI
Test Symposium (VTS). IEEE, 2020, pp. 1–6.
[94] J. Dofe and Q. Yu, “Novel dynamic state-deflection method for gate-level design obfuscation,” IEEE Transactions on Computer-Aided
Design of Integrated Circuits and Systems, vol. 37, no. 2, pp. 273–285,
2017.
[95] R. Torrance and D. James, “The state-of-the-art in IC reverse engineering,” in International Workshop on Cryptographic Hardware and
Embedded Systems. Springer, 2009, pp. 363–381.
[96] K. Nohl, D. Evans, S. Starbug, and H. Plötz, “Reverse-engineering a cryptographic RFID tag,” in USENIX Security Symposium, vol. 28,
2008.
[97] W. L. Hamilton, R. Ying, and J. Leskovec, “Inductive representation learning on large graphs,” in Proceedings of the 31st International Conference on Neural Information Processing Systems, 2017,
pp. 1025–1035.
[98] Z. Wu, S. Pan, F. Chen, G. Long, C. Zhang, and P. S. Yu, “A
comprehensive survey on graph neural networks,” IEEE Transactions
on Neural Networks and Learning Systems, vol. 32, no. 1, pp. 4–24,
2020.
[99] P. Veličković, G. Cucurull, A. Casanova, A. Romero, P. Lio,
and Y. Bengio, “Graph attention networks,” arXiv preprint
arXiv:1710.10903, 2017.
[100] W. L. Hamilton, “Graph representation learning,” Synthesis Lectures
on Artificial Intelligence and Machine Learning, vol. 14, no. 3, pp.
1–159, 2020.
[101] M. Zhang, Z. Cui, M. Neumann, and Y. Chen, “An end-to-end deep
learning architecture for graph classification,” in Thirty-Second AAAI
Conference on Artificial Intelligence, 2018.
[102] H. Dai, H. Li, T. Tian, X. Huang, L. Wang, J. Zhu, and L. Song,
“Adversarial attack on graph structured data,” in International conference on machine learning. PMLR, 2018, pp. 1115–1124.
[103] H. Wu, C. Wang, Y. Tyshetskiy, A. Docherty, K. Lu, and L. Zhu,
“Adversarial examples on graph data: Deep insights into attack and
defense,” arXiv preprint arXiv:1903.01610, 2019.
[104] D. Zügner and S. Günnemann, “Adversarial attacks on graph neural networks via meta learning,” in International Conference on Learning Representations, 2019.
[105] F. Mujkanovic, S. Geisler, S. Günnemann, and A. Bojchevski, “Are
defenses for graph neural networks robust?” Advances in Neural Information Processing Systems 35 (NeurIPS 2022), 2022.
[106] W. Jin, Y. Li, H. Xu, Y. Wang, and J. Tang, “Adversarial attacks and
defenses on graphs: A review and empirical study,” arXiv preprint
arXiv:2003.00653, 2020.
[107] J. Baehr, A. Bernardini, G. Sigl, and U. Schlichtmann, “Machine
learning and structural characteristics for reverse engineering,” Integration, vol. 72, pp. 1–12, 2020.
[108] M. Hassanpourghadi, Q. Zhang, P. Sharma, J. Nam, S. Su, S. Chowdhury, J. Sathyamoorthy, W. Unglaub, F. Wang, M. Chen et al., “Automated analog mixed-signal IP generator for CMOS technologies,”
GOMACTech, 2019.
[109] M. Paul, N. Kapoor, R. Modak, T. Paul, R. R. Chaudhuri, S. D.
Chowdhury, and M. Sarkar, “Design of 1-bit full adder using β-driven
threshold element,” in 2017 1st International Conference on Electronics, Materials Engineering and Nano-Technology (IEMENTech).
IEEE, 2017, pp. 1–5.
[110] S. D. Chowdhury, R. R. Chaudhuri, and M. Sarkar, “Design of 1-bit
full adder using NMOS-based negative differential resistance,” in 2017
Devices for Integrated Circuit (DevIC). IEEE, 2017, pp. 630–636.
[111] A. Gascón, P. Subramanyan, B. Dutertre, A. Tiwari, D. Jovanović,
and S. Malik, “Template-based circuit understanding,” in Formal
Methods in Computer-Aided Design (FMCAD). IEEE, 2014, pp.
83–90.
[112] W. Li, Z. Wasson, and S. A. Seshia, “Reverse engineering circuits
using behavioral pattern mining,” in IEEE International Symposium
on Hardware-Oriented Security and Trust (HOST), 2012, pp. 83–88.
[113] A. Fayyazi, S. Shababi, P. Nuzzo, S. Nazarian, and M. Pedram,
“Deep learning-based circuit recognition using sparse mapping and
level-dependent decaying sum circuit representations,” in Design, Automation & Test in Europe Conference & Exhibition (DATE), 2019,
pp. 638–641.
[114] L. Alrahis, A. Sengupta, J. Knechtel, S. Patnaik, H. Saleh, B. Mohammad, M. Al-Qutayri, and O. Sinanoglu, “GNN-RE: Graph neural
networks for reverse engineering of gate-level netlists,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2021.
[115] Y. Shi, C. W. Ting, B.-H. Gwee, and Y. Ren, “A highly efficient
method for extracting FSMs from flattened gate-level netlist,” in Proceedings of IEEE International Symposium on Circuits and Systems,
2010, pp. 2610–2613.
[116] K. S. Mcelvain, “Methods and apparatuses for automatic extraction
of finite state machines,” US Patent 6,182,268, Jan. 30, 2001.
[117] T. Meade, S. Zhang, and Y. Jin, “Netlist reverse engineering for high-level functionality reconstruction,” in 21st Asia and South Pacific
Design Automation Conference (ASP-DAC), 2016, pp. 655–660.
[118] M. Fyrbiak, S. Wallat, J. Déchelotte, N. Albartus, S. Böcker,
R. Tessier, and C. Paar, “On the difficulty of FSM-based hardware
obfuscation,” IACR Transactions on Cryptographic Hardware and
Embedded Systems, pp. 293–330, 2018.
[119] T. Meade, Y. Jin, M. Tehranipoor, and S. Zhang, “Gate-level netlist
reverse engineering for hardware security: Control logic register identification,” in IEEE International Symposium on Circuits and Systems (ISCAS), 2016, pp. 1334–1337.
[120] M. Brunner, J. Baehr, and G. Sigl, “Improving on state register
identification in sequential hardware reverse engineering,” in IEEE
International Symposium on Hardware Oriented Security and Trust
(HOST), 2019, pp. 151–160.
[121] J. Geist, T. Meade, S. Zhang, and Y. Jin, “RELIC-FUN: logic identification through functional signal comparisons,” in 57th ACM/IEEE
Design Automation Conference (DAC), 2020, pp. 1–6.
[122] A. Cui, C. He, C.-H. Chang, and H. Lu, “Identification of FSM state
registers by analytics of scan-dump data,” IEEE Transactions on
Information Forensics and Security, vol. 16, pp. 5138–5153, 2021.
[123] T. Meade, K. Shamsi, T. Le, J. Di, S. Zhang, and Y. Jin, “The
old frontier of reverse engineering: Netlist partitioning,” Journal of
Hardware and Systems Security, vol. 2, no. 3, pp. 201–213, 2018.
[124] P. Subramanyan, N. Tsiskaridze, K. Pasricha, D. Reisman, A. Susnea,
and S. Malik, “Reverse engineering digital circuits using functional
analysis,” in Design, Automation & Test in Europe Conference &
Exhibition (DATE), 2013, pp. 1277–1280.
[125] P. Subramanyan, N. Tsiskaridze, W. Li, A. Gascón, W. Y. Tan,
A. Tiwari, N. Shankar, S. A. Seshia, and S. Malik, “Reverse engineering digital circuits using structural and functional analyses,”
IEEE Transactions on Emerging Topics in Computing, vol. 2, no. 1,
pp. 63–80, 2013.
[126] Z. Huang, Q. Wang, Y. Chen, and X. Jiang, “A survey on machine
learning against hardware Trojan attacks: Recent advances and challenges,” IEEE Access, vol. 8, pp. 10796–10826, 2020.
[127] R. Yasaei, S.-Y. Yu, and M. A. Al Faruque, “GNN4TJ: Graph neural
networks for hardware Trojan detection at register transfer level,”
in Design, Automation & Test in Europe Conference & Exhibition
(DATE), 2021, pp. 1504–1509.
[128] Y. Hu, K. Yang, S. D. Chowdhury, and P. Nuzzo, “Risk-aware
cost-effective design methodology for integrated circuit locking,”
in Design, Automation & Test in Europe Conference & Exhibition
(DATE), 2021, pp. 1182–1185.
[129] D. Sisejkovic, F. Merchant, L. M. Reimann, H. Srivastava,
A. Hallawa, and R. Leupers, “Challenging the security of logic locking schemes in the era of deep learning: A neuroevolutionary approach,” ACM Journal on Emerging Technologies in Computing Systems (JETC), vol. 17, no. 3, pp. 1–26, 2021.
[130] P. Chakraborty, J. Cruz, and S. Bhunia, “SAIL: Machine learning
guided structural analysis attack on hardware obfuscation,” in Asian
Hardware Oriented Security and Trust Symposium (AsianHOST),
2018, pp. 56–61.
[131] L. Alrahis, S. Patnaik, F. Khalid, M. A. Hanif, H. Saleh, M. Shafique,
and O. Sinanoglu, “GNNUnlock: Graph neural networks-based
oracle-less unlocking scheme for provably secure logic locking,” in
Design, Automation & Test in Europe Conference & Exhibition
(DATE), 2021, pp. 780–785.
[132] J. L. Hennessy and D. A. Patterson, Computer architecture: a quantitative approach. Elsevier, 2011.
[133] Y. LeCun, Y. Bengio et al., “Convolutional networks for images,
speech, and time series,” The Handbook of Brain Theory and Neural
Networks, vol. 3361, no. 10, p. 1995, 1995.
[134] S. Hochreiter and J. Schmidhuber, “Long short-term memory,” Neural Computation, vol. 9, no. 8, pp. 1735–1780, 1997.
[135] R. Girshick, J. Donahue, T. Darrell, and J. Malik, “Rich feature hierarchies for accurate object detection and semantic segmentation,” in
Proceedings of the IEEE Conference on Computer Vision and Pattern
Recognition, 2014, pp. 580–587.
[136] K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual learning for
image recognition,” in Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2016, pp. 770–778.
[137] J. Redmon, S. Divvala, R. Girshick, and A. Farhadi, “You only look
once: Unified, real-time object detection,” in Proceedings of the IEEE
Conference on Computer Vision and Pattern Recognition, 2016, pp.
779–788.
[138] G. Hinton, L. Deng, D. Yu, G. E. Dahl, A.-r. Mohamed, N. Jaitly,
A. Senior, V. Vanhoucke, P. Nguyen, T. N. Sainath et al., “Deep neural networks for acoustic modeling in speech recognition: The shared
views of four research groups,” IEEE Signal Processing Magazine,
vol. 29, no. 6, pp. 82–97, 2012.
[139] T. Young, D. Hazarika, S. Poria, and E. Cambria, “Recent trends in
deep learning based natural language processing,” IEEE Computational Intelligence Magazine, vol. 13, no. 3, pp. 55–75, 2018.
[140] A. Vaswani, N. Shazeer, N. Parmar, J. Uszkoreit, L. Jones, A. N.
Gomez, L. Kaiser, and I. Polosukhin, “Attention is all you need,” in
Advances in neural information processing systems, 2017, pp. 5998–
6008.
[141] K. Xu, W. Hu, J. Leskovec, and S. Jegelka, “How powerful are graph
neural networks?” arXiv preprint arXiv:1810.00826, 2018.
[142] B. Srinivasan and B. Ribeiro, “On the equivalence between positional node embeddings and structural graph representations,” arXiv
preprint arXiv:1910.00452, 2019.
[143] C. Morris, M. Ritzert, M. Fey, W. L. Hamilton, J. E. Lenssen, G. Rattan, and M. Grohe, “Weisfeiler and leman go neural: Higher-order
graph neural networks,” in Proceedings of the AAAI Conference on
Artificial Intelligence, vol. 33, no. 01, 2019, pp. 4602–4609.
[144] A. Leman and B. Weisfeiler, “A reduction of a graph to a canonical form and an algebra arising during this reduction,” Nauchno-Technicheskaya Informatsiya, vol. 2, no. 9, pp. 12–16, 1968.
[145] U. Brandes, “On variants of shortest-path betweenness centrality and
their generic computation,” Social Networks, vol. 30, no. 2, pp. 136–
145, 2008.
[146] P. Boldi and S. Vigna, “Axioms for centrality,” Internet Mathematics,
vol. 10, no. 3-4, pp. 222–262, 2014.
[147] R. Tarjan, “Depth-first search and linear graph algorithms,” SIAM
Journal on Computing, vol. 1, no. 2, pp. 146–160, 1972.
[148] M. Fey and J. E. Lenssen, “Fast graph representation learning with
PyTorch Geometric,” arXiv preprint arXiv:1903.02428, 2019.
[149] Oliscience, “OpenCores,” [Online], Available:
https://opencores.org/projects.
[150] J. Strombergson, “secworks,” [Online], Available:
https://github.com/secworks?tab=repositories.
[151] “onchipuis,” https://github.com/onchipuis?tab=repositories.
Silvaco, “45nm Open Cell Library,” 2019.
[153] R. Kohavi, “A study of cross-validation and bootstrap for accuracy
estimation and model selection,” in Proceedings of the 14th International Joint Conference on Artificial Intelligence - Volume 2, ser.
IJCAI’95, 1995, pp. 1137–1143.
[154] N. Srivastava, G. Hinton, A. Krizhevsky, I. Sutskever, and
R. Salakhutdinov, “Dropout: a simple way to prevent neural networks from overfitting,” Journal of Machine Learning Research
(JMLR), vol. 15, no. 1, pp. 1929–1958, 2014.
[155] M. Fyrbiak, S. Strauß, C. Kison, S. Wallat, M. Elson, N. Rummel,
and C. Paar, “Hardware reverse engineering: Overview and open
challenges,” in 2017 IEEE 2nd International Verification and Security Workshop (IVSW). IEEE, 2017, pp. 88–94.
[156] P. Subramanyan, S. Ray, and S. Malik, “Evaluating the security of
logic encryption algorithms,” in 2015 IEEE International Symposium
on Hardware Oriented Security and Trust (HOST). IEEE, 2015, pp.
137–143.
[157] K. Azar, H. Kamali, H. Homayoun, and A. Sasan, “SMT attack: Next
generation attack on obfuscated circuits with capabilities and performance beyond the sat attacks,” IACR Transactions on Cryptographic
Hardware and Embedded Systems, pp. 97–122, 2019.
[158] K. Shamsi, M. Li, T. Meade, Z. Zhao, D. Pan, and Y. Jin, “AppSAT: Approximately deobfuscating integrated circuits,” in 2017 IEEE
International Symposium on Hardware Oriented Security and Trust
(HOST). IEEE, 2017, pp. 95–100.
[159] R. Karmakar and S. Chattopadhyay, “A particle swarm optimization
guided approximate key search attack on logic locking in the absence
of scan access,” in 2020 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 2020, pp. 448–453.
[160] L. Li and A. Orailoglu, “Piercing logic locking keys through redundancy identification,” in 2019 Design, Automation & Test in Europe
Conference & Exhibition (DATE). IEEE, 2019, pp. 540–545.
[161] A. Alaql, D. Forte, and S. Bhunia, “Sweep to the secret: A constant
propagation attack on logic locking,” in 2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST). IEEE, 2019,
pp. 1–6.
[162] Y. Zhang, P. Cui, Z. Zhou, and U. Guin, “TGA: An oracle-less
and topology-guided attack on logic locking,” in Proceedings of the
3rd ACM Workshop on Attacks and Solutions in Hardware Security
Workshop. ACM, 2019, pp. 75–83.
[163] L. Alrahis, S. Patnaik, M. Shafique, and O. Sinanoglu, “OMLA: An
oracle-less machine learning-based attack on logic locking,” IEEE
Transactions on Circuits and Systems II: Express Briefs, 2021.
[164] K. Shamsi, T. Meade, M. Li, D. Z. Pan, and Y. Jin, “On the approximation resiliency of logic locking and ic camouflaging schemes,”
IEEE Transactions on Information Forensics and Security, vol. 14,
no. 2, pp. 347–359, 2018.
[165] D. Sirone and P. Subramanyan, “Functional analysis attacks on logic
locking,” IEEE Transactions on Information Forensics and Security,
vol. 15, pp. 2514–2527, 2020.
[166] P. Chakraborty, J. Cruz, and S. Bhunia, “SURF: Joint structural functional attack on logic locking,” in 2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE,
2019, pp. 181–190.
[167] M. Yasin, A. Sengupta, B. Schafer, Y. Makris, O. Sinanoglu, and
J. Rajendran, “What to lock? functional and parametric locking,” in
Proceedings of the on Great Lakes Symposium on VLSI 2017, 2017,
pp. 351–356.
[168] H. Chen, C. Fu, J. Zhao, and F. Koushanfar, “GenUnlock: An automated genetic algorithm framework for unlocking logic encryption,”
in 2019 IEEE/ACM International Conference on Computer-Aided
Design (ICCAD). IEEE, 2019, pp. 1–8.
[169] S. Rahnamayan, H. Tizhoosh, and M. Salama, “A novel population
initialization method for accelerating evolutionary algorithms,” Computers & Mathematics with Applications, vol. 53, no. 10, pp. 1605–
1614, 2007.
[170] M. Massad, J. Zhang, S. Garg, and M. Tripunitara, “Logic locking
for secure outsourced chip fabrication: A new attack and provably
secure defense mechanism,” arXiv preprint arXiv:1703.10187, 2017.
[171] E. Burke and G. Kendall, Search methodologies: introductory tutorials in optimization and decision support techniques. Springer, 2014.
[172] J. Kennedy and R. Eberhart, “Particle swarm optimization,” in Proceedings of ICNN’95-international conference on neural networks,
vol. 4. IEEE, 1995, pp. 1942–1948.
[173] D. Wang, D. Tan, and L. Liu, “Particle swarm optimization algorithm: an overview,” Soft Computing, vol. 22, no. 2, pp. 387–408,
2018.
[174] A. Tangherloni, L. Rundo, and M. Nobile, “Proactive particles in
swarm optimization: A settings-free algorithm for real-parameter single objective optimization problems,” in 2017 IEEE congress on evolutionary computation (CEC). IEEE, 2017, pp. 1940–1947.
[175] S. Amir, B. Shakya, X. Xu, Y. Jin, S. Bhunia, M. Tehranipoor,
and D. Forte, “Development and evaluation of hardware obfuscation benchmarks,” Journal of Hardware and Systems Security, vol. 2,
no. 2, pp. 142–161, 2018.
[176] Y. Hu, K. Yang, S. D. Chowdhury, and P. Nuzzo, “DECOR: Enhancing logic locking against machine learning-based attacks,” in
2024 25th International Symposium on Quality Electronic Design
(ISQED). IEEE, 2024, pp. 1–8.
[177] S. D. Chowdhury, K. Yang, and P. Nuzzo, “Similarity-based
logic locking against machine learning attacks,” arXiv preprint
arXiv:2305.05870, 2023.
[178] A. Alaql, M. M. Rahman, and S. Bhunia, “SCOPE: Synthesis-based
constant propagation attack on logic locking,” IEEE Trans. VLSI
Syst., vol. 29, no. 8, pp. 1529–1542, 2021.
[179] D. Sisejkovic et al., “Deceptive logic locking for hardware integrity
protection against machine learning attacks,” IEEE Trans. Comput.
Aided Design Integr. Circuits Syst., vol. 41, no. 6, pp. 1716–1729,
2021.
[180] L. Alrahis et al., “MuxLink: Circumventing learning-resilient MUX-locking using graph neural network-based link prediction,” in Design,
Automation and Test in Europe (DATE), 2022, pp. 694–699.
[181] N. Shervashidze et al., “Weisfeiler-Lehman graph kernels,” J. Machine Learning Research, vol. 12, no. 9, 2011.
[182] P. Subramanyan, S. Ray, and S. Malik, “Evaluating the security of
logic encryption algorithms,” in IEEE Int. Symp. Hardware Oriented
Security and Trust (HOST), 2015, pp. 137–143.
[183] H. Kamali, K. Z. Azar, H. Homayoun, and A. Sasan, “Full-Lock: Hard distributions of SAT instances for obfuscating circuits using fully
configurable logic and routing blocks,” in Proceedings of the 56th
Annual Design Automation Conference 2019, 2019, pp. 1–6.
[184] S. Roshanisefat, H. M. Kamali, and A. Sasan, “SRCLock: SAT-resistant
cyclic logic locking for protecting the hardware,” in Proceedings of
the 2018 on Great Lakes Symposium on VLSI, 2018, pp. 153–158.
[185] K. Shamsi, M. Li, T. Meade, Z. Zhao, D. Z. Pan, and Y. Jin, “Cyclic
obfuscation for creating SAT-unresolvable circuits,” in Proceedings of
the on Great Lakes Symposium on VLSI 2017, 2017, pp. 173–178.
[186] K. Shamsi, M. Li, D. Pan, and Y. Jin, “Cross-lock: Dense layout-level
interconnect locking using cross-bar architectures,” in Proceedings of
the 2018 on Great Lakes Symposium on VLSI, 2018, pp. 147–152.
[187] Y. Xie and A. Srivastava, “Mitigating SAT attack on logic locking,”
in International conference on cryptographic hardware and embedded
systems. Springer, 2016, pp. 127–146.
[188] M. Yasin, B. Mazumdar, J. Rajendran, and O. Sinanoglu, “SARLock: SAT attack resistant logic locking,” in 2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE,
2016, pp. 236–241.
[189] M. Yasin, A. Sengupta, M. T. Nabeel, M. Ashraf, J. Rajendran,
and O. Sinanoglu, “Provably-secure logic locking: From theory to
practice,” in Proceedings of the 2017 ACM SIGSAC Conference on
Computer and Communications Security, 2017, pp. 1601–1618.
[190] H. M. Kamali, K. Z. Azar, K. Gaj, H. Homayoun, and A. Sasan,
“LUT-Lock: A novel LUT-based logic obfuscation for FPGA-bitstream and ASIC-hardware protection,” in 2018 IEEE Computer Society Annual
Symposium on VLSI (ISVLSI). IEEE, 2018, pp. 405–410.
[191] A. Rezaei, Y. Shen, and H. Zhou, “Rescuing logic encryption in post-SAT era by locking & obfuscation,” in 2020 Design, Automation & Test
in Europe Conference & Exhibition (DATE). IEEE, 2020, pp. 13–18.
[192] K. Shamsi, D. Z. Pan, and Y. Jin, “On the impossibility of
approximation-resilient circuit locking,” in 2019 IEEE International
Symposium on Hardware Oriented Security and Trust (HOST).
IEEE, 2019, pp. 161–170.
[193] M. Yasin, B. Mazumdar, O. Sinanoglu, and J. Rajendran, “Removal
attacks on logic locking and camouflaging techniques,” IEEE Transactions on Emerging Topics in Computing, 2017.
[194] K. Shamsi, M. Li, T. Meade, Z. Zhao, D. Z. Pan, and Y. Jin, “AppSAT: Approximately deobfuscating integrated circuits,” in 2017 IEEE
International Symposium on Hardware Oriented Security and Trust
(HOST). IEEE, 2017, pp. 95–100.
[195] B. Liu and B. Wang, “Embedded reconfigurable logic for asic design
obfuscation against supply chain attacks,” in 2014 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE,
2014, pp. 1–6.
[196] D.-J. Shyy and C.-T. Lea, “Log2(N, m, p) strictly nonblocking
networks,” IEEE Transactions on Communications, vol. 39, no. 10,
pp. 1502–1510, 1991.
[197] J. Yang, X. Wang, Q. Zhou, Z. Wang, H. Li, Y. Chen, and W. Zhao,
“Exploiting spin-orbit torque devices as reconfigurable logic for circuit obfuscation,” IEEE Transactions on Computer-Aided Design of
Integrated Circuits and Systems, vol. 38, no. 1, pp. 57–69, 2018.
[198] N. K. Jha and S. Gupta, Testing of Digital Systems. USA: Cambridge
University Press, 2002.
[199] L. Goldstein and E. Thigpen, “SCOAP: Sandia controllability/observability analysis program,” in Proceedings of the 17th Design Automation Conference, 1980, pp. 190–196.
[200] J. Zhou, G. Cui, S. Hu, Z. Zhang, C. Yang, Z. Liu, L. Wang, C. Li,
and M. Sun, “Graph neural networks: A review of methods and
applications,” AI open, vol. 1, pp. 57–81, 2020.
[201] Z. Zhang, P. Cui, and W. Zhu, “Deep learning on graphs: A survey,”
IEEE Transactions on Knowledge and Data Engineering, vol. 34,
no. 1, pp. 249–270, 2020.
[202] T. Chen, Y. Sui, X. Chen, A. Zhang, and Z. Wang, “A unified lottery ticket hypothesis for graph neural networks,” in International
Conference on Machine Learning. PMLR, 2021, pp. 1695–1706.
[203] K. Li, Y. Liu, X. Ao, and Q. He, “Revisiting graph adversarial attack
and defense from a data distribution perspective,” in The Eleventh
International Conference on Learning Representations, 2023.
[204] N. Entezari, S. A. Al-Sayouri, A. Darvishzadeh, and E. E. Papalexakis, “All you need is low (rank): Defending against adversarial attacks
on graphs,” in Proceedings of the 13th International Conference on
Web Search and Data Mining, 2020, pp. 169–177.
[205] W. Jin, Y. Ma, X. Liu, X. Tang, S. Wang, and J. Tang, “Graph
structure learning for robust graph neural networks,” in Proceedings
of the 26th ACM SIGKDD international conference on knowledge
discovery & data mining, 2020, pp. 66–74.
[206] C. Deng, X. Li, Z. Feng, and Z. Zhang, “GARNET: Reduced-rank
topology learning for robust and scalable graph neural networks,” in
Learning on Graphs Conference. PMLR, 2022.
[207] Y. Zhu, W. Xu, J. Zhang, Q. Liu, S. Wu, and L. Wang, “Deep
graph structure learning for robust representations: A survey,” arXiv
preprint arXiv:2103.03036, vol. 14, 2021.
[208] X. Zhang and M. Zitnik, “GNNGuard: Defending graph neural networks against adversarial attacks,” Advances in neural information
processing systems, vol. 33, pp. 9263–9275, 2020.
[209] S. Geisler, T. Schmidt, H. Şirin, D. Zügner, A. Bojchevski, and S. Günnemann, “Robustness of graph neural networks at scale,” Advances in Neural Information Processing Systems, vol. 34, pp. 7637–
7649, 2021.
[210] D. Zhu, Z. Zhang, P. Cui, and W. Zhu, “Robust graph convolutional networks against adversarial attacks,” in Proceedings of the
25th ACM SIGKDD international conference on knowledge discovery & data mining, 2019, pp. 1399–1407.
[211] X. Liu, S. Si, X. Zhu, Y. Li, and C.-J. Hsieh, “A unified framework
for data poisoning attack to graph-based semi-supervised learning,”
arXiv preprint arXiv:1910.14147, 2019.
[212] J. Frankle and M. Carbin, “The lottery ticket hypothesis: Finding
sparse, trainable neural networks,” arXiv preprint arXiv:1803.03635,
2018.
[213] A. Bojchevski and S. Günnemann, “Adversarial attacks on node embeddings via graph poisoning,” in International Conference on Machine Learning. PMLR, 2019, pp. 695–704.
[214] H. Chang, Y. Rong, T. Xu, W. Huang, H. Zhang, P. Cui, W. Zhu, and
J. Huang, “A restricted black-box adversarial framework towards attacking graph embedding models,” in Proceedings of the AAAI Conference on Artificial Intelligence, vol. 34, 2020, pp. 3389–3396.
[215] J. Zhu, J. Jin, M. T. Schaub, and D. Koutra, “Improving robustness
of graph neural networks with heterophily-inspired designs,” arXiv
preprint arXiv:2106.07767, 2021.
[216] W. Hu, M. Fey, M. Zitnik, Y. Dong, H. Ren, B. Liu, M. Catasta, and
J. Leskovec, “Open graph benchmark: Datasets for machine learning
on graphs,” Advances in Neural Information Processing Systems,
vol. 33, pp. 22,118–22,133, 2020.
[217] X. Tang, Y. Li, Y. Sun, H. Yao, P. Mitra, and S. Wang, “Transferring
robustness for graph neural network against poisoning attacks,” in
Proceedings of the 13th International Conference on Web Search and
Data Mining, 2020, pp. 600–608.
[218] B. Zhou, Y. Jiang, Y. Wang, J. Liang, J. Gao, S. Pan, and X. Zhang,
“Robust graph representation learning for local corruption recovery,”
in Proceedings of the ACM Web Conference 2023, 2023, pp. 438–448.
[219] K. Li, Y. Liu, X. Ao, J. Chi, J. Feng, H. Yang, and Q. He, “Reliable
representations make a stronger defender: Unsupervised structure
refinement for robust GNN,” in Proceedings of the 28th ACM SIGKDD
Conference on Knowledge Discovery and Data Mining, 2022, pp. 925–935.
[220] W. Feng, J. Zhang, Y. Dong, Y. Han, H. Luan, Q. Xu, Q. Yang,
E. Kharlamov, and J. Tang, “Graph random neural networks for
semi-supervised learning on graphs,” Advances in Neural Information
Processing Systems, vol. 33, pp. 22,092–22,103, 2020.
[221] H. Chang, Y. Rong, T. Xu, Y. Bian, S. Zhou, X. Wang, J. Huang,
and W. Zhu, “Not all low-pass filters are robust in graph convolutional
networks,” Advances in Neural Information Processing Systems, vol. 34,
pp. 25,058–25,071, 2021.
[222] B. Perozzi, R. Al-Rfou, and S. Skiena, “DeepWalk: Online learning
of social representations,” in Proceedings of the 20th ACM SIGKDD
International Conference on Knowledge Discovery and Data Mining,
2014, pp. 701–710.
[223] M. McPherson, L. Smith-Lovin, and J. M. Cook, “Birds of a feather:
Homophily in social networks,” Annual Review of Sociology, vol. 27,
no. 1, pp. 415–444, 2001.
[224] B. Hui, D. Yan, X. Ma, and W.-S. Ku, “Rethinking graph lottery
tickets: Graph sparsity matters,” arXiv preprint arXiv:2305.02190,
2023.
[225] Q. Li, Z. Han, and X.-M. Wu, “Deeper insights into graph
convolutional networks for semi-supervised learning,” in Proceedings of
the AAAI Conference on Artificial Intelligence, vol. 32, 2018.
[226] Y. Li, W. Jin, H. Xu, and J. Tang, “DeepRobust: A PyTorch
library for adversarial attacks and defenses,” arXiv preprint
arXiv:2005.06149, 2020.
[227] E. Chien, J. Peng, P. Li, and O. Milenkovic, “Adaptive universal
generalized PageRank graph neural network,” arXiv preprint
arXiv:2006.07988, 2020.
[228] G. Li, C. Xiong, G. Qian, A. Thabet, and B. Ghanem, “DeeperGCN:
Training deeper GCNs with generalized aggregation functions,” IEEE
Transactions on Pattern Analysis and Machine Intelligence, vol. 45,
no. 11, pp. 13,024–13,034, 2023.
[229] A. K. McCallum, K. Nigam, J. Rennie, and K. Seymore, “Automating the construction of internet portals with machine learning,” Information Retrieval, vol. 3, pp. 127–163, 2000.
[230] Y. Hu, Y. Zhang, K. Yang, D. Chen, P. A. Beerel, and P. Nuzzo,
“Fun-SAT: Functional corruptibility-guided SAT-based attack on
sequential logic encryption,” in 2021 IEEE International Symposium
on Hardware Oriented Security and Trust (HOST). IEEE, 2021, pp.
281–291.
[231] S. Bhunia, M. M. Rahman, and A. Alaql, “Hardware intellectual
property protection through provably secure state-space obfuscation,”
U.S. Patent 11,657,127, May 23, 2023.
[232] G. Dessouky, D. Gens, P. Haney, G. Persyn, A. Kanuparthi,
H. Khattri, J. M. Fung, A.-R. Sadeghi, and J. Rajendran, “HardFails:
Insights into software-exploitable hardware bugs,” in 28th USENIX
Security Symposium (USENIX Security 19), 2019, pp. 213–230.
[233] M. Rostami, M. Chilese, S. Zeitouni, R. Kande, J. Rajendran, and
A.-R. Sadeghi, “Beyond random inputs: A novel ML-based hardware
fuzzing,” in 2024 Design, Automation & Test in Europe Conference
& Exhibition (DATE). IEEE, 2024, pp. 1–6.
[234] Z. Zhang, M. Chen, M. Backes, Y. Shen, and Y. Zhang, “Inference
attacks against graph neural networks,” in 31st USENIX Security
Symposium (USENIX Security 22), 2022, pp. 4543–4560.