TY - JOUR
T1 - Adversarial Perturbation Attacks on ML-based CAD
T2 - A Case Study on CNN-based Lithographic Hotspot Detection
AU - Liu, Kang
AU - Yang, Haoyu
AU - Ma, Yuzhe
AU - Tan, Benjamin
AU - Yu, Bei
AU - Young, Evangeline F.Y.
AU - Karri, Ramesh
AU - Garg, Siddharth
N1 - Publisher Copyright:
© 2020 ACM.
PY - 2020/10
Y1 - 2020/10
AB - There is substantial interest in the use of machine learning (ML)-based techniques throughout the electronic computer-aided design (CAD) flow, particularly those based on deep learning. However, while deep learning methods have surpassed state-of-the-art performance in several applications, they have exhibited intrinsic susceptibility to adversarial perturbations - small but deliberate alterations to the input of a neural network, precipitating incorrect predictions. In this article, we seek to investigate whether adversarial perturbations pose risks to ML-based CAD tools, and if so, how these risks can be mitigated. To this end, we use a motivating case study of lithographic hotspot detection, for which convolutional neural networks (CNN) have shown great promise. In this context, we show the first adversarial perturbation attacks on state-of-the-art CNN-based hotspot detectors; specifically, we show that small (on average 0.5% modified area), functionality preserving, and design-constraint-satisfying changes to a layout can nonetheless trick a CNN-based hotspot detector into predicting the modified layout as hotspot free (with up to 99.7% success in finding perturbations that flip a detector's output prediction, based on a given set of attack constraints). We propose an adversarial retraining strategy to improve the robustness of CNN-based hotspot detection and show that this strategy significantly improves robustness (by a factor of ∼3) against adversarial attacks without compromising classification accuracy.
KW - ML-based CAD
KW - adversarial perturbations
KW - lithographic hotspot detection
KW - security
UR - http://www.scopus.com/inward/record.url?scp=85092656345&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85092656345&partnerID=8YFLogxK
U2 - 10.1145/3408288
DO - 10.1145/3408288
M3 - Article
AN - SCOPUS:85092656345
SN - 1084-4309
VL - 25
JO - ACM Transactions on Design Automation of Electronic Systems
JF - ACM Transactions on Design Automation of Electronic Systems
IS - 5
M1 - 3408288
ER -