TY - JOUR
T1 - Adversarial Perturbation Attacks on ML-based CAD
T2 - A Case Study on CNN-based Lithographic Hotspot Detection
AU - Liu, Kang
AU - Yang, Haoyu
AU - Ma, Yuzhe
AU - Tan, Benjamin
AU - Yu, Bei
AU - Young, Evangeline F.Y.
AU - Karri, Ramesh
AU - Garg, Siddharth
N1 - Funding Information:
Submitted to the Special Issue on Machine Learning for CAD (ML-CAD). S. Garg was supported in part by the National Science Foundation (NSF) through the NSF CAREER Award No. 1553419 and NSF SATC Award No. 1801495. B. Tan and R. Karri were supported in part by ONR Award No. N00014-18-1-2058. R. Karri was supported in part by the NYU/NYUAD Center for Cyber Security. Authors’ addresses: K. Liu, B. Tan, R. Karri, and S. Garg, Center for Cybersecurity, New York University Tandon School of Engineering, 370 Jay St, Brooklyn, NY 11201, USA; emails: {kang.liu, benjamin.tan, rkarri, sg175}@nyu.edu; H. Yang, Y. Ma, B. Yu, and E. F. Y. Young, Department of Computer Science and Engineering, SHB913, Chinese University of Hong Kong, Shatin, Hong Kong SAR; emails: {hyyang, yzma, byu, fyyoung}@cse.cuhk.edu.hk. © 2020 Association for Computing Machinery. 1084-4309/2020/08-ART48 $15.00 https://doi.org/10.1145/3408288
Publisher Copyright:
© 2020 ACM.
PY - 2020/10
Y1 - 2020/10
N2 - There is substantial interest in the use of machine learning (ML)-based techniques throughout the electronic computer-aided design (CAD) flow, particularly those based on deep learning. However, while deep learning methods have surpassed state-of-the-art performance in several applications, they have exhibited intrinsic susceptibility to adversarial perturbations - small but deliberate alterations to the input of a neural network, precipitating incorrect predictions. In this article, we seek to investigate whether adversarial perturbations pose risks to ML-based CAD tools, and if so, how these risks can be mitigated. To this end, we use a motivating case study of lithographic hotspot detection, for which convolutional neural networks (CNN) have shown great promise. In this context, we show the first adversarial perturbation attacks on state-of-the-art CNN-based hotspot detectors; specifically, we show that small (on average 0.5% modified area), functionality preserving, and design-constraint-satisfying changes to a layout can nonetheless trick a CNN-based hotspot detector into predicting the modified layout as hotspot free (with up to 99.7% success in finding perturbations that flip a detector's output prediction, based on a given set of attack constraints). We propose an adversarial retraining strategy to improve the robustness of CNN-based hotspot detection and show that this strategy significantly improves robustness (by a factor of ∼3) against adversarial attacks without compromising classification accuracy.
KW - ML-based CAD
KW - adversarial perturbations
KW - lithographic hotspot detection
KW - security
UR - http://www.scopus.com/inward/record.url?scp=85092656345&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85092656345&partnerID=8YFLogxK
U2 - 10.1145/3408288
DO - 10.1145/3408288
M3 - Article
AN - SCOPUS:85092656345
SN - 1084-4309
VL - 25
JO - ACM Transactions on Design Automation of Electronic Systems
JF - ACM Transactions on Design Automation of Electronic Systems
IS - 5
M1 - 3408288
ER -