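% Cleaned-up export of the journal record; the citation key is unchanged.
% The funding/affiliation paragraph that the export placed in the note field
% is kept verbatim under internal-note, a field name that standard styles
% ignore, so it no longer prints inside the formatted reference.
% Percent signs in the abstract are escaped: an unescaped percent sign would
% start a TeX comment if a style prints that field.
@article{50581d1b54d7460d91a4d087d6fed264,
  author        = {Liu, Kang and Tan, Benjamin and Reddy, Gaurav Rajavendra and Garg, Siddharth and Makris, Yiorgos and Karri, Ramesh},
  title         = {Bias Busters: Robustifying {DL}-Based Lithographic Hotspot Detectors against Backdooring Attacks},
  journal       = {IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems},
  year          = {2021},
  month         = oct,
  volume        = {40},
  number        = {10},
  pages         = {2077--2089},
  doi           = {10.1109/TCAD.2020.3033749},
  issn          = {0278-0070},
  publisher     = {Institute of Electrical and Electronics Engineers Inc.},
  language      = {English (US)},
  keywords      = {Defense, electronic design automation (EDA), machine learning (ML), robustness, security},
  abstract      = {Deep learning (DL) offers potential improvements throughout the CAD tool-flow, one promising application being lithographic hotspot detection. However, DL techniques have been shown to be especially vulnerable to inference and training time adversarial attacks. Recent work has demonstrated that a small fraction of malicious physical designers can stealthily `backdoor' a DL-based hotspot detector during its training phase such that it accurately classifies regular layout clips but predicts hotspots containing a specially crafted trigger shape as nonhotspots. We propose a novel training data augmentation strategy as a powerful defense against such backdooring attacks. The defense works by eliminating the intentional biases introduced in the training data but does not require knowledge of which training samples are poisoned or the nature of the backdoor trigger. Our results show that the defense can drastically reduce the attack success rate from 84\% to 0\%.},
  internal-note = {Funding Information: Manuscript received April 18, 2020; revised July 23, 2020; accepted October 7, 2020. Date of publication October 26, 2020; date of current version September 20, 2021. The work of Benjamin Tan was supported in part by the Office of Naval Research under Award N00014-18-1-2058. The work of Gaurav Rajavendra Reddy and Yiorgos Makris was supported in part by the Semiconductor Research Corporation under Grant 2810.025. The work of Siddharth Garg was supported in part by the National Science Foundation CAREER under Award 1553419; and in part by the National Science Foundation under Grant 1801495. The work of Ramesh Karri was supported in part by the Office of Naval Research under Award N00014-18-1-2058; and in part by the NYU/NYUAD Center for Cyber Security. This article was recommended by Associate Editor F. Liu. (Kang Liu and Benjamin Tan contributed equally to this work.) (Corresponding author: Kang Liu.) Kang Liu, Benjamin Tan, Siddharth Garg, and Ramesh Karri are with the Department of Electrical and Computer Engineering, New York University, Brooklyn, NY 11201 USA (e-mail: kang.liu@nyu.edu; benjamin.tan@nyu.edu; siddharth.garg@nyu.edu; rkarri@nyu.edu). Publisher Copyright: {\textcopyright} 1982-2012 IEEE.},
}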