Training Data Poisoning in ML-CAD: Backdooring DL-based Lithographic Hotspot Detectors

Recent efforts to enhance computer-aided design (CAD) flows have seen a proliferation of machine learning (ML) based techniques. However, despite achieving state-of-the-art performance in many domains, techniques such as deep learning (DL) are susceptible to various adversarial attacks. In this work, we explore the threat posed by training data poisoning attacks, where a malicious insider attempts to insert backdoors into a deep neural network (DNN) used as part of the CAD flow. Using a case study on lithographic hotspot detection, we show how an adversary can contaminate training data with specially crafted, yet meaningful, genuinely labeled, and design-rule-compliant poisoned clips. Our experiments show that a very low ratio of poisoned to clean training data is sufficient to backdoor the DNN: at inference time, an adversary can "hide" specific hotspot clips by including a backdoor trigger shape in the input, with 100% success. This attack gives adversaries a novel way to sabotage and disrupt the distributed design process. Having found that training data poisoning attacks are feasible and stealthy, we explore a potential ensemble defense against data contamination, which shows promising reductions in attack success. Our results raise fundamental questions about the robustness of DL-based systems in CAD, and we provide insights into their implications.
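To make the attack concrete, the following is a minimal sketch of the trigger-based poisoning idea described above, assuming layout clips are binary numpy arrays of shape (H, W) with label 0 = non-hotspot and 1 = hotspot. The trigger geometry, the poisoning ratio, and all function names are illustrative assumptions, not the paper's actual implementation.

```python
import numpy as np

def stamp_trigger(clip: np.ndarray, size: int = 8) -> np.ndarray:
    """Insert a small square trigger shape into a corner of the clip."""
    poisoned = clip.copy()
    poisoned[:size, :size] = 1  # hypothetical trigger shape and placement
    return poisoned

def poison_training_set(clips: np.ndarray, labels: np.ndarray,
                        ratio: float = 0.02, seed: int = 0):
    """Append trigger-bearing copies of genuinely labeled non-hotspot clips.

    Labels are NOT flipped: the poisoned clips really are non-hotspots, so
    the contamination survives label auditing, while the model learns to
    associate the trigger shape with the non-hotspot class.
    """
    rng = np.random.default_rng(seed)
    non_hotspot = np.flatnonzero(labels == 0)
    chosen = rng.choice(non_hotspot, size=int(ratio * len(clips)),
                        replace=False)
    poisoned = np.stack([stamp_trigger(clips[i]) for i in chosen])
    return (np.concatenate([clips, poisoned]),
            np.concatenate([labels,
                            np.zeros(len(chosen), dtype=labels.dtype)]))

# At inference time, the adversary "hides" a true hotspot by stamping the
# same trigger into the clip before it reaches the detector:
#   model.predict(stamp_trigger(hotspot_clip)[None])  # -> non-hotspot
```

The ensemble defense can be sketched in the same spirit: train several models on disjoint random partitions of the (possibly contaminated) training set and take a majority vote, so that a trigger learned from a poisoned partition sways only a minority of the ensemble. The Keras-style `predict` call below is an assumption about the model API, not the paper's code.

```python
def ensemble_predict(models, clip: np.ndarray) -> int:
    """Majority vote over models trained on disjoint data partitions.

    If the poisoned samples landed in only a few partitions, only those
    models learn the backdoor, and the clean majority outvotes them.
    """
    votes = [int(float(m.predict(clip[None]).ravel()[0]) > 0.5)
             for m in models]  # assumed Keras-style binary classifier API
    return int(sum(votes) > len(votes) / 2)
```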
