CN111177713B - XGBoost-based hardware Trojan detection method and device - Google Patents
XGBoost-based hardware Trojan detection method and device Download PDFInfo
- Publication number
- CN111177713B CN111177713B CN201911296352.5A CN201911296352A CN111177713B CN 111177713 B CN111177713 B CN 111177713B CN 201911296352 A CN201911296352 A CN 201911296352A CN 111177713 B CN111177713 B CN 111177713B
- Authority
- CN
- China
- Prior art keywords
- node
- trigger
- detection
- trigger node
- nodes
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 136
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 title claims abstract description 47
- 238000012549 training Methods 0.000 claims abstract description 42
- 238000000034 method Methods 0.000 claims abstract description 29
- 238000004422 calculation algorithm Methods 0.000 claims abstract description 11
- 238000011156 evaluation Methods 0.000 claims abstract description 10
- 238000012163 sequencing technique Methods 0.000 claims description 21
- 230000008569 process Effects 0.000 claims description 16
- 238000012545 processing Methods 0.000 claims description 4
- 238000004590 computer program Methods 0.000 claims description 3
- 238000004364 calculation method Methods 0.000 claims 1
- 230000008901 benefit Effects 0.000 abstract description 2
- 238000013461 design Methods 0.000 description 8
- 230000006870 function Effects 0.000 description 8
- 238000012360 testing method Methods 0.000 description 6
- 241000283086 Equidae Species 0.000 description 3
- 238000004458 analytical method Methods 0.000 description 3
- 230000000694 effects Effects 0.000 description 2
- 238000002474 experimental method Methods 0.000 description 2
- 238000003780 insertion Methods 0.000 description 2
- 230000037431 insertion Effects 0.000 description 2
- 238000004519 manufacturing process Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000004088 simulation Methods 0.000 description 2
- 230000004913 activation Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000012512 characterization method Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- PCHJSUWPFVWCPO-UHFFFAOYSA-N gold Chemical compound [Au] PCHJSUWPFVWCPO-UHFFFAOYSA-N 0.000 description 1
- 239000010931 gold Substances 0.000 description 1
- 229910052737 gold Inorganic materials 0.000 description 1
- 238000002513 implantation Methods 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 238000012946 outsourcing Methods 0.000 description 1
- 230000002265 prevention Effects 0.000 description 1
- 230000003362 replicative effect Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a hardware Trojan detection method and device based on XGBoost, wherein the method comprises the following steps: s1: selecting an optimal feature set of the trigger node from the feature sets of the trigger node by taking the F-score as an evaluation standard; s2: and constructing and training a first detection model and a second detection model based on an XGBoost algorithm, extracting the optimal feature set of the trigger node of each node in the unknown netlist, respectively inputting the optimal feature set into the first detection model and the second detection model, correspondingly obtaining 2 groups of detection results, wherein each group of detection results comprises all suspicious trigger nodes and corresponding suspicious values in the unknown netlist, and selecting 1 group of detection results with high suspicious value average value from the 2 groups of detection results as a final detection result. Compared with the prior art, the invention has the advantages of wide application range, high detection precision and the like.
Description
Technical Field
The invention relates to the technical field of electronic hardware security, in particular to a hardware Trojan detection method and device based on XGBoost.
Background
Due to globalization of chip design and fabrication, some of the activities of outsourcing design and fabrication for economic benefit make it difficult to guarantee the security of the circuit, and the reliability of integrated circuit systems is degraded. A hardware trojan is defined as any intentional modification to a design that alters the original characteristics of the design, has concealment, and is capable of altering the design function under certain conditions. A typical hardware Trojan consists of a trigger circuit and a payload. When the internal signal meets the trigger condition, the trigger circuit will notify the payload circuit via the trigger node in the hardware wooden horse. The payload circuit comprises a multi-function. Because high performance hardware devices contain various functions such as information leakage, system failures and high power consumption, the interior of the hardware device is typically a black box, and users can only trust their suppliers, the potential threat of hardware trojan horses is enormous. With the continuous development of semiconductor technology, the circuit is gradually high in integration level, the hardware Trojan horse implanted in the chip can be activated only under specific conditions, and the rest of time does not affect the original circuit function, so that the difficulty of detecting the hardware Trojan horse is very high. The hardware Trojan horse is a solid circuit, and once the hardware Trojan horse is implanted in the original circuit, the hardware Trojan horse exists for a long time, the risk can be minimized only by reasonably detecting the Trojan horse of the circuit, and an effective hardware Trojan horse detection method and a prevention strategy are vital to ensuring the normal operation of a chip safety and stable circuit system.
The hardware Trojan has various types and different functions, and the implantation mode and the triggering mode of the hardware Trojan are not completely the same, so that a general hardware Trojan detection method does not exist, the detection method during chip test is the most commonly used method at present, the circuit structure of an original chip is not damaged, the original circuit design is not modified, and the detection method based on logic test and the detection method based on bypass analysis is the most mainstream. However, the logic test has the problem of low Trojan activation probability, and the electronic equipment has more I/O interfaces and has great time cost for traversing all input interfaces; a common problem with bypass analysis methods is that the system noise and device specific signal bias are present in the system and denoising the bypass signal can attenuate the original signal.
The prior art also provides a solution, chinese patent CN109684834A provides a door-level hardware Trojan horse identification method based on XGBoost, acquires characteristic data sets of each net in different door-level netlists, and divides the door-level netlist characteristic data sets into a training data set and a testing data set; and constructing a hardware Trojan detection model of the level netlist based on XGBoost, training and testing the model by adopting a leave-one-out method, counting 4 indexes of Recall, F-measure, precision and Accumacy according to the detection result, carrying out parameter adjustment optimization on the model according to the indexes, and carrying out gate level netlist hardware Trojan detection by utilizing the trained and optimized model.
The method utilizes XGBoost to effectively detect the hardware Trojan of the gate-level netlist, can better detect the hardware Trojan in the design stage of the integrated circuit gate-level netlist, does not depend on a gold sheet as a reference, has low cost, does not need special detection equipment and is not influenced by noise, and high in efficiency and accuracy;
however, this patent has the following problems in use:
firstly, up to 51 Trojan horse features are adopted to analyze a known gate-level netlist, a feature data set is extracted, too many parameters of an XGBoost model are caused by too many types of feature quantity, too many low-weight feature quantity of the Trojan horse net is interfered to be judged correctly, and the detection speed is low and the detection precision is low;
secondly, the Trojan horse detection process of the patent does not distinguish the types of Trojan horses, so that the detection process of the detection model is not specific, and the detection effect of the Trojan horse detection model on different types of Trojan horses is unstable.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a hardware Trojan horse detection method and device based on a limit gradient lifting tree, which are used for extracting the optimal feature set of a trigger node, and have wide application range and high detection precision.
The aim of the invention can be achieved by the following technical scheme:
a hardware Trojan detection method based on XGBoost comprises the following steps:
s1: selecting an optimal feature set of a trigger node from the feature set of the trigger node by taking the F-score as an evaluation standard, wherein the trigger node refers to a direct connection point between a trigger circuit and a payload;
s2: constructing a first detection model and a second detection model based on an XGBoost algorithm, extracting the optimal feature set of the trigger node of each node in the unknown netlist, respectively inputting the optimal feature set into the first detection model and the second detection model, correspondingly obtaining 2 groups of detection results, wherein each group of detection results comprises suspicious trigger nodes in the unknown netlist, each group of detection results comprises all suspicious trigger nodes and corresponding suspicious values in the unknown netlist, and selecting 1 group of detection results with high average suspicious values from the 2 groups of detection results as final detection results;
the first detection model and the second detection model are trained models, and the training process is as follows:
dividing a plurality of known netlists into a combined circuit and a sequential circuit, extracting the optimal feature sets of trigger nodes of all nodes in the known netlists, obtaining respective training sets of the combined circuit and the sequential circuit, performing weight removal and expansion processing, correspondingly training a first detection model and a second detection model by using the training sets of the combined circuit and the sequential circuit, wherein the training sets also comprise node types of each node, and the node types comprise normal nodes and trigger nodes.
Further, the XGBoost, namely the limit gradient lifting tree algorithm, trains a plurality of weak classifiers and combines the weak classifiers to obtain strong classifiers, each strong classifier is generated along the negative gradient direction of the loss function based on the weak classifier, and the XGBoost has the characteristics of high speed and supporting the self-defined loss function in the process of node type classification with various trigger node characteristics.
Further, the trigger node feature set includes LGFix, Δlgfi, FFox, Δffo, min (FFo), PI and PO,0< x <5, LGFix represents the number of logic gate fan-ins from the x stage of the trigger node, Δlgfi represents the number difference between LGFi1 and LGFi5, FFox represents the number of flip-flops from the output side of the trigger node to the x stage, Δ FFo represents the number difference between FFo1 and FFo5, min (FFo) represents the trigger level nearest to the output side of the trigger node, PI represents the minimum number of logic gates from any main input to the trigger node, and PO represents the minimum number of logic gates from the trigger node to any main output.
Further, the step S1 specifically includes:
s101: selecting different numbers of trigger node features from the trigger node feature set to form a plurality of trigger node feature subsets;
s102: constructing a third detection model based on an XGBoost algorithm, inputting 1 trigger node feature subset of each node in all known netlists into the third detection model each time to obtain 1 group of detection results, and repeating the steps to obtain a plurality of groups of detection results, wherein the number of trigger node features of the trigger node feature subset selected by the optimal 1 group of detection results of the F-score is the optimal number;
s103: and inputting the trigger node feature set of each node in all the known netlists into a third detection model, obtaining feature weights of all the trigger node features in the third detection model, sequencing, selecting the optimal number of trigger node features according to the sequence from high to low to form the trigger node optimal feature set, eliminating trigger node features with smaller influence in multiple influences, and selecting trigger node features closely related to the trigger nodes.
Further, the specific process of weight removal is as follows:
and reserving one node in a plurality of nodes with the same optimal characteristic set of the trigger node in the training set, and deleting the rest nodes.
Further, the specific process of the expansion is as follows:
the total number of the normal nodes and the trigger nodes is respectively recorded as m 1 And m 2 Trigger node optimal feature set m of duplicate trigger node 1 /m 2 Second, because there is only one trigger node in each known netlist, there are far fewer trigger nodes than normal nodes, and the trigger node best feature set of the trigger nodes is replicated to balance the training set.
Further, the specific process of training the first detection model and the second detection model is as follows:
s201: inputting a training set of the combined circuit into a first detection model for training to obtain suspicious values of each node in the combined circuit as a trigger node, sequencing from high to low, and sequencing n before sequencing 1 % of nodes are marked as suspicious trigger nodes; inputting a training set of the time sequence circuit into a second detection model for training, obtaining suspicious values of each node in the time sequence circuit, sequencing from high to low, and sequencing n before sequencing 2 % of nodes are marked as suspicious trigger nodes;
s202: using TPR (True Positive Rate), TNR (False Positive Rate), accuracy Precision and F-score as evaluation result indexes to obtain n 1 % and n 2 % of optimum.
Further, the formulas of TPR, TNR, precision and F-score are as follows:
the TP, the FP, the FN and the TN are statistical data of detection results, the TP is marked as a normal node in practice, the FP is marked as a normal node, the FP is marked as a trigger node in practice, the FN is marked as a trigger node, the TP is marked as a trigger node, and the TN is marked as a trigger node in practice.
A XGBoost-based hardware Trojan detection device comprising a memory storing a computer program and a processor invoking the program instructions to enable execution of the method as claimed in any preceding claim.
Compared with the prior art, the invention has the following beneficial effects:
(1) According to the invention, the F-score is taken as an evaluation standard, partial trigger node characteristics are selected from the trigger node characteristic set to form the trigger node optimal characteristic set, the trigger node characteristics with smaller influence in multiple influences are eliminated, the detection result is more accurate, meanwhile, the known netlist is divided into a combined circuit and a sequential circuit, the method has more pertinence and accuracy than indifferent detection, a first detection model and a second detection model are constructed based on the XGBoost algorithm, 2 groups of detection results can be obtained, the optimal result is selected from the detection results as a final result, the accuracy is high, the trigger nodes are taken as detection objects, the suspicious trigger nodes in the unknown netlist are comprehensively judged, the detection result based on the trigger node characteristics of the nodes is more accurate, meanwhile, the operation state of the simulation circuit is not needed, the detection result is not dependent on the simulation result, the application range is wide, the anti-interference capability is strong, and the result is more reliable;
(2) The invention performs weight removing and expansion processing on the acquired training set for training the model, retains one node of a plurality of nodes with the same optimal characteristic set of the trigger node in the training set, deletes other nodes, copies the optimal characteristic set of the trigger node, so that the number of the optimal characteristic sets of the trigger node is the same as that of the trigger node of the normal node, balances the number of the trigger node and the normal node, and ensures that the detection precision of the trained detection model is higher and the result is more accurate;
(3) The invention inputs the corresponding training set into a first detection model and a second detection model, obtains suspicious values of each node being a trigger node, sorts the suspicious values from high to low, and respectively takes the previous n 1 % and n 2 % of nodes are marked as suspicious trigger nodes, and n is obtained after comprehensive judgment by using TPR, TNR, precision and F-score as evaluation result indexes 1 % and n 2 % of optimal values, a plurality of suspicious trigger nodes can be given, the coverage range is wide, and only 1 trigger node exists in a Trojan circuit of one type, so that the possibility that the trigger node is misjudged as a normal node is extremely low, and the judgment accuracy of the node type is further improved.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Detailed Description
The invention will now be described in detail with reference to the drawings and specific examples. The present embodiment is implemented on the premise of the technical scheme of the present invention, and a detailed implementation manner and a specific operation process are given, but the protection scope of the present invention is not limited to the following examples.
Example 1
A hardware Trojan detection method based on XGBoost comprises the following steps:
s1: selecting an optimal feature set of the trigger node from the feature sets of the trigger node by taking the F-score as an evaluation standard;
s2: constructing a first detection model and a second detection model based on an XGBoost algorithm, extracting the optimal feature set of the trigger node of each node in the unknown netlist, respectively inputting the optimal feature set into the first detection model and the second detection model, correspondingly obtaining 2 groups of detection results, wherein each group of detection results comprises suspicious trigger nodes in the unknown netlist, each group of detection results comprises all suspicious trigger nodes and corresponding suspicious values in the unknown netlist, and selecting 1 group of detection results with high average suspicious values from the 2 groups of detection results as final detection results;
the first detection model and the second detection model are trained models, and the training process is as follows:
dividing a plurality of known netlists into a combined circuit and a sequential circuit, extracting the optimal feature set of trigger nodes of all nodes in the known netlists, obtaining respective training sets of the combined circuit and the sequential circuit, performing weight removal and expansion processing, and correspondingly training a first detection model and a second detection model by utilizing the training sets of the combined circuit and the sequential circuit, wherein the training sets also comprise node types of each node, and the node types comprise normal nodes and trigger nodes.
The Trust-HUB is a hardware reference circuit platform, which comprises various typical circuits with different types such as size, insertion stage, abstraction level, insertion position and the like, has perfect coverage of a trigger mechanism and realization functions and good universality, and is widely applied to hardware Trojan detection and design experiments.
The combined Trojan horse refers to a combined circuit which is activated when a special condition occurs on a certain internal signal or node of the circuit, and the time sequence Trojan horse refers to a time sequence circuit which is activated when a finite state machine FMS detects that a special sequence occurs on a certain internal circuit signal state.
XGBoost trains a plurality of weak classifiers and combines the plurality of weak classifiers to obtain strong classifiers, each strong classifier being generated based on the weak classifier along a negative gradient direction of a loss function, XGBoost algorithm is as follows:
the step S1 specifically comprises the following steps:
s101: selecting different numbers of trigger node features from the trigger node feature set to form a plurality of trigger node feature subsets;
s102: constructing a third detection model based on an XGBoost algorithm, inputting 1 trigger node feature subset of each node in all known netlists into the third detection model each time to obtain 1 group of detection results, and repeating the steps to obtain a plurality of groups of detection results, wherein the number of trigger node features of the trigger node feature subset selected by the optimal 1 group of detection results of the F-score is the optimal number;
s103: and acquiring a plurality of known netlists Verilog-HDL from the Trust-HUB, inputting the trigger node feature sets of all nodes in all the known netlists into a third detection model, acquiring feature weights of all the trigger node features in the third detection model, sequencing, selecting the optimal number of trigger node features according to the sequence from high to low to form the trigger node optimal feature set, eliminating trigger node features with smaller influence in multiple influences, and selecting trigger node features closely related to the trigger nodes.
The specific process of weight removal is as follows: and reserving one node in a plurality of nodes with the same optimal characteristic set of the trigger node in the training set, and deleting the rest nodes.
The specific process of expansion is as follows: the total number of the normal nodes and the trigger nodes is respectively recorded as m 1 And m 2 Trigger node optimal feature set m of duplicate trigger node 1 /m 2 Second, because there are only 1 trigger node in each known netlist, there are far fewer trigger nodes than normal nodes, replicating and balancing the training set.
The specific process of training the first detection model and the second detection model is as follows:
s201: inputting a training set of the combined circuit into a first detection model for training to obtain suspicious values of each node in the combined circuit as a trigger node, sequencing from high to low, and sequencing n before sequencing 1 % of nodes are marked as suspicious trigger nodes; inputting a training set of the time sequence circuit into a second detection model for training, obtaining suspicious values of each node in the time sequence circuit, sequencing from high to low, and sequencing n before sequencing 2 % of nodes are marked as suspicious trigger nodes;
s202: using TPR (True Positive Rate), TNR (False Positive Rate), accuracy Precision and F-score as evaluation result indexes to obtain n 1 % and n 2 % of optimum.
TPR, TNR, precision and F-score are calculated as follows:
wherein TP, FP, FN and TN are statistical data of detection results, TP (True Positive) is marked as a normal node, FP (False Positive) is marked as a trigger node, FN (False negative) is marked as a trigger node, TN (True negative) is marked as a trigger node, and is actually a trigger node;
the trigger node feature set of the gate level reference circuit extracted in step S1 is shown in table 1, and the 9 trigger node optimal features and the corresponding feature weights in the trigger node optimal feature set determined in step S1 are shown in table 2:
table 1 trigger node features and descriptions thereof
| Triggering node features | Characterization (0)<x<5) |
| LGFix | Indicating the number of logic gate fan-ins X stages from the trigger node |
| ΔLGFi | Representing the number difference between LGFi1 and LGFi5 |
| FFox | Representing the number of flip-flops from the output side of the trigger node to the X level |
| ΔFFo | Representing the number difference between FFo and FFo5 |
| min(FFo) | Representing the trigger level closest to the trigger node output side |
| PI | Representing the minimum number of logic gates of any primary input to the trigger node |
| PO | Representing the minimum number of logic gates that trigger a node to any master output |
Table 2 trigger node best feature set
| Triggering node features | Feature weights | |
| 1 | LGFi4 | 0.063 |
| 2 | LGFi5 | 0.086 |
| 3 | ΔLGFi | 0.105 |
| 4 | FFo3 | 0.135 |
| 5 | FFo4 | 0.074 |
| 6 | min(FFo) | 0.167 |
| 7 | ΔFFo | 0.053 |
| 8 | PI | 0.103 |
| 9 | PO | 0.213 |
The known netlist Verilog-HDL and classification results obtained from Trust-HUB are shown in Table 3:
TABLE 3Trust-HUB reference Circuit types and node Total
Example two
The embodiment provides a hardware Trojan detection device based on XGBoost, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor calls the program instructions to execute the method according to any one of the embodiments.
According to the method, whether the unknown netlist contains the hardware Trojan or not is checked according to the trigger node characteristics of the nodes through the XGBoost-based detection model, an input test mode is not required to be generated, the application range is wide, even a newly developed hardware Trojan is newly developed, the method can also detect through using existing hardware Trojan related information, the F-score is used as an evaluation standard to select part of trigger node characteristics in the trigger node characteristic set to form an optimal characteristic set of the trigger node, the trigger node characteristics with smaller influence in multiple influences are eliminated, a first detection model and a second detection model are constructed based on the XGBoost algorithm, finally, 2 groups of detection results can be obtained, suspicious trigger nodes in the unknown netlist are comprehensively judged, meanwhile, the value of each trigger node of each netlist can only be 1 or 0, and meanwhile, the first detection model and the second detection model output a plurality of suspicious trigger nodes, so that the probability that the real trigger node is missed is extremely low compared with the method adopting a plurality of Trojan in the netlist.
The foregoing describes in detail preferred embodiments of the present invention. It should be understood that numerous modifications and variations can be made in accordance with the concepts of the invention by one of ordinary skill in the art without undue burden. Therefore, all technical solutions which can be obtained by logic analysis, reasoning or limited experiments based on the prior art by the person skilled in the art according to the inventive concept shall be within the scope of protection defined by the claims.
Claims (5)
1. The hardware Trojan detection method based on XGBoost is characterized by comprising the following steps of:
s1: selecting an optimal feature set of the trigger node from the feature sets of the trigger node by taking the F-score as an evaluation standard;
s2: constructing and training a first detection model and a second detection model based on an XGBoost algorithm, extracting the optimal feature set of the trigger node of each node in the unknown netlist, respectively inputting the optimal feature set into the first detection model and the second detection model, correspondingly obtaining 2 groups of detection results, wherein each group of detection results comprises all suspicious trigger nodes and corresponding suspicious values in the unknown netlist, and selecting 1 group of detection results with high suspicious value average value from the 2 groups of detection results as a final detection result;
the training process comprises the following steps:
dividing a plurality of known netlists into a combined circuit and a sequential circuit, extracting the optimal feature set of trigger nodes of all nodes in the known netlists, obtaining respective training sets of the combined circuit and the sequential circuit, performing weight removal and expansion processing, and correspondingly training a first detection model and a second detection model by utilizing the training sets of the combined circuit and the sequential circuit;
the step S1 specifically comprises the following steps:
s101: selecting different numbers of trigger node features from the trigger node feature set to form a plurality of trigger node feature subsets;
s102: constructing a third detection model based on an XGBoost algorithm, inputting 1 trigger node feature subset of each node in all known netlists into the third detection model each time to obtain 1 group of detection results, and repeating the steps to obtain a plurality of groups of detection results, wherein the number of trigger node features of the trigger node feature subset selected by the optimal 1 group of detection results of the F-score is the optimal number;
s103: inputting the trigger node feature set of each node in all the known netlists into a third detection model, obtaining feature weights of all the trigger node features in the third detection model, sequencing, and selecting the optimal number of trigger node features according to the sequence from high to low to form the trigger node optimal feature set;
the specific process of the expansion is as follows: the total number of the normal nodes and the trigger nodes is respectively recorded as m 1 And m 2 Trigger node optimal feature set m of duplicate trigger node 1 /m 2 Secondary times;
the specific process of training the first detection model and the second detection model is as follows:
s201: inputting a training set of the combined circuit into a first detection model for training to obtain suspicious values of each node in the combined circuit as a trigger node, sequencing from high to low, and sequencing n before sequencing 1 % of nodes are marked as suspicious trigger nodes; inputting a training set of the time sequence circuit into a second detection model for training, obtaining suspicious values of each node in the time sequence circuit, sequencing from high to low, and sequencing n before sequencing 2 % of nodes are marked as suspicious trigger nodes;
s202: adopting TPR, TNR, accuracy Precision and F-score as evaluation result indexes to obtain n 1 % and n 2 % of optimum.
2. The XGBoost-based hardware Trojan detection method according to claim 1, wherein the trigger node feature set includes LGFix, Δlgfi, FFox, Δffo, min (FFo), PI and PO, LGFix represents a number of logic gate fan-ins from the trigger node x stage, Δlgfi represents a number difference between LGFi1 and LGFi5, FFox represents a number of flip-flops from the output side of the trigger node to the x stage, Δ FFo represents a number difference between FFo1 and FFo5, min (FFo) represents a number of flip-flops closest to the output side of the trigger node, PI represents a minimum number of logic gates from any main input to the trigger node, and PO represents a minimum number of logic gates from the trigger node to any main output.
3. The XGBoost-based hardware Trojan detection method according to claim 1, wherein the specific process of weight removal is as follows: and reserving one node in a plurality of nodes with the identical characteristic values of all trigger nodes in the training set, and deleting the rest nodes.
4. The XGBoost-based hardware Trojan detection method according to claim 1, wherein the calculation formulas of the TPR, the TNR, the accuracy Precision and the F-score are as follows:
the TP, the FP, the FN and the TN are statistical data of detection results, the TP is marked as a normal node in practice, the FP is marked as a normal node, the FP is marked as a trigger node in practice, the FN is marked as a trigger node, the TP is marked as a trigger node, and the TN is marked as a trigger node in practice.
5. A XGBoost-based hardware Trojan detection device comprising a memory storing a computer program and a processor invoking the program instructions to perform the method of any of claims 1-4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911296352.5A CN111177713B (en) | 2019-12-16 | 2019-12-16 | XGBoost-based hardware Trojan detection method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911296352.5A CN111177713B (en) | 2019-12-16 | 2019-12-16 | XGBoost-based hardware Trojan detection method and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111177713A CN111177713A (en) | 2020-05-19 |
| CN111177713B true CN111177713B (en) | 2023-10-31 |
Family
ID=70650246
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911296352.5A Active CN111177713B (en) | 2019-12-16 | 2019-12-16 | XGBoost-based hardware Trojan detection method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111177713B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104849648A (en) * | 2015-05-26 | 2015-08-19 | 大连理工大学 | Test vector generation method for improving Trojan activity |
| WO2016080380A1 (en) * | 2014-11-18 | 2016-05-26 | 学校法人早稲田大学 | Method of detecting hardware trojan, program for detecting hardware trojan, and device for detecting hardware trojan |
| CN109684834A (en) * | 2018-12-21 | 2019-04-26 | 福州大学 | A kind of gate leve hardware Trojan horse recognition method based on XGBoost |
-
2019
- 2019-12-16 CN CN201911296352.5A patent/CN111177713B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2016080380A1 (en) * | 2014-11-18 | 2016-05-26 | 学校法人早稲田大学 | Method of detecting hardware trojan, program for detecting hardware trojan, and device for detecting hardware trojan |
| CN104849648A (en) * | 2015-05-26 | 2015-08-19 | 大连理工大学 | Test vector generation method for improving Trojan activity |
| CN109684834A (en) * | 2018-12-21 | 2019-04-26 | 福州大学 | A kind of gate leve hardware Trojan horse recognition method based on XGBoost |
Non-Patent Citations (1)
| Title |
|---|
| 高洪波 ; 李磊 ; 周婉婷 ; 向祎尧.基于XGBoost的硬件木马检测方法. 电子技术应用.2019,全文. * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111177713A (en) | 2020-05-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Hasegawa et al. | Hardware Trojans classification for gate-level netlists based on machine learning | |
| Hasegawa et al. | Trojan-feature extraction at gate-level netlists and its application to hardware-Trojan detection using random forest classifier | |
| Yasaei et al. | Gnn4tj: Graph neural networks for hardware trojan detection at register transfer level | |
| CN108090567B (en) | Fault diagnosis method and device for power communication system | |
| Hasegawa et al. | A hardware-Trojan classification method using machine learning at gate-level netlists based on Trojan features | |
| CN110414277B (en) | Gate-level hardware Trojan horse detection method based on multi-feature parameters | |
| CN109740348B (en) | Hardware Trojan horse positioning method based on machine learning | |
| CN109657461B (en) | RTL hardware Trojan horse detection method based on gradient lifting algorithm | |
| CN109684834A (en) | A kind of gate leve hardware Trojan horse recognition method based on XGBoost | |
| Kok et al. | Net classification based on testability and netlist structural features for hardware Trojan detection | |
| Choo et al. | Register-transfer-level features for machine-learning-based hardware trojan detection | |
| CN113626812A (en) | Machine learning Trojan horse detection method based on structural feature screening and load expansion | |
| Zhao et al. | Density-based clustering method for hardware trojan detection based on gate-level structural features | |
| Esirci et al. | Hardware Trojan detection based on correlated path delays in defiance of variations with spatial correlations | |
| CN108595986B (en) | Bounded model-based micro Trojan horse detection method | |
| CN110719278A (en) | Method, device, equipment and medium for detecting network intrusion data | |
| Li et al. | A XGBoost based hybrid detection scheme for gate-level hardware Trojan | |
| CN111177713B (en) | XGBoost-based hardware Trojan detection method and device | |
| Lee et al. | A multi-reasoner, justification-based approach to reasoner correctness | |
| Yang et al. | Hardware Trojans detection through RTL features extraction and machine learning | |
| CN114692227A (en) | Large-scale chip network table level hardware Trojan horse detection method | |
| Cruz et al. | A machine learning based automatic hardware trojan attack space exploration and benchmarking framework | |
| CN114626106A (en) | Hardware Trojan horse detection method based on cascade structure characteristics | |
| US8181146B1 (en) | Equivalence checker | |
| CN113821840A (en) | Bagging-based hardware Trojan detection method, medium and computer |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |