CN112084541A - Hardware Trojan horse detection method and system, computer equipment and readable storage medium - Google Patents
Hardware Trojan horse detection method and system, computer equipment and readable storage medium Download PDFInfo
- Publication number
- CN112084541A CN112084541A CN202010799367.XA CN202010799367A CN112084541A CN 112084541 A CN112084541 A CN 112084541A CN 202010799367 A CN202010799367 A CN 202010799367A CN 112084541 A CN112084541 A CN 112084541A
- Authority
- CN
- China
- Prior art keywords
- signal
- hardware trojan
- chip
- circuit
- original bypass
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 title claims abstract description 118
- 238000001514 detection method Methods 0.000 title claims abstract description 65
- 238000003860 storage Methods 0.000 title claims abstract description 16
- 238000000034 method Methods 0.000 claims abstract description 32
- 238000004458 analytical method Methods 0.000 claims abstract description 25
- 238000012545 processing Methods 0.000 claims abstract description 15
- 238000012360 testing method Methods 0.000 claims abstract description 8
- 230000015654 memory Effects 0.000 claims description 16
- 238000007781 pre-processing Methods 0.000 claims description 9
- 238000004590 computer program Methods 0.000 claims description 7
- 238000010606 normalization Methods 0.000 claims description 7
- 238000000605 extraction Methods 0.000 claims description 6
- 230000000630 rising effect Effects 0.000 claims description 5
- 230000005670 electromagnetic radiation Effects 0.000 claims description 4
- 238000012935 Averaging Methods 0.000 claims description 3
- 230000009466 transformation Effects 0.000 claims description 3
- 238000010586 diagram Methods 0.000 description 6
- 238000005516 engineering process Methods 0.000 description 5
- 238000012549 training Methods 0.000 description 5
- 238000013461 design Methods 0.000 description 4
- 238000005070 sampling Methods 0.000 description 4
- 230000008569 process Effects 0.000 description 3
- 238000004422 calculation algorithm Methods 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 2
- 230000001066 destructive effect Effects 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 239000000284 extract Substances 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 238000004519 manufacturing process Methods 0.000 description 2
- 238000005259 measurement Methods 0.000 description 2
- 238000002203 pretreatment Methods 0.000 description 2
- 239000007787 solid Substances 0.000 description 2
- 230000001960 triggered effect Effects 0.000 description 2
- 230000001133 acceleration Effects 0.000 description 1
- 230000004913 activation Effects 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000007635 classification algorithm Methods 0.000 description 1
- 238000010835 comparative analysis Methods 0.000 description 1
- 238000007689 inspection Methods 0.000 description 1
- 238000010884 ion-beam technique Methods 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000005457 optimization Methods 0.000 description 1
- 238000012946 outsourcing Methods 0.000 description 1
- 238000005498 polishing Methods 0.000 description 1
- 238000000513 principal component analysis Methods 0.000 description 1
- 238000003672 processing method Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/76—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in application-specific integrated circuits [ASIC] or field-programmable devices, e.g. field-programmable gate arrays [FPGA] or programmable logic devices [PLD]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- Theoretical Computer Science (AREA)
- Microelectronics & Electronic Packaging (AREA)
- Mathematical Physics (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The application relates to the technical field of chip testing, and particularly discloses a hardware Trojan horse detection method, a hardware Trojan horse detection system, computer equipment and a readable storage medium. The method comprises the steps of obtaining an original bypass signal of a chip to be tested; extracting a plurality of sections of circuit characteristics from the obtained original bypass signal according to the clock signal; respectively extracting statistical characteristics from the circuit characteristics of each section; and analyzing the statistical characteristics of the circuit characteristics of each section, and judging whether the chip to be tested has a hardware Trojan according to the analysis result. According to the hardware Trojan horse detection method, after the multiple sections of circuit characteristics are extracted from the original bypass signal, the statistical characteristics of the circuit characteristics are analyzed, namely, the high-dimensional original bypass signal is divided into the multiple sections of low-dimensional signals and then analyzed, the signal processing dimensionality is reduced, the Trojan horse with a smaller area is detected, the problem that the Trojan horse with the smaller area is missed to be detected due to the fact that the high-dimensional signals are directly analyzed is solved, the hardware Trojan horse detection accuracy is improved, and the missed detection rate is reduced.
Description
Technical Field
The invention relates to the technical field of chip testing, in particular to a hardware Trojan horse detection method, a hardware Trojan horse detection system, computer equipment and a readable storage medium.
Background
With the advancement of Integrated Circuit (IC) technology and the acceleration of globalization, many chip companies adopt hardware-out-of-package design and foundry-tape approach in order to shorten the design cycle of IC and reduce the manufacturing cost. Because these "third parties" can not be completely trusted, artificial unsafe factors may exist, and even malicious attack and damage of competitors exist, in recent years, a novel integrated circuit chip hardware attack mode, called "hardware trojan horse", has attracted great attention. The hardware trojan refers to a tiny malicious circuit inserted into an original circuit, and harmfulness and concealment are basic characteristics of the hardware trojan. Once inserted into a complex chip, the hardware trojan is difficult to detect.
In recent years, hardware Trojan horse detection technology is rapidly developed, and detection methods such as layout comparison and bypass signal analysis are mainly included. The layout comparison method is a destructive detection method, and is long in time consumption and high in cost; the hardware Trojan detection method based on bypass signal analysis is a detection method which is used more at present, and mainly judges whether the Trojan exists in a circuit by detecting and analyzing a bypass signal in the circuit. For a small-area hardware trojan circuit, the trojan is particularly easy to be submerged in test noise, so that the traditional bypass data processing method is difficult to smoothly distinguish the characteristics of a trojan chip and a non-trojan chip.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a hardware trojan detection method, system, computer device and readable storage medium for solving the problem that a hardware trojan with a small area is difficult to detect.
A hardware Trojan horse detection method comprises the following steps:
acquiring an original bypass signal of a chip to be tested;
extracting a plurality of sections of circuit characteristics from the obtained original bypass signal according to a clock signal;
extracting statistical characteristics from the circuit characteristics of each section respectively;
and analyzing the statistical characteristics of the circuit characteristics of each section, and judging whether the chip to be tested has a hardware Trojan according to the analysis result.
In one embodiment, the step of obtaining the original bypass signal of the chip to be tested includes:
and collecting any one or more of a leakage current signal, a maximum working frequency signal, a delay signal, a power consumption signal, an electromagnetic radiation signal and a thermal signal of the chip to be tested.
In one embodiment, before the step of extracting the multiple segments of circuit features from the obtained original bypass signal according to the clock signal, the method further includes:
and performing signal preprocessing on the original bypass signal.
In one embodiment, the step of obtaining the original bypass signal of the chip to be tested includes: collecting original bypass signals of a chip to be tested for multiple times;
the step of signal preprocessing the original bypass signal comprises:
averaging the original bypass signals acquired for multiple times;
and denoising the obtained average value based on wavelet transformation.
In one embodiment, the step of extracting multiple segments of circuit features from the obtained original bypass signal according to a clock signal includes:
dividing the original bypass signal into a plurality of clock cycles according to the rising edge signal and the falling edge signal;
and respectively extracting the bypass signals corresponding to each clock period as the characteristics of each section of circuit.
In one embodiment, the statistical features include at least two of mean, variance, skewness, kurtosis, and curvature.
In one embodiment, the step of analyzing the statistical characteristics of the circuit characteristics of each segment and determining whether the chip to be tested has a hardware trojan according to the analysis result includes:
normalizing each statistical characteristic of each section of the circuit characteristic;
classifying the statistical characteristics after the normalization processing by a classification vector machine or an Euclidean distance classification method, and judging whether the chip to be tested has a hardware Trojan.
A hardware trojan detection system, comprising:
the acquisition unit is used for acquiring an original bypass signal of the chip to be detected;
the first extraction unit is used for extracting multiple sections of circuit characteristics from the acquired original bypass signals according to clock signals;
the second extraction unit is used for extracting statistical characteristics from the circuit characteristics of each section respectively;
and the detection unit is used for analyzing the statistical characteristics of the circuit characteristics of each section and judging whether the chip to be detected has a hardware Trojan according to the analysis result.
A computer device comprising a memory storing a computer program and a processor implementing the steps of the above method when executing the computer program.
A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method.
The hardware Trojan horse detection method comprises the steps of firstly obtaining an original bypass signal of a chip to be detected, then extracting a plurality of sections of circuit characteristics from the original bypass signal according to a clock signal, then respectively extracting statistical characteristics from the circuit characteristics of each section, finally analyzing the statistical characteristics of the circuit characteristics of each section, and judging whether the chip to be detected has the hardware Trojan horse or not according to an analysis result. In this application, after extracting the multistage circuit characteristic from original bypass signal, analyze to the statistical character of each section circuit characteristic again, promptly, divide into the original bypass signal of high dimension and analyze again behind the multistage low dimension signal, reduced the signal processing dimension, help detecting out the less Trojan of area, solved direct analysis high dimension signal and leaded to missing the problem of examining the less Trojan of area, increased the accuracy that hardware Trojan detected, reduced the missed detection rate.
Drawings
Fig. 1 is a flowchart of an implementation manner of a hardware trojan detection method according to an embodiment of the present disclosure;
fig. 2 is a schematic diagram of an original bypass signal acquired in a hardware Trojan horse detection method provided in an embodiment of the present application;
fig. 3 is a schematic diagram of a clock signal corresponding to an original bypass signal acquired in a hardware Trojan horse detection method provided in the embodiment of the present application;
fig. 4 is a schematic diagram of a section of circuit characteristics extracted from an original bypass signal in one clock cycle in a hardware trojan detection method according to an embodiment of the present disclosure;
fig. 5 is a block flow diagram of another implementation of a hardware Trojan horse detection method according to an embodiment of the present application;
fig. 6 is a flowchart of an implementation manner of step S11 in the hardware Trojan horse detection method according to the embodiment of the present application;
fig. 7 is a flowchart of an implementation manner of step S12 in the hardware Trojan horse detection method according to the embodiment of the present application;
fig. 8 is a flowchart of an implementation manner of step S16 in the hardware Trojan horse detection method according to the embodiment of the present application;
fig. 9 is a Trojan detection result obtained by a classification SVM algorithm in the hardware Trojan detection method according to the embodiment of the present application;
fig. 10 is a Trojan detection result obtained by an euclidean distance method in the hardware Trojan detection method provided in the embodiment of the present application;
fig. 11 is a schematic structural diagram of a hardware Trojan horse detection system according to an embodiment of the present disclosure;
fig. 12 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
To facilitate an understanding of the invention, the invention will now be described more fully with reference to the accompanying drawings. Preferred embodiments of the present invention are shown in the drawings. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete.
In the present invention, unless otherwise expressly stated or limited, the terms "mounted," "connected," "secured," and the like are to be construed broadly and can, for example, be fixedly connected, detachably connected, or integrally formed; can be mechanically or electrically connected; they may be directly connected or indirectly connected through intervening media, or they may be connected internally or in any other suitable relationship, unless expressly stated otherwise. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
The terms "first", "second" and "first" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
As described in the background, as Integrated Circuit (IC) technology advances and globalization progresses, many chip companies adopt hardware outsourcing design and foundry tape-out to shorten the design cycle of IC and reduce the manufacturing cost. Because these "third parties" can not be completely trusted, artificial unsafe factors may exist, and even malicious attack and damage of competitors exist, in recent years, a novel integrated circuit chip hardware attack mode, called "hardware trojan horse", has attracted great attention. The hardware trojan refers to a tiny malicious circuit inserted into an original circuit, and harmfulness and concealment are basic characteristics of the hardware trojan. Once inserted into a complex chip, the hardware trojan is difficult to detect.
In recent years, hardware Trojan horse detection technology is rapidly developed, and detection methods such as layout comparison and bypass signal analysis are mainly included.
The layout comparison technology comprises the steps of firstly dissecting a packaged chip by using a mechanical polishing mode to obtain a bare chip, then selecting a part of the chip to be verified, performing failure analysis by using an electron microscope, an electron transmission microscope, a focused ion beam and the like to obtain a layout image or a gate-level netlist of an original circuit, and finally performing comparative analysis on a reverse result and the original circuit so as to judge whether the chip contains a hardware Trojan. The method is a destructive detection method, and has long time consumption and high cost.
A hardware Trojan detection method based on bypass signal analysis is a detection method which is used more at present, and is mainly used for judging whether Trojan exists in a circuit or not by detecting bypass signals in an analysis circuit, such as leakage current, maximum working frequency, time delay, power consumption, electromagnetism, heat effect and the like. Due to instrument accuracy limitations and test noise effects, bypass testing is commonly used to test various trojans with large areas. For a small-area hardware Trojan horse circuit, a chip bypass signal needs to be sampled for a long time, the sampling precision is higher and higher, the dimensionality of one bypass signal reaches tens of thousands or even hundreds of thousands of sampling points, namely, the bypass signal is a high-dimensional signal, but the Trojan horse only exists in a few clock cycles, and the Trojan horse is particularly easy to submerge in test noise because the sampled bypass signal has very high dimensionality, so that the characteristics of the Trojan horse chip and a non-Trojan horse chip are difficult to distinguish smoothly by a traditional bypass signal analysis method.
In view of the foregoing problems, the present application provides a hardware Trojan horse detection method, system, computer device and readable storage medium.
As shown in fig. 1, a hardware Trojan horse detection method provided in an embodiment of the present application includes the following steps:
and step S10, acquiring an original bypass signal of the chip to be tested.
Generally, a hardware trojan is triggered under a certain triggering condition, so that a bypass signal of a chip to be tested needs to be observed for a long time, and an original bypass signal of the chip to be tested is obtained. The sampling precision is high, the dimensionality of one original bypass signal can reach tens of thousands or even hundreds of thousands of sampling points, namely, the obtained original bypass signal is a high-dimensional signal.
In one embodiment, the bypass signal may be of various types, such as a leakage current signal, a maximum operating frequency signal, a delay signal, a power consumption signal, an electromagnetic radiation signal, a thermal signal, and the like. Specifically, step S10 may include: and collecting any one or more of a leakage current signal, a maximum working frequency signal, a delay signal, a power consumption signal, an electromagnetic radiation signal and a thermal signal of the chip to be tested.
And step S12, extracting multi-segment circuit characteristics from the acquired original bypass signal according to the clock signal.
The Trojan horse needs to satisfy a certain triggering condition to be triggered, which may exist only for a short time, and if the original bypass signal is directly processed and analyzed, the Trojan horse may be submerged in the original bypass signal with high dimension and cannot be detected. According to the method and the device, after the original bypass signal is obtained, the multi-section circuit characteristics can be extracted from the original bypass signal according to the clock signal of the circuit, namely, the original bypass signal is divided into the multi-section circuit characteristics according to the clock signal of the circuit, the follow-up processing and analysis can be carried out aiming at the circuit characteristics, the dimensionality of the processed signal is reduced, and the problems that the traditional method is directly used for processing and analyzing the high-dimensional bypass circuit signal and the operation amount is large and the omission ratio is high are solved.
For example, fig. 2 shows the original bypass signal, which has signal dimensions of 125000 dimensions, and only the first 250 dimensions are shown in fig. 2. Fig. 3 is a clock signal of a circuit, and fig. 4 is a section of circuit characteristics extracted from an original bypass signal according to the clock signal of the circuit, wherein a security chip signal and a hardware trojan signal may exist in each section of circuit characteristics.
The original bypass signal is divided according to the clock signal of the circuit in various ways, and the original bypass signal can be divided according to the clock period or in a self-defined rule, as long as the original bypass signal can be divided, and the dimensionality of the processed signal is reduced. The division is performed by taking a clock cycle as an example, and the circuit characteristics in one clock cycle are shown in the figure.
And step S14, extracting statistical characteristics from the circuit characteristics of each segment.
After extracting multiple segments of circuit features from the original bypass signal, statistics, referred to herein as statistical features, may be extracted for each segment of circuit features. The types of the statistical characteristics can be various, and each statistical characteristic can be used for reflecting the difference of the existence of the Trojan signal, so that the detection difficulty is reduced, and the Trojan detection accuracy is increased.
In one embodiment, the statistical features include mean, variance, skewness, kurtosis, and curvature. Two or three or four or five of the above five statistical features may be extracted, and are not particularly limited herein. In this embodiment, the five statistical features are preferably extracted as features for detecting the Trojan horse.
The mean, variance, skewness, warp and curvature correspond to the first, second, third, fourth and derivative related features of the circuit signal, respectively. The calculation formulas are respectively as follows:
mean value:
variance:
skewness:
kurtosis:
curvature:
wherein x isiFor the ith segment of circuit characteristics, n is the total number of circuit characteristics and E is the mathematical expected value.
And step S16, analyzing the statistical characteristics of the circuit characteristics of each section, and judging whether the chip to be tested has a hardware Trojan according to the analysis result.
And when the statistical characteristics of the circuit characteristics of each section are extracted, processing and analyzing the statistical characteristics, and further judging whether the chip to be tested has a hardware Trojan. The statistical characteristics of the circuit characteristics of each section are analyzed, so that the Trojan horse detection accuracy is improved, and the omission factor is reduced.
The hardware Trojan horse detection method comprises the steps of firstly obtaining an original bypass signal of a chip to be detected, then extracting a plurality of sections of circuit characteristics from the original bypass signal according to a clock signal, then respectively extracting statistical characteristics from the circuit characteristics of each section, finally analyzing the statistical characteristics of the circuit characteristics of each section, and judging whether the chip to be detected has the hardware Trojan horse or not according to an analysis result. In this application, after extracting the multistage circuit characteristic from original bypass signal, analyze to the statistical character of each section circuit characteristic again, promptly, divide into the original bypass signal of high dimension and analyze again behind the multistage low dimension signal, reduced the signal processing dimension, help detecting out the less Trojan of area, solved direct analysis high dimension signal and leaded to missing the problem of examining the less Trojan of area, increased the accuracy that hardware Trojan detected, reduced the missed detection rate.
In one embodiment, as shown in fig. 5, before step S12, that is, before the step of extracting multiple segments of circuit features from the acquired original bypass signal according to the clock signal, the hardware trojan detection method provided in this embodiment further includes:
and step S11, performing signal preprocessing on the original bypass signal. After the original bypass signal is obtained, signal preprocessing may be performed on the original bypass signal, and then subsequent steps may be performed.
In one embodiment, the signal preprocessing is denoising. In step S10, the step of acquiring the original bypass signal of the chip to be tested includes: and collecting original bypass signals of the chip to be tested for multiple times.
As shown in fig. 6, step S11, the step of performing signal preprocessing on the original bypass signal, further includes:
and step S111, averaging the original bypass signals acquired for multiple times.
And step S112, denoising the obtained average value based on wavelet transformation.
Of course, other pretreatment methods than the above-described pretreatment method may be employed.
In one embodiment, as shown in fig. 7, in step S12, the step of extracting the multiple segments of circuit features from the obtained original bypass signal according to the clock signal further includes:
step S121, dividing the original bypass signal into a plurality of clock cycles according to the rising edge signal and the falling edge signal.
Generally, the original bypass signal is inverted along with a rising edge or a falling edge of a clock cycle, and the signal has a certain periodicity, so that the rising edge and the falling edge of the clock cycle are used as dividing bases, two adjacent time intervals for generating inversion are used as one clock cycle, and the original bypass signal is divided into a plurality of clock cycles.
Step S122, respectively extracting the bypass signals corresponding to each clock cycle as the circuit characteristics of each segment.
After the original bypass signal is divided into a plurality of clock cycles, each clock cycle is taken as a window, and corresponding bypass signals are respectively extracted, so that the circuit characteristics in each clock cycle can be obtained.
In one embodiment, as shown in fig. 8, step S16, namely, analyzing the statistical features of the circuit features of each segment, and determining whether the hardware trojan exists in the chip to be tested according to the analysis result further includes:
step S161, normalization processing is performed on each statistical characteristic of each segment of circuit characteristic.
After the statistical characteristics of each section of circuit characteristics are extracted, in order to eliminate the influence of characteristic dimension, normalization processing can be carried out on each statistical characteristic by using a Gaussian normalization preprocessing method.
And step S163, classifying the statistical characteristics after the normalization processing through a classification vector machine or Euclidean distance classification method, and judging whether the chip to be tested has a hardware Trojan.
A classification vector machine may be used to classify each statistical feature after the normalization process. In the hardware Trojan detection, the training sample only has measurement data of one class without Trojan chips and does not have measurement data of other Trojan chips, so that the method belongs to the single classification problem.
The classification SVM comprises the following steps:
given training sample set
Is given from RMNon-linear mapping phi (x) to some high-dimensional feature space chii) E x, establishing a hyperplane w in the high-dimensional spaceTPhi (x) -p is 0, the mapped samples are separated from the origin by an interval p, where w is the weight vector, is the normal vector to the hyperplane, and p is the intercept of the hyperplane. In order to keep the hyperplane as far away from the origin as possible, the Euclidean distance ρ/w between the origin and the target data is maximized to find the optimal hyperplane.
In order to make the algorithm have certain robustness, a relaxation factor is introducedi≧ 0, the optimization problem for a categorical SVM at this time can be described by equation (1):
s.t.wTφ(xi)≥ρ-i,
i≥0. (1)
wherein w ∈ χ and rho ∈ R are hyperplane parameters. The parameter v ∈ (0, 1) is a predefined percentage parameter estimate, which means the proportion of training samples that are finally classified as negative.
The decision function is shown in equation (2):
f(x)=sgn(wTφ(x)-ρ) (2)
fig. 9 shows the detection results obtained by a classification SVM classification algorithm.
The normalized statistical features can also be classified by a Euclidean distance classification method.
Specifically, in order to quantitatively depict the difference between the hardware trojan chip and the non-hardware trojan chip, the square of the Euclidean distance is used for describing the difference, and the calculation formula is shown as (3). Wherein xiRepresenting the statistical characteristics in each clock cycle, c the number of signal cycles,
represents the mean value of all training samples in the feature, and equation (3) represents the sum and mean of the samples in each clock cycleThe values are subtracted and the differences in all clock cycles are summed by squaring.
And (3) taking the maximum value of the sum of squares calculated by all samples according to the formula (3) as a threshold value for judging the hardware Trojan horse, wherein n represents the number of training samples as shown in the formula (4).
Meanwhile, Mean +2std (min) of the distance can be used as a threshold value for hardware trojan judgment.
For the sample x to be measuredtIf the square sum calculated according to equation (3) exceeds the threshold value, the chip is identified as Trojan, otherwise, the chip is identified as non-Trojan, i.e., if d (x)t)>Max or d (x)t)<Min, then the sample x to be measured is determinedtIs a trojan chip. The detection results are shown in fig. 10.
The two thresholds calculated by the formulas (4) and (5) and (6) may be selected alternatively or simultaneously, that is, only the maximum threshold may be used as the threshold in the euclidean distance classification method, only the minimum threshold may be used as the threshold in the euclidean distance classification method, or both the maximum threshold and the minimum threshold may be used as the thresholds in the euclidean distance classification method. The above three ways can achieve the purpose of the present application, and are not limited herein.
It should be noted that, in the detection of the Trojan horse, the classification result of a classification vector machine and the classification result of the Euclidean distance classification method may be considered together, for example, if one of the methods detects the Trojan horse, the Trojan horse is considered to be present.
In one embodiment, after step S161 and before step S163, the method may further include:
step S162, reducing each statistical feature to two dimensions using principal component analysis. Thereby facilitating the display and analysis of the features.
The method for combining the circuit characteristics and the statistical characteristics is provided, the method for combining the circuit characteristics and the statistical characteristics is not only used, the characteristics of the circuit are analyzed in combination with the characteristics of the circuit, the circuit characteristics are extracted by considering the activation time of the Trojan horse, and the four statistical mean values, the variance, the skewness, the warping degree and the curvature of each circuit characteristic are used as the characteristics for detecting the Trojan horse, so that the detection accuracy is improved.
The embodiment of the application provides a hardware trojan detection system, as shown in fig. 11, which includes an obtaining unit 10, a first extracting unit 12, a second extracting unit 14, and a detecting unit 16.
The obtaining unit 10 is configured to obtain an original bypass signal of a chip to be tested; the first extraction unit 12 is configured to extract a plurality of segments of circuit features from the acquired original bypass signal according to a clock signal; the second extraction unit 14 is used for extracting statistical characteristics from each segment of circuit characteristics; the detection unit 16 is configured to analyze statistical characteristics of circuit characteristics of each segment, and determine whether a hardware trojan exists in a chip to be detected according to an analysis result.
The hardware Trojan horse detection system firstly obtains an original bypass signal of a chip to be detected, then extracts a plurality of sections of circuit characteristics from the original bypass signal according to a clock signal, then respectively extracts statistical characteristics from the circuit characteristics of each section, finally analyzes the statistical characteristics of the circuit characteristics of each section, and judges whether the hardware Trojan horse exists in the chip to be detected according to an analysis result. In this application, after extracting the multistage circuit characteristic from original bypass signal, analyze to the statistical character of each section circuit characteristic again, promptly, divide high-dimensional original bypass signal into and analyze again behind the multistage low-dimensional signal, the signal processing dimension has been reduced, the signal processing ability has been improved, help detecting out the less Trojan of area, solved direct analysis high-dimensional signal and leaded to missing the problem of examining the less Trojan of area, the rate of accuracy that hardware Trojan detected has been increased, the rate of missing the inspection is reduced.
For specific contents of the obtaining unit 10, the first extracting unit 12, the second extracting unit 14, and the detecting unit 16, reference may be made to descriptions of corresponding parts in the hardware Trojan horse detecting method, which is not described herein again.
An electronic device is provided in the embodiment of the present application, and as shown in fig. 12, the electronic device includes a memory 100 and a processor 200. The memory 100 and the processor 200 are communicatively connected to each other through a bus or other means, and fig. 12 illustrates the connection through the bus as an example.
The memory 100, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions corresponding to the hardware Trojan detection method in the embodiment of the present invention. The processor 200 executes various functional applications and data processing of the processor 200, i.e., implements a hardware trojan detection method, by running non-transitory software programs, instructions, and modules stored in the memory 100.
The memory 100 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor 200, and the like. Further, the memory 100 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 100 may optionally include memory located remotely from processor 200, which may be connected to the processor via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Hard Disk (Hard Disk Drive, abbreviated as HDD), a Solid State Drive (SSD), or the like; the storage medium may also comprise a combination of memories of the kind described above.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.
Claims (10)
1. A hardware Trojan horse detection method is characterized by comprising the following steps:
acquiring an original bypass signal of a chip to be tested;
extracting a plurality of sections of circuit characteristics from the obtained original bypass signal according to a clock signal;
extracting statistical characteristics from the circuit characteristics of each section respectively;
and analyzing the statistical characteristics of the circuit characteristics of each section, and judging whether the chip to be tested has a hardware Trojan according to the analysis result.
2. The hardware trojan detection method according to claim 1, wherein the step of obtaining an original bypass signal of a chip under test comprises:
and collecting any one or more of a leakage current signal, a maximum working frequency signal, a delay signal, a power consumption signal, an electromagnetic radiation signal and a thermal signal of the chip to be tested.
3. The hardware trojan horse detection method according to claim 1, wherein before the step of extracting a plurality of segments of circuit characteristics from the obtained original bypass signal according to a clock signal, the method further comprises:
and performing signal preprocessing on the original bypass signal.
4. The hardware Trojan horse detection method according to claim 3, wherein the step of obtaining an original bypass signal of a chip to be tested comprises: collecting original bypass signals of the chip to be tested for multiple times;
the step of signal preprocessing the original bypass signal comprises:
averaging the original bypass signals acquired for multiple times;
and denoising the obtained average value based on wavelet transformation.
5. The hardware trojan detection method according to claim 1, wherein the step of extracting the plurality of segments of circuit features from the obtained original bypass signal according to a clock signal comprises:
dividing the original bypass signal into a plurality of clock cycles according to the rising edge signal and the falling edge signal;
and respectively extracting the bypass signals corresponding to each clock period as the circuit characteristics of each section.
6. The hardware Trojan horse detection method of claim 1, wherein the statistical features comprise at least two of mean, variance, skewness, kurtosis, and curvature.
7. The hardware trojan detection method according to claim 1, wherein the step of analyzing the statistical characteristics of the circuit characteristics of each segment and determining whether the hardware trojan exists in the chip to be tested according to the analysis result comprises:
normalizing each statistical characteristic of each section of the circuit characteristic;
classifying the statistical characteristics after the normalization processing by a classification vector machine or an Euclidean distance classification method, and judging whether the chip to be tested has a hardware Trojan.
8. A hardware trojan detection system, comprising:
the acquisition unit is used for acquiring an original bypass signal of the chip to be detected;
the first extraction unit is used for extracting multiple sections of circuit characteristics from the acquired original bypass signals according to clock signals;
the second extraction unit is used for extracting statistical characteristics from the circuit characteristics of each section respectively;
and the detection unit is used for analyzing the statistical characteristics of the circuit characteristics of each section and judging whether the chip to be detected has a hardware Trojan according to the analysis result.
9. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010799367.XA CN112084541A (en) | 2020-08-11 | 2020-08-11 | Hardware Trojan horse detection method and system, computer equipment and readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010799367.XA CN112084541A (en) | 2020-08-11 | 2020-08-11 | Hardware Trojan horse detection method and system, computer equipment and readable storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112084541A true CN112084541A (en) | 2020-12-15 |
Family
ID=73735495
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010799367.XA Pending CN112084541A (en) | 2020-08-11 | 2020-08-11 | Hardware Trojan horse detection method and system, computer equipment and readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112084541A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113945824A (en) * | 2021-09-26 | 2022-01-18 | 成都嘉纳海威科技有限责任公司 | Radio frequency chip screening method |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101382978A (en) * | 2008-10-30 | 2009-03-11 | 中国人民解放军国防科学技术大学 | Method for early alarming by-path attack in safety chip |
| CN104215894A (en) * | 2014-08-28 | 2014-12-17 | 工业和信息化部电子第五研究所 | Integrated circuit hardware Trojan horse detection method and system |
| CN107169062A (en) * | 2017-05-02 | 2017-09-15 | 江苏大学 | A kind of time series symbol polymerization approximate representation method based on whole story distance |
| CN108062477A (en) * | 2017-12-12 | 2018-05-22 | 北京电子科技学院 | Hardware Trojan horse detection method based on side Multiple Channel Analysis |
| CN109063475A (en) * | 2018-07-31 | 2018-12-21 | 西南交通大学 | A kind of detection method of hardware Trojan horse, equipment and computer storage medium |
| CN109388781A (en) * | 2017-08-14 | 2019-02-26 | 比亚迪股份有限公司 | The treating method and apparatus of measurement data |
-
2020
- 2020-08-11 CN CN202010799367.XA patent/CN112084541A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101382978A (en) * | 2008-10-30 | 2009-03-11 | 中国人民解放军国防科学技术大学 | Method for early alarming by-path attack in safety chip |
| CN104215894A (en) * | 2014-08-28 | 2014-12-17 | 工业和信息化部电子第五研究所 | Integrated circuit hardware Trojan horse detection method and system |
| CN107169062A (en) * | 2017-05-02 | 2017-09-15 | 江苏大学 | A kind of time series symbol polymerization approximate representation method based on whole story distance |
| CN109388781A (en) * | 2017-08-14 | 2019-02-26 | 比亚迪股份有限公司 | The treating method and apparatus of measurement data |
| CN108062477A (en) * | 2017-12-12 | 2018-05-22 | 北京电子科技学院 | Hardware Trojan horse detection method based on side Multiple Channel Analysis |
| CN109063475A (en) * | 2018-07-31 | 2018-12-21 | 西南交通大学 | A kind of detection method of hardware Trojan horse, equipment and computer storage medium |
Non-Patent Citations (2)
| Title |
|---|
| 孙宸等: "多维统计特征分析的芯片硬件木马检测方法", 《电子产品可靠性与环境试验》, vol. 38, no. 1, pages 69 - 73 * |
| 蔡琛: "基于主成分分析的AES算法相关功耗分析攻击", 《中国优秀硕士学位论文全文数据库信息科技辑》, pages 35 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113945824A (en) * | 2021-09-26 | 2022-01-18 | 成都嘉纳海威科技有限责任公司 | Radio frequency chip screening method |
| CN113945824B (en) * | 2021-09-26 | 2023-12-22 | 成都嘉纳海威科技有限责任公司 | Radio frequency chip screening method |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| TWI639824B (en) | Method, apparatus, and non-transitory computer readable storage medium for integration of automatic and manual defect classification | |
| CN110414277B (en) | Gate-level hardware Trojan horse detection method based on multi-feature parameters | |
| CN105718795B (en) | Malicious code evidence collecting method and system under Linux based on condition code | |
| Kurihara et al. | Hardware-trojan classification based on the structure of trigger circuits utilizing random forests | |
| Jang et al. | Mal-netminer: malware classification based on social network analysis of call graph | |
| CN112084541A (en) | Hardware Trojan horse detection method and system, computer equipment and readable storage medium | |
| CN110866899A (en) | Method and device for detecting female parent chip-free hardware Trojan horse based on static heat map | |
| CN113343228B (en) | Event credibility analysis method and device, electronic equipment and readable storage medium | |
| CN112464297B (en) | Hardware Trojan detection method, device and storage medium | |
| KR102318991B1 (en) | Method and device for detecting malware based on similarity | |
| CN115186772B (en) | Method, device and equipment for detecting partial discharge of power equipment | |
| CN113839963B (en) | Network security vulnerability intelligent detection method based on artificial intelligence and big data | |
| Ghahramani et al. | Deep Image: A precious image based deep learning method for online malware detection in IoT Environment | |
| JP4883408B2 (en) | Method and apparatus for testing similarity between series data | |
| CN111929656B (en) | Entropy value statistics-based noise estimation method for vehicle-mounted millimeter wave radar system | |
| JP2021111034A (en) | Abnormality detection program, abnormality detection method, and information processing device | |
| Bozkır et al. | Local image descriptor based phishing web page recognition as an open-set problem | |
| Kaur et al. | Comparative analysis of white blood cell by different segmentation methods using knowledge based learning | |
| Gavrylenko et al. | Investigation of intrusion in computer systems based on the hurst exponent | |
| Halak et al. | Applications of Machine Learning in Hardware Security | |
| Benamor et al. | A comparative study of machine learning algorithms for intrusion detection in IoT networks | |
| JP2015197788A (en) | Laminar flow smoke detection device and laminar flow smoke detection method | |
| JP6457727B2 (en) | Laminar smoke detection device and laminar smoke detection method | |
| Makandar et al. | Detection and retrieval of malware using classification | |
| CN117834311B (en) | Malicious behavior identification system for network security |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |