Graph neural networks (GNNs) have shown great success in detecting intellectual property (IP) piracy and hardware Trojans (HTs). However, the machine learning community has demonstrated that GNNs are susceptible to data poisoning attacks, which result in GNNs performing abnormally on graphs with pre-defined backdoor triggers (realized using crafted subgraphs). Thus, it is imperative to ensure that the adoption of GNNs should not introduce security vulnerabilities in critical security frameworks. Existing backdoor attacks on GNNs generate random subgraphs with specific sizes/densities to act as backdoor triggers. However, for Boolean circuits, backdoor triggers cannot be randomized since the added structures should not affect the functionality of a design. We explore this threat and develop PoisonedGNN as the first backdoor attack on GNNs in the context of hardware design. We design and inject backdoor triggers into the register-transfer- or the gate-level representation of a given design without affecting the functionality to evade some GNN-based detection procedures. To demonstrate the effectiveness of PoisonedGNN, we consider two case studies: (i) Hiding HTs and (ii) IP piracy. Our experiments on TrustHub datasets demonstrate that PoisonedGNN can hide HTs and IP piracy from advanced GNN-based detection platforms with an attack success rate of up to 100%.