Graph neural networks (GNNs) have shown promise in hardware security by learning structural motifs from netlist graphs. However, this reliance on motifs makes GNNs vulnerable to adversarial netlist rewrites; even small-scale edits can mislead GNN predictions. Existing adversarial approaches, ranging from synthesis-recipe perturbations to gate transformations, come with high design overheads. We present NetDeTox, an automated end-to-end framework that orchestrates large language models (LLMs) with reinforcement learning (RL) in a systematic manner, enabling focused local rewriting. The RL agent identifies netlist components critical for GNN-based reasoning, while the LLM devises rewriting plans to diversify motifs that preserve functionality. Iterative feedback between the RL and LLM stages refines adversarial rewritings to limit overheads. Compared to the SOTA work AttackGNN, NetDeTox successfully degrades the effectiveness of all security schemes with fewer rewrites and substantially lower area overheads (reductions of 54.50% for GNN-RE, 25.44% for GNN4IP, and 41.04% for OMLA, respectively). For GNN4IP, ours can even optimize/reduce the original benchmarks' area, in particular for larger circuits, demonstrating the practicality and scalability of NetDeTox.

翻译：图神经网络（GNNs）通过学习网表图的结构模式，在硬件安全领域展现出潜力。然而，这种对结构模式的依赖使得GNNs容易受到对抗性网表重写的攻击；即使是小规模的编辑也可能误导GNN的预测。现有的对抗性方法，从综合方案扰动到门级变换，均伴随着较高的设计开销。本文提出NetDeTox，一种自动化的端到端框架，以系统化的方式将大语言模型（LLMs）与强化学习（RL）协同编排，实现聚焦式的局部重写。RL智能体识别对基于GNN的推理至关重要的网表组件，而LLM则制定重写计划以多样化保持功能性的结构模式。RL与LLM阶段之间的迭代反馈优化对抗性重写，以限制开销。与最先进的工作AttackGNN相比，NetDeTox以更少的重写次数和显著降低的面积开销（分别对GNN-RE、GNN4IP和OMLA方案降低54.50%、25.44%和41.04%）成功降低了所有安全方案的有效性。对于GNN4IP，我们的方法甚至能够优化/减少原始基准测试的面积，特别是在较大规模电路中，这证明了NetDeTox的实用性和可扩展性。