SVM算法在硬件木馬旁路分析檢測(cè)中的應(yīng)用

佟鑫; 李瑩; 陳嵐

doi:10.11999/JEIT190532

SVM算法在硬件木馬旁路分析檢測(cè)中的應(yīng)用

doi: 10.11999/JEIT190532 cstr: 32379.14.JEIT190532

中國(guó)科學(xué)院微電子研究所EDA中心北京 100029

基金項(xiàng)目: 國(guó)家物聯(lián)網(wǎng)與智慧城市重點(diǎn)專項(xiàng)對(duì)接(Z181100003518002)，北京市自然科學(xué)基金(4184106)，北京市科技專項(xiàng)(Z171100001117147)

詳細(xì)信息

作者簡(jiǎn)介:
佟鑫：女，1987年生，助理研究員，主要研究方向?yàn)槲锫?lián)網(wǎng)硬件安全與集成電路設(shè)計(jì)

李瑩：女，1982年生，副研究員，主要研究方向?yàn)槲锫?lián)網(wǎng)硬件安全與集成電路設(shè)計(jì)

陳嵐：女，1968年生，研究員，博士生導(dǎo)師，主要研究方向?yàn)橛?jì)算機(jī)系統(tǒng)架構(gòu)與集成電路設(shè)計(jì)、集成電路硬件安全

通訊作者:
李瑩　liying1@ime.ac.cn

¹⁾ 將正常組數(shù)據(jù)(Trojan Free, TF)標(biāo)記為1，木馬組(T1, T2, ···)數(shù)據(jù)為–1。²⁾ 按照采樣模式對(duì)數(shù)據(jù)進(jìn)行分組抽樣，每次抽出一部分木馬數(shù)據(jù)做測(cè)試驗(yàn)證集，其余做訓(xùn)練集，測(cè)試集可選擇未知標(biāo)簽的數(shù)據(jù)。³⁾ 閾值A(chǔ)為用戶期望達(dá)到的模型測(cè)試準(zhǔn)確率閾值B是用戶定義的數(shù)據(jù)組中木馬個(gè)數(shù)的占比，用于判斷該組數(shù)據(jù)是否為木馬組。
⁴⁾ 閾值A(chǔ)為用戶期望達(dá)到的模型測(cè)試準(zhǔn)確率閾值B是用戶定義的數(shù)據(jù)組中占比多數(shù)的數(shù)據(jù)是否為木馬，用于判斷該組數(shù)據(jù)是否為木馬組。
中圖分類號(hào): TN406
計(jì)量
- 文章訪問數(shù): 3727
- HTML全文瀏覽量: 1833
- PDF下載量: 93
- 被引次數(shù): 0
出版歷程
- 收稿日期: 2019-07-15
- 修回日期: 2020-03-06
- 網(wǎng)絡(luò)出版日期: 2020-04-22
- 刊出日期: 2020-07-23

Application of SVM Machine Learning to Hardware Trojan Detection Using Side-channel Analysis

EDA Center of Institute of Microelectronics, Chinese Academy of Sciences, Beijing 100029, China

Funds: The National Internet of Things and Smart City Key Project Docking(Z181100003518002), The Natural Science Foundation of Beijing (4184106), The Beijing Science and Technology Project (Z171100001117147)

摘要

摘要:
集成電路(ICs)面臨著硬件木馬(HTs)造成的嚴(yán)峻威脅。傳統(tǒng)的旁路檢測(cè)手段中黃金模型不易獲得，且隱秘的木馬可以利用固硬件聯(lián)合操作將惡意行為隱藏在常規(guī)的芯片運(yùn)行中，更難以檢測(cè)。針對(duì)這種情況，該文提出利用機(jī)器學(xué)習(xí)支持向量機(jī)(SVM)算法從系統(tǒng)操作層次對(duì)旁路分析檢測(cè)方法進(jìn)行改進(jìn)。使用現(xiàn)場(chǎng)可編程門陣列(FPGA)驗(yàn)證的實(shí)驗(yàn)結(jié)果表明，存在黃金模型時(shí)，有監(jiān)督SVM可得到86.8%的訓(xùn)練及測(cè)試綜合的平均檢測(cè)準(zhǔn)確率，進(jìn)一步采用分組和歸一化去離群點(diǎn)方法可將檢測(cè)率提升4%。若黃金模型無法獲得，則可使用半監(jiān)督SVM方法進(jìn)行檢測(cè)，平均檢測(cè)率為52.9%～79.5%。與現(xiàn)有同類方法相比，驗(yàn)證了SVM算法在指令級(jí)木馬檢測(cè)中的有效性，明確了分類學(xué)習(xí)條件與檢測(cè)性能的關(guān)系。
- 硬件木馬 /
- 旁路檢測(cè) /
- 支持向量機(jī) /
- 有監(jiān)督學(xué)習(xí) /
- 半監(jiān)督學(xué)習(xí)
Abstract:
Integrated Circuits (ICs) are suffering severer threats caused by Hardware Trojans (HTs), some of which hide in routine operations by coercing firmware or hardware. Along with conventional side-channel detection not always getting golden-chip, HTs become more difficult to detect. An improved Support Vector Machine (SVM) machine learning frameworks for this is proposed using system-level side-channel analysis. Cross validation experimental results on Field Programmable Gate Array (FPGA) show that in the condition of golden-chip, supervised SVM achieves 85.8% test accuracy in average. After grouping, outlier-removing and normalization, it rises by 4%. Even if golden-chip is out of hand, semi-supervised SVM has accuracy to judge HTs existence, averaging in 52.9%-79.5% under different test modes. Comparing with existing researches, this work verifies the efficiency of SVM for HT detection in instruction level, and points out the relationship between diversified learning conditions with detection performance.
- Hardware Trojan (HT) /
- Side-channel analysis /
- Support Vector Machine (SVM) /
- Supervised learning /
- Semi-supervised learning
¹⁾ 將正常組數(shù)據(jù)(Trojan Free, TF)標(biāo)記為1，木馬組(T1, T2, ···)數(shù)據(jù)為–1。²⁾ 按照采樣模式對(duì)數(shù)據(jù)進(jìn)行分組抽樣，每次抽出一部分木馬數(shù)據(jù)做測(cè)試驗(yàn)證集，其余做訓(xùn)練集，測(cè)試集可選擇未知標(biāo)簽的數(shù)據(jù)。³⁾ 閾值A(chǔ)為用戶期望達(dá)到的模型測(cè)試準(zhǔn)確率閾值B是用戶定義的數(shù)據(jù)組中木馬個(gè)數(shù)的占比，用于判斷該組數(shù)據(jù)是否為木馬組。

⁴⁾ 閾值A(chǔ)為用戶期望達(dá)到的模型測(cè)試準(zhǔn)確率閾值B是用戶定義的數(shù)據(jù)組中占比多數(shù)的數(shù)據(jù)是否為木馬，用于判斷該組數(shù)據(jù)是否為木馬組。

HTML全文

圖 1 基于SVM算法的硬件木馬檢測(cè)框架

下載: 全尺寸圖片幻燈片

圖 2 指令功耗數(shù)據(jù)分組的SVM有監(jiān)督學(xué)習(xí)分類流程

下載: 全尺寸圖片幻燈片

圖 3 指令功耗數(shù)據(jù)分組的SVM半監(jiān)督學(xué)習(xí)分類流程

下載: 全尺寸圖片幻燈片

圖 4 半監(jiān)督學(xué)習(xí)下準(zhǔn)確率均值隨TF數(shù)據(jù)占比變化的情況

下載: 全尺寸圖片幻燈片

圖 5 各條指令表現(xiàn)的敏感度差異情況

下載: 全尺寸圖片幻燈片

圖 6 MOD4不同條件下的準(zhǔn)確率變化情況

下載: 全尺寸圖片幻燈片

表 1 指令集

指令序號(hào)及名稱			指令類型	描述
1-NOP			類型1 NOP	無操作
2-MOV_A_RR 5-MOV_RR_A 8-MOV_D_A	3-MOV_A_D 6-MOV_RR_D 9-MOV_D_RR	4- MOV_A_DATA 7-MOV_RR_DATA 10-MOV_D_DATA	類型2 MOV	移動(dòng)存儲(chǔ)器，復(fù)制操作數(shù)2到操作數(shù)1
11-ADD_A_RR	12-ADD_A_D	13-ADD_A_DATA	類型3 ADD	加法器加操作，將操作數(shù)的值加到加法器上并存儲(chǔ)
14-SUBB_A_RR	15-SUBB_A_D	16-SUBB_A_DATA	類型4 SUBB	從加法器中借位減操作
17-INC_A	18-INC_D	19-INC_RR	類型5 INC	增加操作數(shù)
20-JMP_A_DPTR			類型6 JMP	跳轉(zhuǎn)至數(shù)據(jù)指針+ DPTR代表的加法器地址
21-JNC			類型7 JNC	跳轉(zhuǎn)至相關(guān)地址如果進(jìn)位沒有設(shè)置

下載: 導(dǎo)出CSV

表 2 木馬基準(zhǔn)電路

名稱	描述
HT1	MC8051-T200，這個(gè)木馬在空閑模式激活8051內(nèi)部計(jì)時(shí)器
HT2	MC8051-T300，這個(gè)木馬在8051通過UART發(fā)送特定數(shù)據(jù)串時(shí)被觸發(fā)。目的是通過UART收到任意信息
HT3	MC8051-T500，這個(gè)木馬的觸發(fā)器檢測(cè)特定的命令，當(dāng)木馬激活后其負(fù)載可以替換特定的數(shù)據(jù)
HT4	MC8051-T600，這個(gè)木馬使得微控制器上運(yùn)行算法的任何跳轉(zhuǎn)失效
HT5	MC8051-T700，這個(gè)木馬用敵人預(yù)設(shè)數(shù)據(jù)替換一些輸入數(shù)據(jù)
HT6	MC8051-T800，這個(gè)木馬當(dāng)UART接收特殊字符時(shí)篡改堆棧指針

下載: 導(dǎo)出CSV

表 3 SVM常用核函數(shù)

名稱	表達(dá)式	參數(shù)
線性核	$\kappa ({{{x}}_i},{{{x}}_j}) = {{{x}}_i}^{\rm{T}}{{{x}}_j}$
多項(xiàng)式核	$\kappa ({{{x}}_i},{{{x}}_j}) = {({{{x}}_i}^{\rm{T}}{{{x}}_j})^d}$	$d \ge 1$為多項(xiàng)式的次數(shù)
高斯核	$\kappa ({ {{x} }_i},{ {{x} }_j}) = \exp \left( - \dfrac{ { { {\left\\| { { {{x} }_i} - { {{x} }_j} } \right\\|}^2} } }{ {2{\sigma ^2} } }\right)$	$\sigma > 0$為高斯核的帶寬

下載: 導(dǎo)出CSV

表 4 MOD1檢測(cè)率及運(yùn)行時(shí)間對(duì)比表

	線性核函數(shù)準(zhǔn)確率及運(yùn)行時(shí)間			多項(xiàng)式核函數(shù)準(zhǔn)確率及時(shí)間			高斯核函數(shù)準(zhǔn)確率及時(shí)間
	訓(xùn)練(%)	測(cè)試(%)	時(shí)間(s)	訓(xùn)練(%)	測(cè)試(%)	時(shí)間(s)	訓(xùn)練(%)	測(cè)試(%)	時(shí)間(s)
無預(yù)處理	83.30	100.00	0.02620	83.30	67.31	0.06912	83.30	57.24	0.10902
預(yù)處理+分組	98.00	83.30	0.01261	85.80	99.10	0.03929	98.00	83.30	0.02698

下載: 導(dǎo)出CSV

表 5 MOD3檢測(cè)率及運(yùn)行時(shí)間對(duì)比表

	線性核函數(shù)準(zhǔn)確率及時(shí)間			多項(xiàng)式核函數(shù)準(zhǔn)確率及時(shí)間			高斯核函數(shù)準(zhǔn)確率及時(shí)間
	訓(xùn)練(%)	測(cè)試(%)	時(shí)間(s)	訓(xùn)練(%)	測(cè)試(%)	時(shí)間(s)	訓(xùn)練(%)	測(cè)試(%)	時(shí)間(s)
無預(yù)處理	83.30	100.00	0.06944	83.30	100.00	0.06193	83.30	100.00	0.06800
預(yù)處理+分組	98.80	83.30	0.06526	66.70	100.00	0.07183	88.00	84.90	0.07139

下載: 導(dǎo)出CSV

表 6 MOD4檢測(cè)率及運(yùn)行時(shí)間對(duì)比表

	線性核函數(shù)準(zhǔn)確率及時(shí)間			多項(xiàng)式核函數(shù)準(zhǔn)確率及時(shí)間			高斯核函數(shù)準(zhǔn)確率及時(shí)間
	訓(xùn)練(%)	測(cè)試(%)	時(shí)間(s)	訓(xùn)練(%)	測(cè)試(%)	時(shí)間(s)	訓(xùn)練(%)	測(cè)試(%)	時(shí)間(s)
無預(yù)處理	85.94	85.08	0.02049	85.60	86.07	0.03807	85.83	85.38	0.05487
預(yù)處理+分組	97.80	97.80	0.01222	86.70	87.00	0.03904	97.60	98.40	0.03709

下載: 導(dǎo)出CSV

參考文獻(xiàn)(16)

鐘晶鑫, 王建業(yè), 闞保強(qiáng). 基于溫度特征分析的硬件木馬檢測(cè)方法[J]. 電子與信息學(xué)報(bào), 2018, 40(3): 743–749. doi: 10.11999/JEIT170443

ZHONG Jingxin, WANG Jianye, and KAN Baoqiang. Hardware Trojan detection through temperature characteristics analysis[J]. Journal of Electronics &Information Technology, 2018, 40(3): 743–749. doi: 10.11999/JEIT170443

RAD R M, WANG Xiaoxiao, TEHRANIPOOR M, et al. Power supply signal calibration techniques for improving detection resolution to hardware Trojans[C]. 2008 IEEE/ACM International Conference on Computer-Aided Design, San Jose, USA, 2008: 632–639. doi: 10.1109/ICCAD.2008.4681643.

LAMECH C, AARESTAD J, PLUSQUELLIC J, et al. REBEL and TDC: Two embedded test structures for on-chip measurements of within-die path delay variations[C]. 2011 IEEE/ACM International Conference on Computer-Aided Design, San Jose, USA, 2011: 170–177. doi: 10.1109/ICCAD.2011.6105322.

DU Dongdong, NARASIMHAN S, CHAKRABORTY R S, et al. Self-referencing: A scalable side-channel approach for hardware Trojan detection[C]. The 12th International Workshop on Cryptographic Hardware and Embedded Systems, Santa Barbara, USA, 2010: 173–187. doi: 10.1007/978-3-642-15031-9_12.

HE Jiaji, ZHAO Yiqiang, GUO Xiaolong, et al. Hardware Trojan detection through chip-free electromagnetic side-channel statistical analysis[J]. IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 2017, 25(10): 2939–2948. doi: 10.1109/TVLSI.2017.2727985

NARASIMHAN S, DU Dongdong, CHAKRABORTY R S, et al. Multiple-parameter side-channel analysis: A non-invasive hardware Trojan detection approach[C]. 2010 IEEE International Symposium on Hardware-Oriented Security and Trust, Anaheim, USA, 2010: 13–18. doi: 10.1109/HST.2010.5513122.

LIU Yu, JIN Yier, NOSRATINIA A, et al. Silicon demonstration of hardware Trojan design and detection in wireless cryptographic ICs[J]. IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 2017, 25(4): 1506–1519. doi: 10.1109/TVLSI.2016.2633348

FORTE D, BAO Chongxi, and SRIVASTAVA A. Temperature tracking: An innovative run-time approach for hardware Trojan detection[C]. 2013 IEEE/ACM International Conference on Computer-Aided Design, San Jose, USA, 2013: 532–539. doi: 10.1109/ICCAD.2013.6691167.

ZHAO Hong, KWIAT K, KAMHOUA C, et al. Applying chaos theory for runtime hardware Trojan detection[C]. 2015 IEEE Symposium on Computational Intelligence for Security and Defense Applications, Verona, USA, 2015: 1–6. doi: 10.1109/CISDA.2015.7208642.

JAP D, HE Wei, and BHASIN S. Supervised and unsupervised machine learning for side-channel based Trojan detection[C]. The 27th IEEE International Conference on Application-specific Systems, Architectures and Processors, London, UK, 2016: 17–24. doi: 10.1109/ASAP.2016.7760768.

BAO Chongxi, FORTE D, and SRIVASTAVA A. On reverse engineering-based hardware Trojan detection[J]. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2016, 35(1): 49–57. doi: 10.1109/TCAD.2015.2488495

INOUE T, HASEGAWA K, YANAGISAWA M, et al. Designing hardware Trojans and their detection based on a SVM-based approach[C]. The 12th IEEE International Conference on ASIC, Guiyang, China, 2017: 811–814. doi: 10.1109/ASICON.2017.8252600.

KULKARNI A, PINO Y, and MOHSENIN T. SVM-based real-time hardware Trojan detection for many-core platform[C]. 2016 17th International Symposium on Quality Electronic Design, Santa Clara, USA, 2016: 362–367. doi: 10.1109/ISQED.2016.7479228.

LODHI F K, HASAN S R, HASAN O, et al. Power profiling of microcontroller′s instruction set for runtime hardware Trojans detection without golden circuit models[C]. The Design, Automation & Test in Europe Conference & Exhibition, Lausanne, Switzerland, 2017: 294–297. doi: 10.23919/DATE.2017.7927002.

TEHRANIPOOR M and SALAMANI H. trust-HUB[OL]. https://www.trust-hub.org/, 2018.

李瑩, 周崟灝, 陳嵐. 一種旁路檢測(cè)方法及裝置[P]. 中國(guó)專利, CN109684881A, 2019.

LI Ying, ZHOU Yinhao, and CHEN Lan. A bypass detection method and device[P]. China patent, CN109684881A, 2019.

相關(guān)文章

施引文獻(xiàn)

資源附件(0)

訪問統(tǒng)計(jì)