Bias Busters: Robustifying DL-based Lithographic Hotspot Detectors Against Backdooring Attacks
This work addresses a security problem for semiconductor design engineers by providing a robust defense against backdoor attacks in CAD tools, though it is incremental as it builds on existing research in adversarial machine learning.
The paper tackles the vulnerability of deep learning-based lithographic hotspot detectors to backdooring attacks, where malicious actors can manipulate training data to cause misclassification. The authors propose a novel training data augmentation defense that reduces the attack success rate from 84% to approximately 0%.
Deep learning (DL) offers potential improvements throughout the CAD tool-flow, one promising application being lithographic hotspot detection. However, DL techniques have been shown to be especially vulnerable to inference and training time adversarial attacks. Recent work has demonstrated that a small fraction of malicious physical designers can stealthily "backdoor" a DL-based hotspot detector during its training phase such that it accurately classifies regular layout clips but predicts hotspots containing a specially crafted trigger shape as non-hotspots. We propose a novel training data augmentation strategy as a powerful defense against such backdooring attacks. The defense works by eliminating the intentional biases introduced in the training data but does not require knowledge of which training samples are poisoned or the nature of the backdoor trigger. Our results show that the defense can drastically reduce the attack success rate from 84% to ~0%.