Detect hardware Trojans using machine learning technology

Hardware Trojans embedded in semiconductor chips are increasing

Keysight Technologies' three experts include Mr. Kiyoshi Chikamatsu - R&D Project Director, Masaharu Goto - Principal Research Engineer and Alan Wadsworth - Business Development Director of Precision and Source Products for the Americas of Keysight has an analysis of the difficulties and challenges of detecting and effective ways to identify these types of malicious computer programs.

According to experts, the threat of cybersecurity from hardware Trojans embedded in semiconductors with malicious intent is increasing (Artwork).

Billions of electronic devices are used every day, according to experts' analysis, and this number will increase dramatically as the Internet of Things (IoT) expands. Along with this development is the growing cybersecurity threat of hardware Trojans embedded in maliciously targeted semiconductors.

As it becomes more common to outsource the design, manufacture of circuits, and use of IP (intellectual property) from outside vendors, the risk of hardware Trojans also increases. Deploying devices with these vulnerabilities could put society at great risk, especially if those devices affect essential systems like e-commerce encryption, self-driving cars, or aeronautical control control systems. Due to the need to ensure that these systems do not contain any harmful electrical circuits, the ability to detect hardware Trojans in electronic systems is of utmost importance.

A research team led by Mr. Nozomi Togawa, led by professor at Waseda University's Faculty of Science and Engineering - who has extensive experience in hardware Trojan detection, used an electric waveform analyzer. Keysight's CX3300A device to significantly improve their Trojan detection capabilities. The CX3300 features state-of-the-art dynamic current measurement technology capable of recognizing difficult to measure at high bandwidths. This analyzer also supports an advanced machine learning algorithm capable of identifying small anomalies in very large (> 1 Terabyte) databases.

Many challenges in Trojan detection

Hardware Trojans can cause serious damage in a variety of ways such as signal downtime and destruction. The Trojan does these operations just by inserting certain ports into the board during IC design, so these ports are difficult to detect.

The best way to detect the Trojan is from the schematic or main channel communication signals. Unfortunately, the increasing outsourcing of circuit design and manufacturing, as well as the use of IPs by other companies, has made it difficult to understand and verify every detail of chip design and I / patterns. O.

This makes detecting the Trojan after manufacturing the circuit by checking the main channel signal more difficult and unreliable. The side-channel signal from the current, on the other hand, contains a wealth of information about the inner workings of the semiconductor chip. If there is any harmful activity, it will appear as variation in the supply current.

However, experts also point out that detecting a Trojan by monitoring the power current has some challenges.

Specifically, in terms of high-bandwidth, high-resolution current measurement, semiconductor chips operate under high-frequency clocks with many tasks running simultaneously, so their supply current variation is quite erratic and has a very small value. This means high-bandwidth and high-resolution current measurement technology is required to determine Trojan activity.

As for machine learning for waveform big data analysis, since hardware Trojan activity rarely occurs, it is necessary to be able to continuously measure at high speed and resolution without interruption in time. long time. But collecting high-resolution data over a long period of time can create extremely large databases. For example, recording a 10MSa / s data stream for 24 hours would produce a waveform database larger than 1 Terabyte. Therefore, there needs to be some kind of machine learning algorithm that can quickly process huge databases. However, the available technologies so far have not met these requirements.

On the other hand, Keysight's research shows that only high-resolution and high-bandwidth current sensing technology, such as the one used in Keysight's CX1101A series sensor, can. accurately measure the dynamic current of the side-channel signals, so that current variation can be detected.

Machine learning is for analyzing big data about measurement

Unattended machine learning algorithms are often used to detect anomalies, such as those generated by Trojans. Among the unsupervised learning algorithms, the clustering algorithm has become an essential tool for analyzing big data in many applications. Although this algorithm has been implemented in many different forms, most cannot handle large amounts of waveform data, as these are index arrays containing thousands of data points.

A database containing millions of waveform segments, each consisting of thousands of data points, presents a difficult data analysis and classification challenge. It takes a lot of computing resources and processing time to be able to sort and classify such a huge database using conventional algorithms.

However, Keysight developed a new algorithm that can handle large amounts of waveform data using a low-cost PC platform with the same processing time as using large compute server solutions. . The Keysight algorithm's computation time is linearly proportional to the volume and size of the data, even in cases where the size of the measurement database is much larger than the main CPU memory.

With many improvements, the performance of the Keysight algorithm running on an old PC is equivalent to the performance of other algorithms running on large servers containing 300-400 CPUs. The processing speed of this algorithm is 100 - 1000 times higher than conventional algorithms.

Thanks to these features, analysis can begin immediately after data collection is completed, and key data analysis operations can be completed in 10 seconds or less. Near real-time display of measured waveforms and the ability to instantly detect specific waveforms allow a waveform to be quickly and easily identified among millions of waveforms.

Successfully detected Trojan

The oscilloscope and the standard probe do not have the resolution and bandwidth required to analyze the power supply current waveforms of the side channel. In addition, conventional machine learning algorithms cannot handle the number and complexity of these waveforms. To date, the combination of the CX3300's broadband high-resolution dynamic current measurement and Keysight's ultra-fast clustering algorithm is the only effective means of identifying Trojans.

In addition to hardware Trojan detection, this technology has many other uses, as it is a versatile tool for detecting anomalies in any large measurement data environment. Going forward, Keysight plans to continue to develop advanced machine learning algorithms and state-of-the-art measurement technology.