By navigating our site, you agree to allow us to use cookies, in accordance with our Privacy Policy.

Detecting Hardware Trojans using Machine Learning

State-of-the-art measurement technology and extremely fast clustering algorithm

Introduction

In our modern society, literally billions of electronic devices are used every day. In the future, this number will rise dramatically with the expansion of the Internet of Things (IoT). Accompanying this increase is the growing cybersecurity threat of hardware Trojans embedded in semiconductor chips for malicious purposes. With the increase in the outsourcing of circuit design, manufacturing, and the use of IP from outside suppliers, the risks from hardware Trojans are on the rise. Deploying devices with these vulnerabilities could put our society at huge risk, especially if they impact critical systems like e-commerce encryption, autonomous driving vehicles, or aviation controllers. Since it is essential  that these systems are free of any malicious circuitry, the ability to detect hardware Trojans in electronic systems is extremely important. A research team headed by Nozomi Togawa, a professor at Waseda University’s Faculty of Science and Engineering, who have been researching hardware Trojan detection, used Keysight’s CX3300A Device Current Waveform Analyzer to dramatically improve their Trojan detection capabilities. The CX3300 has state-of-the-art dynamic current measurement technology capable of capturing hard-to-measure signatures at high bandwidth. It also supports an advanced machine learning algorithm capable of identifying small anomalies in very large databases (>1 Terabyte). In this article, we will describe how these technologies improved Trojan detection.

Trojan detection challenges

Hardware Trojans can cause serious damage via operations such as signal stoppage and destruction. These operations can be achieved by inserting only a dozen gates into the circuit in the IC design phase (making them hard to discover). The best way to detect Trojans is from circuit schematics or main channel communication signals. Unfortunately, increased outsourcing of circuit design and manufacturing, as well as the use of IP from other companies, make it difficult to understand and verify  very detail of chip design and I/O patterns. This makes post silicon detection of Trojans by examining the main channel signal difficult and unreliable. On the other hand, the side channel signal from the supply current contains rich information about the semiconductor chip’s internal operations. If any malicious activities are present, then they will appear as supply current deviations. However, detecting Trojans by monitoring the supply current presents several challenges:

A. High-bandwidth, high-resolution current measurement

Semiconductor chips operate under high frequency clocks with multiple activities running concurrently, so their supply current deviations are fleeting and very small. This means that high-bandwidth and high-resolution current measurement technology is needed to identify Trojan activity.

Figure 1 (a). Side channel signal is shown when MCU operates AES-128 encryption during
its active period. The encryption is disabled once in thousand times to simulate Trojan.

Trojan-Activity
(b) When Trojan is active (AES is deactivated).                                                     (c) Normal state (AES is not deactivated).

B. Machine learning for big waveform data analytics

Since hardware Trojan activity rarely occurs, the ability to continuously measure at high speed and with high resolution uninterrupted for long time periods is required. However, this long-term, high-resolution data collection can create extremely large databases. For example, recording a 10MSa/s data stream for 24 hours creates a waveform database greater in size than 1 Terabyte. This mandates the use of some sort of machine learning algorithm that can rapidly sort through huge databases. Until recently, existing technologies fell short of meeting these requirements. The following sections describe how Keysight Technologies solved these challenges.

High-bandwidth, high-resolution current sensing

The following figures show an example of detecting Trojan activity through analysis of the side-channel supply current signal. In this example, a low-power MCU has been programmed to encrypt payload data using AES-128 during its active period, with no activity occurring during sleep mode. However, in this case, there is a Trojan that disables the encryption occasionally. A supply current pulse train infected by the Trojan is shown in Figure1 (a). It is difficult to distinguish the pulses that are normal and infected visually. The magnified views show the signal differences when the Trojan is active (b) and inactive (c). Still, it is hard to distinguish between the two signals. If we expand the initial portion of the pulses, then we can see that there are micro-ampere-level differences with frequency components of several MHz.

Detection is only possible using high-resolution and high- bandwidth current sensing technology (beyond the performance capabilities of conventional current probes). Many current sensing technologies exist. For example, popular clamp-on current probes have a minimum measurable current of only at around 1-3mA [2]. This is insufficient for Trojan detection. In contrast, Keysight’s CX1101A current sensor can measure currents as small as 3μA with up to 100 MHz of bandwidth using an internal shunt resistor of 0.41ohm [3]. This low-level and high-bandwidth measurement capability is enabled by an innovative current sensing scheme that combines resistive current sensing at DC and low-frequency with magnetic current sensing at higher frequencies. Due to its small insertion resistance, large current spikes cannot cause a large power rail voltage drop sufficient to trigger MCU device brown-out. For these reasons, Keysight’s CX1101A current sensor can precisely capture dynamic current flow of the side channel signals.

Machine Learning for Big Measurement Data Analytics

Machine learning algorithms are classified into two categories: supervised and unsupervised. Supervised learning is used to detect known patterns, while unsupervised learning is best when the goal is to detect unknown anomalies. Since the signature created by Trojans is unknown, unsupervised learning is more useful when attempting to detect them. Among unsupervised learning algorithms, clustering has become an essential tool for analyzing big data in many applications. While many implementations of unsupervised machine learning algorithms utilizing clustering have been developed, most have been unable to handle large amounts of waveform data. The issue is that waveforms are numerical arrays containing thousands of data points. A waveform database containing millions of waveform segments each consisting of thousands of data points presents a difficult challenge in terms of data analysis and classification. Sorting and classifying such a massive database using conventional algorithms requires extensive computing resources and long processing times. However, Keysight has developed a new algorithm that can process huge amounts of waveform data using a low-cost PC platform in the same amount of time as large computing server solutions. The computation time of Keysight’s algorithm is linear versus data volume and imension, even if the size of the measurement database exceeds far beyond the CPU main memory (Figure 2 (a)). Due to numerous innovations, the performance of Keysight’s algorithm running on an off-the-shelf PC is equivalent to that of comparable algorithms running on large computing servers containing 300-400 CPU cores. This represents a x100-x1000 speed improvement over conventional algorithms.

During data acquisition, the software uses the oscilloscope trigger function to define waveforms, which are simultaneously pre-sorted into approximate clusters (or tags) by a Real-Time Tagging process (Figure 2 (b)). The pre-sorted results are stored into the Tag database, which is a concise summary of all the waveforms. The size of the tag database is about 1/100 to 1/500 of the lossless database, which contains a complete archive of all the waveforms. These capabilities enable a user to begin analysis immediately after data acquisition completes. Because the tag database utilizes waveform meta-data, major data analysis operations can complete in 10 seconds or less. Changes to the number of clusters and sub-clustering (breaking a selected cluster down into further clusters), also complete very quickly. If the tag database does not have enough resolution to allow sub-clustering, then detail clustering using the lossless database can be performed. In addition to these features, a cluster focused playback capability allows near real-time viewing of captured waveforms, as well as the ability to locate specific waveform shapes rapidly. This technology allows quick and easy identification of even a one-in-a-million waveform.

Ultra-fast Clustering Algorithm
Figure 2. Ultra-fast Clustering Algorithm.

Successful Trojan detection

Figure 3 shows an example of Trojan detection through analysis of the side channel supply current waveforms. Immediately after data acquisition completed, the software divided the captured waveforms into four clusters. The two main clusters (coded yellow and green) comprise the majority of the waveforms, but the software can differentiate the infected waveforms (coded in red) even though they only differ slightly from the main clusters. This type of analysis is not possible using an oscilloscope and current probe, because they lack the necessary resolution and bandwidth. In addition, conventional machine learning algorithms cannot handle waveforms of this number and complexity. Only the combination of the CX3300’s high-bandwidth high-resolution dynamic current measurement capabilities and Keysight’s ultra-fast clustering algorithm can provide such an efficient means to identify Trojans.

Figure 3. Clustering result of Trojan detection.

This technology has many uses beyond just hardware Trojan detection, as it is a very general-purpose tool for detecting anomalies in any big measurement data environment. Keysight plans on continuing to develop leading-edge machine learning algorithms and the state-of-the-art measurement technologies in the future.

References

[1] M. Goto, N. Kobayashi, G. Ren, M. Ogihara, “Scaling Up Heterogeneous Waveform Clustering for Long-Duration Monitoring Signal Acquisition, Analysis, and Interaction: Bridging Big Data Analytics with Measurement Instrument Usage Pattern”, IEEE International Conference of Big Data, Los Angeles, CA. USA. 2019, pp. 1794-1803.

[2] Keysight Technologies, “Evaluating current probe technologies for low-power measurements.” http://literature.cdn.keysight.com/litweb/pdf/ 5991-4375EN.pdf.

[3] Keysight Technologies, “CX3300 Series Device Current Waveform Analyzer Datasheet.” https://literature.cdn.keysight.com/litweb/pdf/ 5992-1430EN.pdf?id=2727780.

[4] K. Hasegawa, K. Chikamatsu, and N. Togawa, “Empirical Evaluation on Anomaly Behavior Detection for Low-Cost Micro-Controllers Utilizing Accurate Power Analysis”, IEEE International Symposium on On-Line Testing and Robust System Design (IOLTS), 2019, pp. 54-57.

About the Authors

Kiyoshi ChikamatsuKiyoshi Chikamatsu

Kiyoshi Chikamatsu is an R&D project manager at Keysight Technologies. Before joining Keysight, he was involved in military surveillance radar project for Japan Self-Defense Forces at NEC corporation, where he engaged in the development of 4GHz silicon power amplifiers. At Keysight, he pursued the cutting-edge device development to be used for high-sensitive precision test and measurement instruments, such as low-current relay which can switch on and off current down to a femto-ampere, equivalent to the current when ~6000 electrons move per second. Also, he invented the new type of current sensing technique combining resistive and magnetic method, described in the article, to measure the unmeasurable. These unique devices and techniques differentiated the Keysight Parametric Test System, Device Semiconductor Analyzer, and Device Current Waveform Analyzer. His interest is always somewhere around enabling technologies to break through the limitation in test and measurement to meet the unmet customer needs.

Masaharu Goto

Masaharu-GotoMasaharu Goto is a Principal Research Engineer in Keysight Technologies. He co-developed the ROOT/CINT scientific data analysis framework (https://root.cern.ch) for CERN’s LHC (Large Hadron Collider) experiment which was the world’s first big data project. He provided C++ interpreter (https://root.cern.ch/cint) for seamlessly connecting interactive big data exploration and high-performance computing. At Keysight, he spearheaded the research and development of various test and measurement systems for big measurement data environments. These systems enable the massive parametric measurements for the most advanced semiconductor research and high-volume production. His current research project combines big data analytics with real-time data processing for various test and measurement applications.

Alan Wadsworth

Alan Wadsworth is the Business Development Manager for Precision and Power Products for the Americas region at Keysight Technologies.He has over 30 years of industry experience in both IC design and parametric test, and he is the author of Keysight’s 277-page Parametric Measurement Handbook.

Tags

BiS Team

BIS Infotech is a vivid one stop online source protracting all the exclusive affairs of the Consumer and Business Technology. We have well accomplished on delivering expert views, reviews, and stories empowering millions with impartial and nonpareil opinions. Technology has become an inexorable part of our daily lifestyle and with BIS Infotech expertise, millions of intriguers everyday are finding for itself a crony hangout zone.

Related Articles