Research article. DOI: 10.1145/3566097.3567896

Rethink before Releasing Your Model: ML Model Extraction Attack in EDA

Published: 31 January 2023

Abstract

Machine learning (ML)-based techniques for electronic design automation (EDA) have boosted the performance of modern integrated circuits (ICs). This achievement makes ML models important to the EDA industry. In addition, ML models for EDA are widely considered to have high development costs because of the time-consuming and complicated training data generation process. Thus, confidentiality protection for EDA models is a critical issue. However, an adversary could apply model extraction attacks to steal a model, in the sense of achieving performance comparable to that of the victim's model. As model extraction attacks have posed great threats in other application domains, e.g., computer vision and natural language processing, in this paper we study model extraction attacks on EDA models under two real-world scenarios. It is the first work that (1) introduces model extraction attacks on EDA models and (2) proposes two attack methods for the unlimited and limited query budget scenarios. Our results show that our approach can achieve performance competitive with the well-trained victim model without any performance degradation. Based on the results, we demonstrate that model extraction attacks truly threaten EDA model privacy, and we hope to raise concerns about ML security issues in EDA.

Published In

ASPDAC '23: Proceedings of the 28th Asia and South Pacific Design Automation Conference
January 2023
807 pages
ISBN: 9781450397834
DOI: 10.1145/3566097
In-Cooperation

  • IPSJ
  • IEEE CAS
  • IEEE CEDA
  • IEICE

Publisher

Association for Computing Machinery, New York, NY, United States


Badges

  • Best Paper

Qualifiers

  • Research-article

Conference

ASPDAC '23

Acceptance Rates

ASPDAC '23 Paper Acceptance Rate: 102 of 328 submissions, 31%
Overall Acceptance Rate: 466 of 1,454 submissions, 32%
