I Introduction
Recently, the globalization of the modern integrated circuit (IC) industry has raised more and more hardware security challenges. For example, intellectual property (IP) cores and EDA tools provided by third parties are widely used in IC design to reduce development cost and to shorten the marketing cycle [1]. As third-party IP cores are designed by outsourced vendors, an adversary can easily insert malicious logic into IP cores, referred to as Hardware Trojans (HTs).
HTs are lightweight structures in large-scale IC designs, which commonly contain two components called the Trojan trigger and the Trojan payload [2]. The Trojan trigger is responsible for monitoring signals to determine whether the trigger signal has arrived. If the Trojan trigger is not activated, HTs stay dormant and have no effect on the original circuit. If the Trojan trigger is activated, the Trojan payload performs specific malicious operations such as changing functionality, degrading performance and revealing secret information [3]. Since most HTs have extremely rare trigger conditions, it is very challenging to detect suspicious Trojan logics in the circuit under detection (CUD).
The existing HT detection techniques can be roughly classified into five major groups: reverse engineering [4, 5, 6], side-channel analysis [7, 8, 9, 10, 11, 12, 13], static structure analysis [15, 16, 17, 18, 19, 20], statistical feature analysis [21, 22, 23, 24, 25], and functional testing [26, 27, 28, 29]. In reverse engineering, a fabricated chip is completely dissected layer by layer in order to reconstruct the IC design and detect malicious modifications. Reverse engineering approaches are prohibitively expensive, and it is impossible to carry out reverse engineering for each chip under test. In side-channel analysis, the impacts of HTs on circuit delay, transient current, leakage power and so on are used to detect whether there are HTs in the CUD. Side-channel analysis approaches can detect HTs inserted in the post-fabrication stage. However, side-channel analysis usually requires a “Golden Circuit” for impact comparison and is also susceptible to process variations or environmental noise, which can result in many false positives. Like software virus detection techniques, static structure analysis methods perform HT detection by analyzing circuit structure characteristics. Though static structure analysis is an effective HT detection approach, it can only detect known types of HTs. There are intrinsic differences between Trojan logics and normal circuits, so statistical feature analysis approaches can be used to detect potential HTs in the CUD. Functional testing approaches try to generate test vectors to activate potential HTs and propagate the HTs’ effects to the primary outputs. Though functional testing is independent of process variations and environmental noise, it usually consumes a significant amount of time due to the high concealment of HTs.
The key insight of our approach is that Trojans are usually inserted in regions with low controllability and low observability in order to maintain high concealment, so Trojan logics exhibit extremely few transitions during simulation. In information theory, if an event is improbable, it provides much more information when it happens. That is, the logical regions with few transitions provide us with more abundant and more important information for Trojan detection. In this paper, we propose a novel HT detection method using information entropy based clustering, named HTDet. Firstly, digital stimuli are generated for the CUD. Then the information entropy of the signal sequence of each wire is calculated, and a typical density-based clustering algorithm called Density-Based Spatial Clustering of Applications with Noise (DBSCAN) is applied to obtain all suspicious Trojan logics. Further, a heuristic test pattern generation method using mutual information is developed to increase the transitions of these suspicious Trojan logics. In summary, this paper makes the following contributions:

To the best of our knowledge, this is the first attempt to use information entropy to detect HTs in hardware design, and HTDet achieves good experimental results.

An unsupervised learning algorithm, DBSCAN, is used for Trojan detection, which means that HTDet does not require a “Golden Circuit”. Further, HTDet does not require that the Trojan logic is pushed into the triggering state. As long as the transitions of logical regions are extremely low, HTDet can detect them based on the density-reachable relationship.

We develop a heuristic test pattern generation method using mutual information to increase the transitions of suspicious Trojan logics.

We carry out extensive evaluation on TrustHub benchmarks [34], which shows that the proposed technique can detect suspicious Trojan logics with negligible false positives.
The rest of this paper is organized as follows. Section 2 and Section 3 introduce the theoretical basis and the threat model, respectively. We present the proposed HT detection method in detail in Section 4. Section 5 presents the test pattern generation method for suspicious Trojan logics in detail. Experimental analysis is presented in Section 6. Section 7 briefly summarizes the related work. Finally, we conclude this paper in Section 8.
II Theoretical Basis
In this paper, we perform HT detection using information theory [30]. In this section, we give the theoretical basis of the proposed approach.
II-A Information Entropy
Information entropy is also known as the self-information, which is the average rate at which information is produced by a source of data. Entropy is a measure of uncertainty about a random variable.
Let X be a discrete random variable, and its probability distribution is consistent with
, where . Hence, the entropy of X can be explicitly written as(1) 
, where b is the base of the logarithm used. In this paper, b is equal to the mathematical constant e. In the case of , the value of is taken to be 0, which is consistent with the limit.
(2) 
II-B Joint Entropy
In information theory, joint entropy is a measure of the uncertainty associated with a set of variables. In this paper, we focus on the joint entropy of two random variables.
Similarly, let X and Y be two discrete random variables, and their probability distribution is , where and . Hence, the joint entropy of X, Y can be presented as
(3) 
II-C Conditional Entropy
In information theory, the conditional entropy quantifies the amount of information needed to describe the outcome of a random variable Y given that the value of another random variable X is known.
The entropy of Y conditioned on X is defined by the following formula.
(4)  
II-D Mutual Information
The mutual information of two variables is a measure of the mutual dependence between the two variables. More specifically, the mutual information quantifies the amount of information obtained about one random variable through observing the other random variable.
Let X, Y be two discrete random variables, and their joint probability distribution is . Hence, the mutual information between X and Y can be defined as
(6) 
According to the correlation between probability distributions and the chain rule, Can also be expressed as
(7)  
III Threat Model
The threat model of proposed method is based on several assumptions.

With the globalization of chip design, adversaries have more opportunities to insert HTs into a digital circuit design than before. The design can be a gate-level netlist or register transfer language (RTL).

Our threat model assumes that the hardware design that we are given is in the form of a digital circuit design.

The goal of the attack is to change functionality, destroy the IC, and/or leak secret information through logical attack, rather than through side channels such as current, power or electromagnetic.
IV HTDet Methodology
In this section, we first provide the feasibility analysis of the proposed HT detection method. Then the technical details of HTDet are presented. The core problem is whether information entropy and a clustering algorithm can be used to detect suspicious Trojan logics in the circuit under detection (CUD).
IV-A Feasibility Analysis
The key insight of HTDet is that there is a significant difference between the Trojan logic and the rest of the circuit. More specifically, the HT is usually inserted in logical regions with low controllability and low observability, which gives the Trojan logic a very low transition probability. Moreover, in information theory [30], if an event is very probable, little information is provided when it happens. Conversely, if the event is improbable, it provides much more information when it happens.
That is, the logical regions with few transitions provide us with more abundant and more important information for HT detection. However, directly applying the transition probability for Trojan detection results in high false positives. For example, consider signal wires (from to ) with the transition probabilities listed in Table 1.
Wire  

Transition Probability 
Due to the density-reachable relationship between low transition probability and high transition probability, signal wires from to can be reported as suspicious Trojan logic, as shown in Figure 1 (blue line). The use of information entropy, in contrast, can significantly reduce false positives. As shown in Figure 1 (orange line), signal wires from to can be reported as suspicious Trojan logic.
This is because information entropy can break the connectivity between low transition probability and high transition probability, and it is more sensitive to low transition probability, as shown in Figure 2. It can be seen that the density-reachable relationship between signal wires (from to ) is much closer than the density-reachable relationship between low transition probability and high transition probability.
It has been proven that the information entropy takes its maximum value when is equal to . In other words, when = = 0.5, the corresponding information entropy takes its maximum value. The transition probability-information entropy curve, according to formula (1), is shown in Figure 3. Because the information entropy is symmetric, the minimum value is taken when = 0 or = 1. Therefore, we should exclude the noise data that has very low information entropy because of much large .
Besides, mutual information can measure the correlations between primary inputs and internal signal wires, which is beneficial to test pattern generation. Therefore, we are the first to propose applying information theory in the field of HT detection.
IV-B The Application of Information Entropy
In order to apply information entropy to HT detection, we first use functional testing to generate digital stimuli for the CUD. We believe that the set of test patterns developed during design verification can satisfy this step. The goal of this step is to perform functional tests for the CUD with as high coverage as possible. After the functional tests, we obtain the original waveform of each signal wire in the CUD, which contains only binary values (0 or 1). Our goal is to use the information entropy to evaluate the controllability and observability of each logical region such that we can effectively distinguish Trojan logic from the rest of the circuit.
However, we cannot use the original waveform for HT detection directly. For example, a signal transition occurs only once in , while has five signal transitions, as shown in Figure 4(a). Because the HT is usually inserted in logical regions with low controllability and low observability, the Trojan logic has a very low transition probability. Hence, the logical region of should be more likely to be Trojan logic than . However, the information entropy of both and is 0.6931 according to formula (1) because the probability of 0 (0.5) and 1 (0.5) in is the same as in .
Therefore, we should focus on the distribution of signal transitions rather than the distribution of 0 and 1, so that we can use the information entropy to evaluate the controllability and observability of each logical region. To this end, we encode the original waveform according to the following rules. We assume that the original waveform OW = . For each signal pair , i = 1, 2, …, n, if = , we encode as 0; if = , we encode as 1; if = , we encode as 1; if = , we encode as 0. The encoded waveforms corresponding to the original waveforms of and are shown in Figure 4(b). Then, we use formula (1) to calculate the information entropy of each encoded waveform. The information entropy of (corresponding to ) is approximately equal to 0.3488, and the information entropy of (corresponding to ) is approximately equal to 0.6870, which is more in line with the results that we expect.
We apply the information entropy to distinguish differences between Trojan logic and the normal circuit. Many experiments demonstrate that the information entropy of each wire is almost consistent with the controllability measure [32] of this signal wire in the CUD. As shown in Figure 5, we can obtain the information entropy of each wire in the given circuit after functional testing ( cycles). It can be seen that the information entropy at the output of the AND gate is 0.13820, the information entropy at the input (top) of the AND gate is 0.22966 and the information entropy at the input (bottom) of the AND gate is 0.66271 due to different circuit structures.
IV-C HT Detection based Clustering
It is worth noting that our circuit analysis focuses on the state of internal wires in the CUD rather than on circuit structure. For convenience of discussion, we define CUD = , where PI is the set of primary inputs, W is the set of internal signal wires and POUT is the set of primary outputs. More formally, PI = , and W = and POUT = . After functional testing, we encode each original waveform of the CUD and calculate the information entropy of each encoded waveform. Once the above step is complete, we apply a typical density-based clustering algorithm called Density-Based Spatial Clustering of Applications with Noise (DBSCAN) to perform HT detection in the information entropy space composed by W and POUT.
In the given data space, the density is defined as the number of data points within a specified radius (r). A core point is a point that has more than a specified number of data points (MinPts) within its r-neighborhood; a border point has fewer than MinPts within its r-neighborhood but lies in the r-neighborhood of a core point; and any point that is neither a core point nor a border point is called a noise point. Moreover, data point q is directly density-reachable from another point p if p is a core point and q is within the r-neighborhood of p. Data point q is density-reachable from another point p if there is a path of points (p) … (q) such that point is directly density-reachable from point . Data point p and data point q are density-connected if there is a data point o such that both p and q are density-reachable from o.
The basic idea of DBSCAN is to find the maximal sets of density-connected points. That is, all points within the cluster are mutually density-connected. Algorithm 1 shows the clustering process in the information entropy space.
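The waveform encoding, the entropy calculation and the clustering step described above, as an added Python example (not the authors' code or Algorithm 1). The two 10-sample waveforms and the 51 transition probabilities are constructed; reading the encoding as the XOR of consecutive samples, counting a point in its own r-neighborhood, and flagging the cluster that holds the lowest value are assumptions of this example.

```python
import math
from collections import Counter


def entropy(seq):
    """Shannon entropy of a symbol sequence with natural log (b = e)."""
    n = len(seq)
    return sum(-(c / n) * math.log(c / n) for c in Counter(seq).values())


def encode(waveform):
    """Transition encoding (assumed XOR rule): 1 = samples differ, 0 = same."""
    return [a ^ b for a, b in zip(waveform, waveform[1:])]


def binary_entropy(p):
    """Entropy of an encoded waveform whose transition probability is p."""
    if p in (0.0, 1.0):
        return 0.0
    return -p * math.log(p) - (1 - p) * math.log(1 - p)


def dbscan_1d(values, r, min_pts):
    """DBSCAN on scalars. Returns one label per point: cluster id, or -1 (noise).
    A point counts itself among its neighbours (assumption of this example)."""
    n = len(values)
    neigh = [[j for j in range(n) if abs(values[i] - values[j]) <= r]
             for i in range(n)]
    labels = [None] * n
    cid = -1
    for i in range(n):
        if labels[i] is not None:
            continue
        if len(neigh[i]) < min_pts:
            labels[i] = -1              # noise for now; may become a border point
            continue
        cid += 1
        labels[i] = cid
        queue = list(neigh[i])
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cid         # border point reached from a core point
            if labels[j] is not None:
                continue
            labels[j] = cid
            if len(neigh[j]) >= min_pts:
                queue.extend(neigh[j])  # j is a core point: keep expanding
    return labels


def flagged(values, r, min_pts):
    """Indices in the cluster that holds the smallest value (assumed flagging rule)."""
    labels = dbscan_1d(values, r, min_pts)
    lowest = min(range(len(values)), key=values.__getitem__)
    if labels[lowest] == -1:
        return [lowest]
    return [i for i, lab in enumerate(labels) if lab == labels[lowest]]


# Constructed waveforms: five 0s and five 1s each, with one and five transitions.
W_RARE = [0, 0, 0, 0, 0, 1, 1, 1, 1, 1]
W_BUSY = [0, 0, 1, 0, 1, 1, 0, 0, 1, 1]

# Constructed transition probabilities: 4 rarely toggling wires, then 47 ordinary ones.
PROBS = [0.005, 0.010, 0.015, 0.020] + [k / 100 for k in range(4, 51)]
ENTROPIES = [binary_entropy(p) for p in PROBS]

if __name__ == "__main__":
    for name, w in (("rare", W_RARE), ("busy", W_BUSY)):
        print(name, "raw:", round(entropy(w), 4),
              "encoded:", round(entropy(encode(w)), 4))
    print("flagged in probability space:", len(flagged(PROBS, 0.05, 3)))
    print("flagged in entropy space:    ", flagged(ENTROPIES, 0.05, 3))
```

With r = 0.05 and MinPts = 3, clustering the raw transition probabilities chains all 51 wires into one cluster, while clustering the entropies isolates the four rarely toggling wires.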
V Test Pattern Generation for Suspicious Trojan Logics using Mutual Information
In Section 4, the proposed HT detection method finds suspicious Trojan logics. This section introduces a heuristic test pattern generation method using mutual information, which can further increase the transitions of suspicious Trojan logics. As depicted in Figure 6, the correlation between each suspicious Trojan logic and each primary input is measured by mutual information. If the mutual information is greater than the threshold, the corresponding primary input is referred to as a strongly correlated primary input (SCPI) of this suspicious Trojan logic. Therefore, each suspicious Trojan logic maintains a set of SCPIs (SSCPI). Then, a heuristic algorithm is developed to select the minimum number of SCPIs that cover all suspicious Trojan logics.
V-A Feasibility Analysis
In information theory, the mutual information between X and Y measures the mutual dependence between the two variables. That is, mutual information can measure the correlation between two variables [33]. If X and Y are independent, their mutual information is zero. If X is a deterministic function of Y (and Y is also a deterministic function of X), then knowing the value of X determines the value of Y and vice versa. In this case, the mutual information between X and Y is the same as H(X) and H(Y).
Naturally, each circuit logic can be expressed as a Boolean function of different primary inputs, which conforms to this notion of correlation. For example, we can obtain three Boolean formulas d = ab, e = and f = ab + for the given circuit structure, as shown in Figure 7. Hence, d and c, e and a, and e and b are independent, so their mutual information must be zero; e is a deterministic function of c, so their mutual information is the same as H(c) and H(e); and the mutual information I(d; a) should be equal to the mutual information I(d; b) because of the same circuit logic. It is worth noting that the mutual information I(f; a) is different from the mutual information I(f; c) because of different circuit logic (AND gate and Inverter). In short, the higher the mutual information of two variables, the stronger their correlation.
V-B Correlation Calculation using Mutual Information
We consider the set of primary inputs PI = and the set of suspicious Trojan logics (wires) SW = , where t m+n. Firstly, we calculate the mutual information I(; ) between each suspicious Trojan logic and each primary input , where i = 1, 2, …, t and j = 1, 2, …, l. According to formula (7), I(; ) = H() + H() − H(, ). Because each encoded waveform only contains 0 (non-transition) and 1 (transition), H(,) =  according to formula (3). If I(; ) is greater than the threshold, we refer to the primary input as the SCPI of suspicious Trojan logic . For each , its threshold is equal to , where l is the number of primary inputs. Finally, each suspicious Trojan logic will have an SSCPI, and the strong correlation between primary inputs and suspicious Trojan logics constitutes a strong correlation list, as shown in Table 2.
…  
1  0  1  …  1  
0  1  1  …  1  
…  …  …  …  …  … 
1  1  0  …  1 
V-C Test Patterns Generation
Our goal is to select the minimum number of SCPIs that cover all suspicious Trojan logics. We define as the set of suspicious Trojan logics whose SSCPI includes , define the ‘+’ operation between sets as equivalent to the ‘union’ operation between sets, and define the ‘’ operation between sets as equivalent to the ‘difference’ operation between sets. For example, = , = , + = , and  = . Therefore, the problem can be abstracted as the following formula, where . If is selected, = 1, otherwise 0.
(8)  
We develop a heuristic method to solve this problem. We define indicates the optimal solution when and . As shown in formula (9), it can be seen that is the optimal solution of formula (8). Algorithm 2 shows the core of the solution. Then we perform constrained-random simulation, setting every primary input that is not in the SCPIs to logic 0 or logic 1. For the rest of the primary inputs, which are in the SCPIs, we still generate full-random stimuli to perform simulation.
(9) 
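The SCPI selection and constrained stimulus described in this section, as an added Python example (not the authors' code or Algorithm 2). The five inputs, the three wires, the per-wire mean-MI threshold, the greedy set-cover heuristic and the hold value of 1 are assumptions; the stimulus enumerates every ordered pair of consecutive input vectors once, which is what full-random simulation converges to.

```python
import math
from collections import Counter
from itertools import product

PIS = ["a", "b", "c", "g", "h"]            # constructed primary inputs
WIRES = {                                  # constructed suspicious wires
    "s1": lambda v: v["a"] & v["b"] & v["c"],
    "s2": lambda v: v["a"] & v["b"] & v["g"],
    "s3": lambda v: v["c"] & v["h"],
}


def entropy(symbols):
    """Shannon entropy with natural log; symbols may be bits or tuples of bits."""
    n = len(symbols)
    return sum(-(c / n) * math.log(c / n) for c in Counter(symbols).values())


def mutual_information(x, y):
    """I(X;Y) = H(X) + H(Y) - H(X,Y) on two encoded waveforms."""
    return entropy(x) + entropy(y) - entropy(list(zip(x, y)))


def transitions(free, hold):
    """Encoded samples (1 = transition) for every ordered pair of consecutive
    input vectors. Inputs in `free` take all values; others stay at hold[name]."""
    vectors = [dict(hold, **dict(zip(free, bits)))
               for bits in product((0, 1), repeat=len(free))]
    enc = {name: [] for name in PIS + list(WIRES)}
    for u, v in product(vectors, repeat=2):
        for pi in PIS:
            enc[pi].append(u[pi] ^ v[pi])
        for w, fn in WIRES.items():
            enc[w].append(fn(u) ^ fn(v))
    return enc


def scpi_sets(enc):
    """Strongly correlated primary inputs per wire. Threshold: that wire's mean MI
    over all primary inputs (assumption; the page's threshold is not recoverable)."""
    sets = {}
    for w in WIRES:
        mi = {pi: mutual_information(enc[w], enc[pi]) for pi in PIS}
        threshold = sum(mi.values()) / len(PIS)
        sets[w] = {pi for pi, val in mi.items() if val > threshold}
    return sets


def greedy_cover(sets):
    """Greedy set cover: repeatedly take the input that is an SCPI of the most
    still-uncovered wires (ties go to the earlier input in PIS)."""
    uncovered, chosen = set(sets), []
    while uncovered:
        best = max(PIS, key=lambda pi: sum(pi in sets[w] for w in uncovered))
        if not any(best in sets[w] for w in uncovered):
            raise ValueError("a wire has no SCPI; lower its threshold")
        chosen.append(best)
        uncovered -= {w for w in uncovered if best in sets[w]}
    return chosen


def transition_rate(enc, wire):
    """Fraction of consecutive sample pairs in which the wire toggles."""
    return sum(enc[wire]) / len(enc[wire])


FULL = transitions(PIS, {})                        # full-random limit
SETS = scpi_sets(FULL)
COVER = greedy_cover(SETS)
HELD = {pi: 1 for pi in PIS if pi not in COVER}    # hold value 1 is an assumption
CONSTRAINED = transitions(COVER, HELD)

if __name__ == "__main__":
    print("SCPI sets:", {w: sorted(s) for w, s in SETS.items()})
    print("selected inputs:", COVER)
    for w in WIRES:
        print(w, transition_rate(FULL, w), "->", transition_rate(CONSTRAINED, w))
```

Here the cover is a and c, and holding b, g and h at 1 raises the transition rate of s1 from 0.21875 to 0.375. Holding b at 0 instead would pin s1 at 0, so the hold value has to be picked per input.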
VI Experiments and Evaluations
The proposed approach is evaluated on different digital circuit designs from the TrustHub benchmarks [34]. All circuits are synthesized by Synopsys Design Compiler (DC) with the Semiconductor Manufacturing International Corporation cell library for a 90nm silicon-on-insulator process. All circuits are simulated by Verilog Compiled Simulator (VCS) with as high coverage as possible. We conduct data processing experiments and data analysis experiments on a computer with a 2.8 GHz Intel Core i7 CPU and 8GB memory [35]. Brief information about the benchmarks used in our experiments is provided in Table 3.
Circuit  # units  Features of HT 

RS232_T1000  215  Trojan trigger is a combinational comparator; change functionality 
RS232_T1100  217  Trojan trigger is a sequential comparator; change functionality 
RS232_T1200  216  Trojan trigger is a sequential comparator; change functionality 
RS232_T1300  213  Trojan trigger is a combinational comparator; change functionality 
RS232_T1400  215  Trojan trigger is a sequential comparator; change functionality 
RS232_T1500  216  Trojan trigger is a sequential comparator; change functionality 
RS232_T1600  214  Trojan trigger is a sequential comparator; change functionality 
s15850_T100  2182  Trojan trigger consists of two comparators and two flip-flops; leak an internal signal. 
s35932_T200  5438  Trojan trigger is a comparator; denial of service. 
s38417_T100  5341  Trojan trigger is a comparator; change functionality, denial of service. 
VI-A Clustering Comparison between Information Entropy Space and Transition Probability Space
In our experiments, our method can detect all suspicious Trojan logics in the CUD. Taking RS232_T1000 and RS232_T1100 as examples, we present the difference in clustering between the information entropy space and the transition probability space. Figure 8(a) and Figure 8(b) show the clustering results for the RS232_T1000 and RS232_T1100 benchmarks, respectively. It is worth noting that the clustering process only focuses on the density-reachable relationship of the information entropy space.
As shown in Figure 8, though the clustering algorithm can divide the information entropy space into several clusters (2 or 3), the circuit logics with extremely low information entropy are always divided into one cluster according to the density-reachable relationship. Similarly, we also use the transition probability for Trojan detection. Under the same parameters, Figure 9(a) and Figure 9(b) show the clustering results for RS232_T1000 and RS232_T1100, respectively.
It can be seen that using the transition probability results in high false positives. However, the information entropy can effectively distinguish the difference between Trojan logics and normal logics. In order to give a more intuitive insight into the difference between information entropy and transition probability, we sort the information entropy space and the transition probability space of the RS232_T1000 benchmark from lowest to highest, respectively. The distributions of information entropy and transition probability are shown in Figure 10. As shown in Figure 10(a), the area with low information entropy (red) and the other area (green) have an obvious density-unreachable relationship. However, the area with low transition probability and the other area are still density-reachable (red) in the transition probability space shown in Figure 10(b), which leads to poor Trojan detection performance. Because the information entropy can amplify the difference between low transition probability and high transition probability, it can effectively detect suspicious Trojan logics.
VI-B HT Detection Performance and Parameter Analysis
To further evaluate the effectiveness of HTDet, we manually check the suspicious Trojan logics reported by the clustering algorithm. The results are shown in Table 4. MinPts and r are the parameters used in the clustering process. The sensitivity of the results is measured by the true positive rate (TPR), i.e. the number of Trojan wires correctly detected as a percentage of the total number of Trojan logics. We also provide the true negative rate (TNR) results, which give the ratio of the true negatives over the number of non-Trojan logics. False positive rate (FPR = 1 − TNR) is the fraction of logics that are falsely flagged as being suspicious Trojan logics. It can be seen that HTDet can effectively detect Trojan logics of the CUD with extremely low false positives.
We also analyze the effect of the parameters MinPts and r on HT detection performance using the control variable method. When r is fixed to 0.05, both TPR and TNR decline as MinPts increases, as shown in Figure 11(a). This is because the number of noise points gradually increases when MinPts increases. Similarly, when MinPts is fixed to 5 and r increases, TPR gradually declines but TNR is almost constant, as shown in Figure 11(b). This is because all data points are clustered into normal logics when r is equal to 0.06 or 0.07. Hence, appropriate parameter values are also necessary for Trojan detection.
Circuit  MinPts  r  TPR  TNR 

RS232_T1000  2  0.05  62%  99% 
RS232_T1100  5  0.04  67%  99% 
RS232_T1200  5  0.04  89%  99% 
RS232_T1300  2  0.05  89%  99% 
RS232_T1400  5  0.04  61%  99% 
RS232_T1500  5  0.04  73%  99% 
RS232_T1600  5  0.04  62%  99% 
s15850_T100  4  0.05  96%  99% 
s35932_T200  5  0.05  93%  99% 
s38417_T100  4  0.05  100%  99% 
VI-C Comparison to existing methods
We compare the experimental results to existing methods in terms of TPR and TNR. Reference [16] proposed an HT detection method based on static structure analysis, and Reference [23] proposed an HT detection method based on signal correlations. Table 5 shows the comparison to [16], and Table 6 shows the comparison to [23]. Obviously, our approach obtains better HT detection performance by achieving a good tradeoff between TPR and TNR. In terms of average TNR, it obtains a 99% average TNR value, which indicates that the proposed technique, HTDet, can significantly reduce false positives.
TPR  TNR  

Circuit  [16]  Ours  [16]  Ours 
RS232_T1000  53%  62%  31%  99% 
RS232_T1100  58%  67%  27%  99% 
RS232_T1200  80%  89%  26%  99% 
RS232_T1300  89%  89%  26%  99% 
RS232_T1400  83%  61%  22%  99% 
RS232_T1500  83%  73%  24%  99% 
RS232_T1600  89%  62%  26%  99% 
s15850_T100  93%  96%  66%  99% 
s35932_T200  100%  93%  59%  99% 
s38417_T100  100%  100%  76%  99% 
Average  83%  79%  39%  99% 
TPR  TNR  

Circuit  [23]  Ours  [23]  Ours 
s15850_T100  61%  96%  99%  99% 
s35932_T200  27%  93%  99%  99% 
s38417_T100  100%  100%  99%  99% 
Average  63%  96%  99%  99% 
In this paper, we do not attempt to find all Trojan logics (wires), but try our best to find a set of the most suspicious logics, which can effectively reduce the authentication time. That is, a manual check after the automatic HT detection is always necessary.
VI-D Effectiveness Analysis of Test Patterns Generation Method
We randomly selected three benchmarks (RS232_T1000, RS232_T1100 and s15850_T100) to evaluate the effectiveness of the proposed test pattern generation method. Let the transition of each suspicious logic be during the simulation, where , and i = 1, 2, …, t. Let be the maximum of . Let be equal to . Then, maximum transition and average transition are used to measure the effectiveness of test patterns. After obtaining the SCPIs, we set all the primary inputs that are not in the SCPIs to logic 0 or logic 1. For the primary inputs in the SCPIs, we still generate full-random stimuli to perform simulation. After cycles of simulation, the transitions of suspicious Trojan logics are summarized in Table 7.
It can be seen that the proposed test pattern generation method can effectively increase the maximum transition and average transition of these suspicious logics, which means that it can reduce activation time.
Circuit  

Before_RS232_T1000  722  224.67 
After_RS232_T1000  768  230.89 
Before_RS232_T1100  719  224.39 
After_RS232_T1100  746  231.56 
Before_s15850_T100  716  64.19 
After_s15850_T100  954  96.48 
Vii Related Works
HT detection is a challenging problem. Lots of researches on HT detection have been proposed in the past decades, which can be roughly classified into reverse engineering, side channel analysis, static structure analysis, statistical feature analysis and functional testing.
Bao proposed that using reverse engineering to dissect the chip under detection can guarantee that any malicious modifications in chip can be detected [5, 6]. However, the limitation of this method is that the time cost is too much, it even takes several weeks to analyze the chip under detection. Hence, the reverse engineering can only be applied to the IC with small scale and simple structure.
In side channel analysis [7, 8, 9, 10, 11, 12, 13], the impacts of HTs (e.g., circuit delay, transient current, leakage power and heat analysis) are used to detect whether there are the HTs in CUD. However, the characteristics of circuit is more susceptible to process variations and environmental noise due to the present nanoscale technologies [14].
A scorebased classification method is proposed for identifying HTs in CUD [15]. This technique comprehensively analyzes the characteristics of Trojan logics introduced at TrustHub [34], then uses a strategy of conditional judgment for HT detection. Hasegawa proposed learning structure features for Trojan detection [16, 17, 18]
. For this purpose, support vector machine, multilayer neural network and random forest is applied to learn circuit structure features, respectively. Reference
[19] summarized the triggering characteristics of Trojan circuits and proposed a feature analysis technique based on flipflop level information flow graph. Then, a multilevel HT detection framework is proposed [20], which combines flipflop level and combinational logic level structure feature analysis.Reference [21]
analyzes time to generate a transition in functional Trojans. Transition is modeled by geometric distribution and the number of clock cycles required to generate a transition is estimated. FANCI
[22] considers that the inputtooutput dependency has significant difference between Trojan logic and normal logic, so it flags logics which have weak inputtooutput dependency as suspicious Trojan logics by Boolean function analysis. In [23], a HT detection method using signal correlation has been proposed. It basically estimates the statistical correlation between signals in a circuit for Trojan detection with the use of ordering points to identify the clustering structure algorithm. Furthermore, [24] proposed a referencefree HT detection scheme based on controllability and observability. This paper indicates that the characteristics of controllability and observability between Trojan gates and genuine gates have significant difference. In [25], a novel HT detection approach through distinguishing the “unnaturalness” of HT from the “naturalness” of normal circuits by applying natural language processing technology. This paper considers that design teams of commercial chips will have the specific design style due to the existence of established design specifications, so the statistical method can be used to detect abnormal circuit logics.
Functional testingbased HT detection approaches [26, 27, 28, 29] try to generate random test patterns to activate the HTs in CUD. If the logical values of primary outputs do not match the correct results, a Trojan is detected. The primary challenge of functional testingbased method is that the Trojan circuit is much smaller than the original circuit, and HTs usually have the dormant nature. Hence, it is difficult to detect potential HTs in CUD by traditional functional testing.
Different from traditional functional verification approaches, we propose HTDet, a novel HT detection technique based on information entropy. We consider that the Trojan usually be inserted in the regions with low controllability and low observability in order to maintain high concealment, which will result in that Trojan logics appear extremely low transitions during the simulation. Our approach does not require that the Trojan logic is pushed the triggering state. As long as the transitions of circuit logics are extremely low, HTDet can flag them as suspicious Trojan logics using densityreachable relationship. Although the information theory has been applied in many fields, to the best of our knowledge, this is the first attempt to use the information theory technology to detect HTs in hardware design.
VIII Conclusions
In this paper, we propose a novel HT detection method named HTDet, which effectively distinguishes the difference in transitions between normal logic and Trojan logic using information entropy. HTDet is an unsupervised learning method and can quickly find suspicious Trojan logic without requiring a “Golden Circuit”. HTDet does not require that the Trojan logic be pushed into the activation state during simulation; it flags circuit logic with extremely low information entropy as suspicious Trojan logic. In addition, we develop a heuristic method that uses mutual information to increase the transitions of suspicious Trojan logic. Experimental results demonstrate the effectiveness of HTDet.
References
 [1] Mohammad Tehranipoor, Hassan Salmani, Xuehui Zhang, Michel Wang, Ramesh Karri, Jeyavijayan Rajendran, and Kurt Rosenfeld. Trustworthy hardware: Trojan detection and design-for-trust challenges. Computer, 44(7):66–74, 2011.
 [2] Qianqian Wang, Randall L Geiger, and Degang Chen. Hardware trojans embedded in the dynamic operation of analog and mixed-signal circuits. In 2015 National aerospace and electronics conference (NAECON), pages 155–158. IEEE, 2015.
 [3] Bicky Shakya, Tony He, Hassan Salmani, Domenic Forte, Swarup Bhunia, and Mark Tehranipoor. Benchmarking of hardware trojans and maliciously affected circuits. Journal of Hardware and Systems Security, 1(1):85–102, 2017.
 [4] Wenchao Li, Zach Wasson, and Sanjit A Seshia. Reverse engineering circuits using behavioral pattern mining. In 2012 IEEE international symposium on hardware-oriented security and trust, pages 83–88. IEEE, 2012.
 [5] Chongxi Bao, Domenic Forte, and Ankur Srivastava. On application of one-class svm to reverse engineering-based hardware trojan detection. In Fifteenth International Symposium on Quality Electronic Design, pages 47–54. IEEE, 2014.
 [6] Chongxi Bao, Domenic Forte, and Ankur Srivastava. On reverse engineering-based hardware trojan detection. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 35(1):49–57, 2016.
 [7] Reza M Rad, Xiaoxiao Wang, Mohammad Tehranipoor, and Jim Plusquellic. Power supply signal calibration techniques for improving detection resolution to hardware trojans. In Proceedings of the 2008 IEEE/ACM International Conference on Computer-Aided Design, pages 632–639. IEEE Press, 2008.
 [8] Sheng Wei and Miodrag Potkonjak. Scalable hardware trojan diagnosis. IEEE Transactions on very large scale integration (VLSI) systems, 20(6):1049–1057, 2012.
 [9] Jie Li and John Lach. At-speed delay characterization for ic authentication and trojan horse detection. In 2008 IEEE International Workshop on Hardware-Oriented Security and Trust, pages 8–14. IEEE, 2008.
 [10] Peilin Song, Franco Stellari, Dirk Pfeiffer, Jim Culp, Al Weger, Alyssa Bonnoit, Bob Wisnieff, and Marc Taubenblatt. Marvel—malicious alteration recognition and verification by emission of light. In 2011 IEEE International Symposium on Hardware-Oriented Security and Trust, pages 117–121. IEEE, 2011.
 [11] Kangqiao Hu, Abdullah Nazma Nowroz, Sherief Reda, and Farinaz Koushanfar. High-sensitivity hardware trojan detection using multimodal characterization. In Proceedings of the Conference on Design, Automation and Test in Europe, pages 1271–1276. EDA Consortium, 2013.
 [12] Abdullah Nazma Nowroz, Kangqiao Hu, Farinaz Koushanfar, and Sherief Reda. Novel techniques for high-sensitivity hardware trojan detection using thermal and power maps. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 33(12):1792–1805, 2014.
 [13] Seetharam Narasimhan, Dongdong Du, Rajat Subhra Chakraborty, Somnath Paul, Francis G Wolff, Christos A Papachristou, Kaushik Roy, and Swarup Bhunia. Hardware trojan detection by multiple-parameter side-channel analysis. IEEE Transactions on computers, 62(11):2183–2195, 2013.
 [14] Zheng Zhang, Tsui-Wei Weng, and Luca Daniel. A big-data approach to handle process variations: Uncertainty quantification by tensor recovery. In 2016 IEEE 20th Workshop on Signal and Power Integrity (SPI), pages 1–4. IEEE, 2016.
 [15] Masaru Oya, Youhua Shi, Masao Yanagisawa, and Nozomu Togawa. A score-based classification method for identifying hardware-trojans at gate-level netlists. In Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, pages 465–470. EDA Consortium, 2015.
 [16] Kento Hasegawa, Masaru Oya, Masao Yanagisawa, and Nozomu Togawa. Hardware trojans classification for gate-level netlists based on machine learning. In 2016 IEEE 22nd International Symposium on On-Line Testing and Robust System Design (IOLTS), pages 203–206. IEEE, 2016.
 [17] Kento Hasegawa, Masao Yanagisawa, and Nozomu Togawa. Hardware trojans classification for gate-level netlists using multi-layer neural networks. In 2017 IEEE 23rd International Symposium on On-Line Testing and Robust System Design (IOLTS), pages 227–232. IEEE, 2017.
 [18] Kento Hasegawa, Masao Yanagisawa, and Nozomu Togawa. Trojan-feature extraction at gate-level netlists and its application to hardware-trojan detection using random forest classifier. In 2017 IEEE International Symposium on Circuits and Systems (ISCAS), pages 1–4. IEEE, 2017.
 [19] Song Yao, Xiaoming Chen, Jie Zhang, Qiaoyi Liu, Jia Wang, Qiang Xu, Yu Wang, and Huazhong Yang. Fastrust: Feature analysis for third-party ip trust verification. In 2015 IEEE International Test Conference (ITC), pages 1–10. IEEE, 2015.
 [20] Xiaoming Chen, Qiaoyi Liu, Song Yao, Jia Wang, Qiang Xu, Yu Wang, Yongpan Liu, and Huazhong Yang. Hardware trojan detection in third-party digital intellectual property cores by multilevel feature analysis. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 37(7):1370–1383, 2018.
 [21] Hassan Salmani, Mohammad Tehranipoor, and Jim Plusquellic. A novel technique for improving hardware trojan detection and reducing trojan activation time. IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 20(1):112–125, 2012.
 [22] Adam Waksman, Matthew Suozzo, and Simha Sethumadhavan. Fanci: identification of stealthy malicious logic using boolean functional analysis. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pages 697–708. ACM, 2013.
 [23] Burcin Cakir and Sharad Malik. Hardware trojan detection for gate-level ics using signal correlation based clustering. In Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, pages 471–476. EDA Consortium, 2015.
 [24] Hassan Salmani. Cotd: Reference-free hardware trojan detection and recovery based on controllability and observability in gate-level netlist. IEEE Transactions on Information Forensics and Security, 12(2):338–350, 2017.
 [25] Haihua Shen, Huazhe Tan, Huawei Li, Feng Zhang, and Xiaowei Li. Lmdet: A “naturalness” statistical method for hardware trojan detection. IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 26(4):720–732, 2018.
 [26] Rajat Subhra Chakraborty, Somnath Paul, and Swarup Bhunia. On-demand transparency for improving hardware trojan detectability. In 2008 IEEE International Workshop on Hardware-Oriented Security and Trust, pages 48–50. IEEE, 2008.
 [27] Francis Wolff, Chris Papachristou, Swarup Bhunia, and Rajat S Chakraborty. Towards trojan-free trusted ics: Problem analysis and detection scheme. In Proceedings of the conference on Design, automation and test in Europe, pages 1362–1365. ACM, 2008.
 [28] Wu-Tung Cheng, Manish Sharma, Thomas Rinderknecht, Liyang Lai, and Chris Hill. Signature based diagnosis for logic bist. In 2006 IEEE International Test Conference, pages 1–9. IEEE, 2006.
 [29] Graham Hetherington, Tony Fryars, Nagesh Tamarapalli, Mark Kassab, Abu Hassan, and Janusz Rajski. Logic bist for large industrial designs: Real issues and case studies. In International Test Conference 1999. Proceedings (IEEE Cat. No. 99CH37034), pages 358–367. IEEE, 1999.
 [30] Hirotugu Akaike. Information theory and an extension of the maximum likelihood principle. In Selected papers of hirotugu akaike, pages 199–213. Springer, 1998.
 [31] Wei-Tung Wang, Yi-Leh Wu, Cheng-Yuan Tang, and Maw-Kae Hor. Adaptive density-based spatial clustering of applications with noise (dbscan) according to data. In 2015 International Conference on Machine Learning and Cybernetics (ICMLC), volume 1, pages 445–451. IEEE, 2015.
 [32] Lawrence H Goldstein and Evelyn L Thigpen. Scoap: Sandia controllability/observability analysis program. In 17th Design Automation Conference, pages 190–196. IEEE, 1980.
 [33] Hanchuan Peng, Fuhui Long, and Chris Ding. Feature selection based on mutual information: criteria of max-dependency, max-relevance, and min-redundancy. IEEE Transactions on Pattern Analysis & Machine Intelligence, (8):1226–1238, 2005.
 [34] Hassan Salmani, Mohammad Tehranipoor, and Ramesh Karri. On design vulnerability analysis and trust benchmarks development. In 2013 IEEE 31st international conference on computer design (ICCD), pages 471–474. IEEE, 2013.
 [35] Lars Buitinck, Gilles Louppe, Mathieu Blondel, Fabian Pedregosa, Andreas Mueller, Olivier Grisel, Vlad Niculae, Peter Prettenhofer, Alexandre Gramfort, Jaques Grobler, Robert Layton, Jake VanderPlas, Arnaud Joly, Brian Holt, and Gaël Varoquaux. API design for machine learning software: experiences from the scikit-learn project. In ECML PKDD Workshop: Languages for Data Mining and Machine Learning, pages 108–122, 2013.