Training Data Poisoning in ML CAD: Backdooring DL based Lithographic Hotspot Detectors

Recent efforts to enhance computer-aided design (CAD) flows have seen the proliferation of machine learning (ML) based techniques. However, despite achieving state-of-the-art performance in many domains, techniques such as deep learning (DL) are susceptible to various adversarial attacks. In this work, we explore the threat posed by training data poisoning attacks where a malicious insider can try to insert backdoors into a deep neural network (DNN) used as part of the CAD flow. Using a case study on lithographic hotspot detection, we explore how an adversary can contaminate training data with specially crafted, yet meaningful, genuinely labeled, and design rule compliant poisoned clips. Our experiments show that very low poisoned/clean data ratio in training data is sufficient to backdoor the DNN; an adversary can “hide" specific hotspot clips at inference time by including a backdoor trigger shape in the …