Hardware Trojan Detection using Unsupervised Learning and Simulation-Based Side-Channel Features

• Overview This project presents a groundbreaking methodology for detecting hardware Trojans in integrated circuits using machine learning techniques applied to simulation-based side-channel features. Our approach eliminates the dependency on golden reference models, addressing a critical limitation in real-world supply chain security scenarios.

• Key Achievements 90% detection accuracy without golden references. Detection of subtle Trojans affecting only 2-5% of circuit logic. Real-time monitoring potential with low resource overhead.

• Features Simulation-Based Detection: Extract behavioral features from Quartus Prime and ModelSim simulations.
  Multiple Feature Types: Toggle counts, timing patterns, and Hamming weight analysis.
  Unsupervised Learning: PCA-based dimensionality reduction with K-Means and DBSCAN clustering.
  Comprehensive Circuit Support: Counters, combinational logic, and complex pipeline structures.
  Automated Pipeline: Streamlined workflow from Verilog to detection results.

• Detection Performance by Circuit Type 4-bit Counter: 93.5% accuracy ||
  Combinational Multiplier: 60% accuracy ||
  Adder Chain: 57% accuracy

• Prerequisites Intel Quartus Prime (20.1.1 or later) ,
  ModelSim-Altera (2020.1 or later) ,
  Python 3.8+

Reach out to otank@umass.edu or on linkedin.com/omtank to access the detailed Verilog Code and Guide (After May 2026)

• ModelSim-Altera Simulation Environment For behavioral simulation, we employed ModelSim-Altera Starter Edition (version 2020.1), which is tightly integrated with the Quartus Prime development environment. ModelSim provides comprehensive simulation capabilities for both pre-synthesis (RTL) and post-synthesis (gate-level) simulation.

Our simulation methodology comprised the following steps:

Testbench Creation: For each circuit variant (clean and Trojan-infected), we developed comprehensive testbenches in Verilog HDL. These testbenches included clock generation, reset signal generation, systematic test vector application, specific test vectors targeting potential Trojan activation conditions, automated results verification, and Value Change Dump (VCD) file generation for waveform analysis.

RTL Simulation: Pre-synthesis simulation to verify logical correctness, with full signal tracing for comprehensive waveform analysis and a simulation runtime of 10,000 clock cycles (200μs).

Gate-Level Simulation: Post-synthesis simulation including timing information, using the netlist generated by Quartus Prime, with Standard Delay Format (SDF) files for accurate timing simulation and back-annotation for precise delay modeling. Feature Extraction: From each simulation run, we collected and exported signal toggle counts (number of transitions), timing information (propagation delays), Hamming weight measurements (count of '1' bits in signals), and execution patterns (sequence of states or output values).

For detailed waveform analysis, we used ModelSim's integrated wave viewer and custom-developed Tcl scripts to automate the extraction of relevant metrics. These scripts calculated toggle counts, timing patterns, and Hamming weight distributions that would serve as features for our unsupervised learning algorithms.

• Circuit Design and Trojan Implementation Approach Our approach to circuit design and Trojan implementation focused on creating representative examples of hardware Trojans with varying complexity and activation mechanisms. We developed three primary types of circuit designs:

Sequential Logic Circuits: Including simple counters and state machines, where Trojan implementations typically involved modification of state transitions based on specific trigger conditions. For example, our counter implementations included a clean version with standard incrementing behavior and a Trojan version that would reset under specific count values.

Combinational Logic Circuits: Such as arithmetic units and multipliers, where Trojans were implemented by modifying output values when specific input patterns occurred. These designs tested the ability to detect purely combinational Trojans without state elements.

Complex Pipeline Structures: Such as chains of adders with multiple stages, where Trojans could introduce subtle timing modifications or occasionally alter data propagation. These designs represented more sophisticated circuits where Trojans might be more difficult to detect.

• Circuit Implementation We implemented three distinct types of circuits to evaluate our detection methodology across different design patterns.

4-bit Counter Implementation :

Our primary test case was a simple 4-bit counter, implemented in both clean and Trojan-infected versions. The Trojan counter implementation is shown below:

• Testbench Implementation To simulate and compare the behavior of clean and Trojan-infected counters, we developed a comprehensive testbench:

• Simulation Results and Feature Extraction

The waveform clearly shows the behavioral difference between the two counters. The clean counter (top) increments continuously through all values, while the Trojan counter (bottom) resets to zero when it reaches the value 10 (binary 1010). This difference, while easily visible in this simple example, would be much harder to detect in a complex design with thousands of signals.

• Toggle Count Extraction To quantify the differences in signal activity, we extracted toggle counts for each signal using a custom Python script that processed the ModelSim VCD output:

The results showed a significant difference in toggle activity between the two counters: Clean counter: 30 toggles in 300ns ||

Trojan counter: 22 toggles in 300ns

This 26.7% reduction in toggle count provides a clear indication of the Trojan's presence, even without knowing the specific behavior modification.

• Hamming Weight Analysis

To perform Hamming weight analysis, we sampled signal values at regular intervals and calculated the Hamming weight (number of '1' bits) for each sample:

The Hamming weight profiles revealed distinct patterns:

The clean counter showed a cyclical pattern with a full range of weights (0-4)

The Trojan counter showed interruptions in this pattern, with resets to 0 weight after reaching certain values

• Unsupervised Learning Implementation

With our normalized feature vectors, we applied dimensionality reduction and clustering algorithms:

• Clustering Performance

Both K-Means and DBSCAN successfully separated clean and Trojan-infected circuits with high accuracy:

The PCA visualization clearly showed two distinct clusters corresponding to clean and Trojan-infected circuits. The first principal component primarily captured toggle rate differences, while the second component represented timing pattern variations.