To remain dormant in the validation and manufacturing test, Trojans tend to have at least one trigger signal at the gate-level netlist with a very low transition probability. Our paper exploits this stealthy nature of trigger signals to detect Trojans using static and dynamic transition probabilities. The proposed trigger identification is a reference-free scheme, and no prior knowledge of a Trojan-free design is required. First, we reveal the relation between combinational 0/1-controllability and 0/1-probability and propose a static transition probability analysis based on our proposed difference-amplified controllability, which can be easily obtained by the Sandia Controllability/Observability Analysis Program. The k-means clustering method is adopted for potential trigger classification to extend the scalability and adaptability to different circuit sizes. Second, we propose to utilize the transition probability of a dynamic simulation for correction of the results. Experiments show that the proposed detection scheme can obtain a 0% false negative rate and a maximum 11.7% false positive rate on Trust-HUB benchmarks.
