NetDeTox: Adversarial and Efficient Evasion of Hardware-Security GNNs via RL-LLM Orchestration

📅 2025-11-27
🤖 AI Summary
This paper targets the vulnerability of GNN-based hardware security schemes to netlist graph-structure perturbation attacks and proposes the first adversarial netlist rewriting framework integrating reinforcement learning (RL) and large language models (LLMs). The framework employs RL to identify critical functional nodes and leverages LLMs to generate semantically preserving local rewriting strategies; it further incorporates GNN-based analysis and iterative feedback for optimization, achieving low-overhead evasion while preserving circuit functionality. Its key innovation lies in the first systematic, synergistic integration of RL and LLMs for graph-level adversarial attacks at the hardware level. Experiments on three state-of-the-art detection models (GNN-RE, GNN4IP, and OMLA) demonstrate area overhead reductions of 54.50%, 25.44%, and 41.04%, respectively, compared with the prior SOTA work AttackGNN. Moreover, the framework exhibits strong scalability and compression capability on large-scale circuits.

📝 Abstract
Graph neural networks (GNNs) have shown promise in hardware security by learning structural motifs from netlist graphs. However, this reliance on motifs makes GNNs vulnerable to adversarial netlist rewrites; even small-scale edits can mislead GNN predictions. Existing adversarial approaches, ranging from synthesis-recipe perturbations to gate transformations, come with high design overheads. We present NetDeTox, an automated end-to-end framework that orchestrates large language models (LLMs) with reinforcement learning (RL) in a systematic manner, enabling focused local rewriting. The RL agent identifies netlist components critical for GNN-based reasoning, while the LLM devises rewriting plans to diversify motifs that preserve functionality. Iterative feedback between the RL and LLM stages refines adversarial rewritings to limit overheads. Compared to the SOTA work AttackGNN, NetDeTox successfully degrades the effectiveness of all security schemes with fewer rewrites and substantially lower area overheads (reductions of 54.50% for GNN-RE, 25.44% for GNN4IP, and 41.04% for OMLA, respectively). For GNN4IP, ours can even optimize/reduce the original benchmarks' area, in particular for larger circuits, demonstrating the practicality and scalability of NetDeTox.

Problem

Research questions and friction points this paper is trying to address.

Adversarial evasion of hardware-security GNNs via netlist rewrites
High design overheads in existing adversarial netlist modification approaches
Automated RL-LLM orchestration for efficient adversarial rewriting with low overhead

Innovation

Methods, ideas, or system contributions that make the work stand out.

Uses RL-LLM orchestration for adversarial netlist rewriting
RL identifies critical components, LLM devises rewriting plans
Iterative feedback refines rewrites to limit overheads