Yun Lin,Haojun Zhao,Xuefei Ma,Ya Tu,Meiyu Wang

DOI: https://doi.org/10.1109/tr.2020.3032744

IF: 5.883

2021-01-01

IEEE Transactions on Reliability

Abstract:Deep learning (DL) models are vulnerable to adversarial attacks, by adding a subtle perturbation which is imperceptible to the human eye, a convolutional neural network (CNN) can lead to erroneous results, which greatly reduces the reliability and security of the DL tasks. Considering the wide application of modulation recognition in the communication field and the rapid development of DL, by adding a well-designed adversarial perturbation to the input signal, this article explores the performance of attack methods on modulation recognition, measures the effectiveness of adversarial attacks on signals, and provides the empirical evaluation of the reliabilities of CNNs. The results indicate that the accuracy of the target model reduce significantly by adversarial attacks, when the perturbation factor is 0.001, the accuracy of the model could drop by about 50% on average. Among them, iterative methods show greater attack performances than that of one-step method. In addition, the consistency of the waveform before and after the perturbation is examined, to consider whether the added adversarial examples are small enough (i.e., hard to distinguish by human eyes). This article also aims at inspiring researchers to further promote the CNNs reliabilities against adversarial attacks.

Yun Lin,Haojun Zhao,Ya Tu,Shiwen Mao,Zheng Dou

DOI: https://doi.org/10.1109/infocom41043.2020.9155389

2020-07-01

Abstract:With the emergence of the information age, mobile data has become more random, heterogeneous and massive. Thanks to its many advantages, deep learning is increasingly applied in communication fields such as modulation recognition. However, recent studies show that the deep neural networks (DNN) is vulnerable to adversarial examples, where subtle perturbations deliberately designed by an attacker can fool a classifier model into making mistakes. From the perspective of an attacker, this study adds elaborate adversarial examples to the modulation signal, and explores the threats and impacts of adversarial attacks on the DNN-based modulation recognition in different environments. The results show that, regardless of a white-box or a black-box model, the adversarial attack can reduce the accuracy of the target model. Among them, the performance of the iterative attack is superior to the one-step attack in most scenarios. In order to ensure the invisibility of the attack (the waveform being consistent before and after the perturbations), an appropriate perturbation level is found without losing the attack effect. Finally, it is attested that the signal confidence level is inversely proportional to the attack success rate, and several groups of signals with high robustness are obtained.

Yibing Wang,Liang Zhou,Zhutian Yang,Longwen Wu,Zhendong Yin,Yaqin Zhao,Zhilu Wu

DOI: https://doi.org/10.3390/electronics12092134

IF: 2.9

2023-01-01

Electronics

Abstract:Modulation recognition is an important technology in wireless communication systems. In recent years, deep learning-based modulation recognition algorithms, which can autonomously learn deep features and achieve superior recognition performance compared with traditional algorithms, have emerged. Yet, there are still certain limitations. In this paper, aiming at addressing the issue of poor recognition performance at low signal-to-noise ratios (SNRs) and the inability of deep features to effectively distinguish among all modulation types, we propose an optimization scheme for modulation recognition based on fine-tuning and feature re-extraction. In the proposed scheme, the network is firstly trained with the signals at high SNRs; then, the trained network is fine-tuned to the untrained network at low SNRs. Finally, on the basis of the features learned by the network, deeper features with enhanced discriminability for confused modulation types are obtained using feature re-extraction. The simulation results demonstrate that the proposed optimization scheme can maximize the performance of the neural network in the recognition of signals that are easily confused and at low SNRs. Notably, the average recognition accuracy of the proposed scheme was 91.28% within an SNR range of −8 dB to 18 dB, which is an improvement of 8% to 17% in comparison with four existing schemes.

Yi Zhao,Wenjing Yuan,Yinghua Huang,Zhenyu Chen

DOI: https://doi.org/10.1109/dsa56465.2022.00163

2022-01-01

Abstract:With the development of information technology and 5G communication, the number of wireless devices has increased significantly, and the complexity of the communication system has also been rapidly upgraded. Due to the complexity and the high dimensionality of signals, many researchers have applied deep learning to modulation recognition tasks. However, although deep learning exhibits strong capabilities for modulation recognition, its vulnerability to adversarial examples should also be addressed. In this paper, we conduct a preliminary study on the security of DNN-based modulation recognition models. We build multiple high-accuracy DNN-based models on existing research and test their robustness by implementing multiple adversarial attacks on the well-trained models. The results show that adversarial examples pose a very serious threat to DNN-based modulation recognition models.

Junyi Zhang,Chun Li,Jiayong Zhao,Wei Tang,Shichao Guan

DOI: https://doi.org/10.1109/smartiot58732.2023.00056

2023-01-01

Abstract:In recent years, Deep Neural Networks have faced the challenge of resisting example attacks, which seriously affects the security of modulation recognition models based on Deep Neural Networks. Aiming at the adversarial attack problem in signal modulation recognition, this paper uses five classic adversarial attack methods to attack three modulation recognition models based on Deep Neural Networks with different architectures. Then, the attack effectiveness of different methods is evaluated in terms of attack success rate, imperceptibility. The experimental results show that the neural network model is extremely vulnerable to adversarial attacks. The evaluation index proposed in this paper can comprehensively and accurately evaluate the signal adversarial examples, which is of great value for the research on the security and reliability of the intelligent modulation recognition model.

Mingqian Liu,Zhenju Zhang,Nan Zhao,Yunfei Chen

DOI: https://doi.org/10.1109/infocomwkshps54753.2022.9798389

2022-01-01

Abstract:Modulation recognition models based on deep neural network (DNN) have the advantages of automatic feature extraction, fast recognition and high accuracy. However, due to the interpretability defects, DNN models are vulnerable to adversarial examples designed by attackers. Most existing researches focus on the accuracy of modulation recognition models, while ignoring the huge threat of adversarial examples to the safety and reliability of the models. In the field of modulation recognition, many existing attack methods have good attack performance for simple neural networks, but poor performance for more complicated DNNs. Therefore, this paper proposes an adversarial attack method based on dynamic iterative. The proposed method uses a dynamic iterative step that changes with iteration instead of being fixed. Simulation results show that the proposed attack method has better attack performance when the disturbance is specified than the traditional attack methods.

Yuhang Zhao,Yajie Wang,Chuan Zhang,Chunhai Li,Zehui Xiong,Liehuang Zhu,Dusit Niyato

DOI: https://doi.org/10.1109/tccn.2024.3499362

IF: 6.359

2024-01-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:In the radio frequency field, deep neural networks have been widely used for automatic modulation recognition tasks due to their superior accuracy. However, it has been shown that these models are susceptible to adversarial examples, which are the kinds of carefully crafted perturbations that can lead to model misclassification and raise security issues in applications. To solve this problem, we propose an Ultra-Fusion Adversarial Training method, which combines adversarial training and ensemble learning to enable the model robustness to withstand different attack strengths. We explore the number and distribution of ensembled attacks and introduce a Fermi-function-like distribution to optimally balance the performance of different attack strengths. Additionally, we investigate the effect of the signal-to-noise ratio (SNR) interval on the model accuracy and robustness, suggesting the effective SNR interval for training. Considering the demand for practical application scenarios of modulation recognition, we propose a comprehensive robustness metric based on weighted integral to evaluate the robustness of the trained models. Numerical experiments demonstrate that our method improves the model’s robustness by 31.89% against white-box attacks, and achieves up to an 80.54% improvement in black-box scenarios. These results show that our method has the ability to resiliently resist potential attacks of various strengths and can be applied to spectrum application scenarios with high-security requirements.

Zenghui Jiang,Weijun Zeng,Xingyu Zhou,Peilun Feng,Pu Chen,Shenqian Yin,Changzhi Han,Lin Li

DOI: https://doi.org/10.3390/electronics12183752

IF: 2.9

2023-09-06

Electronics

Abstract:Automatic modulation recognition (AMR) serves as a crucial component in domains such as cognitive radio and electromagnetic countermeasures, acting as a significant prerequisite for the efficient signal processing of receivers. Deep neural networks (DNNs), despite their effectiveness, are known to be vulnerable to adversarial attacks. This vulnerability has inspired the introduction of subtle interference to wireless communication signals—interference so minuscule that it is difficult for the human eye to discern. Such interference can mislead eavesdroppers into erroneous modulation pattern recognition when using DNNs, thereby camouflaging communication signal modulation patterns. Nonetheless, the majority of current camouflage methods used for electromagnetic signal modulation recognition rely on a global perturbation of the signal. They fail to consider the local agility of signal disturbance and the concealment requirements for bait signals that are intercepted by the interceptor. This paper presents a generator framework designed to produce perturbations with sparse properties. Furthermore, we introduce a method to reduce spectral loss, which minimizes the spectral difference between adversarial perturbation and the original signal. This method makes perturbation more challenging to monitor, thereby deceiving enemy electromagnetic signal modulation recognition systems. The experimental results validated that the proposed method significantly outperformed existing methods in terms of generation time. Moreover, it can generate adversarial signals characterized by high deceivability and transferability even under extremely sparse conditions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Haojun Zhao,Yun Lin,Song Gao,Shui Yu

DOI: https://doi.org/10.1109/globecom42002.2020.9322088

2020-01-01

Abstract:The discovery of adversarial examples poses a serious risk to the deep neural networks (DNN). By adding a subtle perturbation that is imperceptible to the human eye, a well-behaved DNN model can be easily fooled and completely change the prediction categories of the input samples. However, research on adversarial attacks in the field of modulation recognition mainly focuses on increasing the prediction error of the classifier, while ignores the importance of decreasing the perceptual invisibility of attack. Aiming at the task of DNNbased modulation recognition, this study designs the Fitting Difference as a metric to measure the perturbed waveforms and proposes a new method: the Nesterov Adam Iterative Method to generate adversarial examples. We show that the proposed algorithm not only exerts excellent white-box attacks but also can initiate attacks on a black-box model. Moreover, our method decreases the waveform perceptual invisibility of attacks to a certain degree, thereby reducing the risk of an attack being detected.

Chao Han,Ruoxi Qin,Linyuan Wang,Weijia Cui,Jian Chen,Bin Yan

DOI: https://doi.org/10.1007/s11276-023-03299-4

IF: 2.701

2023-01-01

Wireless Networks

Abstract:Modulation signal intelligent recognition model based on deep learning is widely used in the field of radio signal intelligent processing, but the adversarial attack has become a huge security threat. In order to promote the safe and reliable application of the modulation recognition intelligent model, it is necessary to study its adversarial defense technology. An adversarial defense method based on ensemble learning for modulation signal intelligent recognition model is proposed in this paper. Specifically, this method is achieved by combining multiple defense models such as adversarial training, defensive distillation, and noise smoothing. Variety of attack algorithms in both the white-box and black-box scenarios under different intensities of perturbation and different signal-to-noise ratios are carried out to verify the robustness performance of the proposed method. Strikingly, the accuracy of the model is improved to over 80% when the SNR is above 0 dB under Carlini and Wagner attack.

Shisheng Hu,Yiyang Pei,Paul Pu Liang,Ying-Chang Liang

DOI: https://doi.org/10.1109/tvt.2019.2951594

IF: 6.8

2020-01-01

IEEE Transactions on Vehicular Technology

Abstract:Recently, classifying the modulation schemes of signals using deep neural network has received much attention. In this paper, we introduce a general model of deep neural network (DNN)-based modulation classifiers for single-input single-output (SISO) systems. Its feasibility is analyzed using maximum a posteriori probability (MAP) criterion and its robustness to uncertain noise conditions is compared to that of the conventional maximum likelihood (ML)-based classifiers. To reduce the design and training cost of DNN classifiers, a simple but effective pre-processing method is introduced and adopted. Furthermore, featuring multiple recurrent neural network (RNN) layers, the DNN modulation classifier is realized. Simulation results show that the proposed RNN-based classifier is robust to the uncertain noise conditions, and the performance of it approaches to that of the ideal ML classifier with perfect channel and noise information. Moreover, with a much lower complexity, it outperforms the existing ML-based classifiers, specifically, expectation maximization (EM) and expectation conditional maximization (ECM) classifiers which iteratively estimate channel and noise parameters. In addition, the proposed classifier is shown to be invariant to the signal distortion such as frequency offset. Furthermore, the adopted pre-processing method is shown to accelerate the training process of our proposed classifier, thus reducing the training cost. Lastly, the computational complexity of our proposed classifier is analyzed and compared to other traditional ones, which further demonstrates its overall advantage.

telecommunications,engineering, electrical & electronic,transportation science & technology

S. Asim Ahmed,Subhashish Chakravarty,Michael Newhouse

DOI: https://doi.org/10.48550/arXiv.1811.06103

2018-11-15

Abstract:Recent successes and advances in Deep Neural Networks (DNN) in machine vision and Natural Language Processing (NLP) have motivated their use in traditional signal processing and communications systems. In this paper, we present results of such applications to the problem of automatic modulation recognition. Variations in wireless communication channels are represented by statistical channel models and their parameterization will increase with the advent of 5G. In this paper, we report effect of simple two path channel model on our naive deep neural network based implementation. We also report impact of adversarial perturbation to the input signal.

Machine Learning,Signal Processing

Huiguo Gao,Guanding Yu,Yunlong Cai

DOI: https://doi.org/10.1109/mnet.2023.3317110

IF: 10.294

2024-01-01

IEEE Network

Abstract:Traditional rate adaptive mechanism aims to maximize spectral efficiency by choosing the optimal transmission under the premise of perfect bit-level data transmission. However, in semantic communication systems, imperfect bit transmission could still lead to good performance due to the error correction capability of neural networks. In this paper, we propose a novel rate adaptive mechanism to maximize spectral efficiency while guaranteeing the performance of semantic tasks. In order to analyze the robustness of neural network inference, we introduce the robustness verification problem in semantic communications. Then, we propose and solve the modulation scheme selection problem subject to the robustness probability threshold constraint. Afterwards, a rate adaptive mechanism with the optimal modulation scheme is proposed. Simulations are conducted to validate the effectiveness of the proposed scheme, followed by some important open challenges for future related work.

Haolin Tang,Ferhat Ozgur Catak,Murat Kuzlu,Evren Catak,Yanxiao Zhao

DOI: https://doi.org/10.1109/access.2023.3296805

IF: 3.9

2023-01-01

IEEE Access

Abstract:Automatic Modulation Recognition (AMR) is one of the critical steps in the signal processing chain of wireless networks, which can significantly improve communication performance. AMR detects the modulation scheme of the received signal without any prior information. Recently, many Artificial Intelligence (AI) based AMR methods have been proposed, inspired by the considerable progress of AI methods in various fields. On the one hand, AI-based AMR methods can outperform traditional methods in terms of accuracy and efficiency. On the other hand, they are susceptible to new types of cyberattacks, such as model poisoning or adversarial attacks. This paper explores the vulnerabilities of an AI-based AMR model to adversarial attacks in both single-input-single-output and multiple-input-multiple-output scenarios. We show that these attacks can significantly reduce the classification performance of the AI-based AMR model, which highlights the security and robustness concerns. Therefore, we propose a widely used mitigation method (i.e., defensive distillation) to reduce the vulnerabilities of the model against adversarial attacks. The simulation results indicate that the AI-based AMR model can be highly vulnerable to adversarial attacks, but their vulnerabilities can be significantly reduced by using mitigation methods.

Zenghui Jiang,Weijun Zeng,Xingyu Zhou,Pu Chen,Shenqian Yin

DOI: https://doi.org/10.1109/lcomm.2024.3373222

IF: 3.5529

2024-01-01

IEEE Communications Letters

Abstract:Although Deep neural networks (DNN) can achieve higher performance in automatic modulation recognition, they are known to vulnerable to adversarial perturbations, which are strategically added to inputs can fool the DNN model. In this letter, we propose a novel sparse attack scheme based on adversarial generative networks, which enables more covert attacks while preserving communication quality. This new scheme incorporates adversarial training into the discriminator, which not only improves attack performance but also enhances the stability of the training process for adversarial generative networks. Experimental results demonstrate that the proposed scheme outperforms other sparse attack approaches in terms of generation time and transferability.

telecommunications

Da Ke,Xiang Wang,Kaizhu Huang,Haoyuan Wang,Zhitao Huang

DOI: https://doi.org/10.1007/s12559-022-10062-y

IF: 4.89

2022-10-20

Cognitive Computation

Abstract:Integrating cognitive radio (CR) technique with wireless networks is an effective way to solve the increasingly crowded spectrum. Automatic modulation classification (AMC) plays an important role in CR. AMC significantly improves the intelligence of CR system by classifying the modulation type and signal parameters of received communication signals. AMC can provide more information for decision making of the CR system. In addition, AMC can help the CR system dynamically adjust the modulation type and coding rate of the communication signal to adapt to different channel qualities, and the AMC technique help eliminate the cost of broadcast modulation type and coding rate. Deep learning (DL) has recently emerged as one most popular method in AMC of communication signals. Despite their success, DL models have recently been shown vulnerable to adversarial attacks in pattern recognition and computer vision. Namely, they can be easily deceived if a small and carefully designed perturbation called an adversarial attack is imposed on the input, typically an image in pattern recognition. Owing to the very different nature of communication signals, it is interesting yet crucially important to study if adversarial perturbation could also fool AMC. In this paper, we make a first attempt to investigate how we can design a special adversarial attack on AMC. we start from the assumption of a linear binary classifier which is further extended to multi-way classifier. We consider the minimum power consumption that is different from existing adversarial perturbation but more reasonable in the context of AMC. We then develop a novel adversarial perturbation generation method that leads to high attack success to communication signals. Experimental results on real data show that the method is able to successfully spoof the 11-class modulation classification at a model with a minimum cost of about − 21 dB in automatic modulation classification task. The visualization results demonstrate that the adversarial perturbation manifests in the time domain as imperceptible undulations of the signal, and in the frequency domain as small noise outside the signal band.

computer science, artificial intelligence,neurosciences

Lu Zhang,Sangarapillai Lambotharan,Gan Zheng,Guisheng Liao,Ambra Demontis,Fabio Roli

2024-07-09

Abstract:Motivated by the superior performance of deep learning in many applications including computer vision and natural language processing, several recent studies have focused on applying deep neural network for devising future generations of wireless networks. However, several recent works have pointed out that imperceptible and carefully designed adversarial examples (attacks) can significantly deteriorate the classification accuracy. In this paper, we investigate a defense mechanism based on both training-time and run-time defense techniques for protecting machine learning-based radio signal (modulation) classification against adversarial attacks. The training-time defense consists of adversarial training and label smoothing, while the run-time defense employs a support vector machine-based neural rejection (NR). Considering a white-box scenario and real datasets, we demonstrate that our proposed techniques outperform existing state-of-the-art technologies.

Artificial Intelligence

Qiyu Hu,Guangyi Zhang,Zhijin Qin,Yunlong Cai,Guanding Yu,Geoffrey Ye Li

DOI: https://doi.org/10.1109/vtc2022-fall57202.2022.10012843

2022-01-01

Abstract:Although the semantic communications have exhibited satisfactory performance in a large number of tasks, the impact of semantic noise and the robustness of the systems have not been well investigated. Semantic noise is a particular kind of noise in semantic communication systems, which refers to the misleading between the intended semantic symbols and received ones. In this paper, we first propose a framework for the robust end-to-end semantic communication systems to combat the semantic noise. Particularly, we analyze the causes of semantic noise and propose a practical method to generate it. To remove the effect of semantic noise, adversarial training is proposed to incorporate the samples with semantic noise in the training dataset. Then, the masked autoencoder (MAE) is designed as the architecture of a robust semantic communication system, where a portion of the input is masked. To further improve the robustness of semantic communication systems, we firstly employ the vector quantization-variational autoencoder (VQ-VAE) to design a discrete codebook shared by the transmitter and the receiver for encoded feature representation. Thus, the transmitter simply needs to transmit the indices of these features in the codebook. Simulation results show that our proposed method significantly improves the robustness of semantic communication systems against semantic noise with significant reduction on the transmission overhead.

Wenhan Zhang,Meiyu Zhong,Ravi Tandon,Marwan Krunz

2024-10-09

Abstract:Deep Neural Network (DNN) based classifiers have recently been used for the modulation classification of RF signals. These classifiers have shown impressive performance gains relative to conventional methods, however, they are vulnerable to imperceptible (low-power) adversarial attacks. Some of the prominent defense approaches include adversarial training (AT) and randomized smoothing (RS). While AT increases robustness in general, it fails to provide resilience against previously unseen adaptive attacks. Other approaches, such as Randomized Smoothing (RS), which injects noise into the input, address this shortcoming by providing provable certified guarantees against arbitrary attacks, however, they tend to sacrifice accuracy. In this paper, we study the problem of designing robust DNN-based modulation classifiers that can provide provable defense against arbitrary attacks without significantly sacrificing accuracy. To this end, we first analyze the spectral content of commonly studied attacks on modulation classifiers for the benchmark RadioML dataset. We observe that spectral signatures of un-perturbed RF signals are highly localized, whereas attack signals tend to be spread out in frequency. To exploit this spectral heterogeneity, we propose Filtered Randomized Smoothing (FRS), a novel defense which combines spectral filtering together with randomized smoothing. FRS can be viewed as a strengthening of RS by leveraging the specificity (spectral Heterogeneity) inherent to the modulation classification problem. In addition to providing an approach to compute the certified accuracy of FRS, we also provide a comprehensive set of simulations on the RadioML dataset to show the effectiveness of FRS and show that it significantly outperforms existing defenses including AT and RS in terms of accuracy on both attacked and benign signals.

Machine Learning,Cryptography and Security,Information Theory,Networking and Internet Architecture,Signal Processing

Yan, Bin

DOI: https://doi.org/10.1007/s11036-024-02333-9

2024-05-14

Mobile Networks and Applications

Abstract:In the rapidly evolving landscape of wireless communication systems, the vulnerability of automatic modulation classification (AMC) models to adversarial attacks presents a significant security challenge. This study introduces a pruning and training methodology tailored to address the nuances of signal processing within these systems. Leveraging a pruning method based on channel activation contributions, our approach optimizes adversarial training potential, enhancing the model's capacity to improve robustness against attacks. Additionally, the approach constructs a resilient training method based on a composite strategy, integrating balanced adversarial training, soft target regularization, and gradient masking. This combination effectively broadens the model's uncertainty space and obfuscates gradients, thereby enhancing the model's defenses against a wide spectrum of adversarial tactics. The training regimen is carefully adjusted to retain sensitivity to adversarial inputs while maintaining accuracy on original data. Comprehensive evaluations conducted on the RML2016.10A dataset demonstrate the effectiveness of our method in defending against both gradient-based and optimization-based attacks within the realm of wireless communication. This research offers insightful and practical approaches to improving the security and performance of AMC models against the complex and evolving threats present in modern wireless communication environments.

computer science, information systems,telecommunications, hardware & architecture