Shuting Tang,Mingliang Tao,Xiang Zhang,Yifei Fan,Jia Su,Ling Wang

DOI: https://doi.org/10.23919/URSIGASS51995.2021.9560288

2021-01-01

Abstract:Deep learning has achieved superior performance on radio signal modulation classification. However, its security and reliability are vulnerable due to its data-oriented learning strategy. In this paper, the vulnerability of deep neural network for radio classification is investigated. Based on the radar and communication waveforms, slight optimal perturbations are generated and added onto the orig...

Lu Zhang,Sangarapillai Lambotharan,Gan Zheng,Guisheng Liao,Ambra Demontis,Fabio Roli

2024-07-09

Abstract:Motivated by the superior performance of deep learning in many applications including computer vision and natural language processing, several recent studies have focused on applying deep neural network for devising future generations of wireless networks. However, several recent works have pointed out that imperceptible and carefully designed adversarial examples (attacks) can significantly deteriorate the classification accuracy. In this paper, we investigate a defense mechanism based on both training-time and run-time defense techniques for protecting machine learning-based radio signal (modulation) classification against adversarial attacks. The training-time defense consists of adversarial training and label smoothing, while the run-time defense employs a support vector machine-based neural rejection (NR). Considering a white-box scenario and real datasets, we demonstrate that our proposed techniques outperform existing state-of-the-art technologies.

Artificial Intelligence

Meysam Sadeghi,Erik G. Larsson

DOI: https://doi.org/10.1109/lwc.2018.2867459

IF: 6.3

2019-02-01

IEEE Wireless Communications Letters

Abstract:Deep learning (DL), despite its enormous success in many computer vision and language processing applications, is exceedingly vulnerable to adversarial attacks. We consider the use of DL for radio signal (modulation) classification tasks, and present practical methods for the crafting of white-box and universal black-box adversarial attacks in that application. We show that these attacks can considerably reduce the classification performance, with extremely small perturbations of the input. In particular, these attacks are significantly more powerful than classical jamming attacks, which raises significant security and robustness concerns in the use of DL-based algorithms for the wireless physical layer.

computer science, information systems,telecommunications,engineering, electrical & electronic

Da Ke,Xiang Wang,Zhitao Huang

DOI: https://doi.org/10.1109/tifs.2024.3352423

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Although Deep learning (DL) provides state-of-art results for most spectrum sensing tasks, it is vulnerable to adversarial examples. Based on this phenomenon, we consider a non-cooperative communication scenario where an intruder tries to recognize the modulation type of the intercepted signal. Specifically, this paper aims to minimize the intruder’s accuracy while guaranteeing that the intended receiver can still recover the underlying message with the highest reliability. This process is implemented by adding adversarial perturbations to the channel input symbols at the encoder. In image classification, the perturbation is limited to be imperceptible to a human observer by minimizing the ℓp norm, while in this work, we enriched the connotation of adversarial examples, and first proposed that the imperceptibility of adversarial examples in the field of wireless signals is the imperceptibility of filters. Based on this perspective, we optimized the model of adversarial examples and constrained the adversarial perturbation to a narrow frequency band so that filters cannot filter it out. We also define a new set of metrics to describe the imperceptibility of the wireless signal adversarial example. The simulation results demonstrate the viability of our approach in securing wireless communication against state-of-the-art DL-based intruders while minimizing communication performance reduction.

computer science, theory & methods,engineering, electrical & electronic

Brian Kim,Yalin E. Sagduyu,Kemal Davaslioglu,Tugba Erpek,Sennur Ulukus

DOI: https://doi.org/10.48550/arXiv.2002.02400

2020-02-14

Abstract:We consider a wireless communication system that consists of a transmitter, a receiver, and an adversary. The transmitter transmits signals with different modulation types, while the receiver classifies its received signals to modulation types using a deep learning-based classifier. In the meantime, the adversary makes over-the-air transmissions that are received as superimposed with the transmitter's signals to fool the classifier at the receiver into making errors. While this evasion attack has received growing interest recently, the channel effects from the adversary to the receiver have been ignored so far such that the previous attack mechanisms cannot be applied under realistic channel effects. In this paper, we present how to launch a realistic evasion attack by considering channels from the adversary to the receiver. Our results show that modulation classification is vulnerable to an adversarial attack over a wireless channel that is modeled as Rayleigh fading with path loss and shadowing. We present various adversarial attacks with respect to availability of information about channel, transmitter input, and classifier architecture. First, we present two types of adversarial attacks, namely a targeted attack (with minimum power) and non-targeted attack that aims to change the classification to a target label or to any other label other than the true label, respectively. Both are white-box attacks that are transmitter input-specific and use channel information. Then we introduce an algorithm to generate adversarial attacks using limited channel information where the adversary only knows the channel distribution. Finally, we present a black-box universal adversarial perturbation (UAP) attack where the adversary has limited knowledge about both channel and transmitter input.

Signal Processing,Machine Learning,Networking and Internet Architecture

Da Ke,Zhitao Huang,Xiang Wang,Liting Sun

DOI: https://doi.org/10.1109/ICDMW.2019.00128

2019-01-01

Abstract:Cognitive radio technology is an important branch in the field of wireless communication, and automatic modulation classification (AMC), which plays critical roles in both civilian and military applications, is a major part of cognitive radio technology. Adversarial examples can reduce the performance of a deep learning-based AMC system with a hardly perceptible perturbation, which can prevent the signal being intercepted by non-cooperative deep learning-based signal receiver. In this paper, we test the attack efficiency of two kinds of adversarial examples in dataset RML2016.04C, and discuss the reason why adversarial examples can attack the deep learning-based AMC successfully, verifying the underfitting of networks of AMC is ubiquitous. Modulations which are similar in time domain and frequency domain, such as {8PSK, QPSK}, {QAM16, QAM64}, {AM-DSB, WBFM}, are easily vulnerable to adversarial examples.

Ruiqi Li,Hongshu Liao,Jiancheng An,Chau Yuen,Lu Gan

DOI: https://doi.org/10.1109/LCOMM.2023.3261423

IF: 3.5529

2023-01-01

IEEE Communications Letters

Abstract:Most existing adversarial attack methods generally rely on ideal assumptions, which is unreasonable for practical applications. In this letter, a practical threat model which utilizes adversarial attacks for anti-eavesdropping is proposed and a physical intra-class universal adversarial perturbation (IC-UAP) crafting method against DL-based wireless signal classifiers is then presented. First, an IC-UAP algorithm is proposed based on the threat model to craft a stronger UAP attack against the samples in a given class from a batch of samples in the class. Then, we develop a physical attack algorithm based on the IC-UAP method, in which perturbations are optimized under random shifting to enhance the robustness of IC-UAPs against the unsynchronization between adversarial attacks and attacked signals. Finally, the numerical results corroborate the effectiveness of the proposed approach based on the benchmark dataset.

Zenghui Jiang,Weijun Zeng,Xingyu Zhou,Peilun Feng,Pu Chen,Shenqian Yin,Changzhi Han,Lin Li

DOI: https://doi.org/10.3390/electronics12183752

IF: 2.9

2023-09-06

Electronics

Abstract:Automatic modulation recognition (AMR) serves as a crucial component in domains such as cognitive radio and electromagnetic countermeasures, acting as a significant prerequisite for the efficient signal processing of receivers. Deep neural networks (DNNs), despite their effectiveness, are known to be vulnerable to adversarial attacks. This vulnerability has inspired the introduction of subtle interference to wireless communication signals—interference so minuscule that it is difficult for the human eye to discern. Such interference can mislead eavesdroppers into erroneous modulation pattern recognition when using DNNs, thereby camouflaging communication signal modulation patterns. Nonetheless, the majority of current camouflage methods used for electromagnetic signal modulation recognition rely on a global perturbation of the signal. They fail to consider the local agility of signal disturbance and the concealment requirements for bait signals that are intercepted by the interceptor. This paper presents a generator framework designed to produce perturbations with sparse properties. Furthermore, we introduce a method to reduce spectral loss, which minimizes the spectral difference between adversarial perturbation and the original signal. This method makes perturbation more challenging to monitor, thereby deceiving enemy electromagnetic signal modulation recognition systems. The experimental results validated that the proposed method significantly outperformed existing methods in terms of generation time. Moreover, it can generate adversarial signals characterized by high deceivability and transferability even under extremely sparse conditions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Tailai Wen,Da Ke,Xiang Wang,Zhitao Huang

2024-02-27

Abstract:Deep learning algorithms have become an essential component in the field of cognitive radio, especially playing a pivotal role in automatic modulation classification. However, Deep learning also present risks and vulnerabilities. Despite their outstanding classification performance, they exhibit fragility when confronted with meticulously crafted adversarial examples, posing potential risks to the reliability of modulation recognition results. Addressing this issue, this letter pioneers the development of an intelligent modulation classification framework based on conformal theory, named the Conformal Shield, aimed at detecting the presence of adversarial examples in unknown signals and assessing the reliability of recognition results. Utilizing conformal mapping from statistical learning theory, introduces a custom-designed Inconsistency Soft-solution Set, enabling multiple validity assessments of the recognition outcomes. Experimental results demonstrate that the Conformal Shield maintains robust detection performance against a variety of typical adversarial sample attacks in the received signals under different perturbation-to-signal power ratio conditions.

Signal Processing

Zhaowei Wang,Weicheng Liu,Hui-Ming Wang

DOI: https://doi.org/10.1109/lcomm.2022.3206115

IF: 3.5529

2022-01-01

IEEE Communications Letters

Abstract:Although Deep Neural Networks (DNN) can achieve state-of-the-art performance in automatic modulation recognition (AMC) tasks, they have sufferd tremendous failures from adversarial attacks, which means the input signals are contaminated by imperceptible but intentional perturbations. However, little work has been done to consider eliminating adversarial perturbations while keeping the high classification accuracy of clean signals. In this letter, we propose an effective data preprocess framework based on Generative Adversarial Nets (GAN) to defend against the adversarial examples. The experiments show that the proposed method can effectively eliminate adversarial perturbations and maintain the high classification accuracy of clean samples.

Yunsong Huang,Weicheng Liu,Hui-Ming Wang

DOI: https://doi.org/10.1109/TVT.2023.3267455

2023-06-19

Abstract:Recently, DL has been exploited in wireless communications such as modulation classification. However, due to the openness of wireless channel and unexplainability of DL, it is also vulnerable to adversarial attacks. In this correspondence, we investigate a so called hidden backdoor attack to modulation classification, where the adversary puts elaborately designed poisoned samples on the basis of IQ sequences into training dataset. These poisoned samples are hidden because it could not be found by traditional classification methods. And poisoned samples are same to samples with triggers which are patched samples in feature space. We show that the hidden backdoor attack can reduce the accuracy of modulation classification significantly with patched samples. At last, we propose activation cluster to detect abnormal samples in training dataset.

Signal Processing

Zhaowei Wang,Weicheng Liu,Hui-Ming Wang

DOI: https://doi.org/10.1109/lcomm.2024.3355156

IF: 3.5529

2024-03-13

IEEE Communications Letters

Abstract:Adversarial attacks on deep learning based modulation classification have received considerable attention recently. However, existing works mainly focus on the idealized white-box adversarial attacks and ignore the impact of the wireless channel. In this letter, we present a black-box Universal Adversarial Perturbation (UAP) attack scheme considering the wireless channel and propose the corresponding defense method. We first propose a conditional generative adversarial Nets (cGAN) approach to enlarge the training set of the channel state information (CSI) of wireless channel. Then, we introduce a cGAN aided black-box UAP attack scheme to disable the modulation classification capability of the deep neural network over the air. At last, we present a defense method that utilizes UAPs for adversarial training (AT). Simulation results show that the cGAN aided black-box UAP attack can decrease the accuracy of the modulation classifier by 19.3% when the perturbation power reaches the same level as the noise power, while the proposed defense method can improve it by 11.2%.

telecommunications

Shuting Tang,Mingliang Tao,Jia Su,Yifei Fan,Ling Wang,Tao Li

DOI: https://doi.org/10.1109/radar53847.2021.10028136

2021-01-01

Abstract:In recent years, electromagnetic spectrum becomes more and more congested and the task of spectrum sensing meets various challenges. On the other hand, there is also a counter-demand that the transmitted signal should not be detected, intercepted, or identified by the intelligent spectrum sensing equipment. In this paper, a smart deception method for radio signal using adversarial learning under the black-box assumption is investigated. By generating smart deception, the accuracy of the intelligent electromagnetic spectrum equipment to identify the radio signal decreasing more than 50.63%. The radio signal camouflage is achieved by smart deception, which will lower the interception and identification possibility of the transmitted signal.

Yun Lin,Haojun Zhao,Ya Tu,Shiwen Mao,Zheng Dou

DOI: https://doi.org/10.1109/infocom41043.2020.9155389

2020-07-01

Abstract:With the emergence of the information age, mobile data has become more random, heterogeneous and massive. Thanks to its many advantages, deep learning is increasingly applied in communication fields such as modulation recognition. However, recent studies show that the deep neural networks (DNN) is vulnerable to adversarial examples, where subtle perturbations deliberately designed by an attacker can fool a classifier model into making mistakes. From the perspective of an attacker, this study adds elaborate adversarial examples to the modulation signal, and explores the threats and impacts of adversarial attacks on the DNN-based modulation recognition in different environments. The results show that, regardless of a white-box or a black-box model, the adversarial attack can reduce the accuracy of the target model. Among them, the performance of the iterative attack is superior to the one-step attack in most scenarios. In order to ensure the invisibility of the attack (the waveform being consistent before and after the perturbations), an appropriate perturbation level is found without losing the attack effect. Finally, it is attested that the signal confidence level is inversely proportional to the attack success rate, and several groups of signals with high robustness are obtained.

Lin Hu,Han Jiang,Wen Li,Hao Han,Yang,Yutao Jiao,Haichao Wang,Yuhua Xu

DOI: https://doi.org/10.1155/2022/5472324

2022-01-01

Wireless Communications and Mobile Computing

Abstract:Deep neural network-based automatic modulation recognition (AMR) technology has become an increasingly important area due to the advantages of self-extraction of features and high identification accuracy. Based on the view of security threats to machine learning classifiers, we investigate the influence of adversarial samples on the AMR model in this paper. The traditional method is based on label gradient attack without taking advantage of the feature-level transferability, resulting in the attack effect that is not perfect. So, we exploit the feature-level transferability property that could be met to fulfill realistic imperceptibility and transfer needs. In this paper, firstly, we proposed an AMR scheme with high recognition accuracy as our attack model. Secondly, we proposed a transferable attack method based on a feature gradient-based, which increases perturbation to clean signal based on features space. Finally, we introduce a new attack strategy, in which we select two original and one adversarial target signal sample as the input of triplet loss to achieve higher attack strength and high transferability. Meanwhile, this paper proposes indicators of signal characteristics to test the effectiveness of our proposed attack method. Based on experimental results, our proposed feature gradient-based adversarial attack method outperforms the currently labeled gradient attack methods regarding attack effectiveness and transferability.

Da Ke,Xiang Wang,Kaizhu Huang,Haoyuan Wang,Zhitao Huang

DOI: https://doi.org/10.1007/s12559-022-10062-y

IF: 4.89

2022-10-20

Cognitive Computation

Abstract:Integrating cognitive radio (CR) technique with wireless networks is an effective way to solve the increasingly crowded spectrum. Automatic modulation classification (AMC) plays an important role in CR. AMC significantly improves the intelligence of CR system by classifying the modulation type and signal parameters of received communication signals. AMC can provide more information for decision making of the CR system. In addition, AMC can help the CR system dynamically adjust the modulation type and coding rate of the communication signal to adapt to different channel qualities, and the AMC technique help eliminate the cost of broadcast modulation type and coding rate. Deep learning (DL) has recently emerged as one most popular method in AMC of communication signals. Despite their success, DL models have recently been shown vulnerable to adversarial attacks in pattern recognition and computer vision. Namely, they can be easily deceived if a small and carefully designed perturbation called an adversarial attack is imposed on the input, typically an image in pattern recognition. Owing to the very different nature of communication signals, it is interesting yet crucially important to study if adversarial perturbation could also fool AMC. In this paper, we make a first attempt to investigate how we can design a special adversarial attack on AMC. we start from the assumption of a linear binary classifier which is further extended to multi-way classifier. We consider the minimum power consumption that is different from existing adversarial perturbation but more reasonable in the context of AMC. We then develop a novel adversarial perturbation generation method that leads to high attack success to communication signals. Experimental results on real data show that the method is able to successfully spoof the 11-class modulation classification at a model with a minimum cost of about − 21 dB in automatic modulation classification task. The visualization results demonstrate that the adversarial perturbation manifests in the time domain as imperceptible undulations of the signal, and in the frequency domain as small noise outside the signal band.

computer science, artificial intelligence,neurosciences

Boxiang He,Fanggang Wang

DOI: https://doi.org/10.1109/twc.2023.3335050

IF: 10.4

2024-01-01

IEEE Transactions on Wireless Communications

Abstract:For the modulation classification problems, the deep learning approaches can determine the unknown modulation formats in high confidence. However, it has been maliciously used by eavesdroppers. In this paper, we consider the wireless communication scenario, in which Alice intends to communicate with Bob confidentially in the threat of Eve, who tries to determine the unknown modulation formats of Alice using some deep learning approach. Recent advancements in adversarial machine learning have demonstrated that the deep learning techniques are vulnerable to crafted perturbations. To prevent Eve from classifying Alice’s modulation formats, Alice transmits the modulation signal with the well-designed adversarial perturbation. We first formulate an optimization problem to determine the optimized adversarial perturbation, in which the objective is to mislead the modulation classifier of Eve subject to the communication constraints, i.e., the power efficiency, the achievable rate, and the reliability. Then, the augmented Lagrangian method is adopted to solve the perturbation optimization problem, in which the implicit objective is evaluated using the Monte Carlo method, and the gradients of the implicit constraints are obtained using the Gaussian-based estimation algorithm. We further extend the perturbation design to the both cases of Alice having and not having the prior knowledge of Eve. Finally, the input-independent universal perturbation for the specific modulation type is proposed, which is deployed via a lookup table method. Numerical results show that the designed perturbation with 10% power of the modulated signal can attack Eve’s modulation classifier with the great success while ensuring both the achievable rate and the reliability close to the ideal case (say, no perturbation). Compared to the existing methods, the designed perturbation achieves the better attack performance and is robust to the filtering, the oversampling, and the time/frequency offset. Furthermore, this paper reveals that the structure type of Eve’s model has a large impact on the attack performance, and verifies that the adversarial perturbation can effectively attack the modulation classifiers that resort to the expert knowledge.

Junyi Zhang,Chun Li,Jiayong Zhao,Wei Tang,Shichao Guan

DOI: https://doi.org/10.1109/smartiot58732.2023.00056

2023-01-01

Abstract:In recent years, Deep Neural Networks have faced the challenge of resisting example attacks, which seriously affects the security of modulation recognition models based on Deep Neural Networks. Aiming at the adversarial attack problem in signal modulation recognition, this paper uses five classic adversarial attack methods to attack three modulation recognition models based on Deep Neural Networks with different architectures. Then, the attack effectiveness of different methods is evaluated in terms of attack success rate, imperceptibility. The experimental results show that the neural network model is extremely vulnerable to adversarial attacks. The evaluation index proposed in this paper can comprehensively and accurately evaluate the signal adversarial examples, which is of great value for the research on the security and reliability of the intelligent modulation recognition model.

Dongwei Xu,Hao Yang,Chuntao Gu,Zhuangzhi Chen,Qi Xuan,Xiaoniu Yang

DOI: https://doi.org/10.1109/tcsii.2021.3095663

2021-01-01

IEEE Transactions on Circuits & Systems II Express Briefs

Abstract:In the field of deep learning, deep neural networks (DNNs) have shown good performance on classification applications. However, a DNN model is vulnerable to adversarial examples, which is formed by adding tiny perturbations on a normal example and can mislead the DNN model to make a wrong estimate during the prediction. In this brief, for adversarial attacks in radio signals field, we propose a novel adversarial example detection strategy based on multifeature fusion and provide a framework which includes generating adversarial examples, extracting the local intrinsic dimensionality (LID) features and the constellation diagram (CD) features, detecting adversarial examples. We obtain the output values of normal examples and adversarial examples in each layer of the model respectively, and then, calculate the LID features values of examples by the maximum likelihood estimate based on a certain neighborhood range. Meanwhile, we calculate the CD features values by the range feature and density feature of the constellation diagram distribution. Finally, a logistic regression classifier is trained based on multifeature fusion values to detect adversarial examples. The experimental results across two benchmark datasets demonstrate that the proposed multifeature fusion method could accurately detect adversarial examples of radio signals. The detection accuracy is up to 98.7% when the perturbation reached 10%.

Brian Kim,Yalin E. Sagduyu,Tugba Erpek,Kemal Davaslioglu,Sennur Ulukus

DOI: https://doi.org/10.1109/gcwkshps50303.2020.9367473

2020-12-01

Abstract:We consider a wireless communication system, where a transmitter sends signals to a receiver with different modulation types while the receiver classifies the modulation types of the received signals using its deep learning-based classifier. Concurrently, an adversary transmits adversarial perturbations using its multiple antennas to fool the classifier into misclassifying the received signals. From the adversarial machine learning perspective, we show how to utilize multiple antennas at the adversary to improve the adversarial (evasion) attack performance. Two main points are considered while exploiting the multiple antennas at the adversary, namely the power allocation among antennas and the utilization of channel diversity. First, we show that multiple independent adversaries, each with a single antenna cannot improve the attack performance compared to a single adversary with multiple antennas using the same total power. Then, we consider various ways to allocate power among multiple antennas at a single adversary such as allocating power to only one antenna, and proportional or inversely proportional to the channel gain. By utilizing channel diversity, we introduce an attack to transmit the adversarial perturbation through the channel with the largest channel gain at the symbol level. We show that this attack reduces the classifier accuracy significantly compared to other attacks under different channel conditions in terms of channel variance and channel correlation across antennas. Also, we show that the attack success improves significantly as the number of antennas increases at the adversary that can better utilize channel diversity to craft adversarial attacks.