Yalin E. Sagduyu,Tugba Erpek

2023-12-28

Abstract:Low-Power Wide-Area Network (LPWAN) technologies, such as LoRa, have gained significant attention for their ability to enable long-range, low-power communication for Internet of Things (IoT) applications. However, the security of LoRa networks remains a major concern, particularly in scenarios where device identification and classification of legitimate and spoofed signals are crucial. This paper studies a deep learning framework to address these challenges, considering LoRa device identification and legitimate vs. rogue LoRa device classification tasks. A deep neural network (DNN), either a convolutional neural network (CNN) or feedforward neural network (FNN), is trained for each task by utilizing real experimental I/Q data for LoRa signals, while rogue signals are generated by using kernel density estimation (KDE) of received signals by rogue devices. Fast Gradient Sign Method (FGSM)-based adversarial attacks are considered for LoRa signal classification tasks using deep learning models. The impact of these attacks is assessed on the performance of two tasks, namely device identification and legitimate vs. rogue device classification, by utilizing separate or common perturbations against these signal classification tasks. Results presented in this paper quantify the level of transferability of adversarial attacks on different LoRa signal classification tasks as a major vulnerability and highlight the need to make IoT applications robust to adversarial attacks.

Cryptography and Security,Artificial Intelligence,Machine Learning,Networking and Internet Architecture,Signal Processing

Zhe Zhao,Guangke Chen,Jingyi Wang,Yiwei Yang,Fu Song,Jun Sun

DOI: https://doi.org/10.1145/3460319.3464822

2021-01-01

Abstract:As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10.

Yalin E. Sagduyu,Yi Shi,Tugba Erpek

DOI: https://doi.org/10.48550/arXiv.1906.00076

2019-06-01

Abstract:Machine learning finds rich applications in Internet of Things (IoT) networks such as information retrieval, traffic management, spectrum sensing, and signal authentication. While there is a surge of interest to understand the security issues of machine learning, their implications have not been understood yet for wireless applications such as those in IoT systems that are susceptible to various attacks due the open and broadcast nature of wireless communications. To support IoT systems with heterogeneous devices of different priorities, we present new techniques built upon adversarial machine learning and apply them to three types of over-the-air (OTA) wireless attacks, namely jamming, spectrum poisoning, and priority violation attacks. By observing the spectrum, the adversary starts with an exploratory attack to infer the channel access algorithm of an IoT transmitter by building a deep neural network classifier that predicts the transmission outcomes. Based on these prediction results, the wireless attack continues to either jam data transmissions or manipulate sensing results over the air (by transmitting during the sensing phase) to fool the transmitter into making wrong transmit decisions in the test phase (corresponding to an evasion attack). When the IoT transmitter collects sensing results as training data to retrain its channel access algorithm, the adversary launches a causative attack to manipulate the input data to the transmitter over the air. We show that these attacks with different levels of energy consumption and stealthiness lead to significant loss in throughput and success ratio in wireless communications for IoT systems. Then we introduce a defense mechanism that systematically increases the uncertainty of the adversary at the inference stage and improves the performance. Results provide new insights on how to attack and defend IoT networks using deep learning.

Networking and Internet Architecture,Cryptography and Security,Machine Learning

Mingming Zha,Guozhu Meng,Chaoyang Lin,Zhe Zhou,Kai Chen

DOI: https://doi.org/10.1007/978-3-030-42921-8_6

2019-01-01

Abstract:With the advances of deep learning, license plate recognition (LPR) based on deep learning has been widely used in public transport such as electronic toll collection, car parking management and law enforcement. Deep neural networks are proverbially vulnerable to crafted adversarial examples, which has been proved in many applications like object recognition, malware detection, etc. However, it is more challenging to launch a practical adversarial attack against LPR systems as any covering or scrawling to license plate is prohibited by law. On the other hand, the created perturbations are susceptible to the surrounding environment including illumination conditions, shooting distances and angles of LPR systems. To this end, we propose the first practical adversarial attack, named as RoLMA, against deep learning-based LPR systems. We adopt illumination technologies to create a number of light spots as noises on the license plate, and design targeted and non-targeted strategies to find out the optimal adversarial example against HyperLPR, a state-of-the-art LPR system. We physicalize these perturbations on a real license plate by virtue of generated adversarial examples. Extensive experiments demonstrate that RoLMA can effectively deceive HyperLPR with an 89.15% success rate in targeted attacks and 97.3% in non-targeted attacks. Moreover, our experiments also prove its high practicality with a 91.43% success rate towards physical license plates, and imperceptibility with around 93.56% of investigated participants being able to correctly recognize license plates.

Zhida Bao,Yun Lin,Sicheng Zhang,Zixin Li,Shiwen Mao

DOI: https://doi.org/10.1109/jiot.2021.3120197

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:With the rapid development of the information technology, the number of devices in the Internet of Things (IoT) is increasing explosively, which makes device identification a great challenge. Deep neural networks (DNNs) have been used for device identification in IoT due to their superior learning ability. However, DNNs are susceptible to adversarial attacks, which can greatly degrade the accuracy of deep learning (DL) models for device identification. The adversarial attack is one of the fundamental security concerns for DNNs, and it is of great importance to study the generation of adversarial examples and to examine the attack effects for the design of robust DNN-based device identification schemes. In this article, we examine the effects of nontargeted and targeted adversarial attacks on convolutional neural network (CNN)-based device identification and propose combined evaluation indicators of logits to enrich the evaluation criteria. Our experimental results demonstrate that the identification accuracy degrades with the increase of the perturbation level and iteration step size, and the proposed combined evaluation indicators are effective to show the individual device signal differences. The insights from this study will be useful for the design of robust DL-based IoT systems.

Meysam Sadeghi,Erik G. Larsson

DOI: https://doi.org/10.1109/lwc.2018.2867459

IF: 6.3

2019-02-01

IEEE Wireless Communications Letters

Abstract:Deep learning (DL), despite its enormous success in many computer vision and language processing applications, is exceedingly vulnerable to adversarial attacks. We consider the use of DL for radio signal (modulation) classification tasks, and present practical methods for the crafting of white-box and universal black-box adversarial attacks in that application. We show that these attacks can considerably reduce the classification performance, with extremely small perturbations of the input. In particular, these attacks are significantly more powerful than classical jamming attacks, which raises significant security and robustness concerns in the use of DL-based algorithms for the wireless physical layer.

computer science, information systems,telecommunications,engineering, electrical & electronic

Han Qiu,Tian Dong,Tianwei Zhang,Jialiang Lu,Gerard Memmi,Meikang Qiu

DOI: https://doi.org/10.1109/jiot.2020.3048038

IF: 10.6

2021-07-01

IEEE Internet of Things Journal

Abstract:Deep learning (DL) has gained popularity in network intrusion detection, due to its strong capability of recognizing subtle differences between normal and malicious network activities. Although a variety of methods have been designed to leverage DL models for security protection, whether these systems are vulnerable to adversarial examples (AEs) is unknown. In this article, we design a novel adversarial attack against DL-based network intrusion detection systems (NIDSs) in the Internet-of-Things environment, with only black-box accesses to the DL model in such NIDS. We introduce two techniques: 1) model extraction is adopted to replicate the black-box model with a small amount of training data and 2) a saliency map is then used to disclose the impact of each packet attribute on the detection results, and the most critical features. This enables us to efficiently generate AEs using conventional methods. With these tehniques, we successfully compromise one state-of-the-art NIDS, Kitsune: the adversary only needs to modify less than 0.005% of bytes in the malicious packets to achieve an average 94.31% attack success rate.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shuting Tang,Mingliang Tao,Xiang Zhang,Yifei Fan,Jia Su,Ling Wang

DOI: https://doi.org/10.23919/URSIGASS51995.2021.9560288

2021-01-01

Abstract:Deep learning has achieved superior performance on radio signal modulation classification. However, its security and reliability are vulnerable due to its data-oriented learning strategy. In this paper, the vulnerability of deep neural network for radio classification is investigated. Based on the radar and communication waveforms, slight optimal perturbations are generated and added onto the orig...

Fei Xiao,Yong Huo,Yang Zuo,Kaihua Wei,Wei Wang

DOI: https://doi.org/10.48550/arxiv.2301.03760

2023-01-01

Abstract:Empowered by deep neural networks (DNNs), Wi-Fi fingerprinting has recently achieved astonishing localization performance to facilitate many security-critical applications in wireless networks, but it is inevitably exposed to adversarial attacks, where subtle perturbations can mislead DNNs to wrong predictions. Such vulnerability provides new security breaches to malicious devices for hampering wireless network security, such as malfunctioning geofencing or asset management. The prior adversarial attack on localization DNNs uses additive perturbations on channel state information (CSI) measurements, which is impractical in Wi-Fi transmissions. To transcend this limitation, this paper presents FooLoc, which fools Wi-Fi CSI fingerprinting DNNs over the realistic wireless channel between the attacker and the victim access point (AP). We observe that though uplink CSIs are unknown to the attacker, the accessible downlink CSIs could be their reasonable substitutes at the same spot. We thoroughly investigate the multiplicative and repetitive properties of over-the-air perturbations and devise an efficient optimization problem to generate imperceptible yet robust adversarial perturbations. We implement FooLoc using commercial Wi-Fi APs and Wireless Open-Access Research Platform (WARP) v3 boards in offline and online experiments, respectively. The experimental results show that FooLoc achieves overall attack success rates of about 70% in targeted attacks and of above 90% in untargeted attacks with small perturbation-to-signal ratios of about -18dB.

Lu Zhang,Sangarapillai Lambotharan,Gan Zheng,Basil AsSadhan,Fabio Roli

2024-07-09

Abstract:Deep learning algorithms have been shown to be powerful in many communication network design problems, including that in automatic modulation classification. However, they are vulnerable to carefully crafted attacks called adversarial examples. Hence, the reliance of wireless networks on deep learning algorithms poses a serious threat to the security and operation of wireless networks. In this letter, we propose for the first time a countermeasure against adversarial examples in modulation classification. Our countermeasure is based on a neural rejection technique, augmented by label smoothing and Gaussian noise injection, that allows to detect and reject adversarial examples with high accuracy. Our results demonstrate that the proposed countermeasure can protect deep-learning based modulation classification systems against adversarial examples.

Artificial Intelligence

Zhenju Zhang,Linru Ma,Mingqian Liu,Yunfei Chen,Nan Zhao

DOI: https://doi.org/10.1109/jiot.2023.3327953

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Modulation recognition using deep learning (DL) can efficiently recognize modulated signals in cognitive radio-enabled Internet of Things (IoT). However, it is vulnerable to the attack of adversarial examples designed by attackers, leading to a decrease in its accuracy. Different adversarial techniques can be used for attacks, but these attacks have limited efficiency. This article proposes a double loop iterative method. Different from the traditional attack methods, the new method designs an additional external loop iteration for high efficiency. When generating adversarial examples, the initial conditions of each iteration can be updated as the number of iterations changes, so that the adversarial examples can cross the decision boundary of the model as much as possible. In addition, this article uses knowledge distillation to improve the traditional adversarial training defense, which improves the robustness of the model. Simulation results show that the proposed attack and defense methods have better performance than traditional methods.

Jiakai Wang,Ye Tao,Yichi Zhang,Wanting Liu,Yusheng Kong,Shaolin Tan,Rongen Yan,Xianglong Liu

DOI: https://doi.org/10.1109/tifs.2024.3453041

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:WiFi F ingerprint-based L ocalization (WFL) has recently achieved promising results in the bloom of deep learning techniques. Unfortunately, current studies reveal the great risks of deep-learning models when facing adversarial attacks, raising broader concerns about D eep-learning-based WiFi F ingerprint L ocalization Models (DFLMs). However, real-world adversarial attacks targeting DFLMs are not fully investigated, making it unclear how to counter this potential threat. In this paper, we take the first step to introduce adversarial examples into the physical world against DFLMs. Specifically, we propose a general attack method named Phy-Adv, consisting of a physical attenuation loss and a differentiable simulation module, the generated adversarial noise could be feasibly produced in the real world and make effects on DFLMs, i.e. , misleading the DFLMs from the signal source end. Furthermore, aiming at countering this typical adversarial threat, we propose a R elaxant M ultiple B atch N ormalization (RMBN) approach, which alleviates the weak robustness of DFLMs by the data-end adaptive training-set segmenting and model-end multiple batch normalization designing. To demonstrate the de facto effectiveness of the proposed physical adversarial examples and the adversarial defense strategy, we conducted extensive experiments on 2 datasets, i.e. , BHD and TUT, and multiple deep models, e.g. , AlexNet, VGG, and ResNet. The experimental results strongly support that our Phy-Adv shows satisfactory adversarial attacking ability in the physical world, meanwhile, the RMBN enjoys considerable defense ability against the adversarial attacks.

Da Ke,Xiang Wang,Zhitao Huang

DOI: https://doi.org/10.1109/tifs.2024.3352423

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Although Deep learning (DL) provides state-of-art results for most spectrum sensing tasks, it is vulnerable to adversarial examples. Based on this phenomenon, we consider a non-cooperative communication scenario where an intruder tries to recognize the modulation type of the intercepted signal. Specifically, this paper aims to minimize the intruder’s accuracy while guaranteeing that the intended receiver can still recover the underlying message with the highest reliability. This process is implemented by adding adversarial perturbations to the channel input symbols at the encoder. In image classification, the perturbation is limited to be imperceptible to a human observer by minimizing the ℓp norm, while in this work, we enriched the connotation of adversarial examples, and first proposed that the imperceptibility of adversarial examples in the field of wireless signals is the imperceptibility of filters. Based on this perspective, we optimized the model of adversarial examples and constrained the adversarial perturbation to a narrow frequency band so that filters cannot filter it out. We also define a new set of metrics to describe the imperceptibility of the wireless signal adversarial example. The simulation results demonstrate the viability of our approach in securing wireless communication against state-of-the-art DL-based intruders while minimizing communication performance reduction.

computer science, theory & methods,engineering, electrical & electronic

Ruiqi Li,Hongshu Liao,Jiancheng An,Chau Yuen,Lu Gan

DOI: https://doi.org/10.1109/LCOMM.2023.3261423

IF: 3.5529

2023-01-01

IEEE Communications Letters

Abstract:Most existing adversarial attack methods generally rely on ideal assumptions, which is unreasonable for practical applications. In this letter, a practical threat model which utilizes adversarial attacks for anti-eavesdropping is proposed and a physical intra-class universal adversarial perturbation (IC-UAP) crafting method against DL-based wireless signal classifiers is then presented. First, an IC-UAP algorithm is proposed based on the threat model to craft a stronger UAP attack against the samples in a given class from a batch of samples in the class. Then, we develop a physical attack algorithm based on the IC-UAP method, in which perturbations are optimized under random shifting to enhance the robustness of IC-UAPs against the unsynchronization between adversarial attacks and attacked signals. Finally, the numerical results corroborate the effectiveness of the proposed approach based on the benchmark dataset.

Mingqian Liu,Hongyi Zhang,Zilong Liu,Nan Zhao

DOI: https://doi.org/10.1109/tr.2022.3179491

IF: 5.883

2023-01-01

IEEE Transactions on Reliability

Abstract:Cognitive radio-based Internet of Things (CR-IoT) network provides a solution for IoT devices to efficiently utilize spectrum resources. Spectrum sensing is a critical problem in CR-IoT network, which has been investigated extensively based on deep learning (DL). Despite the unique advantages of DL in spectrum sensing, the black-box and unexplained properties of deep neural networks may lead to many security risks. This article considers the fusion of traditional interference methods and data poisoning which is an attack method on the training data of a machine learning tool. We propose a new adversarial attack for reducing the sensing accuracy in DL-based spectrum sensing systems. We introduce a novel design of jamming waveform whose interference capability is reinforced by data poisoning. Simulation results show that significant performance enhancement and higher mobility can be achieved compared with traditional white-box attack methods.

Kemal Davaslioglu,Yalin E. Sagduyu

DOI: https://doi.org/10.48550/arXiv.1910.10766

2019-10-24

Abstract:We present a Trojan (backdoor or trapdoor) attack that targets deep learning applications in wireless communications. A deep learning classifier is considered to classify wireless signals using raw (I/Q) samples as features and modulation types as labels. An adversary slightly manipulates training data by inserting Trojans (i.e., triggers) to only few training data samples by modifying their phases and changing the labels of these samples to a target label. This poisoned training data is used to train the deep learning classifier. In test (inference) time, an adversary transmits signals with the same phase shift that was added as a trigger during training. While the receiver can accurately classify clean (unpoisoned) signals without triggers, it cannot reliably classify signals poisoned with triggers. This stealth attack remains hidden until activated by poisoned inputs (Trojans) to bypass a signal classifier (e.g., for authentication). We show that this attack is successful over different channel conditions and cannot be mitigated by simply preprocessing the training and test data with random phase variations. To detect this attack, activation based outlier detection is considered with statistical as well as clustering techniques. We show that the latter one can detect Trojan attacks even if few samples are poisoned.

Networking and Internet Architecture,Cryptography and Security,Machine Learning,Signal Processing

Liting Sun,Da Ke,Xiang Wang,Zhitao Huang,Kaizhu Huang

DOI: https://doi.org/10.3390/rs14194996

IF: 5

2022-01-01

Remote Sensing

Abstract:Deep learning (DL)-based specific emitter identification (SEI) technique can automatically extract radio frequency (RF) fingerprint features in RF signals to distinguish between legal and illegal devices and enhance the security of wireless network. However, deep neural network (DNN) can easily be fooled by adversarial examples or perturbations of the input data. If a malicious device emits signals containing a specially designed adversarial samples, will the DL-based SEI still work stably to correctly identify the malicious device? To the best of our knowledge, this research is still blank, let alone the corresponding defense methods. Therefore, this paper designs two scenarios of attack and defense and proposes the corresponding implementation methods to specializes in the robustness of DL-based SEI under adversarial attacks. On this basis, detailed experiments are carried out based on the real-world data and simulation data. The attack scenario is that the malicious device adds an adversarial perturbation signal specially designed to the original signal, misleading the original system to make a misjudgment. Experiments based on three different attack generation methods show that DL-based SEI is very vulnerability. Even if the intensity is very low, without affecting the probability density distribution of the original signal, the performance can be reduced to about 50%, and at −22 dB it is completely invalid. In the defense scenario, the adversarial training (AT) of DL-based SEI is added, which can significantly improve the system’s performance under adversarial attacks, with ≥60% improvement in the recognition rate compared to the network without AT. Further, AT has a more robust effect on white noise. This study fills the relevant gaps and provides guidance for future research. In the future research, the impact of adversarial attacks must be considered, and it is necessary to add adversarial training in the training process.

Brian Kim,Yalin E. Sagduyu,Kemal Davaslioglu,Tugba Erpek,Sennur Ulukus

DOI: https://doi.org/10.48550/arXiv.2002.02400

2020-02-14

Abstract:We consider a wireless communication system that consists of a transmitter, a receiver, and an adversary. The transmitter transmits signals with different modulation types, while the receiver classifies its received signals to modulation types using a deep learning-based classifier. In the meantime, the adversary makes over-the-air transmissions that are received as superimposed with the transmitter's signals to fool the classifier at the receiver into making errors. While this evasion attack has received growing interest recently, the channel effects from the adversary to the receiver have been ignored so far such that the previous attack mechanisms cannot be applied under realistic channel effects. In this paper, we present how to launch a realistic evasion attack by considering channels from the adversary to the receiver. Our results show that modulation classification is vulnerable to an adversarial attack over a wireless channel that is modeled as Rayleigh fading with path loss and shadowing. We present various adversarial attacks with respect to availability of information about channel, transmitter input, and classifier architecture. First, we present two types of adversarial attacks, namely a targeted attack (with minimum power) and non-targeted attack that aims to change the classification to a target label or to any other label other than the true label, respectively. Both are white-box attacks that are transmitter input-specific and use channel information. Then we introduce an algorithm to generate adversarial attacks using limited channel information where the adversary only knows the channel distribution. Finally, we present a black-box universal adversarial perturbation (UAP) attack where the adversary has limited knowledge about both channel and transmitter input.

Signal Processing,Machine Learning,Networking and Internet Architecture

Zenghui Jiang,Weijun Zeng,Xingyu Zhou,Peilun Feng,Pu Chen,Shenqian Yin,Changzhi Han,Lin Li

DOI: https://doi.org/10.3390/electronics12183752

IF: 2.9

2023-09-06

Electronics

Abstract:Automatic modulation recognition (AMR) serves as a crucial component in domains such as cognitive radio and electromagnetic countermeasures, acting as a significant prerequisite for the efficient signal processing of receivers. Deep neural networks (DNNs), despite their effectiveness, are known to be vulnerable to adversarial attacks. This vulnerability has inspired the introduction of subtle interference to wireless communication signals—interference so minuscule that it is difficult for the human eye to discern. Such interference can mislead eavesdroppers into erroneous modulation pattern recognition when using DNNs, thereby camouflaging communication signal modulation patterns. Nonetheless, the majority of current camouflage methods used for electromagnetic signal modulation recognition rely on a global perturbation of the signal. They fail to consider the local agility of signal disturbance and the concealment requirements for bait signals that are intercepted by the interceptor. This paper presents a generator framework designed to produce perturbations with sparse properties. Furthermore, we introduce a method to reduce spectral loss, which minimizes the spectral difference between adversarial perturbation and the original signal. This method makes perturbation more challenging to monitor, thereby deceiving enemy electromagnetic signal modulation recognition systems. The experimental results validated that the proposed method significantly outperformed existing methods in terms of generation time. Moreover, it can generate adversarial signals characterized by high deceivability and transferability even under extremely sparse conditions.

engineering, electrical & electronic,computer science, information systems,physics, applied