Leiyang Xu,Xiaolong Zheng,Yucheng Zhang,Liang Liu,Huadong Ma

DOI: https://doi.org/10.1145/3698592

2024-01-01

ACM Transactions on Sensor Networks

Abstract:With the widespread adoption of deep learning models in wireless sensing, substantial efforts have been made to develop sophisticated models that improve the accuracy and performance of sensing applications. However, the exploration of potential vulnerabilities in deep models has been limited, with existing studies primarily focusing on evaluating wireless adversarial performance in communication or sensing alone. Moreover, there is a lack of a comprehensive definition for attack imperceptibility. In this paper, we come up with a definition of the wireless attack imperceptibility for both communication and sensing. Our objective is to create an adversarial perturbation capable of degrading WiFi sensing performance while preserving WiFi communication integrity. To achieve this, we propose WiCAM2.0 to reveal the temporal and spatial attention of a DNN, capturing the crucial portions of its input. Then we design a mask to confine adversarial perturbations in the attended parts only, minimizing the impact on WiFi communication. WiCAM2.0 is a general adversarial framework that integrates adversarial methods like FGSM and PGD to generate perturbations, capable of initiating both non-targeted and targeted attacks. We carry out experiments on three popular WiFi sensing applications, including human activity recognition, gesture recognition, and user identification. Extensive experiments are conducted on both public datasets and self-collected datasets.

Changming Li,Mingjing Xu,Yicong Du,Limin Liu,Cong Shi,Yan Wang,Hongbo Liu,Yingying Chen

DOI: https://doi.org/10.1145/3636534.3649367

2024-01-01

Abstract:The pervasive use of WiFi has driven the recent research in WiFi sensing, converting communication tech into sensing for applications such as activity recognition, user authentication, and vital sign monitoring. Despite the integration of deep learning into WiFi sensing systems, potential security vulnerabilities to adversarial attacks remain unexplored. This paper introduces the first physical attack focusing on deep learning-based WiFi sensing systems, demonstrating how adversaries can subtly manipulate WiFi packet preambles to affect channel state information (CSI), a critical feature in such systems, and thereby influence underlying deep learning models without disrupting regular communication. To realize the proposed attack in practical scenarios, we rigorously analyze and derive the intricate relationship between the pilot symbol and CSI. A novel mechanism is proposed to facilitate quantitive control of receiver-side CSI through minimal modifications to the pilot symbols of WiFi packets at the transmitter. We further develop a perturbation optimization method based on the Carlini & Wagner (CW) attack and a penalty-based training process to ensure the attack's universal efficacy across various CSI responses and noise. The physical attack is implemented and evaluated in two representative WiFi sensing systems (i.e., activity recognition and user authentication) with 35 participants over 3 months. Extensive experiments demonstrate the remarkable attack success rates of 90.47% and 83.83% for activity recognition and user authentication, respectively.

Fei Xiao,Yong Huang,Yingying Zuo,Wei Kuang,Wei Wang

DOI: https://doi.org/10.1109/jiot.2023.3236314

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Empowered by deep neural networks (DNNs), Wi-Fi fingerprinting has recently achieved astonishing localization performance to facilitate many security-critical applications in wireless networks, but it is inevitably exposed to adversarial attacks, where subtle perturbations can mislead DNNs to wrong predictions. Such vulnerability provides new security breaches to malicious devices for hampering wireless network security, such as malfunctioning geofencing or asset management. The prior adversarial attack on localization DNNs uses additive perturbations on channel state information (CSI) measurements, which is impractical in Wi-Fi transmissions. To transcend this limitation, this article presents FooLoc, which fools Wi-Fi CSI fingerprinting DNNs over the realistic wireless channel between the attacker and the victim access point (AP). We observe that though uplink CSIs are unknown to the attacker, the accessible downlink CSIs could be their reasonable substitutes at the same spot. We thoroughly investigate the multiplicative and repetitive properties of over-the-air perturbations and devise an efficient optimization problem to generate imperceptible yet robust adversarial perturbations. We implement FooLoc using commercial Wi-Fi APs and wireless open-access research platform (WARP) v3 boards in offline and online experiments, respectively. The experimental results show that FooLoc achieves overall attack success rates of about 70% in targeted attacks and above 90% in untargeted attacks with small perturbation-to-signal ratios of about −18 dB.

Yushi Cheng,Xiaoyu Ji,Tianyang Lu,Wenyuan Xu

DOI: https://doi.org/10.1109/tmc.2019.2900919

IF: 6.075

2019-01-01

IEEE Transactions on Mobile Computing

Abstract:Wireless cameras are widely deployed in surveillance systems for security guarding. However, the privacy concerns associated with unauthorized videotaping, are drawing increasing attention recently. Existing detection methods for unauthorized wireless cameras are either limited by their detection accuracy or requiring dedicated devices. In this paper, we propose DeWiCam, a lightweight and effective detection mechanism using smartphones. The basic idea of DeWiCam is to utilize the intrinsic traffic patterns of flows from wireless cameras. Compared with traditional traffic pattern analysis, DeWiCam is more challenging because it cannot access the encrypted information in the data packets. Yet, DeWiCam overcomes the difficulty and can detect nearby wireless cameras reliably. To further identify whether a camera is in an interested room, we propose a human-assisted identification model. Extension functions of DeWiCam further enable the video resolution and audio channel inference to provide extra protection. We implemented DeWiCam on the Android platform and evaluated it with extensive experiments on 20 cameras. The evaluation results show that DeWiCam can detect cameras with an accuracy of 99 percent within $2.7\;\mathrm {s}$2.7s.

Hangcheng Cao,Wenbin Huang,Guowen Xu,Xianhao Chen,Ziyang He,Jingyang Hu,Hongbo Jiang,Yuguang Fang

2024-04-24

Abstract:Deep learning technologies are pivotal in enhancing the performance of WiFi-based wireless sensing systems. However, they are inherently vulnerable to adversarial perturbation attacks, and regrettably, there is lacking serious attention to this security issue within the WiFi sensing community. In this paper, we elaborate such an attack, called WiIntruder, distinguishing itself with universality, robustness, and stealthiness, which serves as a catalyst to assess the security of existing WiFi-based sensing systems. This attack encompasses the following salient features: (1) Maximizing transferability by differentiating user-state-specific feature spaces across sensing models, leading to a universally effective perturbation attack applicable to common applications; (2) Addressing perturbation signal distortion caused by device synchronization and wireless propagation when critical parameters are optimized through a heuristic particle swarm-driven perturbation generation algorithm; and (3) Enhancing attack pattern diversity and stealthiness through random switching of perturbation surrogates generated by a generative adversarial network. Extensive experimental results confirm the practical threats of perturbation attacks to common WiFi-based services, including user authentication and respiratory monitoring.

Cryptography and Security

Jiakai Wang,Ye Tao,Yichi Zhang,Wanting Liu,Yusheng Kong,Shaolin Tan,Rongen Yan,Xianglong Liu

DOI: https://doi.org/10.1109/tifs.2024.3453041

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:WiFi F ingerprint-based L ocalization (WFL) has recently achieved promising results in the bloom of deep learning techniques. Unfortunately, current studies reveal the great risks of deep-learning models when facing adversarial attacks, raising broader concerns about D eep-learning-based WiFi F ingerprint L ocalization Models (DFLMs). However, real-world adversarial attacks targeting DFLMs are not fully investigated, making it unclear how to counter this potential threat. In this paper, we take the first step to introduce adversarial examples into the physical world against DFLMs. Specifically, we propose a general attack method named Phy-Adv, consisting of a physical attenuation loss and a differentiable simulation module, the generated adversarial noise could be feasibly produced in the real world and make effects on DFLMs, i.e. , misleading the DFLMs from the signal source end. Furthermore, aiming at countering this typical adversarial threat, we propose a R elaxant M ultiple B atch N ormalization (RMBN) approach, which alleviates the weak robustness of DFLMs by the data-end adaptive training-set segmenting and model-end multiple batch normalization designing. To demonstrate the de facto effectiveness of the proposed physical adversarial examples and the adversarial defense strategy, we conducted extensive experiments on 2 datasets, i.e. , BHD and TUT, and multiple deep models, e.g. , AlexNet, VGG, and ResNet. The experimental results strongly support that our Phy-Adv shows satisfactory adversarial attacking ability in the physical world, meanwhile, the RMBN enjoys considerable defense ability against the adversarial attacks.

Da Ke,Xiang Wang,Zhitao Huang

DOI: https://doi.org/10.1109/tifs.2024.3352423

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Although Deep learning (DL) provides state-of-art results for most spectrum sensing tasks, it is vulnerable to adversarial examples. Based on this phenomenon, we consider a non-cooperative communication scenario where an intruder tries to recognize the modulation type of the intercepted signal. Specifically, this paper aims to minimize the intruder’s accuracy while guaranteeing that the intended receiver can still recover the underlying message with the highest reliability. This process is implemented by adding adversarial perturbations to the channel input symbols at the encoder. In image classification, the perturbation is limited to be imperceptible to a human observer by minimizing the ℓp norm, while in this work, we enriched the connotation of adversarial examples, and first proposed that the imperceptibility of adversarial examples in the field of wireless signals is the imperceptibility of filters. Based on this perspective, we optimized the model of adversarial examples and constrained the adversarial perturbation to a narrow frequency band so that filters cannot filter it out. We also define a new set of metrics to describe the imperceptibility of the wireless signal adversarial example. The simulation results demonstrate the viability of our approach in securing wireless communication against state-of-the-art DL-based intruders while minimizing communication performance reduction.

computer science, theory & methods,engineering, electrical & electronic

Siwang Zhou,Wei Zhang,Dan Peng,Yonghe Liu,Xingwei Liao,Hongbo Jiang

DOI: https://doi.org/10.1109/lcomm.2019.2952844

IF: 3.5529

2019-01-01

IEEE Communications Letters

Abstract:Recent research on WiFi sensing focuses on the identification of a wide range of human behaviors with high recognition accuracy. However, these well-studied recognition techniques can cause privacy concerns due to the ubiquity of WiFi signal and comprehensive behavior information embedded therein. In this letter, we take the first attempt to develop an adversarial deep network architecture for human behavior preservation. Our goal is to make desirable private behaviors of a human being not recognizable by general classifiers, while the recognition of other ones remaining unaffected. To achieve this, we propose a novel loss function, using which our network is capable of intentionally modifying CSI data extracted from received WiFi signal, constraining the new classification results to match the adversarial requirements. Experimental results demonstrate that, with the proposed adversarial scheme, the recognition rate of the human behaviors needed to be protected can be significantly decreased, while still maintaining the accuracy of other ones desired to be identified. Our source codes are available at https://github.com/siwangzhou/WiFi-ADG.

Sainan Sun,Bin Song,Xiaohui Cai,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1016/j.neucom.2022.05.065

IF: 6

2022-01-01

Neurocomputing

Abstract:The emergence of adversarial examples has aroused widespread attention to the safety of deep learning. Most recent research focuses on how to obtain adversarial examples which make networks’ predictions wrong, and rarely observe the changes in feature embedding space from the perspective of interpretability. In addition, researchers have proposed various attack algorithms for a single task, but there are few general methods that can perform multiple tasks at the same time, such as image classification, object detection, and face recognition. To resolve these issues, we propose a new attack algorithm CAMA for deep neural networks (DNNs). CAMA perturbs each feature extraction layer through adaptive feature measurement function, thereby disrupting the predicted class activation mapping of DNNs. Experiments show that CAMA is good at creating white-box adversarial examples on classification networks and has the highest attack success rate. To solve the problem of the disappearance of aggression caused by image transformation, we propose spread-spectrum compression CAMA, which achieve a better attack success rate under various defensive measures. In addition, we successfully attack face recognition networks and object detection networks using CAMA, and achieve excellent performance. It verifies that our algorithm is a general attack algorithm for attacking different tasks.

Ruiqi Li,Hongshu Liao,Jiancheng An,Chau Yuen,Lu Gan

DOI: https://doi.org/10.1109/LCOMM.2023.3261423

IF: 3.5529

2023-01-01

IEEE Communications Letters

Abstract:Most existing adversarial attack methods generally rely on ideal assumptions, which is unreasonable for practical applications. In this letter, a practical threat model which utilizes adversarial attacks for anti-eavesdropping is proposed and a physical intra-class universal adversarial perturbation (IC-UAP) crafting method against DL-based wireless signal classifiers is then presented. First, an IC-UAP algorithm is proposed based on the threat model to craft a stronger UAP attack against the samples in a given class from a batch of samples in the class. Then, we develop a physical attack algorithm based on the IC-UAP method, in which perturbations are optimized under random shifting to enhance the robustness of IC-UAPs against the unsynchronization between adversarial attacks and attacked signals. Finally, the numerical results corroborate the effectiveness of the proposed approach based on the benchmark dataset.

Jianwei Liu,Yinghui He,Chaowei Xiao,Jinsong Han,Le Cheng,Kui Ren

DOI: https://doi.org/10.1109/INFOCOM48880.2022.9796920

2022-01-01

Abstract:Behavior recognition plays an essential role in numerous behavior-driven applications (e.g., virtual reality and smart home) and even in the security-critical applications (e.g., security surveillance and elder healthcare). Recently, WiFi-based behavior recognition (WBR) technique stands out among many behavior recognition techniques due to its advantages of being non-intrusive, device-free, and ubiquitous. However, existing WBR research mainly focuses on improving the recognition precision, while neglecting the security aspects. In this paper, we reveal that WBR systems are vulnerable to manipulating physical signals. For instance, our observation shows that WiFi signals can be changed by jamming signals. By exploiting the vulnerability, we propose two approaches to generate physically online adversarial samples to perform untargeted attack and targeted attack, respectively. The effectiveness of these attacks are extensively evaluated over four real-world WBR systems. The experiment results show that our attack approaches can achieve 80% and 60% success rates for untargeted attack and targeted attack in physical world, respectively. We also propose three methods to mitigate the hazard of such attacks.

Li Lu,Meng Chen,Jiadi Yu,Zhongjie Ba,Feng Lin,Jinsong Han,Yanmin Zhu,Kui Ren

DOI: https://doi.org/10.1109/tnet.2024.3403839

2024-01-01

Abstract:Recent years have witnessed enormous research efforts on WiFi sensing to enable intelligent services of Internet of Things. However, due to the omni-directional broadcasting manner of WiFi signals, the activity semantic underlying the signals can be leaked to adversaries for surveillance, as demonstrated by our previous work. In this paper, we further extend the attack capability of ActListener to impersonation attack, which could eavesdrop on users’ behavioral uniqueness imperceptibly using a WiFi infrastructure in any location of user sensing area. In particular, ActListener detects each human activity and converts the eavesdropped signals to that by legitimate devices based on our proposed signal propagation models. To extract noise-resilient individual behavioral uniqueness from converted CSI of WiFi signals, we further add user identification models into the substitute model set for training the signal pattern calibration generative model. Experimental results demonstrate that ActListener could achieve over 80% accuracy in activity semantics retrieval and impersonation by using the converted signals.

Yanzi Zhu,Zhujun Xiao,Yuxin Chen,Zhijing Li,Max Liu,Ben Y. Zhao,Haitao Zheng

2018-01-01

Abstract:Our work demonstrates a new set of silent reconnaissance attacks, which leverages the presence of commodity WiFi devices to track users inside private homes and offices, without compromising any WiFi network, data packets, or devices. We show that just by sniffing existing WiFi signals, an adversary can accurately detect and track movements of users inside a building. This is made possible by our new signal model that links together human motion near WiFi transmitters and variance of multipath signal propagation seen by the attacker sniffer outside of the property. The resulting attacks are cheap, highly effective, and yet difficult to detect. We implement the attack using a single commodity smartphone, deploy it in 11 real-world offices and residential apartments, and show it is highly effective. Finally, we evaluate potential defenses, and propose a practical and effective defense based on AP signal obfuscation.

Jianwei Liu,Yinghui He,Chaowei Xiao,Jinsong Han,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2023.3261328

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Behavior recognition plays an essential role in numerous behavior-driven applications (e.g., virtual reality and smart home) and even in the security-critical applications (e.g., security surveillance and elder healthcare). Recently, WiFi-based behavior recognition (WBR) technique stands out among many behavior recognition techniques due to its advantages of being non-intrusive, device-free, and ubiquitous. However, existing WBR research mainly focuses on improving the recognition precision, while rarely studying the security aspects. In this article, we reveal that WBR systems are vulnerable to manipulating physical signals. For instance, our observation shows that WiFi signals can be changed by jamming signals. By exploiting the vulnerability, we propose two approaches to generate physically online adversarial samples to perform untargeted attack and targeted attack, respectively. The effectiveness of these attacks are extensively evaluated over four real-world WBR systems. The experiment results show that our attack approaches can achieve 80% and 60% success rates for untargeted attack and targeted attack in physical world, respectively. We also show that our attack approaches can be generalized to other WiFi-based sensing applications, such as user authentication.

Zenghui Jiang,Weijun Zeng,Xingyu Zhou,Peilun Feng,Pu Chen,Shenqian Yin,Changzhi Han,Lin Li

DOI: https://doi.org/10.3390/electronics12183752

IF: 2.9

2023-09-06

Electronics

Abstract:Automatic modulation recognition (AMR) serves as a crucial component in domains such as cognitive radio and electromagnetic countermeasures, acting as a significant prerequisite for the efficient signal processing of receivers. Deep neural networks (DNNs), despite their effectiveness, are known to be vulnerable to adversarial attacks. This vulnerability has inspired the introduction of subtle interference to wireless communication signals—interference so minuscule that it is difficult for the human eye to discern. Such interference can mislead eavesdroppers into erroneous modulation pattern recognition when using DNNs, thereby camouflaging communication signal modulation patterns. Nonetheless, the majority of current camouflage methods used for electromagnetic signal modulation recognition rely on a global perturbation of the signal. They fail to consider the local agility of signal disturbance and the concealment requirements for bait signals that are intercepted by the interceptor. This paper presents a generator framework designed to produce perturbations with sparse properties. Furthermore, we introduce a method to reduce spectral loss, which minimizes the spectral difference between adversarial perturbation and the original signal. This method makes perturbation more challenging to monitor, thereby deceiving enemy electromagnetic signal modulation recognition systems. The experimental results validated that the proposed method significantly outperformed existing methods in terms of generation time. Moreover, it can generate adversarial signals characterized by high deceivability and transferability even under extremely sparse conditions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Dongwei Xu,Jiangpeng Li,Zhuangzhi Chen,Qi Xuan,Weiguo Shen,Xiaoniu Yang

DOI: https://doi.org/10.1109/tcsii.2023.3312532

2024-01-01

Abstract:Automatic Modulation Classification (AMC), which based on deep learning has been extensively researched and implemented in wireless communication systems. Universal adversarial perturbation refers to a single perturbation that can cause most samples to be misclassified by deep learning models. In this paper, we aim to achieve imperceptible universal adversarial attacks on AMC models, and thus an imperceptible universal adversarial perturbations (imperceptible UAPs) framework was proposed. Specifically, loss functions were separately designed for target signals and non-target signals, and then a total loss was calculated. This total loss function can be modified by hyperparameters to achieve class-specific universal adversarial attacks (CUAAs), class-discriminative universal adversarial attacks (CD-UAAs), and class-discriminative target universal adversarial attacks (CD-TUAAs). Meanwhile, wavelet reconstruction was applied to the training data, thus further improving the discriminability of the generated UAPs. After CUAAs were implemented, the class dominant in radio signals was visualized and analyzed by confusion matrices. Furthermore, with the confusion matrices of CUAAs, CD-TUAAs were efficiently implemented. The experiments were conducted on two radio signal datasets and models. In most scenarios, CD-UAAs achieved excellent performance with an average ΔAcc of 58. 20% and CD-TUAAs achieved an average ΔK of 73.78%.

Haojun Zhao,Yun Lin,Song Gao,Shui Yu

DOI: https://doi.org/10.1109/globecom42002.2020.9322088

2020-01-01

Abstract:The discovery of adversarial examples poses a serious risk to the deep neural networks (DNN). By adding a subtle perturbation that is imperceptible to the human eye, a well-behaved DNN model can be easily fooled and completely change the prediction categories of the input samples. However, research on adversarial attacks in the field of modulation recognition mainly focuses on increasing the prediction error of the classifier, while ignores the importance of decreasing the perceptual invisibility of attack. Aiming at the task of DNNbased modulation recognition, this study designs the Fitting Difference as a metric to measure the perturbed waveforms and proposes a new method: the Nesterov Adam Iterative Method to generate adversarial examples. We show that the proposed algorithm not only exerts excellent white-box attacks but also can initiate attacks on a black-box model. Moreover, our method decreases the waveform perceptual invisibility of attacks to a certain degree, thereby reducing the risk of an attack being detected.

Alireza Bahramali,Milad Nasr,Amir Houmansadr,Dennis Goeckel,Don Towsley

DOI: https://doi.org/10.1145/3460120.3484777

2021-11-12

Abstract:There is significant enthusiasm for the employment of Deep Neural Networks (DNNs) for important tasks in major wireless communication systems: channel estimation and decoding in orthogonal frequency division multiplexing (OFDM) systems, end-to-end autoencoder system design, radio signal classification, and signal authentication. Unfortunately, DNNs can be susceptible to adversarial examples, potentially making such wireless systems fragile and vulnerable to attack. In this work, by designing robust adversarial examples that meet key criteria, we perform a comprehensive study of the threats facing DNN-based wireless systems. We model the problem of adversarial wireless perturbations as an optimization problem that incorporates domain constraints specific to different wireless systems. This allows us to generate wireless adversarial perturbations that can be applied to wireless signals on-the-fly (i.e., with no need to know the target signals a priori), are undetectable from natural wireless noise, and are robust against removal. We show that even in the presence of significant defense mechanisms deployed by the communicating parties, our attack performs significantly better compared to existing attacks against DNN-based wireless systems. In particular, the results demonstrate that even when employing well-considered defenses, DNN-based wireless communication systems are vulnerable to adversarial attacks and call into question the employment of DNNs for a number of tasks in robust wireless communication.

Zhaowei Wang,Weicheng Liu,Hui-Ming Wang

DOI: https://doi.org/10.1109/lcomm.2024.3355156

IF: 3.5529

2024-03-13

IEEE Communications Letters

Abstract:Adversarial attacks on deep learning based modulation classification have received considerable attention recently. However, existing works mainly focus on the idealized white-box adversarial attacks and ignore the impact of the wireless channel. In this letter, we present a black-box Universal Adversarial Perturbation (UAP) attack scheme considering the wireless channel and propose the corresponding defense method. We first propose a conditional generative adversarial Nets (cGAN) approach to enlarge the training set of the channel state information (CSI) of wireless channel. Then, we introduce a cGAN aided black-box UAP attack scheme to disable the modulation classification capability of the deep neural network over the air. At last, we present a defense method that utilizes UAPs for adversarial training (AT). Simulation results show that the cGAN aided black-box UAP attack can decrease the accuracy of the modulation classifier by 19.3% when the perturbation power reaches the same level as the noise power, while the proposed defense method can improve it by 11.2%.

telecommunications