Junyi Zhang,Chun Li,Jiayong Zhao,Wei Tang,Shichao Guan

DOI: https://doi.org/10.1109/smartiot58732.2023.00056

2023-01-01

Abstract:In recent years, Deep Neural Networks have faced the challenge of resisting example attacks, which seriously affects the security of modulation recognition models based on Deep Neural Networks. Aiming at the adversarial attack problem in signal modulation recognition, this paper uses five classic adversarial attack methods to attack three modulation recognition models based on Deep Neural Networks with different architectures. Then, the attack effectiveness of different methods is evaluated in terms of attack success rate, imperceptibility. The experimental results show that the neural network model is extremely vulnerable to adversarial attacks. The evaluation index proposed in this paper can comprehensively and accurately evaluate the signal adversarial examples, which is of great value for the research on the security and reliability of the intelligent modulation recognition model.

Yun Lin,Haojun Zhao,Ya Tu,Shiwen Mao,Zheng Dou

DOI: https://doi.org/10.1109/infocom41043.2020.9155389

2020-07-01

Abstract:With the emergence of the information age, mobile data has become more random, heterogeneous and massive. Thanks to its many advantages, deep learning is increasingly applied in communication fields such as modulation recognition. However, recent studies show that the deep neural networks (DNN) is vulnerable to adversarial examples, where subtle perturbations deliberately designed by an attacker can fool a classifier model into making mistakes. From the perspective of an attacker, this study adds elaborate adversarial examples to the modulation signal, and explores the threats and impacts of adversarial attacks on the DNN-based modulation recognition in different environments. The results show that, regardless of a white-box or a black-box model, the adversarial attack can reduce the accuracy of the target model. Among them, the performance of the iterative attack is superior to the one-step attack in most scenarios. In order to ensure the invisibility of the attack (the waveform being consistent before and after the perturbations), an appropriate perturbation level is found without losing the attack effect. Finally, it is attested that the signal confidence level is inversely proportional to the attack success rate, and several groups of signals with high robustness are obtained.

Yi Zhao,Wenjing Yuan,Yinghua Huang,Zhenyu Chen

DOI: https://doi.org/10.1109/dsa56465.2022.00163

2022-01-01

Abstract:With the development of information technology and 5G communication, the number of wireless devices has increased significantly, and the complexity of the communication system has also been rapidly upgraded. Due to the complexity and the high dimensionality of signals, many researchers have applied deep learning to modulation recognition tasks. However, although deep learning exhibits strong capabilities for modulation recognition, its vulnerability to adversarial examples should also be addressed. In this paper, we conduct a preliminary study on the security of DNN-based modulation recognition models. We build multiple high-accuracy DNN-based models on existing research and test their robustness by implementing multiple adversarial attacks on the well-trained models. The results show that adversarial examples pose a very serious threat to DNN-based modulation recognition models.

Mingqian Liu,Zhenju Zhang,Nan Zhao,Yunfei Chen

DOI: https://doi.org/10.1109/infocomwkshps54753.2022.9798389

2022-01-01

Abstract:Modulation recognition models based on deep neural network (DNN) have the advantages of automatic feature extraction, fast recognition and high accuracy. However, due to the interpretability defects, DNN models are vulnerable to adversarial examples designed by attackers. Most existing researches focus on the accuracy of modulation recognition models, while ignoring the huge threat of adversarial examples to the safety and reliability of the models. In the field of modulation recognition, many existing attack methods have good attack performance for simple neural networks, but poor performance for more complicated DNNs. Therefore, this paper proposes an adversarial attack method based on dynamic iterative. The proposed method uses a dynamic iterative step that changes with iteration instead of being fixed. Simulation results show that the proposed attack method has better attack performance when the disturbance is specified than the traditional attack methods.

Zhenju Zhang,Mingqian Liu,Yunfei Chen,Nan Zhao

DOI: https://doi.org/10.1109/globecom54140.2023.10437844

2023-01-01

Abstract:Applying deep learning (DL) to modulation recognition can significantly improve the efficiency of communication in cognitive radio (CR) systems, but it may be attacked by adversarial examples. The black-box attack has vital practical significance because it does not need to master the parameters and architecture of the target model. The ensemble attack is an essential black-box attack method, which attacks the model by improving the transferability of adversarial examples. However, the existing ensemble attacks only simply adopt the average method when fusing the outputs of different networks, without fully considering the characteristics of the ensemble model, resulting in poor transferability. This paper proposes an attention-based ensemble attack method, which uses the prediction performance of different networks to assign attention factors to express the influence of these networks, so that the example can pass through the decision boundaries of all networks within a limited number of iterations. Simulation results show that the proposed method can improve the transferability of adversarial examples and effectively attack the black-box modulation recognition model.

Yuhang Zhao,Yajie Wang,Chuan Zhang,Chunhai Li,Zehui Xiong,Liehuang Zhu,Dusit Niyato

DOI: https://doi.org/10.1109/tccn.2024.3499362

IF: 6.359

2024-01-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:In the radio frequency field, deep neural networks have been widely used for automatic modulation recognition tasks due to their superior accuracy. However, it has been shown that these models are susceptible to adversarial examples, which are the kinds of carefully crafted perturbations that can lead to model misclassification and raise security issues in applications. To solve this problem, we propose an Ultra-Fusion Adversarial Training method, which combines adversarial training and ensemble learning to enable the model robustness to withstand different attack strengths. We explore the number and distribution of ensembled attacks and introduce a Fermi-function-like distribution to optimally balance the performance of different attack strengths. Additionally, we investigate the effect of the signal-to-noise ratio (SNR) interval on the model accuracy and robustness, suggesting the effective SNR interval for training. Considering the demand for practical application scenarios of modulation recognition, we propose a comprehensive robustness metric based on weighted integral to evaluate the robustness of the trained models. Numerical experiments demonstrate that our method improves the model’s robustness by 31.89% against white-box attacks, and achieves up to an 80.54% improvement in black-box scenarios. These results show that our method has the ability to resiliently resist potential attacks of various strengths and can be applied to spectrum application scenarios with high-security requirements.

Zenghui Jiang,Weijun Zeng,Xingyu Zhou,Peilun Feng,Pu Chen,Shenqian Yin,Changzhi Han,Lin Li

DOI: https://doi.org/10.3390/electronics12183752

IF: 2.9

2023-09-06

Electronics

Abstract:Automatic modulation recognition (AMR) serves as a crucial component in domains such as cognitive radio and electromagnetic countermeasures, acting as a significant prerequisite for the efficient signal processing of receivers. Deep neural networks (DNNs), despite their effectiveness, are known to be vulnerable to adversarial attacks. This vulnerability has inspired the introduction of subtle interference to wireless communication signals—interference so minuscule that it is difficult for the human eye to discern. Such interference can mislead eavesdroppers into erroneous modulation pattern recognition when using DNNs, thereby camouflaging communication signal modulation patterns. Nonetheless, the majority of current camouflage methods used for electromagnetic signal modulation recognition rely on a global perturbation of the signal. They fail to consider the local agility of signal disturbance and the concealment requirements for bait signals that are intercepted by the interceptor. This paper presents a generator framework designed to produce perturbations with sparse properties. Furthermore, we introduce a method to reduce spectral loss, which minimizes the spectral difference between adversarial perturbation and the original signal. This method makes perturbation more challenging to monitor, thereby deceiving enemy electromagnetic signal modulation recognition systems. The experimental results validated that the proposed method significantly outperformed existing methods in terms of generation time. Moreover, it can generate adversarial signals characterized by high deceivability and transferability even under extremely sparse conditions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Lu Zhang,Sangarapillai Lambotharan,Gan Zheng,Guisheng Liao,Ambra Demontis,Fabio Roli

2024-07-09

Abstract:Motivated by the superior performance of deep learning in many applications including computer vision and natural language processing, several recent studies have focused on applying deep neural network for devising future generations of wireless networks. However, several recent works have pointed out that imperceptible and carefully designed adversarial examples (attacks) can significantly deteriorate the classification accuracy. In this paper, we investigate a defense mechanism based on both training-time and run-time defense techniques for protecting machine learning-based radio signal (modulation) classification against adversarial attacks. The training-time defense consists of adversarial training and label smoothing, while the run-time defense employs a support vector machine-based neural rejection (NR). Considering a white-box scenario and real datasets, we demonstrate that our proposed techniques outperform existing state-of-the-art technologies.

Artificial Intelligence

Zhuangzhi Chen,Zhangwei Wang,Dongwei Xu,Jiawei Zhu,Weiguo Shen,Shilian Zheng,Qi Xuan,Xiaoniu Yang

DOI: https://doi.org/10.1109/tifs.2024.3361172

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Automatic modulation recognition (AMR) of radio signal is an important research topic in the area of non-cooperative communication and cognitive radio. Recently deep learning (DL) techniques enable significant progress in AMR. However, the techniques of adversarial machine learning cause the threats of adversarial attacks in DL-based AMR. In this paper, we aim to make AMR model robust, accurate and lightweight, thus propose a multi-distillation mechanism for robust training of DL-based AMR models, namely Adversarial Multi-Distillation (AMD). In the framework of AMD, by knowledge distillation, two powerful teacher models transfer the learned classification knowledge and defense knowledge, respectively, to the student model to form robust training. Our experiments with public dataset RML2016.10a show that the proposed method can significantly improve the defense of AMR models to against adversarial perturbations and keep relatively high classification accuracy, which enables robust decision making with lightweight models under adversarial attacks.

Yun Lin,Haojun Zhao,Xuefei Ma,Ya Tu,Meiyu Wang

DOI: https://doi.org/10.1109/tr.2020.3032744

IF: 5.883

2021-01-01

IEEE Transactions on Reliability

Abstract:Deep learning (DL) models are vulnerable to adversarial attacks, by adding a subtle perturbation which is imperceptible to the human eye, a convolutional neural network (CNN) can lead to erroneous results, which greatly reduces the reliability and security of the DL tasks. Considering the wide application of modulation recognition in the communication field and the rapid development of DL, by adding a well-designed adversarial perturbation to the input signal, this article explores the performance of attack methods on modulation recognition, measures the effectiveness of adversarial attacks on signals, and provides the empirical evaluation of the reliabilities of CNNs. The results indicate that the accuracy of the target model reduce significantly by adversarial attacks, when the perturbation factor is 0.001, the accuracy of the model could drop by about 50% on average. Among them, iterative methods show greater attack performances than that of one-step method. In addition, the consistency of the waveform before and after the perturbation is examined, to consider whether the added adversarial examples are small enough (i.e., hard to distinguish by human eyes). This article also aims at inspiring researchers to further promote the CNNs reliabilities against adversarial attacks.

Haolin Tang,Ferhat Ozgur Catak,Murat Kuzlu,Evren Catak,Yanxiao Zhao

DOI: https://doi.org/10.1109/access.2023.3296805

IF: 3.9

2023-01-01

IEEE Access

Abstract:Automatic Modulation Recognition (AMR) is one of the critical steps in the signal processing chain of wireless networks, which can significantly improve communication performance. AMR detects the modulation scheme of the received signal without any prior information. Recently, many Artificial Intelligence (AI) based AMR methods have been proposed, inspired by the considerable progress of AI methods in various fields. On the one hand, AI-based AMR methods can outperform traditional methods in terms of accuracy and efficiency. On the other hand, they are susceptible to new types of cyberattacks, such as model poisoning or adversarial attacks. This paper explores the vulnerabilities of an AI-based AMR model to adversarial attacks in both single-input-single-output and multiple-input-multiple-output scenarios. We show that these attacks can significantly reduce the classification performance of the AI-based AMR model, which highlights the security and robustness concerns. Therefore, we propose a widely used mitigation method (i.e., defensive distillation) to reduce the vulnerabilities of the model against adversarial attacks. The simulation results indicate that the AI-based AMR model can be highly vulnerable to adversarial attacks, but their vulnerabilities can be significantly reduced by using mitigation methods.

Shuting Tang,Mingliang Tao,Xiang Zhang,Yifei Fan,Jia Su,Ling Wang

DOI: https://doi.org/10.23919/URSIGASS51995.2021.9560288

2021-01-01

Abstract:Deep learning has achieved superior performance on radio signal modulation classification. However, its security and reliability are vulnerable due to its data-oriented learning strategy. In this paper, the vulnerability of deep neural network for radio classification is investigated. Based on the radar and communication waveforms, slight optimal perturbations are generated and added onto the orig...

Mingqian Liu,Zhenju Zhang,Yunfei Chen,Jianhua Ge,Nan Zhao

DOI: https://doi.org/10.1109/tits.2023.3262347

IF: 8.5

2024-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:Air transportation communication jamming recognition model based on deep learning (DL) can quickly and accurately identify and classify communication jamming, to improve the safety and reliability of air traffic.However, due to the vulnerability of deep learning, the jamming recognition model can be easily attacked by the attacker's carefully designed adversarial examples.Although some defense methods have been proposed, they have strong pertinence to attacks.Thus, new attack methods are needed to improve the defense performance of the model.In this work, we improve the existing attack methods and propose a double level attack method.By constructing the dynamic iterative step size and analyzing the class characteristics of the signals, this method can use the adversarial losses of feature layer and decision layer to generate adversarial examples with stronger attack performance.In order to improve the robustness of the recognition model, we use adversarial examples to train the model, and transfer the knowledge learned from the model to the jamming recognition models in other wireless communication environments by transfer learning.Simulation results show that the proposed attack and defense methods have good performance.

Tailai Wen,Da Ke,Xiang Wang,Zhitao Huang

2024-02-27

Abstract:Deep learning algorithms have become an essential component in the field of cognitive radio, especially playing a pivotal role in automatic modulation classification. However, Deep learning also present risks and vulnerabilities. Despite their outstanding classification performance, they exhibit fragility when confronted with meticulously crafted adversarial examples, posing potential risks to the reliability of modulation recognition results. Addressing this issue, this letter pioneers the development of an intelligent modulation classification framework based on conformal theory, named the Conformal Shield, aimed at detecting the presence of adversarial examples in unknown signals and assessing the reliability of recognition results. Utilizing conformal mapping from statistical learning theory, introduces a custom-designed Inconsistency Soft-solution Set, enabling multiple validity assessments of the recognition outcomes. Experimental results demonstrate that the Conformal Shield maintains robust detection performance against a variety of typical adversarial sample attacks in the received signals under different perturbation-to-signal power ratio conditions.

Signal Processing

Rajeev Sahay,Christopher G. Brinton,David J. Love

DOI: https://doi.org/10.1109/tccn.2021.3114154

IF: 6.359

2022-03-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:Deep learning-based automatic modulation classification (AMC) models are susceptible to adversarial attacks. Such attacks inject specifically crafted wireless interference into transmitted signals to induce erroneous classification predictions. Furthermore, adversarial interference is transferable in black box environments, allowing an adversary to attack multiple deep learning models with a single perturbation crafted for a particular classification model. In this work, we propose a novel wireless receiver architecture to mitigate the effects of adversarial interference in various black box attack environments. We begin by evaluating the architecture uncertainty environment, where we show that adversarial attacks crafted to fool specific AMC DL architectures are not directly transferable to different DL architectures. Next, we consider the domain uncertainty environment, where we show that adversarial attacks crafted on time domain and frequency domain features to not directly transfer to the altering domain. Using these insights, we develop our Assorted Deep Ensemble (ADE) defense, which is an ensemble of deep learning architectures trained on time and frequency domain representations of received signals. Through evaluation on two wireless signal datasets under different sources of uncertainty, we demonstrate that our ADE obtains substantial improvements in AMC classification performance compared with baseline defenses across different adversarial attacks and potencies.

telecommunications

Haojun Zhao,Yun Lin,Song Gao,Shui Yu

DOI: https://doi.org/10.1109/globecom42002.2020.9322088

2020-01-01

Abstract:The discovery of adversarial examples poses a serious risk to the deep neural networks (DNN). By adding a subtle perturbation that is imperceptible to the human eye, a well-behaved DNN model can be easily fooled and completely change the prediction categories of the input samples. However, research on adversarial attacks in the field of modulation recognition mainly focuses on increasing the prediction error of the classifier, while ignores the importance of decreasing the perceptual invisibility of attack. Aiming at the task of DNNbased modulation recognition, this study designs the Fitting Difference as a metric to measure the perturbed waveforms and proposes a new method: the Nesterov Adam Iterative Method to generate adversarial examples. We show that the proposed algorithm not only exerts excellent white-box attacks but also can initiate attacks on a black-box model. Moreover, our method decreases the waveform perceptual invisibility of attacks to a certain degree, thereby reducing the risk of an attack being detected.

Zhenju Zhang,Linru Ma,Mingqian Liu,Yunfei Chen,Nan Zhao

DOI: https://doi.org/10.1109/jiot.2023.3327953

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Modulation recognition using deep learning (DL) can efficiently recognize modulated signals in cognitive radio-enabled Internet of Things (IoT). However, it is vulnerable to the attack of adversarial examples designed by attackers, leading to a decrease in its accuracy. Different adversarial techniques can be used for attacks, but these attacks have limited efficiency. This article proposes a double loop iterative method. Different from the traditional attack methods, the new method designs an additional external loop iteration for high efficiency. When generating adversarial examples, the initial conditions of each iteration can be updated as the number of iterations changes, so that the adversarial examples can cross the decision boundary of the model as much as possible. In addition, this article uses knowledge distillation to improve the traditional adversarial training defense, which improves the robustness of the model. Simulation results show that the proposed attack and defense methods have better performance than traditional methods.

Wei Dong,Zan Zhou,Xiping Li,Shujie Yang,Zhenhui Yuan,Changqiao Xu

DOI: https://doi.org/10.1109/icc51166.2024.10622631

2024-01-01

Abstract:Automatic modulation classification (AMC) plays an indispensable role in wireless communication systems. Deep learning-based AMC has become the mainstream solution due to its high accuracy and no need for manual feature engineering. However, every coin has two sides. DL-based AMC is susceptible to adversarial perturbations, which are carefully crafted to be superimposed on the transmitted signals in an iteratively try-and-error manner, resulting in incorrect classification. In this paper, we propose a model diversity-based moving target defense mechanism (MD-MTD), which employs multiple classifiers and switches periodically, preventing intelligent attackers from deducing universal adversarial perturbations (UAP). Besides, to jointly optimize the robustness and accuracy of different AMC models to be trained, we design a novel multi-agent reinforcement learning (MARL) module. It is worth mentioning that the proposed algorithm significantly mitigates the curse of dimensionality during the large-scale training process via integrating value-decomposition networks and illegal action masking, improving the feasibility of our solution in real-world wireless communication systems. Experimental results on the GNU radio dataset also exhibit the remarkable advantages of our method in terms of convergence and defense performance.

Lu Zhang,Sangarapillai Lambotharan,Gan Zheng,Basil AsSadhan,Fabio Roli

2024-07-09

Abstract:Deep learning algorithms have been shown to be powerful in many communication network design problems, including that in automatic modulation classification. However, they are vulnerable to carefully crafted attacks called adversarial examples. Hence, the reliance of wireless networks on deep learning algorithms poses a serious threat to the security and operation of wireless networks. In this letter, we propose for the first time a countermeasure against adversarial examples in modulation classification. Our countermeasure is based on a neural rejection technique, augmented by label smoothing and Gaussian noise injection, that allows to detect and reject adversarial examples with high accuracy. Our results demonstrate that the proposed countermeasure can protect deep-learning based modulation classification systems against adversarial examples.

Artificial Intelligence

Da Ke,Xiang Wang,Kaizhu Huang,Haoyuan Wang,Zhitao Huang

DOI: https://doi.org/10.1007/s12559-022-10062-y

IF: 4.89

2022-10-20

Cognitive Computation

Abstract:Integrating cognitive radio (CR) technique with wireless networks is an effective way to solve the increasingly crowded spectrum. Automatic modulation classification (AMC) plays an important role in CR. AMC significantly improves the intelligence of CR system by classifying the modulation type and signal parameters of received communication signals. AMC can provide more information for decision making of the CR system. In addition, AMC can help the CR system dynamically adjust the modulation type and coding rate of the communication signal to adapt to different channel qualities, and the AMC technique help eliminate the cost of broadcast modulation type and coding rate. Deep learning (DL) has recently emerged as one most popular method in AMC of communication signals. Despite their success, DL models have recently been shown vulnerable to adversarial attacks in pattern recognition and computer vision. Namely, they can be easily deceived if a small and carefully designed perturbation called an adversarial attack is imposed on the input, typically an image in pattern recognition. Owing to the very different nature of communication signals, it is interesting yet crucially important to study if adversarial perturbation could also fool AMC. In this paper, we make a first attempt to investigate how we can design a special adversarial attack on AMC. we start from the assumption of a linear binary classifier which is further extended to multi-way classifier. We consider the minimum power consumption that is different from existing adversarial perturbation but more reasonable in the context of AMC. We then develop a novel adversarial perturbation generation method that leads to high attack success to communication signals. Experimental results on real data show that the method is able to successfully spoof the 11-class modulation classification at a model with a minimum cost of about − 21 dB in automatic modulation classification task. The visualization results demonstrate that the adversarial perturbation manifests in the time domain as imperceptible undulations of the signal, and in the frequency domain as small noise outside the signal band.

computer science, artificial intelligence,neurosciences