Dongwei Xu,Jiangpeng Li,Zhuangzhi Chen,Qi Xuan,Weiguo Shen,Xiaoniu Yang

DOI: https://doi.org/10.1109/tcsii.2023.3312532

2024-01-01

Abstract:Automatic Modulation Classification (AMC), which based on deep learning has been extensively researched and implemented in wireless communication systems. Universal adversarial perturbation refers to a single perturbation that can cause most samples to be misclassified by deep learning models. In this paper, we aim to achieve imperceptible universal adversarial attacks on AMC models, and thus an imperceptible universal adversarial perturbations (imperceptible UAPs) framework was proposed. Specifically, loss functions were separately designed for target signals and non-target signals, and then a total loss was calculated. This total loss function can be modified by hyperparameters to achieve class-specific universal adversarial attacks (CUAAs), class-discriminative universal adversarial attacks (CD-UAAs), and class-discriminative target universal adversarial attacks (CD-TUAAs). Meanwhile, wavelet reconstruction was applied to the training data, thus further improving the discriminability of the generated UAPs. After CUAAs were implemented, the class dominant in radio signals was visualized and analyzed by confusion matrices. Furthermore, with the confusion matrices of CUAAs, CD-TUAAs were efficiently implemented. The experiments were conducted on two radio signal datasets and models. In most scenarios, CD-UAAs achieved excellent performance with an average ΔAcc of 58. 20% and CD-TUAAs achieved an average ΔK of 73.78%.

Chao Wang,Xianglin Wei,Jianhua Fan,Yongyang Hu,Long Yu

DOI: https://doi.org/10.1109/jiot.2023.3254648

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:In spite of unique advantages like higher recognition accuracy and better generalization capability, Automatic Modulation Classification (AMC) oriented Deep Neural Networks (ADNNs) are still vulnerable to adversarial examples (AEs). Recent results revealed that an attacker can easily fool ADNNs through adding a small and imperceptible perturbation to the original signal. Among different AE generation methods, Universal Adversarial Perturbation (UAP) has unique characteristics including input-agnostic and shift-invariance. However, applying UAP directly to RF signals faces three main challenges, i.e., perturbation neutralization, high perceptibility, and dependency of original signals. In this backdrop, a novel Universal Adversarial Perturbation under Frequency and Data constraints (UAP-FD) attack is put forward for solving these problems in this paper. First, an individual perturbation is filtered based on the representation visualization algorithm to counter the neutralization problem in perturbation integration. Second, the high-frequency components in the integrated UAP is eliminated through signal decomposition and reconstruction for promoting the imperceptibility. Third, a proxy signal generation method is proposed to help UAP-FD adapt to data-free black-box settings. A series of experiments is conducted to evaluate the aggressiveness and imperceptibility of UAP-FD attack in different settings on a public dataset. Results show that, compared with existing proposal, UAP-FD has a 40% higher fooling rate, and it can reduce the accuracy of the ADNN model from 83% to 9%, while maintaining a good imperceptibility and shift-invariance property. In addition, UAP-FD is applied to real world captured signals over the transmission channel; and it can reduce the model accuracy from 98.3% to 12.5%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhaowei Wang,Weicheng Liu,Hui-Ming Wang

DOI: https://doi.org/10.1109/lcomm.2024.3355156

IF: 3.5529

2024-03-13

IEEE Communications Letters

Abstract:Adversarial attacks on deep learning based modulation classification have received considerable attention recently. However, existing works mainly focus on the idealized white-box adversarial attacks and ignore the impact of the wireless channel. In this letter, we present a black-box Universal Adversarial Perturbation (UAP) attack scheme considering the wireless channel and propose the corresponding defense method. We first propose a conditional generative adversarial Nets (cGAN) approach to enlarge the training set of the channel state information (CSI) of wireless channel. Then, we introduce a cGAN aided black-box UAP attack scheme to disable the modulation classification capability of the deep neural network over the air. At last, we present a defense method that utilizes UAPs for adversarial training (AT). Simulation results show that the cGAN aided black-box UAP attack can decrease the accuracy of the modulation classifier by 19.3% when the perturbation power reaches the same level as the noise power, while the proposed defense method can improve it by 11.2%.

telecommunications

Da Ke,Xiang Wang,Kaizhu Huang,Haoyuan Wang,Zhitao Huang

DOI: https://doi.org/10.1007/s12559-022-10062-y

IF: 4.89

2022-10-20

Cognitive Computation

Abstract:Integrating cognitive radio (CR) technique with wireless networks is an effective way to solve the increasingly crowded spectrum. Automatic modulation classification (AMC) plays an important role in CR. AMC significantly improves the intelligence of CR system by classifying the modulation type and signal parameters of received communication signals. AMC can provide more information for decision making of the CR system. In addition, AMC can help the CR system dynamically adjust the modulation type and coding rate of the communication signal to adapt to different channel qualities, and the AMC technique help eliminate the cost of broadcast modulation type and coding rate. Deep learning (DL) has recently emerged as one most popular method in AMC of communication signals. Despite their success, DL models have recently been shown vulnerable to adversarial attacks in pattern recognition and computer vision. Namely, they can be easily deceived if a small and carefully designed perturbation called an adversarial attack is imposed on the input, typically an image in pattern recognition. Owing to the very different nature of communication signals, it is interesting yet crucially important to study if adversarial perturbation could also fool AMC. In this paper, we make a first attempt to investigate how we can design a special adversarial attack on AMC. we start from the assumption of a linear binary classifier which is further extended to multi-way classifier. We consider the minimum power consumption that is different from existing adversarial perturbation but more reasonable in the context of AMC. We then develop a novel adversarial perturbation generation method that leads to high attack success to communication signals. Experimental results on real data show that the method is able to successfully spoof the 11-class modulation classification at a model with a minimum cost of about − 21 dB in automatic modulation classification task. The visualization results demonstrate that the adversarial perturbation manifests in the time domain as imperceptible undulations of the signal, and in the frequency domain as small noise outside the signal band.

computer science, artificial intelligence,neurosciences

Peihan Qi,Tao Jiang,Lizhan Wang,Xu Yuan,Zan Li

DOI: https://doi.org/10.1109/tr.2022.3161138

IF: 5.883

2022-01-01

IEEE Transactions on Reliability

Abstract:Advances in adversarial attack and defense technologies will enhance the reliability of deep learning (DL) systems spirally. Most existing adversarial attack methods make overly ideal assumptions, which creates the illusion that the DL system can be attacked simply and has restricted the further improvement on DL systems. To perform practical adversarial attacks, a detection tolerant black-box adversarial-attack (DTBA) method against DL-based automatic modulation classification (AMC) is presented in this article. In the DTBA method, the local DL model as a substitution of the remote target DL model is trained first. The training dataset is generated by an attacker, labeled by the target model, and augmented by Jacobian transformation. Then, the conventional gradient attack method is utilized to generate adversarial attack examples toward the local DL model. Moreover, before launching attack to the target model, the local model estimates the misclassification probability of the perturbed examples in advance and deletes those invalid adversarial examples. Compared with related attack methods of different criteria on public datasets, the DTBA method can reduce the attack cost while increasing the rate of successful attack. Adversarial attack transferability of the proposed method on the target model has increased by more than 20%. The DTBA method will be suitable for launching flexible and effective black-box adversarial attacks against DL-based AMC systems.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Lu Zhang,Sangarapillai Lambotharan,Gan Zheng,Basil AsSadhan,Fabio Roli

2024-07-09

Abstract:Deep learning algorithms have been shown to be powerful in many communication network design problems, including that in automatic modulation classification. However, they are vulnerable to carefully crafted attacks called adversarial examples. Hence, the reliance of wireless networks on deep learning algorithms poses a serious threat to the security and operation of wireless networks. In this letter, we propose for the first time a countermeasure against adversarial examples in modulation classification. Our countermeasure is based on a neural rejection technique, augmented by label smoothing and Gaussian noise injection, that allows to detect and reject adversarial examples with high accuracy. Our results demonstrate that the proposed countermeasure can protect deep-learning based modulation classification systems against adversarial examples.

Artificial Intelligence

Yang Peng,Lantu Guo,Jun Yan,Mengyuan Tao,Xue Fu,Yun Lin,Guan Gui

DOI: https://doi.org/10.3390/drones7060390

IF: 5.532

2023-06-12

Drones

Abstract:Automatic modulation classification (AMC) is a signal processing technology used to identify the modulation type of unknown signals without prior information such as modulation parameters for drone communications. In recent years, deep learning (DL) has been widely used in AMC methods due to its powerful feature extraction ability. The significant performance of DL-based AMC methods is highly dependent on large amount of data. However, with the increasingly complex signal environment and the emergence of new signals, several recognition tasks have difficulty obtaining sufficient high-quality signals. To address this problem, we propose an AMC method based on a deep residual neural network with masked modeling (DRMM). Specifically, masked modeling is adopted to improve the performance of a deep neural network with limited signal samples. Both complex-valued and real-valued residual neural networks (ResNet) play an important role in extracting signal features for identification. Several typical experiments are conducted to evaluate our proposed DRMM-based AMC method on the RadioML 2016.10A dataset and a simulated dataset, and comparison experiments with existing AMC methods are also conducted. The simulation results illustrate that our proposed DRMM-based AMC method achieves better performance in the case of limited signal samples with low signal-to-noise ratio (SNR) than other existing methods.

Jingchun Wang,Peihao Dong,Fuhui Zhou,Qihui Wu

2024-10-15

Abstract:Deep learning (DL) has significantly improved automatic modulation classification (AMC) by leveraging neural networks as the feature <a class="link-external link-http" href="http://extractor.However" rel="external noopener nofollow">this http URL</a>, as the DL-based AMC becomes increasingly widespread, it is faced with the severe secure issue from various adversarial attacks. Existing defense methods often suffer from the high computational cost, intractable parameter tuning, and insufficient <a class="link-external link-http" href="http://robustness.This" rel="external noopener nofollow">this http URL</a> paper proposes an eXplainable artificial intelligence (XAI) defense approach, which uncovers the negative information caused by the adversarial attack through measuring the importance of input features based on the SHapley Additive exPlanations (SHAP).By properly removing the negative information in adversarial samples and then fine-tuning(FT) the model, the impact of the attacks on the classification result can be <a class="link-external link-http" href="http://mitigated.Experimental" rel="external noopener nofollow">this http URL</a> results demonstrate that the proposed SHAP-FT improves the classification performance of the model by 15%-20% under different attack levels,which not only enhances model robustness against various attack levels but also reduces the resource consumption, validating its effectiveness in safeguarding communication networks.

Signal Processing

Sicheng Zhang,Jiangzhi Fu,Jiarun Yu,Huaitao Xu,Haoran Zha,Shiwen Mao,Yun Lin

DOI: https://doi.org/10.1109/tccn.2024.3382126

IF: 6.359

2024-01-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:With the improvement of basic designs and the evolution of key algorithms, artificial intelligence (AI) has been considered by both industry and academia as the most promising solution for many electromagnetic space problems, such as automatic modulation classification (AMC). However, the fact that AI-based AMC models are vulnerable to adversarial examples mystifies the optimism. Adversarial attacks help researchers to reexamine AI-based AMC models and promote safe applications. In this paper, we study the frequency leakage and glitch problems caused by high frequency components in the adversarial perturbations of existing attack algorithms. We propose a Spectrum-focused Frequency Adversarial Attack (SFAA) algorithm to suppress the high frequency components to alleviate such problems. Next, we leverage meta-learning to improve the transferability of the proposed algorithm for black-box attacks. We also train a Channel-robust Class-universal Spectrum-focused Frequency Adversarial Attack (CrCu-SFAA) generative model using the generative adversarial network framework. Finally, extensive experiments using qualitative and quantitative indicators demonstrate that the proposed algorithm achieves an improved attack performance, and our proposed approach of reducing out-of-band high frequency components of the adversarial perturbations improves the concealment and adversarial signal quality.

telecommunications

Xuanshen Wan,Wei Liu,Chaoyang Niu,Wanjie Lu,Meng Du,Yuanli Li

DOI: https://doi.org/10.1109/jstars.2024.3384188

IF: 4.715

2024-04-30

IEEE Journal of Selected Topics in Applied Earth Observations and Remote Sensing

Abstract:Synthetic aperture radar automatic target recognition (SAR-ATR) models based on deep neural networks (DNNs) are vulnerable to attacks of adversarial examples. Universal adversarial attack algorithms can help evaluate and improve the robustness of the SAR-ATR models and have become a research hotspot. However, current universal adversarial attack algorithms have limitations. First, considering the difficulty in obtaining information on the attacking SAR-ATR models, there is an urgent need to design a universal adversarial attack algorithm under a black-box scenario. Second, given the difficulty of acquiring synthetic aperture radar images, the effectiveness of attacks under small-sample conditions requires improvement. To address these limitations, this study proposed a black-box universal adversarial attack algorithm: transferable universal adversarial network (TUAN). Based on the idea of the generative adversarial network, we implemented the game of generator and attenuator to improve the transferability of universal adversarial perturbation (UAP). We designed loss functions for the generator and the attenuator, respectively, which can effectively improve the success rate of black-box attacks and the stealthiness of attacks. In addition, U-Net was used as a network structure of the generator and the attenuator to fully learn the distribution of examples, thereby enhancing the attack success rate under small-sample conditions. The TUAN attained a higher black-box attack success rate and superior stealthiness than up-to-date UAP algorithms in non-targeted and targeted attacks.

engineering, electrical & electronic,imaging science & photographic technology,remote sensing,geography, physical

Sicheng Zhang,Yun Lin,Jiarun Yu,Jianting Zhang,Qi Xuan,Dongwei Xu,Juzhen Wang,Meiyu Wang

DOI: https://doi.org/10.1109/tccn.2024.3360514

IF: 6.359

2024-01-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:Deep neural networks provide intelligent solutions for Automatic Modulation Classification (AMC) tasks in the field of communication. However, their susceptibility to adversarial examples due to the interpretability problem presents a challenge as it leads to anomalous decisions. Emerging studies suggest that the high-frequency constituents within signals constitute a fundamental source of adversarial vulnerability. To address this issue, this paper introduces a Homomorphic Filtering Adversarial Defense (HFAD) algorithm that aims to effectively defend against adversarial examples by applying frequency domain filtering on the signal. This approach enhances the security and reliability of the AMC model by attenuating high-frequency components of the signal through homomorphic filtering, thereby reducing errors caused by adversarial perturbations on model outputs. The robustness of the AMC model is further enhanced through the integration of HFAD with data augmentation strategies. Experimental results demonstrate that the proposed defense algorithm not only maintains high signal recognition accuracy but also preserves communication signal transmission quality. Moreover, HFAD effectively withstands a wide range of white-box adversarial attacks and demonstrates resilience against black-box adversarial attacks, thereby enhancing the robustness of the AMC model against adversarial examples and exhibiting strong transfer performance.

Yuhang Zhao,Yajie Wang,Chuan Zhang,Chunhai Li,Zehui Xiong,Liehuang Zhu,Dusit Niyato

DOI: https://doi.org/10.1109/tccn.2024.3499362

IF: 6.359

2024-01-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:In the radio frequency field, deep neural networks have been widely used for automatic modulation recognition tasks due to their superior accuracy. However, it has been shown that these models are susceptible to adversarial examples, which are the kinds of carefully crafted perturbations that can lead to model misclassification and raise security issues in applications. To solve this problem, we propose an Ultra-Fusion Adversarial Training method, which combines adversarial training and ensemble learning to enable the model robustness to withstand different attack strengths. We explore the number and distribution of ensembled attacks and introduce a Fermi-function-like distribution to optimally balance the performance of different attack strengths. Additionally, we investigate the effect of the signal-to-noise ratio (SNR) interval on the model accuracy and robustness, suggesting the effective SNR interval for training. Considering the demand for practical application scenarios of modulation recognition, we propose a comprehensive robustness metric based on weighted integral to evaluate the robustness of the trained models. Numerical experiments demonstrate that our method improves the model’s robustness by 31.89% against white-box attacks, and achieves up to an 80.54% improvement in black-box scenarios. These results show that our method has the ability to resiliently resist potential attacks of various strengths and can be applied to spectrum application scenarios with high-security requirements.

Zhida Bao,Jiawei He,Quanjun Zhang,Chunrong Fang,Keshav Sood,Yun Lin

DOI: https://doi.org/10.1109/globecom54140.2023.10437810

2023-01-01

Abstract:Recently, with the explosive growth of the mobile devices, spectrum sensing for wireless devices has become an attractive research. Automatic modulation classification (AMC) is an important task in spectrum sensing and plays an important role in blind signal recognition, and deep learning has been shown to greatly improve the performance of AMC networks. However, deep learning models for AMC are considered vulnerable against adversarial attacks, resulting in unreliable sensor systems. In this paper, we study how to deal with the threats of adversarial attacks by optimizing neural networks. We propose an adversarial defense method based on genetic algorithm (GA) to optimize adversarial training. The optimizations are performed between the layers of the neural networks to obtain the weights with maximum fitness, to improve the adversarial robustness of the models. In addition, an indicator to quantitatively evaluate the adversarial robustness of the models is also proposed. We conduct experiments in the different perturbation-to-noise ratios (PNRs) to verify the effectiveness of the defensive models. The results show that the GA-optimized approach can greatly improve the classification accuracy of the models to adversarial examples, and provides a better fitting ability than the mainstream adversarial training methods.

Shi Yunhao,Xu Hua,Jiang Lei,Qi Zisen

DOI: https://doi.org/10.1109/lcomm.2022.3179003

IF: 3.5529

2022-08-12

IEEE Communications Letters

Abstract:Automatic modulation classification (AMC) is the key technique in both military and civilian wireless communication. However, the performance is unsatisfactory, even several deep learning-based methods are involved. Targeting its low accuracy at low SNR, high computational cost and label overdependence, we propose a novel AMC framework, where the autoencoder (AE) serves as the backbone and Convolution-AE and LSTM-AE are combined in a parallel way as temporal and spatial feature extractors. The comparisons with serval algorithms on the radioML2016.10a show that our proposed network can achieve higher classification accuracy at low SNR with a low cost. In addition, it suits the semi-supervised scenario since the dependence on labels is loosen.

telecommunications

Juanjuan Weng,Zhiming Luo,Dazhen Lin,Shaozi Li

2023-06-20

Abstract:The vulnerability of Convolutional Neural Networks (CNNs) to adversarial samples has recently garnered significant attention in the machine learning community. Furthermore, recent studies have unveiled the existence of universal adversarial perturbations (UAPs) that are image-agnostic and highly transferable across different CNN models. In this survey, our primary focus revolves around the recent advancements in UAPs specifically within the image classification task. We categorize UAPs into two distinct categories, i.e., noise-based attacks and generator-based attacks, thereby providing a comprehensive overview of representative methods within each category. By presenting the computational details of these methods, we summarize various loss functions employed for learning UAPs. Furthermore, we conduct a comprehensive evaluation of different loss functions within consistent training frameworks, including noise-based and generator-based. The evaluation covers a wide range of attack settings, including black-box and white-box attacks, targeted and untargeted attacks, as well as the examination of defense mechanisms. Our quantitative evaluation results yield several important findings pertaining to the effectiveness of different loss functions, the selection of surrogate CNN models, the impact of training data and data size, and the training frameworks involved in crafting universal attackers. Finally, to further promote future research on universal adversarial attacks, we provide some visualizations of the perturbations and discuss the potential research directions.

Computer Vision and Pattern Recognition

Fan Wang,Tao Shang,Chenhan Hu,Qing Liu

DOI: https://doi.org/10.3390/s23094187

IF: 3.9

2023-04-23

Sensors

Abstract:Automatic modulation classification (AMC) plays an important role in intelligent wireless communications. With the rapid development of deep learning in recent years, neural network-based automatic modulation classification methods have become increasingly mature. However, the high complexity and large number of parameters of neural networks make them difficult to deploy in scenarios and receiver devices with strict requirements for low latency and storage. Therefore, this paper proposes a lightweight neural network-based AMC framework. To improve classification performance, the framework combines complex convolution with residual networks. To achieve a lightweight design, depthwise separable convolution is used. To compensate for any performance loss resulting from a lightweight design, a hybrid data augmentation scheme is proposed. The simulation results demonstrate that the lightweight AMC framework reduces the number of parameters by approximately 83.34% and the FLOPs by approximately 83.77%, without a degradation in performance.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Shuyuan Yang,Tiantian Wang,Jiawei Zhang,Zhixi Feng

DOI: https://doi.org/10.1109/TCCN.2023.3252580

IF: 6.359

2023-06-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:With the evolutionary development of modern communications technology, automatic modulation classification (AMC) has played an increasing role in the complex wireless communication environment. Existing AMC schemes based on deep learning use a neural network to extract features and calculate feature maps, then feed them into fully connected layers for classification. However, existing schemes still are insufficient in utilizing feature maps. To overcome this limitation, a novel adaptive wavelet network (AWN) is proposed, which combines adaptive wavelet decomposition based on the lifting scheme and channel attention mechanism.In contrast to the previous models, the multi-level decomposition of AWN explicitly extracts the features of multiple frequency bands. The channel attention mechanism further selects the optimal frequencies from the candidate frequencies. AWN explores a novel AMC paradigm that efficiently integrates the inherent properties of the signal by introducing prior knowledge in the frequency domain. Simulation results demonstrate that our proposed AMC scheme outperforms the benchmark scheme and has rather low computational complexity.

Computer Science,Engineering

Lu Zhang,Sangarapillai Lambotharan,Gan Zheng,Guisheng Liao,Ambra Demontis,Fabio Roli

2024-07-09

Abstract:Motivated by the superior performance of deep learning in many applications including computer vision and natural language processing, several recent studies have focused on applying deep neural network for devising future generations of wireless networks. However, several recent works have pointed out that imperceptible and carefully designed adversarial examples (attacks) can significantly deteriorate the classification accuracy. In this paper, we investigate a defense mechanism based on both training-time and run-time defense techniques for protecting machine learning-based radio signal (modulation) classification against adversarial attacks. The training-time defense consists of adversarial training and label smoothing, while the run-time defense employs a support vector machine-based neural rejection (NR). Considering a white-box scenario and real datasets, we demonstrate that our proposed techniques outperform existing state-of-the-art technologies.

Artificial Intelligence

Mengtao Wang,Shengliang Fang,Youchen Fan,Jinming Li,Yi Zhao,Yuying Wang

DOI: https://doi.org/10.1038/s41598-024-72867-1

2024-09-15

Abstract:Unmanned aerial vehicle (UAV)-assisted communication based on automatic modulation classification (AMC) technology is considered an effective solution to improve the transmission efficiency of wireless communication systems, as it can adaptively select the most suitable modulation method according to the current communication environment. However, many existing deep learning (DL)-based AMC methods cannot be directly applied to UAV platform with limited computing power and storage space, because of the contradiction between accuracy and efficiency. This paper mainly studies the lightweight of DL-based AMC networks to improve adaptability in resource-constrained scenarios. To address this challenge, we propose an ultra-lightweight neural network (ULNN). This network incorporates a lightweight convolutional structure, attention mechanism, and cross-channel feature fusion technique. Additionally, we introduce data augmentation (DA) based on signal phase offsets during the model training process, aimed at improving the model's generalization ability and preventing overfitting. Through experimental validation on the public dataset RML2016.10 A, the ULNN we proposed achieves an average precision of 62.83% with only 8815 parameters and reaches a peak classification accuracy of 92.11% at SNR = 10 dB. The experimental results show that ULNN can achieve high recognition accuracy while keeping the model lightweight, and is suitable for UAV platform with limited resources.

Jiawei Zhang,Tiantian Wang,Zhixi Feng,Shuyuan Yang

2023-04-02

Abstract:Automatic modulation classification (AMC) is a crucial stage in the spectrum management, signal monitoring, and control of wireless communication systems. The accurate classification of the modulation format plays a vital role in the subsequent decoding of the transmitted data. End-to-end deep learning methods have been recently applied to AMC, outperforming traditional feature engineering techniques. However, AMC still has limitations in low signal-to-noise ratio (SNR) environments. To address the drawback, we propose a novel AMC-Net that improves recognition by denoising the input signal in the frequency domain while performing multi-scale and effective feature extraction. Experiments on two representative datasets demonstrate that our model performs better in efficiency and effectiveness than the most current methods.

Signal Processing,Machine Learning,Networking and Internet Architecture