Jun Xia,Zhihao Yue,Yingbo Zhou,Zhiwei Ling,Xian Wei,Mingsong Chen

2023-10-19

Abstract:Due to the popularity of Artificial Intelligence (AI) technology, numerous backdoor attacks are designed by adversaries to mislead deep neural network predictions by manipulating training samples and training processes. Although backdoor attacks are effective in various real scenarios, they still suffer from the problems of both low fidelity of poisoned samples and non-negligible transfer in latent space, which make them easily detectable by existing backdoor detection algorithms. To overcome the weakness, this paper proposes a novel frequency-based backdoor attack method named WaveAttack, which obtains image high-frequency features through Discrete Wavelet Transform (DWT) to generate backdoor triggers. Furthermore, we introduce an asymmetric frequency obfuscation method, which can add an adaptive residual in the training and inference stage to improve the impact of triggers and further enhance the effectiveness of WaveAttack. Comprehensive experimental results show that WaveAttack not only achieves higher stealthiness and effectiveness, but also outperforms state-of-the-art (SOTA) backdoor attack methods in the fidelity of images by up to 28.27\% improvement in PSNR, 1.61\% improvement in SSIM, and 70.59\% reduction in IS.

Computer Vision and Pattern Recognition,Artificial Intelligence

Zhicong Zheng,Xinfeng Li,Chen Yan,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1145/3581783.3613843

2023-01-01

Abstract:Backdoor Attacks have been shown to pose significant threats to automatic speech recognition systems (ASRs). Existing success largely assumes backdoor triggering in the digital domain, or the victim will not notice the presence of triggering sounds in the physical domain. However, in practical victim-present scenarios, the over-the-air distortion of the backdoor trigger and the victim awareness raised by its audibility may invalidate such attacks. In this paper, we propose SMA, an inaudible grey-box backdoor attack that can be generalized to real-world scenarios where victims are present by exploiting both the vulnerability of microphones and neural networks. Specifically, we utilize the nonlinear effects of microphones to inject an inaudible ultrasonic trigger. To accurately characterize the microphone response to the crafted ultrasound, we construct a novel nonlinear transfer function for effective optimization. We also design optimization objectives to ensure triggers' robustness in the physical world and transferability on unseen ASR models. In practice, SMA can bypass the microphone's built-in filters and human perception, activating the implanted trigger in the ASRs inaudibly, regardless of whether the user is speaking. Extensive experiments show that the attack success rate of SMA can reach nearly 100% in the digital domain and over 85% against most microphones in the physical domains by only poisoning about 0.5% of the training audio dataset. Moreover, our attack can resist typical defense countermeasures to backdoor attacks.

Junning Ze,Xinfeng Li,Yushi Cheng,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ICPADS56603.2022.00033

2022-01-01

Abstract:Automatic speaker verification (ASV) systems have been widely applied in voice user interfaces to conduct person identification and access control via voiceprints. A typical ASV system consists of three stages, i.e., training, enrollment, and verification. Previous work has revealed that the ASV system can be bypassed at the training stage by backdoor attacks and at the verification stage by adversarial example attacks. In this paper, we propose a new type of backdoor attack aimed at the enrollment stage via adversarial ultrasound, named UltraBD, which is highly imperceptible, synchronization-free, and content-independent. By simultaneously injecting the ultrasound backdoor examples when the legitimate user initiates the enrollment, the polluted voiceprints stored in the ASV systems grant access to both the legitimate user and the adversary with relatively high confidence. Despite the challenges, i.e., when, what, and how the legitimate user articulates at the enrollment stage can be remarkably unpredictable and various, we managed to launch UltraBD by augmenting the generation and optimization process of the ultrasound backdoor examples with the randomness of synchronous time and relative amplitude ratio. Furthermore, we optimize the modulation mechanism of adversarial ultrasound by tuning the baseband signal on limited signal frequency points to improve its robustness in the physical world setting. We validate UltraBD on two common datasets together with two open-source ASV models. Results show that UltraBD can be robust to various configurations, e.g., different speakers and utterance content. In sum, our attack calls attention to a new attack surface of ASV systems and sheds light on its fundamental mechanisms.

Zhengyao Song,Yongqiang Li,Danni Yuan,Li Liu,Shaokui Wei,Baoyuan Wu

2024-05-24

Abstract:This work explores an emerging security threat against deep neural networks (DNNs) based image classification, i.e., backdoor attack. In this scenario, the attacker aims to inject a backdoor into the model by manipulating training data, such that the backdoor could be activated by a particular trigger and bootstraps the model to make a target prediction at inference. Currently, most existing data poisoning-based attacks struggle to achieve success at low poisoning ratios, increasing the risk of being defended by defense methods. In this paper, we propose a novel frequency-based backdoor attack via Wavelet Packet Decomposition (WPD), WPD decomposes the original image signal to a spectrogram that contains frequency information with different semantic meanings. We leverage WPD to statistically analyze the frequency distribution of the dataset to infer the key frequency regions the DNNs would focus on, and the trigger information is only injected into the key frequency regions. Our method mainly includes three parts: 1) the selection of the poisoning frequency regions in spectrogram; 2) trigger generation; 3) the generation of the poisoned dataset. Our method is stealthy and precise, evidenced by the 98.12% Attack Success Rate (ASR) on CIFAR-10 with the extremely low poisoning ratio 0.004% (i.e., only 2 poisoned samples among 50,000 training samples) and can bypass most existing defense methods. Besides, we also provide visualization analyses to explain why our method works.

Cryptography and Security

Yunsong Huang,Weicheng Liu,Hui-Ming Wang

DOI: https://doi.org/10.1109/TVT.2023.3267455

2023-06-19

Abstract:Recently, DL has been exploited in wireless communications such as modulation classification. However, due to the openness of wireless channel and unexplainability of DL, it is also vulnerable to adversarial attacks. In this correspondence, we investigate a so called hidden backdoor attack to modulation classification, where the adversary puts elaborately designed poisoned samples on the basis of IQ sequences into training dataset. These poisoned samples are hidden because it could not be found by traditional classification methods. And poisoned samples are same to samples with triggers which are patched samples in feature space. We show that the hidden backdoor attack can reduce the accuracy of modulation classification significantly with patched samples. At last, we propose activation cluster to detect abnormal samples in training dataset.

Signal Processing

DOI: https://doi.org/10.1007/s11280-023-01153-3

2023-05-11

World Wide Web

Abstract:Deep learning models are vulnerable to backdoor attacks, where an adversary aims to inject a hidden backdoor into the deep learning models, such that the victim models perform well on clean data but output predefined wrong results on data containing specific triggers (e.g., a pattern, or a specific accessory). While existing attack methods are effective, they are commonly not stealthy and robust, i.e., the backdoor triggers are unnatural and easily detected, and they are hard to resist data augmentation operations. To address these issues, in this paper, we explore new types of attack methods that significantly improve the stealthiness and robustness of backdoor attacks. Specifically, inspired by digital watermarking techniques, we propose two backdoor trigger injection algorithms based on discrete Fourier transform and discrete cosine transform. These algorithms select the frequency domain instead of the spatial domain for trigger injection, ensuring the stealthiness. Besides they divide the original data into multiple data blocks for multiple injections of triggers to improve the robustness. We experimentally evaluated the proposed methods on GTSRB and CIFAR10 datasets, and the results demonstrate that our methods remarkably improve the stealthiness and robustness of backdoor attacks without compromising effectiveness. For example, on GTSRB, compared with the Badnets and Blend, our methods generate more natural poisoned data, and improve at least 80.99%, 68.09%, 25.49%, and 63.31% in random horizontal flip, random vertical flip, random cropping (padding=2), and random cropping (padding=4).

computer science, information systems, software engineering

Qianmei Wu,Fan Zhang,Shize Guo,Kun Yang,Haoting Shen

DOI: https://doi.org/10.1109/tc.2024.3416682

IF: 3.183

2024-01-01

IEEE Transactions on Computers

Abstract:As a common defense against side-channel attacks, random delay insertion introduces noise into the executive flow of encryption, which increases attack complexity. Accordingly, various techniques are exploited to mitigate the defense effect of such insertions. As an advanced mathematical technique, wavelet analysis is considered to be a more effective technology according to its detailed and comprehensive interpretation of signals. In this paper, we propose a unified and fully automated wavelet-based attack framework (denoted as UWAF), whose data processing is kept within one unified wavelet domain, with three enhanced components: denoising, alignment and key extraction. We put forward a new idea of combining machine learning with wavelet analysis to realize the full automation of the program for attack framework, rendering it possible to search exhaustively for the optimal combination of parameter settings in wavelet transform. Our proposal finds a new setting of wavelet parameters that have not been exploited ever before and achieves the performance enhancement for about 20 times fewer traces required for successful key recovery. UWAF is compared with several mainstream attack frameworks. Experimental results show that it outperforms those counterparts, and can be considered as an effective framework-level solution to defeat the countermeasure of random delay insertion.

Nikolaus Dräger,Yonghao Xu,Pedram Ghamisi

DOI: https://doi.org/10.1109/tgrs.2023.3289307

IF: 8.2

2023-07-07

IEEE Transactions on Geoscience and Remote Sensing

Abstract:Recent years have witnessed the great success of deep learning algorithms in the geoscience and remote sensing (RS) realm. Nevertheless, the security and robustness of deep learning models deserve special attention when addressing safety-critical RS tasks. In this article, we provide a systematic analysis of backdoor attacks for RS data, where both scene classification and semantic segmentation tasks are considered. While most of the existing backdoor attack algorithms rely on visible triggers such as squared patches with well-designed patterns, we propose a novel wavelet transform-based attack (WABA) method, which can achieve invisible attacks by injecting the trigger image into the poisoned image in the low-frequency domain. In this way, the high-frequency information in the trigger image can be filtered out in the attack, resulting in stealthy data poisoning. Despite its simplicity, the proposed method can significantly cheat the current state-of-the-art deep learning models with a high attack success rate. We further analyze how different trigger images and the hyperparameters in the wavelet transform would influence the performance of the proposed method. Extensive experiments on four benchmark RS datasets demonstrate the effectiveness of the proposed method for both scene classification and semantic segmentation tasks and thus highlight the importance of designing advanced backdoor defense algorithms to address this threat in RS scenarios. The code will be available online at https://github.com/ndraeger/waba.

imaging science & photographic technology,remote sensing,engineering, electrical & electronic,geochemistry & geophysics

Zenghui Jiang,Weijun Zeng,Xingyu Zhou,Peilun Feng,Pu Chen,Shenqian Yin,Changzhi Han,Lin Li

DOI: https://doi.org/10.3390/electronics12183752

IF: 2.9

2023-09-06

Electronics

Abstract:Automatic modulation recognition (AMR) serves as a crucial component in domains such as cognitive radio and electromagnetic countermeasures, acting as a significant prerequisite for the efficient signal processing of receivers. Deep neural networks (DNNs), despite their effectiveness, are known to be vulnerable to adversarial attacks. This vulnerability has inspired the introduction of subtle interference to wireless communication signals—interference so minuscule that it is difficult for the human eye to discern. Such interference can mislead eavesdroppers into erroneous modulation pattern recognition when using DNNs, thereby camouflaging communication signal modulation patterns. Nonetheless, the majority of current camouflage methods used for electromagnetic signal modulation recognition rely on a global perturbation of the signal. They fail to consider the local agility of signal disturbance and the concealment requirements for bait signals that are intercepted by the interceptor. This paper presents a generator framework designed to produce perturbations with sparse properties. Furthermore, we introduce a method to reduce spectral loss, which minimizes the spectral difference between adversarial perturbation and the original signal. This method makes perturbation more challenging to monitor, thereby deceiving enemy electromagnetic signal modulation recognition systems. The experimental results validated that the proposed method significantly outperformed existing methods in terms of generation time. Moreover, it can generate adversarial signals characterized by high deceivability and transferability even under extremely sparse conditions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xue Wei,Dola Saha

DOI: https://doi.org/10.1109/tmlcn.2023.3343326

2024-01-01

Abstract:Wireless signals are vulnerable to various security threats, like eavesdropping and jamming, due to the inherent broadcast nature of the wireless channel. Encryption may ensure the confidentiality of the data but does not guarantee successful communication among legitimate users in the presence of strong adversaries, like wideband jammers. In this scenario, hiding a secret signal in presence of another mundane ongoing communication is one of the ways to minimize its chances of getting intercepted. Wireless Steganography is a process of embedding a secret signal inside another signal that acts as a cover to hide the signal of interest. In this paper, we propose to encode secret bits into covert signals that are statistically indistinguishable from a hardware noise generated by a low-cost transmitter. As the covert signal resembles hardware noise, it can be transmitted over any waveform, making it adaptable and portable to any communication link. Each generated complex signal sample is merged with a cover signal sample, yielding a 50% embedding rate. We create the encoding and decoding models by creating a pair of complex-valued neural networks (NNs), which is trained in presence of another NN model, critic. The critic model differentiates between true hardware noise and encoder-generated covert signal, thus providing essential feedback to the NN pair to improve the encoding technique. The decoder undergoes a transfer learning process to adapt to the residual channel effects in over-the-air experiments. In an indoor testbed, we successfully decoded the covert communication that mimics a range of hardware noises and is transmitted using different modulation orders of cover OFDM waveform. Our steganalysis indicates that the covert signal can be generated to mimic specific hardware, which remains indistinguishable in different statistical tests. Our method performs an order of magnitude better in statistical steganalysis compared to the state-of-the-art method in this field.

Zhenghao Zhang,Jianwei Ding,Qi Zhang,Qiyao Deng

DOI: https://doi.org/10.1016/j.cose.2024.103767

IF: 5.105

2024-05-01

Computers & Security

Abstract:Backdoor attacks have been proven to pose effective threats to deep neural networks in various domains, such as biometrics, authentication, and autonomous driving. Attackers compromise the integrity of the model, causing it to behave normally on benign samples under normal circumstances but perform attacker-specified actions on samples containing specific triggers. However, existing attack methods often suffer from two main drawbacks: permissions and concealment. While some attack methods may not require high levels of permissions from the attacker, the triggers are typically visible to the naked eye, significantly reducing the attack's concealment and making it susceptible to detection by existing defense mechanisms. Although many advanced attack methods enhance concealment, they often necessitate control over the model's training process, thereby significantly limiting the practical applicability of the attack. To circumvent the two aforementioned drawbacks, we propose a novel backdoor attack method called WaTrojan, which implements the attack by adding triggers in the wavelet domain. The key to this attack lies in adding perturbations to the wavelet domain of an image, thereby altering the entire spatial domain of pixels. This approach challenges many assumptions of existing defense methods and makes poisoned images nearly indistinguishable from clean images visually. We evaluate WaTrojan on five benchmark datasets, including MNIST, CIFAR-10, GTSRB, CelebA, and ImageNet. The results indicate that our attack achieves an extremely high attack success rate while causing almost no drop in accuracy on benign samples. The visual quality of the poisoned images is high, with little perceptual difference from benign images. Furthermore, we assess the performance of WaTrojan under existing defense measures, and the results show that WaTrojan is robust and can significantly evade and resist the impacts generated by these defense measures.

computer science, information systems

Da Ke,Xiang Wang,Kaizhu Huang,Haoyuan Wang,Zhitao Huang

DOI: https://doi.org/10.1007/s12559-022-10062-y

IF: 4.89

2022-10-20

Cognitive Computation

Abstract:Integrating cognitive radio (CR) technique with wireless networks is an effective way to solve the increasingly crowded spectrum. Automatic modulation classification (AMC) plays an important role in CR. AMC significantly improves the intelligence of CR system by classifying the modulation type and signal parameters of received communication signals. AMC can provide more information for decision making of the CR system. In addition, AMC can help the CR system dynamically adjust the modulation type and coding rate of the communication signal to adapt to different channel qualities, and the AMC technique help eliminate the cost of broadcast modulation type and coding rate. Deep learning (DL) has recently emerged as one most popular method in AMC of communication signals. Despite their success, DL models have recently been shown vulnerable to adversarial attacks in pattern recognition and computer vision. Namely, they can be easily deceived if a small and carefully designed perturbation called an adversarial attack is imposed on the input, typically an image in pattern recognition. Owing to the very different nature of communication signals, it is interesting yet crucially important to study if adversarial perturbation could also fool AMC. In this paper, we make a first attempt to investigate how we can design a special adversarial attack on AMC. we start from the assumption of a linear binary classifier which is further extended to multi-way classifier. We consider the minimum power consumption that is different from existing adversarial perturbation but more reasonable in the context of AMC. We then develop a novel adversarial perturbation generation method that leads to high attack success to communication signals. Experimental results on real data show that the method is able to successfully spoof the 11-class modulation classification at a model with a minimum cost of about − 21 dB in automatic modulation classification task. The visualization results demonstrate that the adversarial perturbation manifests in the time domain as imperceptible undulations of the signal, and in the frequency domain as small noise outside the signal band.

computer science, artificial intelligence,neurosciences

Dimitrios Varkatzas,Antonios Argyriou

2023-10-03

Abstract:In this paper we propose a method for defending against an eavesdropper that uses a Deep Neural Network (DNN) for learning the modulation of wireless communication signals. Our method is based on manipulating the emitted waveform with the aid of a continuous time frequency-modulated (FM) obfuscating signal that is mixed with the modulated data. The resulting waveform allows a legitimate receiver (LRx) to demodulate the data but it increases the test error of a pre-trained or adversarially-trained DNN classifier at the eavesdropper. The scheme works for analog modulation and digital single carrier and multi carrier orthogonal frequency division multiplexing (OFDM) waveforms, while it can implemented in frame-based wireless protocols. The results indicate that careful selection of the parameters of the obfuscating waveform can drop classification performance at the eavesdropper to less than 10% in AWGN and fading channels with no performance loss at the LRx.

Cryptography and Security,Signal Processing

Lei Zhang,Ya Peng,Lifei Wei,Congcong Chen,Xiaoyu Zhang

DOI: https://doi.org/10.1155/2023/9308909

IF: 1.968

2023-05-11

Security and Communication Networks

Abstract:Backdoor attacks have been recognized as a major AI security threat in deep neural networks (DNNs) recently. The attackers inject backdoors into DNNs during the model training such as federated learning. The infected model behaves normally on the clean samples in AI applications while the backdoors are only activated by the predefined triggers and resulted in the specified results. Most of the existing defensing approaches assume that the trigger settings on different poisoned samples are visible and identical just like a white square in the corner of the image. Besides, the sample-specific triggers are always invisible and difficult to detect in DNNs, which also becomes a great challenge against the existing defensing protocols. In this paper, to address the above problems, we propose a backdoor detecting and mitigating protocol based on a wider separate-then-reunion network (WISERNet) equipped with a cryptographic deep steganalyzer for color images, which detects the backdoors hiding behind the poisoned samples even if the embedding algorithm is unknown and further feeds the poisoned samples into the infected model for backdoor unlearning and mitigation. The experimental results show that our work performs better in the backdoor defensing effect compared to state-of-the-art backdoor defensing methods such as fine-pruning and ABL against three typical backdoor attacks. Our protocol reduces the attack success rate close to 0% on the test data and slightly decreases the classification accuracy on the clean samples within 3%.

computer science, information systems,telecommunications

Sicheng Zhang,Yun Lin,Jiarun Yu,Jianting Zhang,Qi Xuan,Dongwei Xu,Juzhen Wang,Meiyu Wang

DOI: https://doi.org/10.1109/tccn.2024.3360514

IF: 6.359

2024-01-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:Deep neural networks provide intelligent solutions for Automatic Modulation Classification (AMC) tasks in the field of communication. However, their susceptibility to adversarial examples due to the interpretability problem presents a challenge as it leads to anomalous decisions. Emerging studies suggest that the high-frequency constituents within signals constitute a fundamental source of adversarial vulnerability. To address this issue, this paper introduces a Homomorphic Filtering Adversarial Defense (HFAD) algorithm that aims to effectively defend against adversarial examples by applying frequency domain filtering on the signal. This approach enhances the security and reliability of the AMC model by attenuating high-frequency components of the signal through homomorphic filtering, thereby reducing errors caused by adversarial perturbations on model outputs. The robustness of the AMC model is further enhanced through the integration of HFAD with data augmentation strategies. Experimental results demonstrate that the proposed defense algorithm not only maintains high signal recognition accuracy but also preserves communication signal transmission quality. Moreover, HFAD effectively withstands a wide range of white-box adversarial attacks and demonstrates resilience against black-box adversarial attacks, thereby enhancing the robustness of the AMC model against adversarial examples and exhibiting strong transfer performance.

Da Ke,Xiang Wang,Zhitao Huang

DOI: https://doi.org/10.1109/tifs.2024.3352423

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Although Deep learning (DL) provides state-of-art results for most spectrum sensing tasks, it is vulnerable to adversarial examples. Based on this phenomenon, we consider a non-cooperative communication scenario where an intruder tries to recognize the modulation type of the intercepted signal. Specifically, this paper aims to minimize the intruder’s accuracy while guaranteeing that the intended receiver can still recover the underlying message with the highest reliability. This process is implemented by adding adversarial perturbations to the channel input symbols at the encoder. In image classification, the perturbation is limited to be imperceptible to a human observer by minimizing the ℓp norm, while in this work, we enriched the connotation of adversarial examples, and first proposed that the imperceptibility of adversarial examples in the field of wireless signals is the imperceptibility of filters. Based on this perspective, we optimized the model of adversarial examples and constrained the adversarial perturbation to a narrow frequency band so that filters cannot filter it out. We also define a new set of metrics to describe the imperceptibility of the wireless signal adversarial example. The simulation results demonstrate the viability of our approach in securing wireless communication against state-of-the-art DL-based intruders while minimizing communication performance reduction.

computer science, theory & methods,engineering, electrical & electronic

Hongyue Zha,Weiming Zhang,Chuan Qin,Nenghai Yu

DOI: https://doi.org/10.1109/icip.2019.8804415

2019-01-01

Abstract:Due to the amazing progresses in deep learning techniques, steganography has now been challenged to tackle not only artificial feature-based but also effective deep-learning-based steganalysis. Recent steganographers have tried to conduct adversarial attacks to defend the steganalysis networks by fine-tuning the embedding details with the help of adversarial information, which, however, mostly are white-box attacks. This research studies a novel method to conduct stegano-graphic adversarial attacks in practical scenario where stegos are sandwiched between black boxes. In our case, the toolboxes to generate stegos are steganographic black boxes where embedding adjustments are prohibited, and networks to detect stegos are semi-black boxes where most of the steganalysis networks’ details are unavailable. By reforming few-pixel-attack into the form of extraction conservation noises and add them directly onto stegos, we ensure the message extraction and launch the attack in practical scenario. Experiments show that the proposed method can significantly boost the error rate of the deep-learning-based steganalysis and at the same time keep a comparable error rate when facing artificial feature-based steganalysis.

Zan Chen,Chaocheng Ma,Yuanjing Feng,Xingsong Hou,Xueming Qian

DOI: https://doi.org/10.1007/s11042-023-14939-4

IF: 2.577

2023-01-01

Multimedia Tools and Applications

Abstract:This paper proposes a deep-based compressive sensing (CS) image steganography scheme that inserts the plain image into the directional lifting wavelet transform (DLWT) domain of the carrier image. For the data hiding processing, we exploit two logistic maps to create the measurement matrix and simulated noise respectively, which are used to randomly under-sample and diffuse the plain image to obtain the secret image. Then, we employ singular value decomposition (SVD) to embed the secret image into the DLWT domain of the carrier image, which generates the meaningful stego image. For the data extraction, we introduce the deep-based CS reconstruction algorithm to enhance the quality of the reconstructed image. Experimental results show that the proposed approach maintains security while achieving a high quality of the stego image and the reconstructed image.

Huajie Chen,Tianqing Zhu,Yuan Zhao,Bo Liu,Xin Yu,Wanlei Zhou

2023-03-24

Abstract:Image deep steganography (IDS) is a technique that utilizes deep learning to embed a secret image invisibly into a cover image to generate a container image. However, the container images generated by convolutional neural networks (CNNs) are vulnerable to attacks that distort their high-frequency components. To address this problem, we propose a novel method called Low-frequency Image Deep Steganography (LIDS) that allows frequency distribution manipulation in the embedding process. LIDS extracts a feature map from the secret image and adds it to the cover image to yield the container image. The container image is not directly output by the CNNs, and thus, it does not contain high-frequency artifacts. The extracted feature map is regulated by a frequency loss to ensure that its frequency distribution mainly concentrates on the low-frequency domain. To further enhance robustness, an attack layer is inserted to damage the container image. The retrieval network then retrieves a recovered secret image from a damaged container image. Our experiments demonstrate that LIDS outperforms state-of-the-art methods in terms of robustness, while maintaining high fidelity and specificity. By avoiding high-frequency artifacts and manipulating the frequency distribution of the embedded feature map, LIDS achieves improved robustness against attacks that distort the high-frequency components of container images.

Cryptography and Security,Computer Vision and Pattern Recognition

Rajeev Sahay,Christopher G. Brinton,David J. Love

DOI: https://doi.org/10.1109/tccn.2021.3114154

IF: 6.359

2022-03-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:Deep learning-based automatic modulation classification (AMC) models are susceptible to adversarial attacks. Such attacks inject specifically crafted wireless interference into transmitted signals to induce erroneous classification predictions. Furthermore, adversarial interference is transferable in black box environments, allowing an adversary to attack multiple deep learning models with a single perturbation crafted for a particular classification model. In this work, we propose a novel wireless receiver architecture to mitigate the effects of adversarial interference in various black box attack environments. We begin by evaluating the architecture uncertainty environment, where we show that adversarial attacks crafted to fool specific AMC DL architectures are not directly transferable to different DL architectures. Next, we consider the domain uncertainty environment, where we show that adversarial attacks crafted on time domain and frequency domain features to not directly transfer to the altering domain. Using these insights, we develop our Assorted Deep Ensemble (ADE) defense, which is an ensemble of deep learning architectures trained on time and frequency domain representations of received signals. Through evaluation on two wireless signal datasets under different sources of uncertainty, we demonstrate that our ADE obtains substantial improvements in AMC classification performance compared with baseline defenses across different adversarial attacks and potencies.

telecommunications