Yi Zhao,Wenjing Yuan,Yinghua Huang,Zhenyu Chen

DOI: https://doi.org/10.1109/dsa56465.2022.00163

2022-01-01

Abstract:With the development of information technology and 5G communication, the number of wireless devices has increased significantly, and the complexity of the communication system has also been rapidly upgraded. Due to the complexity and the high dimensionality of signals, many researchers have applied deep learning to modulation recognition tasks. However, although deep learning exhibits strong capabilities for modulation recognition, its vulnerability to adversarial examples should also be addressed. In this paper, we conduct a preliminary study on the security of DNN-based modulation recognition models. We build multiple high-accuracy DNN-based models on existing research and test their robustness by implementing multiple adversarial attacks on the well-trained models. The results show that adversarial examples pose a very serious threat to DNN-based modulation recognition models.

Mingqian Liu,Zhenju Zhang,Nan Zhao,Yunfei Chen

DOI: https://doi.org/10.1109/infocomwkshps54753.2022.9798389

2022-01-01

Abstract:Modulation recognition models based on deep neural network (DNN) have the advantages of automatic feature extraction, fast recognition and high accuracy. However, due to the interpretability defects, DNN models are vulnerable to adversarial examples designed by attackers. Most existing researches focus on the accuracy of modulation recognition models, while ignoring the huge threat of adversarial examples to the safety and reliability of the models. In the field of modulation recognition, many existing attack methods have good attack performance for simple neural networks, but poor performance for more complicated DNNs. Therefore, this paper proposes an adversarial attack method based on dynamic iterative. The proposed method uses a dynamic iterative step that changes with iteration instead of being fixed. Simulation results show that the proposed attack method has better attack performance when the disturbance is specified than the traditional attack methods.

Haojun Zhao,Yun Lin,Song Gao,Shui Yu

DOI: https://doi.org/10.1109/globecom42002.2020.9322088

2020-01-01

Abstract:The discovery of adversarial examples poses a serious risk to the deep neural networks (DNN). By adding a subtle perturbation that is imperceptible to the human eye, a well-behaved DNN model can be easily fooled and completely change the prediction categories of the input samples. However, research on adversarial attacks in the field of modulation recognition mainly focuses on increasing the prediction error of the classifier, while ignores the importance of decreasing the perceptual invisibility of attack. Aiming at the task of DNNbased modulation recognition, this study designs the Fitting Difference as a metric to measure the perturbed waveforms and proposes a new method: the Nesterov Adam Iterative Method to generate adversarial examples. We show that the proposed algorithm not only exerts excellent white-box attacks but also can initiate attacks on a black-box model. Moreover, our method decreases the waveform perceptual invisibility of attacks to a certain degree, thereby reducing the risk of an attack being detected.

Yun Lin,Haojun Zhao,Xuefei Ma,Ya Tu,Meiyu Wang

DOI: https://doi.org/10.1109/tr.2020.3032744

IF: 5.883

2021-01-01

IEEE Transactions on Reliability

Abstract:Deep learning (DL) models are vulnerable to adversarial attacks, by adding a subtle perturbation which is imperceptible to the human eye, a convolutional neural network (CNN) can lead to erroneous results, which greatly reduces the reliability and security of the DL tasks. Considering the wide application of modulation recognition in the communication field and the rapid development of DL, by adding a well-designed adversarial perturbation to the input signal, this article explores the performance of attack methods on modulation recognition, measures the effectiveness of adversarial attacks on signals, and provides the empirical evaluation of the reliabilities of CNNs. The results indicate that the accuracy of the target model reduce significantly by adversarial attacks, when the perturbation factor is 0.001, the accuracy of the model could drop by about 50% on average. Among them, iterative methods show greater attack performances than that of one-step method. In addition, the consistency of the waveform before and after the perturbation is examined, to consider whether the added adversarial examples are small enough (i.e., hard to distinguish by human eyes). This article also aims at inspiring researchers to further promote the CNNs reliabilities against adversarial attacks.

Junyi Zhang,Chun Li,Jiayong Zhao,Wei Tang,Shichao Guan

DOI: https://doi.org/10.1109/smartiot58732.2023.00056

2023-01-01

Abstract:In recent years, Deep Neural Networks have faced the challenge of resisting example attacks, which seriously affects the security of modulation recognition models based on Deep Neural Networks. Aiming at the adversarial attack problem in signal modulation recognition, this paper uses five classic adversarial attack methods to attack three modulation recognition models based on Deep Neural Networks with different architectures. Then, the attack effectiveness of different methods is evaluated in terms of attack success rate, imperceptibility. The experimental results show that the neural network model is extremely vulnerable to adversarial attacks. The evaluation index proposed in this paper can comprehensively and accurately evaluate the signal adversarial examples, which is of great value for the research on the security and reliability of the intelligent modulation recognition model.

Zenghui Jiang,Weijun Zeng,Xingyu Zhou,Peilun Feng,Pu Chen,Shenqian Yin,Changzhi Han,Lin Li

DOI: https://doi.org/10.3390/electronics12183752

IF: 2.9

2023-09-06

Electronics

Abstract:Automatic modulation recognition (AMR) serves as a crucial component in domains such as cognitive radio and electromagnetic countermeasures, acting as a significant prerequisite for the efficient signal processing of receivers. Deep neural networks (DNNs), despite their effectiveness, are known to be vulnerable to adversarial attacks. This vulnerability has inspired the introduction of subtle interference to wireless communication signals—interference so minuscule that it is difficult for the human eye to discern. Such interference can mislead eavesdroppers into erroneous modulation pattern recognition when using DNNs, thereby camouflaging communication signal modulation patterns. Nonetheless, the majority of current camouflage methods used for electromagnetic signal modulation recognition rely on a global perturbation of the signal. They fail to consider the local agility of signal disturbance and the concealment requirements for bait signals that are intercepted by the interceptor. This paper presents a generator framework designed to produce perturbations with sparse properties. Furthermore, we introduce a method to reduce spectral loss, which minimizes the spectral difference between adversarial perturbation and the original signal. This method makes perturbation more challenging to monitor, thereby deceiving enemy electromagnetic signal modulation recognition systems. The experimental results validated that the proposed method significantly outperformed existing methods in terms of generation time. Moreover, it can generate adversarial signals characterized by high deceivability and transferability even under extremely sparse conditions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Chao Han,Ruoxi Qin,Linyuan Wang,Weijia Cui,Jian Chen,Bin Yan

DOI: https://doi.org/10.1007/s11276-023-03299-4

IF: 2.701

2023-01-01

Wireless Networks

Abstract:Modulation signal intelligent recognition model based on deep learning is widely used in the field of radio signal intelligent processing, but the adversarial attack has become a huge security threat. In order to promote the safe and reliable application of the modulation recognition intelligent model, it is necessary to study its adversarial defense technology. An adversarial defense method based on ensemble learning for modulation signal intelligent recognition model is proposed in this paper. Specifically, this method is achieved by combining multiple defense models such as adversarial training, defensive distillation, and noise smoothing. Variety of attack algorithms in both the white-box and black-box scenarios under different intensities of perturbation and different signal-to-noise ratios are carried out to verify the robustness performance of the proposed method. Strikingly, the accuracy of the model is improved to over 80% when the SNR is above 0 dB under Carlini and Wagner attack.

Javier Maroto,Gérôme Bovet,Pascal Frossard

DOI: https://doi.org/10.48550/arXiv.2103.14977

2021-03-28

Abstract:Given the rapid changes in telecommunication systems and their higher dependence on artificial intelligence, it is increasingly important to have models that can perform well under different, possibly adverse, conditions. Deep Neural Networks (DNNs) using convolutional layers are state-of-the-art in many tasks in communications. However, in other domains, like image classification, DNNs have been shown to be vulnerable to adversarial perturbations, which consist of imperceptible crafted noise that when added to the data fools the model into misclassification. This puts into question the security of DNNs in communication tasks, and in particular in modulation recognition. We propose a novel framework to test the robustness of current state-of-the-art models where the adversarial perturbation strength is dependent on the signal strength and measured with the "signal to perturbation ratio" (SPR). We show that current state-of-the-art models are susceptible to these perturbations. In contrast to current research on the topic of image classification, modulation recognition allows us to have easily accessible insights on the usefulness of the features learned by DNNs by looking at the constellation space. When analyzing these vulnerable models we found that adversarial perturbations do not shift the symbols towards the nearest classes in constellation space. This shows that DNNs do not base their decisions on signal statistics that are important for the Bayes-optimal modulation recognition model, but spurious correlations in the training data. Our feature analysis and proposed framework can help in the task of finding better models for communication systems.

Signal Processing,Machine Learning

Brian Kim,Yalin E. Sagduyu,Kemal Davaslioglu,Tugba Erpek,Sennur Ulukus

DOI: https://doi.org/10.48550/arXiv.2002.02400

2020-02-14

Abstract:We consider a wireless communication system that consists of a transmitter, a receiver, and an adversary. The transmitter transmits signals with different modulation types, while the receiver classifies its received signals to modulation types using a deep learning-based classifier. In the meantime, the adversary makes over-the-air transmissions that are received as superimposed with the transmitter's signals to fool the classifier at the receiver into making errors. While this evasion attack has received growing interest recently, the channel effects from the adversary to the receiver have been ignored so far such that the previous attack mechanisms cannot be applied under realistic channel effects. In this paper, we present how to launch a realistic evasion attack by considering channels from the adversary to the receiver. Our results show that modulation classification is vulnerable to an adversarial attack over a wireless channel that is modeled as Rayleigh fading with path loss and shadowing. We present various adversarial attacks with respect to availability of information about channel, transmitter input, and classifier architecture. First, we present two types of adversarial attacks, namely a targeted attack (with minimum power) and non-targeted attack that aims to change the classification to a target label or to any other label other than the true label, respectively. Both are white-box attacks that are transmitter input-specific and use channel information. Then we introduce an algorithm to generate adversarial attacks using limited channel information where the adversary only knows the channel distribution. Finally, we present a black-box universal adversarial perturbation (UAP) attack where the adversary has limited knowledge about both channel and transmitter input.

Signal Processing,Machine Learning,Networking and Internet Architecture

Shuting Tang,Mingliang Tao,Xiang Zhang,Yifei Fan,Jia Su,Ling Wang

DOI: https://doi.org/10.23919/URSIGASS51995.2021.9560288

2021-01-01

Abstract:Deep learning has achieved superior performance on radio signal modulation classification. However, its security and reliability are vulnerable due to its data-oriented learning strategy. In this paper, the vulnerability of deep neural network for radio classification is investigated. Based on the radar and communication waveforms, slight optimal perturbations are generated and added onto the orig...

Lu Zhang,Sangarapillai Lambotharan,Gan Zheng,Guisheng Liao,Ambra Demontis,Fabio Roli

2024-07-09

Abstract:Motivated by the superior performance of deep learning in many applications including computer vision and natural language processing, several recent studies have focused on applying deep neural network for devising future generations of wireless networks. However, several recent works have pointed out that imperceptible and carefully designed adversarial examples (attacks) can significantly deteriorate the classification accuracy. In this paper, we investigate a defense mechanism based on both training-time and run-time defense techniques for protecting machine learning-based radio signal (modulation) classification against adversarial attacks. The training-time defense consists of adversarial training and label smoothing, while the run-time defense employs a support vector machine-based neural rejection (NR). Considering a white-box scenario and real datasets, we demonstrate that our proposed techniques outperform existing state-of-the-art technologies.

Artificial Intelligence

Gang Yang,XiaoLei Wang,LuLu Wang,Yi Zhang,Yu Han,Xin Tan,Shang Yong Zhang

DOI: https://doi.org/10.1109/icicsp55539.2022.10050592

2022-01-01

Abstract:Convolutional network models (CNN) are very vulnerable to adversarial samples, which poses a serious challenge to the security of CNN models. Based on the task of CNN's modulation and identification of communication signals, we propose a white-box attack algorithm, the shortest distance attack method (SD-Alg), which can generate extremely small disturbances and greatly reduce the classification performance of the model. Experiments show that our algorithm excels in attack success rate, running time and adversarial perturbation size among the same type of algorithms.

Dimitrios Varkatzas,Antonios Argyriou

2023-10-03

Abstract:In this paper we propose a method for defending against an eavesdropper that uses a Deep Neural Network (DNN) for learning the modulation of wireless communication signals. Our method is based on manipulating the emitted waveform with the aid of a continuous time frequency-modulated (FM) obfuscating signal that is mixed with the modulated data. The resulting waveform allows a legitimate receiver (LRx) to demodulate the data but it increases the test error of a pre-trained or adversarially-trained DNN classifier at the eavesdropper. The scheme works for analog modulation and digital single carrier and multi carrier orthogonal frequency division multiplexing (OFDM) waveforms, while it can implemented in frame-based wireless protocols. The results indicate that careful selection of the parameters of the obfuscating waveform can drop classification performance at the eavesdropper to less than 10% in AWGN and fading channels with no performance loss at the LRx.

Cryptography and Security,Signal Processing

Peihan Qi,Tao Jiang,Lizhan Wang,Xu Yuan,Zan Li

DOI: https://doi.org/10.1109/tr.2022.3161138

IF: 5.883

2022-01-01

IEEE Transactions on Reliability

Abstract:Advances in adversarial attack and defense technologies will enhance the reliability of deep learning (DL) systems spirally. Most existing adversarial attack methods make overly ideal assumptions, which creates the illusion that the DL system can be attacked simply and has restricted the further improvement on DL systems. To perform practical adversarial attacks, a detection tolerant black-box adversarial-attack (DTBA) method against DL-based automatic modulation classification (AMC) is presented in this article. In the DTBA method, the local DL model as a substitution of the remote target DL model is trained first. The training dataset is generated by an attacker, labeled by the target model, and augmented by Jacobian transformation. Then, the conventional gradient attack method is utilized to generate adversarial attack examples toward the local DL model. Moreover, before launching attack to the target model, the local model estimates the misclassification probability of the perturbed examples in advance and deletes those invalid adversarial examples. Compared with related attack methods of different criteria on public datasets, the DTBA method can reduce the attack cost while increasing the rate of successful attack. Adversarial attack transferability of the proposed method on the target model has increased by more than 20%. The DTBA method will be suitable for launching flexible and effective black-box adversarial attacks against DL-based AMC systems.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Lin Hu,Han Jiang,Wen Li,Hao Han,Yang,Yutao Jiao,Haichao Wang,Yuhua Xu

DOI: https://doi.org/10.1155/2022/5472324

2022-01-01

Wireless Communications and Mobile Computing

Abstract:Deep neural network-based automatic modulation recognition (AMR) technology has become an increasingly important area due to the advantages of self-extraction of features and high identification accuracy. Based on the view of security threats to machine learning classifiers, we investigate the influence of adversarial samples on the AMR model in this paper. The traditional method is based on label gradient attack without taking advantage of the feature-level transferability, resulting in the attack effect that is not perfect. So, we exploit the feature-level transferability property that could be met to fulfill realistic imperceptibility and transfer needs. In this paper, firstly, we proposed an AMR scheme with high recognition accuracy as our attack model. Secondly, we proposed a transferable attack method based on a feature gradient-based, which increases perturbation to clean signal based on features space. Finally, we introduce a new attack strategy, in which we select two original and one adversarial target signal sample as the input of triplet loss to achieve higher attack strength and high transferability. Meanwhile, this paper proposes indicators of signal characteristics to test the effectiveness of our proposed attack method. Based on experimental results, our proposed feature gradient-based adversarial attack method outperforms the currently labeled gradient attack methods regarding attack effectiveness and transferability.

Ruiqi Li,Hongshu Liao,Jiancheng An,Chau Yuen,Lu Gan

DOI: https://doi.org/10.1109/LCOMM.2023.3261423

IF: 3.5529

2023-01-01

IEEE Communications Letters

Abstract:Most existing adversarial attack methods generally rely on ideal assumptions, which is unreasonable for practical applications. In this letter, a practical threat model which utilizes adversarial attacks for anti-eavesdropping is proposed and a physical intra-class universal adversarial perturbation (IC-UAP) crafting method against DL-based wireless signal classifiers is then presented. First, an IC-UAP algorithm is proposed based on the threat model to craft a stronger UAP attack against the samples in a given class from a batch of samples in the class. Then, we develop a physical attack algorithm based on the IC-UAP method, in which perturbations are optimized under random shifting to enhance the robustness of IC-UAPs against the unsynchronization between adversarial attacks and attacked signals. Finally, the numerical results corroborate the effectiveness of the proposed approach based on the benchmark dataset.

Da Ke,Xiang Wang,Kaizhu Huang,Haoyuan Wang,Zhitao Huang

DOI: https://doi.org/10.1007/s12559-022-10062-y

IF: 4.89

2022-10-20

Cognitive Computation

Abstract:Integrating cognitive radio (CR) technique with wireless networks is an effective way to solve the increasingly crowded spectrum. Automatic modulation classification (AMC) plays an important role in CR. AMC significantly improves the intelligence of CR system by classifying the modulation type and signal parameters of received communication signals. AMC can provide more information for decision making of the CR system. In addition, AMC can help the CR system dynamically adjust the modulation type and coding rate of the communication signal to adapt to different channel qualities, and the AMC technique help eliminate the cost of broadcast modulation type and coding rate. Deep learning (DL) has recently emerged as one most popular method in AMC of communication signals. Despite their success, DL models have recently been shown vulnerable to adversarial attacks in pattern recognition and computer vision. Namely, they can be easily deceived if a small and carefully designed perturbation called an adversarial attack is imposed on the input, typically an image in pattern recognition. Owing to the very different nature of communication signals, it is interesting yet crucially important to study if adversarial perturbation could also fool AMC. In this paper, we make a first attempt to investigate how we can design a special adversarial attack on AMC. we start from the assumption of a linear binary classifier which is further extended to multi-way classifier. We consider the minimum power consumption that is different from existing adversarial perturbation but more reasonable in the context of AMC. We then develop a novel adversarial perturbation generation method that leads to high attack success to communication signals. Experimental results on real data show that the method is able to successfully spoof the 11-class modulation classification at a model with a minimum cost of about − 21 dB in automatic modulation classification task. The visualization results demonstrate that the adversarial perturbation manifests in the time domain as imperceptible undulations of the signal, and in the frequency domain as small noise outside the signal band.

computer science, artificial intelligence,neurosciences

Alireza Bahramali,Milad Nasr,Amir Houmansadr,Dennis Goeckel,Don Towsley

DOI: https://doi.org/10.1145/3460120.3484777

2021-11-12

Abstract:There is significant enthusiasm for the employment of Deep Neural Networks (DNNs) for important tasks in major wireless communication systems: channel estimation and decoding in orthogonal frequency division multiplexing (OFDM) systems, end-to-end autoencoder system design, radio signal classification, and signal authentication. Unfortunately, DNNs can be susceptible to adversarial examples, potentially making such wireless systems fragile and vulnerable to attack. In this work, by designing robust adversarial examples that meet key criteria, we perform a comprehensive study of the threats facing DNN-based wireless systems. We model the problem of adversarial wireless perturbations as an optimization problem that incorporates domain constraints specific to different wireless systems. This allows us to generate wireless adversarial perturbations that can be applied to wireless signals on-the-fly (i.e., with no need to know the target signals a priori), are undetectable from natural wireless noise, and are robust against removal. We show that even in the presence of significant defense mechanisms deployed by the communicating parties, our attack performs significantly better compared to existing attacks against DNN-based wireless systems. In particular, the results demonstrate that even when employing well-considered defenses, DNN-based wireless communication systems are vulnerable to adversarial attacks and call into question the employment of DNNs for a number of tasks in robust wireless communication.

Haojun Zhao,Qiao Tian,Lei Pan,Yun Lin

DOI: https://doi.org/10.1016/j.phycom.2020.101199

IF: 2.379

2020-01-01

Physical Communication

Abstract:The wide application of contour stellar images has helped researchers transform signal classification problems into image classification problems to solve signal recognition based on deep learning. However, deep neural networks (DNN) are quite vulnerable to adversarial examples, thus simply evaluating the adversarial attack performance on the signal sequence recognition model cannot meet the current security requirements. From the perspective of an attacker, this study converts individual signals into stellar contour images, and then generates adversarial examples to evaluate the adversarial attack impacts. The results show that whether the current input sample is a signal sequence or a converted image, the DNN is vulnerable to the threat of adversarial examples. In the selected methods, whether it is under different perturbations or signal-to-noise ratio (SNRs), the momentum iteration method has the best performance among them, and under the perturbation of 0.01, the attack performance is more than 10% higher than the fast gradient sign method. Also, to measure the invisibility of adversarial examples, the contour stellar images before and after the attack were compared to maintain a balance between the attack success rate and the attack concealment.

Keyu Lu,Zhisheng Qian,Manxi Wang,Dewang Wang,Pengfei Ma

DOI: https://doi.org/10.1002/dac.5494

2023-04-13

International Journal of Communication Systems

Abstract:This work proposes an adversarial attack approach for misleading deep‐learning‐based modulation classifiers. We first introduce a convolutional neural network (CNN)‐based universal adversarial perturbation (UAP) generation model that contains an FIR filter layer to control the bandwidth of the output perturbation. Besides, we propose a scheme that ensures the shift‐invariant property of adversarial perturbations. We also design a composite loss function that improves the imperceptibility of the adversarial perturbation in both time and frequency domains. Summary With the development of deep‐learning technology, how to prevent signal modulation from being correctly classified by deep‐learning‐based intruders becomes a challenging issue. Adversarial attack provides an ideal solution as deep‐learning models are proved to be vulnerable to intentionally designed perturbations. However, applying adversarial attacks to communication systems faces several practical problems such as shift‐invariant, imperceptibility, and bandwidth compatibility. To this end, a shift‐invariant universal adversarial attack approach is proposed in this work for misleading deep‐learning‐based modulation classifiers used by intruders. Specifically, this work first introduces a convolutional neural network (CNN)‐based UAP (universal adversarial perturbation) generation model that contains an finite impulse response (FIR) filter layer to control the bandwidth of the output perturbation. Besides, this work proposes a circular shift scheme that simulates the random signal cropping in the inference phase and thus ensures the shift‐invariant property of adversarial perturbations. In addition, this work designs a composite loss function that improves the imperceptibility of the adversarial perturbation in both time and frequency domains without decreasing the effectiveness of the adversarial attack. Experimental results demonstrate the effectiveness of the proposed approach, achieving about 50% accuracy drop on the target model when the perturbation‐to‐signal ratio (PSR) is −10 dB. Furthermore, extensive experiments are conducted to validate the shift‐invariant, imperceptibility, bandwidth compatibility, and transferability of the proposed approach for modulation classification tasks.

telecommunications,engineering, electrical & electronic