Dongwei Xu,Jiangpeng Li,Zhuangzhi Chen,Qi Xuan,Weiguo Shen,Xiaoniu Yang

DOI: https://doi.org/10.1109/tcsii.2023.3312532

2024-01-01

Abstract:Automatic Modulation Classification (AMC), which based on deep learning has been extensively researched and implemented in wireless communication systems. Universal adversarial perturbation refers to a single perturbation that can cause most samples to be misclassified by deep learning models. In this paper, we aim to achieve imperceptible universal adversarial attacks on AMC models, and thus an imperceptible universal adversarial perturbations (imperceptible UAPs) framework was proposed. Specifically, loss functions were separately designed for target signals and non-target signals, and then a total loss was calculated. This total loss function can be modified by hyperparameters to achieve class-specific universal adversarial attacks (CUAAs), class-discriminative universal adversarial attacks (CD-UAAs), and class-discriminative target universal adversarial attacks (CD-TUAAs). Meanwhile, wavelet reconstruction was applied to the training data, thus further improving the discriminability of the generated UAPs. After CUAAs were implemented, the class dominant in radio signals was visualized and analyzed by confusion matrices. Furthermore, with the confusion matrices of CUAAs, CD-TUAAs were efficiently implemented. The experiments were conducted on two radio signal datasets and models. In most scenarios, CD-UAAs achieved excellent performance with an average ΔAcc of 58. 20% and CD-TUAAs achieved an average ΔK of 73.78%.

Weiguo Shen,Jiangpeng Li,Chuntao Gu,Qi Xuan,Dongwei Xu,Xiaoniu Yang

DOI: https://doi.org/10.1109/icct59356.2023.10419687

2023-01-01

Abstract:Automatic Modulation Classification (AMC), which is based on deep learning, has been extensively implemented in wireless communication systems. Universal adversarial perturbation (UAP), which is a type of sample-agnostic adversarial attack, can add to all natural samples to change most of their predicted labels. In this paper, we aim to achieve universal adversarial attacks on AMC models, and thus we proposed a method based on AutoEncoder, a novel strategy that takes advantage of the feature extraction capability and dimensionality reduction of AutoEncoder to generate UAP. Firstly, we used white-box and black-box methods to generate universal adversarial perturbations. Secondly, we proved that small perturbations to the original input can significantly reduce the accuracy of the model. Moreover, once the UAP generated, the adversarial attack will no longer depend on their input and only a small number of samples are needed to generate a powerful UAP. This property eases the attack procedure for real-time applications. Finally, the UAP generated by our method can attack across models with similar structures, exhibiting strong transferability.

Chao Wang,Xianglin Wei,Jianhua Fan,Yongyang Hu,Long Yu

DOI: https://doi.org/10.1109/jiot.2023.3254648

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:In spite of unique advantages like higher recognition accuracy and better generalization capability, Automatic Modulation Classification (AMC) oriented Deep Neural Networks (ADNNs) are still vulnerable to adversarial examples (AEs). Recent results revealed that an attacker can easily fool ADNNs through adding a small and imperceptible perturbation to the original signal. Among different AE generation methods, Universal Adversarial Perturbation (UAP) has unique characteristics including input-agnostic and shift-invariance. However, applying UAP directly to RF signals faces three main challenges, i.e., perturbation neutralization, high perceptibility, and dependency of original signals. In this backdrop, a novel Universal Adversarial Perturbation under Frequency and Data constraints (UAP-FD) attack is put forward for solving these problems in this paper. First, an individual perturbation is filtered based on the representation visualization algorithm to counter the neutralization problem in perturbation integration. Second, the high-frequency components in the integrated UAP is eliminated through signal decomposition and reconstruction for promoting the imperceptibility. Third, a proxy signal generation method is proposed to help UAP-FD adapt to data-free black-box settings. A series of experiments is conducted to evaluate the aggressiveness and imperceptibility of UAP-FD attack in different settings on a public dataset. Results show that, compared with existing proposal, UAP-FD has a 40% higher fooling rate, and it can reduce the accuracy of the ADNN model from 83% to 9%, while maintaining a good imperceptibility and shift-invariance property. In addition, UAP-FD is applied to real world captured signals over the transmission channel; and it can reduce the model accuracy from 98.3% to 12.5%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Lu Zhang,Sangarapillai Lambotharan,Gan Zheng,Basil AsSadhan,Fabio Roli

2024-07-09

Abstract:Deep learning algorithms have been shown to be powerful in many communication network design problems, including that in automatic modulation classification. However, they are vulnerable to carefully crafted attacks called adversarial examples. Hence, the reliance of wireless networks on deep learning algorithms poses a serious threat to the security and operation of wireless networks. In this letter, we propose for the first time a countermeasure against adversarial examples in modulation classification. Our countermeasure is based on a neural rejection technique, augmented by label smoothing and Gaussian noise injection, that allows to detect and reject adversarial examples with high accuracy. Our results demonstrate that the proposed countermeasure can protect deep-learning based modulation classification systems against adversarial examples.

Artificial Intelligence

Lu Zhang,Sangarapillai Lambotharan,Gan Zheng,Guisheng Liao,Ambra Demontis,Fabio Roli

2024-07-09

Abstract:Motivated by the superior performance of deep learning in many applications including computer vision and natural language processing, several recent studies have focused on applying deep neural network for devising future generations of wireless networks. However, several recent works have pointed out that imperceptible and carefully designed adversarial examples (attacks) can significantly deteriorate the classification accuracy. In this paper, we investigate a defense mechanism based on both training-time and run-time defense techniques for protecting machine learning-based radio signal (modulation) classification against adversarial attacks. The training-time defense consists of adversarial training and label smoothing, while the run-time defense employs a support vector machine-based neural rejection (NR). Considering a white-box scenario and real datasets, we demonstrate that our proposed techniques outperform existing state-of-the-art technologies.

Artificial Intelligence

Da Ke,Xiang Wang,Kaizhu Huang,Haoyuan Wang,Zhitao Huang

DOI: https://doi.org/10.1007/s12559-022-10062-y

IF: 4.89

2022-10-20

Cognitive Computation

Abstract:Integrating cognitive radio (CR) technique with wireless networks is an effective way to solve the increasingly crowded spectrum. Automatic modulation classification (AMC) plays an important role in CR. AMC significantly improves the intelligence of CR system by classifying the modulation type and signal parameters of received communication signals. AMC can provide more information for decision making of the CR system. In addition, AMC can help the CR system dynamically adjust the modulation type and coding rate of the communication signal to adapt to different channel qualities, and the AMC technique help eliminate the cost of broadcast modulation type and coding rate. Deep learning (DL) has recently emerged as one most popular method in AMC of communication signals. Despite their success, DL models have recently been shown vulnerable to adversarial attacks in pattern recognition and computer vision. Namely, they can be easily deceived if a small and carefully designed perturbation called an adversarial attack is imposed on the input, typically an image in pattern recognition. Owing to the very different nature of communication signals, it is interesting yet crucially important to study if adversarial perturbation could also fool AMC. In this paper, we make a first attempt to investigate how we can design a special adversarial attack on AMC. we start from the assumption of a linear binary classifier which is further extended to multi-way classifier. We consider the minimum power consumption that is different from existing adversarial perturbation but more reasonable in the context of AMC. We then develop a novel adversarial perturbation generation method that leads to high attack success to communication signals. Experimental results on real data show that the method is able to successfully spoof the 11-class modulation classification at a model with a minimum cost of about − 21 dB in automatic modulation classification task. The visualization results demonstrate that the adversarial perturbation manifests in the time domain as imperceptible undulations of the signal, and in the frequency domain as small noise outside the signal band.

computer science, artificial intelligence,neurosciences

Da Ke,Xiang Wang,Zhitao Huang

DOI: https://doi.org/10.1109/tifs.2024.3352423

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Although Deep learning (DL) provides state-of-art results for most spectrum sensing tasks, it is vulnerable to adversarial examples. Based on this phenomenon, we consider a non-cooperative communication scenario where an intruder tries to recognize the modulation type of the intercepted signal. Specifically, this paper aims to minimize the intruder’s accuracy while guaranteeing that the intended receiver can still recover the underlying message with the highest reliability. This process is implemented by adding adversarial perturbations to the channel input symbols at the encoder. In image classification, the perturbation is limited to be imperceptible to a human observer by minimizing the ℓp norm, while in this work, we enriched the connotation of adversarial examples, and first proposed that the imperceptibility of adversarial examples in the field of wireless signals is the imperceptibility of filters. Based on this perspective, we optimized the model of adversarial examples and constrained the adversarial perturbation to a narrow frequency band so that filters cannot filter it out. We also define a new set of metrics to describe the imperceptibility of the wireless signal adversarial example. The simulation results demonstrate the viability of our approach in securing wireless communication against state-of-the-art DL-based intruders while minimizing communication performance reduction.

computer science, theory & methods,engineering, electrical & electronic

Brian Kim,Yalin E. Sagduyu,Tugba Erpek,Kemal Davaslioglu,Sennur Ulukus

DOI: https://doi.org/10.1109/gcwkshps50303.2020.9367473

2020-12-01

Abstract:We consider a wireless communication system, where a transmitter sends signals to a receiver with different modulation types while the receiver classifies the modulation types of the received signals using its deep learning-based classifier. Concurrently, an adversary transmits adversarial perturbations using its multiple antennas to fool the classifier into misclassifying the received signals. From the adversarial machine learning perspective, we show how to utilize multiple antennas at the adversary to improve the adversarial (evasion) attack performance. Two main points are considered while exploiting the multiple antennas at the adversary, namely the power allocation among antennas and the utilization of channel diversity. First, we show that multiple independent adversaries, each with a single antenna cannot improve the attack performance compared to a single adversary with multiple antennas using the same total power. Then, we consider various ways to allocate power among multiple antennas at a single adversary such as allocating power to only one antenna, and proportional or inversely proportional to the channel gain. By utilizing channel diversity, we introduce an attack to transmit the adversarial perturbation through the channel with the largest channel gain at the symbol level. We show that this attack reduces the classifier accuracy significantly compared to other attacks under different channel conditions in terms of channel variance and channel correlation across antennas. Also, we show that the attack success improves significantly as the number of antennas increases at the adversary that can better utilize channel diversity to craft adversarial attacks.

Yunsong Huang,Weicheng Liu,Hui-Ming Wang

DOI: https://doi.org/10.1109/TVT.2023.3267455

2023-06-19

Abstract:Recently, DL has been exploited in wireless communications such as modulation classification. However, due to the openness of wireless channel and unexplainability of DL, it is also vulnerable to adversarial attacks. In this correspondence, we investigate a so called hidden backdoor attack to modulation classification, where the adversary puts elaborately designed poisoned samples on the basis of IQ sequences into training dataset. These poisoned samples are hidden because it could not be found by traditional classification methods. And poisoned samples are same to samples with triggers which are patched samples in feature space. We show that the hidden backdoor attack can reduce the accuracy of modulation classification significantly with patched samples. At last, we propose activation cluster to detect abnormal samples in training dataset.

Signal Processing

Peihan Qi,Tao Jiang,Lizhan Wang,Xu Yuan,Zan Li

DOI: https://doi.org/10.1109/tr.2022.3161138

IF: 5.883

2022-01-01

IEEE Transactions on Reliability

Abstract:Advances in adversarial attack and defense technologies will enhance the reliability of deep learning (DL) systems spirally. Most existing adversarial attack methods make overly ideal assumptions, which creates the illusion that the DL system can be attacked simply and has restricted the further improvement on DL systems. To perform practical adversarial attacks, a detection tolerant black-box adversarial-attack (DTBA) method against DL-based automatic modulation classification (AMC) is presented in this article. In the DTBA method, the local DL model as a substitution of the remote target DL model is trained first. The training dataset is generated by an attacker, labeled by the target model, and augmented by Jacobian transformation. Then, the conventional gradient attack method is utilized to generate adversarial attack examples toward the local DL model. Moreover, before launching attack to the target model, the local model estimates the misclassification probability of the perturbed examples in advance and deletes those invalid adversarial examples. Compared with related attack methods of different criteria on public datasets, the DTBA method can reduce the attack cost while increasing the rate of successful attack. Adversarial attack transferability of the proposed method on the target model has increased by more than 20%. The DTBA method will be suitable for launching flexible and effective black-box adversarial attacks against DL-based AMC systems.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Meysam Sadeghi,Erik G. Larsson

DOI: https://doi.org/10.1109/lwc.2018.2867459

IF: 6.3

2019-02-01

IEEE Wireless Communications Letters

Abstract:Deep learning (DL), despite its enormous success in many computer vision and language processing applications, is exceedingly vulnerable to adversarial attacks. We consider the use of DL for radio signal (modulation) classification tasks, and present practical methods for the crafting of white-box and universal black-box adversarial attacks in that application. We show that these attacks can considerably reduce the classification performance, with extremely small perturbations of the input. In particular, these attacks are significantly more powerful than classical jamming attacks, which raises significant security and robustness concerns in the use of DL-based algorithms for the wireless physical layer.

computer science, information systems,telecommunications,engineering, electrical & electronic

Han Xiao,Wenqiang Tian,Wendong Liu,Jia Shen

DOI: https://doi.org/10.1109/lwc.2021.3140102

IF: 6.3

2022-03-01

IEEE Wireless Communications Letters

Abstract:The increasing complexity on channel modeling and the cost on collecting plenty of high-quality wireless channel data have become the main bottlenecks of developing deep learning (DL) based wireless communications. In this letter, a DL-based channel modeling and generating approach namely ChannelGAN is proposed. Specifically, the ChannelGAN is designed on a small set of 3rd generation partnerships project (3GPP) link-level multiple-input multiple-output (MIMO) channel. Moreover, two evaluation mechanisms including i) power comparison from the perspective of delay and antenna domain and ii) cross validation are implemented where the power comparison proves the consistency between the modeled fake channel and real channel, and the cross validation verifies the effectiveness and availability of the generated fake channel for supporting related DL-based channel state information (CSI) feedback.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jiawei Zhao,Lizhe Xie,Yuning Zhang,Siqi Gu,Zheng Wang,Yining Hu

DOI: https://doi.org/10.2139/ssrn.4850545

2024-01-01

Abstract:Deep Neural Networks (DNNs) have been shown to be vulnerable to adversarial examples. The existence of adversarial examples significantly hinders the development of deep learning technologies in domains with high-security requirements. However, current defense methods often lack universality, being effective only against specific adversarial attacks. This study focuses on analyzing adversarial examples through changes in model attention, classifying attack algorithms into attention-shifting and attention-attenuation categories. To counter attention-shifting attacks, a defense module named Feature Pyramid-based Attention Space-guided (FPAS) is proposed, which spatially retracts the shifting attention in adversarial examples, thereby enhancing the model's overall defense capability. Attention-based Non-Local (ANL) is a proposed defense module to counter attention-attenuation attacks. This module enhances the model's focus on critical features, efficiently constructing a robust defense model with low implementation cost and minimal intrusion into the original model. By integrating FPAS and ANL into the Wide-ResNet model within a boosting framework, the study demonstrates their synergistic defense capability. Even with eight adversarial samples embedded with adversarial patches, our FPAS_at and ANL_at models demonstrated significant improvements over the baseline, enhancing the average defense rate by 5.47% and 7.74%, respectively. Extensive experiments confirm that this universal defense strategy offers comprehensive protection against adversarial attacks at a lower implementation cost compared to current mainstream defense methods, while also being adaptable for integration with existing defense strategies to further enhance adversarial robustness.

Sujata Sinha,Alkan Soysal

2023-12-01

Abstract:We introduce a Channel Distribution Information (CDI)-aware Generative Adversarial Network (GAN), designed to address the unique challenges of adversarial attacks in wireless communication systems. The generator in this CDI-aware GAN maps random input noise to the feature space, generating perturbations intended to deceive a target modulation classifier. Its discriminators play a dual role: one enforces that the perturbations follow a Gaussian distribution, making them indistinguishable from Gaussian noise, while the other ensures these perturbations account for realistic channel effects and resemble no-channel perturbations. Our proposed CDI-aware GAN can be used as an attacker and a defender. In attack scenarios, the CDI-aware GAN demonstrates its prowess by generating robust adversarial perturbations that effectively deceive the target classifier, outperforming known methods. Furthermore, CDI-aware GAN as a defender significantly improves the target classifier's resilience against adversarial attacks.

Information Theory,Networking and Internet Architecture,Signal Processing

Yuhang Zhao,Yajie Wang,Chuan Zhang,Chunhai Li,Zehui Xiong,Liehuang Zhu,Dusit Niyato

DOI: https://doi.org/10.1109/tccn.2024.3499362

IF: 6.359

2024-01-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:In the radio frequency field, deep neural networks have been widely used for automatic modulation recognition tasks due to their superior accuracy. However, it has been shown that these models are susceptible to adversarial examples, which are the kinds of carefully crafted perturbations that can lead to model misclassification and raise security issues in applications. To solve this problem, we propose an Ultra-Fusion Adversarial Training method, which combines adversarial training and ensemble learning to enable the model robustness to withstand different attack strengths. We explore the number and distribution of ensembled attacks and introduce a Fermi-function-like distribution to optimally balance the performance of different attack strengths. Additionally, we investigate the effect of the signal-to-noise ratio (SNR) interval on the model accuracy and robustness, suggesting the effective SNR interval for training. Considering the demand for practical application scenarios of modulation recognition, we propose a comprehensive robustness metric based on weighted integral to evaluate the robustness of the trained models. Numerical experiments demonstrate that our method improves the model’s robustness by 31.89% against white-box attacks, and achieves up to an 80.54% improvement in black-box scenarios. These results show that our method has the ability to resiliently resist potential attacks of various strengths and can be applied to spectrum application scenarios with high-security requirements.

Fanghao Xu,Chao Wang,Jiakai Liang,Chenyang Zuo,Keqiang Yue,Wenjun Li

DOI: https://doi.org/10.1049/cmu2.12793

IF: 1.345

2024-06-14

IET Communications

Abstract:We propose an adversarial attack defense system for the lightweight automatic modulation classification model, which can enhance the robustness when subjected to adversarial attacks. Automatic modulation classification models based on deep learning models are at risk of being interfered by adversarial attacks. In an adversarial attack, the attacker causes the classification model to misclassify the received signal by adding carefully crafted adversarial interference to the transmitted signal. Based on the requirements of efficient computing and edge deployment, a lightweight automatic modulation classification model is proposed. Considering that the lightweight automatic modulation classification model is more susceptible to interference from adversarial attacks and that adversarial training of the lightweight auto‐modulation classification model fails to achieve the desired results, an adversarial attack defense system for the lightweight automatic modulation classification model is further proposed, which can enhance the robustness when subjected to adversarial attacks. The defense method aims to transfer the adversarial robustness from a trained large automatic modulation classification model to a lightweight model through the technique of adversarial robust distillation. The proposed method exhibits better adversarial robustness than current defense techniques in feature fusion based automatic modulation classification models in white box attack scenarios.

engineering, electrical & electronic

Yi Zhao,Wenjing Yuan,Yinghua Huang,Zhenyu Chen

DOI: https://doi.org/10.1109/dsa56465.2022.00163

2022-01-01

Abstract:With the development of information technology and 5G communication, the number of wireless devices has increased significantly, and the complexity of the communication system has also been rapidly upgraded. Due to the complexity and the high dimensionality of signals, many researchers have applied deep learning to modulation recognition tasks. However, although deep learning exhibits strong capabilities for modulation recognition, its vulnerability to adversarial examples should also be addressed. In this paper, we conduct a preliminary study on the security of DNN-based modulation recognition models. We build multiple high-accuracy DNN-based models on existing research and test their robustness by implementing multiple adversarial attacks on the well-trained models. The results show that adversarial examples pose a very serious threat to DNN-based modulation recognition models.

Jinyin Chen,Jie Ge,Shilian Zheng,Linhui Ye,Haibin Zheng,Weiguo Shen,Keqiang Yue,Xiaoniu Yang

DOI: https://doi.org/10.1109/twc.2024.3374699

IF: 10.4

2024-01-01

IEEE Transactions on Wireless Communications

Abstract:A wireless communications system usually consists of a transmitter which transmits the information and a receiver which recovers the original information from the received distorted signal. Deep learning (DL) has been used to improve the performance of the receiver in complicated channel environments and state-of-the-art (SOTA) performance has been achieved. However, its robustness has not been investigated. In order to evaluate the robustness of DL-based information recovery models under adversarial circumstances, we investigate adversarial attacks on the SOTA DL-based information recovery model, i.e., DeepReceiver. We formulate the problem as an optimization problem with power and peak-to-average power ratio (PAPR) constraints. We design different adversarial attack methods according to the adversary’s knowledge of DeepReceiver’s model and/or testing samples. Extensive experiments show that the DeepReceiver is vulnerable to the designed attack methods in all of the considered scenarios. Even in the scenario of both model and test sample restricted, the adversary can attack the DeepReceiver and increase its bit error rate (BER) above 10%. It can also be found that the DeepReceiver is vulnerable to adversarial perturbations even with very low power and limited PAPR. These results suggest that defense measures should be taken to enhance the robustness of DeepReceiver.

telecommunications,engineering, electrical & electronic

Zhida Bao,Jiawei He,Quanjun Zhang,Chunrong Fang,Keshav Sood,Yun Lin

DOI: https://doi.org/10.1109/globecom54140.2023.10437810

2023-01-01

Abstract:Recently, with the explosive growth of the mobile devices, spectrum sensing for wireless devices has become an attractive research. Automatic modulation classification (AMC) is an important task in spectrum sensing and plays an important role in blind signal recognition, and deep learning has been shown to greatly improve the performance of AMC networks. However, deep learning models for AMC are considered vulnerable against adversarial attacks, resulting in unreliable sensor systems. In this paper, we study how to deal with the threats of adversarial attacks by optimizing neural networks. We propose an adversarial defense method based on genetic algorithm (GA) to optimize adversarial training. The optimizations are performed between the layers of the neural networks to obtain the weights with maximum fitness, to improve the adversarial robustness of the models. In addition, an indicator to quantitatively evaluate the adversarial robustness of the models is also proposed. We conduct experiments in the different perturbation-to-noise ratios (PNRs) to verify the effectiveness of the defensive models. The results show that the GA-optimized approach can greatly improve the classification accuracy of the models to adversarial examples, and provides a better fitting ability than the mainstream adversarial training methods.

Tugba Erpek,Yalin E. Sagduyu,Yi Shi

DOI: https://doi.org/10.1109/tccn.2018.2884910

IF: 6.359

2019-03-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:An adversarial machine learning approach is introduced to launch jamming attacks on wireless communications and a defense strategy is presented. A cognitive transmitter uses a pre-trained classifier to predict the current channel status based on recent sensing results and decides whether to transmit or not, whereas a jammer collects channel status and ACKs to build a deep learning classifier that reliably predicts the next successful transmissions and effectively jams them. This jamming approach is shown to reduce the transmitter’s performance much more severely compared with random or sensing-based jamming. The deep learning classification scores are used by the jammer for power control subject to an average power constraint. Next, a generative adversarial network is developed for the jammer to reduce the time to collect the training dataset by augmenting it with synthetic samples. As a defense scheme, the transmitter deliberately takes a small number of wrong actions in spectrum access (in form of a causative attack against the jammer) and therefore prevents the jammer from building a reliable classifier. The transmitter systematically selects when to take wrong actions and adapts the level of defense to mislead the jammer into making prediction errors and consequently increase its throughput.

telecommunications