Sicheng Zhang,Yun Lin,Jiarun Yu,Jianting Zhang,Qi Xuan,Dongwei Xu,Juzhen Wang,Meiyu Wang

DOI: https://doi.org/10.1109/tccn.2024.3360514

IF: 6.359

2024-01-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:Deep neural networks provide intelligent solutions for Automatic Modulation Classification (AMC) tasks in the field of communication. However, their susceptibility to adversarial examples due to the interpretability problem presents a challenge as it leads to anomalous decisions. Emerging studies suggest that the high-frequency constituents within signals constitute a fundamental source of adversarial vulnerability. To address this issue, this paper introduces a Homomorphic Filtering Adversarial Defense (HFAD) algorithm that aims to effectively defend against adversarial examples by applying frequency domain filtering on the signal. This approach enhances the security and reliability of the AMC model by attenuating high-frequency components of the signal through homomorphic filtering, thereby reducing errors caused by adversarial perturbations on model outputs. The robustness of the AMC model is further enhanced through the integration of HFAD with data augmentation strategies. Experimental results demonstrate that the proposed defense algorithm not only maintains high signal recognition accuracy but also preserves communication signal transmission quality. Moreover, HFAD effectively withstands a wide range of white-box adversarial attacks and demonstrates resilience against black-box adversarial attacks, thereby enhancing the robustness of the AMC model against adversarial examples and exhibiting strong transfer performance.

Jingchun Wang,Peihao Dong,Fuhui Zhou,Qihui Wu

2024-10-15

Abstract:Deep learning (DL) has significantly improved automatic modulation classification (AMC) by leveraging neural networks as the feature <a class="link-external link-http" href="http://extractor.However" rel="external noopener nofollow">this http URL</a>, as the DL-based AMC becomes increasingly widespread, it is faced with the severe secure issue from various adversarial attacks. Existing defense methods often suffer from the high computational cost, intractable parameter tuning, and insufficient <a class="link-external link-http" href="http://robustness.This" rel="external noopener nofollow">this http URL</a> paper proposes an eXplainable artificial intelligence (XAI) defense approach, which uncovers the negative information caused by the adversarial attack through measuring the importance of input features based on the SHapley Additive exPlanations (SHAP).By properly removing the negative information in adversarial samples and then fine-tuning(FT) the model, the impact of the attacks on the classification result can be <a class="link-external link-http" href="http://mitigated.Experimental" rel="external noopener nofollow">this http URL</a> results demonstrate that the proposed SHAP-FT improves the classification performance of the model by 15%-20% under different attack levels,which not only enhances model robustness against various attack levels but also reduces the resource consumption, validating its effectiveness in safeguarding communication networks.

Signal Processing

Zhuangzhi Chen,Zhangwei Wang,Dongwei Xu,Jiawei Zhu,Weiguo Shen,Shilian Zheng,Qi Xuan,Xiaoniu Yang

DOI: https://doi.org/10.1109/tifs.2024.3361172

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Automatic modulation recognition (AMR) of radio signal is an important research topic in the area of non-cooperative communication and cognitive radio. Recently deep learning (DL) techniques enable significant progress in AMR. However, the techniques of adversarial machine learning cause the threats of adversarial attacks in DL-based AMR. In this paper, we aim to make AMR model robust, accurate and lightweight, thus propose a multi-distillation mechanism for robust training of DL-based AMR models, namely Adversarial Multi-Distillation (AMD). In the framework of AMD, by knowledge distillation, two powerful teacher models transfer the learned classification knowledge and defense knowledge, respectively, to the student model to form robust training. Our experiments with public dataset RML2016.10a show that the proposed method can significantly improve the defense of AMR models to against adversarial perturbations and keep relatively high classification accuracy, which enables robust decision making with lightweight models under adversarial attacks.

Peihan Qi,Tao Jiang,Lizhan Wang,Xu Yuan,Zan Li

DOI: https://doi.org/10.1109/tr.2022.3161138

IF: 5.883

2022-01-01

IEEE Transactions on Reliability

Abstract:Advances in adversarial attack and defense technologies will enhance the reliability of deep learning (DL) systems spirally. Most existing adversarial attack methods make overly ideal assumptions, which creates the illusion that the DL system can be attacked simply and has restricted the further improvement on DL systems. To perform practical adversarial attacks, a detection tolerant black-box adversarial-attack (DTBA) method against DL-based automatic modulation classification (AMC) is presented in this article. In the DTBA method, the local DL model as a substitution of the remote target DL model is trained first. The training dataset is generated by an attacker, labeled by the target model, and augmented by Jacobian transformation. Then, the conventional gradient attack method is utilized to generate adversarial attack examples toward the local DL model. Moreover, before launching attack to the target model, the local model estimates the misclassification probability of the perturbed examples in advance and deletes those invalid adversarial examples. Compared with related attack methods of different criteria on public datasets, the DTBA method can reduce the attack cost while increasing the rate of successful attack. Adversarial attack transferability of the proposed method on the target model has increased by more than 20%. The DTBA method will be suitable for launching flexible and effective black-box adversarial attacks against DL-based AMC systems.

engineering, electrical & electronic,computer science, software engineering, hardware & architecture

Da Ke,Xiang Wang,Kaizhu Huang,Haoyuan Wang,Zhitao Huang

DOI: https://doi.org/10.1007/s12559-022-10062-y

IF: 4.89

2022-10-20

Cognitive Computation

Abstract:Integrating cognitive radio (CR) technique with wireless networks is an effective way to solve the increasingly crowded spectrum. Automatic modulation classification (AMC) plays an important role in CR. AMC significantly improves the intelligence of CR system by classifying the modulation type and signal parameters of received communication signals. AMC can provide more information for decision making of the CR system. In addition, AMC can help the CR system dynamically adjust the modulation type and coding rate of the communication signal to adapt to different channel qualities, and the AMC technique help eliminate the cost of broadcast modulation type and coding rate. Deep learning (DL) has recently emerged as one most popular method in AMC of communication signals. Despite their success, DL models have recently been shown vulnerable to adversarial attacks in pattern recognition and computer vision. Namely, they can be easily deceived if a small and carefully designed perturbation called an adversarial attack is imposed on the input, typically an image in pattern recognition. Owing to the very different nature of communication signals, it is interesting yet crucially important to study if adversarial perturbation could also fool AMC. In this paper, we make a first attempt to investigate how we can design a special adversarial attack on AMC. we start from the assumption of a linear binary classifier which is further extended to multi-way classifier. We consider the minimum power consumption that is different from existing adversarial perturbation but more reasonable in the context of AMC. We then develop a novel adversarial perturbation generation method that leads to high attack success to communication signals. Experimental results on real data show that the method is able to successfully spoof the 11-class modulation classification at a model with a minimum cost of about − 21 dB in automatic modulation classification task. The visualization results demonstrate that the adversarial perturbation manifests in the time domain as imperceptible undulations of the signal, and in the frequency domain as small noise outside the signal band.

computer science, artificial intelligence,neurosciences

Lu Zhang,Sangarapillai Lambotharan,Gan Zheng,Guisheng Liao,Ambra Demontis,Fabio Roli

2024-07-09

Abstract:Motivated by the superior performance of deep learning in many applications including computer vision and natural language processing, several recent studies have focused on applying deep neural network for devising future generations of wireless networks. However, several recent works have pointed out that imperceptible and carefully designed adversarial examples (attacks) can significantly deteriorate the classification accuracy. In this paper, we investigate a defense mechanism based on both training-time and run-time defense techniques for protecting machine learning-based radio signal (modulation) classification against adversarial attacks. The training-time defense consists of adversarial training and label smoothing, while the run-time defense employs a support vector machine-based neural rejection (NR). Considering a white-box scenario and real datasets, we demonstrate that our proposed techniques outperform existing state-of-the-art technologies.

Artificial Intelligence

Dongwei Xu,Jiangpeng Li,Zhuangzhi Chen,Qi Xuan,Weiguo Shen,Xiaoniu Yang

DOI: https://doi.org/10.1109/tcsii.2023.3312532

2024-01-01

Abstract:Automatic Modulation Classification (AMC), which based on deep learning has been extensively researched and implemented in wireless communication systems. Universal adversarial perturbation refers to a single perturbation that can cause most samples to be misclassified by deep learning models. In this paper, we aim to achieve imperceptible universal adversarial attacks on AMC models, and thus an imperceptible universal adversarial perturbations (imperceptible UAPs) framework was proposed. Specifically, loss functions were separately designed for target signals and non-target signals, and then a total loss was calculated. This total loss function can be modified by hyperparameters to achieve class-specific universal adversarial attacks (CUAAs), class-discriminative universal adversarial attacks (CD-UAAs), and class-discriminative target universal adversarial attacks (CD-TUAAs). Meanwhile, wavelet reconstruction was applied to the training data, thus further improving the discriminability of the generated UAPs. After CUAAs were implemented, the class dominant in radio signals was visualized and analyzed by confusion matrices. Furthermore, with the confusion matrices of CUAAs, CD-TUAAs were efficiently implemented. The experiments were conducted on two radio signal datasets and models. In most scenarios, CD-UAAs achieved excellent performance with an average ΔAcc of 58. 20% and CD-TUAAs achieved an average ΔK of 73.78%.

Mengtao Wang,Youchen Fan,Shengliang Fang,Tianshu Cui,Donghang Cheng

DOI: https://doi.org/10.3390/s22176500

2022-08-29

Abstract:Automatic modulation discrimination (AMC) is one of the critical technologies in spatial cognitive communication systems. Building a high-performance AMC model in intelligent receivers can help to realize adaptive signal synchronization and demodulation. However, tackling the intra-class diversity problem is challenging to AMC based on deep learning (DL), as 16QAM and 64QAM are not easily distinguished by DL networks. In order to overcome the problem, this paper proposes a joint AMC model that combines DL and expert features. In this model, the former builds a neural network that can extract the time series and phase features of in-phase and quadrature component (IQ) samples, which improves the feature extraction capability of the network in similar models; the latter achieves accurate classification of QAM signals by constructing effective feature parameters. Experimental results demonstrate that our proposed joint AMC model performs better than the benchmark networks. The classification accuracy is increased by 11.5% at a 10 dB signal-to-noise ratio (SNR). At the same time, it also improves the discrimination of QAM signals.

Wenwei Zhao,Xiaowen Li,Shangqing Zhao,Jie Xu,Yao Liu,Zhuo Lu

2024-02-14

Abstract:Machine learning has been adopted for efficient cooperative spectrum sensing. However, it incurs an additional security risk due to attacks leveraging adversarial machine learning to create malicious spectrum sensing values to deceive the fusion center, called adversarial spectrum attacks. In this paper, we propose an efficient framework for detecting adversarial spectrum attacks. Our design leverages the concept of the distance to the decision boundary (DDB) observed at the fusion center and compares the training and testing DDB distributions to identify adversarial spectrum attacks. We create a computationally efficient way to compute the DDB for machine learning based spectrum sensing systems. Experimental results based on realistic spectrum data show that our method, under typical settings, achieves a high detection rate of up to 99\% and maintains a low false alarm rate of less than 1\%. In addition, our method to compute the DDB based on spectrum data achieves 54\%--64\% improvements in computational efficiency over existing distance calculation methods. The proposed DDB-based detection framework offers a practical and efficient solution for identifying malicious sensing values created by adversarial spectrum attacks.

Cryptography and Security,Networking and Internet Architecture

Yuhang Zhao,Yajie Wang,Chuan Zhang,Chunhai Li,Zehui Xiong,Liehuang Zhu,Dusit Niyato

DOI: https://doi.org/10.1109/tccn.2024.3499362

IF: 6.359

2024-01-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:In the radio frequency field, deep neural networks have been widely used for automatic modulation recognition tasks due to their superior accuracy. However, it has been shown that these models are susceptible to adversarial examples, which are the kinds of carefully crafted perturbations that can lead to model misclassification and raise security issues in applications. To solve this problem, we propose an Ultra-Fusion Adversarial Training method, which combines adversarial training and ensemble learning to enable the model robustness to withstand different attack strengths. We explore the number and distribution of ensembled attacks and introduce a Fermi-function-like distribution to optimally balance the performance of different attack strengths. Additionally, we investigate the effect of the signal-to-noise ratio (SNR) interval on the model accuracy and robustness, suggesting the effective SNR interval for training. Considering the demand for practical application scenarios of modulation recognition, we propose a comprehensive robustness metric based on weighted integral to evaluate the robustness of the trained models. Numerical experiments demonstrate that our method improves the model’s robustness by 31.89% against white-box attacks, and achieves up to an 80.54% improvement in black-box scenarios. These results show that our method has the ability to resiliently resist potential attacks of various strengths and can be applied to spectrum application scenarios with high-security requirements.

Chao Wang,Xianglin Wei,Jianhua Fan,Yongyang Hu,Long Yu

DOI: https://doi.org/10.1109/jiot.2023.3254648

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:In spite of unique advantages like higher recognition accuracy and better generalization capability, Automatic Modulation Classification (AMC) oriented Deep Neural Networks (ADNNs) are still vulnerable to adversarial examples (AEs). Recent results revealed that an attacker can easily fool ADNNs through adding a small and imperceptible perturbation to the original signal. Among different AE generation methods, Universal Adversarial Perturbation (UAP) has unique characteristics including input-agnostic and shift-invariance. However, applying UAP directly to RF signals faces three main challenges, i.e., perturbation neutralization, high perceptibility, and dependency of original signals. In this backdrop, a novel Universal Adversarial Perturbation under Frequency and Data constraints (UAP-FD) attack is put forward for solving these problems in this paper. First, an individual perturbation is filtered based on the representation visualization algorithm to counter the neutralization problem in perturbation integration. Second, the high-frequency components in the integrated UAP is eliminated through signal decomposition and reconstruction for promoting the imperceptibility. Third, a proxy signal generation method is proposed to help UAP-FD adapt to data-free black-box settings. A series of experiments is conducted to evaluate the aggressiveness and imperceptibility of UAP-FD attack in different settings on a public dataset. Results show that, compared with existing proposal, UAP-FD has a 40% higher fooling rate, and it can reduce the accuracy of the ADNN model from 83% to 9%, while maintaining a good imperceptibility and shift-invariance property. In addition, UAP-FD is applied to real world captured signals over the transmission channel; and it can reduce the model accuracy from 98.3% to 12.5%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiangrong Zhang,Yifan Chen,Guanchun Wang,Yifang Zhang,Licheng Jiao

DOI: https://doi.org/10.1109/jstsp.2024.3453559

IF: 7.695

2024-01-01

IEEE Journal of Selected Topics in Signal Processing

Abstract:The development of deep learning technology has injected new vitality into the task of automatic modulation recognition (AMR). Despite achieving promising progress, existing models tend to lose recognition capability in low-quality communication environments due to the neglect of latent distributions within the data, i.e., classifying samples in a single feature space, resulting in unsatisfactory performance. Motivated by this observation, this paper aims to rethink the modulation signals classification from a new perspective on the latent data distribution. To address this, we propose a novel efficient divide-and-conquer domain adapter (EDDA) for AMR tasks, significantly enhancing the existing model's performance in challenging scenarios, irrespective of its architecture. Specifically, we first follow a divide-and-conquer approach to divide the raw data into multiple sub-domain spaces by signal-to-noise ratio (SNR), and then encourage the domain adapter to estimate the latent distributions and learn domain internally-invariant feature projections. Subsequently, we introduce a dynamic strategy for updating domain labels to overcome the limitations of the initial domain label partition by SNR. Finally, we provide theoretical support for EDDA and validate its effectiveness on two widely used benchmark datasets, RadioML2016.10a and RadioML2016.10b. Experimental results show that EDDA achieves average accuracy improvements of 11.63% and 2.32% on the respective datasets. Theoretical and experimental results demonstrate the superiority and versatility of EDDA.

Yi Zhao,Wenjing Yuan,Yinghua Huang,Zhenyu Chen

DOI: https://doi.org/10.1109/dsa56465.2022.00163

2022-01-01

Abstract:With the development of information technology and 5G communication, the number of wireless devices has increased significantly, and the complexity of the communication system has also been rapidly upgraded. Due to the complexity and the high dimensionality of signals, many researchers have applied deep learning to modulation recognition tasks. However, although deep learning exhibits strong capabilities for modulation recognition, its vulnerability to adversarial examples should also be addressed. In this paper, we conduct a preliminary study on the security of DNN-based modulation recognition models. We build multiple high-accuracy DNN-based models on existing research and test their robustness by implementing multiple adversarial attacks on the well-trained models. The results show that adversarial examples pose a very serious threat to DNN-based modulation recognition models.

Ruiyun Zhang,Shuo Chang,Zhiqing Wei,Yifan Zhang,Sai Huang,Zhiyong Feng

DOI: https://doi.org/10.1109/jiot.2022.3163892

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:The Internet of Things (IoT) permeates every aspect of our daily lives as billions of interconnected devices are deployed in the physical world. However, IoT networks operate in an untrusted environment and often suffer from many malicious active attacks. Automatic modulation classification (AMC), which can identify the modulation format of intercepted signals without prior knowledge, is a vital technology in countering physical-layer threats of IoT. However, most of the existing algorithms assume the channel is time invariant, and the AMC in time-varying channels is not been well studied. To deal with this dilemma, a novel AMC algorithm MCBLDN consisting of multiple convolutional neural networks (CNNs), a bidirectional long short-term memory network (BLSTM), and a deep neural network (DNN) is proposed. In MCBLDN, a multislot constellation diagram (CD) method is proposed to extract time-evolution characteristics for generating more discriminative features. Specifically, different grayscale subimages generated by slotted CDs are processed serially by their respective CNNs. Therefore, MCBLDN is overparameterized and time consuming. In addition, the frequency offset and phase offset caused by time-varying channels are neglected in MCBLDN, which is detrimental to the performance of AMC. To address the mentioned disadvantages, a lightweight MCBLDN with a spatial transformer network (SLCBDN) is proposed. First, the multiple CNNs in MCBLDN are pruned into a lightweight classification model, and the input data are rearranged to facilitate parallel processing by the lightweight CNN. Additionally, the spatial transformer network (STN) is utilized to reduce the influence of frequency offset and phase offset. Numerical results verify that the proposed method achieves superior performance and higher speed compared to the baseline algorithm MCBLDN.

computer science, information systems,telecommunications,engineering, electrical & electronic

Sicheng Zhang,Jiangzhi Fu,Jiarun Yu,Huaitao Xu,Haoran Zha,Shiwen Mao,Yun Lin

DOI: https://doi.org/10.1109/tccn.2024.3382126

IF: 6.359

2024-01-01

IEEE Transactions on Cognitive Communications and Networking

Abstract:With the improvement of basic designs and the evolution of key algorithms, artificial intelligence (AI) has been considered by both industry and academia as the most promising solution for many electromagnetic space problems, such as automatic modulation classification (AMC). However, the fact that AI-based AMC models are vulnerable to adversarial examples mystifies the optimism. Adversarial attacks help researchers to reexamine AI-based AMC models and promote safe applications. In this paper, we study the frequency leakage and glitch problems caused by high frequency components in the adversarial perturbations of existing attack algorithms. We propose a Spectrum-focused Frequency Adversarial Attack (SFAA) algorithm to suppress the high frequency components to alleviate such problems. Next, we leverage meta-learning to improve the transferability of the proposed algorithm for black-box attacks. We also train a Channel-robust Class-universal Spectrum-focused Frequency Adversarial Attack (CrCu-SFAA) generative model using the generative adversarial network framework. Finally, extensive experiments using qualitative and quantitative indicators demonstrate that the proposed algorithm achieves an improved attack performance, and our proposed approach of reducing out-of-band high frequency components of the adversarial perturbations improves the concealment and adversarial signal quality.

telecommunications

Wenhan Zhang,Meiyu Zhong,Ravi Tandon,Marwan Krunz

2024-10-09

Abstract:Deep Neural Network (DNN) based classifiers have recently been used for the modulation classification of RF signals. These classifiers have shown impressive performance gains relative to conventional methods, however, they are vulnerable to imperceptible (low-power) adversarial attacks. Some of the prominent defense approaches include adversarial training (AT) and randomized smoothing (RS). While AT increases robustness in general, it fails to provide resilience against previously unseen adaptive attacks. Other approaches, such as Randomized Smoothing (RS), which injects noise into the input, address this shortcoming by providing provable certified guarantees against arbitrary attacks, however, they tend to sacrifice accuracy. In this paper, we study the problem of designing robust DNN-based modulation classifiers that can provide provable defense against arbitrary attacks without significantly sacrificing accuracy. To this end, we first analyze the spectral content of commonly studied attacks on modulation classifiers for the benchmark RadioML dataset. We observe that spectral signatures of un-perturbed RF signals are highly localized, whereas attack signals tend to be spread out in frequency. To exploit this spectral heterogeneity, we propose Filtered Randomized Smoothing (FRS), a novel defense which combines spectral filtering together with randomized smoothing. FRS can be viewed as a strengthening of RS by leveraging the specificity (spectral Heterogeneity) inherent to the modulation classification problem. In addition to providing an approach to compute the certified accuracy of FRS, we also provide a comprehensive set of simulations on the RadioML dataset to show the effectiveness of FRS and show that it significantly outperforms existing defenses including AT and RS in terms of accuracy on both attacked and benign signals.

Machine Learning,Cryptography and Security,Information Theory,Networking and Internet Architecture,Signal Processing

Yan, Bin

DOI: https://doi.org/10.1007/s11036-024-02333-9

2024-05-14

Mobile Networks and Applications

Abstract:In the rapidly evolving landscape of wireless communication systems, the vulnerability of automatic modulation classification (AMC) models to adversarial attacks presents a significant security challenge. This study introduces a pruning and training methodology tailored to address the nuances of signal processing within these systems. Leveraging a pruning method based on channel activation contributions, our approach optimizes adversarial training potential, enhancing the model's capacity to improve robustness against attacks. Additionally, the approach constructs a resilient training method based on a composite strategy, integrating balanced adversarial training, soft target regularization, and gradient masking. This combination effectively broadens the model's uncertainty space and obfuscates gradients, thereby enhancing the model's defenses against a wide spectrum of adversarial tactics. The training regimen is carefully adjusted to retain sensitivity to adversarial inputs while maintaining accuracy on original data. Comprehensive evaluations conducted on the RML2016.10A dataset demonstrate the effectiveness of our method in defending against both gradient-based and optimization-based attacks within the realm of wireless communication. This research offers insightful and practical approaches to improving the security and performance of AMC models against the complex and evolving threats present in modern wireless communication environments.

computer science, information systems,telecommunications, hardware & architecture

Jiawei Zhang,Tiantian Wang,Zhixi Feng,Shuyuan Yang

2023-04-02

Abstract:Automatic modulation classification (AMC) is a crucial stage in the spectrum management, signal monitoring, and control of wireless communication systems. The accurate classification of the modulation format plays a vital role in the subsequent decoding of the transmitted data. End-to-end deep learning methods have been recently applied to AMC, outperforming traditional feature engineering techniques. However, AMC still has limitations in low signal-to-noise ratio (SNR) environments. To address the drawback, we propose a novel AMC-Net that improves recognition by denoising the input signal in the frequency domain while performing multi-scale and effective feature extraction. Experiments on two representative datasets demonstrate that our model performs better in efficiency and effectiveness than the most current methods.

Signal Processing,Machine Learning,Networking and Internet Architecture

Abu Shafin Mohammad Mahdee Jameel,Ahmed P. Mohamed,Jinho Yi,Aly El Gamal,Akshay Malhotra

2024-01-07

Abstract:Deep learning based automatic modulation classification (AMC) has received significant attention owing to its potential applications in both military and civilian use cases. Recently, data-driven subsampling techniques have been utilized to overcome the challenges associated with computational complexity and training time for AMC. Beyond these direct advantages of data-driven subsampling, these methods also have regularizing properties that may improve the adversarial robustness of the modulation classifier. In this paper, we investigate the effects of an adversarial attack on an AMC system that employs deep learning models both for AMC and for subsampling. Our analysis shows that subsampling itself is an effective deterrent to adversarial attacks. We also uncover the most efficient subsampling strategy when an adversarial attack on both the classifier and the subsampler is anticipated.

Machine Learning,Cryptography and Security,Signal Processing

Fanghao Xu,Chao Wang,Jiakai Liang,Chenyang Zuo,Keqiang Yue,Wenjun Li

DOI: https://doi.org/10.1049/cmu2.12793

IF: 1.345

2024-06-14

IET Communications

Abstract:We propose an adversarial attack defense system for the lightweight automatic modulation classification model, which can enhance the robustness when subjected to adversarial attacks. Automatic modulation classification models based on deep learning models are at risk of being interfered by adversarial attacks. In an adversarial attack, the attacker causes the classification model to misclassify the received signal by adding carefully crafted adversarial interference to the transmitted signal. Based on the requirements of efficient computing and edge deployment, a lightweight automatic modulation classification model is proposed. Considering that the lightweight automatic modulation classification model is more susceptible to interference from adversarial attacks and that adversarial training of the lightweight auto‐modulation classification model fails to achieve the desired results, an adversarial attack defense system for the lightweight automatic modulation classification model is further proposed, which can enhance the robustness when subjected to adversarial attacks. The defense method aims to transfer the adversarial robustness from a trained large automatic modulation classification model to a lightweight model through the technique of adversarial robust distillation. The proposed method exhibits better adversarial robustness than current defense techniques in feature fusion based automatic modulation classification models in white box attack scenarios.

engineering, electrical & electronic