Meysam Sadeghi,Erik G. Larsson

DOI: https://doi.org/10.1109/lwc.2018.2867459

IF: 6.3

2019-02-01

IEEE Wireless Communications Letters

Abstract:Deep learning (DL), despite its enormous success in many computer vision and language processing applications, is exceedingly vulnerable to adversarial attacks. We consider the use of DL for radio signal (modulation) classification tasks, and present practical methods for the crafting of white-box and universal black-box adversarial attacks in that application. We show that these attacks can considerably reduce the classification performance, with extremely small perturbations of the input. In particular, these attacks are significantly more powerful than classical jamming attacks, which raises significant security and robustness concerns in the use of DL-based algorithms for the wireless physical layer.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yunsong Huang,Weicheng Liu,Hui-Ming Wang

DOI: https://doi.org/10.1109/TVT.2023.3267455

2023-06-19

Abstract:Recently, DL has been exploited in wireless communications such as modulation classification. However, due to the openness of wireless channel and unexplainability of DL, it is also vulnerable to adversarial attacks. In this correspondence, we investigate a so called hidden backdoor attack to modulation classification, where the adversary puts elaborately designed poisoned samples on the basis of IQ sequences into training dataset. These poisoned samples are hidden because it could not be found by traditional classification methods. And poisoned samples are same to samples with triggers which are patched samples in feature space. We show that the hidden backdoor attack can reduce the accuracy of modulation classification significantly with patched samples. At last, we propose activation cluster to detect abnormal samples in training dataset.

Signal Processing

Ruiqi Li,Hongshu Liao,Jiancheng An,Chau Yuen,Lu Gan

DOI: https://doi.org/10.1109/LCOMM.2023.3261423

IF: 3.5529

2023-01-01

IEEE Communications Letters

Abstract:Most existing adversarial attack methods generally rely on ideal assumptions, which is unreasonable for practical applications. In this letter, a practical threat model which utilizes adversarial attacks for anti-eavesdropping is proposed and a physical intra-class universal adversarial perturbation (IC-UAP) crafting method against DL-based wireless signal classifiers is then presented. First, an IC-UAP algorithm is proposed based on the threat model to craft a stronger UAP attack against the samples in a given class from a batch of samples in the class. Then, we develop a physical attack algorithm based on the IC-UAP method, in which perturbations are optimized under random shifting to enhance the robustness of IC-UAPs against the unsynchronization between adversarial attacks and attacked signals. Finally, the numerical results corroborate the effectiveness of the proposed approach based on the benchmark dataset.

Zenghui Jiang,Weijun Zeng,Xingyu Zhou,Peilun Feng,Pu Chen,Shenqian Yin,Changzhi Han,Lin Li

DOI: https://doi.org/10.3390/electronics12183752

IF: 2.9

2023-09-06

Electronics

Abstract:Automatic modulation recognition (AMR) serves as a crucial component in domains such as cognitive radio and electromagnetic countermeasures, acting as a significant prerequisite for the efficient signal processing of receivers. Deep neural networks (DNNs), despite their effectiveness, are known to be vulnerable to adversarial attacks. This vulnerability has inspired the introduction of subtle interference to wireless communication signals—interference so minuscule that it is difficult for the human eye to discern. Such interference can mislead eavesdroppers into erroneous modulation pattern recognition when using DNNs, thereby camouflaging communication signal modulation patterns. Nonetheless, the majority of current camouflage methods used for electromagnetic signal modulation recognition rely on a global perturbation of the signal. They fail to consider the local agility of signal disturbance and the concealment requirements for bait signals that are intercepted by the interceptor. This paper presents a generator framework designed to produce perturbations with sparse properties. Furthermore, we introduce a method to reduce spectral loss, which minimizes the spectral difference between adversarial perturbation and the original signal. This method makes perturbation more challenging to monitor, thereby deceiving enemy electromagnetic signal modulation recognition systems. The experimental results validated that the proposed method significantly outperformed existing methods in terms of generation time. Moreover, it can generate adversarial signals characterized by high deceivability and transferability even under extremely sparse conditions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Brian Kim,Yalin E. Sagduyu,Kemal Davaslioglu,Tugba Erpek,Sennur Ulukus

DOI: https://doi.org/10.48550/arXiv.2002.02400

2020-02-14

Abstract:We consider a wireless communication system that consists of a transmitter, a receiver, and an adversary. The transmitter transmits signals with different modulation types, while the receiver classifies its received signals to modulation types using a deep learning-based classifier. In the meantime, the adversary makes over-the-air transmissions that are received as superimposed with the transmitter's signals to fool the classifier at the receiver into making errors. While this evasion attack has received growing interest recently, the channel effects from the adversary to the receiver have been ignored so far such that the previous attack mechanisms cannot be applied under realistic channel effects. In this paper, we present how to launch a realistic evasion attack by considering channels from the adversary to the receiver. Our results show that modulation classification is vulnerable to an adversarial attack over a wireless channel that is modeled as Rayleigh fading with path loss and shadowing. We present various adversarial attacks with respect to availability of information about channel, transmitter input, and classifier architecture. First, we present two types of adversarial attacks, namely a targeted attack (with minimum power) and non-targeted attack that aims to change the classification to a target label or to any other label other than the true label, respectively. Both are white-box attacks that are transmitter input-specific and use channel information. Then we introduce an algorithm to generate adversarial attacks using limited channel information where the adversary only knows the channel distribution. Finally, we present a black-box universal adversarial perturbation (UAP) attack where the adversary has limited knowledge about both channel and transmitter input.

Signal Processing,Machine Learning,Networking and Internet Architecture

Lu Zhang,Sangarapillai Lambotharan,Gan Zheng,Basil AsSadhan,Fabio Roli

2024-07-09

Abstract:Deep learning algorithms have been shown to be powerful in many communication network design problems, including that in automatic modulation classification. However, they are vulnerable to carefully crafted attacks called adversarial examples. Hence, the reliance of wireless networks on deep learning algorithms poses a serious threat to the security and operation of wireless networks. In this letter, we propose for the first time a countermeasure against adversarial examples in modulation classification. Our countermeasure is based on a neural rejection technique, augmented by label smoothing and Gaussian noise injection, that allows to detect and reject adversarial examples with high accuracy. Our results demonstrate that the proposed countermeasure can protect deep-learning based modulation classification systems against adversarial examples.

Artificial Intelligence

Shuting Tang,Mingliang Tao,Xiang Zhang,Yifei Fan,Jia Su,Ling Wang

DOI: https://doi.org/10.23919/URSIGASS51995.2021.9560288

2021-01-01

Abstract:Deep learning has achieved superior performance on radio signal modulation classification. However, its security and reliability are vulnerable due to its data-oriented learning strategy. In this paper, the vulnerability of deep neural network for radio classification is investigated. Based on the radar and communication waveforms, slight optimal perturbations are generated and added onto the orig...

Jinyin Chen,Jie Ge,Shilian Zheng,Linhui Ye,Haibin Zheng,Weiguo Shen,Keqiang Yue,Xiaoniu Yang

DOI: https://doi.org/10.1109/twc.2024.3374699

IF: 10.4

2024-01-01

IEEE Transactions on Wireless Communications

Abstract:A wireless communications system usually consists of a transmitter which transmits the information and a receiver which recovers the original information from the received distorted signal. Deep learning (DL) has been used to improve the performance of the receiver in complicated channel environments and state-of-the-art (SOTA) performance has been achieved. However, its robustness has not been investigated. In order to evaluate the robustness of DL-based information recovery models under adversarial circumstances, we investigate adversarial attacks on the SOTA DL-based information recovery model, i.e., DeepReceiver. We formulate the problem as an optimization problem with power and peak-to-average power ratio (PAPR) constraints. We design different adversarial attack methods according to the adversary’s knowledge of DeepReceiver’s model and/or testing samples. Extensive experiments show that the DeepReceiver is vulnerable to the designed attack methods in all of the considered scenarios. Even in the scenario of both model and test sample restricted, the adversary can attack the DeepReceiver and increase its bit error rate (BER) above 10%. It can also be found that the DeepReceiver is vulnerable to adversarial perturbations even with very low power and limited PAPR. These results suggest that defense measures should be taken to enhance the robustness of DeepReceiver.

telecommunications,engineering, electrical & electronic

Da Ke,Xiang Wang,Kaizhu Huang,Haoyuan Wang,Zhitao Huang

DOI: https://doi.org/10.1007/s12559-022-10062-y

IF: 4.89

2022-10-20

Cognitive Computation

Abstract:Integrating cognitive radio (CR) technique with wireless networks is an effective way to solve the increasingly crowded spectrum. Automatic modulation classification (AMC) plays an important role in CR. AMC significantly improves the intelligence of CR system by classifying the modulation type and signal parameters of received communication signals. AMC can provide more information for decision making of the CR system. In addition, AMC can help the CR system dynamically adjust the modulation type and coding rate of the communication signal to adapt to different channel qualities, and the AMC technique help eliminate the cost of broadcast modulation type and coding rate. Deep learning (DL) has recently emerged as one most popular method in AMC of communication signals. Despite their success, DL models have recently been shown vulnerable to adversarial attacks in pattern recognition and computer vision. Namely, they can be easily deceived if a small and carefully designed perturbation called an adversarial attack is imposed on the input, typically an image in pattern recognition. Owing to the very different nature of communication signals, it is interesting yet crucially important to study if adversarial perturbation could also fool AMC. In this paper, we make a first attempt to investigate how we can design a special adversarial attack on AMC. we start from the assumption of a linear binary classifier which is further extended to multi-way classifier. We consider the minimum power consumption that is different from existing adversarial perturbation but more reasonable in the context of AMC. We then develop a novel adversarial perturbation generation method that leads to high attack success to communication signals. Experimental results on real data show that the method is able to successfully spoof the 11-class modulation classification at a model with a minimum cost of about − 21 dB in automatic modulation classification task. The visualization results demonstrate that the adversarial perturbation manifests in the time domain as imperceptible undulations of the signal, and in the frequency domain as small noise outside the signal band.

computer science, artificial intelligence,neurosciences

Alireza Bahramali,Milad Nasr,Amir Houmansadr,Dennis Goeckel,Don Towsley

DOI: https://doi.org/10.1145/3460120.3484777

2021-11-12

Abstract:There is significant enthusiasm for the employment of Deep Neural Networks (DNNs) for important tasks in major wireless communication systems: channel estimation and decoding in orthogonal frequency division multiplexing (OFDM) systems, end-to-end autoencoder system design, radio signal classification, and signal authentication. Unfortunately, DNNs can be susceptible to adversarial examples, potentially making such wireless systems fragile and vulnerable to attack. In this work, by designing robust adversarial examples that meet key criteria, we perform a comprehensive study of the threats facing DNN-based wireless systems. We model the problem of adversarial wireless perturbations as an optimization problem that incorporates domain constraints specific to different wireless systems. This allows us to generate wireless adversarial perturbations that can be applied to wireless signals on-the-fly (i.e., with no need to know the target signals a priori), are undetectable from natural wireless noise, and are robust against removal. We show that even in the presence of significant defense mechanisms deployed by the communicating parties, our attack performs significantly better compared to existing attacks against DNN-based wireless systems. In particular, the results demonstrate that even when employing well-considered defenses, DNN-based wireless communication systems are vulnerable to adversarial attacks and call into question the employment of DNNs for a number of tasks in robust wireless communication.

Dongwei Xu,Hao Yang,Chuntao Gu,Zhuangzhi Chen,Qi Xuan,Xiaoniu Yang

DOI: https://doi.org/10.1109/tcsii.2021.3095663

2021-01-01

IEEE Transactions on Circuits & Systems II Express Briefs

Abstract:In the field of deep learning, deep neural networks (DNNs) have shown good performance on classification applications. However, a DNN model is vulnerable to adversarial examples, which is formed by adding tiny perturbations on a normal example and can mislead the DNN model to make a wrong estimate during the prediction. In this brief, for adversarial attacks in radio signals field, we propose a novel adversarial example detection strategy based on multifeature fusion and provide a framework which includes generating adversarial examples, extracting the local intrinsic dimensionality (LID) features and the constellation diagram (CD) features, detecting adversarial examples. We obtain the output values of normal examples and adversarial examples in each layer of the model respectively, and then, calculate the LID features values of examples by the maximum likelihood estimate based on a certain neighborhood range. Meanwhile, we calculate the CD features values by the range feature and density feature of the constellation diagram distribution. Finally, a logistic regression classifier is trained based on multifeature fusion values to detect adversarial examples. The experimental results across two benchmark datasets demonstrate that the proposed multifeature fusion method could accurately detect adversarial examples of radio signals. The detection accuracy is up to 98.7% when the perturbation reached 10%.

Shuting Tang,Mingliang Tao,Jia Su,Yifei Fan,Ling Wang,Tao Li

DOI: https://doi.org/10.1109/radar53847.2021.10028136

2021-01-01

Abstract:In recent years, electromagnetic spectrum becomes more and more congested and the task of spectrum sensing meets various challenges. On the other hand, there is also a counter-demand that the transmitted signal should not be detected, intercepted, or identified by the intelligent spectrum sensing equipment. In this paper, a smart deception method for radio signal using adversarial learning under the black-box assumption is investigated. By generating smart deception, the accuracy of the intelligent electromagnetic spectrum equipment to identify the radio signal decreasing more than 50.63%. The radio signal camouflage is achieved by smart deception, which will lower the interception and identification possibility of the transmitted signal.

Liting Sun,Da Ke,Xiang Wang,Zhitao Huang,Kaizhu Huang

DOI: https://doi.org/10.3390/rs14194996

IF: 5

2022-01-01

Remote Sensing

Abstract:Deep learning (DL)-based specific emitter identification (SEI) technique can automatically extract radio frequency (RF) fingerprint features in RF signals to distinguish between legal and illegal devices and enhance the security of wireless network. However, deep neural network (DNN) can easily be fooled by adversarial examples or perturbations of the input data. If a malicious device emits signals containing a specially designed adversarial samples, will the DL-based SEI still work stably to correctly identify the malicious device? To the best of our knowledge, this research is still blank, let alone the corresponding defense methods. Therefore, this paper designs two scenarios of attack and defense and proposes the corresponding implementation methods to specializes in the robustness of DL-based SEI under adversarial attacks. On this basis, detailed experiments are carried out based on the real-world data and simulation data. The attack scenario is that the malicious device adds an adversarial perturbation signal specially designed to the original signal, misleading the original system to make a misjudgment. Experiments based on three different attack generation methods show that DL-based SEI is very vulnerability. Even if the intensity is very low, without affecting the probability density distribution of the original signal, the performance can be reduced to about 50%, and at −22 dB it is completely invalid. In the defense scenario, the adversarial training (AT) of DL-based SEI is added, which can significantly improve the system’s performance under adversarial attacks, with ≥60% improvement in the recognition rate compared to the network without AT. Further, AT has a more robust effect on white noise. This study fills the relevant gaps and provides guidance for future research. In the future research, the impact of adversarial attacks must be considered, and it is necessary to add adversarial training in the training process.

Fei Xiao,Yong Huang,Yingying Zuo,Wei Kuang,Wei Wang

DOI: https://doi.org/10.1109/jiot.2023.3236314

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Empowered by deep neural networks (DNNs), Wi-Fi fingerprinting has recently achieved astonishing localization performance to facilitate many security-critical applications in wireless networks, but it is inevitably exposed to adversarial attacks, where subtle perturbations can mislead DNNs to wrong predictions. Such vulnerability provides new security breaches to malicious devices for hampering wireless network security, such as malfunctioning geofencing or asset management. The prior adversarial attack on localization DNNs uses additive perturbations on channel state information (CSI) measurements, which is impractical in Wi-Fi transmissions. To transcend this limitation, this article presents FooLoc, which fools Wi-Fi CSI fingerprinting DNNs over the realistic wireless channel between the attacker and the victim access point (AP). We observe that though uplink CSIs are unknown to the attacker, the accessible downlink CSIs could be their reasonable substitutes at the same spot. We thoroughly investigate the multiplicative and repetitive properties of over-the-air perturbations and devise an efficient optimization problem to generate imperceptible yet robust adversarial perturbations. We implement FooLoc using commercial Wi-Fi APs and wireless open-access research platform (WARP) v3 boards in offline and online experiments, respectively. The experimental results show that FooLoc achieves overall attack success rates of about 70% in targeted attacks and above 90% in untargeted attacks with small perturbation-to-signal ratios of about −18 dB.

Mingqian Liu,Hongyi Zhang,Zilong Liu,Nan Zhao

DOI: https://doi.org/10.1109/tr.2022.3179491

IF: 5.883

2023-01-01

IEEE Transactions on Reliability

Abstract:Cognitive radio-based Internet of Things (CR-IoT) network provides a solution for IoT devices to efficiently utilize spectrum resources. Spectrum sensing is a critical problem in CR-IoT network, which has been investigated extensively based on deep learning (DL). Despite the unique advantages of DL in spectrum sensing, the black-box and unexplained properties of deep neural networks may lead to many security risks. This article considers the fusion of traditional interference methods and data poisoning which is an attack method on the training data of a machine learning tool. We propose a new adversarial attack for reducing the sensing accuracy in DL-based spectrum sensing systems. We introduce a novel design of jamming waveform whose interference capability is reinforced by data poisoning. Simulation results show that significant performance enhancement and higher mobility can be achieved compared with traditional white-box attack methods.

Zhaowei Wang,Weicheng Liu,Hui-Ming Wang

DOI: https://doi.org/10.1109/lcomm.2024.3355156

IF: 3.5529

2024-03-13

IEEE Communications Letters

Abstract:Adversarial attacks on deep learning based modulation classification have received considerable attention recently. However, existing works mainly focus on the idealized white-box adversarial attacks and ignore the impact of the wireless channel. In this letter, we present a black-box Universal Adversarial Perturbation (UAP) attack scheme considering the wireless channel and propose the corresponding defense method. We first propose a conditional generative adversarial Nets (cGAN) approach to enlarge the training set of the channel state information (CSI) of wireless channel. Then, we introduce a cGAN aided black-box UAP attack scheme to disable the modulation classification capability of the deep neural network over the air. At last, we present a defense method that utilizes UAPs for adversarial training (AT). Simulation results show that the cGAN aided black-box UAP attack can decrease the accuracy of the modulation classifier by 19.3% when the perturbation power reaches the same level as the noise power, while the proposed defense method can improve it by 11.2%.

telecommunications

Mingqian Liu,Zhenju Zhang,Yunfei Chen,Jianhua Ge,Nan Zhao

DOI: https://doi.org/10.1109/tits.2023.3262347

IF: 8.5

2024-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:Air transportation communication jamming recognition model based on deep learning (DL) can quickly and accurately identify and classify communication jamming, to improve the safety and reliability of air traffic.However, due to the vulnerability of deep learning, the jamming recognition model can be easily attacked by the attacker's carefully designed adversarial examples.Although some defense methods have been proposed, they have strong pertinence to attacks.Thus, new attack methods are needed to improve the defense performance of the model.In this work, we improve the existing attack methods and propose a double level attack method.By constructing the dynamic iterative step size and analyzing the class characteristics of the signals, this method can use the adversarial losses of feature layer and decision layer to generate adversarial examples with stronger attack performance.In order to improve the robustness of the recognition model, we use adversarial examples to train the model, and transfer the knowledge learned from the model to the jamming recognition models in other wireless communication environments by transfer learning.Simulation results show that the proposed attack and defense methods have good performance.

Qing Liu,Jiajia Guo,Chao-Kai Wen,Shi Jin

DOI: https://doi.org/10.1109/jcn.2020.000016

2020-01-01

Journal of Communications and Networks

Abstract:With the increasing application of deep learning (DL) algorithms in wireless communications, the physical layer faces new challenges caused by adversarial attack. Such attack has significantly affected the neural network in computer vision. We choose DL-based channel state information (CSI) to show the effect of adversarial attack on DL-based communication system. We present a practical method to craft white-box adversarial attack on DL-based CSI feedback process. Our simulation results show the destructive effect adversarial attack causes on DL-based CSI feedback by analyzing the performance of normalized mean square error. We also launch a jamming attack for comparison and find that the jamming attack could be prevented with certain precautions. As DL algorithm becomes the trend in developing wireless communication, this work raises concerns regarding the security in the use of DL-based algorithms.

Brian Kim,Yalin E. Sagduyu,Tugba Erpek,Kemal Davaslioglu,Sennur Ulukus

DOI: https://doi.org/10.1109/gcwkshps50303.2020.9367473

2020-12-01

Abstract:We consider a wireless communication system, where a transmitter sends signals to a receiver with different modulation types while the receiver classifies the modulation types of the received signals using its deep learning-based classifier. Concurrently, an adversary transmits adversarial perturbations using its multiple antennas to fool the classifier into misclassifying the received signals. From the adversarial machine learning perspective, we show how to utilize multiple antennas at the adversary to improve the adversarial (evasion) attack performance. Two main points are considered while exploiting the multiple antennas at the adversary, namely the power allocation among antennas and the utilization of channel diversity. First, we show that multiple independent adversaries, each with a single antenna cannot improve the attack performance compared to a single adversary with multiple antennas using the same total power. Then, we consider various ways to allocate power among multiple antennas at a single adversary such as allocating power to only one antenna, and proportional or inversely proportional to the channel gain. By utilizing channel diversity, we introduce an attack to transmit the adversarial perturbation through the channel with the largest channel gain at the symbol level. We show that this attack reduces the classifier accuracy significantly compared to other attacks under different channel conditions in terms of channel variance and channel correlation across antennas. Also, we show that the attack success improves significantly as the number of antennas increases at the adversary that can better utilize channel diversity to craft adversarial attacks.