Adversarial examples in machine learning for images are widely publicized and explored. Illustrations of misclassifications caused by slightly perturbed inputs are abundant and commonly known (e.g., a picture of a panda imperceptibly perturbed to fool the classifier into incorrectly labeling it as a gibbon). Similar attacks on deep learning (DL) for radio frequency (RF) signals, and their mitigation strategies, are scarcely addressed in the published work. Yet RF adversarial examples (AdExs) with minimal waveform perturbations can cause drastic, targeted misclassification, particularly against spectrum sensing/survey applications (e.g., BPSK mistaken for 8-PSK). Our research on deep learning AdExs and the proposed defense mechanisms is RF-centric and incorporates physical-world, over-the-air (OTA) effects. We herein present defense mechanisms based on pre-training the target classifier using an autoencoder. Our results validate this approach as a viable method for mitigating adversarial attacks against deep learning-based communications and radar sensing systems.
I. INTRODUCTION

A new research direction is emerging in the field of wireless communications, aiming to develop and evaluate deep learning (DL) approaches against classical detection and estimation methods in the radio frequency (RF) realm. Spectrum sensing, especially in the context of cognitive radio, encompasses most of the radio-signal detection problems currently being addressed. DL in the RF domain differs greatly from common DL applications (e.g., image recognition, natural language processing) and requires specialized knowledge of RF signal processing and of wireless communications and/or radar, depending on how the signal is utilized.

While research on adversarial examples in machine learning for images has been prolific, similar attacks on deep learning of RF signals, and their mitigation strategies, are scarcely addressed in the published work, with only a couple of recent publications on RF [1], [2]. Adversarial examples (AdExs) are slightly perturbed inputs that are classified incorrectly by the machine learning (ML) model [3]. The perturbation is achieved by mathematical processing of the signal, e.g., by adding an incremental value in the direction of the classifier's gradient with respect to the inputs (as in the FGSM attack illustrated in Fig. 3 A), or by solving a constrained optimization problem. Popular DL models are even more vulnerable to AdExs because DL networks learn input-output mappings that are fairly discontinuous. Consider the images in Figure 1 [4]. The image on the left is the original image of a panda from the ImageNet dataset [5], while the one on the right is derived from it by applying an FGSM attack of very low intensity. The perturbation of 0.007 added in the direction of the loss gradient...

Fig. 1. Famous panda illustration of an adversarial image example against a DL classifier, where a visually imperceptible, noise-like perturbation can fool the classifier into labeling it as a gibbon.
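To make the FGSM perturbation described above concrete, the following is a minimal sketch, assuming a differentiable classifier implemented in PyTorch; the names model, x, y, and fgsm_perturb, as well as the step size epsilon, are illustrative and are not taken from the paper's implementation.

```python
# Illustrative FGSM sketch (assumes a trained, differentiable PyTorch classifier).
# x: input tensor (e.g., a batch of I/Q samples reshaped into real values)
# y: true integer class labels; epsilon: perturbation strength.
import torch
import torch.nn.functional as F

def fgsm_perturb(model, x, y, epsilon=0.007):
    """Perturb x by one step of size epsilon along the sign of the loss gradient."""
    x_adv = x.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(x_adv), y)          # classification loss at x_adv
    loss.backward()                                  # gradient of loss w.r.t. the input
    with torch.no_grad():
        x_adv = x_adv + epsilon * x_adv.grad.sign()  # FGSM step in the gradient-sign direction
    return x_adv.detach()
```

Feeding the perturbed input back to the classifier illustrates the attack: if successful, model(x_adv) is assigned a different class than model(x), even though the added perturbation is small relative to the waveform.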