Adversarial Examples in RF Deep Learning: Detection and Physical Robustness

While research on adversarial examples (AdExs) in machine learning for images has been prolific, similar attacks on deep learning (DL) for radio frequency (RF) signals and corresponding mitigation strategies are scarcely addressed in the published work, with only a handful of recent publications in the RF domain. With minimal waveform perturbation, RF AdExs can cause a substantial increase in misclassifications for spectrum sensing/survey applications (e.g. ZigBee mistaken for Bluetooth). In this work, two statistical tests for AdEx detection are proposed. One statistical test leverages the peak-to-average-power ratio (PAPR) of the RF samples. The second test uses the softmax outputs of the machine learning model, which are proportional to the likelihoods the classifier assigns to each of the trained classes. The first test leverages the RF nature of the data, while the latter is universally applicable to AdExs regardless of the domain. Both solutions are shown as viable mitigation methods to subvert adversarial attacks against RF waveforms, and their effectiveness is analyzed as a function of the propagation channel and type of waveform.
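An added sketch of the PAPR-based check described above, not the authors' code. The abstract does not give the test statistic, so a z-score against trusted calibration bursts is assumed here, and the QPSK bursts and the bounded random perturbation are constructed stand-ins rather than real AdExs.

```python
import math
import random

def papr_db(iq):
    """Peak-to-average power ratio of a complex baseband burst, in dB."""
    power = [abs(s) ** 2 for s in iq]
    return 10 * math.log10(max(power) / (sum(power) / len(power)))

def fit_reference(clean_bursts):
    """Mean and sample standard deviation of PAPR over trusted calibration bursts."""
    vals = [papr_db(b) for b in clean_bursts]
    mean = sum(vals) / len(vals)
    std = math.sqrt(sum((v - mean) ** 2 for v in vals) / (len(vals) - 1))
    return mean, std

def is_suspect(iq, ref, z_max=3.0):
    """Flag a burst whose PAPR is more than z_max deviations from the reference.

    The z-score rule and z_max=3.0 are assumptions of this example.
    """
    mean, std = ref
    return abs(papr_db(iq) - mean) / std > z_max

def qpsk_burst(rng, n=256, noise=0.05):
    """Constructed clean burst: unit-power QPSK symbols plus Gaussian noise."""
    out = []
    for _ in range(n):
        sym = complex(rng.choice((-1, 1)), rng.choice((-1, 1))) / math.sqrt(2)
        out.append(sym + complex(rng.gauss(0, noise), rng.gauss(0, noise)))
    return out

def perturb(rng, iq, eps=0.3):
    """Constructed stand-in for a perturbed waveform: bounded random offset."""
    return [s + complex(rng.uniform(-eps, eps), rng.uniform(-eps, eps)) for s in iq]

def demo(seed=7, n_bursts=200):
    """Return (fraction of clean bursts flagged, fraction of perturbed flagged)."""
    rng = random.Random(seed)
    ref = fit_reference([qpsk_burst(rng) for _ in range(n_bursts)])
    held_out = [qpsk_burst(rng) for _ in range(n_bursts)]
    flagged_clean = sum(is_suspect(b, ref) for b in held_out) / n_bursts
    flagged_pert = sum(is_suspect(perturb(rng, b), ref) for b in held_out) / n_bursts
    return flagged_clean, flagged_pert

if __name__ == "__main__":
    fpr, tpr = demo()
    print(f"clean flagged: {fpr:.1%}  perturbed flagged: {tpr:.1%}")
```

The reference statistics must be refit per waveform type and channel, since, as the abstract notes, the test's effectiveness depends on both.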
