Adversarial Examples in RF Deep Learning: Detection of the Attack and its Physical Robustness

TL;DR

This paper investigates adversarial examples in RF deep learning, proposing detection methods that consider physical over-the-air effects, and demonstrates their effectiveness in securing RF systems against targeted misclassification attacks.

Contribution

It introduces RF-specific detection techniques for adversarial examples that incorporate over-the-air effects and evaluates their robustness in real-world scenarios.

Findings

PAPR-based test effectively detects OTA adversarial examples

Softmax output analysis provides a universal detection method

Proposed defenses mitigate targeted misclassification in RF systems

Abstract

While research on adversarial examples in machine learning for images has been prolific, similar attacks on deep learning (DL) for radio frequency (RF) signals and their mitigation strategies are scarcely addressed in the published work, with only one recent publication in the RF domain [1]. RF adversarial examples (AdExs) can cause drastic, targeted misclassification results mostly in spectrum sensing/ survey applications (e.g. BPSK mistaken for 8-PSK) with minimal waveform perturbation. It is not clear if the RF AdExs maintain their effects in the physical world, i.e., when AdExs are delivered over-the-air (OTA). Our research on deep learning AdExs and proposed defense mechanisms are RF-centric, and incorporate physical world, OTA effects. We here present defense mechanisms based on statistical tests. One test to detect AdExs utilizes Peak-to- Average-Power-Ratio (PAPR) of the DL data points delivered OTA, while another statistical test uses the Softmax outputs of the DL classifier, which corresponds to the probabilities the classifier assigns to each of the trained classes. The former test leverages the RF nature of the data, and the latter is universally applicable to AdExs regardless of their origin. Both solutions are shown as viable mitigation methods to subvert adversarial attacks against communications and radar sensing systems.