Physical Adversarial Attacks Against End-to-End Autoencoder Communication Systems

TL;DR

This paper demonstrates that deep neural network autoencoders in wireless communication systems are highly vulnerable to physical adversarial attacks, which can significantly disrupt communication more than traditional jamming methods.

Contribution

It introduces a method for crafting physical black-box adversarial attacks against end-to-end autoencoder communication systems, highlighting their vulnerability compared to classical coding schemes.

Findings

Adversarial attacks can increase block-error-rate by orders of magnitude.

Autoencoders are more vulnerable than classical coding schemes.

Classical coding schemes show greater robustness against attacks.

Abstract

We show that end-to-end learning of communication systems through deep neural network (DNN) autoencoders can be extremely vulnerable to physical adversarial attacks. Specifically, we elaborate how an attacker can craft effective physical black-box adversarial attacks. Due to the openness (broadcast nature) of the wireless channel, an adversary transmitter can increase the block-error-rate of a communication system by orders of magnitude by transmitting a well-designed perturbation signal over the channel. We reveal that the adversarial attacks are more destructive than jamming attacks. We also show that classical coding schemes are more robust than autoencoders against both adversarial and jamming attacks. The codes are available at [1].