Channel-Aware Adversarial Attacks Against Deep Learning-Based Wireless Signal Classifiers

TL;DR

This paper investigates channel-aware adversarial attacks on deep learning-based wireless signal classifiers, demonstrating vulnerabilities and proposing a randomized smoothing defense to improve robustness against such attacks.

Contribution

It introduces realistic, channel-aware adversarial attack methods and a randomized smoothing defense for deep learning-based wireless signal classifiers, highlighting their vulnerabilities.

Findings

Channel-aware attacks are effective against modulation classifiers.

Broadcast adversarial attacks can fool multiple receivers simultaneously.

Randomized smoothing enhances classifier robustness.

Abstract

This paper presents channel-aware adversarial attacks against deep learning-based wireless signal classifiers. There is a transmitter that transmits signals with different modulation types. A deep neural network is used at each receiver to classify its over-the-air received signals to modulation types. In the meantime, an adversary transmits an adversarial perturbation (subject to a power budget) to fool receivers into making errors in classifying signals that are received as superpositions of transmitted signals and adversarial perturbations. First, these evasion attacks are shown to fail when channels are not considered in designing adversarial perturbations. Then, realistic attacks are presented by considering channel effects from the adversary to each receiver. After showing that a channel-aware attack is selective (i.e., it affects only the receiver whose channel is considered in the perturbation design), a broadcast adversarial attack is presented by crafting a common adversarial perturbation to simultaneously fool classifiers at different receivers. The major vulnerability of modulation classifiers to over-the-air adversarial attacks is shown by accounting for different levels of information available about the channel, the transmitter input, and the classifier model. Finally, a certified defense based on randomized smoothing that augments training data with noise is introduced to make the modulation classifier robust to adversarial perturbations.