Membership Inference Attack and Defense for Wireless Signal Classifiers with Deep Learning
Yi Shi, Yalin E. Sagduyu

TL;DR
This paper demonstrates a wireless signal membership inference attack using deep learning, revealing private information about training data, and proposes a defense mechanism to mitigate such privacy risks.
Contribution
It introduces an over-the-air MIA for wireless classifiers and a novel defense method using shadow models to protect privacy.
Findings
Adversaries can reliably infer training signals and device info.
The proposed defense reduces MIA accuracy significantly.
Over-the-air MIA poses a real privacy threat in wireless ML systems.
Abstract
An over-the-air membership inference attack (MIA) is presented to leak private information from a wireless signal classifier. Machine learning (ML) provides powerful means to classify wireless signals, e.g., for PHY-layer authentication. As an adversarial machine learning attack, the MIA infers whether a signal of interest has been used in the training data of a target classifier. This private information incorporates waveform, channel, and device characteristics, and if leaked, can be exploited by an adversary to identify vulnerabilities of the underlying ML model (e.g., to infiltrate the PHY-layer authentication). One challenge for the over-the-air MIA is that the received signals and consequently the RF fingerprints at the adversary and the intended receiver differ due to the discrepancy in channel conditions. Therefore, the adversary first builds a surrogate classifier by observing…
Taxonomy
Topics: Wireless Signal Modulation Classification · Wireless Communication Security Techniques · Adversarial Robustness in Machine Learning
