Adversarial Machine Learning and Defense Game for NextG Signal Classification with Deep Learning

TL;DR

This paper develops a game-theoretic framework to analyze and enhance the robustness of deep learning-based NextG signal classification against adversarial attacks, balancing attack strategies and defense mechanisms.

Contribution

It introduces a novel game-theoretic model for attack-defense interactions in NextG signal classification, including equilibrium analysis and resilience quantification.

Findings

Nash equilibrium strategies optimize attack and defense balance.

Defense mechanisms increase adversary's uncertainty but may reduce performance.

Resilience of NextG classification can be quantified under attack scenarios.

Abstract

This paper presents a game-theoretic framework to study the interactions of attack and defense for deep learning-based NextG signal classification. NextG systems such as the one envisioned for a massive number of IoT devices can employ deep neural networks (DNNs) for various tasks such as user equipment identification, physical layer authentication, and detection of incumbent users (such as in the Citizens Broadband Radio Service (CBRS) band). By training another DNN as the surrogate model, an adversary can launch an inference (exploratory) attack to learn the behavior of the victim model, predict successful operation modes (e.g., channel access), and jam them. A defense mechanism can increase the adversary's uncertainty by introducing controlled errors in the victim model's decisions (i.e., poisoning the adversary's training data). This defense is effective against an attack but reduces the performance when there is no attack. The interactions between the defender and the adversary are formulated as a non-cooperative game, where the defender selects the probability of defending or the defense level itself (i.e., the ratio of falsified decisions) and the adversary selects the probability of attacking. The defender's objective is to maximize its reward (e.g., throughput or transmission success ratio), whereas the adversary's objective is to minimize this reward and its attack cost. The Nash equilibrium strategies are determined as operation modes such that no player can unilaterally improve its utility given the other's strategy is fixed. A fictitious play is formulated for each player to play the game repeatedly in response to the empirical frequency of the opponent's actions. The performance in Nash equilibrium is compared to the fixed attack and defense cases, and the resilience of NextG signal classification against attacks is quantified.