Filtered Randomized Smoothing: A New Defense for Robust Modulation Classification

TL;DR

This paper introduces Filtered Randomized Smoothing, a novel defense method that leverages spectral filtering combined with randomized smoothing to improve robustness of RF modulation classifiers against adversarial attacks without sacrificing accuracy.

Contribution

The paper proposes Filtered Randomized Smoothing, a new spectral filtering approach that enhances randomized smoothing for provable robustness in RF modulation classification.

Findings

FRS significantly outperforms existing defenses like AT and RS in accuracy.

FRS provides provable certified accuracy against arbitrary attacks.

Spectral analysis reveals attack signals are spread out, while benign signals are localized.

Abstract

Deep Neural Network (DNN) based classifiers have recently been used for the modulation classification of RF signals. These classifiers have shown impressive performance gains relative to conventional methods, however, they are vulnerable to imperceptible (low-power) adversarial attacks. Some of the prominent defense approaches include adversarial training (AT) and randomized smoothing (RS). While AT increases robustness in general, it fails to provide resilience against previously unseen adaptive attacks. Other approaches, such as Randomized Smoothing (RS), which injects noise into the input, address this shortcoming by providing provable certified guarantees against arbitrary attacks, however, they tend to sacrifice accuracy. In this paper, we study the problem of designing robust DNN-based modulation classifiers that can provide provable defense against arbitrary attacks without significantly sacrificing accuracy. To this end, we first analyze the spectral content of commonly studied attacks on modulation classifiers for the benchmark RadioML dataset. We observe that spectral signatures of un-perturbed RF signals are highly localized, whereas attack signals tend to be spread out in frequency. To exploit this spectral heterogeneity, we propose Filtered Randomized Smoothing (FRS), a novel defense which combines spectral filtering together with randomized smoothing. FRS can be viewed as a strengthening of RS by leveraging the specificity (spectral Heterogeneity) inherent to the modulation classification problem. In addition to providing an approach to compute the certified accuracy of FRS, we also provide a comprehensive set of simulations on the RadioML dataset to show the effectiveness of FRS and show that it significantly outperforms existing defenses including AT and RS in terms of accuracy on both attacked and benign signals.