Physical Backdoor Attack Against Deep Learning-Based Modulation Classification

TL;DR

This paper introduces a physical backdoor attack on DL-based modulation classifiers using RF signal distortions, demonstrating high success rates and resistance to defenses, highlighting security vulnerabilities in RF deep learning systems.

Contribution

The study presents a novel physical backdoor attack method using PA non-linearities, showing its effectiveness and robustness against existing defense techniques.

Findings

High attack success rates with minimal signal manipulation.

The attack remains effective under various noise conditions.

Existing defenses fail to mitigate this physical backdoor attack.

Abstract

Deep Learning (DL) has become a key technology that assists radio frequency (RF) signal classification applications, such as modulation classification. However, the DL models are vulnerable to adversarial machine learning threats, such as data manipulation attacks. We study a physical backdoor (Trojan) attack that targets a DL-based modulation classifier. In contrast to digital backdoor attacks, where digital triggers are injected into the training dataset, we use power amplifier (PA) non-linear distortions to create physical triggers before the dataset is formed. During training, the adversary manipulates amplitudes of RF signals and changes their labels to a target modulation scheme, training a backdoored model. At inference, the adversary aims to keep the backdoor attack inactive such that the backdoored model maintains high accuracy on test signals. However, if they apply the same manipulation used during training on these test signals, the backdoor is activated, and the model misclassifies these signals. We demonstrate that our proposed attack achieves high attack success rates with few manipulated RD signals for different noise levels. Furthermore, we test the resilience of the proposed attack to multiple defense techniques, and the results show that these techniques fail to mitigate the attack.