Countermeasures Against Adversarial Examples in Radio Signal Classification
Lu Zhang, Sangarapillai Lambotharan, Gan Zheng, Basil AsSadhan, Fabio Roli
TL;DR
This paper addresses the vulnerability of deep learning–based automatic modulation classification to adversarial examples in wireless channels. It introduces a neural rejection (NR) defense augmented with label smoothing (LS) and Gaussian noise augmentation (GNA), operating on last-layer DNN features with a one-vs-all SVM, and employs a rejection threshold $\Theta$ together with a robustness criterion $\varepsilon_{L} > \frac{S_{y}(x)-S_{\bar{y}}(x)}{\left \| \nabla_x S_{y}(x)-\nabla_x S_{\bar{y}}(x) \right \|_{1}}$ to constrain adversarial perturbations. Experiments on the GNU Radio dataset with 11 modulation schemes show that LS-GNA NR yields higher protection against FGM attacks than an undefended DNN and a standard NR, and remains effective under jamming. This work provides a first defense in radio signal classification and lays groundwork for extending to black-box and grey-box threat models.
Abstract
Deep learning algorithms have been shown to be powerful in many communication network design problems, including automatic modulation classification. However, they are vulnerable to carefully crafted attacks called adversarial examples. Hence, the reliance of wireless networks on deep learning algorithms poses a serious threat to the security and operation of wireless networks. In this letter, we propose for the first time a countermeasure against adversarial examples in modulation classification. Our countermeasure is based on a neural rejection technique, augmented by label smoothing and Gaussian noise injection, which detects and rejects adversarial examples with high accuracy. Our results demonstrate that the proposed countermeasure can protect deep learning-based modulation classification systems against adversarial examples.
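The rejection threshold $\Theta$ and the robustness criterion from the TL;DR, worked through as an added example that is not the paper's code. It assumes linear one-vs-all scores on the features (so the gradient of $S_k$ is the weight vector and the bound is exact) and assumes an input is rejected when its top score falls below $\Theta$; the weights, biases, feature vector, threshold value and function names are constructed for illustration.

```python
# Added illustration, not the paper's code. Linear one-vs-all scores
# S_k(x) = w_k . x + b_k on last-layer features; all values are constructed.
THETA = 0.2  # rejection threshold (assumed value)
W = [[1.0, -0.5, 0.0, 0.5],    # constructed weights: 3 classes, 4 features
     [-0.5, 1.0, 0.5, 0.0],
     [0.0, 0.0, -1.0, -1.0]]
B = [0.0, -0.25, 0.125]        # constructed biases


def scores(x):
    """One-vs-all scores S_k(x) for every class k."""
    return [sum(wi * xi for wi, xi in zip(w, x)) + b for w, b in zip(W, B)]


def classify(x, theta=THETA):
    """Top-scoring class, or None (reject) when its score is below theta."""
    s = scores(x)
    y = max(range(len(s)), key=s.__getitem__)
    return y if s[y] >= theta else None


def linf_margin(x):
    """Return (y, smallest criterion bound over all competing classes).

    For linear scores the gradient of S_k is w_k, so
    (S_y - S_k) / ||w_y - w_k||_1 is exact: a perturbation whose L-infinity
    norm is below it cannot make class k overtake y.
    """
    s = scores(x)
    y = max(range(len(s)), key=s.__getitem__)
    bounds = [(s[y] - s[k]) / sum(abs(a - b) for a, b in zip(W[y], W[k]))
              for k in range(len(s)) if k != y]
    return y, min(bounds)


def worst_case_point(x, y, k, eps):
    """Point in the eps-ball (L-infinity) that shrinks S_y - S_k the most."""
    sign = lambda v: (v > 0) - (v < 0)
    return [xi + eps * sign(b - a) for xi, a, b in zip(x, W[y], W[k])]


if __name__ == "__main__":
    x = [1.0, 0.5, 0.0, 0.5]                          # constructed feature vector
    y, margin = linf_margin(x)
    print(y, margin)                                  # 0 0.3125
    print(classify(worst_case_point(x, y, 1, 0.25)))  # budget below margin: 0
    print(classify(worst_case_point(x, y, 1, 0.5)))   # budget above margin: 1
    print(classify([0.0, 0.0, 0.0, 0.0]))             # top score 0.125 < THETA: None
```

The margin is the largest perturbation budget for which the predicted class is guaranteed to hold under these assumptions, so it can serve as a per-input robustness figure when tuning $\Theta$.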
