Security Risks in Vision-Based Beam Prediction: From Spatial Proxy Attacks to Feature Refinement

TL;DR

The paper tackles the security of vision-based mmWave beam prediction in 6G, identifying a practical black-box threat via the Spatial Proxy Attack (SPA) that leverages spatial-position-to-beam correlations. It proposes a joint optimization framework and a Feature Refinement Module (FRM) to simultaneously boost clean accuracy and resilience to adversarial perturbations, integrated with backbone models like ResNet-50 and MobileNetV2. Empirical results on the DeepSense 6G dataset show notable improvements in Top-$K$ accuracy under clean conditions and substantial gains in robustness against adversarial and noisy perturbations, highlighting the method's practical utility for dynamic, high-mobility deployments. The work provides a threat model and a scalable defense that reduces vulnerability without extensive attack-detection overhead, contributing to more reliable vision-assisted beam management in 6G networks.

Abstract

The rapid evolution towards the sixth-generation (6G) networks demands advanced beamforming techniques to address challenges in dynamic, high-mobility scenarios, such as vehicular communications. Vision-based beam prediction utilizing RGB camera images emerges as a promising solution for accurate and responsive beam selection. However, reliance on visual data introduces unique vulnerabilities, particularly susceptibility to adversarial attacks, thus potentially compromising beam accuracy and overall network reliability. In this paper, we conduct the first systematic exploration of adversarial threats specifically targeting vision-based mmWave beam selection systems. Traditional white-box attacks are impractical in this context because ground-truth beam indices are inaccessible and spatial dynamics are complex. To address this, we propose a novel black-box adversarial attack strategy, termed Spatial Proxy Attack (SPA), which leverages spatial correlations between user positions and beam indices to craft effective perturbations without requiring access to model parameters or labels. To counteract these adversarial vulnerabilities, we formulate an optimization framework aimed at simultaneously enhancing beam selection accuracy under clean conditions and robustness against adversarial perturbations. We introduce a hybrid deep learning architecture integrated with a dedicated Feature Refinement Module (FRM), designed to systematically filter irrelevant, noisy and adversarially perturbed visual features. Evaluations using standard backbone models such as ResNet-50 and MobileNetV2 demonstrate that our proposed method significantly improves performance, achieving up to an +21.07\% gain in Top-K accuracy under clean conditions and a 41.31\% increase in Top-1 adversarial robustness compared to different baseline models.

Figures (6)

• Figure 1: System overview of vision-assisted mmWave beam selection with adversarial interference.
• Figure 2: Step-by-Step Sample Independent Attack Generation via Spatial Proxy Labeling and Surrogate Model Training.
• Figure 3: Overview of the Proposed FRM-Enhanced ResNet Architecture for Robust Beam Selection.
• Figure 4: Comparison of the impact of Gaussian noise vs. adversarial attacks. The heatmaps depict Top-K accuracy degradation difference (Noise - Adversarial) for ResNet-50 (top) and MobileNetV2 (bottom) across four scenarios. Higher values indicate greater effectiveness of adversarial perturbations.
• Figure 5: Raw Top-K accuracy degradation under increasing adversarial perturbation strength ($\epsilon$) for ResNet-50 (top) and MobileNetV2 (bottom).