Towards Trustworthy Wi-Fi Sensing: Systematic Evaluation of Deep Learning Model Robustness to Adversarial Attacks

Shreevanth Krishnaa Gopalakrishnan, Stephen Hailes

TL;DR

This work tackles the vulnerability of CSI-based sensing to adversarial perturbations by offering a unified robustness evaluation framework that spans white-box, black-box, and universal attacks across three public CSI datasets. It systematically compares compact latent architectures against larger CSI models, showing that larger models tend to be more robust while lightweight ones are more susceptible unless accompanied by robustness methods. The study demonstrates that physically constrained perturbations—respecting coherence, correlation, and channel physics—drastically reduce attack effectiveness, and that adversarial training (PGD-AT) and TRADES further improve robustness with manageable losses in clean accuracy. The findings provide practical design principles for secure wireless sensing and deliver an open-source modular framework to benchmark and advance trustworthy CSI-based perception in real-world, cross-domain deployments.

Abstract

Machine learning has become integral to Channel State Information (CSI)-based human sensing systems and is expected to power applications such as device-free activity recognition and identity detection in future cellular and Wi-Fi generations. However, these systems rely on models whose decisions can be subtly perturbed, raising concerns for security and reliability in ubiquitous sensing. Quantifying and understanding the robustness of such models, defined as their ability to maintain accurate predictions under adversarial perturbations, is therefore critical before wireless sensing can be safely deployed in real-world environments. This work presents a systematic evaluation of the robustness of CSI deep learning models under diverse threat models (white-box, black-box/transfer, and universal perturbations) and varying degrees of attack realism. We establish a framework to compare compact temporal autoencoder models with larger deep architectures across three public datasets, quantifying how model scale, training regime, and physical constraints influence robustness. Our experiments show that smaller models, while efficient and equally performant on clean data, are markedly less robust. We further confirm that physically realizable signal-space perturbations, designed to be feasible in real wireless channels, significantly reduce attack success compared to unconstrained feature-space attacks. Adversarial training mitigates these vulnerabilities, improving mean robust accuracy with only moderate degradation in clean performance across both model classes. As wireless sensing advances towards reliable, cross-domain operation, these findings provide quantitative baselines for robustness estimation and inform design principles for secure and trustworthy human-centered sensing systems.

Paper Structure

This paper contains 52 sections, 14 equations, 8 figures, 7 tables, 1 algorithm.

Figures (8)

  • Figure 1: CSI processing pipeline, from signal reception to classification result
  • Figure 2: Taxonomy of threat models in CSI-based sensing
  • Figure 3: Modular framework under the csi namespace
  • Figure 4: Threat model. Px is compromised by Eve
  • Figure 5: CSIs of human activities from NTU-HAR [yang_sensefi_2023]
  • ...and 3 more figures