Physical Backdoor Attack Against Deep Learning-Based Modulation Classification

Younes Salmi, Hanna Bogucka

Abstract

Deep Learning (DL) has become a key technology that assists radio frequency (RF) signal classification applications, such as modulation classification. However, DL models are vulnerable to adversarial machine learning threats, such as data manipulation attacks. We study a physical backdoor (Trojan) attack that targets a DL-based modulation classifier. In contrast to digital backdoor attacks, where digital triggers are injected into the training dataset, we use power amplifier (PA) non-linear distortions to create physical triggers before the dataset is formed. During training, the adversary manipulates amplitudes of RF signals and changes their labels to a target modulation scheme, training a backdoored model. At inference, the adversary aims to keep the backdoor attack inactive such that the backdoored model maintains high accuracy on test signals. However, if they apply the same manipulation used during training on these test signals, the backdoor is activated, and the model misclassifies these signals. We demonstrate that our proposed attack achieves high attack success rates with few manipulated RF signals for different noise levels. Furthermore, we test the resilience of the proposed attack to multiple defense techniques, and the results show that these techniques fail to mitigate the attack.

Paper Structure

This paper contains 14 sections, 20 equations, 4 figures, 1 table.

Figures (4)

  • Figure 1: The Legitimate, Physically, and Digitally Attacked Models
  • Figure 2: The Attack Success Rate (ASR) vs. The Poisoning Ratio (PR) at SNR=8dB and IBO=3dB for the simulated attacks.
  • Figure 3: The Attack Success Rate (ASR) vs. The Signal to Noise Ratio (SNR) at IBO=3dB for the simulated attacks.
  • Figure 4: The Classification Accuracy vs. The Signal to Noise Ratio (SNR) at IBO=3dB for the legitimate $f_{\theta}$ and backdoored $f_{\theta^*}$ models.