In our work, we propose a novel wireless receiver architecture that protects deep learning-based modulation classifiers against adversarial attacks. Our proposed system has two goals. The first is to remove adversarial perturbations from samples so that they are not forced across decision boundaries. The second is to make the modulation classifier less sensitive to the changes caused by adversarial perturbations, so that it becomes harder to force samples across decision boundaries.
To achieve those goals, our proposed system consists of two modules, namely, an Adversarial Perturbation Preprocessor (APP) and an Enhanced Modulation Classifier (EMC). Figure 32 shows our proposed architecture. The ADC forwards the received samples to our proposed APP module, which processes them and forwards them to the EMC module. Finally, the EMC module classifies the samples and indicates the recognized modulation scheme to the receiver's demodulator.
6.5.1 Adversarial Perturbation Preprocessor
[Figure 32 – Proposed wireless receiver architecture. Signal flow: ADC → Adversarial Perturbation Preprocessor (APP): reconstruct the sample with the proposed DAE, x_o = DAE(x_i); estimate the amount of adversarial perturbation as the cosine distance Δ = CD(x_i, x_o); if Δ ≥ t (threshold t), forward x = x_o, otherwise x = x_i → Enhanced Modulation Classifier (EMC): y = f(x) → Demodulator. Source: The author (2023).]
The APP module trains a DAE using Gaussian and adversarial samples so that it learns how to remove noise and adversarial perturbations from samples. During training, the DAE learns how to map samples that have been corrupted with Gaussian noise and adversarial perturbations to clean samples. It is trained to minimize the loss function

$$L_{\mathrm{DAE}} = \frac{1}{N} \sum_{j=1}^{N} \left( x_{o,j} - x_{i,j} \right)^2, \qquad (6.3)$$

where $x_i = x_{\mathrm{clean}} + \eta + \delta$ is the input sample, which may or may not have been corrupted by noise $\eta$ and adversarial perturbation $\delta$, $x_o$ is the DAE's output after noise and adversarial perturbations have been removed, and $N$ is the length of the samples $x_i$ and $x_o$.
The cosine distance between $x_i$ and $x_o$ measures the dissimilarity between them, which represents the correction $c$ that the DAE applies to remove noise and adversarial perturbations. Small cosine distances correspond to null or small corrections, which happen when input samples have not been tampered with or have been altered only by small perturbations.
Large cosine distances, on the other hand, correspond to large corrections that are applied as a result of large perturbations. Thus, this cosine distance allows us to estimate the amount of perturbation in a sample.
However, since it is impractical to train the DAE (or any other deep learning model) to cover all possible input feature vectors, the DAE may also introduce small errors. Thus, the DAE's output is given by $x_o = x_i + c + e$, where $c$ is the correction that the DAE applies to input samples and $e$ is the error that it introduces. As a result, our proposed defense technique must use the DAE to preprocess data samples only when the perturbations it removes are larger than the errors it introduces. Otherwise, the DAE may harm classification more than it helps. Therefore, our APP module first estimates the amount of perturbation in a sample by computing the cosine distance $\Delta = \mathrm{CD}(x_i, x_o)$, and then forwards to the EMC module either $x_i$, when $\Delta$ is below a threshold $t$ (small perturbation), or $x_o$, when $\Delta$ is at or above $t$ (large perturbation).
6.5.2 Enhanced Modulation Classifier
The EMC trains deep convolutional neural networks to classify samples of modulated signals by their modulation scheme. As with the DAE, the modulation classifier is trained using samples that have been corrupted with Gaussian noise and adversarial samples in addition to clean samples. Augmenting the training set with Gaussian noise increases the classifier's resistance to perturbations in many directions, i.e., samples that have been slightly displaced in random directions are still assigned to the same class as $x$. Similarly, augmenting the training set with adversarial perturbations increases the classifier's resistance in the direction that makes a sample cross the decision boundary most efficiently according to an adversarial attack technique.
As a result, our proposed EMC makes the classifier's prediction for a sample $x$ constant within a small neighborhood around $x$. Therefore, the decision boundaries become less sensitive, and the classifier becomes more resistant to changes caused by noise and adversarial perturbations.
Algorithm 3 summarizes how our proposed defense technique works.
Algorithm 3: Proposed defense technique
1: Train a DAE with samples tampered with Gaussian noise and adversarial perturbations
2: Train an EMC with samples tampered with Gaussian noise and adversarial perturbations
3: for each incoming sample $x_i$ do
4:     Compute $x_o = \mathrm{DAE}(x_i)$
5:     Compute $\Delta = \mathrm{CD}(x_i, x_o)$
6:     if $\Delta \geq t$ then
7:         Preprocess data sample: $x = x_o$
8:     else
9:         Do not preprocess data sample: $x = x_i$
10:    end if
11:    Classify data sample: $y = f(x)$
12: end for
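The APP gate of Section 6.5.1 and lines 4 to 10 of Algorithm 3, as an added illustration that is not the author's code. The trained DAE is replaced by a hypothetical stand-in, a moving-average smoother over the I and Q channels, so that the gate can be exercised offline; the I/Q samples (a tone of two cycles over N = 128 samples, corrupted by Gaussian noise of a chosen sigma) and the threshold t = 0.02 are constructed for the example. The point the example makes is the caveat in the text: on a lightly perturbed sample the denoiser's own error e is larger than the correction c it applies, so forwarding $x_i$ unchanged is the right call, and the cosine distance $\Delta$ is what lets the gate tell the two cases apart.

```python
"""APP gate: denoise, estimate the perturbation with a cosine distance, and
forward either the raw or the denoised sample (Algorithm 3, lines 4-10).

Added example. The DAE is replaced by a hypothetical moving-average stand-in;
the I/Q sample, noise levels and threshold below are constructed for the demo.
"""
import numpy as np

N = 128       # sample length (constructed)
WINDOW = 5    # moving-average window of the stand-in denoiser (constructed)
T = 0.02      # gate threshold t on the cosine distance (constructed)


def cosine_distance(a, b):
    """CD(a, b) = 1 - cos(angle between a and b); 0 means identical direction."""
    a = np.ravel(np.asarray(a, dtype=float))
    b = np.ravel(np.asarray(b, dtype=float))
    return 1.0 - float(np.dot(a, b) / (np.linalg.norm(a) * np.linalg.norm(b)))


def moving_average_denoiser(x):
    """Stand-in for DAE(x) on an array of shape (2, N): rows are I and Q.

    Zero-padded 'same' convolution attenuates the first and last samples, which
    plays the role of the DAE's own error term e in the text.
    """
    kernel = np.ones(WINDOW) / WINDOW
    return np.stack([np.convolve(ch, kernel, mode="same") for ch in x])


def app_gate(x_i, denoise, t=T):
    """Return (forwarded sample, delta, preprocessed flag) for one input x_i."""
    x_o = denoise(x_i)
    delta = cosine_distance(x_i, x_o)       # estimated amount of perturbation
    preprocessed = delta >= t               # large correction => trust the DAE
    return (x_o if preprocessed else x_i), delta, preprocessed


def make_clean_sample(n=N, cycles=2.0):
    """Constructed clean I/Q sample: a complex tone, I = cos, Q = sin."""
    phase = 2.0 * np.pi * cycles * np.arange(n) / n
    return np.stack([np.cos(phase), np.sin(phase)])


def perturb(x_clean, sigma, rng):
    """Corrupt the sample with Gaussian noise eta of standard deviation sigma."""
    return x_clean + rng.normal(0.0, sigma, x_clean.shape)


def mse(a, b):
    return float(np.mean((np.asarray(a) - np.asarray(b)) ** 2))


def run_demo(sigma, t=T, seed=7):
    """Run one sample through the gate and report what each choice would cost."""
    rng = np.random.default_rng(seed)
    x_clean = make_clean_sample()
    x_i = perturb(x_clean, sigma, rng)
    x_fwd, delta, preprocessed = app_gate(x_i, moving_average_denoiser, t)
    return {
        "delta": delta,
        "preprocessed": preprocessed,
        "mse_in": mse(x_i, x_clean),                                 # cost of forwarding x_i
        "mse_denoised": mse(moving_average_denoiser(x_i), x_clean),  # cost of forwarding x_o
        "mse_forwarded": mse(x_fwd, x_clean),                        # cost of the gate's choice
    }


if __name__ == "__main__":
    for sigma in (0.01, 0.5):
        r = run_demo(sigma)
        print(f"sigma={sigma:<5} delta={r['delta']:.4f} preprocessed={r['preprocessed']} "
              f"mse_in={r['mse_in']:.5f} mse_denoised={r['mse_denoised']:.5f}")
```

With sigma = 0.01 the denoiser's edge error dominates, so the denoised sample is further from the clean one than the raw input, and the small $\Delta$ keeps the gate from using it; with sigma = 0.5 the removed noise far outweighs that error, $\Delta$ clears the threshold, and the denoised sample is forwarded. The threshold t is the tuning knob a deployment has to set from the DAE's measured error on clean data.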
6.5.3 Adversarial Samples for Training
Our proposed architecture relies on adversarial samples to train both the DAE and the EMC.
The DAE leverages adversarial samples to learn how to remove adversarial perturbations. The EMC uses them to enhance its resistance to such perturbations. Thus, the choice of adversarial samples has a significant impact on the resistance our technique provides. For instance, if our proposed DAE and EMC are trained with adversarial samples crafted using only the FGSM technique, our defense will be effective against only FGSM adversarial samples. Similarly, if we consider adversarial samples crafted using only the FGSM and PGD techniques, our defense technique will protect wireless receivers from only those two specific adversarial attacks.
However, it is not feasible to consider many different adversarial attack techniques, as doing so would significantly increase our defense technique's computational requirements and training time.
Therefore, a crucial part of our proposed defense technique is to consider an adversarial attack technique that generalizes other types of adversarial attacks. We want our defense technique to protect against different types of adversarial attacks while being trained with adversarial samples crafted using a single attack technique. For this purpose, we leverage our previous work in [(ARAUJO-FILHO et al., 2022)], in which we proposed an input-agnostic adversarial attack technique. This type of attack combines GANs [(GOODFELLOW et al., 2014)] and a multi-task loss [(KENDALL; GAL; CIPOLLA, 2018)] to generate adversarial samples by simultaneously optimizing their ability to cause wrong classifications and to remain imperceptible. Furthermore, it crafts adversarial samples much faster than other adversarial attack techniques. Thus, by using the adversarial attack technique proposed in [(ARAUJO-FILHO et al., 2022)], our proposed defense technique enhances modulation classifiers' resistance to different types of adversarial attacks while also significantly reducing the time it takes to craft the adversarial samples used to train the DAE and EMC.