TY - GEN
T1 - Adversarial examples in RF deep learning
T2 - 7th IEEE Global Conference on Signal and Information Processing, GlobalSIP 2019
AU - Kokalj-Filipovic, Silvija
AU - Miller, Rob
AU - Vanhoy, Garrett
N1 - Publisher Copyright: © 2019 IEEE.
PY - 2019/11
Y1 - 2019/11
N2 - While research on adversarial examples (AdExs) in machine learning for images has been prolific, similar attacks on deep learning (DL) for radio frequency (RF) signals and corresponding mitigation strategies are scarcely addressed in the published work, with only a handful of recent publications in the RF domain. With minimal waveform perturbation, RF adversarial examples (AdExs) can cause a substantial increase in misclassifications for spectrum sensing/survey applications (e.g. ZigBee mistaken for Bluetooth). In this work, two statistical tests for AdEx detection are proposed. One statistical test leverages the peak-to-average-power ratio (PAPR) of the RF samples. The second test uses the softmax outputs of the machine learning model, which are proportional to the likelihoods the classifier assigns to each of the trained classes. The first test leverages the RF nature of the data while the latter is universally applicable to AdExs regardless of the domain. Both solutions are shown as viable mitigation methods to subvert adversarial attacks against RF waveforms, and their effectiveness is analyzed as a function of the propagation channel and type of waveform.
UR - http://www.scopus.com/inward/record.url?scp=85079268407&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85079268407&partnerID=8YFLogxK
U2 - 10.1109/GlobalSIP45357.2019.8969138
DO - 10.1109/GlobalSIP45357.2019.8969138
M3 - Conference contribution
AN - SCOPUS:85079268407
T3 - GlobalSIP 2019 - 7th IEEE Global Conference on Signal and Information Processing, Proceedings
BT - GlobalSIP 2019 - 7th IEEE Global Conference on Signal and Information Processing, Proceedings
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 11 November 2019 through 14 November 2019
ER -