Membership Inference Attack and Defense for Wireless Signal Classifiers With Deep Learning

Shi, Yi; Sagduyu, Yalin E.

doi:10.1109/tmc.2022.3148690

Cited by 16 publications

(12 citation statements)

References 60 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…To maximize the impact of jamming the RBs, we pursue an adversarial machine learning approach. Different types of attacks built upon adversarial machine learning have been studied in wireless communications [21], [22] such as exploratory (inference) attacks [23], [24], evasion (adversarial) attacks [25], [26], [27], [28], [29], [30], [31], [32], [33], [34], [35], [36], [37], [38], [39] and their extensions to secure and covert communications against eavesdroppers [40], [41], [42], causative (poisoning) attacks [43], [44], [45], membership inference attacks [46], [47], Trojan attacks [48], and spoofing attacks [49], [50], [51] that have been launched against various spectrum sensors and wireless signal (such as modulation) classifiers. Adversarial machine learning has also been considered for NextG by studying evasion and spoofing attacks on deep neural networks (without reinforcement learning) used for NextG spectrum sharing and NextG signal authentication [52].…”

Section: B Adversarial Machine Learning Based Attack On Nextg Radio A...mentioning

confidence: 99%

How to Attack and Defend NextG Radio Access Network Slicing With Reinforcement Learning

Shi

Sagduyu

Erpek

et al. 2023

IEEE Open J. Veh. Technol.

Self Cite

View full text Add to dashboard Cite

In this paper, reinforcement learning (RL) for network slicing is considered in next generation (NextG) radio access networks, where the base station (gNodeB) allocates resource blocks (RBs) to the requests of user equipments and aims to maximize the total reward of accepted requests over time. Based on adversarial machine learning, a novel over-the-air attack is introduced to manipulate the RL algorithm and disrupt NextG network slicing. The adversary observes the spectrum and builds its own RL based surrogate model that selects which RBs to jam subject to an energy budget with the objective of maximizing the number of failed requests due to jammed RBs. By jamming the RBs, the adversary reduces the RL algorithm's reward. As this reward is used as the input to update the RL algorithm, the performance does not recover even after the adversary stops jamming. This attack is evaluated in terms of both the recovery time and the (maximum and total) reward loss, and it is shown to be much more effective than benchmark (random and myopic) jamming attacks. Different reactive and proactive defense schemes such as suspending the RL algorithm's update once an attack is detected, introducing randomness to the decision process in RL to mislead the learning process of the adversary, or manipulating the feedback (NACK) mechanism such that the adversary may not obtain reliable information are introduced to show that it is viable to defend NextG network slicing against this attack, in terms of improving the RL algorithm's reward.

show abstract

Section: B Adversarial Machine Learning Based Attack On Nextg Radio A...mentioning

confidence: 99%

How to Attack and Defend NextG Radio Access Network Slicing With Reinforcement Learning

Shi

Sagduyu

Erpek

et al. 2023

IEEE Open J. Veh. Technol.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Adversaries can poison the wireless access of the metaverse, by manipulating the inputs to the learning algorithms employed for authorizing users [22], leading to unauthorized access to the metaverse network due to the mislead access model. Malicious users can also infer sensitive information about edge devices, users, and applications which have access to the network, through membership attribute inference attacks [23] and model inversion attacks [24]. As a privacy threat to the MaaS access, data characteristics such as device-level information may leak to adversaries.…”

Section: B Securing the 6g-enabled Access To The Metaversementioning

confidence: 99%

“…As a privacy threat to the MaaS access, data characteristics such as device-level information may leak to adversaries. Malicious users can exploit this leaked information using membership inference attacks [23] by building an inference model to determine whether a sample of interest (associated with a particular device) has been used in the training data of the MaaS provider. To mitigate such attacks, generative adversarial networks (GANs) are shown to be capable of detecting anomalies and mitigating wireless attacks for the next generation of communication and networking services [25].…”

Section: B Securing the 6g-enabled Access To The Metaversementioning

confidence: 99%

“…As an example, virtual service providers and mobile network operators employ learning algorithms as a service for their users [41]. Malicious users have the capability to eavesdrop on the models exchanged to infer the membership of specific clients or undermine the performance of AI/ML services [23]. In addition, attackers can hack edge devices in the physical world or impersonate benign avatars as a man-in-the-middle.…”

Section: Secure and Private Ai/ml For The Metaversementioning

confidence: 99%

See 1 more Smart Citation

Unlocking Metaverse-as-a-Service The three pillars to watch: Privacy and Security, Edge Computing, and Blockchain

Ahsani¹,

Rahimi²,

Letafati³

et al. 2023

Preprint

View full text Add to dashboard Cite

In this article, the authors provide a comprehensive overview on three core pillars of metaverse-as-a-service (MaaS) platforms; privacy and security, edge computing, and blockchain technology. The article starts by investigating security aspects for the wireless access to the metaverse. Then it goes through the privacy and security issues inside the metaverse from data-centric, learning-centric, and human-centric points-of-view. The authors address private and secure mechanisms for privatizing sensitive data attributes and securing machine learning algorithms running in a distributed manner within the metaverse platforms. Novel visions and less-investigated methods are reviewed to help mobile network operators and metaverse service providers facilitate the realization of secure and private MaaS through different layers of the metaverse, ranging from the access layer to the social interactions among clients. Later in the article, it has been explained how the paradigm of edge computing can strengthen different aspects of the metaverse. Along with that, the challenges of using edge computing in the metaverse have been comprehensively investigated. Additionally, the paper has comprehensively investigated and analyzed 10 main challenges of MaaS platforms and thoroughly discussed how blockchain technology provides solutions for these constraints. At the final, future vision and directions, such as content-centric security and zero-trust metaverse, some blockchain's unsolved challenges are also discussed to bring further insights for the network designers in the metaverse era.

show abstract

“…Overall, AML is an emerging field that studies machine learning (ML) in the presence of adversaries that may aim to manipulate the test and/or training pipelines of ML algorithms [ 7 , 8 , 9 ]. While the applications of AML have originated in the computer vision domain, there has been a growing interest in applying AML to wireless communications [ 10 , 11 , 12 ], including exploratory (inference) attacks [ 13 , 14 ], evasion (adversarial) attacks [ 15 , 16 , 17 , 18 , 19 , 20 , 21 , 22 , 23 , 24 , 25 , 26 , 27 , 28 , 29 , 30 , 31 , 32 , 33 ] and their extensions to secure and covert communications against eavesdroppers [ 34 , 35 , 36 , 37 ], causative (poisoning) attacks [ 38 , 39 , 40 ], membership inference attacks [ 41 , 42 ], Trojan attacks [ 43 ], and spoofing attacks [ 44 , 45 , 46 , 47 ].…”

Section: Introductionmentioning

confidence: 99%

Adversarial Machine Learning for NextG Covert Communications Using Multiple Antennas

Kim

Sagduyu

Davaslıoğlu

et al. 2022

Entropy

Self Cite

View full text Add to dashboard Cite

This paper studies the privacy of wireless communications from an eavesdropper that employs a deep learning (DL) classifier to detect transmissions of interest. There exists one transmitter that transmits to its receiver in the presence of an eavesdropper. In the meantime, a cooperative jammer (CJ) with multiple antennas transmits carefully crafted adversarial perturbations over the air to fool the eavesdropper into classifying the received superposition of signals as noise. While generating the adversarial perturbation at the CJ, multiple antennas are utilized to improve the attack performance in terms of fooling the eavesdropper. Two main points are considered while exploiting the multiple antennas at the adversary, namely the power allocation among antennas and the utilization of channel diversity. To limit the impact on the bit error rate (BER) at the receiver, the CJ puts an upper bound on the strength of the perturbation signal. Performance results show that this adversarial perturbation causes the eavesdropper to misclassify the received signals as noise with a high probability while increasing the BER at the legitimate receiver only slightly. Furthermore, the adversarial perturbation is shown to become more effective when multiple antennas are utilized.

show abstract

Membership Inference Attack and Defense for Wireless Signal Classifiers With Deep Learning

Cited by 16 publications

References 60 publications

How to Attack and Defend NextG Radio Access Network Slicing With Reinforcement Learning

How to Attack and Defend NextG Radio Access Network Slicing With Reinforcement Learning

Unlocking Metaverse-as-a-Service The three pillars to watch: Privacy and Security, Edge Computing, and Blockchain

Adversarial Machine Learning for NextG Covert Communications Using Multiple Antennas

Contact Info

Product

Resources

About