Spectrum Data Poisoning with Adversarial Deep Learning

IEEE Trans. on Mobile Comput.

Shi

Erpek

2021

Self Cite

An adversarial deep learning approach is presented to launch over-the-air spectrum poisoning attacks. A transmitter applies deep learning on its spectrum sensing results to predict idle time slots for data transmission. In the meantime, an adversary learns the transmitter's behavior (exploratory attack) by building another deep neural network to predict when transmissions will succeed. The adversary falsifies (poisons) the transmitter's spectrum sensing data over the air by transmitting during the short spectrum sensing period of the transmitter. Depending on whether the transmitter uses the sensing results as test data to make transmit decisions or as training data to retrain its deep neural network, either it is fooled into making incorrect decisions (evasion attack), or the transmitter's algorithm is retrained incorrectly for future decisions (causative attack). Both attacks are energy efficient and hard to detect (stealth) compared to jamming the long data transmission period, and substantially reduce the throughput. A dynamic defense is designed for the transmitter that deliberately makes a small number of incorrect transmissions (selected by the confidence score on channel classification) to manipulate the adversary's training data. This defense effectively fools the adversary (if any) and helps the transmitter sustain its throughput with or without an adversary present.

Section: Related Workmentioning

confidence: 99%

Adversarial Deep Learning for Over-the-Air Spectrum Poisoning Attacks

IEEE Trans. on Mobile Comput.

Shi

Erpek

2021

Self Cite

“…Adversarial deep learning to jam the test phase of spectrum sensing was considered in [15]. We first use this attack as a benchmark and then extend this attack to the (re)training phase to improve energy efficiency and stealthiness of the attack.…”

Section: Spectrum Poisoning Attackmentioning

confidence: 99%

“…Recently, there has been a surge of efforts to apply machine learning to wireless security, including spoofing attacks [12], jamming attacks on data transmission [13], [14], and other attacks that target spectrum sensing [15] and signal classification [16] tasks. In particular, IoT system security benefits from machine learning to identify devices [17], [18], authenticate signals [19], and detect anomalies [20].…”

Section: Introductionmentioning

confidence: 99%

IoT Network Security from the Perspective of Adversarial Deep Learning

2019 16th Annual IEEE International Conference on Sensing, Communication, and Networking (SECON)

Shi

Erpek

2019

Self Cite

Machine learning finds rich applications in Internet of Things (IoT) networks such as information retrieval, traffic management, spectrum sensing, and signal authentication. While there is a surge of interest to understand the security issues of machine learning, their implications have not been understood yet for wireless applications such as those in IoT systems that are susceptible to various attacks due the open and broadcast nature of wireless communications. To support IoT systems with heterogeneous devices of different priorities, we present new techniques built upon adversarial machine learning and apply them to three types of over-the-air (OTA) wireless attacks, namely jamming, spectrum poisoning, and priority violation attacks. By observing the spectrum, the adversary starts with an exploratory attack to infer the channel access algorithm of an IoT transmitter by building a deep neural network classifier that predicts the transmission outcomes. Based on these prediction results, the wireless attack continues to either jam data transmissions or manipulate sensing results over the air (by transmitting during the sensing phase) to fool the transmitter into making wrong transmit decisions in the test phase (corresponding to an evasion attack). When the IoT transmitter collects sensing results as training data to retrain its channel access algorithm, the adversary launches a causative attack to manipulate the input data to the transmitter over the air. We show that these attacks with different levels of energy consumption and stealthiness lead to significant loss in throughput and success ratio in wireless communications for IoT systems. Then we introduce a defense mechanism that systematically increases the uncertainty of the adversary at the inference stage and improves the performance. Results provide new insights on how to attack and defend IoT networks using deep learning.

“…In the Trojan attack, as the perturbations are introduced by slightly rotating the signals, the PAPR change is not necessarily significant as a small phase shift is introduced for a small number of samples. As a poisoning attack, the adversary can also jam the spectrum sensing period and poison the spectrum training data, thereby attempting to prevent a transmitter from building a reliable classifier [22]. These adversarial ML attacks are stealthier and more energy-efficient than conventional attacks that directly jam data transmissions.…”

Section: Related Workmentioning

confidence: 99%

Trojan Attacks on Wireless Signal Classification with Adversarial Machine Learning

Davaslıoğlu

2019 IEEE International Symposium on Dynamic Spectrum Access Networks (DySPAN)

2019

Self Cite

We present a Trojan (backdoor or trapdoor) attack that targets deep learning applications in wireless communications. A deep learning classifier is considered to classify wireless signals using raw (I/Q) samples as features and modulation types as labels. An adversary slightly manipulates training data by inserting Trojans (i.e., triggers) to only few training data samples by modifying their phases and changing the labels of these samples to a target label. This poisoned training data is used to train the deep learning classifier. In test (inference) time, an adversary transmits signals with the same phase shift that was added as a trigger during training. While the receiver can accurately classify clean (unpoisoned) signals without triggers, it cannot reliably classify signals poisoned with triggers. This stealth attack remains hidden until activated by poisoned inputs (Trojans) to bypass a signal classifier (e.g., for authentication). We show that this attack is successful over different channel conditions and cannot be mitigated by simply preprocessing the training and test data with random phase variations. To detect this attack, activation based outlier detection is considered with statistical as well as clustering techniques. We show that the latter one can detect Trojan attacks even if few samples are poisoned.