Abstract
Deep-learning-based intelligent recognition models for modulation signals are widely used in intelligent radio signal processing, but adversarial attacks have become a huge security threat to them. To promote the safe and reliable application of intelligent modulation recognition models, it is necessary to study adversarial defense techniques for them. This paper proposes an adversarial defense method based on ensemble learning for intelligent modulation signal recognition models. Specifically, the method combines multiple defense models, such as adversarial training, defensive distillation, and noise smoothing. A variety of attack algorithms are carried out in both white-box and black-box scenarios, under different perturbation intensities and different signal-to-noise ratios (SNRs), to verify the robustness of the proposed method. Strikingly, the accuracy of the model is improved to over 80% when the SNR is above 0 dB under the Carlini and Wagner attack.
Data availability
The data that support the findings of this study are available in DEEPSIG DATASET: RADIOML 2016.10A at https://www.deepsig.ai/datasets.
About this article
Cite this article
Han, C., Qin, R., Wang, L. et al. Adversarial defense method based on ensemble learning for modulation signal intelligent recognition. Wireless Netw 29, 2967–2980 (2023). https://doi.org/10.1007/s11276-023-03299-4
DOI: https://doi.org/10.1007/s11276-023-03299-4