Secure Machine Learning Based RF Signal Classification for Wireless Systems

Abstract

To monitor the activity over a radio frequency (RF) channel and coordinate its access among heterogeneous wireless systems, network administrators and/or users must be able to identify observed transmissions rapidly and accurately. Recent research shows that deep neural networks (DNNs) can identify the underlying waveform of an RF signal based on the in-phase/quadrature (I/Q) samples without decoding them. Our research starts with DNN designs in the context of spectrum sharing, focusing on Wi-Fi, LTE-LAA, and 5G NR-U systems that coexist over the unlicensed 5 GHz bands. First, we consider recurrent neural network (RNN) architectures, exploiting their capability to capture sequential features. We examine several variations of RNNs, including Simple RNNs, Long Short-term Memory (LSTM) networks, and Gated Recurrent Units (GRU) networks, and apply them in designing protocol classifiers. To further improve the classification accuracy, we expand these RNN designs into a bidirectional structure, enabling the RNN cell to learn temporal dependencies in both forward and backward directions. This bidirectionality significantly augments the volume of information and context accessible to the neural network. We further advance our designs to incorporate multi-layer RNNs, enabling the classifier to capture temporal correlations across multiple time scales, thereby amplifying the network's computational capability. Lastly, we propose additional enhancements to mitigate the overfitting issue in RNN training, including regularization techniques, recurrent weight constraints, and rate halving strategies. Next, we harness the distinctive features embedded within the waveform of each wireless signal. Specifically, we exploit Fourier analysis of the I/Q sequences to further improve the classification accuracy. By applying Short-time Fourier Transform (STFT), additional information in the frequency domain can be extracted. Using segments of the received samples as input, a Convolutional Neural Network (CNN) and a RNN are combined and trained using categorical cross-entropy (CE) optimization. In addition, we utilize the temporal features at various scales and improve the classification accuracy, and propose a two-stage DNN classification structure. In the first stage, a DNN is designed to detect and classify long-term periodic features, such as the cyclic prefix (CP). Subsequently, the output of this classifier serves as a latent variable for a second-stage protocol classifier. By applying multi-layer perceptrons at these two stages, the proposed approach can effectively reduce the number of trainable parameters while maintaining a high classification accuracy, making DNN classifiers feasible for deployment in wireless networks. Although highly accurate ML classifiers have been developed, research shows that these classifiers are, in general, vulnerable to adversarial machine learning (AML) attacks. In one type of AML attack, the adversary trains a surrogate classifier (called the {\em attacker's classifier}) to produce intelligently crafted low-power ``perturbations'' that degrade the accuracy of the targeted ({\em defender's}) classifier. In this dissertation, we study the vulnerabilities of RF classifiers to AML attacks. Specifically, we consider several exemplary protocol and modulation classifiers, designed using CNNs and RNNs, and we first show the high accuracy of such classifiers under random noise (AWGN). We then study their performance under three types of low-power AML perturbations: Fast Gradient Sign Method (FGSM), Projected Gradient Descent (PGD), and DeepFool, while varying the amount of information available to the attacker. On one extreme (so-called ``white-box" attack), the attacker has complete knowledge of the defender's classifier and its training data. As expected, our results reveal that in this case, an AML attack significantly degrades the defender's classification accuracy. We gradually reduce the attacker's knowledge and study five attack scenarios that represent different amounts of information at the attacker. Surprisingly, even when the attacker has limited or no knowledge of the defender's classifier and its power is relatively low, the attack is still significant. We also study various practical issues related to the wireless environment, including channel impairments and misalignment between attacker and transmitter signals. Furthermore, we study the effectiveness of intermittent AML attacks. Even under such imperfections, a low-power AML attack can still significantly reduce the defender's classification accuracy for both protocol and modulation classifiers. Finally, we propose various defense strategies against AML attacks. We start with adversarial training (AT), in which the defender's classifier is trained on adversarial examples. AT is one of the few defenses against adversarial attacks that withstand strong attacks. However, we observe that AT's effectiveness heavily relies on knowledge of the adversarial attack, and variations in attacker parameters significantly impact its strength. To address this, we propose a classifier to estimate the attacker's parameters and retrain multiple models with adversarial samples. Additionally, we introduce a denoising autoencoder before the classifier to eliminate input perturbations. Furthermore, we present an ensemble-based defense approach, leveraging different DNNs trained on varied data formats. Lastly, to enhance robustness and generalization performance, we explore the use of Gaussian augmentation during classifier training. We also propose to use the certified defense mechanisms against AML attacks to ensure robust guarantees of the model's performance under adversarial perturbations.