This paper presents channel-aware adversarial attacks against deep learning-based wireless signal classifiers. There is a transmitter that transmits signals with different modulation types. A deep neural network is used at each receiver to classify its over-the-air received signals to modulation types. In the meantime, an adversary transmits an adversarial perturbation (subject to a power budget) to fool receivers into making errors in classifying signals that are received as superpositions of transmitted signals and adversarial perturbations. First, these evasion attacks are shown to fail when channels are not considered in designing adversarial perturbations. Then, realistic attacks are presented by considering channel effects from the adversary to each receiver. After showing that a channel-aware attack is selective (i.e., it affects only the receiver whose channel is considered in the perturbation design), a broadcast adversarial attack is presented by crafting a common adversarial perturbation to simultaneously fool classifiers at different receivers. The major vulnerability of modulation classifiers to over-the-air adversarial attacks is shown by accounting for different levels of information available about the channel, the transmitter input, and the classifier model. Finally, a certified defense based on randomized smoothing that augments training data with noise is introduced to make the modulation classifier robust to adversarial perturbations.

翻译：本文展示了对深层次学习基础的无线信号分类的有频道觉察的对抗性攻击; 有一种发射器以不同的调制类型传输信号。 每个接收器都使用深神经网络来将其从空中接收的信号分类为调制类型。 与此同时, 对手将对抗性扰动( 取决于电力预算)传递给受访者, 以欺骗接收者, 从而在对作为传输信号的叠加和对抗性扰动接收器同时接收的信号进行分类时犯错误。 首先, 当在设计对抗性扰动时不考虑频道时, 这些躲避性攻击就会失败。 然后, 通过考虑对手对每个接收器的频道效应, 来展示现实的攻击。 在显示频道觉察到的信号类型是选择性的( 也就是说, 它只影响在扰动设计中考虑的频道的接收者) 之后, 广播性对抗性攻击通过在不同接收器同时将传送信号分类的叠加到同时的傻瓜分类者。 调制分类器对于过度对抗性攻击的主要脆弱性表现为失败性攻击。 通过对不同级别进行会计的计算, 通过对不同级别进行关于可获取的频道进行平稳的升级的升级的测试, 数据, 向最终进行升级的升级的升级的测试, 将数据转换为对等的升级的升级的升级的升级的测试。