Membership Inference Attack and Defense for Wireless Signal Classifiers With Deep Learning

An over-the-air membership inference attack (MIA) is presented to leak private information from a wireless signal classifier. Machine learning (ML) provides powerful means to classify wireless signals, e.g., for PHY-layer authentication. As an adversarial machine learning attack, the MIA infers whether a signal of interest has been used in the training data of a target classifier. This private information incorporates waveform, channel, and device characteristics, and if leaked, can be exploited by an adversary to identify vulnerabilities of the underlying ML model (e.g., to infiltrate the PHY-layer authentication). One challenge for the over-the-air MIA is that the received signals and consequently the RF fingerprints at the adversary and the intended receiver differ due to the discrepancy in channel conditions. Therefore, the adversary first builds a surrogate classifier by observing the spectrum and then launches the black-box MIA on this classifier. The MIA results (based on both simulations and over-the-air software-defined radio (SDR) experiments) show that the adversary can reliably infer signals (and potentially the radio and channel information) used to build the target classifier. Therefore, a proactive defense is developed against the MIA by building a shadow MIA model and fooling the adversary. This defense can successfully reduce the MIA accuracy and prevent information leakage from the wireless signal classifier. Moreover, this defense does not reduce the accuracy of signal classification.

Automated summary

This paper presents an over-the-air membership inference attack (MIA) that can leak private information from a wireless signal classifier. The attack uses machine learning to classify wireless signals, which is useful for PHY-layer authentication. The MIA infers whether a signal has been used in the training data of a target classifier and can exploit the leaked information to identify vulnerabilities. The paper also proposes a proactive defense strategy against the MIA, which involves building a shadow model to deceive the adversary and reduce the accuracy of the attack.