Journal
IEEE TRANSACTIONS ON MOBILE COMPUTING
Volume 22, Issue 7, Pages 4032-4043Publisher
IEEE COMPUTER SOC
DOI: 10.1109/TMC.2022.3148690
Keywords
Wireless communication; Training data; Wireless sensor networks; Noise measurement; Mobile computing; Deep learning; Computational modeling; Adversarial machine learning; deep learning; membership inference attack; privacy; wireless signal classification; defense
Ask authors/readers for more resources
This paper presents an over-the-air membership inference attack (MIA) that can leak private information from a wireless signal classifier. The attack uses machine learning to classify wireless signals, which is useful for PHY-layer authentication. The MIA infers whether a signal has been used in the training data of a target classifier and can exploit the leaked information to identify vulnerabilities. The paper also proposes a proactive defense strategy against the MIA, which involves building a shadow model to deceive the adversary and reduce the accuracy of the attack.
An over-the-air membership inference attack (MIA) is presented to leak private information from a wireless signal classifier. Machine learning (ML) provides powerful means to classify wireless signals, e.g., for PHY-layer authentication. As an adversarial machine learning attack, the MIA infers whether a signal of interest has been used in the training data of a target classifier. This private information incorporates waveform, channel, and device characteristics, and if leaked, can be exploited by an adversary to identify vulnerabilities of the underlying ML model (e.g., to infiltrate the PHY-layer authentication). One challenge for the over-the-air MIA is that the received signals and consequently the RF fingerprints at the adversary and the intended receiver differ due to the discrepancy in channel conditions. Therefore, the adversary first builds a surrogate classifier by observing the spectrum and then launches the black-box MIA on this classifier. The MIA results (based on both simulations and over-the-air software-defined radio (SDR) experiments) show that the adversary can reliably infer signals (and potentially the radio and channel information) used to build the target classifier. Therefore, a proactive defense is developed against the MIA by building a shadow MIA model and fooling the adversary. This defense can successfully reduce the MIA accuracy and prevent information leakage from the wireless signal classifier. Moreover, this defense does not reduce the accuracy of signal classification.
Authors
I am an author on this paper
Click your name to claim this paper and add it to your profile.
Reviews
Recommended
No Data Available