基于雅可比显著图的电磁信号快速对抗攻击方法

doi:10.11959/j.issn.1000-436x.2024021

摘要/Abstract

摘要：

为了生成高质量的电磁信号对抗样本，提出了快速雅可比显著图攻击（FJSMA）方法。FJSMA 通过计算攻击目标类别的雅可比矩阵，并根据该矩阵生成特征显著图，之后迭代选取显著性最强的特征点及其邻域内连续特征点添加扰动，同时引入单点扰动限制，最后生成对抗样本。实验结果表明，与雅可比显著图攻击方法相比， FJSMA在保持与之相同的高攻击成功率的同时，生成速度提升了约10倍，相似度提升了超过11%；与其他基于梯度的方法相比，攻击成功率提升了超过20%，相似度提升了20%～30%。

关键词: 深度神经网络, 对抗样本, 电磁信号调制识别, 雅可比显著图, 目标攻击

Abstract:

In order to generate high-quality electromagnetic signal countermeasure examples, a fast Jacobian saliency map attack (FJSMA) method was proposed.The Jacobian matrix of the attack target class was calculated and feature saliency maps based on the matrix were generated, then the most salient feature points were iteratively selected and perturbations in their neighborhood were continuously added while introducing a single point perturbation constraint, finally adversarial examples were generated.Experimental results show that, compared with Jacobian saliency map attack method, FJSMA improves the generation speed by about 10 times while maintaining the same high attack success rate, and improves the similarity by more than 11%, and compared with other gradient-based methods, the attack success rate is improved by more than 20%, and the similarity is improved by 20% to 30%.

Key words: deep neural network, adversarial sample, electromagnetic signal modulation recognition, Jacobian saliency map, target attack

中图分类号:

TP183

张剑, 周侠, 张一然, 王梓聪. 基于雅可比显著图的电磁信号快速对抗攻击方法[J]. 通信学报, 2024, 45(1): 180-193.

Jian ZHANG, Xia ZHOU, Yiran ZHANG, Zicong WANG. Electromagnetic signal fast adversarial attack method based on Jacobian saliency map[J]. Journal on Communications, 2024, 45(1): 180-193.

图/表 13

图1

图2

图3

图4

图5

图6

表1

表2

表3

图7

图8

图9

图10

参考文献 28

[1]	O’SHEA T J , CORGAN J , CLANCY T C . Convolutional radio modulation recognition networks[C]// Proceedings of International Conference on Engineering Applications of Neural Networks. Berlin:Springer, 2016: 213-226.
[2]	O’SHEA T J , ROY T , CLANCY T C . Over-the-air deep learning based radio signal classification[J]. IEEE Journal of Selected Topics in Signal Processing, 2018,12(1): 168-179.
[3]	LIU K , XIANG X , LIANG Y ,et al. Automatic modulation recognition through wireless sensor networks in aeronautical wireless channel[J]. IEEE Sensors Journal, 2021,21(20): 23125-23132.
[4]	林心桐, 张琳, 吴志强 ,等. 基于卷积神经网络与循环谱图的调制识别方法[J]. 太赫兹科学与电子信息学报, 2021,19(4): 617-622.
	LIN X T , ZHANG L , WU Z Q ,et al. Modulation recognition method based on convolutional neural network and cyclic spectrum images[J]. Journal of Terahertz Science and Electronic Information Technology, 2021,19(4): 617-622.
[5]	JDID B , HASSAN K , DAYOUB I ,et al. Machine learning based automatic modulation recognition for wireless communications:a comprehensive survey[J]. IEEE Access, 2021,9: 57851-57873.
[6]	LUAN S Y , GAO Y R , ZHOU J C ,et al. Automatic modulation classification based on cauchy-score constellation and lightweight network under impulsive noise[J]. IEEE Wireless Communications Letters, 2021,10(11): 2509-2513.
[7]	SZEGEDY C , ZAREMBA W , SUTSKEVER I ,et al. Intriguing properties of neural networks[C]// Proceedings of 2nd International Conference on Learning Representations. Piscataway:IEEE Press, 2014: 1-10.
[8]	TRAMèR F , KURAKIN A , PAPERNOT N ,et al. Ensemble adversarial training:attacks and defenses[J]. arXiv Preprint,arXiv:1705.07204, 2017.
[9]	钱亚冠, 张锡敏, 王滨 ,等. 基于二阶对抗样本的对抗训练防御[J]. 电子与信息学报, 2021,43(11): 3367-3373.
	QIAN Y G , ZHANG X M , WANG B ,et al. Adversarial training defense based on second-order adversarial examples[J]. Journal of Electronics ＆ Information Technology, 2021,43(11): 3367-3373.
[10]	GOODFELLOW I J , SHLENS J , SZEGEDY C . Explaining and harnessing adversarial examples[C]// Proceedings of 3rd International Conference on Learning Representations. Piscataway:IEEE Press, 2015: 1-11.
[11]	KURAKIN A , GOODFELLOW I , BENGIO S . Adversarial examples in the physical world[C]// Proceedings of 4th International Conference on Learning Representations(ICLR) . Piscataway:IEEE Press, 2016: 1-14.
[12]	DONG Y P , LIAO F Z , PANG T Y ,et al. Boosting adversarial attacks with momentum[C]// Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2018: 9185-9193.
[13]	XIE C H , ZHANG Z S , ZHOU Y Y ,et al. Improving transferability of adversarial examples with input diversity[C]// Proceedings of the 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Piscataway:IEEE Press, 2019: 2725-2734.
[14]	DING Y , ZHU G Q , CHEN D J ,et al. Adversarial sample attack and defense method for encrypted traffic data[J]. IEEE Transactions on Intelligent Transportation Systems, 2022,23(10): 18024-18039.
[15]	PAPERNOT N , MCDANIEL P , JHA S ,et al. The limitations of deep learning in adversarial settings[C]// Proceedings of the 2016 IEEE European Symposium on Security and Privacy (EuroS＆P). Piscataway:IEEE Press, 2016: 372-387.
[16]	COMBEY T , LOISON A , FAUCHER M ,et al. Probabilistic jacobian-based saliency maps attacks[J]. Machine Learning and Knowledge Extraction, 2020,2(4): 558-578.
[17]	黄知涛, 柯达, 王翔 . 电磁信号对抗样本攻击与防御发展研究[J]. 信息对抗技术, 2023,2(S1): 37-52.
	HUANG Z T , KE D , WANG X . Research on the development of electromagnetic signal against sample attack and defense[J]. Information Countermeasure Technology, 2023,2(S1): 37-52.
[18]	KIM B , SAGDUYU Y , ERPEK T ,et al. Adversarial attacks on deep learning based mmWave beam prediction in 5G and beyond[C]// Proceedings of the 2021 IEEE Statistical Signal Processing Workshop (SSP). Piscataway:IEEE Press, 2021: 590-594.
[19]	KIM B , SAGDUYU Y E , ERPEK T ,et al. Channel effects on surrogate models of adversarial attacks against wireless signal classifiers[C]// Proceedings of the IEEE International Conference on Communications. Piscataway:IEEE Press, 2021: 1-6.
[20]	王满喜, 史明佳, 陆科宇 ,等. 电磁信号调制识别中的对抗性攻击技术研究[J]. 无线电通信技术, 2022,48(6): 1098-1104.
	WANG M X , SHI M J , LU K Y ,et al. Research on adversarial attacks technology in modulation recognition[J]. Radio Communications Technology, 2022,48(6): 1098-1104.
[21]	SADEGHI M , LARSSON E G . Adversarial attacks on deep-learning based radio signal classification[J]. IEEE Wireless Communications Letters, 2019,8(1): 213-216.
[22]	FLOWERS B , BUEHRER R M , HEADLEY W C . Evaluating adversarial evasion attacks in the context of wireless communications[J]. IEEE Transactions on Information Forensics and Security, 2019,15: 1102-1113.
[23]	ZHAO H J , LIN Y , GAO S ,et al. Evaluating and improving adversarial attacks on DNN-based modulation recognition[C]// Proceedings of the IEEE Global Communications Conference. Piscataway:IEEE Press, 2020: 1-5.
[24]	王超, 魏祥麟, 田青 ,等. 基于特征梯度的调制识别深度网络对抗攻击方法[J]. 计算机科学, 2021,48(7): 25-32.
	WANG C , WEI X L , TIAN Q ,et al. Feature gradient-based adversarial attack on modulation recognition-oriented deep neural networks[J]. Computer Science, 2021,48(7): 25-32.
[25]	MADRY A , MAKELOV A , SCHMIDT L ,et al. Towards deep learning models resistant to adversarial attacks[C]// Proceedings of 6th International Conference on Learning Representations. Piscataway:IEEE Press, 2018: 1-28.
[26]	周侠, 张一然, 张剑 . 基于Grad-CAM的电磁信号对抗攻击方法[J]. 舰船电子工程, 2023,43(6): 204-208.
	ZHOU X , ZHANG Y R , ZHANG J . Adversarial attack algorithm for electromagnetic signal based on Grad-CAM[J]. Ship Electronic Engineering, 2023,43(6): 204-208.
[27]	李哲铭, 王晋东, 侯建中 ,等. 基于显著区域优化的对抗样本攻击方法[J]. 计算机工程, 2023,49(9): 246-255,264.
	LI Z M , WANG J D , HOU J Z ,et al. Adversarial example attack method based on salient region optimization[J]. Computer Engineering, 2023,49(9): 246-255,264.
[28]	XU J L , LUO C B , PARR G ,et al. A spatiotemporal multi-channel learning framework for automatic modulation recognition[J]. IEEE Wireless Communications Letters, 2020,9(10): 1629-1632.

攻击方法	ASR	ACAC	ACTC	ATS/s	SSIM	L₀	L₂	L_∞
JSMA	97.76%	76.33%	0.003%	611.22	80.79%	3.61%	0.11	3.08
DI-FGSM	84.75%	65.71%	7.331%	0.58	53.66%	75.00%	0.68	2.26
PGD	72.58%	53.82%	4.884%	0.63	67.39%	93.84%	0.45	2.18
FJSMA(ε=0.2)	96.91%	66.96%	0.097%	78.44	93.93%	26.81%	0.09	0.19
FJSMA(ε=0.4)	97.33%	69.27%	0.051%	63.18	92.92%	18.94%	0.12	0.39
FJSMA(ε=0.6)	97.64%	74.85%	0.013%	50.21	90.25%	15.64%	0.18	0.56
FJSMA(AVG)	97.29%	70.51%	0.054%	63.94	92.37%	20.46%	0.13	0.38
MA-NA-FGSM	95.20%	72.33%	1.94%	1.76	76.8%	87.21%	0.49	1.04
Grad-CAM	80.91%	65.26%	4.791%	11.46	85.41%	24.33%	0.31	1.74

攻击方法	ASR	ACAC	ACTC	ATS/s	SSIM	L₀	L₂	L_∞
JSMA	97.12%	73.03%	0.128%	432.08	76.48%	8.07%	0.13	3.11
DI-FGSM	83.88%	66.81%	2.146%	0.42	56.71%	88.96%	0.73	2.69
PGD	74.12%	49.85%	17.251%	0.36	65.46%	100.00%	0.65	2.13
FJSMA(ε=0.2)	94.55%	64.91%	0.107%	46.38	92.38%	28.26%	0.11	0.18
FJSMA(ε=0.4)	95.48%	70.33%	0.081%	41.25	90.31%	18.93%	0.16	0.37
FJSMA(ε=0.6)	96.35%	75.82%	0.034%	33.89	87.90%	10.58%	0.21	0.58
FJSMA(AVG)	95.46%	70.35%	0.074%	40.51	90.20%	19.26%	0.16	0.38
MA-NA-FGSM	94.36%	73.21%	1.88%	1.55	77.31%	88.90%	0.53	1.13
Grad-CAM	81.42%	66.34%	4.63%	10.98	86.37%	25.61%	0.29	1.58

攻击方法	ASR	ACAC	ACTC	ATS/s	SSIM	L₀	L₂	L_∞
JSMA	97.33%	74.83%	0.038%	488.36	78.23%	6.59%	0.13	2.79
DI-FGSM	83.97%	62.18%	6.012%	0.56	54.62%	87.89%	0.77	2.12
PGD	71.44%	52.91%	7.297%	0.73	64.93%	92.47%	0.61	2.36
FJSMA(ε=0.2)	96.35%	67.48%	0.307%	53.93	91.87%	27.33%	0.13	0.19
FJSMA(ε=0.4)	96.12%	70.35%	0.196%	47.29	88.69%	19.26%	0.19	0.38
FJSMA(ε=0.6)	97.24%	73.67%	0.103%	40.66	86.31%	13.95%	0.25	0.53
FJSMA(AVG)	96.57%	69.55%	0.202%	47.29	88.96%	20.18%	0.19	0.37
MA-NA-FGSM	94.97%	72.95%	1.76%	1.58	74.29%	87.13%	0.47	0.98
Grad-CAM	80.57%	64.47%	5.81%	11.23	85.92%	25.82%	0.34	2.01