Poison Neural Network-Based mmWave Beam Selection and Detoxification With Machine Unlearning

IEEE Transactions on Communications (2023)

Abstract
Deep neural network-based learning methods have been considered promising techniques for beam selection problems. However, existing research ignores the peculiar vulnerabilities of neural networks. Adversaries can use data poisoning to embed predefined triggers into a model at training time, such that the neural network-based beam model may make an incorrect output decision on a test example when it is patched with the trigger. Data poisoning offers attackers the possibility to build backdoors. The goal of backdoors is often unethical, such as giving users a poor experience by manipulating infected models to output inappropriate beams. In this paper, first, we introduce a simple backdoor attack method by using data poisoning in a mmWave beam selection system. By numerical simulations, we verify that this poisoning attack is effective for neural networks with different structures. In addition, we explore the effect of poisoned data volume on the effectiveness of backdoor attacks. The results show that the backdoor can be successfully implanted into the beam selection neural network. Besides, we fine-tune the trained model for a new wireless communication environment, and the results show that backdoors still exist even when the model is tuned with data from new scenarios. Then, we propose a machine unlearning solution to mitigate the backdoor of the trained beam selection model. The problem of eliminating backdoors is modeled as a minimax optimization problem. We propose a novel adversarial unlearning method along with label smoothing to solve the backdoor removal problem. We compare the proposed backdoor elimination method with the classical fine-tuning elimination method and the neural network pruning method through numerical simulations. The results show that the fine-tuning and the pruning methods cannot effectively remove the backdoor. The proposed machine unlearning method can make the trained model forget about the backdoor under the condition that the performance of the benign task (beam selection tasks when the trigger does not appear) is guaranteed to be slightly degraded. In summary, our work illustrates that data poisoning-based backdoor attacks may exist in wireless networks, and we propose a scheme to eliminate backdoors.
Keywords
Beam selection, mmWave, deep learning, data poisoning, backdoor