Universal Attack Against Automatic Modulation Classification DNNs Under Frequency and Data Constraints

In spite of unique advantages like higher recognition accuracy and better generalization capability, automatic modulation classification (AMC)-oriented deep neural networks (ADNNs) are still vulnerable to adversarial examples (AEs). Recent results revealed that an attacker can easily fool ADNNs through adding a small and imperceptible perturbation to the original signal. Among different AE generation methods, universal adversarial perturbation (UAP) has unique characteristics, including input agnostic and shift invariance. However, applying UAP directly to RF signals faces three main challenges, i.e., perturbation neutralization, high perceptibility, and dependency of original signals. In this backdrop, a novel UAP under frequency and data constraints (UAP-FD) attack is put forward for solving these problems in this article. First, an individual perturbation is filtered based on the representation visualization algorithm to counter the neutralization problem in perturbation integration. Second, the high-frequency components in the integrated UAP is eliminated through signal decomposition and reconstruction for promoting the imperceptibility. Third, a proxy signal generation method is proposed to help UAP-FD adapt to data-free black-box settings. A series of experiments is conducted to evaluate the aggressiveness and imperceptibility of UAP-FD attack in different settings on a public data set. Results show that, compared with the existing proposal, UAP-FD has a 40% higher fooling rate, and it can reduce the accuracy of the ADNN model from 83% to 9% while maintaining a good imperceptibility and shift-invariance property. In addition, UAP-FD is applied to real-world captured signals over the transmission channel; and it can reduce the model accuracy from 98.3% to 12.5%.