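Abstract
In research on adversarial examples against neural networks for wireless signal recognition, an adversarial example generation method using 1-bit compressed sensing is proposed for the black-box attack scenario in which the target network's structure, parameters and data set are all unknown and queries return neither recognition confidence nor recognition results. The attacker is assumed to be able to obtain, through queries, the recognition accuracy of a batch of signal samples under the model being attacked. First, the gradient of the model accuracy is treated as the sparse variable to be sensed, and a 1-bit compressed sensing model is built from the information of whether the accuracy of one batch of samples is higher or lower than that of another batch (represented by 1 or -1). Second, through multiple queries and gradient estimation, combined with a 0-norm constraint, the signal perturbation is iteratively optimized by gradient descent to generate effective adversarial examples. Finally, the adversarial examples are used to attack the target network to reduce its recognition accuracy. Experimental results show that the method reduces recognition accuracy from 79.02% to 65.39% on a public signal modulation recognition data set. Compared with other existing methods, the method further extends the restrictive conditions of black-box attacks.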
An adversarial example generation method using 1-bit compressed sensing is proposed, applicable to the black-box attack scenario concerning neural network adversarial example research for wireless signal recognition, where the target network structure parameters and data sets are unknown and the model confidence scores or recognition results cannot be obtained. It is assumed that the attacker can access the recognition accuracy of a batch of signals under the target model through queries. Firstly, the gradient of the model's accuracy is treated as a sparse variable to be sensed, and a 1-bit compressed sensing model is constructed using information on whether the accuracy has increased or decreased after each query, represented by 1 or −1. Secondly, through multiple queries and gradient estimation, signal perturbations are iteratively optimized using gradient descent under an L0-norm constraint to generate effective adversarial examples. Finally, the generated adversarial examples are used to attack the target network, thereby reducing the recognition accuracy. Experimental results show that this method can reduce the recognition accuracy from 79.02% to 65.39% on a public signal modulation recognition dataset. Compared with existing methods, this method further expands the limitations of black-box attacks.
Authors
GUO Yuqi (郭宇琦)
LI Dongyang (李东阳)
YIN Zhining (尹志宁)
MA Dekui (马德魁)
GUO Yuqi; LI Dongyang; YIN Zhining; MA Dekui (Information Engineering University, Zhengzhou 450001, China)
Source
Journal of Information Engineering University (《信息工程大学学报》)
2024, Issue 5, pp. 593-600 (8 pages)
Funding
National Natural Science Foundation of China (62271504).
Keywords
deep learning
adversarial examples
signal recognition
1-bit compressed sensing
black-box adversarial attack