Abstract
We consider a wireless communication system that consists of a transmitter, areceiver, and an adversary. The transmitter transmits signals with differentmodulation types, while the receiver classifies its received signals tomodulation types using a deep learning-based classifier. In the meantime, theadversary makes over-the-air transmissions that are received as superimposedwith the transmitter's signals to fool the classifier at the receiver intomaking errors. While this evasion attack has received growing interestrecently, the channel effects from the adversary to the receiver have beenignored so far such that the previous attack mechanisms cannot be applied underrealistic channel effects. In this paper, we present how to launch a realisticevasion attack by considering channels from the adversary to the receiver. Ourresults show that modulation classification is vulnerable to an adversarialattack over a wireless channel that is modeled as Rayleigh fading with pathloss and shadowing. We present various adversarial attacks with respect toavailability of information about channel, transmitter input, and classifierarchitecture. First, we present two types of adversarial attacks, namely atargeted attack (with minimum power) and non-targeted attack that aims tochange the classification to a target label or to any other label other thanthe true label, respectively. Both are white-box attacks that are transmitterinput-specific and use channel information. Then we introduce an algorithm togenerate adversarial attacks using limited channel information where theadversary only knows the channel distribution. Finally, we present a black-boxuniversal adversarial perturbation (UAP) attack where the adversary has limitedknowledge about both channel and transmitter input.