Robust Deep Learning Algorithm For The Recognition Of Communication Signals

Deep learning(deep learning,DL)has achieved a great success in computer vision and natural language processing.However,many studies have found that deep neural network(deep neural networks,DNN)models are very vulnerable in adversarial environments.For example,adding a tiny malicious perturbation to input samples can lead to the erroneous output in DNN model,resulting in a harmful security problem.Due to DL's great success and inherent potential in various areas,many researches have been investigated to apply it to the communication signal recognition and have achieved higher recognition rates than traditional statistical recognition methods.However,little research has been done on its robustness in adversarial environments,and no reports on its robustness enhancement technologies have been reported.Because wireless communication signals operated in an open environment and are thus vulnerable to attack,to tackle the fragility problem of robustness of DL based communication signal recognition in an adversarial environment is the core problem that must be solved before it can be applied in practice.In this thesis,we first analyzes the robustness problem of DL based recognition model,i.e.,using the Fast Gradient Symbol Method(fast gradient sign method,FGSM)and Projected Gradient Descent Method(projected gradient descent,PGD)to generate tiny malicious disturbances on the recognition network and then superimposing them to the samples and feed them as input.Our experiments show that these tiny perturbations can cause incorrect classification of the modulation signals.In order to solve this problem,we borrow the deep network defense strategies in image classification,and make full use of the special characteristics of communication signal constellation map to design and verify three defense mechanisms.The first is the distillation defense mechanism.It introduces parameter temperature in the output probability function of the original model and trains the same DNN model twice.The first training uses the original dataset to generate a probability distribution matrix,which is used as new labels for the second training.The distillation defense mechanism makes the DNN recognition model smoother and reduces the gradient amplitude near the input point,which makes it more difficult to generate adversarial samples.And reducing its sensitivity to perturbations to defend against the attacks of adversarial samples.The second is the PixelDP defense mechanism,which firstly inserts a noise layer obeying Laplacian or Gaussian distribution at a prior position in the network structure.And introducing sensitivity measurement in the pre-noise layer to reduce its sensitivity to the input perturbations.Then,the predicted probability values of each label are averaged multiple times to obtain the expected estimate during the test phase.And the stable boundary of the expected estimate is finally calculated to obtain the robust boundary of the model in the adversarial environment.The last is the adversarial training defense mechanism,which proposes and uses the saddle point formula to solve the robustness problem of the DNN model.The robust training is transformed into a two-layer optimization problem.Firstly,the problem of maximizing the inner layer's adversarial loss is solved by using the PGD algorithm to generate adversarial samples.Secondly,the outer layer minimization problem is to find the parameters of the model to minimize the adversarial loss.This problem is solved by training the DNN model on the new dataset composed of the PGD adversarial sample and the original sample using the stochastic gradient descent(stochastic gradient descent,SGD).In addition,using the sparse and clustering characteristics of the constellation map of the communication signal,we propose a data preprocessing method that regards the I/Q signal points of the communication system as gray values and assign them to the grayscale matrix according to the distance weights to count and form the constellation grayscale map.The proposed data preprocessing method is used in dataset RML2016.10 a and the distillation defense mechanism and the PixelDP defense mechanism are implemented on the VT-CNN2 model.The experimental results show that when the FGSM's attack step is 3 and the signal-to-noise ratio is above 10 dB,they can reach 59% and 61% recognition accuracy respectively.Compared with the 56% accuracy rate of the VT-CNN2 model without defense mechanism,the accuracy rates of the above two defense mechanisms are increased by 3% and5% respectively.And they does not increase too much computing and training time,but the distillation defense mechanism is only applicable to the DNN model using the Softmax function in the output layer,and the PixelDP defense mechanism is only applicable to multi-classification problems where the prediction function obtains the highest probability label in the returned probability vector.The adversarial training defense mechanism implemented on the same VT-CNN2 model achieves a recognition accuracy of about 74%when the FGSM's attack step is 2 and the signal-to-noise ratio is above 10 dB.Compared with the accuracy 62% of the VT-CNN2 model without defense mechanism,it is improved by about 12%.Under the PGD attack with an attack step of 0.2 and 8 iterations,it achieves a recognition accuracy of 80% when the signal-to-noise ratio was above 10 dB.Compared with the 58% accuracy rate of the VT-CNN2 model without defense mechanism,the accuracy rate is increased by about 22%.Therefore,the adversarial training defense mechanism achieves more obvious effects than the above two defense mechanisms.Although this training method takes more training time,it is applicable to a variety of DNN models and can defend against a wide range of first-order attacks.