MEMBERSHIP INFERENCE ATTACK AND DEFENCE FOR WIRELESS SIGNAL CLASSIFIERS WITH DEEP LEARNING

Abstract

A novel over-the-air membership inference attack (MIA) method is introduced to extract sensitive information from a wireless signal classifier. Machine learning techniques are widely employed to categorize wireless signals, particularly in tasks like PHY-layer authentication. The MIA, as a form of adversarial machine learning attack, aims to determine if a given signal was part of the training data for a target classifier. This information, comprising waveform, channel, and device attributes, if exposed, could be exploited by malicious actors to exploit vulnerabilities in the underlying ML model, such as compromising PHY-layer authentication. A key obstacle in implementing the over-the-air MIA is the inherent variability in received signals and resulting RF fingerprints due to channel conditions. To address this, the attacker first constructs a surrogate classifier based on observed spectrum data before executing the black-box MIA attack on this classifier. Both simulation-based and real-world over-the-air software-defined radio (SDR) experiments confirm the efficacy of the MIA in reliably inferring signals used to train the target classifier, potentially revealing radio and channel details. Consequently, a proactive defense strategy is devised against the MIA, involving the creation of a shadow MIA model to deceive the attacker. This defensive approach effectively reduces MIA accuracy and mitigates information leakage from the wireless signal classifier, all without compromising signal classification accuracy.