Physical Adversarial Attacks Against End-to-End Autoencoder Communication Systems
This highlights a critical security flaw in AI-driven communication systems, which could impact their deployment in real-world wireless networks.
The paper demonstrates that end-to-end autoencoder communication systems are highly vulnerable to physical adversarial attacks, where an adversary can increase block-error-rate by orders of magnitude, and shows these attacks are more destructive than jamming while classical coding is more robust.
We show that end-to-end learning of communication systems through deep neural network (DNN) autoencoders can be extremely vulnerable to physical adversarial attacks. Specifically, we elaborate how an attacker can craft effective physical black-box adversarial attacks. Due to the openness (broadcast nature) of the wireless channel, an adversary transmitter can increase the block-error-rate of a communication system by orders of magnitude by transmitting a well-designed perturbation signal over the channel. We reveal that the adversarial attacks are more destructive than jamming attacks. We also show that classical coding schemes are more robust than autoencoders against both adversarial and jamming attacks. The codes are available at [1].