
1. Introduction
Machine learning is a useful method for learning from spectrum data and solving challenging wireless
communications tasks. Deep learning (DL) has achieved success in numerous wireless communication
tasks such as signal detection, spectrum sensing, and physical layer security, thanks to recent
breakthroughs in computational resources and algorithmic approaches. However, ML in general, and DL
in particular, have been found to be sensitive to manipulation, spawning a new field of research known
as adversarial machine learning (AML). Despite substantial study in other data domains such as computer
vision and natural language processing, AML research in the wireless communications domain is still in
its early stages.

Machine learning techniques can be used to launch attacks. These attacks can be used against ML-based
communication systems (such as smart eavesdropping, FL) and against non-ML-based communication systems
(such as predicting a simple system signal from its modulated version). Additionally, these attacks
might be conventional, such as using ML to predict the frequency hopping sequence and then launching a
jamming attack on the legitimate user, or smart (ML-based), such as manipulating the training data to
push the classifier to make a wrong decision.

Fig. 1. ML and Communication Systems

This chapter discusses adversarial machine learning (AML) attacks and defense strategies.

2. Adversarial Machine Learning in Wireless Communications

Introduction:

There has recently been a rise in efforts to utilize machine learning in wireless security, especially
for spoofing attacks, eavesdropping and jamming attacks on data transmission, as discussed before. With
the proliferation of machine learning applications, it is critical to comprehend the underlying security
vulnerabilities of machine learning itself.

Adversarial machine learning is a field that systematically examines the security implications of
machine learning in the face of adversaries. Adversarial machine learning is the study of the attacks on
machine learning algorithms, and of the defenses against such attacks [1]. Most machine learning
approaches are designed to operate on certain problem sets, assuming that the training and test data
come from the same statistical distribution. However, in real high-stakes applications, this assumption
is frequently and critically broken, since users may purposefully submit false data that violates the
statistical assumption. The study of adversarial machine learning is at an advanced stage for computer
vision and natural language processing; this is not the case for wireless communications, where it is
still at an early stage.

Fig. 2. AML for Wireless Communication

Fig. 2 shows the effect of a perturbation injected by the adversary. The top part is for the CV domain,
where the adversary wants to fool the pre-trained ML classifier into changing its estimate of the
original input "Stop sign" to the wrong estimate "Yield sign", while the bottom part is for wireless
communications, where the adversary wants to fool the pre-trained ML classifier into classifying a QPSK
signal as a 16-QAM signal.

Classification of Adversarial Attacks:

AML attacks can be classified according to the attack phase (training, test), the adversary's target
(targeted, untargeted), the adversary's knowledge (white box, gray box, or black box), and the attack
influence (exploratory, evasion, and causative attacks); these categories were traditionally applied to
data domains other than wireless communications [2]. The following table gives a primary taxonomy of
AML attacks in wireless communications.

Exploratory (inference) attacks: Seek to discover the model mechanism using the training data, and then
imitate the model by building a surrogate model. Exploratory attacks do not affect the training set,
instead probing the learner to gather information about its state. The adversarial examples are crafted
in such a way that the learner recognizes them as authentic throughout the testing phase.

Membership inference attacks: The adversary aims to determine whether a given data sample is a member of
the training data; with that knowledge the design of the attack can be more successful.

Evasion (adversarial) attacks: The aim is to manipulate the input test data to fool the model into making
a wrong decision. An evasion attack determines samples that the target classifier is likely to
misclassify.

Spoofing attacks: The adversary generates synthetic data samples from scratch rather than adding
perturbations to real ones.

Causative (poisoning) attacks: The aim is to manipulate the training process of the model by injecting
weaknesses, such as false training data, into the model. The attack provides erroneous training data
samples to reduce the reliability of the re-trained classifier.

Trojan (backdoor) attacks: A combination of evasion and causative attacks; the adversary injects triggers
(backdoors) into the training data and then activates them for some input samples at test time.

Table 1. AML Attacks Taxonomy

Wireless adversarial machine learning applications differ from other data domains such as computer
vision. The attacker and the defender may not observe the same signals, since they experience different
channels; therefore the interference effects seen by them differ. Additionally, the objectives (i.e.,
the machine learning outputs) of the adversary and the defender may differ. During spectrum sensing, for
example, the defender may try to classify a channel as busy or idle, whereas the adversary may need to
assess whether the defender will have a successful transmission or not. Due to the different channel and
interference effects experienced by the adversary and the defender, these two objectives may differ.
Furthermore, because wireless users are often separated in location and receive their input through
wireless signals transmitted over the air, the adversary may not directly change the input data to the
machine learning system. As a result, while constructing wireless attacks and evaluating their
effectiveness, it is critical to account for channel effects. Moreover, the type of data seen by the
adversary is determined by the underlying waveform and the receiver hardware of the adversary. While
adversarial machine learning in computer vision applications may run on raw data samples such as pixels,
the adversary in the wireless domain may have to use different types of available radio-specific
features such as I/Q data and RSSI that may differ from the features used by the target machine learning
system. The following table lists the characteristics of AML attacks in wireless communications.

Radio channel effect exploitation and mitigation:
i) The adversary should be aware of the dynamic nature of the channel, because it influences the signal
perturbations by introducing path loss and phase shifts on the adversarial attacks [3].
ii) The adversary needs to train the surrogate model through the channel because he/she does not have
access to the DL model at the receiver, so the training data is imperfect and the shadow model might be
ineffective due to the dynamic nature of the channel [4].
iii) Adversarial tactics designed to mislead DL models trained on time-domain features may not always
work on DL models trained on frequency-domain features [5].
iv) It is also possible to pursue the goal of proper signal classification at one receiver while
tricking the signal classifier at another receiver by utilizing channel differences [6].

Channel impact:
i) The adversarial perturbation may seek to trick a wireless signal classifier at one receiver, but the
perturbed signal can still be decoded with minimum loss of reliability at the target receiver [7]. This
concept is used for covert communication. The adversary may want to preserve not only the bit error rate
but also the spectral structure of the altered signal [8].
ii) Forward error correction may mitigate the impact of an adversarial attack while preserving
communication performance with the intended receiver [9].
iii) To improve the impact of adversarial attacks, the adversary may employ several antennas to send
the perturbations [10].

Training and test data influence:
A wireless attacker cannot directly manipulate classifier training or testing data. In addition, unlike
traditional CV and NLP applications that rely on API queries, it cannot directly query a transmitter's
classifier and retrieve classification results. In an over-the-air attack, the adversary must monitor
wireless communications and attempt to manipulate/influence the outcome of the DL model indirectly, or
initiate actions such as jamming the channel during sensing and data transfers [11].

Heterogeneity in feature representation:
i) If the adversary wants to attack with multiple antennas in a HetNet, the perturbations might have to
suit the channel conditions of each receiver (network), i.e. different receivers may mean different
channels (multiple-channel aware) [3].
ii) It is also feasible that network traffic is stochastic or that traffic must be adjusted to account
for dynamic channel effects. The generation of wireless perturbations must therefore be evaluated in
conjunction with queue stability, with the long-term aim of the adversary being to limit the stable
throughput (the maximum achievable throughput while keeping the packet queues stable) [12].

Table 2. Unique Characteristics of AML Attacks

AML attacks for wireless communications are designed with these characteristics in mind.

AML attack generation approaches for wireless communications:

After this brief introduction to the characteristics of adversarial attacks, the following table
describes the approaches for generating the attacks.
Evasion: Evasion attacks produce adversarial examples, defined as delicately constructed, unnoticeable
perturbations introduced to the ML model's original inputs. This is the only type of attack for which
generation approaches can be generalized. The adversarial perturbation may be found by solving an
optimization problem using the following approaches. Limited-memory Broyden–Fletcher–Goldfarb–Shanno
(L-BFGS) produces an optimal adversarial example; it focuses on finding an adversarial perturbation
bounded in the 2-norm. The L-BFGS attack used an expensive line search to find the optimal value, which
was time consuming and impractical. Goodfellow et al. [33] proposed a fast method, the Fast Gradient
Sign Method (FGSM), to generate adversarial examples. FGSM creates an adversarial example that closely
matches the original input; it focuses on finding an adversarial perturbation bounded in the ∞-norm [13].

Exploratory: The strategy is to steal training data and create models that provide the same (or similar)
results as the original model. With knowledge of how the original model works, the attacker may make
informed decisions about how to attack and affect the overall performance of the ML-based system.
Although the exploratory attacks reported in the literature adhere to the same paradigm, there are no
standard attack-generation methods available, as there are for evasion attacks. All of the approaches
take the same strategy, which is to understand the internal workings of the original model, develop a
surrogate model, and then attack the ML-based model with the information from the surrogate model [14].

Causative: The causative attack attempts to reduce an ML system's capacity to perform optimally by adding
weaknesses into the training process. These inserted vulnerabilities may be caused by the adversary
purposefully tampering with the data labels or by designing and integrating unique learnable
characteristics. The model learns these unique properties, which leads it to depart from its initial
goal, resulting in a significant decrease in the model's capacity to produce reliable predictions.
Vulnerabilities may be introduced during the initial model creation or the model retraining process.
Because the attack happens prior to model training, contamination impacts any form of ML model, and
efforts to tune parameters offer little or no increase in the model's ability to make good predictions
[14].

Table 3. AML Attacks Generation Approaches for Wireless Communications

FGSM is also the basis of iterative methods such as the basic iterative method (BIM), projected gradient
descent (PGD), and the momentum iterative method (MIM). Most of these approaches are borrowed from the
computer vision and natural language processing domains.

Examples of AML attacks in wireless communication:

In [4], the authors consider a wireless communication system that consists of a background emitter, a
transmitter, and an adversary. The transmitter is equipped with a DNN classifier to detect the ongoing
transmissions of the background emitter and transmits a signal if the spectrum is idle. The adversary
trains its own DNN classifier as a surrogate model by observing the spectrum to detect the ongoing
transmissions of the background emitter (exploratory attack), and then generates adversarial attacks to
fool the transmitter into misclassifying the channel as idle.

The study [15] describes how to launch an over-the-air membership inference attack (MIA) to leak private
information from a wireless signal classifier. As ML algorithms are used to process wireless signals to
make decisions such as PHY-layer authentication, the training data characteristics (e.g., device-level
information) and environment conditions (e.g., channel information) may leak from the ML model. Beyond
the privacy issue, the adversary can utilize the stolen information to exploit ML model weaknesses using
an adversarial ML technique. The MIA is tested against a deep learning-based classifier that combines
waveform, device, and channel characteristics (power and phase changes) in received signals to perform
RF fingerprinting. By monitoring the spectrum, the adversary constructs a surrogate classifier and
subsequently an inference model to assess whether a signal of interest was used in the training data of
the receiver (e.g., a service provider). The results show that wireless signal classifiers are sensitive
to privacy risks owing to over-the-air information leakage from the ML model.

For AML spoofing attacks, [16] describes a spoofing attack carried out by an adversarial pair consisting
of a transmitter and a receiver that assume the generator and discriminator roles in a GAN and play a
minimax game to create the best spoofing signals, with the goal of fooling the best trained defense
mechanism. This method has two implications. From the attacker's point of view, a deep learning-based
spoofing mechanism is trained to potentially fool a defense mechanism such as RF fingerprinting. From
the defender's point of view, a deep learning-based defense mechanism is trained against potential
spoofing attacks in which an adversary pair of a transmitter and a receiver cooperate.

Authors in [11] propose an adversarial deep learning approach to launch over-the-air spectrum poisoning
attacks. A transmitter applies a deep learning (FFN) classifier to its spectrum sensing results to
predict idle time slots for data transmission. In the meantime, an adversary learns the transmitter's
behavior (exploratory attack) by building another deep neural network to predict when transmissions will
succeed. The adversary poisons the transmitter's spectrum sensing data over the air by transmitting
during the short spectrum sensing period of the transmitter. Depending on whether the transmitter uses
the sensing results as test data to make transmit decisions or as training data to retrain its deep
neural network, either it is fooled into making incorrect decisions (evasion attack) or its algorithm is
retrained incorrectly for future decisions (causative attack).

A Trojan attack that targets deep learning applications in wireless communications was presented in
[17]. A deep learning classifier is considered that classifies wireless signals using raw I/Q samples as
features and modulation types as labels. An adversary slightly manipulates the training data by
inserting Trojans (i.e., triggers) into only a few training samples, modifying their phases and changing
the labels of these samples to a target label. This poisoned training data is used to train the deep
learning classifier. At test (inference) time, the adversary transmits signals with the same phase shift
that was added as a trigger during training. While the receiver can accurately classify clean
(non-poisoned) signals without triggers, it cannot reliably classify signals poisoned with triggers.
This stealthy attack remains hidden until activated by poisoned inputs (Trojans) to bypass a signal
classifier (e.g., for authentication). The authors show that this attack is successful over different
channel conditions and cannot be mitigated by simply preprocessing the training and test data with
random phase variations.

How can effective learning take place in the presence of an attack?

AML attacks may significantly degrade the performance of the communication system. Fig. 2 shows a
pre-trained model (a classifier for automatic modulation classification) attacked by an adversary: the
adversarial attack adds a small perturbation to the original QPSK test sample, which causes the QPSK
modulated signal to be misclassified as 16-QAM. In addition to designing the attack model, the attacker
should be aware of the channel; Fig. 3 shows the effect of a channel-aware attack on classifier
accuracy, which decreases as the perturbation-to-noise ratio (PNR) increases [18].

Fig. 3. Accuracy of the receiver’s classifier under adversarial attacks with and without considering wireless channel effects
when SNR = 10 dB.
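As an added example (not code from the chapter or from [18]), the following Python script implements the gradient-sign generation of Table 3 and the iterative PGD variant mentioned after it, and then runs the accuracy-versus-PNR sweep of Fig. 3 on a toy QPSK-vs-16-QAM classifier. Everything in it is constructed for illustration: the 64-symbol bursts at 10 dB SNR, the two power-statistic features with a logistic classifier standing in for the DNN, and the PNR grid. The white-box gradient is derived by the chain rule through the feature layer, and the perturbation budget is converted to a PNR so the attacker's power is stated relative to the receiver's noise, as in the figure.

```python
# Added example: FGSM and L2-PGD against a toy QPSK/16-QAM classifier, budget given as PNR.
# The bursts, the feature-based logistic classifier and the PNR grid are constructed
# assumptions for illustration; they are not the model or the attack of any cited paper.
import numpy as np

N_SYM = 64                            # complex I/Q samples per classifier input (assumption)
SNR_DB = 10.0                         # receiver SNR, as in Fig. 3
NOISE_POWER = 10 ** (-SNR_DB / 10)    # noise power per complex sample for unit-power constellations

QPSK = np.array([1 + 1j, 1 - 1j, -1 + 1j, -1 - 1j]) / np.sqrt(2)
QAM16 = np.array([a + 1j * b for a in (-3, -1, 1, 3) for b in (-3, -1, 1, 3)]) / np.sqrt(10)

def make_dataset(n_per_class, rng):
    """Constructed data: noisy bursts of each modulation; label 0 = QPSK, 1 = 16-QAM.
    Each row is laid out as [I_1..I_N, Q_1..Q_N]."""
    xs, ys = [], []
    for label, const in ((0, QPSK), (1, QAM16)):
        syms = rng.choice(const, size=(n_per_class, N_SYM))
        noise = np.sqrt(NOISE_POWER / 2) * (rng.standard_normal(syms.shape)
                                            + 1j * rng.standard_normal(syms.shape))
        rx = syms + noise
        xs.append(np.concatenate([rx.real, rx.imag], axis=1))
        ys.append(np.full(n_per_class, label))
    return np.vstack(xs), np.concatenate(ys)

def features(x):
    """Differentiable stand-in for the DNN's feature layer: mean and variance of the
    per-sample power r_k = I_k^2 + Q_k^2 (QPSK has low power variance, 16-QAM high)."""
    i, q = x[:, :N_SYM], x[:, N_SYM:]
    r = i ** 2 + q ** 2
    m = r.mean(axis=1)
    return np.stack([m, r.var(axis=1)], axis=1), r, m

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-np.clip(z, -30, 30)))

def train(x, y, lr=1.0, steps=3000):
    """Logistic regression on the two features by plain gradient descent on cross-entropy."""
    f, _, _ = features(x)
    w, b = np.zeros(2), 0.0
    for _ in range(steps):
        p = sigmoid(f @ w + b)
        w -= lr * f.T @ (p - y) / len(y)
        b -= lr * np.mean(p - y)
    return w, b

def predict(model, x):
    w, b = model
    return (sigmoid(features(x)[0] @ w + b) > 0.5).astype(int)

def loss_gradient(model, x, y):
    """White-box gradient of the cross-entropy w.r.t. the I/Q input, by the chain rule:
    dL/dz = p - y,  dz/dr_k = (w_m + 2 w_v (r_k - m)) / N,  dr_k/dI_k = 2 I_k, dr_k/dQ_k = 2 Q_k."""
    w, b = model
    f, r, m = features(x)
    p = sigmoid(f @ w + b)
    dl_dr = (p - y)[:, None] * (w[0] + 2 * w[1] * (r - m[:, None])) / N_SYM
    return np.concatenate([dl_dr * 2 * x[:, :N_SYM], dl_dr * 2 * x[:, N_SYM:]], axis=1)

def pnr_to_radius(pnr_db):
    """L2 norm over the 2N real dimensions of a perturbation whose power per complex
    sample is PNR times the noise power."""
    return np.sqrt(10 ** (pnr_db / 10) * NOISE_POWER * N_SYM)

def fgsm(model, x, y, pnr_db):
    """One-step sign attack; eps is set so the perturbation power equals the PNR budget exactly."""
    eps = pnr_to_radius(pnr_db) / np.sqrt(2 * N_SYM)
    return x + eps * np.sign(loss_gradient(model, x, y))

def pgd_l2(model, x, y, pnr_db, steps=10):
    """Iterative normalised-gradient ascent, projected back onto the L2 ball of the same budget."""
    radius = pnr_to_radius(pnr_db)
    alpha = 2.5 * radius / steps
    delta = np.zeros_like(x)
    for _ in range(steps):
        g = loss_gradient(model, x + delta, y)
        delta += alpha * g / (np.linalg.norm(g, axis=1, keepdims=True) + 1e-12)
        norms = np.linalg.norm(delta, axis=1, keepdims=True)
        delta *= np.minimum(1.0, radius / (norms + 1e-12))
    return x + delta

def accuracy(model, x, y):
    return float(np.mean(predict(model, x) == y))

def run_experiment(pnrs_db=(-20.0, -10.0, 0.0), seed=0):
    """Clean accuracy and accuracy under FGSM / PGD at each PNR: the sweep of Fig. 3."""
    rng = np.random.default_rng(seed)
    x_tr, y_tr = make_dataset(1000, rng)
    x_te, y_te = make_dataset(500, rng)
    model = train(x_tr, y_tr)
    out = {"clean": accuracy(model, x_te, y_te), "fgsm": {}, "pgd": {}}
    for pnr in pnrs_db:
        out["fgsm"][pnr] = accuracy(model, fgsm(model, x_te, y_te, pnr), y_te)
        out["pgd"][pnr] = accuracy(model, pgd_l2(model, x_te, y_te, pnr), y_te)
    return out

if __name__ == "__main__":
    res = run_experiment()
    print(f"clean accuracy: {res['clean']:.3f}")
    for pnr in res["fgsm"]:
        print(f"PNR {pnr:6.1f} dB   FGSM acc {res['fgsm'][pnr]:.3f}   PGD acc {res['pgd'][pnr]:.3f}")
```

Running the script prints the clean accuracy and the FGSM and PGD accuracy at each PNR; the expected shape is the one in Fig. 3, with near-perfect clean accuracy collapsing as the PNR rises towards 0 dB. Both attacks are given the same total perturbation power at a given PNR (the L∞ sign step and the L2 ball share the same radius), which is what makes the comparison fair, and the same radius conversion is what a channel-aware attacker would have to scale by the path loss before transmitting.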

ML/DL Models used in Wireless Communication AML:

The related work in the literature on the ML/DL models used in adversarial machine learning for
wireless communications leads to the following taxonomy (the numbers mark the leaves referenced by the
examples below).

  RL (1)
  NN
    DL-RL (2)
    DL-NN
      DL-CNN (3)
      DL-FNN (4)
      DL-RL/NN (5)

Fig. 4. Taxonomy of ML/DL Models used for AML Attacks

Examples from the literature:

(2, 4) Authors in [19] proposed two DL-based jamming attack models, one based on a feedforward neural
network (DL-FNN) and the other based on reinforcement learning (DL-RL). The DRL attacker performs more
effectively in the experimental environment. Additionally, the DRL attacker does not require any
auxiliary neural network, as the FNN attacker does. However, considering the difference in the
information about the victim-environment interactions required by these two attackers, the advantage
goes to the FNN attacker. Therefore, if the channel patterns vary suddenly, the FNN is more promising
in terms of adapting to a new policy more quickly than the DRL attacker.

(3) In [20] the authors explore the challenge of concealing wireless communications from an
eavesdropper who uses a deep learning (CNN) classifier to identify whether or not any transmission of
interest is present.

(1) For 5G network slicing, the adversary watches the spectrum and creates its own RL-based surrogate
model that picks which resource blocks (RBs) to jam, with the goal of maximizing the number of
unsuccessful network slicing requests owing to jammed RBs, subject to an energy budget [21].

(5) The authors consider an unauthorized transmitter seeking to get its signals classified as
authorized by a deep learning-based authenticator. They present an RL-NN-based attack in which the
impostor alters the authenticator's signals in order to enter the system, using just the
authenticator's binary authentication decision. It is feasible to deceive the authenticator with a
greater than 90% success rate [22].

Defense techniques against AML attacks in wireless communications:

Some examples have shown that ML/DL-based attacks are more effective than traditional attacks and
harder to detect, such as the exploratory attack compared with traditional jamming. Moreover, due to the
unique properties discussed before, it is very important to understand the impact of AML attacks on
wireless communications; as a result, the sensitivity of ML/DL-based wireless communication strategies
to adversarial attacks has started to draw more attention. In order to address this sensitivity and
alleviate the resulting security concerns, this section discusses defense strategies against AML
attacks in wireless communications.

Fig. 5. Defense Measures: robustness, efficiency, cost

To judge whether a defense technique is suitable, several measures should be interpreted (Fig. 5).
Robustness: is the attack robust to the defense strategy? Efficiency: the ability of the defense to
detect and/or mitigate the attacks. Cost: the defense might increase the model complexity, lose some
training data to limit the adversary's knowledge (which leads to less effective model prediction),
decrease the communication system performance, etc.

The defense approaches:

1. Adversarial Training:

The basic principle behind adversarial training is to retrain the original classification model using
adversarial samples as input data. To maintain strong classification performance on clean examples
while strengthening the classifier's resistance to adversarial attacks, clean and adversarial data are
mixed in a specified ratio. The training set must be shuffled to increase the model's generalization
capacity. The ratio of clean to adversarial samples is significant, since it affects decoding speed
with or without adversarial attacks. Because the adversarial examples are trained with their true
labels, the model learns and exploits regularities in the process that creates the adversarial attacks.
To achieve quick convergence, the parameters of the already trained model are used to initialize the
network to be trained.

In [23], the authors consider an autoencoder-based communication system with a full-duplex (FD)
legitimate receiver and an external eavesdropper. The adversarial attack reduces the block error rate
(BLER) performance of autoencoder-based communication significantly, and adversarial training may be
used to re-train the autoencoder such that the genuine decoder can defend against the adversarial
attacks. The results show that under adversarial attacks, the legitimate receiver's BLER performance
remains almost unaffected in the anti-attacking and anti-eavesdropping communication systems, while the
eavesdropper's BLERs are increased by orders of magnitude in the anti-eavesdropping communication
system, indicating that the proposed anti-attacking and anti-eavesdropping autoencoder communication
systems ensure reliable and secure transmission.

The authors in [24] consider a wireless communication system consisting of one transmitter, one
legitimate receiver, and one eavesdropper. The transmitter sends a perturbation-added signal (i.e. an
adversarial example) with a certain modulation type, while the legitimate receiver and the eavesdropper
use DNN-based classifiers to identify the modulation type of the received signal. In contrast to the
typical purpose of adversarial examples, which is to cause misclassification at all available
classifiers, their goal is to construct an adversarial example that allows the genuine receiver to
classify properly while the eavesdropper misclassifies. To that end, they offer two design methods for
adversarial examples, one before and one after the receiver's learning stage. Both techniques are
successful for safeguarding the communication link, according to the numerical results.

However, there are several problems with adversarial training, such as a scenario in which the
adversary uses a different attack than the one employed in training. In addition, an adversary can
generate new perturbations by training a model on adversarial samples. Moreover, training with
adversarial examples often decreases DL model performance on unperturbed signals. Training with various
adversarial examples can be used to overcome these issues.

Fig. 6. Adversarial Training Using different attacks


2. Randomized Smoothing:

Randomized smoothing (also known as Gaussian smoothing) is a certified defense method that augments the
training set with Gaussian noise. Such augmentation strengthens the classifier in several directions,
one of which is robustness against adversarial perturbations. Recent work [25] has demonstrated that
randomized smoothing with Gaussian noise can offer a strong robustness guarantee in the l2 norm. It is
worth noting that, unlike the pictures used as input samples in computer vision, received signals in
wireless communications are already noisy, and randomized smoothing somewhat increases the noise level.
However, when the number of data samples in the training set is smaller than the number of neural
network parameters, data augmentation increases classifier performance, so Gaussian smoothing does not
cause any degradation.

Fig. 7. Target Classifier with Different Scenarios.

Authors in [26] demonstrate that increasing the number of augmentation samples in the training set
enhances the classifier's resistance to adversarial perturbations compared with the initial classifier
trained without any defense. This defense advantage, however, comes at the expense of more training
time, but the defense results can be certified with a desired confidence by using randomized smoothing
at test time. They showed that it is effective in reducing the impact of adversarial attacks on the
modulation classifier's performance.

3. Peak-to-Average Power Ratio (PAPR) with the Kolmogorov-Smirnov (KS) Test:

It is known that the PAPR of a signal waveform is a metric that determines how efficiently the system
performs, i.e. a lower PAPR is desired so that the power amplifier used to transmit the signals can
operate more efficiently and thus save battery in the UE [27]. Moreover, PAPR serves as a signature of a
given modulation. If the classified label of an input signal implies a certain modulation and its PAPR
statistic indicates the contrary with high confidence, additional tests should be undertaken to confirm
or refute the suspicion. The statistical test used is the KS test, which leverages the PAPR of the RF
samples. The PAPR is calculated for each training input and for the corresponding adversarial examples
generated from it, while the KS test is used to determine whether the PAPRs of the training inputs and
their adversarial examples belong to the same probability distribution. Hence, it is used to ascertain
whether the PAPR of an input is closer to the statistic of an adversarial example or of a legitimate
example. The authors justify the choice of PAPR as a potential statistic for detecting adversarial
examples by looking at the plot of the RF waveforms recovered from the legitimate inputs and their
adversarial examples. Results show that the PAPR statistic is robust to the over-the-air delivery of RF
data points and remains effective in the presence of a fading channel [28].

4. DNN Softmax Layer KS Statistics:

This is also a KS statistical test for detecting adversarial examples; however, it is universal. Using
the statistics of the last layer of the neural network, the softmax output of the DNN classifier is used
to detect whether adversarial samples have caused a change in distribution. Typically, the sample size
of the input data is a reliable predictor of the statistical test's quality. The KS test is performed
in the same manner as in the previous method; the only difference is the statistic on which the KS test
is applied. Here, it is the empirical entropy H of the softmax output for each input x. Results in [28]
indicate that the KS test based on the entropy of the output layer remains effective when evaluated at
a classifier that receives its inputs over the air (OTA), even though the channel effects cause a
distribution shift.
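The KS machinery behind defenses 3 and 4 is the same; only the statistic changes. The following added Python example (not code or data from [28]) implements the two-sample KS test itself and applies it to the PAPR statistic of defense 3; feeding it the softmax entropy H of each input instead gives defense 4. The legitimate QPSK bursts, the suspect batch and the perturbation are constructed: the perturbation has the shape a gradient-sign attack takes against a classifier that keys on per-sample power variance (amplify samples above the burst's mean power, attenuate those below) and is scaled to a chosen PNR; it is not the attack of any cited paper.

```python
# Added example: two-sample KS test on the PAPR statistic (defense 3); the same
# ks_two_sample() applied to softmax entropies gives defense 4.  Bursts, suspect
# batch and perturbation are constructed assumptions, not data or code from [28].
import numpy as np

N_SYM = 64
SNR_DB = 10.0
NOISE_POWER = 10 ** (-SNR_DB / 10)
KS_C_ALPHA_05 = 1.358   # asymptotic critical coefficient of the two-sample KS test at alpha = 0.05

def qpsk_bursts(n, rng):
    """Constructed legitimate inputs: n bursts of N_SYM noisy unit-power QPSK symbols (complex array)."""
    syms = np.exp(1j * (np.pi / 4 + np.pi / 2 * rng.integers(0, 4, size=(n, N_SYM))))
    noise = np.sqrt(NOISE_POWER / 2) * (rng.standard_normal(syms.shape) + 1j * rng.standard_normal(syms.shape))
    return syms + noise

def structured_perturbation(x, pnr_db):
    """Stand-in for an adversarial perturbation (assumption): power PNR x noise power per sample,
    pushing every sample away from the burst's mean power along its own I/Q signs, which is
    the direction sign(dL/dx) takes against a classifier that keys on power variance."""
    eps = np.sqrt(10 ** (pnr_db / 10) * NOISE_POWER / 2)   # per real dimension
    r = np.abs(x) ** 2
    away = np.sign(r - r.mean(axis=1, keepdims=True))
    return x + eps * away * (np.sign(x.real) + 1j * np.sign(x.imag))

def papr_db(x):
    """Peak-to-average power ratio of each burst in dB."""
    r = np.abs(x) ** 2
    return 10 * np.log10(r.max(axis=1) / r.mean(axis=1))

def ks_two_sample(a, b, c_alpha=KS_C_ALPHA_05):
    """Two-sample KS statistic D = max |F_a - F_b| over the pooled sample, and the
    asymptotic decision D > c_alpha * sqrt((n + m) / (n m)).  Returns (D, flagged)."""
    a, b = np.sort(np.asarray(a, dtype=float)), np.sort(np.asarray(b, dtype=float))
    grid = np.concatenate([a, b])
    cdf_a = np.searchsorted(a, grid, side="right") / len(a)
    cdf_b = np.searchsorted(b, grid, side="right") / len(b)
    d = float(np.max(np.abs(cdf_a - cdf_b)))
    threshold = c_alpha * np.sqrt((len(a) + len(b)) / (len(a) * len(b)))
    return d, bool(d > threshold)

def papr_ks_detector(pnr_db, n=500, seed=0):
    """PAPRs of a held-out legitimate reference batch vs PAPRs of a suspect batch.
    pnr_db=None leaves the suspect batch unperturbed (false-alarm check). Returns (D, flagged)."""
    rng = np.random.default_rng(seed)
    reference = papr_db(qpsk_bursts(n, rng))
    suspect = qpsk_bursts(n, rng)
    if pnr_db is not None:
        suspect = structured_perturbation(suspect, pnr_db)
    return ks_two_sample(reference, papr_db(suspect))

if __name__ == "__main__":
    for pnr in (None, -20.0, -10.0, 0.0):
        d, flagged = papr_ks_detector(pnr)
        label = "clean" if pnr is None else f"PNR {pnr:5.1f} dB"
        print(f"{label:14s} D = {d:.3f}  flagged = {flagged}")
```

At PNR 0 dB the detector flags the batch with a large D, while an unperturbed suspect batch stays below the alpha = 0.05 threshold apart from the nominal 5% false-alarm rate of the test. The caveat the text raises applies: a weak perturbation (try -20 dB) barely moves the PAPR distribution and is not detected, so the statistic is a filter, not a proof of legitimacy.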

5. Median Absolute Deviation:

The MAD algorithm is used to detect outliers; it is resilient to multiple outliers in the data, using
the absolute deviation of all data points from the median. MAD provides a reliable measure of the
dispersion of the distribution. Any data point with anomaly index > 2 has > 95% probability of being an
outlier, and any label with anomaly index larger than 2 is labeled as an outlier (poisoned). Authors in
[29] observe that when the number of poisoned samples in the training dataset increases, the MAD
increases. However, when only a few samples are poisoned, the difference in the MAD distributions of
clean and poisoned samples is not statistically significant, which limits its detection performance for
poisoned data with triggers. The defense approach in [30] applies statistical outlier detection to the
activations of the last hidden layer; the authors used 10-20% infected training samples, which is a
high proportion of poisoned samples.
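To make the MAD rule concrete, the following added Python example (not the detector or data of [29] or [30]) applies it to the phase-trigger Trojan described earlier among the attack examples: a fraction of QPSK training bursts is rotated by a fixed phase, and the anomaly index of a blind carrier-phase estimate flags them. The dataset, the 20-degree trigger and the 10% poisoning rate are constructed assumptions; the point is that the median and MAD are almost unmoved by a minority of poisoned samples, so the index > 2 rule isolates them, at the cost of the false alarms a two-sigma rule produces on clean data.

```python
# Added example: MAD anomaly index (defense 5) applied to the phase-shift trigger of the
# Trojan attack described above.  Dataset, trigger and poisoning rate are constructed
# assumptions; this is not the detector or data of [29] or [30].
import numpy as np

N_SYM = 64
SNR_DB = 10.0
NOISE_POWER = 10 ** (-SNR_DB / 10)
MAD_SCALE = 1.4826          # makes MAD consistent with the standard deviation of Gaussian data
ANOMALY_THRESHOLD = 2.0     # anomaly index > 2 is treated as an outlier, as in the text

def qpsk_bursts(n, rng):
    """Constructed clean training inputs: n bursts of N_SYM noisy unit-power QPSK symbols."""
    syms = np.exp(1j * (np.pi / 4 + np.pi / 2 * rng.integers(0, 4, size=(n, N_SYM))))
    noise = np.sqrt(NOISE_POWER / 2) * (rng.standard_normal(syms.shape) + 1j * rng.standard_normal(syms.shape))
    return syms + noise

def phase_offset_estimate(x):
    """Blind carrier-phase estimate for QPSK: the 4th power removes the data, so angle(mean(x^4))
    is 4 times the rotation of the burst.  The minus sign cancels the pi contributed by the
    45-degree constellation, so an unrotated burst estimates ~0 rad and a trigger rotation of
    theta (|theta| < pi/4) estimates ~theta."""
    return np.angle(-np.mean(x ** 4, axis=1)) / 4.0

def mad_anomaly_index(values):
    """|v - median| / (1.4826 * MAD): a robust z-score.  Median and MAD are barely moved by a
    minority of outliers, unlike the mean and standard deviation."""
    values = np.asarray(values, dtype=float)
    med = np.median(values)
    mad = np.median(np.abs(values - med))
    return np.abs(values - med) / (MAD_SCALE * mad + 1e-12)

def poisoned_training_set(n_clean, n_poisoned, trigger_rad, rng):
    """Clean bursts plus bursts rotated by the trigger phase.  The Trojan attack also flips the
    labels of the poisoned samples; the detector here looks only at the inputs."""
    clean = qpsk_bursts(n_clean, rng)
    poisoned = qpsk_bursts(n_poisoned, rng) * np.exp(1j * trigger_rad)
    x = np.concatenate([clean, poisoned])
    is_poisoned = np.concatenate([np.zeros(n_clean, bool), np.ones(n_poisoned, bool)])
    return x, is_poisoned

def run_detection(n_clean=900, n_poisoned=100, trigger_deg=20.0, seed=0):
    """Returns (true-positive rate on poisoned bursts, false-alarm rate on clean bursts)."""
    rng = np.random.default_rng(seed)
    x, is_poisoned = poisoned_training_set(n_clean, n_poisoned, np.deg2rad(trigger_deg), rng)
    flagged = mad_anomaly_index(phase_offset_estimate(x)) > ANOMALY_THRESHOLD
    return float(np.mean(flagged[is_poisoned])), float(np.mean(flagged[~is_poisoned]))

if __name__ == "__main__":
    tpr, far = run_detection()
    print(f"poisoned flagged: {tpr:.3f}   clean falsely flagged: {far:.3f}")
```

run_detection returns the true-positive rate on poisoned bursts and the false-alarm rate on clean ones; with these settings the former is essentially 1 and the latter a few percent. Shrinking n_poisoned to a handful of samples still flags them here, because the trigger is large relative to the jitter of the phase estimate; a trigger of a few degrees, comparable to that jitter, is where the per-sample rule breaks down.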

6. Clustering-Based Detection of Triggers:

The clustering-based outlier detection uses a two-step approach. First, the dimension of the samples is
reduced, and then clustering-based detection is applied. Authors in [29] use an SVM technique; the
outputs were well grouped into clean and poisoned test samples, regardless of the initialization
procedure. Both initialization procedures, random initialization and principal component analysis
(PCA), yield greater than 98 percent accuracy at perplexity 30. As a result, even if just a few samples
are poisoned, the clustering technique may detect Trojan attacks successfully.

7. Fooling the Adversary (an offensive initiative):

This method modifies the DNN classifier's output slightly and purposefully makes some (usually a small
number of) erroneous decisions in order to confuse the adversary and defend against exploratory attacks.
For example, the transmitter can purposefully transmit on a busy channel or ignore a transmission
opportunity on an idle channel, preventing the adversary who observes the spectrum from training a
reliable surrogate model.

This technique is used in [30] to defend against an adversarial machine learning technique that launches
jamming attacks on wireless communications. A cognitive transmitter predicts the current channel status
based on recent sensing results and decides whether to transmit or not, whereas a jammer collects
channel status and ACKs to build a deep learning classifier that reliably predicts the next successful
transmissions and effectively jams them. This jamming method is found to significantly degrade
transmitter performance compared with random or sensing-based jamming. The jammer uses the deep learning
classification results for power control, subject to an average power constraint. Following that, a
generative adversarial network is built for the jammer to shorten the time it takes to gather the
training dataset by supplementing it with synthetic examples. As a defense strategy, the transmitter
purposefully performs a limited number of incorrect spectrum access actions (in the form of a causative
attack against the jammer), preventing the jammer from constructing an accurate classifier. The
transmitter methodically chooses when to take incorrect actions and adjusts the level of protection to
fool the jammer into making prediction mistakes, hence increasing its throughput.

The technique is also used in [31] to defend against an adversarial deep learning approach that launches
over-the-air spectrum poisoning attacks. A transmitter uses deep learning to estimate idle time slots
for data transmission based on the findings of its spectrum sensing. Meanwhile, an adversary learns the
transmitter's behavior (exploratory attack) by constructing another deep neural network to forecast
when transmissions would succeed. A dynamic defense is created for the transmitter, which intentionally
sends out a limited number of wrong transmissions (determined by the confidence score of the channel
classification) in order to alter the adversary's training data. This technique effectively fools the
adversary (if any) and allows the transmitter to maintain its throughput with or without the presence of
an adversary.

To defend wireless communications against AML attacks on reinforcement learning, a similar diversity
strategy is used. In [32] the authors discuss a victim user who uses DRL-based dynamic channel access
and an attacker who uses DRL-based jamming to interrupt the victim. As a result, both the victim and
the attacker are DRL agents who may interact with one another, retrain their models, and adapt to the
policies of their adversaries. The adversarial jamming policy aims at reducing the accuracy of the
victim's decision making on dynamic channel access. Following this, they present three defensive
tactics against such an attacker: i) diversified defense with proportional-integral-derivative (PID)
control, ii) diversified defense with an imitation attacker, and iii) defense via orthogonal policies.
To increase the uncertainty at the adversary, the defender may alternate between alternative channel
access policies, derived by a PID controller or by imitation learning. (A PID controller, or three-term
controller, is a feedback control loop mechanism that is widely used in industrial control systems and
a variety of other applications requiring continuously modulated control.) Another defense strategy is
to use orthogonal reinforcement learning policies to prevent the opponent from rapidly switching
between its imitation policies.

Diversified with PID: This defense makes no assumptions about the attacker and needs no additional
training beforehand, resulting in a 39 percent accuracy level for the victim user in this circumstance.

Diversified with imitation attacker: Assumes that the attacker employs an actor-critic DRL agent; it can
attain a very high accuracy (90%) and is robust to different settings.

Orthogonal policies: The policies must be trained prior to the attack, with no assumptions about the
attacker, and reach a 50% accuracy. The authors have also devised an attack detection technique based on
orthogonal principles that can distinguish attacks from changes in the environment.

Table 4. Results of Defense Techniques Used in [27].
3. Conclusion

This chapter introduced adversarial machine learning for wireless communication systems in terms of the
attacks and defense techniques covered by the literature. This field is still at an early stage, and the
techniques used by other domains cannot be applied directly to the wireless domain, due to the
differences between the wireless environment and other fields such as computer vision and natural
language processing.
