面向调制识别的对抗样本研究综述

doi:10.3969/j.issn.1671-1122.2023.06.008

摘要/Abstract

摘要：

调制方式识别是认知无线电、电磁对抗等领域中的关键一环，也是进行接收机高效信号处理的重要前提。深度学习具有自主分析、自动特征提取和非线性拟合等传统手段无法比拟的独特优势，其在调制方式识别中表现出了具大潜力，但深度学习模型容易受到对抗样本的攻击，对调制识别任务造成严重影响。尽管对抗样本攻击在计算机视觉、自然语言处理等领域得到了广泛研究，但其在调制识别领域的研究成果较为零散。本文基于调制识别的独特特性，介绍了基于深度学习的调制识别技术，构建了调制识别的问题模型，阐述了目前常见的神经网络在调制识别中的应用现状并列举和对比了调制识别常用数据集及其仿真结果。通过回顾攻击类型、对抗样本生成和防御策略总结了最新的研究成果，建立了不同攻击和防御类别的分类法，并讨论了对抗样本在无线通信中的未来前景。

关键词: 调制识别, 神经网络, 对抗样本, 对抗防御

Abstract:

Modulation recognition is a key component in the fields of cognitive radio, electronic warfare, and other related areas. It is also an important prerequisite for efficient signal processing in receivers. Due to the unique advantages of deep learning, such as autonomous analysis, automatic feature extraction, and nonlinear fitting, which traditional methods cannot match, it has great potential in modulation recognition. However, deep learning models are vulnerable to adversarial attacks, which seriously affect the task of modulation recognition. Although adversarial sample attacks have been widely studied in the fields of computer vision and natural language processing, research results in the field of modulation recognition are relatively scattered. This article introduced the modulation recognition technology based on deep learning, established the problem model of modulation recognition, and elaborated on the application status of common neural networks in modulation recognition, as well as listed and compared commonly used datasets and simulation results of modulation recognition. By reviewing attack types, adversarial sample generation, and defense strategies, we summarized the latest research results, established a classification system for different types of attacks and defence, and discussed the future prospects of adversarial samples in wireless communication.

Key words: modulation recognition, neural networks, adversarial samples, adversarial defence

中图分类号:

TP309

蒋曾辉, 曾维军, 陈璞, 武士涛. 面向调制识别的对抗样本研究综述[J]. 信息网络安全, 2023, 23(6): 74-90.

JIANG Zenghui, ZENG Weijun, CHEN Pu, WU Shitao. Review of Adversarial Samples for Modulation Recognition[J]. Netinfo Security, 2023, 23(6): 74-90.

图/表 8

图1

表1

图2

图3

图4

图5

表2

面向调制识别的对抗攻击总结

方案	攻击类型	描述	攻击算法	数据库
文献[34]	非定向、白盒	评估基于原始I/Q的调制分类的漏洞	FGSM	RML2016.10a
文献[35]	定向、白盒	检验基于DL的自动调制分类器在直接访问其输入的对手存在的情况下是如何崩溃的，验证定向攻击优于非定向攻击	FGSM、MIM	RML2016.10a
文献[36]	白盒	测试FGSM、L-BFGS两种类型的对抗性攻击的攻击效率	FGSM、 L-BFGS	RML2016.04c
文献[37]	定向、非定向、白盒	比较了常见攻击算法在调制识别领域的性能差异，探索对抗性攻击的可行性和有效性，并确定攻击不可见性和成功的最佳扰动规模	FGSM、BIM、PGD、MIM	RML2016.10a
文献[38]	定向、非定向、白盒	提出一种基于动态迭代的用于攻击DNN模型的对抗攻击方法	MIM、DIM	RML2016.10a
文献[39,40]	定向、非定向、白盒	通过干扰信道输入符号，最大限度地降低入侵者确定发射机使用的调制方案的准确性	PGD	本地生成数据
文献[41]	定向、白盒	通过传输对抗性扰动的合作干扰器欺骗基于DL的窃听者，以向窃听者隐藏5G通信	FGM	本地生成数据
文献[42]	定向、白盒	应用CW攻击在合成和实时捕获的RF数据点上生成有目标的对抗性样本	CW	RML2018.01a 和本地生成数据
文献[43]	定向、白盒	研究使用多个天线在无线接收器处对基于DNN的调制分类器的输入产生不同信道效应（根据总功率预算）的多个并发扰动	FGM	RML2016.10a
文献[44]	定向、白盒	利用不同的数据驱动下采样策略，研究对抗攻击对AMR模型的影响	CW	RML2016.10b
文献[45]	定向、非定向、白盒	探索如何通过考虑信道效应以及对手的功率约束来发起逼真的对抗攻击	MRPP	本地生成数据
文献[46]	定向、非定向、白盒	研究了信道对代理模型的影响，并针对基于DNN的无线信号分类器进行对抗性攻击	MRPP	本地生成数据
文献 [47]	黑盒	提出了一种检测容忍的黑盒对抗攻击模型，可以极大降低对抗样本被检测的概率	DTBA	RML2016.10a
文献[48]	非定向、黑盒	提出了位置不变的对抗性攻击方法用于提升对抗样本迁移性	FGSM、PGD	RML2016.10a
文献[49]	定向、非定向、黑盒	探索在不同接收器存在真实的信道效应和多个分类器的情况下设计真实的对抗性攻击	FGM、UAP	RML2016.10a
文献[50]	定向、非定向、黑盒	展示了DL模型对对抗攻击的易感性，并提出了在调制分类中制作对抗样本的实用方法	UAP、FGM	RML2016.10a
文献[51]	定向、黑盒	通过使用前向纠错（FEC）扩展通信感知对抗攻击	ATN	本地生成数据
文献 [52]	定向、非定向、黑盒	通过在训练过程中引入频谱欺骗损失度量，使频谱形状更符合原始信号	AMN	本地生成数据
文献[53]	定向、非定向、黑盒	基于AdvGAN，提出一个输入不可知的对抗攻击	AdvGAN	RML2016.10a
文献[54]	定向、非定向、黑盒	提出了一种基于L2范数的LIW生成方法，该方法可以降低调制方式被第三方识别的概率，而不影响友方的可靠通信	MIM	RML2016.10a

表2

表3

参考文献 78

[1]	HUANG Zhitao, YANG Jie, WANG Xiang, et al. A Survey of Modulation Recognition Algorithms in Non-Cooperative Communication[J]. Science & Technology Review, 2019, 37(4): 55-62.
[2]	ZEBARJADI M, TEIMOURI M. Non-Cooperative Burst Detection and Synchronisation in Downlink TDMA-Based Wireless Communication Networks[J]. IET Communications, 2019, 13(7): 863-872. doi: 10.1049/cmu2.v13.7 URL
[3]	O’SHEA T J, ROY T, CLANCY T C. Over-the-Air Deep Learning Based Radio Signal Classification[J]. IEEE Journal of Selected Topics in Signal Processing, 2018, 12(1): 168-179. doi: 10.1109/JSTSP.2018.2797022 URL
[4]	O’SHEA T, HOYDIS J. An Introduction to Deep Learning for the Physical Layer[J]. IEEE Transactions on Cognitive Communications and Networking, 2017, 3(4): 563-575. doi: 10.1109/TCCN.2017.2758370 URL
[5]	SHI Qinghua, KARASAWA Y. Automatic Modulation Identification Based on the Probability Density Function of Signal Phase[J]. IEEE Transactions on Communications, 2012, 60(4): 1033-1044. doi: 10.1109/TCOMM.2012.021712.100638 URL
[6]	SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing Properties of Neural Networks[EB/OL]. (2014-02-19)[2023-04-10]. https://arxiv.org/abs/1312.6199.
[7]	SADEGHI M, LARSSON E G. Physical Adversarial Attacks Against End-to-End Autoencoder Communication Systems[J]. IEEE Communications Letters, 2019, 23(5): 847-850. doi: 10.1109/COML.4234 URL
[8]	WEAVER C S, COLE C A, KRUMLAND R B, et al. The Automatic Classification of Modulation Types by Pattern Recognition[EB/OL]. (1969-04-01)[2023-04-10]. https://www.semanticscholar.org/paper/THE-AUTOMATIC-CLASSIFICATION-OF-MODULATION-TYPES-BY-Weaver-Cole/bbfd299d0beb7e66f2662625717327211d352709.
[9]	LECUN Y, BOTTOU L, BENGIO Y, et al. Gradient-Based Learning Applied to Document Recognition[J]. Proceedings of the IEEE, 1998, 86(11): 2278-2324. doi: 10.1109/5.726791 URL
[10]	HOCHREITER S, SCHMIDHUBER J. Long Short-Term Memory[J]. Neural Computation, 1997, 9(8): 1735-1780. doi: 10.1162/neco.1997.9.8.1735 pmid: 9377276
[11]	O’SHEA T J, CORGAN J, CLANCY T C. Convolutional Radio Modulation Recognition Networks[C]// Springer. Engineering Applications of Neural Networks:17th International Conference. Berlin:Springer, 2016: 213-226.
[12]	HU Shisheng, PEI Yiyang, LIANG P P, et al. Deep Neural Network for Robust Modulation Cassification Under Uncertain Noise Conditions[J]. IEEE Transactions on Vehicular Technology, 2019, 69(1): 564-577. doi: 10.1109/TVT.25 URL
[13]	ZHENG Shilian, QI Peihan, CHEN Shichuan, et al. Fusion Methods for CNN-Based Automatic Modulation Classification[J]. IEEE Access, 2019, 7: 66496-66504. doi: 10.1109/ACCESS.2019.2918136
[14]	PENG Shengliang, JIANG Hanyu, WANG Huaxia, et al. Modulation Classification Based on Signal Constellation Diagrams and Deep Learning[J]. IEEE Transactions on Neural Networks and Learning Systems, 2018, 30(3): 718-727. doi: 10.1109/TNNLS.2018.2850703 URL
[15]	TU Ya, LIN Yun. Deep Neural Network Compression Technique Towards Efficient Digital Signal Modulation Recognition in Edge Device[J]. IEEE Access, 2019, 7: 58113-58119. doi: 10.1109/ACCESS.2019.2913945
[16]	ZHANG Zhibo, FAN Yaxuan, MENG Xiao. Pattern Recognition Method of Communication Interference Based on Power Spectrum Density and Neural Network[J]. Journal of Terahertz Science and Electronic Information Technology, 2019, 17(6): 959-963.
	张智博, 樊雅玄, 孟骁. 基于谱图和神经网络的通信干扰模式识别方法[J]. 太赫兹科学与电子信息学报, 2019, 17(6): 959-963.
[17]	ZHA Xiong, PENG Hua, QIN Xin, et al. Modulation Recognition Method Based on Multi-Inputs Convolution Neural Network[J]. Journal on Communications, 2019, 40(11): 30-37. doi: 10.11959/j.issn.1000-436x.2019206
	查雄, 彭华, 秦鑫, 等. 基于多端卷积神经网络的调制识别方法[J]. 通信学报, 2019, 40(11): 30-37. doi: 10.11959/j.issn.1000-436x.2019206
[18]	TU Ya, LIN Yun, WANG Jin, et al. Semi-Supervised Learning with Generative Adversarial Networks on Digital Signal Modulation Classification[J]. Computers, Materials＆Continua, 2018, 55(2): 243-254.
[19]	WU Hao, ZHOU Liang, LI Yaxing, et al. Modulation Recognition Method Based on Convolutional Neural Networks and Sparse Filtering[J]. Systems Engineering and Electronics, 2019, 41(9): 2114-2121.
	吴灏, 周亮, 李亚星, 等. 基于卷积神经网络和稀疏滤波的调制识别方法[J]. 系统工程与电子技术, 2019, 41(9): 2114-2121.
[20]	TANG Bin, TU Ya, ZHANG Zhaoyue, et al. Digital Signal Modulation Classification with Data Augmentation Using Generative Adversarial Nets in Cognitive Radio Networks[J]. IEEE Access, 2018, 6: 15713-15722. doi: 10.1109/ACCESS.2018.2815741 URL
[21]	O’SHEA T J, WEST N. Radio Machine Learning Dataset Generation with GNU Radio[EB/OL]. (2016-09-06)[2023-04-10]. https://www.semanticscholar.org/paper/Radio-Machine-Learning-Dataset-Generation-with-GNU-O'Shea-West/227e0591634cef50d0bcfc73fe6c5b34a2256e5f.
[22]	WANG Yu, LIU Miao, YANG Jie, et al. Data-Driven Deep Learning for Automatic Modulation Recognition in Cognitive Radios[J]. IEEE Transactions on Vehicular Technology, 2019, 68(4): 4074-4077. doi: 10.1109/TVT.25 URL
[23]	WEST N E, O’SHEA T. Deep Architectures for Modulation Recognition[C]// IEEE. 2017 IEEE International Symposium on Dynamic Spectrum Access Networks (DySPAN). New York:IEEE, 2017: 1-6.
[24]	GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and Harnessing Adversarial Examples[EB/OL]. (2015-03-20)[2023-04-10]. https://arxiv.org/abs/1412.6572.
[25]	KURAKIN A, GOODFELLOW I J, BENGIO S. Adversarial Examples in the Physical World[EB/OL]. (2017-02-11)[2023-04-10]. https://arxiv.org/abs/1607.02533.
[26]	DONG Yinpeng, LIAO Fangzhou, PANG Tianyu, et al. Boosting Adversarial Attacks with Momentum[C]// IEEE. Proceedings of the IEEE conference on computer vision and pattern recognition. New York: IEEE. 2018: 9185-9193.
[27]	MADRY A, MAKELOV A, SCHMIDT L, et al. Towards Deep Learning Models Resistant to Adversarial Attacks[EB/OL]. (2019-09-04)[2023-04-10]. https://arxiv.org/abs/1706.06083.
[28]	SRIRAMANAN G, ADDEPALLI S, BABURAJ A. Guided Adversarial Attack for Evaluating and Enhancing Adversarial Defenses[J]. Advances in Neural Information Processing Systems, 2020, 33: 20297-20308.
[29]	CARLINI N, WAGNER D. Towards Evaluating the Robustness of Neural Networks[C]// IEEE. 2017 IEEE symposium on security and privacy (sp). New York:IEEE, 2017: 39-57.
[30]	BALUJA S, FISCHER I. Adversarial Transformation Networks: Learning to Generate Adversarial Examples[EB/OL]. (2017-03-28)[2023-04-10]. https://arxiv.org/abs/1703.09387.
[31]	SU Jiawei, VARGAS D V, SAKURAI K. One Pixel Attack for Fooling Deep Neural Networks[J]. IEEE Transactions on Evolutionary Computation, 2019, 23(5): 828-841. doi: 10.1109/TEVC.4235 URL
[32]	MOOSAVI-DEZFOOLI S M, FAWZI A, FAWZI O, et al. Universal Adversarial Perturbations[C]// IEEE. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2017: 1765-1773.
[33]	XIAO Chaowei, LI Bo, ZHU Junyan, et al. Generating Adversarial Examples with Adversarial Networks[EB/OL]. (2019-02-14)[2023-04-10]. https://arxiv.org/abs/1801.02610.
[34]	FLOWERS B, BUEHRER R M, HEADLEY W C. Evaluating Adversarial Evasion Attacks in the Context of Wireless Communications[J]. IEEE Transactions on Information Forensics and Security, 2019, 15: 1102-1113. doi: 10.1109/TIFS.10206 URL
[35]	BAIR S, DELVECCHIO M, FLOWERS B, et al. On the Limitations of Targeted Adversarial Evasion Attacks Against Deep Learning Enabled Modulation Recognition[C]// ACM. Proceedings of the ACM Workshop on Wireless Security and Machine Learning. New York: ACM, 2019 : 25-30.
[36]	KE Da, HUANG Zhitao, WANG Xiang, et al. Application of Adversarial Examples in Communication Modulation Classification[C]// IEEE. 2019 International Conference on Data Mining Workshops (ICDMW). New York:IEEE, 2019: 877-882.
[37]	LIN Yun, ZHAO Haojun, MA Xuefei, et al. Adversarial Attacks in Modulation Recognition with Convolutional Neural Networks[J]. IEEE Transactions on Reliability, 2020, 70(1): 389-401. doi: 10.1109/TR.24 URL
[38]	LIU Mingqian, ZHANG Zhenju, ZHAO Nan, et al. Adversarial Attacks on Deep Neural Networks Based Modulation Recognition[C]// IEEE. IEEE INFOCOM 2022-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). New York:IEEE, 2022: 1-6.
[39]	HAMEED M Z, GYÖRGY A, GÜNDÜZ D. The Best Defense is a Good Offense: Adversarial Attacks to Avoid Modulation Detection[J]. IEEE Transactions on Information Forensics and Security, 2020, 16: 1074-1087. doi: 10.1109/TIFS.10206 URL
[40]	HAMEED M Z, GYÖRGY A, GÜNDÜZ D. Communication Without Interception: Defense Against Modulation Detection[C]// IEEE. 2019 IEEE Global Conference on Signal and Information Processing (GlobalSIP ). New York:IEEE, 2019: 1-5.
[41]	KIM B, SAGDUYU Y E, DAVASLIOGLU K, et al. How to Make 5G Communications" Invisible": Adversarial Machine Learning for Wireless Privacy[C]// IEEE. 2020 54th Asilomar Conference on Signals, Systems, and Computers. New York: IEEE, 2020: 763-767.
[42]	KOKALJ-FILIPOVIC S, MILLER R, MORMAN J. Targeted Adversarial Examples Against RF Deep Classifiers[C]// ACM. Proceedings of the ACM Workshop on Wireless Security and Machine Learning. New York: ACM, 2019: 6-11.
[43]	KIM B, SAGDUYU Y E, ERPEK T, et al. Adversarial Attacks with Multiple Antennas Against Deep Learning-Based Modulation Classifiers[C]// IEEE. 2020 IEEE Globecom Workshops (GC Wkshps). New York:IEEE, 2020: 1-6.
[44]	YI J, GAMAL A E. Gradient-Based Adversarial Deep Modulation Classification with Data-Driven Subsamplings[EB/OL]. (2021-04-03)[2023-04-10]. https://doi.org/10.48550/arXiv.2104.06375. doi: https://doi.org/10.48550/arXiv.2104.06375
[45]	KIM B, SAGDUYU Y E, DAVASLIOGLU K, et al. Over-the-Air Adversarial Attacks on Deep Learning Based Modulation Classifier over Wireless Channels[C]// IEEE. 2020 54th Annual Conference on Information Sciences and Systems (CISS). New York:IEEE, 2020: 1-6.
[46]	KIM B, SAGDUYU Y E, ERPEK T, et al. Channel Effects on Surrogate Models of Adversarial Attacks Against Wireless Signal Classifiers[C]// IEEE. ICC 2021-IEEE International Conference on Communications. New York: IEEE, 2021: 1-6.
[47]	QI Peihan, JIANG Tao, WANG Lizhan, et al. Detection Tolerant Black-Box Adversarial Attack Against Automatic Modulation Classification with Deep Learning[J]. IEEE Transactions on Reliability, 2022, 71(2): 674-686. doi: 10.1109/TR.2022.3161138 URL
[48]	YU Zhen, XIONG Yifeng, HE Kun, et al. Position-Invariant Adversarial Attacks on Neural Modulation Recognition[C]// IEEE. ICASSP 2022-2022 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). New York:IEEE, 2022: 3483-3487.
[49]	KIM B, SAGDUYU Y E, DAVASLIOGLU K, et al. Channel-Aware Adversarial Attacks Against Deep Learning-Based Wireless Signal Classifiers[J]. IEEE Transactions on Wireless Communications, 2021, 21(6): 3868-3880. doi: 10.1109/TWC.2021.3124855 URL
[50]	SADEGHI M, LARSSON E G. Adversarial Attacks on Deep-Learning Based Radio Signal Classification[J]. IEEE Wireless Communications Letters, 2018, 8(1): 213-216. doi: 10.1109/LWC.2018.2867459 URL
[51]	DELVECCHIO M, FLOWERS B, HEADLEY W C. Effects of Forward Error Correction on Communications Aware Evasion Attacks[C]// IEEE. 2020 IEEE 31st Annual International Symposium on Personal, Indoor and Mobile Radio Communications. New York: IEEE, 2020: 1-7.
[52]	DELVECCHIO M, ARNDORFER V, HEADLEY W C. Investigating a Spectral Deception Loss Metric for Training Machine Learning-Based Evasion Attacks[C]// ACM. Proceedings of the 2nd ACM Workshop on Wireless Security and Machine Learning. New York: ACM, 2020: 43-48.
[53]	BAHRAMALI A, NASR M, HOUMANSADR A, et al. Robust Adversarial Attacks Against DNN-Based Wireless Communication Systems[C]// ACM. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2021: 126-140.
[54]	XIE Haidong, TAN Jia, ZHANG Xiaoying, et al. Low-Interception Waveform: To Prevent the Recognition of Spectrum Waveform Modulation via Adversarial Examples[C]// IEEE. 2021 XXXIVth General Assembly and Scientific Symposium of the International Union of Radio Science (URSI GASS). New York:IEEE, 2021: 1-4.
[55]	PAPERNOT N, MCDANIEL P, GOODFELLOW I, et al. Practical Black-Box Attacks Against Machine Learning[C]// ACM. Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. New York: ACM, 2017: 506-519.
[56]	PAPERNOT N, MCDANIEL P, GOODFELLOW I. Transferability in Machine Learning: From Phenomena to Black-Box Attacks Using Adversarial Samples[EB/OL]. (2016-05-24)[2023-04-10]. https://arxiv.org/pdf/1605.07277. pdf.
[57]	VITTER J S. Random Sampling with a Reservoir[J]. ACM Transactions on Mathematical Software (TOMS), 1985, 11(1): 37-57. doi: 10.1145/3147.3165 URL
[58]	LI Pengcheng, YI Jinfeng, ZHANG Lijun. Query-Efficient Black-Box Attack by Active Learning[C]// IEEE. 2018 IEEE International Conference on Data Mining (ICDM). New York:IEEE, 2018: 1200-1205.
[59]	XIE Cihang, ZHANG Zhishuai, ZHOU Yuyin, et al. Improving Transferability of Adversarial Examples with Input Diversity[C]// IEEE. Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2019 : 2730-2739.
[60]	ZOU Junhua, PAN Zhisong, QIU Junyang, et al. Improving the Transferability of Adversarial Examples with Resized-Diverse-Inputs, Diversity-Ensemble and Region Fitting[C]// Springer. Computer Vision-ECCV 2020: 16th European Conference. Berlin:Springer. 2020: 563-579.
[61]	GOODFELLOW I, POUGET-ABADIE J, MIRZA M, et al. Generative Adversarial Networks[J]. Communications of the ACM, 2020, 63(11): 139-144. doi: 10.1145/3422622 URL
[62]	XIAO Chaowei, LI Bo, ZHU Junyan, et al. Generating Adversarial Examples with Adversarial Networks[C]// ACM. Proceedings of the 27th International Joint Conference on Artificial Intelligence. New York: ACM, 2018: 3905-3911.
[63]	SAHAY R, BRINTON C G, LOVE D J. Frequency-Based Automated Modulation Classification in the Presence of Adversaries[C]// IEEE. ICC 2021-IEEE International Conference on Communications. New York: IEEE, 2021: 1-6.
[64]	BERIAN A, STAAB K, DITZLER G, et al. Adversarial Filters for Secure Modulation Classification[C]// IEEE. 2021 55th Asilomar Conference on Signals, Systems, and Computers. New York: IEEE, 2021: 361-367.
[65]	SAGDUYU Y E, SHI Yi, ERPEK T. Adversarial Deep Learning for Over-the-Air Spectrum Poisoning Attacks[J]. IEEE Transactions on Mobile Computing, 2019, 20(2): 306-319. doi: 10.1109/TMC.7755 URL
[66]	RESTUCCIA F, D’ORO S, AL-SHAWABKA A, et al. Hacking the Waveform: Generalized Wireless Adversarial Deep Learning[C]// ACM. Proceedings of the 2nd ACM Workshop on Wireless Security and Machine Learning. New York: ACM, 2020: 49-54.
[67]	KOKALJ-FILIPOVIC S, MILLER R, VANHOY G. Adversarial Examples in RF Deep Learning: Detection and Physical Robustness[C]// IEEE. 2019 IEEE Global Conference on Signal and Information Processing (GlobalSIP). New York:IEEE, 2019: 1-5.
[68]	MAROTO J, BOVET G, FROSSARD P. SafeAMC: Adversarial Training for Robust Modulation Recognition Models[C]// IEEE. 2022 30th European Signal Processing Conference (EUSIPCO). New York:IEEE, 2022: 1-6.
[69]	COHEN J, ROSENFELD E, KOLTER Z. Certified Adversarial Robustness via Randomized Smoothing[EB/OL]. (2019-06-15)[2023-04-10]. https://arxiv.org/pdf/1902.02918. pdf.
[70]	KOKALJ-FILIPOVIC S, MILLER R, CHANG N, et al. Mitigation of Adversarial Examples in RF Deep Classifiers Utilizing AutoEncoder Pre-training[C]// IEEE. 2019 International Conference on Military Communications and Information Systems (ICMCIS). New York:IEEE, 2019: 1-6.
[71]	ZHANG Lu, LAMBOTHARAN S, ZHENG Gan, et al. Countermeasures Against Adversarial Examples in Radio Signal Classification[J]. IEEE Wireless Communications Letters, 2021, 10(8): 1830-1834. doi: 10.1109/LWC.2021.3083099 URL
[72]	AN Zhihui, QI Peihan, ZHOU Xiaoyu, et al. A Robust Signal Modulation Recognition Method Against Black-Box Detection Attack[C]// Springer. 15th EAI International Conference, Mobile Multimedia Communications. Berlin:Springer, 2023: 329-339.
[73]	XU Dongwei, YANG Hao, GU Chuntao, et al. Adversarial Examples Detection of Radio Signals Based on Multifeature Fusion[J]. IEEE Transactions on Circuits and Systems II: Express Briefs, 2021, 68(12): 3607-3611. doi: 10.1109/TCSII.2021.3095663 URL
[74]	SAMANGOUEI P, KABKAB M, CHLLAPPA R. Defense-Gan: Protecting Classifiers Against Adversarial Attacks Using Generative Models[EB/OL]. (2018-05-18)[2023-04-10]. https://arxiv.org/pdf/1805.06605.pdf.
[75]	SHTAIWI E, El OUADRHIRI A, MORADIKIA M, et al. Mixture GAN For Modulation Classification Resiliency Against Adversarial Attacks[C]// IEEE. GLOBECOM 2022-2022 IEEE Global Communications Conference. New York: IEEE, 2022: 1472-1477.
[76]	XU Weilin, EVANS D, QI Yanjun. Feature Squeezing: Detecting Adversarial Examples in Deep Neural Networks[EB/OL]. (2017-11-05)[2023-04-10]. https://doi.org/10.14722/ndss.2018.23198. doi: https://doi.org/10.14722/ndss.2018.23198
[77]	ROTH K, KILCHER Y, HOFMANN T. The Odds are Odd: A Statistical Test for Detecting Adversarial Examples[EB/OL]. (2019-05-09)[2023-04-10]. https://arxiv.org/pdf/1902.04818.pdf.
[78]	HOANG Quan, NGUYEN T D, LE T, et al. MGAN: Training Generative Adversarial Nets with Multiple Generators[EB/OL]. (2017-10-27)[2023-04-10]. https://arxiv.org/pdf/1708.02556.pdf.

数据集	信号调制类型	样本数	信噪比/dB
RML2016.04c	BPSK、8PSK、QPSK、CPFSK、GFSK、PAM4、16QAM、64QAM、AM-SSB、AM-DSB、WBFM	220000	-20~18
RML2016.10a	BPSK、8PSK、QPSK、CPFSK、GFSK、PAM4、16QAM、64QAM、AM-SSB、AM-DSB、WBFM	220000	-20~18
RML2016.10b	BPSK、8PSK、QPSK、CPFSK、GFSK、PAM4、16QAM、64QAM、AM-DSB、WBFM	1200000	-20~18
RML2018.01a	BPSK、8PSK、16PSK、32PSK、QPSK、OQPSK、4ASK、8ASK、16APSK、32APSK、64APSK、128APSK、16QAM、32QAM、64QAM、128QAM、256QAM、FM、GMSK、OOK、AM-SSB-WC、AM-SSB-SC、AM-DSB-WC、AM-DSB-SC	2000000	-20~30

方案	防御类别	防御策略
文献[67]	统计方法	PAPR和DL分类器的Softmax输出检测对抗样本
文献[68]	增强模型鲁棒性	使用对抗性训练训练调制识别模型
文献[69]	增强模型鲁棒性	使用带有随机平滑技术的对抗性训练方法训练调制识别模型
文献[55]	增强模型鲁棒性	使用带有认证防御技术的对抗性训练方法训练调制识别模型
文献[70]	增强模型鲁棒性	使用自动编码器对模型进行预训练
文献[71]	增强模型鲁棒性	通过对于信号进行标签平滑和高斯噪声注入达到增强的目的
文献[72]	添加组件	利用知识提炼防御来自攻击者的黑盒检测攻击
文献[73]	添加组件	基于多特征融合的对抗样本检测
文献[70]	添加组件	使用DL分类器的自动编码器去除非显著特征
文献[74]	添加组件	利用GAN的生成特性，提出了防御GAN
文献[75]	添加组件	利用混合生成对抗网络思想解决了AdvGAN的模式坍塌问题