Security Hardening of Intelligent Reflecting Surfaces Against Adversarial Machine Learning Attacks

Next-generation communication networks, also known as NextG or 5G and beyond, are the future data transmission systems that aim to connect a large number of Internet of Things (IoT) devices, systems, applications, and consumers with high-speed data transmission and low latency. NextG networks can achieve these goals by building on the advanced telecommunication, computing, and Artificial Intelligence (AI) technologies of the last decades, and can support a wide range of new applications. Among these technologies, AI makes a significant and unique contribution to beamforming, channel estimation, and Intelligent Reflecting Surface (IRS) applications of 5G and beyond networks. However, the security threats to AI-powered applications in NextG networks, and their mitigation, have not been investigated in depth in academia or industry, because these applications are new and more complex. This paper focuses on an AI-powered IRS implementation in NextG networks and its vulnerability to adversarial machine learning attacks. It also proposes the defensive distillation mitigation method to defend the AI-powered IRS model and improve its robustness, i.e., reduce its vulnerability. The results indicate that defensive distillation can significantly improve the robustness of AI-powered models and their performance under adversarial attack.

INDEX TERMS Security, next-generation networks, adversarial machine learning, model poisoning, intelligent reflecting surfaces.

The remainder of the paper is organized as follows: Section II provides background information about IRS and common adversarial attacks. Section III presents the system overview, including the AI model and defensive distillation for mitigation. Section IV shows experimental results, and Section V discusses the results along with observations. Section VI concludes the paper.

This section provides background information and related work on IRS and on popular adversarial attacks, namely FGSM, BIM, PGD, and MIM.

A. INTELLIGENT REFLECTING SURFACES (IRS)
IRS is commonly proposed to improve wireless communication quality in various applications. Consider a typical IRS-aided wireless communication system as depicted in Figure 1. The IRS is deployed to enhance the communication performance between a transmitter and a receiver. The receiver gets the Line of Sight (LOS) signal through the LOS link as well as constructively reflected signals from the IRS through the IRS-Rx link at the same time, so that the communication performance between the transmitter and receiver can be significantly improved.

In the literature, there are several studies on IRS and security concerns [4], [7], [8]. AI-powered models, e.g., neural networks, have been integrated into IRS-aided systems to improve wireless communication performance. The authors in [11] propose the concept of Intelligent Spectrum Learning (ISL), which optimizes the IRS to tackle interfering signals by dynamically controlling the IRS elements. ISL first employs a well-trained convolutional neural network to perform multi-class classification of the incident signals, and then the IRS elements can be turned on or off depending on the class of that signal by using an IRS binary control. Moreover, a dynamic ''think-and-decide''

An evasion attack aims to cause the ML-based models to misclassify adversarial examples as legitimate data points; such attacks are either targeted or non-targeted. Targeted attacks aim to force the models to classify the adversarial example as a specific target class. Non-targeted attacks aim to push the models to classify the adversarial example as any class other than the ground truth. Data poisoning aims to generate malicious data points and insert them into the training data of the ML-based models, so that the trained models produce the attacker's desired output. Model inversion aims to generate new data points close to the original data points in order to recover sensitive information about those specific data points.
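The four gradient-based evasion attacks this section covers (FGSM, BIM, PGD and MIM), as an added example that is not code from the paper or from the CleverHans library the paper uses. The victim is a constructed linear regressor standing in for the paper's MLP, so that the input gradient can be written by hand without a deep-learning framework; the weights, environment descriptors and labels are all constructed, and the sweep over budgets reproduces the layout of the MSE-versus-attack-power evaluation the paper reports. Because the victim is linear, all four attacks reach the same worst-case perturbation, which makes the example a useful sanity check for an attack implementation: on a linear model they must agree.

```python
"""FGSM, BIM, PGD and MIM evasion attacks against a small regression model,
plus an MSE-versus-budget sweep.

Added example, not code from the paper.  The paper's victim is an MLP that
predicts achievable rates; here it is a hand-written linear regressor so the
input gradient is available without a DL framework.  Weights, inputs and
labels are constructed for illustration.
"""
import random

# Constructed victim: y_hat = w . x + b, standing in for the paper's MLP.
W = [0.8, -0.5, 0.3, 0.6]
B = 0.1

# Constructed environment descriptors and labels; the labels are offset from
# the model's own output so the clean residual (and the gradient) is non-zero.
CLEAN_X = [[0.2, 0.4, 0.1, 0.9], [0.7, 0.1, 0.5, 0.3],
           [0.3, 0.8, 0.6, 0.2], [0.9, 0.5, 0.2, 0.7]]
LABEL_OFFSETS = [0.05, -0.04, 0.03, -0.06]


def predict(x):
    return sum(wi * xi for wi, xi in zip(W, x)) + B


CLEAN_Y = [predict(x) + d for x, d in zip(CLEAN_X, LABEL_OFFSETS)]


def mse(xs, ys):
    return sum((predict(x) - y) ** 2 for x, y in zip(xs, ys)) / len(xs)


def input_gradient(x, y):
    """d/dx of the squared error (y_hat - y)**2, i.e. 2 (y_hat - y) w."""
    r = predict(x) - y
    return [2.0 * r * wi for wi in W]


def sign(v):
    return (v > 0) - (v < 0)


def project(x_adv, x, eps):
    """Keep x_adv inside the L-infinity ball of radius eps around x."""
    return [min(max(a, c - eps), c + eps) for a, c in zip(x_adv, x)]


def fgsm(x, y, eps):
    """One step of size eps along the sign of the input gradient."""
    return [xi + eps * sign(g) for xi, g in zip(x, input_gradient(x, y))]


def iterative_sign_attack(x, y, eps, n_iter, alpha, start, momentum_decay=None):
    """Shared loop for BIM, PGD and MIM: repeated sign steps with projection.
    momentum_decay=None gives plain BIM/PGD; a float gives MIM's
    L1-normalised accumulated gradient."""
    x_adv = list(start)
    velocity = [0.0] * len(x)
    for _ in range(n_iter):
        g = input_gradient(x_adv, y)
        if momentum_decay is not None:
            l1 = sum(abs(gi) for gi in g) or 1.0
            velocity = [momentum_decay * v + gi / l1 for v, gi in zip(velocity, g)]
            g = velocity
        x_adv = project([a + alpha * sign(gi) for a, gi in zip(x_adv, g)], x, eps)
    return x_adv


def bim(x, y, eps, n_iter=10):
    return iterative_sign_attack(x, y, eps, n_iter, eps / n_iter, x)


def pgd(x, y, eps, n_iter=10, seed=0):
    """BIM from a random point in the ball; the larger step lets the iterate
    reach the far side of the ball from any start."""
    rng = random.Random(seed)
    start = [xi + rng.uniform(-eps, eps) for xi in x]
    return iterative_sign_attack(x, y, eps, n_iter, 2.5 * eps / n_iter, start)


def mim(x, y, eps, n_iter=10, decay=1.0):
    return iterative_sign_attack(x, y, eps, n_iter, eps / n_iter, x, momentum_decay=decay)


ATTACKS = {"FGSM": fgsm, "BIM": bim, "PGD": pgd, "MIM": mim}


def attack_mse(name, eps):
    """MSE of the model on adversarial versions of the clean set."""
    adv = [ATTACKS[name](x, y, eps) for x, y in zip(CLEAN_X, CLEAN_Y)]
    return mse(adv, CLEAN_Y)


def max_perturbation(name, eps):
    """Largest per-coordinate change, to verify the budget is respected."""
    adv = [ATTACKS[name](x, y, eps) for x, y in zip(CLEAN_X, CLEAN_Y)]
    return max(abs(a - c) for xa, x in zip(adv, CLEAN_X) for a, c in zip(xa, x))


def sweep(budgets=(0.01, 0.05, 0.1, 0.2, 0.4, 0.8)):
    """MSE per attack and budget, in the layout of Figure 5 / Table 2."""
    return {name: [attack_mse(name, eps) for eps in budgets] for name in ATTACKS}


if __name__ == "__main__":
    budgets = (0.01, 0.05, 0.1, 0.2, 0.4, 0.8)
    print(f"clean MSE: {mse(CLEAN_X, CLEAN_Y):.5f}")
    for name, values in sweep(budgets).items():
        print(name.ljust(5), " ".join(f"{v:.4f}" for v in values))
```

With the constructed weights the clean MSE is 0.00215 and every attack at budget 0.1 raises it to about 0.0704; the same rising curve over budgets is what the paper's Figure 5 plots for its MLP. The `project` step is what distinguishes a budget-respecting iterative attack from an unbounded one, and `max_perturbation` is the check a defender should run before trusting any robustness number reported against these attacks.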

These adversarial attack types are described as follows.

The FGSM attack perturbs the input in a single step whose size is set by the budget. The FGSM attack has been used in [17] to attack models.

The BIM attack repeats the following two steps for N iterations:
- Compute the gradient of the loss function with respect to the input, evaluated at the current adversarial example $x_{adv}$ and its label $y$.
- Add a step along that gradient to the input data, keeping the total perturbation within the budget, where N is the number of iterations.
The BIM attack has been used in [17] to attack models.

As we briefly discussed in Section II-A, a neural network is designed for mapping the observed environment descriptors to the predicted achievable rate in the AI-powered IRS model. This subsection introduces the neural network architecture and training details below.

• Neural Network Architecture: The input of the neural network model is defined as a stack of the environment descriptors (i.e., uplink pilot signals) received from both transmitter and receiver. Since the training process is designed to build a function mapping descriptors to reflection vectors, the output target of the neural network is a set of predictions of the achievable rates of every possible reflection beamforming vector. The neural network is built as a Multi-Layer Perceptron (MLP) network, which is well demonstrated as an effective universal approximator. The MLP is adopted to establish the connection between the environment descriptors and the achievable rates predicted for the reflection beamforming vectors, as shown in

The training dataset has 54300 data samples, since the candidate receiver locations contain 54300 points, as discussed in Section III-C. The dataset is split into two sets, namely a training set and a testing set with 85% and 15% of the points, respectively. To measure the quality of the predictions and make the predicted achievable rates close to the real achievable rates in the dataset, we define the loss function as the Mean Squared Error (MSE) between them. In the training process, the batch size is set to 500 samples, and the number of training epochs is set to 20. The dropout rate is set to 50%, and an $L_2$ regularization term with a factor of $10^{-4}$ is added to the loss function.

To examine the performance of the AI-powered IRS model, the publicly available ray-tracing-based DeepMIMO dataset [27] is adopted to generate the training dataset. DeepMIMO is a parameterized dataset designed for constructing MIMO channels from ray-tracing data obtained from an accurate ray-tracing scenario simulation.
Similar to the simulation setup in [14], the outdoor ray-tracing scenario 'O1' is selected, as shown in Figure 4. Base

FIGURE 4. The adopted ray-tracing scenario, where the large intelligent surface (i.e., IRS) is deployed to reflect the signal from the fixed transmitter to the candidate receivers.

Table 2 shows the prediction performance results of the defended and undefended AI-powered IRS models against the attacks.

The trained AI-powered IRS model is implemented using Python 3.7.13 and the TensorFlow 2.8.2 framework running on a Google Colab Tesla T4 GPU with 16GB of memory. Adversarial inputs are generated using the CleverHans 4.0.0 library.

Adversarial attacks on AI-powered models have become more popular, with various attack methods. This study uses the FGSM, MIM, BIM, and PGD methods to generate adversarial examples. The performance of each model is evaluated with the MSE metric.

Figure 5 shows MSE values for the selected attack methods under attack powers from 0.01 to 0.8. MSE values look similar for the MIM, BIM, and PGD methods, i.e., around 0.09, for all attack powers. On the other hand, MSE values increase with higher attack power (above 0.5) for BIM attacks and go from 0.009 to 0.0128. The results also indicate that AI-powered models are dramatically vulnerable to adversarial attacks. Mitigation methods have been widely used to increase the robustness of AI-powered models against adversarial attacks. In this study, the defensive distillation method is applied to the model to reduce its vulnerability to adversarial attacks. The performance of the AI-powered model is evaluated in terms of MSE after applying the mitigation method. Figure 6 shows the models' performance, i.e., MSE values, against adversarial attacks with attack powers from 0.01 to 0.8 after applying the selected mitigation method. The figure shows that the AI-powered model is still sensitive to adversarial attacks. However, the model's robustness against adversarial attacks is better. According to the figure, the model can resist any attack under low attack power (below 0.3).

Table 2 shows in detail the impact of a specific attack power value on the MSE performance metric of the AI-powered IRS model for each adversarial attack. The value ranges from 0.01 to 0.8; the higher the value, the more powerful the attack on the AI-powered model is expected to be. Except for BIM, the MSE values are usually around 0.0092-0.0095 for undefended models under any attack power and type. It reaches up to 0.012 under a high attack power
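Defensive distillation, the mitigation this section evaluates, as an added example that is not code from the paper. The paper applies the method to a regression model that predicts achievable rates, and the page does not say how the soft-label step was adapted to a regression target, so this example shows the standard classification form of the method (a teacher trained at temperature T, a student trained on the teacher's soft labels at the same T, and the student deployed at T = 1) on a constructed, linearly separable two-class problem, and measures its effect on the input gradient that FGSM, BIM, PGD and MIM all follow. The data, model size, temperature and learning-rate scaling are constructed for illustration.

```python
"""Defensive distillation (Papernot et al.) on a toy softmax classifier in
pure Python, contrasted with an undefended baseline.

Added example, not code from the paper.  The paper distils a regression
model; this shows the standard classification form of the method.  Data,
model and hyper-parameters are constructed for illustration.
"""
import math

# Constructed, linearly separable 2-D data: class 0 near (-1, -1), class 1 near (1, 1).
X = [(-1.0, -0.8), (-0.9, -1.2), (-1.3, -0.7), (-0.6, -1.1), (-1.1, -1.0), (-0.8, -0.6),
     (1.0, 0.8), (0.9, 1.2), (1.3, 0.7), (0.6, 1.1), (1.1, 1.0), (0.8, 0.6)]
Y = [0] * 6 + [1] * 6
N_CLASSES = 2


def one_hot(label):
    return [1.0 if k == label else 0.0 for k in range(N_CLASSES)]


def logits(model, x):
    w, b = model
    return [sum(wk[j] * x[j] for j in range(len(x))) + b[k] for k, wk in enumerate(w)]


def softmax(z, temperature=1.0):
    """Numerically stable softmax of z / T."""
    scaled = [v / temperature for v in z]
    m = max(scaled)
    exps = [math.exp(v - m) for v in scaled]
    s = sum(exps)
    return [e / s for e in exps]


def train(targets, temperature, epochs=200, lr=0.5):
    """Full-batch gradient descent on cross-entropy against (soft) targets.

    Dividing the logits by T divides the logit gradient by T and needs
    T-times larger logits for the same probabilities, so the learning rate
    is multiplied by T**2 to give every temperature a comparable number of
    effective steps.  That scaling is a choice for this toy, not part of
    the published method.
    """
    n_in = len(X[0])
    w = [[0.0] * n_in for _ in range(N_CLASSES)]
    b = [0.0] * N_CLASSES
    step = lr * temperature ** 2
    for _ in range(epochs):
        grad_w = [[0.0] * n_in for _ in range(N_CLASSES)]
        grad_b = [0.0] * N_CLASSES
        for x, t in zip(X, targets):
            p = softmax(logits((w, b), x), temperature)
            for k in range(N_CLASSES):
                d = (p[k] - t[k]) / (temperature * len(X))  # dLoss/dz_k, batch mean
                grad_b[k] += d
                for j in range(n_in):
                    grad_w[k][j] += d * x[j]
        w = [[wkj - step * g for wkj, g in zip(wk, gk)] for wk, gk in zip(w, grad_w)]
        b = [bk - step * g for bk, g in zip(b, grad_b)]
    return (w, b)


def distill(temperature):
    """Teacher on hard labels at T, then student on the teacher's soft labels at T."""
    teacher = train([one_hot(y) for y in Y], temperature)
    soft = [softmax(logits(teacher, x), temperature) for x in X]
    return train(soft, temperature)


def accuracy(model):
    correct = 0
    for x, y in zip(X, Y):
        z = logits(model, x)
        correct += z.index(max(z)) == y
    return correct / len(Y)


def mean_input_gradient_norm(model):
    """Average L2 norm of d(cross-entropy)/dx at T = 1, the signal that
    FGSM, BIM, PGD and MIM follow; distillation shrinks it by saturating
    the softmax."""
    w, _ = model
    total = 0.0
    for x, y in zip(X, Y):
        p = softmax(logits(model, x))  # deployed at T = 1
        t = one_hot(y)
        grad_x = [sum((p[k] - t[k]) * w[k][j] for k in range(N_CLASSES))
                  for j in range(len(x))]
        total += math.sqrt(sum(g * g for g in grad_x))
    return total / len(X)


def compare(temperature=10.0):
    """Undefended baseline (T = 1, hard labels) versus the distilled student."""
    baseline = train([one_hot(y) for y in Y], temperature=1.0)
    student = distill(temperature)
    return {
        "baseline_accuracy": accuracy(baseline),
        "student_accuracy": accuracy(student),
        "baseline_grad_norm": mean_input_gradient_norm(baseline),
        "student_grad_norm": mean_input_gradient_norm(student),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>20}: {value:.3g}")
```

Both models classify the constructed data perfectly, but the distilled student's input gradient is orders of magnitude smaller because its logits, learned at temperature 10 and deployed at temperature 1, drive the softmax into saturation. That is the mechanism by which the method blunts gradient-following attacks, and also its known limit: an attacker who recomputes the gradient at the training temperature, or uses a non-gradient attack, recovers much of the lost signal, which is consistent with the paper's observation that the defended model remains sensitive at high attack power.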

Next-generation networks, i.e., NextG or 5G and beyond, have been dramatically enhanced by advanced communication, computing, and AI technologies in the last decade. AI is the most important contributor to the performance improvement of NextG networks. This paper investigates the vulnerability of AI-powered IRS models to adversarial attacks (i.e., FGSM, BIM, PGD, and MIM) and the impact of the proposed mitigation method, i.e., defensive distillation, on the improvement of the models' robustness in NextG networks. The results indicate that AI-powered NextG networks are vulnerable to adversarial attacks. On the other hand, mitigation methods can make the models more robust against adversarial attacks. According to the overall results, the most effective adversarial attack types are BIM and MIM for undefended and defended models, respectively. The proposed mitigation method provides better results against the attacks, including FGSM, BIM, MIM, and PGD, in terms of increasing model robustness and reducing vulnerability.

In future work, the authors will focus on automatic modulation classification using an AI-powered model in NextG networks and its vulnerability under adversarial attacks.