Spectrum coexistence is essential for next generation (NextG) systems to share the spectrum with incumbent (primary) users and meet the growing demand for bandwidth. One example is the 3.5 GHz Citizens Broadband Radio Service (CBRS) band, where the 5G and beyond communication systems need to sense the spectrum and then access the channel in an opportunistic manner when the incumbent user (e.g., radar) is not transmitting. To that end, a high-fidelity classifier based on a deep neural network is needed for low misdetection (to protect incumbent users) and low false alarm (to achieve high throughput for NextG). In a dynamic wireless environment, the classifier can only be used for a limited period of time, i.e., coherence time. A portion of this period is used for learning to collect sensing results and train a classifier, and the rest is used for transmissions. In spectrum sharing systems, there is a well-known tradeoff between the sensing time and the transmission time. While increasing the sensing time can increase the spectrum sensing accuracy, there is less time left for data transmissions. In this paper, we present a generative adversarial network (GAN) approach to generate synthetic sensing results to augment the training data for the deep learning classifier so that the sensing time can be reduced (and thus the transmission time can be increased) while keeping high accuracy of the classifier. We consider both additive white Gaussian noise (AWGN) and Rayleigh channels, and show that this GAN-based approach can significantly improve both the protection of the high-priority user and the throughput of the NextG user (more in Rayleigh channels than AWGN channels).

This paper presents a game-theoretic framework to study the interactions of attack and defense for deep learning-based NextG signal classification. NextG systems such as the one envisioned for a massive number of IoT devices can employ deep neural networks (DNNs) for various tasks such as user equipment identification, physical layer authentication, and detection of incumbent users (such as in the Citizens Broadband Radio Service (CBRS) band). By training another DNN as the surrogate model, an adversary can launch an inference (exploratory) attack to learn the behavior of the victim model, predict successful operation modes (e.g., channel access), and jam them. A defense mechanism can increase the adversary's uncertainty by introducing controlled errors in the victim model's decisions (i.e., poisoning the adversary's training data). This defense is effective against an attack but reduces the performance when there is no attack. The interactions between the defender and the adversary are formulated as a non-cooperative game, where the defender selects the probability of defending or the defense level itself (i.e., the ratio of falsified decisions) and the adversary selects the probability of attacking. The defender's objective is to maximize its reward (e.g., throughput or transmission success ratio), whereas the adversary's objective is to minimize this reward and its attack cost. The Nash equilibrium strategies are determined as operation modes such that no player can unilaterally improve its utility given the other's strategy is fixed. A fictitious play is formulated for each player to play the game repeatedly in response to the empirical frequency of the opponent's actions. The performance in Nash equilibrium is compared to the fixed attack and defense cases, and the resilience of NextG signal classification against attacks is quantified.

This paper highlights vulnerabilities of deep learning-driven semantic communications to backdoor (Trojan) attacks. Semantic communications aims to convey a desired meaning while transferring information from a transmitter to its receiver. An encoder-decoder pair that is represented by two deep neural networks (DNNs) as part of an autoencoder is trained to reconstruct signals such as images at the receiver by transmitting latent features of small size over a limited number of channel uses. In the meantime, another DNN of a semantic task classifier at the receiver is jointly trained with the autoencoder to check the meaning conveyed to the receiver. The complex decision space of the DNNs makes semantic communications susceptible to adversarial manipulations. In a backdoor (Trojan) attack, the adversary adds triggers to a small portion of training samples and changes the label to a target label. When the transfer of images is considered, the triggers can be added to the images or equivalently to the corresponding transmitted or received signals. In test time, the adversary activates these triggers by providing poisoned samples as input to the encoder (or decoder) of semantic communications. The backdoor attack can effectively change the semantic information transferred for the poisoned input samples to a target meaning. As the performance of semantic communications improves with the signal-to-noise ratio and the number of channel uses, the success of the backdoor attack increases as well. Also, increasing the Trojan ratio in training data makes the attack more successful. In the meantime, the effect of this attack on the unpoisoned input samples remains limited. Overall, this paper shows that the backdoor attack poses a serious threat to semantic communications and presents novel design guidelines to preserve the meaning of transferred information in the presence of backdoor attacks.

This paper presents a game theoretic framework for participation and free-riding in federated learning (FL), and determines the Nash equilibrium strategies when FL is executed over wireless links. To support spectrum sensing for NextG communications, FL is used by clients, namely spectrum sensors with limited training datasets and computation resources, to train a wireless signal classifier while preserving privacy. In FL, a client may be free-riding, i.e., it does not participate in FL model updates, if the computation and transmission cost for FL participation is high, and receives the global model (learned by other clients) without incurring a cost. However, the free-riding behavior may potentially decrease the global accuracy due to lack of contribution to global model learning. This tradeoff leads to a non-cooperative game where each client aims to individually maximize its utility as the difference between the global model accuracy and the cost of FL participation. The Nash equilibrium strategies are derived for free-riding probabilities such that no client can unilaterally increase its utility given the strategies of its opponents remain the same. The free-riding probability increases with the FL participation cost and the number of clients, and a significant optimality gap exists in Nash equilibrium with respect to the joint optimization for all clients. The optimality gap increases with the number of clients and the maximum gap is evaluated as a function of the cost. These results quantify the impact of free-riding on the resilience of FL in NextG networks and indicate operational modes for FL participation.

Semantic communications seeks to transfer information from a source while conveying a desired meaning to its destination. We model the transmitter-receiver functionalities as an autoencoder followed by a task classifier that evaluates the meaning of the information conveyed to the receiver. The autoencoder consists of an encoder at the transmitter to jointly model source coding, channel coding, and modulation, and a decoder at the receiver to jointly model demodulation, channel decoding and source decoding. By augmenting the reconstruction loss with a semantic loss, the two deep neural networks (DNNs) of this encoder-decoder pair are interactively trained with the DNN of the semantic task classifier. This approach effectively captures the latent feature space and reliably transfers compressed feature vectors with a small number of channel uses while keeping the semantic loss low. We identify the multi-domain security vulnerabilities of using the DNNs for semantic communications. Based on adversarial machine learning, we introduce test-time (targeted and non-targeted) adversarial attacks on the DNNs by manipulating their inputs at different stages of semantic communications. As a computer vision attack, small perturbations are injected to the images at the input of the transmitter's encoder. As a wireless attack, small perturbations signals are transmitted to interfere with the input of the receiver's decoder. By launching these stealth attacks individually or more effectively in a combined form as a multi-domain attack, we show that it is possible to change the semantics of the transferred information even when the reconstruction loss remains low. These multi-domain adversarial attacks pose as a serious threat to the semantics of information transfer (with larger impact than conventional jamming) and raise the need of defense methods for the safe adoption of semantic communications.

Communications systems to date are primarily designed with the goal of reliable (error-free) transfer of digital sequences (bits). Next generation (NextG) communication systems are beginning to explore shifting this design paradigm of reliably decoding bits to reliably executing a given task. Task-oriented communications system design is likely to find impactful applications, for example, considering the relative importance of messages. In this paper, a wireless signal classification is considered as the task to be performed in the NextG Radio Access Network (RAN) for signal intelligence and spectrum awareness applications such as user equipment (UE) identification and authentication, and incumbent signal detection for spectrum co-existence. For that purpose, edge devices collect wireless signals and communicate with the NextG base station (gNodeB) that needs to know the signal class. Edge devices may not have sufficient processing power and may not be trusted to perform the signal classification task, whereas the transfer of the captured signals from the edge devices to the gNodeB may not be efficient or even feasible subject to stringent delay, rate, and energy restrictions. We present a task-oriented communications approach, where all the transmitter, receiver and classifier functionalities are jointly trained as two deep neural networks (DNNs), one for the edge device and another for the gNodeB. We show that this approach achieves better accuracy with smaller DNNs compared to the baselines that treat communications and signal classification as two separate tasks. Finally, we discuss how adversarial machine learning poses a major security threat for the use of DNNs for task-oriented communications. We demonstrate the major performance loss under backdoor (Trojan) attacks and adversarial (evasion) attacks that target the training and test processes of task-oriented communications.

深度学习（DL）在无线领域中找到了丰富的应用，以提高频谱意识。通常，DL模型要么是根据统计分布后随机初始初始初始初始初始初始初始初始初始初始化，要么在其他数据域（例如计算机视觉）（以转移学习的形式）上进行鉴定，而无需考虑无线信号的唯一特征。即使只有有限的带有标签的培训数据样本，自我监督的学习也能够从射频（RF）信号本身中学习有用的表示形式。我们通过专门制定一组转换以捕获无线信号特征来提出第一个自我监督的RF信号表示学习模型，并将其应用于自动调制识别（AMR）任务。我们表明，通过学习信号表示具有自我监督的学习，可以显着提高样本效率（实现一定准确性性能所需的标记样品数量）。这转化为大量时间和节省成本。此外，与最先进的DL方法相比，自我监管的学习可以提高模型的准确性，即使使用了一小部分训练数据样本，也可以保持高精度。

随着物联网设备的扩散，研究人员在机器学习的帮助下开发了各种IOT设备识别方法。尽管如此，这些识别方法的安全性主要取决于收集的培训数据。在这项研究中，我们提出了一种名为IOTGan的新型攻击策略来操纵IoT设备的流量，使得它可以避免基于机器学习的IOT设备识别。在IOTGAN的发展中，我们有两个主要的技术挑战：（i）如何在黑匣子环境中获得歧视模型，并如何通过操纵模型将扰动添加到物联网交通中，从而逃避识别不影响物联网设备的功能。为了解决这些挑战，基于神经网络的替代模型用于将目标模型放在黑盒设置中，它作为IOTGAN中的歧视模型。培训操纵模型，以将对抗性扰动添加到物联网设备的流量中以逃避替代模型。实验结果表明，IOTAN可以成功实现攻击目标。我们还开发了高效的对策，以保护基于机器的机器学习的IOT设备识别由IOTGAN破坏。

通过从大型天线移动到用于软件定义的无线系统的天线表面，可重新配置的智能表面（RISS）依赖于单元电池的阵列，以控制信号的散射和反射轮廓，减轻传播损耗和多路径衰减，从而改善覆盖范围和光谱效率。在本文中，在RIS存在下考虑了隐蔽的通信。虽然RIS升高了持续的传动，但是预期接收器和窃听者都可以单独尝试使用自己的深神经网络（DNN）分类器来检测该传输。 RIS交互向量是通过平衡将发送信号聚焦到接收器的两个（潜在冲突）目标而设计的，并将发送的信号远离窃听器。为了提高封面通信，对发射机的信号添加对抗扰动以欺骗窃听器的分类器，同时保持对接收器的影响。来自不同网络拓扑的结果表明，可以共同设计对抗扰动和RIS交互向量，以有效地提高接收器处的信号检测精度，同时降低窃听器的检测精度以实现封面通信。

本文提出了一种新的方法，用于可重新配置智能表面（RIS）和发射器 - 接收器对的联合设计，其作为一组深神经网络（DNN）培训，以优化端到端通信性能接收者。 RIS是一种软件定义的单位单元阵列，其可以根据散射和反射轮廓来控制，以将来自发射机的传入信号集中到接收器。 RIS的好处是通过克服视线（LOS）链路的物理障碍来提高无线通信的覆盖率和光谱效率。 RIS波束码字（从预定义的码本）的选择过程被配制为DNN，而发射器 - 接收器对的操作被建模为两个DNN，一个用于编码器（在发射器）和另一个一个用于AutoEncoder的解码器（在接收器处），通过考虑包括由in之间引起的频道效应。底层DNN共同训练，以最小化接收器处的符号误差率。数值结果表明，所提出的设计在各种基线方案中实现了误差性能的主要增益，其中使用了没有RIS或者将RIS光束的选择与发射器 - 接收器对的设计分离。