Abstract

Deep neural network-based learning methods are considered promising techniques for beam selection problems. However, existing research ignores the peculiar vulnerabilities of neural networks. Adversaries can use data poisoning to embed predefined triggers into a model at training time, so that the neural network-based beam model makes an incorrect output decision on a test example that is patched with the trigger. Data poisoning thus offers attackers the possibility of building backdoors. The goal of a backdoor is often unethical, such as giving users a poor experience by manipulating infected models to output inappropriate beams. In this paper, we first introduce a simple backdoor attack method that uses data poisoning in a mmWave beam selection system. Through numerical simulations, we verify that this poisoning attack is effective against neural networks with different structures. In addition, we explore the effect of poisoned data volume on the effectiveness of backdoor attacks. The results show that the backdoor can be successfully implanted into the beam selection neural network. We also fine-tune the trained model for a new wireless communication environment, and the results show that backdoors still exist even when the model is tuned with data from new scenarios. We then propose a machine unlearning solution to mitigate the backdoor in the trained beam selection model. The problem of eliminating backdoors is modeled as a minimax optimization problem, and we propose a novel adversarial unlearning method along with label smoothing to solve it. We compare the proposed backdoor elimination method with the classical fine-tuning elimination method and the neural network pruning method through numerical simulations. The results show that the fine-tuning and pruning methods cannot effectively remove the backdoor. The proposed machine unlearning method can make the trained model forget the backdoor while guaranteeing that performance on the benign task (beam selection when the trigger does not appear) is only slightly degraded. In summary, our work illustrates that data poisoning-based backdoor attacks may exist in wireless networks, and we propose a scheme to eliminate backdoors.
