A method for countering electromagnetic signal frequency domain enhancement integral transfer attacks

By using an electromagnetic signal frequency domain enhanced integral transfer adversarial attack method, adversarial samples with better generalization performance are generated, solving the problem of insufficient electromagnetic signal transferability and improving the performance of black-box adversarial attacks.

CN117951503BActive Publication Date: 2026-06-30XIDIAN UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
XIDIAN UNIV
Filing Date
2023-12-04
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

Existing technologies lack sufficient electromagnetic signal adversarial sample transferability and exhibit poor performance against black-box adversarial attacks.

Method used

An electromagnetic signal frequency domain enhancement integral transfer adversarial attack method is adopted. Interpolation samples are generated by translation interpolation, noise frequency domain signals are randomly generated, and time domain signals are obtained by using inverse fast Fourier transform. Frequency domain enhancement training samples are constructed, normalized sample gradients are calculated, and adversarial samples are generated to carry out transfer attacks.

Benefits of technology

The generated adversarial examples have better generalization performance and transferability, improving the performance of black-box adversarial attacks on electromagnetic signal sample migration.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN117951503B_ABST
    Figure CN117951503B_ABST
Patent Text Reader

Abstract

This case relates to a method for frequency domain enhancement integral transfer adversarial attacks on electromagnetic signals, belonging to the field of intelligent adversarial technology in electromagnetic spectrum sensing. It addresses the problems of insufficient transferability of existing electromagnetic signal adversarial samples and poor performance in black-box adversarial attacks involving electromagnetic signal sample transfer. This method uses a target electromagnetic signal data as the original sample, which is then interpolated through translation to obtain N interpolated samples. An enhanced baseline sample is obtained based on the signal spectrum characteristics corresponding to each interpolated sample and the current bandwidth setting. The interpolated samples are then frequency-domain enhanced using the enhanced baseline sample to obtain N enhanced data samples. The label corresponding to the original sample is used as the label corresponding to these N enhanced data samples, constructing N pairs of frequency-domain enhanced training samples. The sample gradient of the training samples is calculated using the loss function of the local substitution model to obtain the gradient integral with respect to the original signal itself, thereby generating an adversarial sample corresponding to the original sample. This adversarial sample is capable of carrying out transfer adversarial attacks.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of artificial intelligence algorithm technology, and in particular to a method for countering electromagnetic signal frequency domain enhancement integral transfer attacks. Background Technology

[0002] The introduction of artificial intelligence technology has brought many new security challenges to situations where there were no inherent security issues, such as data breaches, perceptual deception attacks, and AI model attacks. Adversarial examples are one of the most typical attacks in artificial intelligence security.

[0003] Adversarial examples are input samples created by intentionally adding subtle perturbations to a dataset, causing the model to output an incorrect result with high confidence. The existence of adversarial examples plays a crucial role in improving the robustness, security, and performance of machine learning models. They may reveal dataset imbalances, prompting improvements in dataset quality and consequently, model performance. Adversarial examples can be used to detect errors in machine learning models: when faced with adversarial examples, the model may output an incorrect result with high confidence, helping to identify and correct model errors. During model evaluation, adversarial training involves adding subtle perturbations to the dataset to create adversarial examples, training the model to recognize these examples, thus improving its robustness. Adversarial examples can be used to detect anomalous behaviors, such as cyberattacks and fraudulent transactions, enabling timely detection and prevention. Adversarial training can optimize model parameters, thereby improving model performance and robustness. Given their significant role in enhancing the robustness, security, and performance of machine learning models, adversarial examples hold broad promise for applications in deep learning. However, existing technologies suffer from insufficient transferability of electromagnetic signal adversarial samples and poor performance in black-box adversarial attacks on electromagnetic signal sample transfer. Therefore, this solution is proposed to improve the transferability of electromagnetic signal adversarial samples and enhance attack performance. Summary of the Invention

[0004] To address the problems existing in the prior art, the present invention aims to propose an electromagnetic signal frequency domain enhanced integral migration adversarial attack method, which aims to improve the migration of adversarial samples and enhance the performance of electromagnetic signal sample migration black-box adversarial attacks.

[0005] To achieve the above objectives, the technical solution of this case is as follows.

[0006] Firstly, this case proposes a method for countering electromagnetic signal frequency domain enhancement integral migration attacks, the method comprising the following steps:

[0007] Take a single electromagnetic signal data to be attacked as the original sample, and obtain N interpolated samples through translation interpolation.

[0008] Based on the signal spectral characteristics corresponding to each interpolation sample and the current bandwidth setting, a noise frequency domain signal is randomly generated, and the generated noise frequency domain signal is obtained by inverse fast Fourier transform (IFFT) to obtain the corresponding time domain signal. The real signal information is taken as the enhanced baseline sample with different spectral characteristics.

[0009] The interpolated samples are frequency-domain enhanced using enhanced baseline samples to obtain N enhanced data samples. The labels corresponding to the original samples are used as the labels corresponding to these N enhanced data samples to construct N pairs of frequency-domain enhanced training samples.

[0010] Based on N pairs of frequency-domain enhanced training samples, the gradients of N normalized samples are calculated using the loss function of the local substitution model, and then the gradient integral with respect to the original signal itself is obtained.

[0011] Based on the gradient integral of the original signal itself, adversarial samples corresponding to the original samples are generated, and the adversarial samples can carry out migration adversarial attacks.

[0012] Wherein: the local substitution model is a classification neural network model, and N is a natural number.

[0013] In the above technical solutions, one method for generating adversarial examples is as follows:

[0014]

[0015] In the formula: X i X0 represents the adversarial sample generated by the i-th local substitution model. When the index of X is 0, X0 is the original sample; ε represents the magnitude of the perturbation. For the nth augmented data sample x n The corresponding gradient, For the (n+1)th augmented data sample x n+1 The corresponding gradient, sign() represents the function to take the positive or negative sign, n = 0, 1, 2, ..., N-1.

[0016] In the above technical solution, one method for obtaining enhanced data samples includes the following steps:

[0017]

[0018] In the formula: Let f be the nth interpolation sample, μ be a hyperparameter, μ∈[0,1], and f n The enhanced baseline sample corresponds to the nth interpolation sample, where n = 0, 1, 2, ..., N-1. In one method of generating the interpolation sample in the above technical solution, the steps include:

[0019] The original sample x is shifted up or down to obtain a shifted signal as the baseline sample x′. The shift distance d of the signal is adaptively adjusted according to the sample size, the amount of disturbance, and the square root of the power of each signal.

[0020] Interpolation is performed between the baseline sample and the original sample to obtain the interpolated sample. This represents the magnitude proportion of the currently selected attribution object during the integration process from the baseline value to the input value, n = 0, 1, 2, ..., N-1.

[0021] In the above technical solution, one way to calculate the normalized sample gradient is as follows:

[0022]

[0023] Where J is the loss function. is the derivative sign with respect to x, y represents the true label, M represents the classification output of the surrogate model, and the denominator is the derivative with respect to x. Calculate the L2 norm.

[0024] In the above technical solution, the loss function is specifically the cross-entropy loss function in one implementation.

[0025] In one embodiment of the local substitution model in the above technical solution, its structure includes three input channels, namely two signals I and Q, the I signal of the electromagnetic signal and the Q signal of the electromagnetic signal.

[0026] The first splicing and fusion feature is obtained by splicing and fusing the features of the I-channel signal and the Q-channel signal of the electromagnetic signal. Then, the first splicing and fusion feature is spliced ​​and fused with the features extracted from the I and Q channels to obtain the second splicing and fusion feature.

[0027] Modulation signal type prediction is based on the second splicing and fusion features.

[0028] Among the above technical solutions, a specific structural approach to the local substitution model includes CNN and LSTM.

[0029] Secondly, this case proposes an electromagnetic signal frequency domain enhancement integral migration countermeasure system, including a memory and a processor, wherein the memory stores a computer program that can be loaded by the processor and executed by any of the above methods.

[0030] Thirdly, this case proposes an electromagnetic signal frequency domain enhanced integral transfer adversarial attack system, the system comprising an interpolation sample acquisition module, an enhanced baseline sample acquisition module, a frequency domain enhanced training sample construction module, an integral calculation module, and an adversarial sample generation module; wherein:

[0031] The interpolation sample acquisition module is configured to take a target electromagnetic signal data as the original sample and obtain N interpolation samples through translation interpolation.

[0032] The enhanced baseline sample acquisition module is configured to randomly generate a noise frequency domain signal based on the signal spectral characteristics corresponding to each interpolation sample and the current bandwidth setting value, and obtain the corresponding time domain signal by passing the generated noise frequency domain signal through inverse fast Fourier transform (IFFT), and take the real signal information as the enhanced baseline sample with different spectral characteristics.

[0033] The frequency domain augmentation training sample construction module is configured to augment the interpolated sample in the frequency domain using the augmented baseline sample to obtain N augmented data samples, and use the label corresponding to the original sample as the label corresponding to these N augmented data samples to construct N pairs of frequency domain augmented training samples.

[0034] The integral calculation module is configured to calculate the gradient of N normalized samples based on N pairs of frequency domain augmented training samples, using the loss function of the local substitution model, and then obtain the gradient integral with respect to the original signal itself.

[0035] The adversarial sample generation module is configured to generate adversarial samples corresponding to the original samples based on the gradient integral of the original signal itself. The adversarial samples can carry out transfer adversarial attacks.

[0036] Wherein: the local substitution model is a classification neural network model, and N is a natural number.

[0037] The beneficial technical effects of this case are as follows: the adversarial samples generated using this technical solution have better generalization performance and thus better transferability; by designing the input of the local substitution model and utilizing the influence of the signal frequency domain on signal recognition to construct enhanced data samples, the final generated adversarial samples can improve the performance of black-box adversarial attacks on electromagnetic signal sample migration. Attached Figure Description

[0038] To more clearly illustrate the technical solutions in the embodiments of this application, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0039] Figure 1 This is a schematic flowchart of a method for training a local substitution model provided by an embodiment of the present invention;

[0040] Figure 2 A schematic diagram of an alternative model structure provided in an embodiment of the present invention;

[0041] Figure 3 A flowchart illustrating an electromagnetic signal frequency domain enhancement integral migration countermeasure attack method provided in an embodiment of the present invention;

[0042] Figure 4 A flowchart outlining the overall process of replacing model training, adversarial example generation, and testing;

[0043] Figure 5 A comparison diagram of the generated adversarial sample and the original sample provided for embodiments of the present invention;

[0044] Figure 6 A performance comparison chart of the method of the present invention with other methods in RESTNET black-box model attacks, provided for embodiments of the present invention;

[0045] Figure 7 A comparison chart of the attack performance of the method of the present invention with other methods on the PETCGDNN black-box model, provided for embodiments of the present invention;

[0046] Figure 8 A comparison chart of the performance of the method of the present invention with other methods in local white-box model attacks, provided for embodiments of the present invention. Detailed Implementation

[0047] Research on the transferability of adversarial examples using electromagnetic signals is still in its early stages. Currently, many methods fail to generate adversarial examples with better generalization performance; it is difficult to improve the transferability of adversarial examples; the model characteristics of signal modulation models are not understood; and the accuracy of black-box attack models cannot be improved. Therefore, there is an urgent need for a transferable black-box adversarial example generation method with better attack performance in the field of modulation type identification.

[0048] This invention combines the deep learning interpretability of integral gradients with the method of generating adversarial examples with better generalization performance, and focuses on the impact of the signal frequency domain on the signal recognition model. It generates adversarial examples with better generalization performance, greatly improves the attack performance of adversarial examples, and proposes an electromagnetic signal frequency domain enhanced integral transfer adversarial attack method.

[0049] The following will be combined with the appendix Figure 1-8 This application provides a clear and complete description of how the technical solution in this case is implemented. Obviously, the described implementation methods are only a part of the implementation methods in this case, not all of them. Based on the implementation methods in this case, all other implementation methods obtained by those skilled in the art without inventive effort are within the scope of protection of this application.

[0050] When implementing the electromagnetic signal frequency domain enhancement integral migration adversarial attack method, the first step is to adopt Figure 1 The method shown obtains a local alternative model, and the steps include:

[0051] S101. Obtain the sample dataset and the electromagnetic signal dataset to be attacked.

[0052] Sample datasets were obtained from an open-source modulated signal dataset. After shuffling the data and labels, they were divided into training, validation, and test sets in an 8:1:1 ratio. Power normalization was applied to all datasets.

[0053] The training and validation sets are used to train the model to converge, and the test set is used as the dataset of electromagnetic signals to be attacked.

[0054] S102. Build a local substitution model and train the model until convergence using the training set samples.

[0055] The local substitution model classifies and predicts the attack signal. To improve classification accuracy, the exemplary design of the local substitution model includes three input channels: I and Q signals, the I signal of the electromagnetic signal, and the Q signal of the electromagnetic signal. A first spliced ​​fused feature is obtained by concatenating and fusing the features of the I and Q signals of the electromagnetic signal. This first spliced ​​fused feature is then concatenated and fused with the features extracted from the I and Q signals to obtain a second spliced ​​fused feature. The modulation signal type is then predicted based on the second spliced ​​fused feature.

[0056] The terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of technical features indicated. Therefore, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature.

[0057] An exemplary structure of the local substitution model is as follows: A deep neural network combining CNN and LSTM is constructed as the transfer substitution model. The input has three channels: two input signals (I and Q channels) for data, one for the I channel of the electromagnetic signal, and one for the Q channel of the electromagnetic signal. Structurally, as follows... Figure 2 As shown, firstly, two 1D CNN convolutional layers and one 2D CNN convolutional layer are used to extract the feature information of the electromagnetic signals from the three input channels. Then, the CONCENTRATE function and the CNN convolutional layers are used to merge them to obtain a deep feature map. The ReLU activation function is used to activate the output features. Then, two LSTM long short-term memory layers are used to extract the correlation information before and after the signal. Finally, two fully connected layers are used to output the predicted value. One fully connected layer has 128 nodes, and the other fully connected layer has 10 nodes to predict the type of the modulated signal after passing through the "softmax" activation function.

[0058] During training, the above model uses the cross-entropy loss function as the loss function to calculate the gradient update model and adopts the Adam optimizer to adaptively adjust the learning rate based on historical gradient information. The initial learning rate is set to 0.001.

[0059] The following example uses an electromagnetic signal data to be attacked, combined with... Figure 3 The process of generating adversarial examples in this case is described, and the process of generating adversarial examples for multiple electromagnetic signal data to be attacked is similar.

[0060] S201. Take an electromagnetic signal data to be attacked as the original sample, and obtain N interpolated samples through translation interpolation.

[0061] For each original sample x, the corresponding original signal is shifted and interpolated to obtain an interpolated sample. Specifically, the original signal is shifted upwards or downwards to obtain the sample corresponding to the shifted signal, which is then used as the baseline sample x′. The shift distance d is adaptively adjusted based on the sample value, perturbation, and the square root of the power of each signal path to find a more suitable integration interval. The interpolated sample is obtained by linear interpolation between the baseline sample and the original sample. Alternatively, the interpolated sample can be viewed as a small step between the baseline sample and the original sample in the feature space, i.e.:

[0062]

[0063] In the formula: α∈[0,1] represents the amplitude ratio of the currently selected attribution object during the integration process from the baseline value to the input value. α is a variable that changes with the integration step to obtain diverse integration paths. Assuming that the baseline sample and the original sample are selected based on the amplitude ratio, different interpolated samples are generated. If n = 0, 1, 2, ..., N-1, then each original sample can obtain N corresponding interpolated samples, where N is a natural number.

[0064] S202. Based on the signal spectrum characteristics corresponding to each interpolation sample and the current bandwidth setting, a noise frequency domain signal is randomly generated, and the generated noise frequency domain signal is obtained by inverse fast Fourier transform (IFFT) to obtain the corresponding time domain signal. The real signal information is taken as an enhanced baseline sample with different spectrum characteristics.

[0065] Specifically, based on the signal spectrum characteristics corresponding to the interpolated samples, the signal amplitude is controlled by a normal distribution random function, and two noise frequency domain signals I and Q are randomly generated according to the set bandwidth, where different bandwidths represent different enhancement path information.

[0066] To ensure that each generated noise frequency domain signal has a different signal bandwidth, one approach is to control the generation of signals with different bandwidths each time by setting a hyperparameter W, where W is a value that changes with iteration.

[0067] The generated I and Q noise frequency domain signals are subjected to inverse fast Fourier transform (IFFT) to obtain the time domain signal. The real numbers are then used as the enhanced baseline sample to enhance the frequency domain of the interpolated sample. The power of the generated enhanced baseline sample signal is then normalized, as shown in the following formula:

[0068]

[0069] Where: I represents a function that randomly generates -1 and 1, real() represents taking the real value of a complex number, L represents the length of the signal sample sequence, and norm p This indicates that the power of the signal is normalized, and Z represents a random function that generates a normal distribution with a mean of 1 and a variance of 0.2.

[0070] S203. Use the enhanced baseline samples to enhance the interpolated samples in the frequency domain to obtain N enhanced data samples, and use the labels corresponding to the original samples as the labels corresponding to these N enhanced data samples to construct N pairs of frequency-domain enhanced training samples.

[0071] Specifically, for each interpolated sample, it is used as the primary signal sample, while the enhanced baseline sample corresponding to each interpolated sample is used as the secondary signal sample. A hyperparameter μ is set to ensure that the secondary signal occupies a small portion of the primary signal. In one implementation, μ∈[0,1] is a quantity that adaptively varies with the magnitude of the perturbation, used to control that the enhancement of the secondary signal sample in the final generated mixed signal sample does not exceed that of the primary signal sample itself, i.e.:

[0072]

[0073] In the formula: To enhance the data sample, Let f be the nth interpolation sample, μ be a hyperparameter, μ∈[0,1], and f n Let f be the augmented baseline sample corresponding to the nth interpolated sample, where n = 0, 1, 2, ..., N-1. n The generation method is shown in Formula (2). The path information is regenerated in each iteration to optimize and enhance the path information in real time.

[0074] If the hyperparameter μ is set to both positive and negative values, then both positive and negative samples can be generated, thus obtaining positive and negative augmentation samples with different augmentation directions and exploring more augmentation directions.

[0075] For the generated augmented data samples, instead of using mixed labels, the labels of the main signal samples are directly used. A pair of augmented training samples is constructed using a one-to-one correspondence between the augmented data sample and the original sample labels.

[0076] S204. Based on N pairs of frequency-domain enhanced training samples, calculate the gradients of N normalized samples using the loss function of the local substitution model, and then obtain the gradient integral with respect to the original signal itself.

[0077] Specifically, for a pair of augmented training samples, the augmented data sample is input into the trained local substitution model, which outputs a predicted label. The labels corresponding to the augmented data samples and the predicted labels are then used to calculate the final loss using the cross-entropy loss function.

[0078] The gradient vector corresponding to each augmented data sample is obtained by backpropagation using the loss and the local alternative model structure.

[0079] For the original sample x, a baseline sample x′ is obtained by upward or downward translation. N interpolated samples {x′} are then obtained between the baseline sample x′ and the original sample x using linear interpolation. n For each interpolated sample in the range |n=0,1,2,…,N-1}, enhanced data samples are obtained by performing frequency domain enhancement. Each enhanced data sample is then input into the local substitution model, and backpropagation is performed using a loss function to obtain N gradient vectors forming a gradient vector set. Normalize each gradient vector using L2-Norm based on Euclidean distance, and each gradient vector is then represented as:

[0080]

[0081] In the formula: J is the loss function, To enhance the data samples, y represents the true label, and M represents the local substitution model. right Differential sign, denominator is the pair Calculate the L2 norm.

[0082] S205. Based on the gradient integral of the original signal itself, generate adversarial samples corresponding to the original samples, wherein the adversarial samples are capable of carrying out transfer adversarial attacks.

[0083] The normalized gradient vector is used to calculate the gradient by integration. The vectors before and after are added together, the average is calculated, and then the sum is obtained. By accumulating (accumulating the average value) these local gradients, the integral between the enhanced signal sample and the original sample is approximately estimated. The final gradient integral direction with respect to the original signal itself is then used as the attack direction to attack the input signal, i.e.:

[0084]

[0085] In the formula: X i X0 is the adversarial sample generated by the i-th local substitution model. When the index of X is 0, X0 is the original sample. For the nth augmented data sample The corresponding gradient, For the (n+1)th augmented data sample The corresponding gradient, sign() represents the function that assigns the positive or negative sign. ε represents the magnitude of the perturbation, which depends on the number of iterations.

[0086] During the attack, multiple attack directions will be generated in each loop iteration, and multiple attacks will be carried out to improve the offensiveness of the adversarial sample.

[0087] To test the black-box transfer attack capability of the generated adversarial examples, other unknown models can be used. Specifically, other models with different structures are trained until convergence using the aforementioned training dataset samples, serving as unknown black-box models. Test set sample pairs are generated following the same process as the training set sample pairs. Using the above method, adversarial examples are generated from the test set sample pairs on the same local substitution model. The generated adversarial examples are then used to obtain prediction values ​​using the unknown black-box model, and the recognition performance of the unknown black-box model is used as a reference for attack performance. See the implementation process below. Figure 4 As illustrated, in one embodiment, an adversarial example generated using the method proposed in this invention is as follows: Figure 5 As shown in the figure, the difference between the adversarial sample generated by this invention and the original sample is small, making it difficult to detect and providing good concealment. The adversarial sample and the original sample cannot be distinguished by the human eye alone.

[0088] The method of this invention was compared with existing methods such as Momentum Iteration (MIM), Hybrid Attack (ADMIX), and Projected Gradient Descent (PGD). Performance results are as follows: Figure 6 , Figure 7 , Figure 8As shown, "Local Model of this Invention" represents the attack of the method of this invention on a local white-box model. As the maximum perturbation ε increases, the model recognition accuracy decreases, while the corresponding attack success rate increases, reaching a minimum recognition accuracy of 9% at ε = 0.25, where the attack effect is optimal. "PETCGDNN of this Invention" represents the recognition accuracy of the attack method of this invention on the PETCGDNN black-box model, with a minimum recognition accuracy of 23%. "RESNET of this Invention" represents the recognition accuracy of the attack method of this invention on the RESNET black-box model, with a minimum recognition accuracy of 21%. Similarly, "ADMIX Local Model" represents the attack of the ADMIX transfer attack algorithm on a local white-box model, with a minimum recognition accuracy of 9%. "ADMIX PETCGDNN" and "ADMIX RESNET" reach minimum recognition rates of 35% and 32%, respectively, at ε = 0.25. Under the MIM method, the minimum recognition rates for the local white-box model, the PETCGDNN black-box model, and the RESNET black-box model are 17%, 37%, and 40%, respectively. Under the PGD method, the lowest recognition rates for the local white-box model, the PETCGDNN black-box model, and the RESNET black-box model are 15%, 42%, and 46%, respectively.

[0089] By comparing the success rates under different attack methods, it can be found that as the maximum perturbation increases, the recognition rate of the model gradually decreases, while the attack success rate on the black box gradually increases, and the attack performance gap with other methods gradually widens. Taking the RESTNET model as an example, at ε=0.25, the method improves performance by 11% compared to the ADMIX method, 19% compared to the MIM method, and 25% compared to the PGD method. Under the PETCGDNN network model, at ε=0.25, the attack performance of the method of this invention is improved by 12% compared to the ADMIX method, 14% compared to the MIM method, and 19% compared to the PGD (gradient projection descent) method. At the same time, on the local white-box model, the method of this invention maintains stable attack efficiency. When ε≤0.125, the attack effect is basically consistent with the MIM algorithm and the PGD (gradient projection descent) algorithm. Then, when ε≥0.125, the attack effect on the local white-box model is better than the MIM algorithm, the PGD algorithm, and the ADMIX algorithm. Therefore, it can be seen that under high perturbation, the method of the present invention has better attack performance on white-box and other black-box models. Under low perturbation, the method of the present invention can improve the migration attack performance on black-box models while maintaining or even improving the local white-box attack performance.

[0090] In summary, the method of the present invention helps to greatly enhance the performance of signal attack black-box models without significantly affecting the attack performance of white-box models, and does not require additional electromagnetic signal samples for mixing compared to the ADMIX method.

[0091] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods or systems disclosed herein can be implemented using software plus necessary general-purpose hardware, or they can be implemented using dedicated hardware including dedicated integrated circuits, dedicated CPUs, dedicated memory, dedicated components, etc. Generally, any function performed by a computer program can be easily implemented using corresponding hardware, and the specific hardware structure used to implement the same function can be diverse, such as analog circuits, digital circuits, or dedicated circuits. However, for the purposes of this disclosure, software program implementation is more often a preferred implementation method.

[0092] Although embodiments of the present invention have been described above in conjunction with the accompanying drawings, the present invention is not limited to the specific embodiments and application fields described above. The specific embodiments described above are merely illustrative and instructive, and not restrictive. Those skilled in the art can make many other forms based on the guidance of this specification and without departing from the scope of protection of the claims of the present invention, and all of these are within the scope of protection of the present invention.

Claims

1. A method for countering electromagnetic signal frequency domain enhancement integral transfer attacks, characterized in that, The method includes the following steps: Using a target electromagnetic signal data as the original sample, a translation interpolation is performed to obtain... N One interpolated sample; Based on the signal spectral characteristics of each interpolation sample and the current bandwidth setting, a noise frequency domain signal is randomly generated, and the generated noise frequency domain signal is obtained by inverse fast Fourier transform to obtain the corresponding time domain signal. The real signal information is taken as an enhanced baseline sample with different spectral characteristics. The interpolated samples are enhanced in the frequency domain using enhanced baseline samples to obtain... N A augmented data sample is generated, and the label corresponding to the original sample is used as this... N The labels corresponding to each augmented data sample are used to construct... N Training samples with frequency domain enhancement; based on N For frequency-domain augmented training samples, the loss function of the local substitution model is used to calculate... N The gradient of a normalized sample is used to obtain the gradient integral with respect to the original signal itself; wherein: the local substitution model is a classification neural network model. N It is a natural number; Based on the gradient integral of the original signal itself, adversarial samples corresponding to the original samples are generated. These adversarial samples can carry out transfer adversarial attacks. One method for generating adversarial samples is as follows: In the formula: For the first i Adversarial examples generated by the sublocal substitution model, when When the subscript is 0, This is the original sample; Indicates the magnitude of the disturbance. For the first n One enhanced data sample The corresponding gradient, For the first n+ 1 augmented data sample The corresponding gradient, The function that represents taking the sign of a character. n= 0, 1, 2, … , N- 1.

2. The method according to claim 1, characterized in that, The steps for obtaining enhanced data samples include: In the formula: For the first n One interpolation sample, For hyperparameters, , For the enhanced baseline sample corresponding to the nth interpolation sample, n= 0, 1, 2, … , N- 1.

3. The method according to claim 1, characterized in that, The steps for generating interpolated samples include: Original sample Perform an upward or downward translation to obtain the translation signal as the baseline sample. The translation distance of the signal Adaptive adjustments are made based on the sample size, perturbation amount, and the square root of the power of each signal. Interpolation is performed between the baseline sample and the original sample to obtain the interpolated sample. : , This represents the magnitude proportion of the currently selected attribution object during the integration process from the baseline value to the input value. n= 0, 1, 2, … , N- 1.

4. The method according to claim 1, characterized in that, The normalized sample gradient is calculated as follows: In the formula: J For loss function, To enhance the data sample, Indicates the true label, Indicates a local substitution model. Yes The derivative sign, the denominator is the derivative of the derivative. calculate L2 Norm.

5. The method according to claim 1, characterized in that, The loss function is the cross-entropy loss function.

6. The method according to claim 1, characterized in that: The local substitution model includes three input channels: two signals (I and Q), the I signal of the electromagnetic signal, and the Q signal of the electromagnetic signal. The first splicing and fusion feature is obtained by splicing and fusing the features of the I-channel signal and the Q-channel signal of the electromagnetic signal. Then, the first splicing and fusion feature is spliced ​​and fused with the features extracted from the I and Q channels to obtain the second splicing and fusion feature. Modulation signal type prediction is based on the second splicing and fusion features.

7. The method according to claim 6, characterized in that, One structural approach to local substitution models includes CNN and LSTM.

8. A system for countering electromagnetic signal frequency domain enhancement integral migration attacks, characterized in that: It includes a memory and a processor, wherein the memory stores a computer program that can be loaded by the processor and executed according to any one of claims 1 to 7.

9. A system for countering electromagnetic signal frequency domain enhancement integral migration attacks, characterized in that: The system includes an interpolation sample acquisition module, an enhanced baseline sample acquisition module, a frequency domain enhanced training sample construction module, an integral calculation module, and an adversarial sample generation module; wherein: The interpolation sample acquisition module is configured to take a target electromagnetic signal data as the original sample and obtain it through translation interpolation. N One interpolated sample; The enhanced baseline sample acquisition module is configured to randomly generate a noise frequency domain signal based on the signal spectral characteristics corresponding to each interpolation sample and the current bandwidth setting value, and obtain the corresponding time domain signal by passing the generated noise frequency domain signal through inverse fast Fourier transform, and take the real signal information as the enhanced baseline sample with different spectral characteristics. The frequency-domain augmentation training sample construction module is configured to perform frequency-domain augmentation on the interpolated samples using augmented baseline samples, thereby obtaining... N A augmented data sample is generated, and the label corresponding to the original sample is used as this... N The labels corresponding to each augmented data sample are used to construct... N Training samples with frequency domain enhancement; The integration calculation module is configured based on N For frequency-domain augmented training samples, the loss function of the local substitution model is used to calculate... N The gradient of a normalized sample is used to obtain the gradient integral with respect to the original signal itself; wherein: the local substitution model is a classification neural network model. N It is a natural number; The adversarial example generation module is configured to generate adversarial examples corresponding to the original samples based on the gradient integral of the original signal itself. These adversarial examples can carry out transfer adversarial attacks. One method for generating adversarial examples is as follows: In the formula: For the first i Adversarial examples generated by the sublocal substitution model, when When the subscript is 0, This is the original sample; Indicates the magnitude of the disturbance. For the first n One enhanced data sample The corresponding gradient, For the first n+ 1 augmented data sample The corresponding gradient, The function that represents taking the sign of a character. n= 0, 1, 2, … , N- 1.