# AI Based 6G Applications’ Security Mitigation: Defensive Distillation

## How to build secure AI based 6G solutions for adversarial machine learning attacks

--

The design of security schemes for deep learning algorithms is critical for protecting wireless networks from adversarial attacks. However, there is no consensus about the best way to do this. In this blog, I present a security vulnerability in deep learning for beamforming prediction using deep neural networks (DNNs), and offer two methods for mitigating this vulnerability. Experimental results show that these methods are effective in defending DNN models against adversarial attacks in next-generation wireless networks.

**Cite The Work**

If you find those results useful please cite them :

`@misc{kuzlu2022adversarial,`

title={The Adversarial Security Mitigations of mmWave Beamforming Prediction Models using Defensive Distillation and Adversarial Retraining},

author={Murat Kuzlu and Ferhat Ozgur Catak and Umit Cali and Evren Catak and Ozgur Guler},

year={2022},

eprint={2202.08185},

archivePrefix={arXiv},

primaryClass={cs.CR}

}

## 1. Introduction

The first 5G standard was announced and approved by 3GPP in December 2017. The early standardization work on 5G is expected to provide a solid and stable foundation for the early adoption of 5G services. In addition, 5G will be essential for Internet of Things (IoT) applications and future mobile networks. There are many challenges in designing 5G networks, including a security scheme for beamforming prediction. It is a critical part of wireless networks, studied in communication systems and signal processing. Designing and implementing beamforming algorithms in next-generation (i.e., 6G) wireless networks is also crucial. In current wireless networks, deep learning (DL)-based beamforming prediction is vulnerable to adversarial machine learning attacks. Therefore, it is critical to design a security scheme for beamforming prediction in 6G networks.

6G is the latest wireless communication technology among cellular networks currently under development. In 6G solutions, artificial intelligence (AI)-based algorithms would be one of the main components of wireless communication systems to improve the overall system performance. The existing solutions in 5G would be migrated to the AI domain, more specifically into the DL area. Therefore, it is crucial to design secure DL solutions for the AI-based models in 6G wireless networks. The new attack surface and the existing 5G security problems are DL security vulnerabilities. Researchers and companies should mitigate their DL models’ security problems before deploying them to the production environments. They need to identify, document, and perform a risk assessment for new security threats in the next-generation wireless communication systems.

## 2. Defensive Distillation

Knowledge distillation was previously introduced by Hinton et al. to compress a large model into a smaller one. Papernot et al. proposed this technique for the adversarial machine learning defense against attacks. The defensive distillation mitigation method includes a larger teacher model and a compressed student model. The first step is to train the teacher model with a high temperature ($T$) parameter to soften the softmax probability outputs of the DNN model.

$i$th class and $z_{i}$ are the logits. The second step is to use the previously trained teacher model to obtain the soft labels of the training data. In this step, the teacher model predicts each of the samples in the training data using the same temperature ($T$) value, and the predictions are the labels (i.e., soft labels) for the training data to train the student model. The student model is trained with the soft labels acquired from the teacher model, again with a high $T$ value in the softmax. After the student model’s training phase, the $T$ parameter is set to 1 during the prediction time of the student model.

Figure 1 shows the overall steps for this technique.

## 3. Let’s get coding

I will show the our proposed approach with Python language. I import the usual standard libraries to build a deep learning model to predict RF beamforming codeword.

`!pip install -q cleverhans`

!pip install -q plot_keras_history

!pip install -q loguru

import util

from plot_keras_history import plot_history

import matplotlib.pyplot as plt

from tqdm.notebook import tqdm

import numpy as np

from sklearn.metrics import mean_squared_error

import pandas as pd

import seaborn as sns

SCENARIO_NAME = 'O1'

nb_epoch = 2000

batch_size = 1000

num_tot_TX=4

num_beams=512

loss_fn='mean_squared_error'

DS_PATH = '/Users/ozgur/Documents/Workshop/DeepMIMO_Dataset_Generation_v1.1/DLCB_dataset/'

In this work, I will use publicly avaliable DeepMIMO dataset to attack RF beam forming prediction model. I will use FGSM attack, and Mean Squared Error loss function for the input manipulation. My FGSM attack implementation is here. In this scenario there are 4 basestations.

In_train, In_test, Out_train, Out_test = util.get_dataset(SCENARIO_NAME)

AP_models,AP_models_history = util.train(In_train, Out_train, In_test, Out_test,

nb_epoch, batch_size,loss_fn=loss_fn,

n_BS=num_tot_TX, n_beams=num_beams,

sc_name=SCENARIO_NAME)

for i in range(num_tot_TX):

plot_history(AP_models_history[i].history, side=3)

plt.show()0%| | 0/4 [00:00<?, ?it/s]

Restoring model weights from the end of the best epoch: 91.

Epoch 00111: early stopping

Restoring model weights from the end of the best epoch: 106.

Epoch 00126: early stopping

Restoring model weights from the end of the best epoch: 96.

Epoch 00116: early stopping

Restoring model weights from the end of the best epoch: 57.

Epoch 00077: early stopping

## Adversarial Machine Learning Attacks

In this step, we will generate malicious uplink signals using Fast-Gradient Sign Method (FGSM), Basic Iterative Method (BIM), Momentum Iterative Method (MIM), Projected Gradient Descent (PGD) attacks.

## FGSM (Fast-Gradient Sign Method)

epsilon_vals = [0.1, 0.2, 0.3]

fgm_eps_mse = []

fgsm_all_mse = []

fgsm_all_eps = []

for eps_val in tqdm(epsilon_vals):

fgsm_mse_malicious = []

for i_bs in range(num_tot_TX):

adv_inputs = util.attack_models(model = AP_models[i_bs],

attack_name = 'FGSM',

eps_val = eps_val,

testset = In_test,

norm = np.inf)

adv_inputs_pred = AP_models[i_bs].predict(adv_inputs)

for j in range(adv_inputs_pred.shape[0]):

tmp = mean_squared_error(Out_test[j,i_bs*num_beams:(i_bs+1)*num_beams],

adv_inputs_pred[j,:])

fgsm_mse_malicious.append(tmp)

fgsm_all_mse.append(tmp)

fgsm_all_eps.append(eps_val)

fgm_eps_mse.append(np.mean(fgsm_mse_malicious))0%| | 0/3 [00:00<?, ?it/s]

WARNING:tensorflow:5 out of the last 5 calls to <function compute_gradient at 0x7f9d7ba1eb80> triggered tf.function retracing. Tracing is expensive and the excessive number of tracings could be due to (1) creating @tf.function repeatedly in a loop, (2) passing tensors with different shapes, (3) passing Python objects instead of tensors. For (1), please define your @tf.function outside of the loop. For (2), @tf.function has experimental_relax_shapes=True option that relaxes argument shapes that can avoid unnecessary retracing. For (3), please refer to https://www.tensorflow.org/guide/function#controlling_retracing and https://www.tensorflow.org/api_docs/python/tf/function for more details.

WARNING:tensorflow:6 out of the last 6 calls to <function compute_gradient at 0x7f9d7ba1eb80> triggered tf.function retracing. Tracing is expensive and the excessive number of tracings could be due to (1) creating @tf.function repeatedly in a loop, (2) passing tensors with different shapes, (3) passing Python objects instead of tensors. For (1), please define your @tf.function outside of the loop. For (2), @tf.function has experimental_relax_shapes=True option that relaxes argument shapes that can avoid unnecessary retracing. For (3), please refer to https://www.tensorflow.org/guide/function#controlling_retracing and https://www.tensorflow.org/api_docs/python/tf/function for more details.

## PGD (Projected Gradient Descent)

pgd_eps_mse = []

pgd_all_mse = []

for eps_val in tqdm(epsilon_vals):

pgd_mse_malicious = []

for i_bs in range(num_tot_TX):

adv_inputs = util.attack_models(model = AP_models[i_bs],

attack_name = 'PGD',

eps_val = eps_val,

testset = In_test,

norm = np.inf)

adv_inputs_pred = AP_models[i_bs].predict(adv_inputs)

for j in range(adv_inputs_pred.shape[0]):

tmp = mean_squared_error(Out_test[j,i_bs*num_beams:(i_bs+1)*num_beams],

adv_inputs_pred[j,:])

pgd_mse_malicious.append(tmp)

pgd_all_mse.append(tmp)

pgd_eps_mse.append(np.mean(pgd_mse_malicious))0%| | 0/3 [00:00<?, ?it/s]

## BIM (Basic Iterative Method)

bim_eps_mse = []

bim_all_mse = []

for eps_val in tqdm(epsilon_vals):

bim_mse_malicious = []

for i_bs in range(num_tot_TX):

adv_inputs = util.attack_models(model = AP_models[i_bs],

attack_name = 'BIM',

eps_val = eps_val,

testset = In_test,

norm = np.inf)

adv_inputs_pred = AP_models[i_bs].predict(adv_inputs)

for j in range(adv_inputs_pred.shape[0]):

tmp = mean_squared_error(Out_test[j,i_bs*num_beams:(i_bs+1)*num_beams],

adv_inputs_pred[j,:])

bim_mse_malicious.append(tmp)

bim_all_mse.append(tmp)

bim_eps_mse.append(np.mean(bim_mse_malicious))0%| | 0/3 [00:00<?, ?it/s]

## MIM (Momentum Iterative Method)

mim_eps_mse = []

mim_all_mse = []

for eps_val in tqdm(epsilon_vals):

mim_mse_malicious = []

for i_bs in range(num_tot_TX):

adv_inputs = util.attack_models(model = AP_models[i_bs],

attack_name = 'MIM',

eps_val = eps_val,

testset = In_test,

norm = np.inf)

adv_inputs_pred = AP_models[i_bs].predict(adv_inputs)

for j in range(adv_inputs_pred.shape[0]):

tmp = mean_squared_error(Out_test[j,i_bs*num_beams:(i_bs+1)*num_beams],

adv_inputs_pred[j,:])

mim_mse_malicious.append(tmp)

mim_all_mse.append(tmp)

mim_eps_mse.append(np.mean(mim_mse_malicious))0%| | 0/3 [00:00<?, ?it/s]df_avg_mse = pd.DataFrame({'epsilon_vals':epsilon_vals,'fgm_eps_mse':fgm_eps_mse,

'pgd_eps_mse':pgd_eps_mse,'bim_eps_mse':bim_eps_mse,

'mim_eps_mse':mim_eps_mse})

df_avg_mse.to_csv('df_avg_mse.csv', index=False)

plt.figure(figsize=(10,3))

sns.lineplot(data=df_avg_mse, x='epsilon_vals', y='fgm_eps_mse', ls='--', lw=2)

sns.lineplot(data=df_avg_mse, x='epsilon_vals', y='pgd_eps_mse', ls='-.', lw=2)

sns.lineplot(data=df_avg_mse, x='epsilon_vals', y='bim_eps_mse', ls='-', lw=2)

sns.lineplot(data=df_avg_mse, x='epsilon_vals', y='mim_eps_mse', ls='-.', lw=2)

plt.ylabel('MSE', fontsize=20)

plt.xlabel(r'$\epsilon$ values', fontsize=20)

plt.xticks(fontsize=16)

plt.yticks(fontsize=16)

plt.grid(True)

plt.legend(['FGSM','PGD','BIM','MIM'],shadow=True, ncol=2,fontsize=16)

plt.show()

## Mean Square Error Distributions

MSE distribution histogram of the each attack. There is a strong negative correlation between $\epsilon$ and DL model’s prediction performance. The confidence interval value of the correlations (i.e., $p$-value) is 0. The $p$-value is the probability connected to the likelihood of acquiring the correlation result.

`df_fgsm_res = pd.DataFrame({'epsilon':fgsm_all_eps,`

'FGSM':fgsm_all_mse,'PGD':pgd_all_mse,

'BIM':bim_all_mse,'MIM':mim_all_mse})

df_fgsm_res.to_csv('df_fgsm_res.csv', index=False)

color_codes = ['r','g','b']

attack_types = ['FGSM','PGD','BIM','MIM']

fig,ax = plt.subplots(1, 4, figsize=(20, 5), sharey=True)

ax_idx = 0

for attack_type in attack_types:

for tmp_eps_val, c_name in zip(epsilon_vals,color_codes):

df_fgsm_res_tmp = df_fgsm_res.query('epsilon == ' + str(tmp_eps_val) )

sns.histplot(data=df_fgsm_res_tmp, x=attack_type, element="poly", cumulative=False,

lw=2,stat='count',log_scale=(False,False),

ax=ax[ax_idx], color=c_name)

ax[ax_idx].set_xlabel(attack_type, fontsize=20)

ax[ax_idx].set_ylabel(r'Count', fontsize=20)

ax[ax_idx].legend(epsilon_vals,shadow=False,ncol=1,fontsize=14)

ax[ax_idx].grid()

ax_idx += 1

plt.show()

## Defensive Distillation

AP_distilled_models = util.train_distill(In_train, Out_train, In_test, Out_test,

nb_epoch, batch_size,loss_fn=loss_fn,

n_BS=num_tot_TX, n_beams=num_beams,

teacher_multiplication=3.0,student_multiplication=0.1,

distill_alpha=0.1, distill_temp=100,

sc_name=SCENARIO_NAME)0%| | 0/4 [00:00<?, ?it/s]

## Attack to the distilled models

We will perform the same attacks for the distilled models. You can easily see from the plots that the distilled models are more robust to the attacks.

epsilon_vals = [0.1, 0.2, 0.3]

fgm_eps_mse = []

fgsm_all_mse = []

fgsm_all_eps = []

for eps_val in tqdm(epsilon_vals):

fgsm_mse_malicious = []

for i_bs in range(num_tot_TX):

adv_inputs = util.attack_models(model = AP_distilled_models[i_bs],

attack_name = 'FGSM',

eps_val = eps_val,

testset = In_test,

norm = np.inf)

adv_inputs_pred = AP_distilled_models[i_bs].predict(adv_inputs)

for j in range(adv_inputs_pred.shape[0]):

tmp = mean_squared_error(Out_test[j,i_bs*num_beams:(i_bs+1)*num_beams],

adv_inputs_pred[j,:])

fgsm_mse_malicious.append(tmp)

fgsm_all_mse.append(tmp)

fgsm_all_eps.append(eps_val)

fgm_eps_mse.append(np.mean(fgsm_mse_malicious))0%| | 0/3 [00:00<?, ?it/s]pgd_eps_mse = []

pgd_all_mse = []

for eps_val in tqdm(epsilon_vals):

pgd_mse_malicious = []

for i_bs in range(num_tot_TX):

adv_inputs = util.attack_models(model = AP_distilled_models[i_bs],

attack_name = 'PGD',

eps_val = eps_val,

testset = In_test,

norm = np.inf)

adv_inputs_pred = AP_distilled_models[i_bs].predict(adv_inputs)

for j in range(adv_inputs_pred.shape[0]):

tmp = mean_squared_error(Out_test[j,i_bs*num_beams:(i_bs+1)*num_beams],

adv_inputs_pred[j,:])

pgd_mse_malicious.append(tmp)

pgd_all_mse.append(tmp)

pgd_eps_mse.append(np.mean(pgd_mse_malicious))0%| | 0/3 [00:00<?, ?it/s]bim_eps_mse = []

bim_all_mse = []

for eps_val in tqdm(epsilon_vals):

bim_mse_malicious = []

for i_bs in range(num_tot_TX):

adv_inputs = util.attack_models(model = AP_distilled_models[i_bs],

attack_name = 'BIM',

eps_val = eps_val,

testset = In_test,

norm = np.inf)

adv_inputs_pred = AP_distilled_models[i_bs].predict(adv_inputs)

for j in range(adv_inputs_pred.shape[0]):

tmp = mean_squared_error(Out_test[j,i_bs*num_beams:(i_bs+1)*num_beams],

adv_inputs_pred[j,:])

bim_mse_malicious.append(tmp)

bim_all_mse.append(tmp)

bim_eps_mse.append(np.mean(bim_mse_malicious))0%| | 0/3 [00:00<?, ?it/s]mim_eps_mse = []

mim_all_mse = []

for eps_val in tqdm(epsilon_vals):

mim_mse_malicious = []

for i_bs in range(num_tot_TX):

adv_inputs = util.attack_models(model = AP_distilled_models[i_bs],

attack_name = 'MIM',

eps_val = eps_val,

testset = In_test,

norm = np.inf)

adv_inputs_pred = AP_distilled_models[i_bs].predict(adv_inputs)

for j in range(adv_inputs_pred.shape[0]):

tmp = mean_squared_error(Out_test[j,i_bs*num_beams:(i_bs+1)*num_beams],

adv_inputs_pred[j,:])

mim_mse_malicious.append(tmp)

mim_all_mse.append(tmp)

mim_eps_mse.append(np.mean(mim_mse_malicious))0%| | 0/3 [00:00<?, ?it/s]df_avg_mse = pd.DataFrame({'epsilon_vals':epsilon_vals,'fgm_eps_mse':fgm_eps_mse,

'pgd_eps_mse':pgd_eps_mse,'bim_eps_mse':bim_eps_mse,

'mim_eps_mse':mim_eps_mse})

df_avg_mse.to_csv('df_avg_mse.csv', index=False)

plt.figure(figsize=(10,3))

sns.lineplot(data=df_avg_mse, x='epsilon_vals', y='fgm_eps_mse', ls='--', lw=2)

sns.lineplot(data=df_avg_mse, x='epsilon_vals', y='pgd_eps_mse', ls='-.', lw=2)

sns.lineplot(data=df_avg_mse, x='epsilon_vals', y='bim_eps_mse', ls='-', lw=2)

sns.lineplot(data=df_avg_mse, x='epsilon_vals', y='mim_eps_mse', ls='-.', lw=2)

plt.ylabel('MSE', fontsize=20)

plt.xlabel(r'$\epsilon$ values', fontsize=20)

plt.xticks(fontsize=16)

plt.yticks(fontsize=16)

plt.grid(True)

plt.legend(['FGSM','PGD','BIM','MIM'],shadow=True, ncol=2,fontsize=16)

plt.show()

`df_fgsm_res = pd.DataFrame({'epsilon':fgsm_all_eps,`

'FGSM':fgsm_all_mse,'PGD':pgd_all_mse,

'BIM':bim_all_mse,'MIM':mim_all_mse})

df_fgsm_res.to_csv('df_fgsm_res.csv', index=False)

color_codes = ['r','g','b']

attack_types = ['FGSM','PGD','BIM','MIM']

fig,ax = plt.subplots(1, 4, figsize=(20, 5), sharey=True)

ax_idx = 0

for attack_type in attack_types:

for tmp_eps_val, c_name in zip(epsilon_vals,color_codes):

df_fgsm_res_tmp = df_fgsm_res.query('epsilon == ' + str(tmp_eps_val) )

sns.histplot(data=df_fgsm_res_tmp, x=attack_type, element="poly", cumulative=False,

lw=2,stat='count',log_scale=(False,False),

ax=ax[ax_idx], color=c_name)

ax[ax_idx].set_xlabel(attack_type, fontsize=20)

ax[ax_idx].set_ylabel(r'Count', fontsize=20)

ax[ax_idx].legend(epsilon_vals,shadow=False,ncol=1,fontsize=14)

ax[ax_idx].grid()

ax_idx += 1

plt.show()

## 4. Conculusion

This blog presents a security scheme for RF beamforming prediction models’ vulnerabilities and their mitigation techniques. The experiments were performed with the selected DeepMIMO scenarios to investigate these questions. The results confirm that the original DL-based beamforming model is significantly vulnerable to FGSM, PGD, BIM, and MIM attacks. The MSE value increases in all three scenarios under a heavy BIM adversarial attack. On the other hand, the results show that the proposed mitigation methods successfully increase the RF beamforming prediction performance.