Practical Adversarial Attack on WiFi Sensing Through Unnoticeable Communication Packet Perturbation
Authors: 
Changming Li, Mingjing Xu, Yicong Du, Limin Liu, Cong Shi, Yan Wang, Hongbo Liu, Yingying ChenAuthors Info & Claims
Changming Li, Mingjing Xu, Yicong Du, Limin Liu, Cong Shi, Yan Wang, Hongbo Liu, Yingying ChenAuthors Info & ClaimsPages 373 - 387
Abstract
The pervasive use of WiFi has driven the recent research in WiFi sensing, converting communication tech into sensing for applications such as activity recognition, user authentication, and vital sign monitoring. Despite the integration of deep learning into WiFi sensing systems, potential security vulnerabilities to adversarial attacks remain unexplored. This paper introduces the first physical attack focusing on deep learning-based WiFi sensing systems, demonstrating how adversaries can subtly manipulate WiFi packet preambles to affect channel state information (CSI), a critical feature in such systems, and thereby influence underlying deep learning models without disrupting regular communication. To realize the proposed attack in practical scenarios, we rigorously analyze and derive the intricate relationship between the pilot symbol and CSI. A novel mechanism is proposed to facilitate quantitive control of receiver-side CSI through minimal modifications to the pilot symbols of WiFi packets at the transmitter. We further develop a perturbation optimization method based on the Carlini & Wagner (CW) attack and a penalty-based training process to ensure the attack's universal efficacy across various CSI responses and noise. The physical attack is implemented and evaluated in two representative WiFi sensing systems (i.e., activity recognition and user authentication) with 35 participants over 3 months. Extensive experiments demonstrate the remarkable attack success rates of 90.47% and 83.83% for activity recognition and user authentication, respectively.
References
[1]
Martín Abadi, Paul Barham, Jianmin Chen, Zhifeng Chen, Andy Davis, Jeffrey Dean, Matthieu Devin, Sanjay Ghemawat, Geoffrey Irving, Michael Isard, et al. 2016. {TensorFlow}: a system for {Large-Scale} machine learning. In 12th USENIX symposium on operating systems design and implementation (OSDI 16). 265--283.
[2]
Hadi Abdullah, Washington Garcia, Christian Peeters, Patrick Traynor, Kevin RB Butler, and Joseph Wilson. 2019. Practical hidden voice attacks against speech and speaker recognition systems. arXiv preprint arXiv:1904.05734 (2019).
[3]
Moustafa Alzantot, Bharathan Balaji, and Mani Srivastava. 2018. Did you hear that? adversarial examples against automatic speech recognition. arXiv preprint arXiv:1801.00554 (2018).
[4]
Harshit Ambalkar, Xuyu Wang, and Shiwen Mao. 2021. Adversarial human activity recognition using Wi-Fi CSI. In 2021 IEEE Canadian Conference on Electrical and Computer Engineering (CCECE). IEEE, 1--5.
[5]
Bastian Bloessl. 2019. A physical layer experimentation framework for automotive WLAN. Gesellschaft für Informatik eV.
[6]
Bastian Bloessl, Michele Segata, Christoph Sommer, and Falko Dressler. 2017. Performance assessment of IEEE 802.11 p with an open source SDR-based prototype. IEEE Transactions on Mobile Computing 17, 5 (2017), 1162--1175.
[7]
Nicholas Carlini and David Wagner. 2017. Towards evaluating the robustness of neural networks. In 2017 ieee symposium on security and privacy (sp). Ieee, 39--57.
[8]
Guangke Chen, Sen Chenb, Lingling Fan, Xiaoning Du, Zhe Zhao, Fu Song, and Yang Liu. 2021. Who is real bob? adversarial attacks on speaker recognition systems. In IEEE Symposium on Security and Privacy (SP). IEEE, 694--711.
[9]
Zhenghua Chen, Le Zhang, Chaoyang Jiang, Zhiguang Cao, and Wei Cui. 2018. WiFi CSI based passive human activity recognition using attention based BLSTM. IEEE Transactions on Mobile Computing 18, 11 (2018), 2714--2724.
[10]
Moustapha M Cisse, Yossi Adi, Natalia Neverova, and Joseph Keshet. 2017. Houdini: Fooling deep structured visual and speech recognition models with adversarial examples. Advances in neural information processing systems 30 (2017).
[11]
Ang Cui, Michael Costello, and Salvatore Stolfo. 2013. When firmware modifications attack: A case study of embedded exploitation. (2013).
[12]
DD-WRT. accessed February 2012. https://dd-wrt.com/
[13]
GNU Radio Website. accessed February 2012. http://www.gnuradio.org
[14]
Liangyi Gong, Wu Yang, Zimu Zhou, Dapeng Man, Haibin Cai, Xiancun Zhou, and Zheng Yang. 2016. An adaptive wireless passive human detection via fine-grained physical layer information. Ad Hoc Networks 38 (2016), 38--50.
[15]
Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014).
[16]
Wenjun Jiang, Chenglin Miao, Fenglong Ma, Shuochao Yao, Yaqing Wang, Ye Yuan, Hongfei Xue, Chen Song, Xin Ma, Dimitrios Koutsonikolas, et al. 2018. Towards environment independent device free human activity recognition. In Proceedings of the 24th annual international conference on mobile computing and networking. 289--304.
[17]
Silvija Kokalj-Filipovic, Rob Miller, and Joshua Morman. 2019. Targeted adversarial examples against RF deep classifiers. In Proceedings of the ACM Workshop on Wireless Security and Machine Learning. 6--11.
[18]
Manikanta Kotaru, Kiran Joshi, Dinesh Bharadia, and Sachin Katti. 2015. Spotfi: Decimeter level localization using wifi. In Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication. 269--282.
[19]
Felix Kreuk, Yossi Adi, Moustapha Cisse, and Joseph Keshet. 2018. Fooling end-to-end speaker verification with adversarial examples. In IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). IEEE, 1962--1966.
[20]
Shengjie Li, Xiang Li, Kai Niu, Hao Wang, Yue Zhang, and Daqing Zhang. 2017. Ar-alarm: An adaptive and robust intrusion detection system leveraging csi from commodity wi-fi. In Enhanced Quality of Life and Smart Living: 15th International Conference, ICOST 2017, Paris, France, August 29--31, 2017, Proceedings 15. Springer, 211--223.
[21]
Zhuohang Li, Yi Wu, Jian Liu, Yingying Chen, and Bo Yuan. 2020. Advpulse: Universal, synchronization-free, and targeted audio adversarial attacks via subsecond perturbations. In Proceedings of ACM SIGSAC Conference on Computer and Communications Security. 1121--1134.
[22]
Jianwei Liu, Yinghui He, Chaowei Xiao, Jinsong Han, Le Cheng, and Kui Ren. 2022. Physical-World Attack towards WiFi-based Behavior Recognition. In IEEE INFOCOM 2022-IEEE Conference on Computer Communications. IEEE, 400--409.
[23]
Jian Liu, Yan Wang, Yingying Chen, Jie Yang, Xu Chen, and Jerry Cheng. 2015. Tracking vital signs during sleep leveraging off-the-shelf wifi. In Proceedings of the 16th ACM international symposium on mobile ad hoc networking and computing. 267--276.
[24]
Yanpei Liu, Xinyun Chen, Chang Liu, and Dawn Song. 2016. Delving into transferable adversarial examples and black-box attacks. arXiv preprint arXiv:1611.02770 (2016).
[25]
Zikun Liu, Changming Xu, Emerson Sie, Gagandeep Singh, and Deepak Vasisht. 2023. Exploring Practical Vulnerabilities of Machine Learning-based Wireless Systems. In 20th USENIX Symposium on Networked Systems Design and Implementation (NSDI 23). 1801--1817.
[26]
Yongsen Ma, Gang Zhou, and Shuangquan Wang. 2019. WiFi sensing with channel state information: A survey. ACM Computing Surveys (CSUR) 52, 3 (2019), 1--36.
[27]
mandylionlabs. 2013. Reverse Engineering a D-Link Backdoor - /dev/ttyS0. https://devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
[28]
Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, and Pascal Frossard. 2016. Deepfool: a simple and accurate method to fool deep neural networks. In Proceedings of the IEEE conference on computer vision and pattern recognition. 2574--2582.
[29]
Takashi Nakamura, Mondher Bouazizi, Kohei Yamamoto, and Tomoaki Ohtsuki. 2020. Wi-fi-CSI-based fall detection by spectrogram analysis with CNN. In GLOBECOM 2020-2020 IEEE Global Communications Conference. IEEE, 1--6.
[30]
Paarth Neekhara, Shehzeen Hussain, Prakhar Pandey, Shlomo Dubnov, Julian McAuley, and Farinaz Koushanfar. 2019. Universal adversarial perturbations for speech recognition systems. arXiv preprint arXiv:1905.03828 (2019).
[31]
OpenWRT. accessed February 2012. https://openwrt.org/
[32]
Nicolas Papernot, Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami. 2016. Distillation as a defense to adversarial perturbations against deep neural networks. In 2016 IEEE symposium on security and privacy (SP). IEEE, 582--597.
[33]
Kun Qian, Chenshu Wu, Zheng Yang, Yunhao Liu, and Kyle Jamieson. 2017. Widar: Decimeter-level passive tracking via velocity monitoring with commodity Wi-Fi. In Proceedings of the 18th ACM International Symposium on Mobile Ad Hoc Networking and Computing. 1--10.
[34]
Kun Qian, Chenshu Wu, Yi Zhang, Guidong Zhang, Zheng Yang, and Yunhao Liu. 2018. Widar2. 0: Passive human tracking with a single Wi-Fi link. In Proceedings of the 16th annual international conference on mobile systems, applications, and services. 350--361.
[35]
Anand Kumar Sah and Arun Kumar Timalsina. 2015. Improvement of Complexity and Performance of Least Square Based Channel Estimation in MIMO System. Journal of Advanced College of Engineering and Management 1 (2015), 11--24.
[36]
Eman Shalaby, Nada ElShennawy, and Amany Sarhan. 2022. Utilizing deep learning models in CSI-based human activity recognition. Neural Computing and Applications (2022), 1--18.
[37]
Cong Shi, Jian Liu, Nick Borodinov, Bruno Leao, and Yingying Chen. 2020. Towards environment-independent behavior-based user authentication using wifi. In 2020 IEEE 17th International Conference on Mobile Ad Hoc and Sensor Systems (MASS). IEEE, 666--674.
[38]
Cong Shi, Jian Liu, Hongbo Liu, and Yingying Chen. 2017. Smart user authentication through actuation of daily activities leveraging WiFi-enabled IoT. In Proceedings of the 18th ACM International Symposium on Mobile Ad Hoc Networking and Computing. 1--10.
[39]
Cong Shi, Tianfang Zhang, Zhuohang Li, Huy Phan, Tianming Zhao, Yan Wang, Jian Liu, Bo Yuan, and Yingying Chen. 2022. Audio-domain position-independent backdoor attack via unnoticeable triggers. In Proceedings of the 28th Annual International Conference on Mobile Computing And Networking. 583--595.
[40]
Tomato Firmware. accessed February 2012. https://www.polarcloud.com/tomato
[41]
Jon Vadillo and Roberto Santana. 2019. Universal adversarial examples in speech command classification. arXiv preprint arXiv:1911.10182 (2019).
[42]
Dazhuo Wang, Jianfei Yang, Wei Cui, Lihua Xie, and Sumei Sun. 2022. CAUTION: A Robust WiFi-based human authentication system via few-shot open-set recognition. IEEE Internet of Things Journal 9, 18 (2022), 17323--17333.
[43]
Xiangyu Wang, Xuyu Wang, Shiwen Mao, Jian Zhang, Senthilkumar CG Periaswamy, and Justin Patton. 2022. Adversarial deep learning for indoor localization with channel state information tensors. IEEE internet of things journal 9, 19 (2022), 18182--18194.
[44]
Xuyu Wang, Chao Yang, and Shiwen Mao. 2017. PhaseBeat: Exploiting CSI phase data for vital sign monitoring with commodity WiFi devices. In 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS). IEEE, 1230--1239.
[45]
Yan Wang, Jian Liu, Yingying Chen, Marco Gruteser, Jie Yang, and Hongbo Liu. 2014. E-eyes: Device-free location-oriented activity identification using fine-grained WiFi signatures. In Annual International Conference on Mobile Computing and Networking (MobiCom). 617--628.
[46]
Zhipeng Wei, Jingjing Chen, Zuxuan Wu, and Yu-Gang Jiang. 2022. Cross-Modal Transferable Adversarial Attacks from Images to Videos. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 15064--15073.
[47]
Chaowei Xiao, Bo Li, Jun-Yan Zhu, Warren He, Mingyan Liu, and Dawn Song. 2018. Generating adversarial examples with adversarial networks. arXiv preprint arXiv:1801.02610 (2018).
[48]
Yucheng Xie, Ruizhe Jiang, Xiaonan Guo, Yan Wang, Jerry Cheng, and Yingying Chen. 2022. Universal targeted attacks against mmWave-based human activity recognition system. In IEEE Conference on Computer Communications (INFOCOM). 541--542.
[49]
Yi Xie, Zhuohang Li, Cong Shi, Jian Liu, Yingying Chen, and Bo Yuan. 2021. Real-time, robust and adaptive universal adversarial attacks against speaker recognition systems. Journal of Signal Processing Systems (2021), 1--14.
[50]
Leiyang Xu, Xiaolong Zheng, Xiangyuan Li, Yucheng Zhang, Liang Liu, and Huadong Ma. 2022. WiCAM: Imperceptible Adversarial Attack on Deep Learning based WiFi Sensing. In 2022 19th Annual IEEE International Conference on Sensing, Communication, and Networking (SECON). IEEE, 10--18.
[51]
Hiromu Yakura and Jun Sakuma. 2018. Robust audio adversarial example for a physical attack. arXiv preprint arXiv:1810.11793 (2018).
[52]
Jianfei Yang, Xinyan Chen, Han Zou, Chris Xiaoxuan Lu, Dazhuo Wang, Sumei Sun, and Lihua Xie. 2023. SenseFi: A library and benchmark on deep-learning-empowered WiFi human sensing. Patterns 4, 3 (2023).
[53]
Xuejing Yuan, Yuxuan Chen, Yue Zhao, Yunhui Long, Xiaokang Liu, Kai Chen, Shengzhi Zhang, Heqing Huang, Xiaofeng Wang, and Carl A Gunter. 2018. {CommanderSong}: A systematic approach for practical adversarial voice recognition. In USENIX security symposium (USENIX security). 49--64.
[54]
Zhongfeng Zhang, Hongxin Du, Seungwon Choi, and Sung Ho Cho. 2022. TIPS: Transformer based indoor positioning system using both CSI and DoA of WiFi signal. IEEE Access 10 (2022), 111363--111376.
[55]
Zekun Zhang and Tianfu Wu. 2020. Learning ordered top-k adversarial attacks via adversarial distillation. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops. 776--777.
[56]
Shengli Zhou and Georgios B Giannakis. 2004. Adaptive modulation for multiantenna transmissions with channel mean feedback. IEEE Transactions on Wireless Communications 3, 5 (2004), 1626--1636.
[57]
Yuxuan Zhou, Huangxun Chen, Chenyu Huang, and Qian Zhang. 2022. WiAdv: Practical and Robust Adversarial Attack against WiFi-based Gesture Recognition System. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 6, 2 (2022), 1--25.
Index Terms
- Practical Adversarial Attack on WiFi Sensing Through Unnoticeable Communication Packet Perturbation
Recommendations
Reversible attack based on local visible adversarial perturbation
AbstractAdding perturbation to images can mislead classification models to produce incorrect results. Based on this, research has exploited adversarial perturbation to protect private images from retrieval by malicious intelligent models. However, adding ...
Reversible attack based on adversarial perturbation and reversible data hiding in YUV colorspace
Highlights- Reversible adversarial attack can prevent illegal image access while ensure legal use.
- Embed adversarial perturbations of Y channel into UV channel by reversible data hiding.
- Reduce adversarial perturbations by class activation map ...
AbstractRecent research on using adversarial perturbation to prevent malicious models from accessing image data has led to the corruption of image data, making images useless in other fields, especially in digital forensics. To prevent malicious models ...
Adversarial Attack against Modeling Attack on PUFs
DAC '19: Proceedings of the 56th Annual Design Automation Conference 2019The Physical Unclonable Function (PUF) has been proposed for the identification and authentication of devices and cryptographic key generation. A strong PUF provides an extremely large number of device-specific challenge-response pairs (CRP) which can ...
Comments
Information & Contributors
Information
Published In
May 2024
733 pages
ISBN:9798400704895
DOI:10.1145/3636534
- Chair:
- Weisong Shi,
- Program Chairs:
- Deepak Ganesan,
- Nicholas Lane
Copyright © 2024 Copyright is held by the owner/author(s). Publication rights licensed to ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 29 May 2024
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
- National Science Fundation
Conference
ACM MobiCom '24
Sponsor:
ACM MobiCom '24: 30th Annual International Conference on Mobile Computing and Networking
November 18 - 22, 2024
DC, Washington D.C., USA
Acceptance Rates
Overall Acceptance Rate 440 of 2,972 submissions, 15%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 506Total Downloads
- Downloads (Last 12 months)506
- Downloads (Last 6 weeks)178
Reflects downloads up to 12 Sep 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in