Adversarial Machine Learning for Flooding Attacks on 5G Radio Access Network Slicing

This effort is supported by the U.S. Army Research Office under contract W911NF-20-C-0055. The content of the information does not necessarily reflect the position or the policy of the U.S. Government, and no official endorsement should be inferred.


Abstract

Network slicing manages network resources as virtual resource blocks (RBs) for the 5G Radio Access Network (RAN). Each communication request comes with quality of experience (QoE) requirements such as throughput and latency/deadline, which can be met by assigning RBs, communication power, and processing power to the request. For a completed request, the achieved reward is measured by the weight (priority) of this request. Then, the reward is maximized over time by allocating resources, e.g., with reinforcement learning (RL). In this paper, we introduce a novel flooding attack on 5G network slicing, where an adversary generates fake network slicing requests to consume the 5G RAN resources that would be otherwise available to real requests. The adversary observes the spectrum and builds a surrogate model on the network slicing algorithm through RL that decides on how to craft fake requests to minimize the reward of real requests over time. We show that the portion of the reward achieved by real requests may be much less than the reward that would be achieved when there was no attack. We also show that this flooding attack is more effective than other benchmark attacks such as random fake requests and fake requests with the minimum resource requirement (lowest QoE requirement). Fake requests may be detected due to their fixed weight. As an attack enhancement, we present schemes to randomize weights of fake requests and show that it is still possible to reduce the reward of real requests while maintaining the balance on weight distributions.

I Introduction

5G promises unprecedented performance improvements in terms of rate, delay, and energy efficiency compared to 4G systems. An important design aspect towards this goal is resource allocation for network slicing that aims to multiplex and serve multiple virtualized and independent logical networks on the same physical network infrastructure of 5G [2, 1, 3]. 5G radio access network (RAN) employs network slicing to manage its resources as virtual resource blocks (RBs), e.g., an RB may correspond to a frequency band. Then, the network resource allocation problem can be simplified by considering how to allocate virtual RBs without the need to focus on the physical resources to support RBs. We consider a gNodeB that supports downlink communication requests from user equipments (UEs). A UE may generate requests with different Quality of Experience (QoE) requirements for different types of network slices such as Enhanced Mobile Broadband (eMBB), Massive Machine Type Communications (mMTC), and Ultra Reliable Low Latency Communications (URLLC). These QoE requirements are mapped to different requirements on RBs, as well as communication and processing powers at the gNodeB. Each request has its own priority (measured by a weight). If the gNodeB allocates resources to a request to meet its requirements, the reward is the weight of this request. If a request is not served, it is kept in a list of active requests until its deadline. This resource allocation approach aims to maximize the reward over time and can be used in near-real time RAN Intelligent Controller (Near-RT RIC) to support micro-service-based applications called xApps.

Since future requests are unknown, an online algorithm is needed to make decisions based on current network status and requests. Machine learning can be effectively applied to solve complex wireless optimization problems by learning from spectrum data [4]. In particular, deep learning was studied for network slicing in [5] for application and device specific identification and traffic classification, and in [6] for management of network load efficiency and network availability. As the training data may not be available, reinforcement learning (RL) was used for network slicing without requiring a prior model [8, 7, 9, 10, 11, 12]. In our setting, the RL approach learns a model to predict the future reward (the weight of selected requests) for each state (available resources) and each action (admission of requests), and determines over time the optimal action to maximize the expected future reward.

With the success of applying machine learning (ML) to network slicing problems, there are also security concerns, specifically due to attacks built upon adversarial ML. Adversarial ML studies the learning process in the presence of adversaries and expands the attack surface with new wireless attacks, e.g., exploratory (inference) attacks [13], evasion (adversarial) attacks [14, 15, 16, 17, 18], causative (poisoning) attacks [19], membership inference attacks [20], and Trojan attacks [21]. Recently, adversarial ML has been used to launch attacks on 5G, such as attacks on 5G spectrum sharing with incumbents and on 5G UE authentication [22], covert 5G communications [23], and an attack on 5G network slicing (where the adversary aims to manipulate the underlying RL algorithm) [24]. In this paper, we consider a flooding type of attack that has found applications in the networking domain, such as the TCP flooding attack. For network slicing, we formulate the flooding attack as the case where an adversary generates fake requests to consume network resources. This attack cannot be detected by simply monitoring the reward, since the gNodeB can still achieve a large reward as in the case of no attack. However, a great portion of this reward is associated with fake requests, and the reward from real requests is much less than that without the attack. Compared to conventional jamming, the flooding attack is stealthier and more energy-efficient (especially for downlink traffic), since it only requires the adversary to send requests and ACKs without the need for long transmissions.

The design challenge of the flooding attack is how to generate fake requests for resources. Without any limitation, the adversary could generate many requests to maximize its impact, but it would be easily detected and blocked. Thus, we assume an upper bound on the number of fake requests. The adversary needs to carefully design its requests for network resources and rewards such that the impact of these requests is maximized. For that purpose, we design an RL solution for the adversary that uses network resources as the state, the generated fake requests as the action, and the reward achieved by fake requests as the reward for RL. This solution aims to maximize the total reward of fake requests over time, which in turn minimizes the remaining reward for real requests. We show that this flooding attack reduces the reward for real requests significantly more than two benchmark attacks, namely random fake requests and fake requests with the lowest QoE requirement (or minimum resource requirement). Although we mainly launch the flooding attack on an RL based network slicing scheme, we show that it can also target other network slicing schemes such as myopic, first come first served (FCFS), or random selection.

The best strategy (in terms of minimizing the reward of real requests) is to generate fake requests with large weights, but they may be easily detected by checking their weights over time. To overcome this defense, we design attack schemes with variable weights and show that we can set a close to uniform weight distribution on fake requests such that they cannot be easily detected based on their weights and the reward of real requests can still be reduced significantly.

The rest of the paper is organized as follows. Section II describes the resource allocation schemes for network slicing. Section III presents the flooding attack that aims to minimize the gNodeB’s performance for real communication requests. Section IV evaluates the attack performance under different settings and designs. Section V concludes this paper.

II Resource Allocation for Network Slicing

Fig. 1: System model for the attack on 5G network slicing.

Resource allocation for network slicing can be optimized by RL. We follow the RL approach in [11] as an example. Fig. 1 shows multiple 5G UEs sending requests over time with different rate, processing power, latency (deadline) and lifetime requirements and priority weights. The 5G gNodeB selectively serves some of these requests competing for resources. If a request is selected, resources are allocated to meet its requirements. Otherwise, it is kept in a waiting list until its deadline expires. The 5G gNodeB selects requests to maximize the reward, i.e., the total weight of served requests over a time period. An adversary launches the flooding attack by generating fake requests such that the total weight of served real requests over a time period is minimized. Denote the set of active requests (newly arrived requests and previously arrived requests that stay in the waiting list) at time $t$ as $\mathcal{A}(t)$. RBs, communication and processing powers are allocated to meet the requirements of admitted requests in $\mathcal{A}(t)$. The rate and processing power requirements of UE $i$ for its request $j$ are given by

\[
r_{ij}(t) \ge r_{ij}^{\min}\, x_{ij}(t), \qquad p_{ij}(t) \ge p_{ij}^{\min}\, x_{ij}(t), \tag{1}
\]

where $r_{ij}(t)$ is the achieved data rate, $r_{ij}^{\min}$ is the minimum required rate, $p_{ij}(t)$ is the assigned processing power, $p_{ij}^{\min}$ is the minimum required processing power (measured by the percentage of CPU usage), and $x_{ij}(t) \in \{0,1\}$ is the binary indicator on whether UE $i$'s request $j$ is satisfied at time $t$. At any time, the total processing power assigned to selected requests is no more than the gNodeB's processing capacity. The rate $r_{ij}(t)$, measured in bps, depends on the assigned bandwidth and the modulation and coding scheme used for communications from the gNodeB to UE $i$, and is approximated as $r_{ij}(t) = c\, b_{ij}(t)\,(1 - e_{ij})$ [25], where $b_{ij}(t)$ is the number of allocated RBs, $e_{ij}$ is the bit error rate of UE $i$ for its request $j$, and the constant $c$ is determined by the modulation and numerology (e.g., for a single-antenna UE using QPSK modulation with the given subcarrier spacing and bandwidth). The constraints of RB assignments are

\[
\sum_{(i,j) \in \mathcal{A}(t)} b_{ij}(t) \le B(t), \tag{2}
\]

where $B(t)$ represents the number of available RBs at the gNodeB at time $t$ (resources that were assigned previously to some requests and have not yet been released are temporarily unavailable). By considering the optimization problem over a time horizon, the resources are updated from time $t$ to time $t+1$ as

\[
B(t+1) = B(t) + \sum_{f} \big( \rho_f(t) - \alpha_f(t) \big), \tag{3}
\]

where $\rho_f(t)$ and $\alpha_f(t)$ are the released and allocated resources on frequency $f$ at time $t$. Each request has a lifetime $l_{ij}$, and if it is selected at time $t_0$ (namely, the service starts at time $t_0$), this request will end at time $t_0 + l_{ij}$. The released and allocated resources at time $t$ are given by

\[
\rho_f(t) = \sum_{(i,j) \in \mathcal{E}(t)} b_{ij,f}(t), \qquad \alpha_f(t) = \sum_{(i,j) \in \mathcal{A}(t)} b_{ij,f}(t)\, x_{ij}(t), \tag{4}
\]

respectively, where $\mathcal{E}(t)$ denotes the set of requests ending at time $t$ and $b_{ij,f}(t) \in \{0,1\}$ indicates whether frequency $f$ is allocated to UE $i$'s request $j$ (so that $b_{ij}(t) = \sum_f b_{ij,f}(t)$). Then, the optimization problem is given by

\[
\max_{x,\, b}\ \sum_{t} \sum_{(i,j) \in \mathcal{A}(t)} w_{ij}\, x_{ij}(t) \tag{5}
\]

subject to (1)–(4), where $w_{ij}$ is the weight of UE $i$'s request $j$, reflecting its priority. Without knowing future requests, a model-free RL algorithm solves (5) by making decisions with an online learned policy that determines an action for the current state of the gNodeB. In this paper, we consider Q-learning from [11]. The reward at time $t$ is $w_{ij}$ if UE $i$'s request $j$ is satisfied, i.e., $x_{ij}(t) = 1$. Actions assign resources to each request at time $t$, and multiple actions can be taken at the same time instance if there are sufficient resources. The state at time $t$ consists of the remaining RBs and the remaining communication and processing powers. By (3)-(4), the state transition at time $t+1$ is driven by allocating resources to requests granted at time $t$ and releasing resources once the lifetimes of some active services expire. Note that the flooding attack can also be launched on other network slicing schemes. We consider the following schemes for comparison purposes. The myopic scheme aims to maximize the reward for the current time (without considering future rewards). The FCFS scheme allocates resources based on the arrival time of requests. The random scheme allocates resources to randomly selected requests.
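To make the scheme concrete, the following is a minimal Python sketch of such a tabular Q-learning admission policy. The class name `QSlicer` and the state encoding (free RBs, requested RBs, weight) are illustrative simplifications, not the exact design of [11], which also tracks communication and processing powers in the state.

```python
import random
from collections import defaultdict

class QSlicer:
    """Tabular Q-learning for request admission (illustrative sketch)."""

    def __init__(self, alpha=0.1, gamma=0.9, eps=0.1):
        self.alpha, self.gamma, self.eps = alpha, gamma, eps
        self.Q = defaultdict(float)  # maps (state, action) -> value estimate

    def act(self, state):
        # State: (free RBs, RBs requested, weight); action: 1 = grant, 0 = defer.
        free_rbs, req_rbs, _weight = state
        if req_rbs > free_rbs:
            return 0                          # infeasible request: must defer
        if random.random() < self.eps:
            return random.choice((0, 1))      # epsilon-greedy exploration
        return max((0, 1), key=lambda a: self.Q[state, a])

    def update(self, state, action, reward, next_state):
        # Q(s,a) <- Q(s,a) + alpha * (r + gamma * max_a' Q(s',a') - Q(s,a))
        best_next = max(self.Q[next_state, a] for a in (0, 1))
        self.Q[state, action] += self.alpha * (
            reward + self.gamma * best_next - self.Q[state, action])
```

The baseline schemes simply drop the learned value: the myopic scheme grants the feasible requests with the largest immediate weights, FCFS grants feasible requests in arrival order, and the random scheme grants feasible requests uniformly at random.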

III Reinforcement Learning based Flooding Attack for Network Slicing

An adversary attacks the 5G RAN network slicing by generating fake requests for network slices. If these fake requests are selected and network resources are allocated to them, fewer resources will be left for real requests from legitimate users. As a consequence, although a gNodeB may still achieve a high reward for many granted requests, the actual reward corresponding to real requests may be a small portion of it. We consider a practical constraint that the adversary has a limited rate of generating fake requests to avoid being detected. In particular, we can set the same rate of request generation for the adversary and legitimate users. Thus, it is important for the adversary to generate fake requests with two objectives:

  • Objective 1: fake requests are satisfied (namely, resources are allocated to them) with high probability.

  • Objective 2: fake requests occupy resources in a way that real requests cannot be satisfied due to the unavailability of resources.

For the first objective, a fake request should ask for a smaller portion of resources (to avoid being rejected due to insufficient resources) and have the maximum reward (to have high priority). For the second objective, a fake request should consume the majority of the resources such that the remaining resources are not sufficient for real requests. Thus, the ideal setting on weights in fake requests is the maximum weight while the required resource should not be too large (to ensure that a fake request can be satisfied) or too small (to ensure that a significant portion of the total resources can be occupied by fake requests). Therefore, the key step in the flooding attack is determining resources to be specified by fake requests.

The resources include the number of available RBs, the remaining processing power (memory), and the remaining communication (transmit) power. The adversary may sense the spectrum and aim to detect available RBs. However, it cannot know the remaining processing and communication powers. There is no need to consume all of these resources to prevent serving real requests, since a request cannot be satisfied if any of its resource requirements is not met. Thus, the adversary can request minimum processing and communication powers such that its requests will not be rejected due to the lack of these resources. On the other hand, the adversary needs to determine RB requirements in its requests. To make decisions, we design a Q-learning algorithm for the adversary as follows.

  • The state is the number of available RBs.

  • The action is to select how many RBs to request in a fake request ($0$ means that no request is made). The number of potential actions is $B + 1$, where $B$ is the number of available RBs.

  • The reward is the number of served fake requests (or the total reward of served fake requests).

The Q-table maps each (state, action) pair to a reward estimate. To initialize this table, entries are set based on whether the corresponding action generates a fake request or not. The adversary applies Q-learning to update this table and takes actions based on it. The adversary generates a fake request only if the rate of fake requests so far is below the expected rate, which can be set equal to the rate of real requests from (legitimate) users. Under the flooding attack, we measure both the total reward (including the reward for both real and fake requests) and the real reward (including the reward for real requests only).
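A matching sketch of the adversary's learner follows, under the assumptions stated above (sensed free RBs as the state, requested RBs as the action, served weight as the reward); the class name `FloodingAdversary` and the rate-budget bookkeeping are our illustrative additions.

```python
import random
from collections import defaultdict

class FloodingAdversary:
    """Q-learning attacker deciding how many RBs each fake request asks for."""

    def __init__(self, num_rbs, target_rate, alpha=0.1, gamma=0.9, eps=0.1):
        self.num_rbs = num_rbs          # total RBs in the system
        self.target_rate = target_rate  # cap on fake requests per slot
        self.sent = 0                   # fake requests generated so far
        self.alpha, self.gamma, self.eps = alpha, gamma, eps
        self.Q = defaultdict(float)     # (sensed free RBs, requested RBs) -> value

    def act(self, free_rbs, slot):
        # Stay at or below the rate of real requests to avoid detection.
        if self.sent >= self.target_rate * (slot + 1):
            return 0                    # action 0: no fake request this slot
        actions = list(range(free_rbs + 1))
        if random.random() < self.eps:
            action = random.choice(actions)
        else:
            action = max(actions, key=lambda a: self.Q[free_rbs, a])
        if action > 0:
            self.sent += 1
        return action

    def update(self, free_rbs, action, served_weight, next_free_rbs):
        # Reward: the weight of the fake request if the gNodeB served it, else 0.
        best_next = max(self.Q[next_free_rbs, a] for a in range(self.num_rbs + 1))
        self.Q[free_rbs, action] += self.alpha * (
            served_weight + self.gamma * best_next - self.Q[free_rbs, action])
```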

Iv Performance Evaluation

Suppose that the gNodeB receives requests from three UEs. For each UE, requests arrive at a rate of $0.5$ per slot, and the adversary also generates fake requests at this rate. Here, a slot corresponds to one time block, whose duration is set by the 5G NR numerology (subcarrier spacing). For each request, the weight is randomly assigned from $\{1, \dots, 5\}$, and the lifetime and deadline (both in slots) are randomly assigned. The signal-to-noise ratio (SNR) of each UE is selected randomly (see Table IX for low, medium, and high SNR levels). The available spectrum is split into frequency bands such that there are $B = 11$ RBs. In addition to the Q-learning-based attack, we also consider the case of no attack and two benchmark attacks:

  • Random attack: The adversary generates fake requests with random requirements on RBs.

  • Minimum resource (MinRes) attack: The adversary generates fake requests with the lowest QoE requirement, which in turn requires the minimum number of RBs, i.e., always one RB is required.
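For reference, the two benchmarks reduce to simple request generators. A hedged sketch, assuming a (requested RBs, weight) tuple per fake request and the maximum weight of 5 (weight randomization is introduced later):

```python
import random

W_MAX = 5  # maximum priority weight (weights range over 1..5 in the evaluation)

def random_attack(free_rbs):
    # Random attack: uniformly random RB requirement (capped by sensed free RBs).
    return (random.randint(1, max(free_rbs, 1)), W_MAX)

def minres_attack(free_rbs):
    # MinRes attack: lowest QoE requirement, i.e., always a single RB.
    return (1, W_MAX)
```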

Algorithm Total reward Real reward
Q-learning 2593 523
MinRes 2769 614
Random 1905 1630
No attack 1783 1783
TABLE I: Performance comparison of flooding attack using Q-learning and other attack schemes.

We assume that the adversary launches its attack (Q-learning, MinRes, or Random) over a fixed number of slots, and the no-attack benchmark is run over the same horizon; the achieved reward is measured over the last portion of the run. For network slicing, we first consider the RL based scheme. Table I shows the performance of different attacks and the case of no attack. If there is no attack, i.e., all requests are real, the total reward and the real portion of it are the same. All attacks increase the total reward, since there are additional fake requests with high reward, but the real portion of the reward is less than the total (all real) reward achieved under no attack. The random attack does not work well and only slightly reduces the real reward (from $1783$ to $1630$). The MinRes attack always generates fake requests with the minimum required resource. Although this increases the probability of being selected by the gNodeB for service, the occupied resource is also minimized. Hence, it significantly reduces the real reward to $614$, but it is not as effective as the Q-learning attack, which reduces the real reward to $523$.

We also measure the total weight of all fake requests generated under the Q-learning attack against the total weight of the served fake requests ($2593 - 523 = 2070$ by Table I): most of the fake requests are served and occupy resources, so the Q-learning attack is efficient in terms of the ratio between served and generated requests. In contrast, only a small portion of the total weight requested by real requests is actually served ($523$) under the Q-learning attack, showing that the flooding attack is highly successful.

Network slicing scheme No attack Total reward under attack Real reward under attack
Q-learning 1786 2593 523
Myopic 1422 2408 653
FCFS 1416 2369 429
Random 1318 2363 483
TABLE II: Performance comparison of different network slicing schemes under the flooding attack.

This flooding attack can be launched against other network slicing schemes including the myopic, FCFS, and random schemes described in Section II. Table II shows that the (reward) performance of all these schemes drops significantly under the flooding attack. In particular, the FCFS and random schemes perform worse than the Q-learning based scheme regardless of whether there is a flooding attack or not. One interesting result is that the myopic scheme performs worse than the Q-learning based scheme when there is no attack, but under the flooding attack the myopic scheme achieves a better real reward, namely $653$, compared to the $523$ achieved by the Q-learning based scheme. The reason is that the Q-learning based scheme aims to maximize the expected total reward, including both current and future reward. When there are fake requests with high rewards, the Q-learning algorithm tends not to allocate resources to real requests if their reward is not high. The myopic scheme does not have this issue since it only considers the current reward.

The flooding attack that we consider so far generates fake requests with the maximum weight to maximize the probability that they are selected by the gNodeB. A defense scheme may detect the increase in weights of network slicing requests. Against such a defense, we extend the flooding attack with the following schemes to increase randomness of weights.

  • Random weight (RW): Weights in fake requests are uniformly randomly assigned.

  • Non-uniform weight (NUW): The flooding attack is most effective when the remaining resources are small, since any occupation by fake requests may make the remaining resources insufficient for real requests. Thus, the adversary generates more fake requests with large weights when the remaining resources are small, and more fake requests with small weights otherwise. These non-uniform distributions are selected such that the overall weight distribution remains uniform, i.e., $\frac{1}{B}\sum_{b=1}^{B} p_w(b) = \frac{1}{W}$ for each weight $w$, where $B$ is the number of total available RBs, $p_w(b)$ is the probability that the weight is $w$ when the number of remaining RBs is $b$, and $W$ is the number of different weights. One such distribution is shown in Table III (a numerical check follows the table).

    b \ w 1 2 3 4 5
    1 0.5 0.4 0.1 0 0
    2 0.5 0.4 0.1 0 0
    3 0.4 0.4 0.2 0 0
    4 0.4 0.4 0.2 0 0
    5 0.2 0.3 0.4 0.1 0
    6 0.2 0.2 0.2 0.2 0.2
    7 0 0.1 0.4 0.3 0.2
    8 0 0 0.2 0.4 0.4
    9 0 0 0.2 0.4 0.4
    10 0 0 0.1 0.4 0.5
    11 0 0 0.1 0.4 0.5
    TABLE III: Distribution of weights in fake network slicing requests (rows: number of remaining RBs $b$; columns: weight $w$).
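As a sanity check, the short script below verifies that the Table III distribution averages to the uniform distribution $1/W = 0.2$ over weights, under the assumption that each remaining-RB value $b$ is weighted equally; the same check with target $1/2$ on weights 4 and 5 applies to Table IV.

```python
# Rows: b = 1..11 remaining RBs; columns: weights w = 1..5 (values from Table III).
table_iii = [
    [0.5, 0.4, 0.1, 0.0, 0.0],
    [0.5, 0.4, 0.1, 0.0, 0.0],
    [0.4, 0.4, 0.2, 0.0, 0.0],
    [0.4, 0.4, 0.2, 0.0, 0.0],
    [0.2, 0.3, 0.4, 0.1, 0.0],
    [0.2, 0.2, 0.2, 0.2, 0.2],
    [0.0, 0.1, 0.4, 0.3, 0.2],
    [0.0, 0.0, 0.2, 0.4, 0.4],
    [0.0, 0.0, 0.2, 0.4, 0.4],
    [0.0, 0.0, 0.1, 0.4, 0.5],
    [0.0, 0.0, 0.1, 0.4, 0.5],
]
B, W = len(table_iii), 5
for w in range(W):
    marginal = sum(row[w] for row in table_iii) / B
    assert abs(marginal - 1.0 / W) < 1e-9  # each weight has overall mass 1/5
```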
  • Non-uniform high weight (NUHW): We limit the weights in fake requests to a high value, namely $4$ or $5$, and choose non-uniform distributions such that $\frac{1}{B}\sum_{b=1}^{B} p_w(b) = \frac{1}{2}$ for $w = 4$ or $5$. One such distribution is shown in Table IV.

    b \ w 1 2 3 4 5
    1 0 0 0 1 0
    2 0 0 0 0.9 0.1
    3 0 0 0 0.9 0.1
    4 0 0 0 0.8 0.2
    5 0 0 0 0.8 0.2
    6 0 0 0 0.5 0.5
    7 0 0 0 0.2 0.8
    8 0 0 0 0.2 0.8
    9 0 0 0 0.1 0.9
    10 0 0 0 0.1 0.9
    11 0 0 0 0 1
    TABLE IV: Distribution of high weights in fake network slicing requests (rows: number of remaining RBs $b$; columns: weight $w$).
  • Random high weight (RHW): Weights in fake requests are randomly assigned as $4$ or $5$.

  • Adjusted weight (AW): The adversary adjusts weights dynamically based on whether a fake request is selected or not. If a fake request is selected, the adversary wants another fake request to be selected to occupy resources; otherwise, there is no such need. Thus, the weight in requests should be increased (bounded by the largest weight) if a fake request is selected, and decreased (bounded by the smallest weight) otherwise. We consider three adjustment approaches (sketched in code after this list).

    • Adjusted 1: increase the weight in fake requests by 1 if a fake request is selected or decrease it by 1 otherwise,

    • Adjusted 2: increase the weight in fake requests to the maximum value if a fake request is selected or decrease it by 1 otherwise, or

    • Adjusted 3: set a probability for reducing the weight in fake requests by 1 if a fake request is not selected.
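A compact sketch of the three adjustment rules, assuming integer weights in $\{1, \dots, 5\}$; the increase step used by Adjusted 3 when a fake request is served is not specified above and is filled in here (as in Adjusted 1) as an assumption:

```python
import random

W_MIN, W_MAX = 1, 5  # weight range assumed in the evaluation

def adjusted_1(w, selected):
    # Increase by 1 if the last fake request was served, else decrease by 1.
    return min(w + 1, W_MAX) if selected else max(w - 1, W_MIN)

def adjusted_2(w, selected):
    # Jump to the maximum weight if served, else decrease by 1.
    return W_MAX if selected else max(w - 1, W_MIN)

def adjusted_3(w, selected, p_reduce):
    # Decrease by 1 only with probability p_reduce when not served.
    if selected:
        return min(w + 1, W_MAX)       # assumption: same increase as Adjusted 1
    return max(w - 1, W_MIN) if random.random() < p_reduce else w
```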

Table V shows results for these attack extensions. First, since the adversary aims to sustain a uniform distribution over the different weights in its requests, the probability of a fake request being selected is reduced, and thus the real reward under all these attacks is larger than in the previous attack case where the weight in fake requests is set to the maximum value. We then check each attack scheme. Under the flooding attack with RW, the real reward is $1161$. The real reward achieved under the flooding attack with NUW is $1008$, which is still much higher than the real reward when we fix the weight at its maximum value. To improve the performance, we can limit the weights in fake requests to $4$ or $5$. The real reward under the flooding attack with RHW is $828$, and under the flooding attack with NUHW it is $677$, which is close to the $523$ achieved when we fix the weight at its maximum. For the flooding attack with AW, Adjusted 1 yields a real reward of $1417$, which is high, as most weights for fake requests end up selected as $1$. When Adjusted 2 is used, the real reward becomes $1008$, and we find that the resulting distribution of weights is almost uniform. When we use Adjusted 3 with the reduction probability chosen to yield an approximately uniform weight distribution in fake requests, the achieved real reward is $1146$. Overall, the flooding attack can reduce the real reward significantly while keeping a close to uniform weight distribution, such that it is difficult to detect fake requests by checking their weights.

Algorithm Total reward Real reward
Maximum weight 2593 523
RW 2328 1161
NUW 2597 1008
RHW 2621 828
NUHW 2689 677
Adjusted 1 1798 1417
Adjusted 2 2389 1008
Adjusted 3 2245 1146
TABLE V: Performance of attack extensions with different weights in fake requests.

Next, we check the effect of system parameters on the flooding attack performance. Table VI shows the results when we vary the generation rate of fake requests, $\lambda$. The total reward first increases with $\lambda$ due to the high reward of fake requests, while the real reward decreases due to the increasing portion of fake requests. For $\lambda \ge 0.5$ requests per slot, the total reward does not change significantly, i.e., $\lambda = 0.5$ is already sufficient for an effective attack.

$\lambda$ Total reward Real reward
0 1783 1783
0.1 2077 1587
0.2 2327 1352
0.3 2512 1032
0.4 2605 700
0.5 2593 523
0.6 2620 440
0.7 2612 372
TABLE VI: The effect of the generation rate of fake requests, $\lambda$.

Table VII shows the results when we vary the number of RBs, $B$. The reward when there is no attack first increases with $B$ due to more RBs, and then fluctuates within a certain range due to randomness in the limited number of user requests. The total reward under attack shows the same trend. The real reward under attack first decreases with $B$ and then stays within a certain range. To understand the trend better, we assess the ratio between the real reward under attack and the reward when there is no attack. As $B$ increases, this ratio first decreases, since a fake request can occupy more RBs, and then stays within a certain range since (i) the number of fake requests is limited and (ii) there is some randomness in the generated fake requests.

$B$ No attack Total reward under attack Real reward under attack Ratio (%)
5 1526 2133 858 56.23
6 1605 2285 805 50.16
7 1786 2477 737 41.27
8 1730 2596 646 37.34
9 1870 2619 609 32.57
10 1902 2644 604 31.76
11 1783 2593 523 29.33
12 2018 2723 528 26.16
13 1964 2677 577 29.38
14 1987 2661 506 25.47
15 1899 2708 573 30.17
TABLE VII: The effect of the number of RBs, $B$.

Table VIII shows the results when we vary the number of users. As the number of users increases, the reward when there is no attack increases due to more requests to be selected for service. The total reward and the real reward under attack show the same trend. When the number of users is large, the total reward under attack is less than the reward when there is no attack. The reason is that the adversary generates fake requests with a non-minimum number of RBs, while with many users it is likely that there are real requests with the same reward and the minimum number of RBs; then, the total reward obtained by selecting some fake requests may be less than that of not selecting fake requests. The ratio of the real reward to the reward under no attack increases with the number of users, due to more real requests competing with fake requests.

Users No attack Total reward under attack Real reward under attack Ratio (%)
3 1783 2593 523 29.33
4 2239 2717 652 29.12
5 2306 2749 709 30.75
6 2681 2856 955 35.62
7 2592 2850 890 34.34
8 2865 2854 954 33.30
9 2896 2859 1029 35.53
10 3108 2918 1108 35.65
20 3540 3065 1480 41.81
50 3859 3360 2100 54.42
TABLE VIII: The effect of the number of users.

Table IX shows the results when we vary the SNR for users. By increasing the SNR, all rewards (real or total) increase with and without flooding attack. In particular, the ratio of real reward over the reward under no attack increases due to better channels available for users. In this case, it is easier to serve a real request by meeting rate requirements, i.e., it is more challenging for the attack to deny service to a real request by consuming resources.

SNR No attack Total reward under attack Real reward under attack Ratio (%)
low 1557 2436 286 18.37
medium 1783 2593 523 29.33
high 1900 2695 625 32.89
TABLE IX: The effect of the SNR for users.

Finally, we evaluate the effect of the adversary's observation errors on available RBs, in terms of false alarms (available RBs are detected as unavailable) and misdetections (unavailable RBs are detected as available). We find that this effect is not significant: even for large sensing error probabilities, the change in the real reward is small. Hence, the flooding attack is not very sensitive to errors in spectrum sensing.
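For completeness, sensing errors can be injected into the adversary's observed state along the following lines; the function and parameter names (`observe_free_rbs`, `p_fa`, `p_md`) are ours, matching the false alarm and misdetection definitions above.

```python
import random

def observe_free_rbs(true_free, true_busy, p_fa, p_md):
    # False alarm: an available RB is sensed as unavailable with probability p_fa.
    seen = sum(1 for _ in range(true_free) if random.random() > p_fa)
    # Misdetection: an unavailable RB is sensed as available with probability p_md.
    seen += sum(1 for _ in range(true_busy) if random.random() < p_md)
    return seen
```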

V Conclusion

We presented a flooding attack on 5G RAN slicing, where an adversary generates fake network slicing requests to consume available resources and thus minimize the reward for real requests. We developed an RL based attack to generate fake requests and showed it is more effective than generating fake requests randomly or with minimum resource requirement. Although we focused on attacking an RL based network slicing scheme, we showed that the flooding attack is effective against other network slicing schemes. We also designed weight distribution schemes such that fake requests cannot be detected by their weights, and showed that using a close to uniform distribution for weights can still reduce the real portion of the reward significantly. Overall, our results indicate that 5G RAN slicing is highly vulnerable to flooding attacks and the reward of real requests can be significantly reduced by starving the available resources with fake requests.


References

  1. X. Foukas, G. Patounas, A. Elmokashfi, and M. K. Marina, “Network slicing in 5G: Survey and challenges,” IEEE Communications Magazine, May 2017.
  2. A. Kaloxylos, “A survey and an analysis of network slicing in 5G networks,” IEEE Communications Standards Magazine, Apr. 2018.
  3. S. D’Oro, F. Restuccia, A. Talamonti, and T. Melodia, “The slice is served: Enforcing radio access network slicing in virtualized 5G systems,” IEEE INFOCOM, 2019.
  4. T. Erpek, T. O’Shea, Y. E. Sagduyu, Y. Shi, and T. C. Clancy, “Deep learning for wireless communications,” Development and Analysis of Deep Learning Architectures, Springer, 2019.
  5. A. Nakao, and P. Du, “Toward in-network deep machine learning for identifying mobile applications and enabling application specific network slicing,” IEICE Transactions on Communications, 2018.
  6. A. Thantharate, R. Paropkari, V. Walunj, C. Beard, “DeepSlice: A deep learning approach towards an efficient and reliable network slicing in 5G networks,” IEEE UEMCON, 2019.
  7. R. Li, Z. Zhao, Q. Sun, C.-L. I, C. Yang, X. Chen, M. Zhao, and H. Zhang, “Deep reinforcement learning for resource management in network slicing,” IEEE Access, Nov. 2018.
  8. J. Koo, M. R. Rahman, V. B. Mendiratta, and A. Walid, “Deep reinforcement learning for network slicing with heterogeneous resource requirements and time varying traffic dynamics,” arXiv preprint arXiv:1908.03242, 2019.
  9. H. Wang, Y. Wu, G. Min, J. Xu, and P. Tang, “Data-driven dynamic resource scheduling for network slicing: A deep reinforcement learning approach,” Information Sciences, 2019.
  10. Z. Xu, Y. Wang, J. Tang, J. Wang, and M. C. Gursoy, “A deep reinforcement learning based framework for power-efficient resource allocation in cloud RANs,” IEEE ICC, 2017.
  11. Y. Shi, Y. E. Sagduyu, and T. Erpek, “Reinforcement learning for dynamic resource optimization in 5G radio access network slicing,” IEEE CAMAD, 2020.
  12. A. Nassar and Y. Yilmaz, “Deep reinforcement learning for adaptive network slicing in 5G for intelligent vehicular systems and smart cities,” arXiv preprint arXiv:2010.09916, 2020.
  13. T. Erpek, Y. E. Sagduyu, and Y. Shi, “Deep learning for launching and mitigating wireless jamming attacks,” IEEE Transactions on Cognitive Communications and Networking, Mar. 2019.
  14. M. Sadeghi and E. G. Larsson, “Adversarial attacks on deep-learning based radio signal classification,” IEEE Communications Letters, Feb. 2019.
  15. M. Z. Hameed, A. Gyorgy, and D. Gunduz, “The best defense is a good offense: Adversarial attacks to avoid modulation detection,” IEEE Transactions on Information Forensics and Security, Sept. 2020.
  16. B. Kim, Y. E. Sagduyu, K. Davaslioglu, T. Erpek, and S. Ulukus, “Over-the-air adversarial attacks on deep learning based modulation classifier over wireless channels,” IEEE CISS, 2020.
  17. B. Kim, Y. E. Sagduyu, K. Davaslioglu, T. Erpek, and S. Ulukus, “Channel-aware adversarial attacks against deep learning-based wireless signal classifiers,” arXiv preprint arXiv:2005.05321, 2020.
  18. B. Kim, Y. E. Sagduyu, K. Davaslioglu, T. Erpek, and S. Ulukus, “Adversarial attacks with multiple antennas against deep learning-based modulation classifiers,” IEEE GLOBECOM, 2020.
  19. Y. E. Sagduyu, T. Erpek, and Y. Shi, “Adversarial deep learning for over-the-air spectrum poisoning attacks,” IEEE Transactions on Mobile Computing, Feb. 2021.
  20. Y. Shi, K. Davaslioglu, and Y. E. Sagduyu, “Over-the-air membership inference attacks as privacy threats for deep learning-based wireless signal classifiers,” ACM WiseML, 2020.
  21. K. Davaslioglu and Y. E. Sagduyu, “Trojan attacks on wireless signal classification with adversarial machine learning,” IEEE DySPAN, 2019.
  22. Y. E. Sagduyu, T. Erpek, and Y. Shi, “Adversarial machine learning for 5G communications security,” arXiv preprint arXiv:2101.02656, 2021.
  23. B. Kim, Y. E. Sagduyu, K. Davaslioglu, T. Erpek, and S. Ulukus, “How to make 5G communications “invisible”: adversarial machine learning for wireless privacy,” Asilomar Conf. Sig., Sys. and Comp., 2020.
  24. Y. Shi, Y. E. Sagduyu, T. Erpek, and M. C. Gursoy, “How to attack and defend 5G radio access network slicing with reinforcement learning,” arXiv preprint arXiv:2101.05768, 2021.
  25. 3GPP TS 38.306: “NR; User Equipment (UE) radio access capabilities”.