Adversarial Attacking and Defensing Modulation Recognition With Deep Learning in Cognitive-Radio-Enabled IoT

Modulation recognition using deep learning (DL) can efficiently recognize modulated signals in cognitive radio-enabled Internet of Things (IoT). However, it is vulnerable to the attack of adversarial examples designed by attackers, leading to a decrease in its accuracy. Different adversarial techniques can be used for attacks, but these attacks have limited efficiency. This article proposes a double loop iterative method. Different from the traditional attack methods, the new method designs an additional external loop iteration for high efficiency. When generating adversarial examples, the initial conditions of each iteration can be updated as the number of iterations changes, so that the adversarial examples can cross the decision boundary of the model as much as possible. In addition, this article uses knowledge distillation to improve the traditional adversarial training defense, which improves the robustness of the model. Simulation results show that the proposed attack and defense methods have better performance than traditional methods.

can help devices adaptively switch between different frequency bands and channels, avoid wasting and interfering with spectrum resources, and improve communication efficiency and reliability among IoT devices. Modulation recognition is used to identify the communication parameters and modulation modes of primary users to alleviate the shortage of spectrum resources, as an important part of CR.
Traditional modulation recognition methods are based on maximum likelihood estimation and statistical pattern recognition, but they are heavily dependent on the prior knowledge of the signal and artificial feature extraction with low accuracy. In recent years, deep learning (DL) has been gradually applied to automatic modulation recognition [5], [6], [7], [8], [9], [10], [11]. Compared with the traditional modulation recognition methods, the modulation recognition model based on deep neural network (DNN) can effectively extract the characteristics of modulation signals with higher recognition speed and accuracy.
Although DL can automatically extract the features of the signals to recognize them, it still remains unknown how it learns, which makes it less interpretable and the DNN model less secure and more vulnerable to attack. Szegedy et al. [12] pointed out that adversarial examples generated by adding carefully designed subtle perturbations to the clean examples can significantly reduce the accuracy of the classifier. Adversarial examples are obtained by adding adversarial perturbations with strong camouflage to clean examples, which can deceive and mislead the recognition model to classify signals incorrectly. An early explanation of why DL is easy to attack was its highly nonlinear nature. Goodfellow et al. [13] proposed the fast gradient sign method (FGSM) to attack the convolutional neural network (CNN) classifier. Later, Kurakin et al. [14] improved FGSM and proposed an iterative FGSM called the basic iterative method (BIM), which divides the perturbation size in FGSM into multiple segments and iteratively generates adversarial examples. Madry et al. [15] added a projection step to BIM, randomly initializing the example under norm constraints, and proposed the projected gradient descent method (PGD). In order to improve the stability of iteration and the generalization of adversarial examples, Dong et al. [16] introduced momentum into the iterative attack and proposed the momentum iterative method (MIM). Zhang et al. [17] explained the transfer characteristics of adversarial examples between different target models, and generated adversarial examples with strong transferability through principal component analysis (PCA). Adversarial attacks were originally proposed for images, and now have achieved fruitful research results in computer vision and other related fields. For example, in the field of autonomous driving, Xiong et al. [18] proposed two multisource adversarial example attack models, which successfully attacked the image and lidar sensing system in autonomous vehicles. Lv et al. [19] proposed an adversarial attack method based on the incremental learning for unmanned driving, and achieved a higher attack success rate. However, there are very few studies on adversarial attacks in wireless communication, where the wireless network using DNN is also vulnerable to attacks. In order to improve the robustness of the wireless network model by using adversarial examples, some researchers introduced adversarial attacks into the modulation recognition. Lin et al. [20] verified the effectiveness of some gradient-based adversarial attacks on the automatic modulation recognition model, and pointed out that attacks can significantly reduce the accuracy of the target model. Qi et al. [21] proposed a detection-tolerant black-box method to attack the modulation classifier and improve the transferability of adversarial attack. Kim et al. [22] proposed a channel-aware adversarial attack against classifiers, which shows the vulnerability of classifiers by considering information about channels, transmitter inputs, and classifier models. Liu et al. [23] introduced an interference waveform into spectrum sensing systems for data poisoning attack, which significantly reduces the sensing accuracy. Moreover, to counteract common adversarial attacks, researchers have developed some defense mechanisms that can ensure the security of wireless communications. Zhang et al. [24] studied a defense method based on training time and running time, which protected the modulation signal classifier based on machine learning from malicious attacks by attackers. Hameed et al. [25] proposed a secure wireless communication method that can prevent the attacker from detecting the correct modulation category, which enhances the security of communication between transmitter and receiver. In addition, researchers have pointed out that most of the defense methods proposed in recent years, including active defense and passive defense, can only deal with specific attacks and are difficult to effectively respond to new types of attacks [26], [27], [28].
2327-4662 © 2023 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.
This article examines the attack performance of several traditional attack methods and the defense performance
Section II introduces the system model of adversarial attack on CR and the traditional adversarial attack methods. In Section III, an attack algorithm based on double loop iteration is proposed. In Section IV, knowledge distillation is introduced into AT to enhance the robustness of simple models. In Section V, the feasibility and effectiveness of the proposed attack and defense from multiple aspects are shown via simulation results. Section VI summarizes this article.

A. Wireless Model
In IoT, the adversarial attack will severely affect the normal operation of the CR system by interfering with modulation recognition, thereby disrupting the reliable transmission of communication, as shown in Fig. 1.
From the attacker's point of view, the adversarial attack can be regarded as the act of disguising the modulation signal. The attacker generates an adversarial perturbation through the attack algorithm, adds it to the modulated signal to form an adversarial example, and transmits it to the target receiver. After receiving the adversarial example, the receiver will automatically identify the modulation type of the example, which may be exploited by the attacker to generate a wrong recognition result. Compared with adding noise to the signal, the example generated by the adversarial attack can maximize the classification loss of the target model, thus reducing the accuracy of the model. In addition, due to the transferability, some adversarial examples designed for the source model can also be used to attack other target models, which increases the risk of attack for other network models [29], [30].
The adversarial example x* refers to the example formed by deliberately adding the subtle perturbation η to the input x, which will cause the recognition model to make an incorrect prediction. In many cases, x* looks very similar to x, and human observers cannot notice the difference between them. Thus, the adversarial example can be denoted as When performing an untargeted attack, the goal is to maximize the loss between the prediction probability distribution of the recognition model for the constructed example and the true label of the original example, which can be expressed as max where ε represents the maximum value that the adversarial perturbation can reach under the norm constraint, L represents the loss of the target recognition model, l represents the true label of the original example x, and F(x) represents the composite operation between n_l different output layers of the recognition network model with and its output is the recognition probability distribution for the input x.
Although the loss maximization problem in (2) is difficult to solve, [13] linearizes the loss function near (x, l) to give The optimal solution to (4) is to maximize the twist in ε along the sign direction of the loss gradient ∇_x L to get In the adversarial attack, the norm can be used to uniformly regulate the range of perturbation generated by the attack algorithm, which is a constraint on the perturbation. The L_p norm of the perturbation η can be expressed as Common norms include L_0, L_2, and L_∞. For adversarial perturbation, L_0 represents the number of sampling points of nonzero perturbation, L_2 represents the Euclidean distance between examples before and after perturbation, and L_∞ represents the maximum value of perturbation at all sampling points. In the above attack, when there is a norm constraint ‖η‖_p ≤ ε for any p, the optimal solution of η can be generalized as (7) where q is the dual of p, and

B. Adversarial Attack Models
FGSM, BIM, PGD, and MIM are all attack methods using infinite norm, which generate adversarial examples under the constraint of L_∞ norm. They determine the direction of adversarial perturbation according to the loss gradient of the target model, and generate an adversarial example by adding a certain perturbation in this direction, thus attacking the model. For example, a trained model can correctly recognize an 8 phase shift keying (8PSK) signal as an 8PSK modulation type, but it will recognize the adversarial example generated by the attacker using the model information and the attack algorithm as another modulation type, as shown in Fig. 2.
1) FGSM: When generating an adversarial example, FGSM obtains the attack direction by calculating the loss gradient, and then adds a fixed step size in this direction as the adversarial perturbation level and adds it to the clean example. FGSM is extremely fast in generating adversarial examples because it does not require multiple iterations, but it cannot repeatedly query model parameters to enhance the attack performance. FGSM can be expressed as where ∇_x L represents the loss gradient of the target model for the input.
2) BIM: Compared with FGSM, BIM divides the direction and size of the adversarial examples into multiple segments, which solves the problem that FGSM cannot update examples by accessing the model multiple times. If the attack process contains N iterations, the iteration step is α = ε/N. BIM can be expressed as (10) where n represents the number of current iterations, and Clip_{x,ε}{·} denotes that the examples are restricted to [x − ε, x + ε]. Based on FGSM, BIM segments the overall perturbation level, which can increase the loss of the model by using the information of the target model in the iterative process of generating adversarial examples, but it increases the computational complexity.
3) PGD: On the basis of BIM, PGD adds a projection step to randomly initialize adversarial examples under norm constraint, and uses the initial point of noise to generate adversarial examples with stronger attack performance, which can be expressed as where S denotes the random perturbation introduced to the original examples under norm constraint.
4) MIM: By introducing the concept of momentum into adversarial attacks, MIM solves the problem of overfitting and local optimal solution in the optimization process, and has good aggression and generalization. MIM enhances the stability of the perturbation direction during the attack process by accumulating the loss gradient in the iterative process in a certain proportion, which can be expressed as where g_n represents the gradient accumulated during the iteration, and μ represents the attenuation coefficient of g_n.

C. Modulation Recognition
1) Data Set: In order to better study the effectiveness of adversarial attacks on CR, we select the RADIOML2016.10B data set designed by DeepSig [31] where I and Q are in-phase component and quadrature component, respectively, and f is the carrier frequency.
2) Target Model: In order to examine the effects of different attacks and highlight the performance of the proposed attack method, ResNet is selected as the target model. ResNet was proposed by He et al., using the "shortcut connection" method, which can easily extract the features of input examples and has been widely used in automatic recognition [32]. It uses the residual function to optimize the learning process, which makes it easy to deepen without  I.
Before training the network, we set the training batch and the initial learning rate to 1024 and 0.001, respectively, and set the learning rate as an automatic update mechanism to make the network converge faster. After 100 rounds of network training, the test set is input into the trained network to test its recognition accuracy.

III. DOUBLE LOOP ITERATIVE METHOD
In this section, we will propose a new method that takes advantage of double loop iteration for attacks.

A. Motivation
In multiclassification tasks, the cross-entropy loss is often used to optimize the model, which characterizes the difference between the predicted values of the model and the true labels of the inputs. The cross-entropy loss of the model during training can be expressed as where N_1 is the number of input signals, N_2 is the number of categories of signals, l_ij(x) is the true label of the input, and p_ij(x) is the prediction probability of the model.
For FGSM, BIM, PGD, and MIM, whether they use onestep iteration or multistep iteration to generate adversarial perturbation, all of them have only one loop iteration layer.They determine the perturbation direction by calculating the loss gradient of the target model, and add a fixed-size perturbation in this direction to generate an adversarial example to attack the target model.
However, in the process of iterative attack, the adversarial example generated by the direction and size of the adversarial perturbation may not be sufficient to make the loss of the model reach the threshold. If the examples generated by them after the iteration process cannot fool the classifier model, then the attack will fail. Therefore, we analyze how to improve the attack performance of the adversarial example by adjusting the direction and size of the perturbation in the following.

B. Double Loop Iterative Attack
In this article, we determine the local direction of iteration by the accumulation of momentum. By continuously accumulating the current and previous gradients, it can generate adversarial examples more stably, and these examples have strong transferability. The direction of iteration can be expressed as We provide the impact of the direction and size of perturbation on the model's prediction results in Proposition 1.
Proposition 1: The prediction result of the model for an adversarial example is where y_p is the predicted class of the model for the adversarial example, y_t is the true class, α is the size of the perturbation, g is the accumulated gradient used to determine the direction of the perturbation, and L_T is the threshold that the model loss must reach.
Proof: See Appendix A.
By adjusting the iteration step size and accumulated gradient during the iterative process, the prediction loss of the model can be increased, which guides the example to cross the decision boundary of the model and be misclassified.
We consider adding an outer loop iteration layer to the momentum iteration and using the generated initial adversarial example as the new input to continuously increase the loss of the target model within a limited number of iterations. Adding an outer loop iteration layer is not simply increasing the number of momentum iterations, because the iteration conditions are initialized at the beginning of each new outer loop, including clearing the accumulated gradients and setting the new iteration step size for that loop.
Remark 1: After adding the external layer, when maximizing the loss L(x*_n, l), the example moves continuously in the decision domain, and each move brings it close to or even across the decision boundary. Each time a new external loop begins, the momentum goes to zero and begins to accumulate again, so that the effect of the previous gradient information on the direction of the perturbation is reduced, making it more flexible to find the direction.
Ideally, the perturbation direction of an adversarial example in the decision domain is the direction of the original example perpendicular to the decision boundary. However, the iterative optimization process often skips the global optimal point or hovers near a local optimal point. Therefore, some means are needed to reactivate the optimization process. By adding the external loop iteration layer and initializing the step, the adversarial example is more likely to cross the decision boundary. To clearly analyze the effect of the proposed method in the decision domain, we consider the momentum iteration process of each internal loop as a whole, with an arrow representing the example positions before and after the process, as shown in Fig. 4. It shows the movement of the example in the decision domain when the adversarial example is generated using double loop iteration. After each movement, the maximum distance between the example and the original example can be expressed as an infinite norm where n_s represents the number of sampling points of the input signal.
Remark 2: Since the size of the adversarial perturbation is constrained by the norm ‖x* − x‖_∞ ≤ ε, the movement of the example in the decision domain is constrained in the feature space mapped by the norm of the adversarial perturbation, and each example can only move at the boundary or inside the space. The purpose of the adversarial attack is to make the example in the space cross the decision boundary as much as possible, as in Fig. 4 where the example moves in different paths.
When the iteration step size in the external loop is set under the norm constraint, the step size should be not less than the momentum iteration step size to ensure the effectiveness of the attack in the internal loop. In addition, the adversarial examples should be able to adjust the targeting of the attack with the iteration process during the attack, so the examples should determine the approximate position and the specific position to maximize the model loss in the early and late iterations, respectively, which means that the iteration step size in the external loop is decreased. Therefore, the iteration step where M and N represent the number of external loop iterations and the number of internal loop iterations, respectively, and m represents the number of completed external loop iterations. When M = N, α_m satisfies ε/N ≤ α_m ≤ ε and decreases with the increase of m.
Remark 3: It can be seen from (18) that the iteration step size gradually decreases with the increase of the current number of external loops m. Therefore, the iteration step is updated each time a new external loop begins. The step is larger when m is small in order to generate the initial fuzzy perturbation, and gradually decreases as m becomes larger to fine-tune the perturbation.
After getting the direction and size of the iteration, in the (n + 1)th iteration in the internal loop, we can get the adversarial perturbations by and the adversarial examples by After the end of the double loop iteration, the loss of the model to these examples is often greater than that of the single loop iteration, which makes the model more vulnerable to attack and causes it to recognize these examples as another wrong class.
To study the influence of loop parameters on attack effectiveness, we select different combinations of external loop number and internal loop number to generate adversarial examples. The recognition results of ResNet for these examples are shown in Table II. It can be seen that when M = 1 and N gradually increases, the attack performance increases, but the increase is smaller. When N is constant and M increases, the attack performance increases. In addition, the adversarial examples generated when M = N = 5 decrease the accuracy of the model more than when N = 25 and M = 1, and the adversarial examples generated when M = N = 10 decrease the accuracy of the model more than when N = 100 and M = 1. It shows that the proposed method has a better effect than simply increasing the overall number of iterations.
To preliminarily study whether the attack caused the expected damage to the target model, t-SNE is used to visualize the characteristics of the clean examples and the
for n = 0 to N − 1 do
Input x*_n to classifier and obtain the loss gradient
Update g_{n+1} by accumulating the velocity vector in the gradient direction as
Compared with other traditional attacks, the proposed attack method mainly adds an external loop, so we call it the double loop iterative method (DLIM). Algorithm 1 summarizes the detailed steps of the DLIM attack algorithm. To facilitate the implementation of the algorithm, the number of loops m starts from zero, then α_m = (M − m) · ε/N.
To compare with the traditional methods and highlight the improvement, we express the process of the DLIM algorithm in an external loop as follows: Equation (21) represents the generation process of adversarial examples in an external loop. The differences from MIM are the initialization of the loop conditions and the addition of an iteration step size determined by the double loop parameters.

C. Attack Performance Metrics
When implementing an adversarial attack, the purpose is to use small perturbations that the receiver cannot perceive to make the model misclassify and try to cover up the traces of the attack on the waveform while ensuring the attack effect. Therefore, the main metrics to evaluate the attack performance are the attack success rate and the perceptibility of the adversarial perturbation.
The attack success rate of adversarial examples can be reflected by the accuracy of the recognition model. The more the recognition accuracy decreases after the attack, the higher the attack success rate will be. The ratio of perturbation power to noise power and the ratio of perturbation power to signal power can be used to describe the perceptibility of perturbation, which are called the perturbation-to-noise ratio (PNR) and the perturbation-to-signal ratio (PSR), respectively [34]. The relationship between PNR, PSR, and SNR satisfies PNR = PSR × SNR with [35] PNR where E is the expectation. According to the definition of PNR, the larger the PNR, the higher the added perturbation level. When PNR ≤ 0 dB, it shows that the order of the perturbation is equal to or even lower than the noise level. At this time, we can consider the perturbation to be imperceptible. For example, for the modulation signal x with an amplitude of 0.01 used in this article, when SNR = 10 dB, if the perturbation is to be imperceptible, it is necessary that then the solution ε ≤ 0.0032. This indicates that the perturbation has strong concealment when the maximum perturbation level does not exceed 0.0032 under the above conditions. In the PNR expression, ε 2 2 is the maximum perturbation power that the adversarial example can achieve at a certain sampling point, which limits the visibility of the adversarial perturbation before generating the adversarial example. When using different attack methods to generate adversarial examples under the same norm constraint, in order to compare the performances of different attacks, it is necessary to quantitatively analyze the similarity between the generated examples and the clean examples. Zhao et al. [36] proposed the fitting difference (FD) to quantify the degree of change of clean examples after the adversarial attack, which can be used to measure the concealment of attacks. After an attack, the FD between the adversarial example and the original example can be expressed as where L_s is the length of the original example, s and s* are the original example and the corresponding adversarial example, respectively, and s̄ is the average of the original example, that is In general, when FD → 0, the waveform of the adversarial example is very similar to the original example, indicating that the adversarial attack has good concealment. On the contrary, when FD increases, the adversarial example waveform gradually deviates from the original example waveform, and the adversarial attack is easy to detect. Therefore, the perceptual invisibility of attacks can be analyzed by comparing the FD values of the adversarial examples generated by different attacks relative to the original examples.

IV. ADVERSARIAL TRAINING BASED ON KNOWLEDGE DISTILLATION
In this section, we will apply knowledge distillation to AT according to the distribution characteristics of the model's prediction probability for adversarial examples by proposing a new defense method for AT based on knowledge distillation.

A. Adversarial Training
AT uses adversarial examples to adjust the parameters of the target model, which is one of the most direct and effective defense methods [37]. After AT, the model can learn the adversarial features of adversarial examples within the model, thereby resisting similar attacks. For multiclassification tasks, under the infinite norm constraint ‖x* − x‖_∞ ≤ ε, the parameters of a robust model can be obtained by where x and l represent the original input and the true label, respectively, D is the distribution of the input, θ is the model parameter, and L(·) is the prediction loss of the model. The AT process is actually a min-max game, which aims to achieve the best balance between the accuracy and robustness of the model. The max optimization problem in (26)  PGD obtained by using the PGD can greatly improve the robustness of the model to general first-order attacks [15]. At this point, (26) can be rewritten as

B. Knowledge Distillation
The basic idea of knowledge distillation is to use a complex teacher model to guide the training of a simple student model, which is a technique for compressing and optimizing models [38]. In knowledge distillation, the teacher model is usually a complex DNN trained on a large-scale data set, which can learn the deep features of the data and has high accuracy and generalization ability. The student model is usually a simplified neural network with a simple structure and a small number of parameters. The student model is faster, takes up fewer resources than the teacher model in training and reasoning, and is more suitable for some devices or scenarios with limited storage and computing resources.
Through knowledge distillation, the student model can learn the precise decision boundary of the teacher model. The student model takes the output probability distribution of the teacher model as a soft label during training, and minimizes the Kullback-Leibler divergence between its predicted output and the output probability distribution of the teacher model, so as to better simulate the decision-making process and knowledge representation of the teacher model. When the distillation temperature is T, the prediction probability of the model for the input is where z_i(x) is the logit value that the model predicts the input as class i, and K is the number of categories of signals. Then, the predictive soft label of the teacher model for the input can be expressed as a probability distribution Then, the student model can be trained by using the soft label instead of the true label, so as to transfer the knowledge of the teacher model to the student model.

C. Distillation-Based Adversarial Training
In order to ensure the concealment of adversarial examples, attackers often generate adversarial examples in the adversarial area near the original example [20]. Due to the strong learning ability of complex models, AT using complex models can learn the adversarial information contained in adversarial examples. However, in some specific practical applications, such as edge devices, the storage and computing resources of devices are very limited, which limits the deployment of complex models to these devices, so the use of simple models is necessary. In order to make the simple model deployed in the device have better robustness, the adversarial knowledge learned by the complex model can be transferred to the simple model through knowledge distillation, so that the simple model also has strong defense performance. The process of AT based on knowledge distillation is shown in Fig. 6.
Fig. 6 shows the brief process of the proposed distillation-based AT (DAT), including the extraction and transfer of adversarial information contained in the adversarial examples. After AT using clean and adversarial examples, the complex model can learn adversarial knowledge from the input, which is reflected in the decision boundary and prediction probability distribution of the model. Then, through knowledge distillation, the adversarial knowledge learned by the complex model is transferred to the simple model.
When training the simple model, traditional AT uses one-hot encoding as the label, which will overfit the network. Label smoothing can avoid network overconfidence by adjusting the probability distribution of the original label, so that the predicted value of the model is not excessively concentrated in the category with high probability. The kth probability value in the smoothed label can be expressed as where β represents the smoothing coefficient, δ_{k,l} represents the distribution of the one-hot encoding, and u(k) represents the decay probability distribution and is often uniformly distributed u(k) = 1/K.
Proposition 2: After label smoothing, the model's prediction loss for adversarial examples can be expressed as When the model is overfitting, a certain prediction probability of the model output is close to 1, and the distribution loss L(x*, u) between the prediction probability distribution and u will increase, which is conducive to preventing the model from overlearning.
Proof: See Appendix B.
In this article, we use the prediction results of the complex model to adjust u(k) in (30) to better utilize the adversarial information learned by this model. We assign the smoothing values based on the probability values other than the true category probability q_t in l^soft_t, setting u(k) as Then, the training loss of the simple model can be expressed as where λ represents the proportion of adversarial examples used in AT, and L(·) represents the cross-entropy loss in (14).
After training, the simple model will contain the adversarial information learned by the complex model from the adversarial examples, so it has good robustness to adversarial attacks.
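The label construction and loss described above, as an added example that is not the authors' code. The form (1 − β)δ + βu(k) is standard label smoothing; the renormalised teacher form of u(k), the λ-weighted mix of clean and adversarial cross-entropy, and every name and sample probability below are assumptions made for illustration.

```python
import math

CLASSES = ["BPSK", "QPSK", "8PSK", "QAM16"]   # constructed 4-class subset
TRUE_IDX = 1                                   # true class: QPSK
# Constructed softmax output of the complex (teacher) model on one adversarial example.
TEACHER_PROBS = [0.05, 0.80, 0.10, 0.05]

def uniform_u(num_classes):
    """Classic decay distribution u(k) = 1/K."""
    return [1.0 / num_classes] * num_classes

def teacher_u(teacher_probs, true_idx):
    """Assumed form: teacher mass on the non-true classes, renormalised to sum to 1."""
    rest = 1.0 - teacher_probs[true_idx]
    k_total = len(teacher_probs)
    if rest < 1e-12:  # teacher puts everything on the true class: spread evenly
        return [0.0 if k == true_idx else 1.0 / (k_total - 1) for k in range(k_total)]
    return [0.0 if k == true_idx else p / rest for k, p in enumerate(teacher_probs)]

def smooth_label(true_idx, u, beta):
    """q'(k) = (1 - beta) * delta_{k,l} + beta * u(k)."""
    return [(1.0 - beta) * (k == true_idx) + beta * u_k for k, u_k in enumerate(u)]

def cross_entropy(target, pred, eps=1e-12):
    """Cross-entropy between a target distribution and a predicted distribution."""
    return -sum(t * math.log(max(p, eps)) for t, p in zip(target, pred))

def dat_loss(label, student_clean, student_adv, lam):
    """Assumed mix: (1 - lam) * CE on the clean input + lam * CE on the adversarial input."""
    return ((1.0 - lam) * cross_entropy(label, student_clean)
            + lam * cross_entropy(label, student_adv))

if __name__ == "__main__":
    beta, lam = 0.1, 0.5
    one_hot = smooth_label(TRUE_IDX, uniform_u(4), 0.0)
    soft = smooth_label(TRUE_IDX, teacher_u(TEACHER_PROBS, TRUE_IDX), beta)
    overconfident = [0.001, 0.997, 0.001, 0.001]   # constructed student outputs
    calibrated = [0.03, 0.88, 0.06, 0.03]
    print("teacher-smoothed label:", [round(v, 3) for v in soft])
    print("one-hot loss, overconfident:", round(cross_entropy(one_hot, overconfident), 4))
    print("smoothed loss, overconfident:", round(cross_entropy(soft, overconfident), 4))
    print("smoothed loss, calibrated:", round(cross_entropy(soft, calibrated), 4))
    print("DAT loss:", round(dat_loss(soft, calibrated, overconfident, lam), 4))
```

With the teacher-derived u(k), the smoothing mass follows the classes the complex model confuses with the true one, and an overconfident student output is penalised more than a calibrated one.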

V. SIMULATION RESULTS AND DISCUSSION
In this section, we will analyze the performance of the proposed DLIM and DAT through simulation.

A. Double Loop Parameters
To study the influence of the double loop parameters on the performance of the proposed attack method and test the effectiveness of adding an external loop layer, we select different values of the internal and external loop parameters to attack the target model. Under the condition of maximum perturbation value ε = 0.0015, the adversarial examples generated by different loop parameters are input into the trained ResNet to test the recognition accuracy of the model for these examples. We generate adversarial examples to attack the target model in batches using the test set and the attack algorithm, and take the average of the accuracy of the target model after being attacked, as shown in Fig. 7.
In Fig. 7, we show the impact of loop parameters on the attack performance of DLIM. The accuracy of the model without attack is 0.921. We analyze the accuracy of the recognition model when SNR = 10 dB. When N = M = 5, the recognition accuracy is 0.468. When N = 25 and M = 1, the recognition accuracy is 0.503, which is 3.5% higher than that when N = M = 5. When N = M = 10, the recognition accuracy is 0.452. When N = 100 and M = 1, the recognition accuracy is 0.498, which is 4.6% higher than that when N = M = 10. Therefore, increasing the external loop layer does not simply increase the number of overall iterations. It can increase the prediction loss of the target model as much as possible by initializing the iterative conditions, and generate adversarial examples with stronger attack performance under the norm constraint.
For the traditional attack algorithm, which has only one loop, its algorithmic complexity is O(N). We can see from Algorithm 1 that the algorithmic complexity of the proposed DLIM is O(MN). Therefore, DLIM has the same algorithmic complexity at M = N = 10 as the traditional algorithm at N = 100, but it has a more significant attack performance as can be seen in Fig. 7.

B. Perturbation Level
Next, we study the influence of perturbation on the attack performance for N = M = 10 and SNR = 10 dB. We select different perturbation values in the interval [0, 0.003] to generate adversarial examples, and use ResNet to identify these examples. The accuracy of the model is shown in Fig. 8.
In Fig. 8, we show the impact of perturbation constraint on the performance of different attack methods. After being attacked, the accuracy decreases with the increase of perturbation constraint. It can be seen from the decrease in recognition accuracy that among the four traditional attacks, the attack performances of BIM and PGD are basically the same, both stronger than FGSM, and MIM is the strongest. The proposed DLIM has the strongest attack performance. For the adversarial examples generated by different attack methods, DLIM has the best attack effect when the perturbation constraint is the same. If the accuracy of the model is the same after different attacks, the perturbation required by DLIM is smaller, which means better concealment. When ε = 0.0021, the attack performance of the adversarial examples generated by DLIM is stronger than that generated by MIM, which makes the accuracy of the recognition model decrease by 8.5% over the MIM attack.

C. Signal-to-Noise Ratio
When N = M = 10 and ε = 0.0015, adversarial examples of different SNRs are generated by the attack methods, and they are input into the recognition model to study the influence of SNR on the attacks.
In Fig. 9, we show the relationship between the recognition accuracy and SNR when the model is attacked. When SNR is very small, the noise will submerge the adversarial perturbation we designed, which will lead to a small feedback of the model for the perturbation, so that there is no significant difference in the accuracy of the model after different attacks. As the SNR increases, the advantage of the proposed attack method increases. After the curve converges, when SNR is the same, DLIM makes the accuracy decrease the most. When SNR = 12 dB, the recognition accuracy reduced by DLIM is 5.6% higher than that of MIM.
To clearly show the effect of the attack in relation to the SNR, we selected the reduced accuracy of the target model at −6, −4, −2, 0, and 2 dB after being attacked as the attack effect, as shown in Table III.
We can see from Table III that when the accuracy of the model decreases close to 30%, the SNRs at which the FGSM, BIM, PGD, MIM, and DLIM are located are 0, −2, −2, −4, and −4 dB, respectively. Meanwhile, when the accuracy of the model decreases close to 43%, the SNRs at which the MIM and DLIM are located are 2 and 0 dB, respectively. Therefore, DLIM requires the smallest SNR when making the target model lose the same accuracy. In addition, DLIM has the best attack results compared to other methods at each of the selected SNRs, which indicates that DLIM outperforms other methods at low SNRs. In fact, from (22), when the PNR is certain, the perturbation value can be appropriately increased as the SNR decreases, which will enhance the performance of the attack, as will be introduced below.

D. Perceptual Invisibility
In the previous experiments, we compared the performances of different attacks and found that the proposed DLIM has the best attack performance. In order to evaluate the perceptual invisibility of attacks, we will compare the waveform similarity between clean examples and adversarial examples. We use FD to quantitatively evaluate the perceived invisibility of different attack methods. We select the test set of the data set to generate adversarial examples and calculate the average FD between them and clean examples. The results are shown in Fig. 10.
From Fig. 10, it can be seen that the FD of BIM is the smallest and its fitting effect is the best; MIM and the proposed DLIM are second and basically the same. It shows that these three methods produce fewer traces of attack, good waveform similarity, and low risk of attack being detected. However, when ε ≤ 0.003, these attack methods all satisfy the perturbation's imperceptible criterion. From Fig. 9, when SNR = 10 dB and ε = 0.0015, the attack success rate of DLIM is 12.8% and 5.2% higher than that of BIM and MIM, respectively.
When SNR = 10 dB and ε = 0.0015, according to (22), PNR = −6.5 dB, which satisfies the imperceptible standard PNR ≤ 0 dB of the perturbation, indicating that the perturbation has good concealment. The confusion matrix can intuitively show the classification results of the model for adversarial examples after being attacked, which is helpful in analyzing the difficulty of each type of modulation signal being attacked. In order to test the effectiveness of the proposed attack method, the confusion matrix of the model before and after the attack can be compared. Using SNR = 10 dB and ε = 0.0015, DLIM is used to generate adversarial examples, which are input into the model. The result is shown in Fig. 12.
It can be seen from Fig. 12(a) that the trained ResNet model has good recognition ability. From the probability value on the diagonal of the confusion matrix in Fig. 12(b), it can be seen that the prediction matrix of the model becomes confused after being attacked, and it is easy to misidentify the categories of most modulated signals, which indicates that DLIM has strong attack performance.

E. Adversarial Defense
To verify the effectiveness of the proposed adversarial distillation defense method DAT, we choose VTCNN with a simple structure as the target model. The network consists of IV.
It can be seen from Table IV that due to the simple structure of VTCNN, the model has limited accuracy and is vulnerable to attacks. Before the AT, the accuracy of the model has been greatly reduced after being attacked, showing a strong vulnerability to adversarial examples. After the AT, the VTCNN-AT obtained by the traditional AT method can significantly improve the accuracy of the model. Compared with VTCNN-AT, the VTCNN-DAT obtained by the proposed DAT method can further improve the accuracy of the model by about 5%, and weaken the damage of the attack to the model.
In addition, we use MIM and the proposed DLIM to study the defense effect of the model at different SNRs, as shown in Fig. 13.
We can see from Fig. 13 that the recognition performance of the model trained with the proposed DAT is better than AT at different SNRs, both for clean examples and for adversarial examples. Therefore, the proposed defense method can effectively improve the robustness of the model.

VI. CONCLUSION
This article has studied the security of the vulnerable automatic modulation recognition model in CR-enabled IoT. We have proposed a double loop iteration method by adding an external loop iteration layer and designing an external iteration step to update the initial conditions of the iterative attack. In addition, for simple models in devices with limited storage and computing resources, we have proposed an AT method based on knowledge distillation. Simulation results show that the proposed attack method has better attack performance than traditional attacks when the perturbation is perceptually invisible, and that the proposed defense method can improve the defense performance of the traditional AT.

APPENDIX A PROOF OF PROPOSITION 1
The prediction probability of a network with weight vector and bias vector ω and respectively, for a certain adversarial example $x^*$, is where K is the number of classes of signals. Since $x^* = x + \eta$ and the true label $l_i(x^*) = l_i(x)$, the prediction loss can be expressed as exp ω T x exp αω T sign(g) (35) where α is the size of perturbation, g is the accumulated gradient, and sign(g) represents the direction of perturbation. Since the network parameters ω of the trained model are fixed, the prediction loss of the model for an adversarial example $x^*$ generated from a clean example x is related to α and g, that is $L(x^*, l) = L(x, \alpha, g)$. (36) Liu et al. [39] indicated that when the model loss does not exceed the predicted loss threshold $L_T$, the model will make a correct prediction. The predicted class of the model for an adversarial example $x^*$ is y p x * = arg max

of traditional adversarial training (AT), and proposes a new double loop iterative attack method and a new defense method based on distillation-based AT. The main contributions of this article are as follows.
1) Different high-accuracy modulation recognition models based on DNN on the open source simulation data set are trained to identify and classify the modulation signals to achieve high accuracy.
2) A double loop iterative attack method is proposed. By adding an external loop iteration and designing an external iteration step, it initializes the conditions

. The data set contains 1.2 million signal examples with a length of 128 and is composed of ten modulation signals under different SNRs. It contains eight digital signals: 8PSK, quadrature phase shift keying (QPSK), binary phase shift keying (BPSK), Gaussian frequency shift keying (GFSK), continuous phase frequency shift keying (CPFSK), pulse amplitude modulation 4 (PAM4), quadrature amplitude modulation 16 (QAM16), and QAM64, and two analog signals: wideband frequency modulation (WBFM) and double sideband amplitude modulation (AM-DSB). The data set contains twenty SNRs. The SNR of the modulated signal varies from -20 to 18 dB, and the interval is 2 dB. We use 80% and 20% of the examples in the data set as training set and test set, respectively. Using the in-phase component and quadrature component in the data set, we can express the time-domain expression of a signal as

Fig. 4. Moving process of adversarial example in decision domain.

Fig. 5. t-SNE visualizations of the features of (a) clean examples and (b) corresponding adversarial examples in the recognition model.

Update $x^*_{n+1}$ by applying the sign gradient as $x^*_{n+1} = \mathrm{Clip}_{x,\epsilon}\{x^*_n + \alpha_m \cdot \mathrm{sign}(g_{n+1})\}$; return $x^* = x^*_M$.

corresponding adversarial examples when M = N = 10, as shown in Fig. 5. It can be seen from Fig. 5 that the characteristics of clean examples in the model have obvious regional characteristics, which is conducive to the correct classification of modulated signals by the model. In the case of a nontarget attack, the proposed attack method makes the features of examples pass through the decision boundary of the model, so that the generated adversarial examples overlap each other between different feature regions, which can greatly fool the recognition model.

can be regarded as the process of generating adversarial examples, which maximizes the prediction loss of the model by adding adversarial perturbations satisfying norm constraints to the input examples. The min optimization problem is used to minimize the overall expected risk of the model, which can be regarded as the process of training the model with adversarial examples. The most robust parameters for these examples can be found under the condition that the prediction results conform to the original data distribution. For the maximization process in (26), the adversarial examples x *

After using DLIM to generate adversarial examples of different modulation signals, we draw the time domain waveforms of these examples and the corresponding clean examples according to (13), as shown in Fig. 11. It can be seen from Fig. 11 that the waveform of these signals changes little before and after the attack, but this small change can deceive the recognition model to classify the signals incorrectly.

only two convolutional layers and two fully connected layers. It consumes very small storage and computing resources and can be used in some resource-constrained devices. To show the effectiveness of the proposed defense method, we have performed normal training, AT and distillation-based AT on VTCNN to obtain VTCNN, VTCNN-AT, and VTCNN-DAT, respectively. Using SNR = 10 dB and ε = 0.0015, we implement different attacks on the trained VTCNN, VTCNN-AT, and VTCNN-DAT. The recognition results of the models are shown in Table

TABLE II RECOGNITION RESULTS OF RESNET WITH DIFFERENT LOOP PARAMETERS

size $\alpha_m$ in the external loop can be set to

TABLE III REDUCED ACCURACY OF RESNET AT DIFFERENT SNRS (%)

TABLE IV RECOGNITION ACCURACY OF DIFFERENT MODELS (%)