No Cover Image

Journal article 317 views 83 downloads

Vision Transformer With Adversarial Indicator Token Against Adversarial Attacks in Radio Signal Classifications

Lu Zhang, Sangarapillai Lambotharan Orcid Logo, Gan Zheng Orcid Logo, Guisheng Liao Orcid Logo, Xuekang Liu Orcid Logo, Fabio Roli Orcid Logo, Carsten Maple Orcid Logo

IEEE Internet of Things Journal, Volume: 12, Issue: 17, Pages: 35367 - 35379

Swansea University Author: Lu Zhang

  • 69947.pdf

    PDF | Accepted Manuscript

    Author accepted manuscript document released under the terms of a Creative Commons CC-BY licence using the Swansea University Research Publications Policy (rights retention).

    Download (5.15MB)

Check full text

DOI (Published version): 10.1109/jiot.2025.3580194

Abstract

The remarkable success of transformers across various fields such as natural language processing and computer vision has paved the way for their applications in automatic modulation classification, a critical component in the communication systems of Internet of Things (IoT) devices. However,it has...

Full description

Published in: IEEE Internet of Things Journal
ISSN: 2327-4662
Published: Institute of Electrical and Electronics Engineers (IEEE) 2025
Online Access: Check full text

URI: https://cronfa.swan.ac.uk/Record/cronfa69947
first_indexed 2025-07-10T15:25:06Z
last_indexed 2025-09-05T06:12:14Z
id cronfa69947
recordtype SURis
fullrecord <?xml version="1.0"?><rfc1807><datestamp>2025-09-04T11:28:28.8002945</datestamp><bib-version>v2</bib-version><id>69947</id><entry>2025-07-10</entry><title>Vision Transformer With Adversarial Indicator Token Against Adversarial Attacks in Radio Signal Classifications</title><swanseaauthors><author><sid>1b129a1568c704d141d332da66640dd1</sid><firstname>Lu</firstname><surname>Zhang</surname><name>Lu Zhang</name><active>true</active><ethesisStudent>false</ethesisStudent></author></swanseaauthors><date>2025-07-10</date><abstract>The remarkable success of transformers across various fields such as natural language processing and computer vision has paved the way for their applications in automatic modulation classification, a critical component in the communication systems of Internet of Things (IoT) devices. However,it has been observed that transformer-based classification of radio signals is susceptible to subtle yet sophisticated adversarial attacks. To address this issue, we have developed a defensivestrategy for transformer-based modulation classification systems to counter such adversarial attacks. In this paper, we propose a novel vision transformer (ViT) architecture by introducing a newconcept known as adversarial indicator (AdvI) token to detect adversarial attacks. To the best of our knowledge, this is the first work to propose an AdvI token in ViT to defend against adversarial attacks. Integrating an adversarial training method with a detection mechanism using AdvI token, we combine a training time defense and running time defense in a unified neural network model, which reduces architectural complexity of the system compared to detecting adversarial perturbations using separate models. We investigate into the operational principles of our method by examining the attention mechanism. We show the proposed AdvI token acts as a crucial element within the ViT,influencing attention weights and thereby highlighting regions or features in the input data that are potentially suspicious or anomalous. Through experimental results, we demonstrate that our approach surpasses several competitive methods in handling white-box attack scenarios, including those utilizing the fast gradient method, projected gradient descent attacks and basic iterative method.</abstract><type>Journal Article</type><journal>IEEE Internet of Things Journal</journal><volume>12</volume><journalNumber>17</journalNumber><paginationStart>35367</paginationStart><paginationEnd>35379</paginationEnd><publisher>Institute of Electrical and Electronics Engineers (IEEE)</publisher><placeOfPublication/><isbnPrint/><isbnElectronic/><issnPrint/><issnElectronic>2327-4662</issnElectronic><keywords/><publishedDay>1</publishedDay><publishedMonth>9</publishedMonth><publishedYear>2025</publishedYear><publishedDate>2025-09-01</publishedDate><doi>10.1109/jiot.2025.3580194</doi><url/><notes/><college>COLLEGE NANME</college><CollegeCode>COLLEGE CODE</CollegeCode><institution>Swansea University</institution><apcterm/><funders>This work is supported by UKRI through the research grants EP/R007195/1 (Academic Centre of Excellence in Cyber Security Research - University of Warwick); National Hub for Edge (Grant Number: AI EP/Y028813/1); UK Research and Innovation (Grant Number: EP/X012301/1, EP/X04047X/1 and EP/Y037243/1); SERICS (Grant Number: PE00000014); FAIR through the MUR National Recovery and Resilience Plan; European Union&#x2014;NextGenerationEU (Grant Number: PE00000013) and EP/Y028813/1 (National Hub for Edge AI). S. Lambotharan would like to acknowledge the financial support of the Engineering and Physical Sciences Research Council (EPSRC) projects under grant EP/X012301/1, EP/X04047X/1, and EP/Y037243/1. This work was partially supported by projects SERICS (PE00000014) and FAIR (PE00000013) under the MUR National Recovery and Resilience Plan funded by the European Union - NextGenerationEU.</funders><projectreference/><lastEdited>2025-09-04T11:28:28.8002945</lastEdited><Created>2025-07-10T16:19:09.7984219</Created><path><level id="1">Faculty of Science and Engineering</level><level id="2">School of Mathematics and Computer Science - Computer Science</level></path><authors><author><firstname>Lu</firstname><surname>Zhang</surname><order>1</order></author><author><firstname>Sangarapillai</firstname><surname>Lambotharan</surname><orcid>0000-0001-5255-7036</orcid><order>2</order></author><author><firstname>Gan</firstname><surname>Zheng</surname><orcid>0000-0001-8457-6477</orcid><order>3</order></author><author><firstname>Guisheng</firstname><surname>Liao</surname><orcid>0000-0002-5919-0713</orcid><order>4</order></author><author><firstname>Xuekang</firstname><surname>Liu</surname><orcid>0000-0002-3318-6812</orcid><order>5</order></author><author><firstname>Fabio</firstname><surname>Roli</surname><orcid>0000-0003-4103-9190</orcid><order>6</order></author><author><firstname>Carsten</firstname><surname>Maple</surname><orcid>0000-0002-4715-212x</orcid><order>7</order></author></authors><documents><document><filename>69947__34741__f2a76c739d7d4e419abe107b198b5df8.pdf</filename><originalFilename>69947.pdf</originalFilename><uploaded>2025-07-10T16:23:16.2148769</uploaded><type>Output</type><contentLength>5399342</contentLength><contentType>application/pdf</contentType><version>Accepted Manuscript</version><cronfaStatus>true</cronfaStatus><documentNotes>Author accepted manuscript document released under the terms of a Creative Commons CC-BY licence using the Swansea University Research Publications Policy (rights retention).</documentNotes><copyrightCorrect>true</copyrightCorrect><language>eng</language><licence>https://creativecommons.org/licenses/by/4.0/deed.en</licence></document></documents><OutputDurs/></rfc1807>
spelling 2025-09-04T11:28:28.8002945 v2 69947 2025-07-10 Vision Transformer With Adversarial Indicator Token Against Adversarial Attacks in Radio Signal Classifications 1b129a1568c704d141d332da66640dd1 Lu Zhang Lu Zhang true false 2025-07-10 The remarkable success of transformers across various fields such as natural language processing and computer vision has paved the way for their applications in automatic modulation classification, a critical component in the communication systems of Internet of Things (IoT) devices. However,it has been observed that transformer-based classification of radio signals is susceptible to subtle yet sophisticated adversarial attacks. To address this issue, we have developed a defensivestrategy for transformer-based modulation classification systems to counter such adversarial attacks. In this paper, we propose a novel vision transformer (ViT) architecture by introducing a newconcept known as adversarial indicator (AdvI) token to detect adversarial attacks. To the best of our knowledge, this is the first work to propose an AdvI token in ViT to defend against adversarial attacks. Integrating an adversarial training method with a detection mechanism using AdvI token, we combine a training time defense and running time defense in a unified neural network model, which reduces architectural complexity of the system compared to detecting adversarial perturbations using separate models. We investigate into the operational principles of our method by examining the attention mechanism. We show the proposed AdvI token acts as a crucial element within the ViT,influencing attention weights and thereby highlighting regions or features in the input data that are potentially suspicious or anomalous. Through experimental results, we demonstrate that our approach surpasses several competitive methods in handling white-box attack scenarios, including those utilizing the fast gradient method, projected gradient descent attacks and basic iterative method. Journal Article IEEE Internet of Things Journal 12 17 35367 35379 Institute of Electrical and Electronics Engineers (IEEE) 2327-4662 1 9 2025 2025-09-01 10.1109/jiot.2025.3580194 COLLEGE NANME COLLEGE CODE Swansea University This work is supported by UKRI through the research grants EP/R007195/1 (Academic Centre of Excellence in Cyber Security Research - University of Warwick); National Hub for Edge (Grant Number: AI EP/Y028813/1); UK Research and Innovation (Grant Number: EP/X012301/1, EP/X04047X/1 and EP/Y037243/1); SERICS (Grant Number: PE00000014); FAIR through the MUR National Recovery and Resilience Plan; European Union—NextGenerationEU (Grant Number: PE00000013) and EP/Y028813/1 (National Hub for Edge AI). S. Lambotharan would like to acknowledge the financial support of the Engineering and Physical Sciences Research Council (EPSRC) projects under grant EP/X012301/1, EP/X04047X/1, and EP/Y037243/1. This work was partially supported by projects SERICS (PE00000014) and FAIR (PE00000013) under the MUR National Recovery and Resilience Plan funded by the European Union - NextGenerationEU. 2025-09-04T11:28:28.8002945 2025-07-10T16:19:09.7984219 Faculty of Science and Engineering School of Mathematics and Computer Science - Computer Science Lu Zhang 1 Sangarapillai Lambotharan 0000-0001-5255-7036 2 Gan Zheng 0000-0001-8457-6477 3 Guisheng Liao 0000-0002-5919-0713 4 Xuekang Liu 0000-0002-3318-6812 5 Fabio Roli 0000-0003-4103-9190 6 Carsten Maple 0000-0002-4715-212x 7 69947__34741__f2a76c739d7d4e419abe107b198b5df8.pdf 69947.pdf 2025-07-10T16:23:16.2148769 Output 5399342 application/pdf Accepted Manuscript true Author accepted manuscript document released under the terms of a Creative Commons CC-BY licence using the Swansea University Research Publications Policy (rights retention). true eng https://creativecommons.org/licenses/by/4.0/deed.en
title Vision Transformer With Adversarial Indicator Token Against Adversarial Attacks in Radio Signal Classifications
spellingShingle Vision Transformer With Adversarial Indicator Token Against Adversarial Attacks in Radio Signal Classifications
Lu Zhang
title_short Vision Transformer With Adversarial Indicator Token Against Adversarial Attacks in Radio Signal Classifications
title_full Vision Transformer With Adversarial Indicator Token Against Adversarial Attacks in Radio Signal Classifications
title_fullStr Vision Transformer With Adversarial Indicator Token Against Adversarial Attacks in Radio Signal Classifications
title_full_unstemmed Vision Transformer With Adversarial Indicator Token Against Adversarial Attacks in Radio Signal Classifications
title_sort Vision Transformer With Adversarial Indicator Token Against Adversarial Attacks in Radio Signal Classifications
author_id_str_mv 1b129a1568c704d141d332da66640dd1
author_id_fullname_str_mv 1b129a1568c704d141d332da66640dd1_***_Lu Zhang
author Lu Zhang
author2 Lu Zhang
Sangarapillai Lambotharan
Gan Zheng
Guisheng Liao
Xuekang Liu
Fabio Roli
Carsten Maple
format Journal article
container_title IEEE Internet of Things Journal
container_volume 12
container_issue 17
container_start_page 35367
publishDate 2025
institution Swansea University
issn 2327-4662
doi_str_mv 10.1109/jiot.2025.3580194
publisher Institute of Electrical and Electronics Engineers (IEEE)
college_str Faculty of Science and Engineering
hierarchytype
hierarchy_top_id facultyofscienceandengineering
hierarchy_top_title Faculty of Science and Engineering
hierarchy_parent_id facultyofscienceandengineering
hierarchy_parent_title Faculty of Science and Engineering
department_str School of Mathematics and Computer Science - Computer Science{{{_:::_}}}Faculty of Science and Engineering{{{_:::_}}}School of Mathematics and Computer Science - Computer Science
document_store_str 1
active_str 0
description The remarkable success of transformers across various fields such as natural language processing and computer vision has paved the way for their applications in automatic modulation classification, a critical component in the communication systems of Internet of Things (IoT) devices. However,it has been observed that transformer-based classification of radio signals is susceptible to subtle yet sophisticated adversarial attacks. To address this issue, we have developed a defensivestrategy for transformer-based modulation classification systems to counter such adversarial attacks. In this paper, we propose a novel vision transformer (ViT) architecture by introducing a newconcept known as adversarial indicator (AdvI) token to detect adversarial attacks. To the best of our knowledge, this is the first work to propose an AdvI token in ViT to defend against adversarial attacks. Integrating an adversarial training method with a detection mechanism using AdvI token, we combine a training time defense and running time defense in a unified neural network model, which reduces architectural complexity of the system compared to detecting adversarial perturbations using separate models. We investigate into the operational principles of our method by examining the attention mechanism. We show the proposed AdvI token acts as a crucial element within the ViT,influencing attention weights and thereby highlighting regions or features in the input data that are potentially suspicious or anomalous. Through experimental results, we demonstrate that our approach surpasses several competitive methods in handling white-box attack scenarios, including those utilizing the fast gradient method, projected gradient descent attacks and basic iterative method.
published_date 2025-09-01T05:24:49Z
_version_ 1851460042003316736
score 11.089572

Similar Items