Transfer-based Adversarial Poisoning Attacks
for Online (MIMO-)Deep Receviers

Till now, numerous studies have explored DL-based designs for wireless communication systems. Most of them utilize an independent DNN to map the input-output relationships of functional modules in communication links. Alternatively, some approaches jointly optimize modules at both the transmitter and receiver by multiple DNNs. Typical applications include DL-based adaptive modulation[6], channel estimation[7], channel coding and decoding[8], and modulation recognition[10]. Beyond replacing functional modules in the physical layer, various constraints can be integrated into the training process to optimize additional system metrics, such as the adjacent channel leakage ratio (ACLR) and peak-to-average power ratio (PAPR) [6]. In terms of receiver design, lots of work has contributed to enhancing its adaptability to the dynamic channels, including training multiple models as a deep ensemble [12] and joint learning [13, 15].

However, DL-based wireless designs mentioned above are data-driven methods that heavily depend on a substantial amount of training data to improve their generalization capacity. Given that deep receivers typically have access to only limited pilots for adaptation, this characteristic poses a significant challenge. In addition, data-driven designs may suffer from performance degradation when faced with data distribution drift caused by dynamic channels[16]. To handle these issues, an online learning based approach has been proposed, involving dataset, training algorithm and deep receivers architecture. In particular, data augmentation[17] and self supervision methods [18],[19] were proposed to to expand the training data for online adaptation. In [16] and [20], meta-learning was employed to improve the generalization capability. Furthermore, Model-based deep learning provide a solution for receivers architecture design to satisfy the adaptability and data efficiency[21]. Specifically, the deep receivers were explicitly modelled by incorporating wireless domain knowledge, thereby reducing the dependence on data, such as DNN-aided inference[15],[21] and deep unfolding [21, 15, 22, 1]. In these studies, [1] proposed a classic model-based deep receiver, i.e., the DeepSIC, in MIMO scenarios, derived from the iterative soft interference cancellation (SIC)[23] MIMO detection algorithm. It employed DNN instead of each round of interference cancellation and soft detection, requiring only a few iterations to achieve extremely low data dependence and optimal performance. [20] utilized meta-learning to improve the training performance of online DeepSIC, and the evaluation results indicated that its performance was improved compared with traditional data-driven receiver, and it exhibited commendable adaptability to dynamic channels.

As mentioned earlier, while DL-based transceiver designs can enhance performance, they remain vulnerable to attacks by malicious users. In particular, attacks on DL-based transceivers are divided into two main categories, i.e., the evasion attacks and data poisoning attacks. Evasion attacks, also known as adversarial attacks, manipulate test data to mislead the model[5],[24]. On the other hand, data poisoning attacks corrupt the training data, affecting the model’s performance during testing[5], [24, 25, 26].

According to extensive literature review, numerous studies on DL-based wireless communication primarily concentrate on evasion attacks. For instance, [28] proposed generative adversarial network (GAN)-based method to generate adversarial perturbations for channel received data, which can unnoticeably mislead wireless end-to-end autoencoders, modulation pattern recognition, and the DL-based symbol detection in orthogonal frequency division multiplexing (OFDM) systems. [29] reported adversarial perturbations can interfere with gradient-based iterative optimization algorithms in the physical layer. [30] proposed semantic attacks against semantic communication. Furthermore, adversarial perturbations can also play a role in interpretable (e.g., deep unfolding-based) architectures. To illustrate, [31] employed transfer-based methods to attack deep sparse coding networks and demonstrated that these attacks exert deleterious effects on the various components of deep unfolded-based sparse coding. Regarding data poisoning attacks, current research primarily focuses on cognitive radio spectrum-aware poisoning [5],[32] and disrupting distributed wireless federated learning[33, 34].

Unlike previous studies, this paper addresses security threats to online deep receivers. Furthermore, we propose a transfer-based adversarial poisoning attack method, which can significantly corrupt various online deep receivers even without prior knowledge of the target system. Specifically, we focus on online receivers based on model-based deep learning, such as DeepSIC[1] and Meta-DeepSIC[20], as well as general DL-based detectors, including the black-box DNN detector[15],[17] and the ResNet detector designed based on DeepRX[35].

As previously stated, DeepSIC is a classical model-based deep receiver that can be combined with meta-learning for efficient online adaptation. This design effectively tackles the challenge of limited pilot data in wireless communication scenarios, thereby improving the generalization of deep receivers under dynamic channel conditions. Moreover, studies on the attack methods for DeepSIC can provide comprehensive insights into deep receiver characteristics and contribute to robust designs. Ultimately, this research aids in creating secure and efficient DL-enabled wireless communication systems.

Specifically, the mainly contributions of this paper are summarised as below.

• $\bullet$

  We highlight a communication system susceptible to malicious user poisoning attacks. We then analyze the vulnerability of the deep receiver based on online learning in the authorization system. From the perspective of malicious user, we further develop an attack utility model and an optimal attack utility decision problem.

• $\bullet$

  We effectively design a poisoning attack framework and attack perturbation generation method for online learning deep receivers. The fundamental concept is to introduce a poisoned sample into the online training and updating phase of the deep receiver, thereby compromising its performance over time. The poisoning attack framework has two stages. Firstly, malicious user employ joint learning to create a surrogate model, which can be selected from a generic DNN architecture, e.g., feedforward DNNs. Secondly, they generate poisoning perturbation samples based on the surrogate model. The transferability of the poisoning attack makes it work on different types of deep receivers.

• $\bullet$

  We numerically evaluate the effect of the proposed poisoning attack method on four channel models: Linear synthetic channel, nonlinear synthetic channel, static channel, and COST 2100 channel. Simulation results demonstrate that the proposed poisoning attack method impairs the deep receiver’s ability to adapt to rapid changes in dynamic channels and to learn from nonlinear effects. Furthermore, deep receivers adapted using meta-learning more severely damaged after poisoning.

The rest of the paper is organized as follows. Section II introduces the system and scenario models and the attack models of the malicious user. Section III presents the basic theory of adversarial machine learning, focusing on evasion attacks, data poisoning attacks, and the conceptual approaches to attack transferability. Section IV details the proposed poisoning attack framework and the method for generating poisoning attack samples for online deep receivers. Section V evaluates and analyzes the effectiveness of the proposed poisoning attack method. Section VI concludes the paper.

In this paper, we investigate a poisoning attack scenario model for a communication system, as illustrated in Fig. 1. This system consists of a pair of legitimate transceivers and a malicious poisoning attack user. Both the legitimate transmitter and receiver equip with multiple antennas, denoted as $N_{tx}$ and $N_{rx}$ respectively. We focus on a single-antenna malicious user, as this represents a cost-effective and straightforward approach to conducting attacks. The data transmission from transmitter to receiver is block-based, as illustrated in Fig. 2. The length of one block is $L$, including $L_{\text{pilot}}$ pilot symbols and $L_{\text{info}}$ information symbols, herein, $L_{\text{info}}\gg L_{\text{pilot}}$. As shown in Fig. 3, the legitimate receiver utilizes a DL-based architecture for signal receiving and processing. It is trained using pilot data and employs the trained deep receiver to decode information data. For the malicious user, based on the previously collected pilot data, it launches an attack by poisoning or disturbing the transmission process of the pilot used by the legitimate user. Its objective is to corrupt with the online training and updating of the deep receiver, thereby disrupting its information data reception and decoding.

Based on the above illustrated scenario, defining the transmit symbols by the legitimate transmitter as $\mathbf{s}\in\mathbb{R}^{N_{\mathrm{tx}}}$, and the corresponding modulated symbols as $\mathbf{x}\in\mathbb{C}^{N_{\mathrm{tx}}}$. These modulation symbols are then upconverted, amplified, transmitted through multiple antennas, and finally arrived at the receiver. Let $\mathbf{H}\in\mathbb{R}^{N_{\mathrm{rx}}\times N_{\mathrm{tx}}}$ denote the baseband equivalent channel matrix, and $\mathbf{w}\sim\mathcal{CN}\left(\mathbf{0},\sigma^{2}\ \mathbf{I}\right)$ represent the additive gaussian white noise experienced by the legitimate receiver. The equivalent baseband signal received by the legitimate receiver, in the absence of a malicious user poisoning attack, is $\mathbf{y}\in\mathbb{C}^{N_{\mathrm{rx}}}$, which can be expressed as

Following that, defining a block of data symbols received by the authorised receiver as $\mathbf{Y}$. The received data symbols can then be divided into two parts, denoted as $\mathbf{Y}_{\text{pilot}}=\left\{\mathbf{y}_{i}\right\}_{i=1}^{L_{\text{pilot}}}$ and $\mathbf{Y}_{\text{info}}=\left\{\mathbf{y}_{i}\right\}_{i=L_{\text{pilot}}+1}^{L}$.

In this paper, the online learning based deep receiver is adopted by the legitimate receiver, as illustrated in Fig. 3. Here, define the deep receiver as a classifier $f_{\theta}$ with model parameter $\theta$. $f_{\theta}$ is trained using a supervised learning approach. The data used for training is the pilot dataset, which is defined as $\mathcal{T}=\left\{\mathbf{Y}_{\text{pilot}},\mathbf{S}_{\text{pilot}}\right\}=\left\{\mathbf{y}_{i},\mathbf{s}_{i}\right\}_{i=1}^{L_{\text{pilot}}}$. Model testing is done with information dataset, which is represented as $\mathcal{V}=\left\{\mathbf{Y}_{\text{info}},\mathbf{S}_{\text{info}}\right\}=\left\{\mathbf{y}_{i},\mathbf{s}_{i}\right\}_{i=L_{\text{pilot}}+1}^{L}$. The supervised training loss function is the cross-entropy loss, which is represented as $\mathcal{L}(\mathcal{T};\theta)$. $\hat{P}_{\theta}(\cdot|\cdot)$ denotes the likelihood probability of symbol estimation for deep receivers. The deep receiver training objective can be described by

The deep receiver, trained using $\mathcal{T}$, is used to decode the symbols in $\mathcal{V}$. For the $i$-th received symbol $\mathbf{y}_{i}$, the decoded result is expressed as $\hat{\mathbf{s}}_{i}\left(\mathbf{y}_{i};\theta\right)$. The performance metric of the deep receiver is the symbol error rate (SER), which is defined as

For the considered system, as mentioned earlier, there is a malicious user, which aims to corrupt the information receiving and decoding of the legitimate receiver, by poisoning on the pilot data transmission from the transmitter to the receiver. This is similar to [32, 33]. In particular, the attack process of the malicious user is shown in Fig. 4 and summarised as below.

1. Step 1:

   Since the pilot pattern is fixed during transmission, the malicious user can collect pilot data during the communication process between the legitimate transceiver.

2. Step 2:

   The accumulated pilot data is employed to train a surrogate model that is analogous to the attack target, specifically the authorised deep receiver.

3. Step 3:

   The malicious user generates the optimal perturbation based on the surrogate model and the transferability of the attack.

4. Step 4:

   The malicious user injects the channel perturbation. The deep receiver will gradually be poisoned until the model fails when it receives the perturbed pilot data used to train the model.

In principle, a poisoning attack perpetrated by a malicious user can be conceptualized as a perturbation injection process. In particular, the perturbation is defined as a vector in the complex space of receiver inputs, denoted as $\delta\in\mathbb{C}^{N_{rx}}$, with a poisoning process represented by $\mathcal{P}(\cdot)$. For the $i$-th received symbol $\mathbf{y}_{i}$, the corresponding poisoning perturbation is given by $\delta_{i}$, and the corresponding poisoned received symbol is given by $\mathcal{P}\left(\mathbf{y}_{i}\right)=\mathbf{y}_{i}+\delta_{i}$. Therefore, within the context of poisoning attacks on deep receivers, the primary challenge for malicious users is to design an optimal perturbation signal structure that maximizes the deep receiver’s loss on subsequent information symbols or validation sets, which will be addressed in the following sections.

The evasion attacks executed by generating adversarial samples aimed at causing misclassification during the testing phase of the DNN. This is achieved by identifying the network’s vulnerabilities and applying small, strategically crafted perturbations to the input, as illustrated in Fig. 5(a). Gradient-based optimizers [42],[43] are effective in determining these influential perturbations. Given a target model and input data, the gradient of the objective function is used to guide the application of minor perturbations, which maximizes the loss induced on the input. This can be formulated as a single-layer optimization problem. Specifically, let $\mathbf{y}$ represent the model input, $\mathbf{s}$ the corresponding labels, and $\mathbf{y}^{\prime}$ the adversarial samples generated after adding perturbation. The adversarial perturbation, denoted as $\delta=\left\|\mathbf{y}^{\prime}-\mathbf{y}\right\|_{p}$, is constrained by an upper bound $\epsilon>0$, with the optimal adversarial sample $\mathbf{y}^{*}$. The classifier is parameterized by $\theta$, and for classification tasks, the cross-entropy loss function $\mathcal{L}\left(\mathbf{y}^{\prime},\mathbf{s};f\theta\right)$ is employed. Thus, the generation of optimal adversarial samples can be framed as the following optimization problem

The optimization goal of the data poisoning attacks is to poison the target with poisoned training data to degrade its test performance, which is shown in Fig. 5(b). Similar to the generation of adversarial samples, in data poisoning attacks, a perturbation $\delta$ is applied to each sample in the training set under the $p$-norm constraint, ensuring that the perturbation magnitude does not exceed an upper bound $\epsilon$. Specifically, the test set $\mathcal{V}$ and the training set $\mathcal{T}$ are defined, as well as the poisoned training set $\mathcal{P}(\mathcal{T})$ after applying the perturbation to the data set. Furthermore, $\theta^{*}$ denotes the optimal poisoning parameter of the target classifier with respect to the parameter $\theta$. Thus, the poisoning attack can be modelled as a dual optimization problem as follows:

Herein, firstly, the inner layer optimization involves the standard model training process. In this process, the attacker uses the poisoned data to train the target model by minimizing the empirical loss $\mathcal{L}(\mathcal{P}(\mathcal{T});\theta)$ to obtain the optimal poisoned parameter $\theta^{*}$. Secondly, based on the obtained $\theta^{*}$, the attacker maximizes the loss $\mathcal{L}(\mathcal{V};\theta^{*})$ on the test set. Note that solving this optimization problem directly is often very difficult, and it is more common practice to approximate this maximization process through gradient optimization of $\delta$.

As discussed in Section III-D, black-box attacks rely on the gradient alignment between the surrogate and target models to ensure generalization. To achieve this, it is crucial to avoid using surrogate models that are too specialized for specific tasks. This strategy improves compatibility with different deep receivers, enhancing the attack’s effectiveness. Therefore, this paper employs a generic DNN architecture, such as feedforward neural networks, as the surrogate model, as shown in Step 1 of Fig. 6.

From the perspective of a malicious user, it is essential to select a suitable surrogate model architecture similar to the target model and to effectively train and optimize the surrogate model. In the proposed attack framework, joint learning is used to train the surrogate model. This approach utilizes data collected under various channel conditions to train the DNN, enabling it to adapt to dynamic channels [13, 15]. Unlike legitimate communicating parties that have to use online learning methods to adapt to time-varying wireless channels, the malicious user can pre-collect large datasets to train a robust model. Furthermore, the use of joint learning, instead of using channel state information or online learning [15], addresses the issue of attack generality at the data level, avoiding over-specialized surrogate models in black-box attack transfers, as discussed in Section IV-A. Joint learning also satisfies the data volume requirements of deep learning, making the surrogate model more robust than the target model, which uses online learning. This results in attack patterns with more stable and effective attack results. Conversely, the robust learning process of the target model mitigates the impact of poisoning, as demonstrated by pilot size adjustments in Section V-E.

Specifically, as shown in Step 2 of Fig. 6, the malicious user employs joint learning to train a DNN (i.e., the surrogate model) utilizing a large amount of communication data (e.g., pilot) amassed from legitimate transceivers. The DNN learns a mapping applicable to most channel states, reflecting the input-output relationship of the target deep receivers. The training data includes two types: communication data from different channel distributions and data from varying signal-to-noise ratio (SNR) conditions within the same channel. Finally, to generate effective adversarial poisoning samples, suitable attack generation methods must be considered, as detailed in Section IV-C.

Once the optimized surrogate model has been obtained, the malicious user generates the necessary poisoning attack samples in order to execute the attack. As illustrated in Step 2 of Fig. 6, we employ the projected gradient descent (PGD) algorithm [42], to generate the adversarial poisoning attack perturbations discussed in Section III-C. The whole algorithmic flow of generating perturbations is shown in Algorithm 1, and summarised as below.

1. Step 1:

   Obtain the pilot dataset $\mathcal{T}_{\text{pilot}}\equiv\{\mathbf{y},\mathbf{s}\}$. Then, within an interval $[-\epsilon,+\epsilon]$ defined by the upper bound of the $p$-norm constraints, use uniformly distributed sampling to generate a randomly initialized perturbation vector $\delta$.

2. Step 2:

   Superimpose the $\delta$ on the pilot data. The perturbed data should then be fed into the surrogate model $f_{\varphi}$ to calculate the attack loss.

3. Step 3:

   $\delta$ updates in the gradient direction of loss with step size $\gamma$, and $\mathbf{y}+\gamma\delta$ remains within the specified upper bound $I_{max}$, and lower bound $I_{min}$.

4. Step 4:

   The Step 2 and Step 3 iteratively repeat the $Q$ rounds to obtain poisoned pilot data with the optimal attack perturbation.

Once the iteration is complete, the optimal perturbation will be applied to the current block’s pilot to generate the poisoned pilot dataset, denoted as $\mathcal{P}(\mathcal{T})$. This dataset will then be received by the deep receiver and poisoned during the training and updating of the model, as illustrated in Step 3 of Fig. 6.

The deep receiver operates on a discrete memoryless MIMO channel. The number of transmitting and receiving antennas is set to $N_{tx}$$=$$N_{rx}$$=$4. The experimental evaluation channel model comprises synthetic channels [20] and COST 2100 channels [50]. Fig. 7 illustrates the four channel tapping coefficients for a randomly selected user in a multiuser system over 100 blocks of data transmission. In the context of linear channels, the input-output relationship is expressed by the (1) given in Section II-A. In the context of a nonlinear channel model [20], the input-output relationship is represented by

where the $\tanh(\boldsymbol{\cdot})$ function is used to simulate the non-linear variations in the transceiver process due to non-ideal hardware, with the parameter $k=0.5$.

We consider three deep receiver architectures in the evaluated network architecture: Namely, the model-based deep receiver DeepSIC [1], the black-box DNN detector [15],[17], and the ResNet detector designed based on DeepRX [35].The relevant details are as follows:

• $\bullet$

  DeepSIC: DeepSIC unfolds the traditional SIC iterative process and replaces each iteration with a sub-neural network to improve performance. Each sub-neural network enhances the reliability of the current estimation using received symbols and the output confidence from the previous iteration. This design enables DeepSIC to achieve high reliability even with limited training data[1, 20]. In this paper, DeepSIC includes 3 iterations, resulting in a total of $3\times N_{tx}$ sub-networks. Each sub-network is a two-layer fully connected layer network. The first layer has a dimension of $(N_{rx}+N_{tx}-1)\times 64$, and the second layer has a dimension of $64\times|S|$, where $|S|$ is the size of the set of symbols to be transmitted. For example, $|S|=4$ when using QPSK transmission. The activation function employed in the initial layer of each subnetwork is ReLU, while the second layer utilizes softmax classification.

• $\bullet$

  Black-box DNN Detector: The black-box DNN architecture consists of 4 fully-connected layers and a softmax classification header. The dimensions of the layers are $N_{rx}\times 60,60\times 60,60\times 60$ and $60\times|S|^{N_{tx}}$, respectively.

• $\bullet$

  ResNet Detector: The ResNet detector employed in this paper comprises 10 layers of residual blocks, each containing 2 convolutional layers with 3$\times$3 kernels, one-pixel padding on both sides, and no bias terms. A ReLU activation function is used between the layers, and each convolutional layer is followed by 2D batch normalization.

The objective of this paper is to present an attack strategy, which attacks online adaptation of the deep receivers. Consequently, the focus is on the deep receiver’s online training, with the parameter configurations illustrated in Table I. The parameter settings for online training come from [15, 17]. Upon receipt of a data block, the deep receiver is only able to utilize a subset of the data block for training, like pilot symbols, specifically $L_{\text{pilot}}=200$. Then the deep reciver predicts the subsequent $L_{\text{info}}=50000$ symbols. In the experiment, a total of 100 data blocks were transmitted, with the transmitted data being QPSK modulated, i.e., the user-transmitted symbols $\mathbf{s}$ were mapped to the set $C=\left\{\left(\pm\frac{1}{\sqrt{2}},\pm\frac{1}{\sqrt{2}}\right)\right\}^{4}$. Furthermore, the deep receivers are trained using the adam optimizer. The training epochs are 300. The initial learning rate $\eta$ is set to 5 $\times 10^{-3}$ for ResNet detector, black-box DNN detector and DeepSIC. The meta learning rate $\eta_{\text{meta}}$ is set to 0.01 for Meta-DeepSIC. Additionally, online training is performed for different architectural receivers, which were implemented in the following two cases:

• $\bullet$

  Online learning: Based on the adaptation from the previous data block, the deep receiver trains and updates the current model using the limited pilot symbols received in the current data block.

• $\bullet$

  Online meta-learning: According to [20], [52], the meta-learning is employed to facilitate adaptation to the channel. Specifically, the pilot data from 5 data blocks is accumulated, and then meta-learning is performed on the this data to obtain the meta-learning weights for the deep receiver. Subsequently, the weights are then employed in an online learning process involving the pilot data of the current block.

Unless otherwise stated, the deep receivers are trained using online learning, including black-box DNN detector, ResNet detector, and DeepSIC. Only Meta-DeepSIC is trained using online meta-learning methods.

The attack samples are designed based on the gradient of the surrogate model, with joint learning performed using the collected pilot dataset. The black-box DNN detector, presented in Section V-B, is employed as the surrogate model and contains three times the number of parameters compared to a single sub-network of DeepSIC. The joint learning parameters are based on [15]. In particular, the linear time-varying synthetic channel model is employed to generate the channel data for joint learning. Training data is generated under the condition of an SNR of 2 dB to 16 dB with an interval of 2 dB, denoted as $SNR_{\text{sur}}$. In this manner, $L_{\text{sur}}=5000$ training pilot symbols are generated at each SNR value, and the surrogate model is trained in accordance with this procedure.

Moreover, the poisoning samples are iteratively optimized using the PGD algorithm, following the settings in [44], where the adversarial poisoning samples are most effective under this specific parameter configuration. The iteration step size is set to $\gamma=0.01$, the iterations of PGD is $Q=250$, and the perturbation upper bound under the $p=2$ norm is $\epsilon=0.3$. The maximum and minimum values of the received symbol magnitude are denoted as $I_{max}$ and $I_{min}$, respectively, and $I_{max}=max\{\|\mathbf{y}\|\}=-I_{min}$. Fig. 8 shows the real and imaginary parts of the original and poisoned received symbols, while Fig. 9 presents these symbols in a constellation diagram.

This section presents the experimental results evaluating the proposed poisoning attack across various channel models. The method’s effectiveness is tested on linear and nonlinear time-varying synthetic channels, linear static synthetic channels, and time-varying COST 2100 channels. For the black-box DNN detector, a white-box poisoning attack is launched against this architecture receiver since its architecture is the same as the surrogate model. In the case of the ResNet detector, transfer poisoning attacks are implemented in black-box scenarios. Since DeepSIC contains multiple sub-networks, direct gradient information cannot be used for designing poisoning samples. Therefore, a transfer-based poisoning attack is employed, anticipating that perturbations designed on the surrogate model will transfer to DeepSIC.

The experimental results demonstrate that the proposed poisoning attack is effective across four different channel environments. Nevertheless, the precise impact of these attacks varies depending on the specific channel environment. Firstly, as illustrated in Fig.11, the poisoning effect observed in the nonlinear time-varying synthetic channel is markedly higher than in the other environments. The performance of the deep receivers subjected to a poisoning attack is severely degraded and approaches failure in this channel environment. This suggests that the poisoning attack is capable of impeding the deep receiver’s ability to adapt to the rapid changes in the channel’s effects and to learn the nonlinear effects.

Secondly, the results for the linear time-varying synthetic channel and the COST 2100 channel support this conclusion from different perspectives. In comparison to the synthetic channel, the tap coefficients of the COST 2100 channel demonstrate greater long-term variance, while exhibiting a relatively flat profile in the short term (e.g., between two blocks). As illustrated in Fig. 13(a), the impact of poisoning attacks gradually reduces receiver performance in the COST 2100 channel, indicating a sustained but limited exacerbation. In contrast, in the linear time-varying synthetic channel undergoing significant changes over time, the poisoning attack has a more pronounced effect on the receiver’s performance. This indicates that the attack has a impact on the deep receiver’s capacity to track long-term channel alterations and a more pronounced disruptive effect on short-term rapid adaptation. Notably, as shown in Fig. 14, a larger pilot size can mitigate the adverse effects of poisoning attacks, but this means more spectrum resources are consumed.

Finally, Meta-DeepSIC, which incorporates a meta-learning approach, demonstrates optimal performance with limited pilot data, particularly in fast-varying channels. Additionally, this learning capability is effective in nonlinear environments, but its increased sensitivity to poisoned samples leads to more significant performance deterioration compared to DeepSIC in fast-varying channels. In slow-varying or static channels, the performance of both Meta-DeepSIC and DeepSIC, with or without poisoning attacks, is more stable than in fast-varying channels, as shown in Fig. 12 and Fig. 13.

In conclusion, the proposed attack primarily impedes the receiver’s ability to learn rapid channel changes and non-linear effects in the short term, leading to performance degradation. Meanwhile, when deep receivers are combined with meta-learning, the poisoning effect is particularly pronounced (e.g., Meta-DeepSIC). This conclusion highlights the security risks associated with designing wireless receivers using online and online meta-learning methods, particularly in environments characterised by rapid channel changes and non-linear effects, where the system is particularly susceptible to poisoning attacks.