pith. sign in

arxiv: 2606.22939 · v1 · pith:M243WE27new · submitted 2026-06-22 · 💻 cs.CR · cs.LG· cs.NI

CITADEL: CSI-Based Jamming Detection and Open-Set Classification for IIoT Networks

Pith reviewed 2026-06-26 08:29 UTC · model grok-4.3

classification 💻 cs.CR cs.LGcs.NI
keywords CSIjamming detectionIIoT securityopen-set classificationadversarial robustnesswireless attacksedge inference
0
0 comments X

The pith

CITADEL uses only native CSI measurements in a two-stage pipeline to detect known jamming at 100 percent, zero-day attacks at 97.1 percent, and resist evasion at 0.4 percent false positive rate.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that a lightweight hierarchical system built on commodity Channel State Information can jointly classify known jamming types, flag previously unseen attacks, and withstand adversarial attempts to hide those attacks. Existing approaches either lose too much signal detail through coarse power measurements or demand hardware and bandwidth unavailable at the scale of hundred-node industrial deployments. If the claim holds, IIoT networks could gain practical, hardware-free protection against radio jamming without sacrificing detection breadth or robustness. The work evaluates the pipeline across six known attack variants and fifteen zero-day cases plus white-box and black-box evasion tests, showing end-to-end inference under 15 milliseconds on edge hardware.

Core claim

CITADEL is the first end-to-end pipeline that converts CSI jamming signatures into closed-set classification of known attacks, open-set detection of zero-day attacks, and resistance to gradient-based and generator-based evasion, all while running on commodity IIoT devices at 100 percent known-attack detection, 97.1 percent zero-day detection, and 0.4 percent false positive rate.

What carries the argument

two-stage hierarchical pipeline that processes Channel State Information measurements first for detection then for classification and open-set rejection

If this is right

  • IIoT gateways can run continuous jamming monitoring using only existing CSI reports without added radios or spectrum analyzers.
  • Network operators gain a single model that handles both catalogued attacks and novel jamming without retraining for every new waveform.
  • Edge devices can enforce the full pipeline at 14 milliseconds and under 100 millijoules, fitting within typical IIoT power and latency budgets.
  • Systematic comparison shows no prior CSI method simultaneously meets the three requirements of detection accuracy, generalization to unseen attacks, and evasion resistance.
  • The pipeline supplies concrete numerical targets (100 percent known, 97.1 percent unseen, under 2 percent evasion) against which future CSI-based defenses can be measured.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If CSI signatures remain stable across different hardware vendors and firmware versions, the same pipeline could be deployed across heterogeneous IIoT fleets without per-device retraining.
  • The open-set component could be extended to other wireless threats such as spoofing or selective forwarding by swapping only the final rejection stage.
  • Long-term operation would require periodic retraining on newly observed normal traffic to keep the false-positive floor near 0.4 percent as the environment drifts.

Load-bearing premise

The six known attack types and fifteen zero-day scenarios plus the white-box and black-box evasion tests stand in for the jamming threats and evasion attempts that would appear in real operational IIoT deployments.

What would settle it

A deployment trial on a live IIoT network that introduces jamming waveforms outside the fifteen zero-day cases and records detection below 90 percent or evasion above 10 percent would falsify the performance claims.

Figures

Figures reproduced from arXiv: 2606.22939 by Abderrahim Benslimane (AU), Aymen Bouferroum (FUN), Ildi Alla (uni.lu), Valeria Loscri (FUN), Vincent Lenders (uni.lu).

Figure 1
Figure 1. Figure 1: Comparison of four physical-layer sensing modalities for [PITH_FULL_IMAGE:figures/full_fig_p001_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Deployment scenario. IIoT nodes extract per-subcarrier [PITH_FULL_IMAGE:figures/full_fig_p002_2.png] view at source ↗
Figure 4
Figure 4. Figure 4: Threat models. The RF jammer (TRF) targets the wireless link with arbitrary waveforms. The ML attacker operates under different adversarial capabilities: white-box (T𝐴) and black-box (T𝐵). zero-day coverage), or impractical (no edge deployment). Section 4 presents how Citadel addresses all three through a two-stage architecture with complementary detection paradigms. 3 Threat Model We consider an IIoT depl… view at source ↗
Figure 5
Figure 5. Figure 5: Citadel Stage 2 architecture. The CSI classifier produces logits z and features h directly from the input. The VAE encoder, dif￾fusion denoiser, and VAE decoder reconstruct xˆ, which is re-classified to obtain 𝑝 (y|xˆ). Three OOD signals are derived from these outputs and fused via an equal-weight ensemble with K-fold calibration. where Lrecon is the mean squared error (MSE) reconstruction loss, 𝐷KL regula… view at source ↗
Figure 6
Figure 6. Figure 6: Experimental testbed. (Left) Laboratory environment. (Mid [PITH_FULL_IMAGE:figures/full_fig_p006_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Distribution of the three OOD signals and their ensemble [PITH_FULL_IMAGE:figures/full_fig_p007_7.png] view at source ↗
Figure 9
Figure 9. Figure 9: Adversarial dilemma: cross-component safety nets under [PITH_FULL_IMAGE:figures/full_fig_p009_9.png] view at source ↗
Figure 10
Figure 10. Figure 10: Gradient conflict analysis on sweeping at [PITH_FULL_IMAGE:figures/full_fig_p009_10.png] view at source ↗
Figure 11
Figure 11. Figure 11: Transfer attack ASR (4,096 samples per category). (a) Mean [PITH_FULL_IMAGE:figures/full_fig_p009_11.png] view at source ↗
Figure 12
Figure 12. Figure 12: Query-based attack evasion at 𝜀=0.10. Blue bars: Square Attack across five query budgets (1K–5K, light to dark). Red bars: HopSkipJump, 0.0% at all budgets. Stage 2 evasion stays below 0.4%. PB1 PB2 PB3 PB4 Pert. Budget 0 10 20 ER (%) (a) Constant PB1 PB2 PB3 PB4 Pert. Budget (b) Sweeping PB1 PB2 PB3 PB4 Pert. Budget (c) Pulse PB1 PB2 PB3 PB4 Pert. Budget (d) Random BF GAN MagMaW RAA [PITH_FULL_IMAGE:fig… view at source ↗
Figure 13
Figure 13. Figure 13: Stage 2 evasion under three SOTA black-box [PITH_FULL_IMAGE:figures/full_fig_p010_13.png] view at source ↗
Figure 14
Figure 14. Figure 14: 15-hour operational timeline from testbed data. Each [PITH_FULL_IMAGE:figures/full_fig_p011_14.png] view at source ↗
Figure 15
Figure 15. Figure 15: Training convergence. (a) Classifier loss and accuracy over [PITH_FULL_IMAGE:figures/full_fig_p015_15.png] view at source ↗
Figure 16
Figure 16. Figure 16: Pairwise correlation of the three OOD signals across all [PITH_FULL_IMAGE:figures/full_fig_p015_16.png] view at source ↗
read the original abstract

Radio frequency jamming poses a critical threat to the availability of wireless Industrial Internet of Things (IIoT) networks. Existing detection and classification techniques are poorly suited to this setting: coarse signal-strength and cross-layer features lack information richness, while raw I/Q baseband approaches require hardware and throughput that is impractical at the scale of hundred-node IIoT deployments. This paper presents CITADEL, a lightweight two-stage hierarchical pipeline that uses only Channel State Information (CSI) measurements, which are natively available on commodity IIoT devices, to detect and classify jamming attacks including previously unseen ones. While prior work has shown that jamming leaves observable CSI signatures, CITADEL is the first system to translate this insight into an end-to-end pipeline that jointly achieves closed-set classification of known attacks, open-set detection of zero-day attacks, and resistance to adversarial evasion. Evaluated across 6 known attack types and 15 zero-day scenarios, CITADEL achieves 100% known-attack detection and 97.1% zero-day detection at a 0.4% end-to-end false positive rate. Under adversarial evaluation spanning white-box and black-box threat models, gradient-based evasion remains below 2% across all tested perturbation budgets and the strongest published CSI attack generator achieves less than 5% average evasion. A systematic comparison against eight baselines confirms that no existing method achieves comparable performance on CSI data across all three axes: detection, generalization, and robustness. The full pipeline completes inference in 14.2 ms at 95.9 mJ on an edge GPU, establishing CITADEL as a practical solution for large-scale IIoT network security.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper presents CITADEL, a lightweight two-stage hierarchical pipeline that uses native Channel State Information (CSI) from commodity IIoT devices to detect and classify radio-frequency jamming attacks. It claims to be the first system to jointly perform closed-set classification of known attacks, open-set detection of zero-day attacks, and resistance to adversarial evasion, reporting 100% known-attack detection and 97.1% zero-day detection at a 0.4% end-to-end false positive rate across 6 known attack types and 15 zero-day scenarios, with gradient-based evasion below 2% and comparison against eight baselines, while running in 14.2 ms at 95.9 mJ on an edge GPU.

Significance. If the results hold, the work would be significant for demonstrating a practical, commodity-hardware approach to IIoT jamming defense that integrates closed-set classification, open-set generalization, and adversarial robustness in a single efficient pipeline, addressing limitations of prior signal-strength or I/Q-based methods.

major comments (2)
  1. [Evaluation section] Evaluation section (abstract and experimental results): The central performance claims (100% known-attack detection, 97.1% zero-day at 0.4% FPR) and the joint closed-set + open-set + robustness assertions are load-bearing on the representativeness of the fixed corpus of 6 known attack types and 15 zero-day scenarios. No analysis is provided showing that these scenarios exhaustively sample the threat space or that CSI signatures remain invariant under untested parameters such as varying power levels, duty cycles, frequency agility, or coordinated multi-node attacks; this directly limits the strength of the generalization and robustness conclusions.
  2. [Adversarial evaluation] Adversarial evaluation (abstract): The claim that the strongest published CSI attack generator achieves less than 5% average evasion is presented without detailing the specific threat models, perturbation budgets, or how the white-box and black-box evaluations map to operational IIoT constraints, which is necessary to substantiate the resistance claim.
minor comments (2)
  1. The abstract states quantitative results but defers all methods, dataset descriptions, and statistical validation to the body; a brief methods summary in the abstract would improve accessibility.
  2. Notation for the two-stage pipeline and open-set threshold could be clarified with a diagram or explicit equations in the methods section.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback. We respond point-by-point to the major comments below.

read point-by-point responses
  1. Referee: [Evaluation section] Evaluation section (abstract and experimental results): The central performance claims (100% known-attack detection, 97.1% zero-day at 0.4% FPR) and the joint closed-set + open-set + robustness assertions are load-bearing on the representativeness of the fixed corpus of 6 known attack types and 15 zero-day scenarios. No analysis is provided showing that these scenarios exhaustively sample the threat space or that CSI signatures remain invariant under untested parameters such as varying power levels, duty cycles, frequency agility, or coordinated multi-node attacks; this directly limits the strength of the generalization and robustness conclusions.

    Authors: We agree that the evaluation relies on a fixed set of 6 known attack types and 15 zero-day scenarios without explicit analysis demonstrating exhaustive coverage of the threat space or invariance under all untested parameters (e.g., power levels, duty cycles, frequency agility, coordinated attacks). These scenarios were selected to span representative categories from the literature, but we acknowledge this does not prove exhaustiveness. In revision we will add a limitations subsection that explicitly discusses the scope of the corpus, the rationale for selection, and the implications for generalization claims, thereby tempering the assertions without new experiments. revision: partial

  2. Referee: [Adversarial evaluation] Adversarial evaluation (abstract): The claim that the strongest published CSI attack generator achieves less than 5% average evasion is presented without detailing the specific threat models, perturbation budgets, or how the white-box and black-box evaluations map to operational IIoT constraints, which is necessary to substantiate the resistance claim.

    Authors: The full manuscript contains a dedicated adversarial evaluation section that specifies the white-box and black-box threat models, the perturbation budgets examined, and their relation to IIoT operational constraints. The abstract condenses these results. To improve clarity at the summary level we will revise the abstract to briefly reference the evaluated threat models and budgets. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical system evaluation with no derivations or self-referential predictions

full rationale

The paper describes an empirical ML pipeline for CSI-based jamming detection and classification, evaluated on a fixed corpus of 6 known + 15 zero-day attack scenarios plus adversarial tests. No equations, parameter fits, or predictions are presented that reduce to the inputs by construction. Performance numbers (100% known-attack detection, 97.1% zero-day at 0.4% FPR) are reported experimental outcomes on the chosen data, not tautological renamings or self-citation chains. The representativeness concern is a generalizability issue, not circularity in the derivation chain.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The abstract describes an empirical machine-learning pipeline without introducing new mathematical parameters, axioms, or postulated entities.

pith-pipeline@v0.9.1-grok · 5872 in / 1205 out tokens · 35783 ms · 2026-06-26T08:29:18.315844+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. CSI Simulation: Why Additive Noise Fails and How to Fix It

    cs.NI 2026-07 unverdicted novelty 7.0

    AWGN fails to simulate CSI perturbations due to multiplicative AGC compression; M_QTC quantile model reduces amplitude error 8-fold, closes 89% fidelity gap, and recovers 93% of real-data jamming detection performance.

Reference graph

Works this paper leans on

61 extracted references · 3 canonical work pages · cited by 1 Pith paper · 3 internal anchors

  1. [1]

    Security and privacy chal- lenges in industrial Internet of Things,

    A.-R. Sadeghi, C. Wachsmann, and M. Waidner, “Security and privacy chal- lenges in industrial Internet of Things, ” inProceedings of the 52nd Annual Design CITADEL: CSI-Based Jamming Detection and Open-Set Classification for IIoT Networks Automation Conference. ACM, 2015, pp. 1–6

  2. [2]

    Challenges and op- portunities in securing the industrial Internet of Things,

    M. Serror, S. Hack, M. Henze, M. Schuba, and K. Wehrle, “Challenges and op- portunities in securing the industrial Internet of Things, ”IEEE Transactions on Industrial Informatics, vol. 17, no. 5, pp. 2985–2996, 2021

  3. [3]

    Cybersecurity of indus- trial cyber-physical systems: A review,

    H. Kayan, M. Nunes, O. Rana, P. Burnap, and C. Perera, “Cybersecurity of indus- trial cyber-physical systems: A review, ”ACM Computing Surveys, vol. 54, no. 11s, pp. 1–35, 2022

  4. [4]

    The feasibility of launching and detecting jamming attacks in wireless networks,

    W. Xu, W. Trappe, Y. Zhang, and T. Wood, “The feasibility of launching and detecting jamming attacks in wireless networks, ” inProceedings of the 6th ACM International Symposium on Mobile Ad Hoc Networking and Computing . ACM, 2005, pp. 46–57

  5. [5]

    Jamming attacks and anti-jamming strategies in wireless networks: A comprehensive survey,

    H. Pirayesh and H. Zeng, “Jamming attacks and anti-jamming strategies in wireless networks: A comprehensive survey, ”IEEE Communications Surveys & Tutorials, vol. 24, no. 2, pp. 767–809, 2022

  6. [6]

    JamRF: Performance analysis, evaluation, and implementation of RF jamming over Wi-Fi,

    A. S. Ali, M. Baddeley, L. Bariah, M. Andreoni Lopez, W. T. Lunardi, J.-P. Giacalone, and S. Muhaidat, “JamRF: Performance analysis, evaluation, and implementation of RF jamming over Wi-Fi, ”IEEE Access, vol. 10, pp. 133 370–133 384, 2022

  7. [7]

    German steel mill cyber attack,

    R. M. Lee, M. J. Assante, and T. Conway, “German steel mill cyber attack, ”Indus- trial Control Systems, vol. 30, no. 62, pp. 1–15, 2014

  8. [8]

    Outage and asset damage triggered by malicious manipulation of the control system in process plants,

    M. Iaiani, A. Tugnoli, P. Macini, and V. Cozzani, “Outage and asset damage triggered by malicious manipulation of the control system in process plants, ” Reliability Engineering & System Safety , vol. 213, p. 107685, 2021

  9. [9]

    An experimental security analysis of an industrial robot controller,

    D. Quarta, M. Pogliani, M. Polino, F. Maggi, A. M. Zanchettin, and S. Zanero, “An experimental security analysis of an industrial robot controller, ” in2017 IEEE Symposium on Security and Privacy (SP) . IEEE, 2017, pp. 268–286

  10. [10]

    Jamming detection in IoT wireless networks: An edge-AI based approach,

    A. Hussain, N. Abughanam, J. Qadir, and A. Mohamed, “Jamming detection in IoT wireless networks: An edge-AI based approach, ” inProceedings of the 12th International Conference on the Internet of Things . ACM, 2023, pp. 57–64

  11. [11]

    Machine learning-based jamming detection for IEEE 802.11: Design and experimental evaluation,

    O. Puñal, I. Aktas, C.-J. Schnelke, G. Abidin, K. Wehrle, and J. Gross, “Machine learning-based jamming detection for IEEE 802.11: Design and experimental evaluation, ” in2014 IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2014, pp. 1–10

  12. [12]

    Multi-stage jamming attacks detection using deep learning combined with kernelized support vector machine in 5G cloud radio access networks,

    M. Hachimi, G. Kaddoum, G. Gagnon, and P. Illy, “Multi-stage jamming attacks detection using deep learning combined with kernelized support vector machine in 5G cloud radio access networks, ” in2020 International Symposium on Networks, Computers and Communications (ISNCC) , 2020, pp. 1–5

  13. [13]

    JamShield: A machine learning detection system for over-the-air jamming attacks,

    I. Panitsas, Y. Yigit, L. Tassiulas, L. Maglaras, and B. Canberk, “JamShield: A machine learning detection system for over-the-air jamming attacks, ” inICC 2025 – IEEE International Conference on Communications , 2025, pp. 1067–1072

  14. [14]

    Jamming detection in low-BER mobile indoor scenarios via deep learning,

    S. Sciancalepore, F. Kusters, N. K. Abdelhadi, and G. Oligeri, “Jamming detection in low-BER mobile indoor scenarios via deep learning, ”IEEE Internet of Things Journal, vol. 11, no. 8, pp. 14 682–14 697, 2024

  15. [15]

    Tool release: Gathering 802.11n traces with channel state information,

    D. Halperin, W. Hu, A. Sheth, and D. Wetherall, “Tool release: Gathering 802.11n traces with channel state information, ”ACM SIGCOMM Computer Communica- tion Review, vol. 41, no. 1, p. 53, 2011

  16. [16]

    ESP-CSI: Applications based on Wi-Fi CSI (Channel State Information),

    Espressif Systems, “ESP-CSI: Applications based on Wi-Fi CSI (Channel State Information), ” https://github.com/espressif/esp-csi, 2021, accessed: April 2026

  17. [17]

    Free your CSI: A channel state information extraction platform for modern Wi-Fi chipsets,

    F. Gringoli, M. Schulz, J. Link, and M. Hollick, “Free your CSI: A channel state information extraction platform for modern Wi-Fi chipsets, ” inProceedings of the 13th International Workshop on Wireless Network Testbeds, Experimental Eval- uation & Characterization, 2019, pp. 21–28

  18. [18]

    Channel state informa- tion analysis for jamming attack detection in static and dynamic UAV networks,

    P. Mykytyn, R. Chitauro, Z. Dyka, and P. Langendoerfer, “Channel state informa- tion analysis for jamming attack detection in static and dynamic UAV networks, ” in 2025 21st International Conference on Distributed Computing in Smart Systems and the Internet of Things (DCOSS-IoT) , 2025, pp. 322–327

  19. [19]

    Magmaw: Modality-agnostic adversarial attacks on machine learning-based wireless communication systems,

    J.-W. Chang, K. Sun, N. Heydaribeni, S. Hidano, X. Zhang, and F. Koushanfar, “Magmaw: Modality-agnostic adversarial attacks on machine learning-based wireless communication systems, ” inProceedings of the 32nd Network and Dis- tributed System Security Symposium (NDSS) , 2025

  20. [20]

    CSI-based location-independent human activity recognition with parallel convolutional networks,

    Y. Zhang, Y. Yin, Y. Wang, J. Ai, and D. Wu, “CSI-based location-independent human activity recognition with parallel convolutional networks, ”Computer Communications, vol. 197, pp. 87–95, 2023

  21. [21]

    Explaining and Harnessing Adversarial Examples

    I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples, ” in3rd International Conference on Learning Representations (ICLR 2015), 2015. [Online]. Available: https://arxiv.org/abs/1412.6572

  22. [22]

    Adversarial attacks on deep-learning based radio signal classification,

    M. Sadeghi and E. G. Larsson, “Adversarial attacks on deep-learning based radio signal classification, ”IEEE Wireless Communications Letters , vol. 8, no. 1, pp. 213–216, 2019

  23. [23]

    Robust adversarial attacks against DNN-based wireless communication systems,

    A. Bahramali, M. Nasr, A. Houmansadr, D. Goeckel, and D. Towsley, “Robust adversarial attacks against DNN-based wireless communication systems, ” in Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 2021, pp. 126–140

  24. [24]

    Practical adversarial attack on WiFi sensing through unnoticeable communication packet perturbation,

    C. Li, M. Xu, Y. Du, L. Liu, C. Shi, Y. Wang, H. Liu, and Y. Chen, “Practical adversarial attack on WiFi sensing through unnoticeable communication packet perturbation, ” inProceedings of the 30th Annual International Conference on Mobile Computing and Networking (MobiCom) , 2024, pp. 373–387

  25. [25]

    FENCE: Feasible evasion attacks on neural net- works in constrained environments,

    A. Chernikova and A. Oprea, “FENCE: Feasible evasion attacks on neural net- works in constrained environments, ”ACM Transactions on Privacy and Security , vol. 25, no. 4, pp. 34:1–34:34, 2022

  26. [26]

    Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples,

    A. Athalye, N. Carlini, and D. Wagner, “Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples, ” inProceedings of the 35th International Conference on Machine Learning , ser. Proceedings of Machine Learning Research, vol. 80. PMLR, 2018, pp. 274–283

  27. [27]

    ANSI/ISA-95: Enterprise-control system in- tegration,

    International Society of Automation, “ANSI/ISA-95: Enterprise-control system in- tegration, ” International Standard, 2010, series of standards, Parts 1–5, published 2000–2025

  28. [28]

    IEC 62443: Security for industrial automation and control systems,

    International Electrotechnical Commission, “IEC 62443: Security for industrial automation and control systems, ” International Standard, 2018, series of standards published 2009–2023

  29. [29]

    On evaluating adversarial robustness,

    N. Carlini, A. Athalye, N. Papernot, W. Brendel, J. Rauber, D. Tsipras, I. Goodfel- low, A. Madry, and A. Kurakin, “On evaluating adversarial robustness, ” 2019

  30. [30]

    On adaptive attacks to adver- sarial example defenses,

    F. Tramèr, N. Carlini, W. Brendel, and A. Madry, “On adaptive attacks to adver- sarial example defenses, ” inAdvances in Neural Information Processing Systems , vol. 33, 2020, pp. 1633–1645

  31. [31]

    Squeeze-and-excitation networks,

    J. Hu, L. Shen, and G. Sun, “Squeeze-and-excitation networks, ” inProceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR) , 2018, pp. 7132–7141

  32. [32]

    Auto-Encoding Variational Bayes

    D. P. Kingma and M. Welling, “Auto-encoding variational Bayes, ” in 2nd International Conference on Learning Representations (ICLR 2014) , 2014. [Online]. Available: https://arxiv.org/abs/1312.6114

  33. [33]

    U-Net: Convolutional networks for biomedical image segmentation,

    O. Ronneberger, P. Fischer, and T. Brox, “U-Net: Convolutional networks for biomedical image segmentation, ” inMedical Image Computing and Computer- Assisted Intervention – MICCAI 2015 , ser. Lecture Notes in Computer Science, vol

  34. [34]

    Springer, 2015, pp. 234–241

  35. [35]

    Denoising diffusion probabilistic models,

    J. Ho, A. Jain, and P. Abbeel, “Denoising diffusion probabilistic models, ” inAd- vances in Neural Information Processing Systems , vol. 33, 2020, pp. 6840–6851

  36. [36]

    Diffusion mod- els for adversarial purification,

    W. Nie, B. Guo, Y. Huang, C. Xiao, A. Vahdat, and A. Anandkumar, “Diffusion mod- els for adversarial purification, ” inProceedings of the 39th International Conference on Machine Learning (ICML) , ser. Proceedings of Machine Learning Research, vol. 162. PMLR, 2022, pp. 16 805–16 827

  37. [37]

    Energy-based out-of-distribution detection,

    W. Liu, X. Wang, J. D. Owens, and Y. Li, “Energy-based out-of-distribution detection, ” inAdvances in Neural Information Processing Systems , vol. 33, 2020, pp. 21 464–21 475

  38. [38]

    A simple unified framework for detect- ing out-of-distribution samples and adversarial attacks,

    K. Lee, K. Lee, H. Lee, and J. Shin, “A simple unified framework for detect- ing out-of-distribution samples and adversarial attacks, ” inAdvances in Neural Information Processing Systems, vol. 31, 2018, pp. 7167–7177

  39. [39]

    A well-conditioned estimator for large-dimensional covariance matrices,

    O. Ledoit and M. Wolf, “A well-conditioned estimator for large-dimensional covariance matrices, ”Journal of Multivariate Analysis, vol. 88, no. 2, pp. 365–411, 2004

  40. [40]

    Mayhem firmware for PortaPack/HackRF,

    PortaPack Mayhem Contributors, “Mayhem firmware for PortaPack/HackRF, ” https://github.com/portapack-mayhem/mayhem-firmware, 2024, accessed: April 2026

  41. [41]

    Towards deep learning models resistant to adversarial attacks,

    A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, “Towards deep learning models resistant to adversarial attacks, ” in 6th International Conference on Learning Representations (ICLR 2018) , 2018. [Online]. Available: https://openreview.net/forum?id=rJzIBfZAb

  42. [42]

    UMAP: Uniform Manifold Approximation and Projection for Dimension Reduction

    L. McInnes, J. Healy, and J. Melville, “UMAP: Uniform manifold approximation and projection for dimension reduction, ”arXiv preprint arXiv:1802.03426, 2018

  43. [43]

    Square attack: A query-efficient black-box adversarial attack via random search,

    M. Andriushchenko, F. Croce, N. Flammarion, and M. Hein, “Square attack: A query-efficient black-box adversarial attack via random search, ” in European Conference on Computer Vision (ECCV) . Springer, 2020, pp. 484–501

  44. [44]

    HopSkipJumpAttack: A query- efficient decision-based attack,

    J. Chen, M. I. Jordan, and M. J. Wainwright, “HopSkipJumpAttack: A query- efficient decision-based attack, ” inIEEE Symposium on Security and Privacy (SP) . IEEE, 2020, pp. 1277–1294

  45. [45]

    Adversarial machine learning in network intrusion detection systems,

    E. Alhajjar, P. Maxwell, and N. Bastian, “Adversarial machine learning in network intrusion detection systems, ”Expert Systems with Applications, vol. 186, p. 115782, 2021

  46. [46]

    A baseline for detecting misclassified and out-of-distribution examples in neural networks,

    D. Hendrycks and K. Gimpel, “A baseline for detecting misclassified and out-of-distribution examples in neural networks, ” in 5th International Conference on Learning Representations (ICLR 2017) , 2017. [Online]. Available: https://openreview.net/forum?id=Hkg4TI9xl

  47. [47]

    Out-of-distribution detection with deep nearest neighbors,

    Y. Sun, Y. Ming, X. Zhu, and Y. Li, “Out-of-distribution detection with deep nearest neighbors, ” inProceedings of the 39th International Conference on Machine Learning, ser. Proceedings of Machine Learning Research, vol. 162. PMLR, 2022, pp. 20 827–20 840

  48. [48]

    Extremely simple activation shaping for out-of-distribution detection,

    A. Djurisic, N. Bozanic, A. Ashok, and R. Liu, “Extremely simple activation shaping for out-of-distribution detection, ” in 11th International Conference on Learning Representations (ICLR 2023) , 2023. [Online]. Available: https: //openreview.net/forum?id=ndYXTEL6cZz

  49. [49]

    ViM: Out-of-distribution with virtual- logit matching,

    H. Wang, Z. Li, L. Feng, and W. Zhang, “ViM: Out-of-distribution with virtual- logit matching, ” inProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR) , 2022, pp. 4911–4920

  50. [50]

    JADE: Data-driven automated jammer detection framework for opera- tional mobile networks,

    C. Kilinc, M. K. Marina, M. Usama, S. Ergüt, J. Crowcroft, T. Gundogdu, and I. Akinci, “JADE: Data-driven automated jammer detection framework for opera- tional mobile networks, ” inIEEE INFOCOM 2022 – IEEE Conference on Computer Communications, 2022, pp. 1139–1148. Aymen Bouferroum et al

  51. [51]

    LTE/LTE-A jamming, spoofing, and sniffing: Threat assessment and mitigation,

    M. Lichtman, R. Piqueras Jover, M. Labib, R. M. Rao, V. Marojevic, and J. H. Reed, “LTE/LTE-A jamming, spoofing, and sniffing: Threat assessment and mitigation, ” IEEE Communications Magazine, vol. 54, no. 4, pp. 54–61, 2016

  52. [52]

    Detecting 5G signal jammers using spectrograms with supervised and unsupervised learning,

    M. Varotto, S. Valentin, and S. Tomasin, “Detecting 5G signal jammers using spectrograms with supervised and unsupervised learning, ” in2024 IEEE Inter- national Conference on Communications Workshops (ICC Workshops) , 2024, pp. 767–772

  53. [53]

    Weak-jamming detection in IEEE 802.11 networks: Techniques, scenarios and mobility,

    M. Hanegraaf, S. Sciancalepore, and G. Oligeri, “Weak-jamming detection in IEEE 802.11 networks: Techniques, scenarios and mobility, ”Computer Networks, vol. 280, p. 112160, 2026

  54. [54]

    Spot- Light: Accurate, explainable and efficient anomaly detection for open RAN,

    C. Sun, U. Pawar, M. Khoja, X. Foukas, M. K. Marina, and B. Radunovic, “Spot- Light: Accurate, explainable and efficient anomaly detection for open RAN, ” in Proceedings of the 30th Annual International Conference on Mobile Computing and Networking (MobiCom), 2024, pp. 923–937

  55. [55]

    Exploring practical vulnerabilities of machine learning-based wireless systems,

    Z. Liu, C. Xu, E. Sie, G. Singh, and D. Vasisht, “Exploring practical vulnerabilities of machine learning-based wireless systems, ” in 20th USENIX Symposium on Networked Systems Design and Implementation (NSDI) , 2023, pp. 1801–1817

  56. [56]

    RIStealth: Practical and covert physical- layer attack against WiFi-based intrusion detection via reconfigurable intelligent surface,

    Y. Zhou, C. Li, H. Chen, and Q. Zhang, “RIStealth: Practical and covert physical- layer attack against WiFi-based intrusion detection via reconfigurable intelligent surface, ” inProceedings of the 21st ACM Conference on Embedded Networked Sensor Systems (SenSys), 2024, pp. 195–208

  57. [57]

    Phantom-CSI attacks against wireless liveness detection,

    Q. He and S. Fang, “Phantom-CSI attacks against wireless liveness detection, ” in Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses. ACM, 2023, pp. 440–454

  58. [58]

    MANDA: On adversarial example detection for network intrusion detection system,

    N. Wang, Y. Chen, Y. Xiao, Y. Hu, W. Lou, and Y. T. Hou, “MANDA: On adversarial example detection for network intrusion detection system, ”IEEE Transactions on Dependable and Secure Computing , vol. 20, no. 2, pp. 1139–1153, 2023

  59. [59]

    NIDS-DA: Detecting functionally preserved adversarial examples for network intrusion detection system using deep autoencoders,

    V. Kumar, K. Kumar, M. Singh, and N. Kumar, “NIDS-DA: Detecting functionally preserved adversarial examples for network intrusion detection system using deep autoencoders, ”Expert Systems with Applications, vol. 270, p. 126513, 2025

  60. [60]

    AdvPurRec: Strengthening network intrusion detection with diffusion model reconstruction against adversarial attacks,

    N. Alhussien and A. Aleroud, “AdvPurRec: Strengthening network intrusion detection with diffusion model reconstruction against adversarial attacks, ” in Proceedings of the IEEE 23rd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) , 2024, pp. 1638–1646

  61. [61]

    A novel multi-stage approach for hierarchical intrusion detection,

    M. Verkerken, L. D’Hooge, D. Sudyana, Y.-D. Lin, T. Wauters, B. Volckaert, and F. De Turck, “A novel multi-stage approach for hierarchical intrusion detection, ” IEEE Transactions on Network and Service Management , vol. 20, no. 3, pp. 3915– 3929, 2023. A Ethical Considerations This work involves the deliberate generation of RF jamming signals, which rais...