Watermarking and Anomaly Detection in Machine Learning Models for LORA RF Fingerprinting
Aarushi Mahajan, Wayne Burleson
Published on arXiv
2509.15170
Model Theft
OWASP ML Top 10 — ML05
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
Achieves 94.6% RFFI accuracy, 98% watermark verification success, and 0.94 AUROC for anomaly detection on the LoRa dataset.
Radio frequency fingerprint identification (RFFI) distinguishes wireless devices by the small variations in their analog circuits, avoiding heavy cryptographic authentication. While deep learning on spectrograms improves accuracy, models remain vulnerable to copying, tampering, and evasion. We present a stronger RFFI system combining watermarking for ownership proof and anomaly detection for spotting suspicious inputs. Using a ResNet-34 on log-Mel spectrograms, we embed three watermarks: a simple trigger, an adversarially trained trigger robust to noise and filtering, and a hidden gradient/weight signature. A convolutional variational autoencoder (VAE) with Kullback-Leibler (KL) warm-up and free bits flags off-distribution queries. On the LoRa dataset, our system achieves 94.6% accuracy, 98% watermark success, and 0.94 AUROC, offering verifiable, tamper-resistant authentication.
Key Contributions
- Three complementary model watermarking schemes (standard trigger, adversarially robust trigger, hidden gradient/weight signature) achieving 98% watermark success rate on ResNet-34
- VAE-based anomaly detector with KL warm-up and free-bits for flagging off-distribution/suspicious inference queries, achieving 0.94 AUROC
- End-to-end hardened RFFI pipeline combining ownership verification and evasion resistance on the LoRa dataset at 94.6% classification accuracy
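The first of the three watermarks above is a trigger set: inputs the owner trained the model to label in an owner-chosen, otherwise implausible way, so that a suspect copy can be tested black-box by querying it on those inputs. The paper reports the resulting match rate as "watermark success"; the added example below (not the paper's code or data) shows what a verifier should do with that rate: compare it against the chance agreement of an unrelated model with a binomial test before claiming ownership. The trigger inputs are opaque keys rather than spectrograms, the label space of 10 classes, the stand-in models, and the significance level are all assumptions of the example; the adversarially trained trigger and the gradient/weight signature are not covered here.

```python
"""Black-box trigger-set watermark verification (added example, not the
paper's code).  A suspect model is queried on the owner's trigger set and
the agreement rate is tested against what an unrelated model would reach
by chance.

Assumptions (not from the paper): trigger inputs are opaque keys, the RFFI
classifier has NUM_CLASSES labels, the suspect model is any callable
predict(x) -> label, and a one-sided binomial test decides ownership.
"""
from math import comb
from typing import Callable, Dict, Hashable, List, Tuple

NUM_CLASSES = 10  # assumed label space of the RFFI classifier

# Constructed trigger set: (input key, owner-chosen watermark label).
# In a real deployment each key is a spectrogram carrying the trigger.
TRIGGER_SET: List[Tuple[str, int]] = [
    (f"trigger_{i:02d}", (i * 7) % NUM_CLASSES) for i in range(50)
]


def watermark_matches(predict: Callable[[Hashable], int],
                      trigger_set: List[Tuple[Hashable, int]]) -> int:
    """Number of trigger inputs on which the suspect model returns the
    watermark label."""
    return sum(1 for x, y in trigger_set if predict(x) == y)


def chance_pvalue(matches: int, n: int, num_classes: int) -> float:
    """P[Binomial(n, 1/C) >= matches]: how often an unrelated model whose
    outputs on the trigger set are uniform over C classes would agree at
    least this well.  Small values mean the agreement is not luck."""
    p = 1.0 / num_classes
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k)
               for k in range(matches, n + 1))


def verify_ownership(predict: Callable[[Hashable], int],
                     trigger_set=TRIGGER_SET,
                     num_classes: int = NUM_CLASSES,
                     alpha: float = 1e-6) -> Dict[str, float]:
    """Full check: success rate, p-value, and the ownership decision."""
    n = len(trigger_set)
    k = watermark_matches(predict, trigger_set)
    pval = chance_pvalue(k, n, num_classes)
    return {"matches": k, "n": n, "success_rate": k / n,
            "p_value": pval, "owned": pval < alpha}


# Constructed stand-ins for models (assumption, not real classifiers).
# `stolen_model` reproduces the watermark on all but one trigger;
# `independent_model` answers with a key-derived label unrelated to it.
_STOLEN = {x: y for x, y in TRIGGER_SET}
_STOLEN["trigger_00"] = (_STOLEN["trigger_00"] + 1) % NUM_CLASSES  # one miss


def stolen_model(x: Hashable) -> int:
    return _STOLEN.get(x, 0)


def independent_model(x: Hashable) -> int:
    return sum(ord(c) for c in str(x)) % NUM_CLASSES


if __name__ == "__main__":
    print("stolen:     ", verify_ownership(stolen_model))
    print("independent:", verify_ownership(independent_model))
```

The success rate alone is not the decision: with 10 classes an unrelated model still matches about a tenth of the triggers, so the verifier reports the binomial tail probability and claims ownership only when it falls under a pre-agreed alpha. The trigger set must also stay secret, since a thief who learns it can fine-tune the watermark away or filter those inputs.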
🛡️ Threat Analysis
The convolutional VAE with KL warm-up and free bits is explicitly designed to flag off-distribution and suspicious queries at inference time, which is the input manipulation (ML01) angle of the paper: an evasion attempt that feeds crafted or out-of-distribution signals to the RFFI classifier must also get past a detector that scores each query by how far it sits from the training distribution. KL warm-up and free bits are training devices that keep the latent space informative, so that reconstruction error remains a usable anomaly score rather than collapsing toward the prior.
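The two loss devices named for the detector, and the AUROC the paper reports for it, are easy to state in a few lines of arithmetic. The added example below (not the paper's code or data) implements KL warm-up and free bits on a diagonal-Gaussian posterior, an inference-time anomaly score, and the rank-based AUROC, then runs them over constructed in-distribution and off-distribution queries. The encoder outputs (mu, log_var), the score definition (reconstruction MSE plus raw KL), and the toy inputs are assumptions of the example; one of the constructed off-distribution queries is reconstructed perfectly to show the failure mode a VAE detector has when it generalizes too well.

```python
"""KL warm-up, free bits, anomaly scoring and AUROC for a VAE detector
(added example, not the paper's code).

Assumptions (mine): the encoder yields (mu, log_var) per latent
dimension, the anomaly score is reconstruction MSE plus the unweighted
KL term, and inputs are short float lists standing in for spectrograms.
"""
import math
from typing import List, Sequence


def kl_per_dim(mu: Sequence[float], log_var: Sequence[float]) -> List[float]:
    """KL( N(mu, sigma^2) || N(0, 1) ) for each latent dimension."""
    return [0.5 * (m * m + math.exp(lv) - lv - 1.0)
            for m, lv in zip(mu, log_var)]


def free_bits_kl(mu: Sequence[float], log_var: Sequence[float],
                 free_bits: float) -> float:
    """Free bits: each dimension pays max(KL_j, free_bits), so the
    optimiser gains nothing by squeezing a dimension below the floor and
    does not collapse latents the decoder still needs."""
    return sum(max(kl, free_bits) for kl in kl_per_dim(mu, log_var))


def kl_warmup_weight(step: int, warmup_steps: int) -> float:
    """Linear KL warm-up: beta rises from 0 to 1 over warmup_steps so the
    decoder learns to reconstruct before the prior term dominates."""
    if warmup_steps <= 0:
        return 1.0
    return min(1.0, step / warmup_steps)


def _mse(x: Sequence[float], x_hat: Sequence[float]) -> float:
    return sum((a - b) ** 2 for a, b in zip(x, x_hat)) / len(x)


def vae_loss(x, x_hat, mu, log_var, step, warmup_steps, free_bits) -> float:
    """Training objective: reconstruction + beta(step) * free-bits KL."""
    return _mse(x, x_hat) + kl_warmup_weight(step, warmup_steps) * \
        free_bits_kl(mu, log_var, free_bits)


def anomaly_score(x, x_hat, mu, log_var) -> float:
    """Inference-time score; higher means further from the training
    distribution.  Uses the raw KL, not the free-bits version."""
    return _mse(x, x_hat) + sum(kl_per_dim(mu, log_var))


def auroc(in_scores: Sequence[float], out_scores: Sequence[float]) -> float:
    """Probability that a random off-distribution query outscores a
    random in-distribution one (ties count one half); equals the area
    under the ROC curve."""
    wins = 0.0
    for o in out_scores:
        for i in in_scores:
            wins += 1.0 if o > i else 0.5 if o == i else 0.0
    return wins / (len(in_scores) * len(out_scores))


def toy_evaluation() -> float:
    """Constructed queries (not measurements from the paper): three
    in-distribution inputs reconstructed well, three off-distribution
    inputs of which one is reconstructed perfectly and so goes unflagged."""
    in_scores = [
        anomaly_score([0.0, 0.0], [0.1, 0.0], [0.0, 0.0], [0.0, 0.0]),
        anomaly_score([1.0, 1.0], [1.0, 1.2], [0.2, 0.0], [0.0, 0.0]),
        anomaly_score([0.5, 0.5], [0.4, 0.6], [0.0, 0.0], [0.0, 0.0]),
    ]
    out_scores = [
        anomaly_score([3.0, 3.0], [1.0, 1.0], [2.0, 2.0], [0.0, 0.0]),
        anomaly_score([0.0, 0.0], [2.0, 0.0], [0.0, 0.0], [1.0, 0.0]),
        anomaly_score([1.0, 1.0], [1.0, 1.0], [0.0, 0.0], [0.0, 0.0]),
    ]
    return auroc(in_scores, out_scores)


if __name__ == "__main__":
    print("toy AUROC:", toy_evaluation())
```

The toy evaluation lands at 2/3 because one off-distribution query is reconstructed as well as the training data and receives a score of zero: a detector built on reconstruction error is only as good as the decoder's inability to generalize to what it should not see, which is why the paper's 0.94 AUROC is a property of the trained model on its dataset and needs re-measuring after any retraining.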
The paper embeds three model watermarks (simple trigger, adversarially robust trigger, and hidden gradient/weight signature) directly into the ResNet-34 model weights to prove ownership and detect unauthorized copying — this is model IP protection via watermarking, the core of ML05.