DeepGuard: Adaptive ML Defense

Updated 28 December 2025
  • DeepGuard is a dual-domain framework that defends advanced machine learning systems in autonomous driving and wireless communication by detecting anomalies and perturbing preambles.
  • It utilizes an autoencoder-based anomaly detection with time-series analysis to trigger hierarchical safety overrides under unexpected conditions.
  • In communication systems, DeepGuard optimizes preamble perturbations to impair adversaries' channel estimations while ensuring reliable performance for legitimate receivers.

DeepGuard refers to two independent, domain-specific frameworks for defending advanced machine learning systems in safety-critical and secure communication contexts. In the context of autonomous driving, DeepGuard is a real-time anomaly detection and safety-guard system for DNN-based autonomous driving systems (ADSs) (Hussain et al., 2021). In the domain of deep joint source-channel coding (DeepJSCC) for wireless communication, DeepGuard serves as a physical-layer defense that thwarts eavesdropping via preamble perturbations (Chi et al., 21 Dec 2025). These frameworks address distinct threat models and employ specialized methodologies tailored to the inherent risks of their respective domains.

1. DeepGuard for Autonomous Driving Systems

DeepGuard for ADSs is motivated by the observation that vision-based DNN models, trained predominantly on a limited set of road and environmental conditions (“nominal” scenarios), exhibit unpredictable or unsafe behaviors when confronted with “out-of-distribution” (OOD) or novel scenarios, such as unexpected weather or sensor corruption. The resulting anomalous or inconsistent ADS commands (steering, throttle, brake) may precipitate safety violations, including lane departures and collisions (Hussain et al., 2021).

Threat Model

The primary threats addressed include:

  • Entrance into driving environments not covered during training (e.g., dense fog, night, snow).
  • Sensor failures or corruptions leading to unpredictable DNN behavior.

DeepGuard’s objectives are to (1) perform online prediction of anomalous or unsafe scenarios before safety requirements are breached, and (2) trigger graduated “healing strategies” that actively override or modify ADS controls in real time.

2. Inconsistent Behavior Prediction via Autoencoder-Based Anomaly Detection

The core of DeepGuard in the autonomous driving context is an autoencoder-based anomaly detector in conjunction with time-series analysis.

Autoencoder Architecture

  • Input: Raw RGB video frames of dimension $W \times H \times C$ (e.g., $160 \times 70 \times 3$) from the vehicle’s forward camera.
  • Encoder: Stack of convolutional layers (or, for the simplest variant, fully connected layers) that map each input $x$ to a compressed latent representation $h$.
    • Variants include Simple AE (1 fully connected hidden layer), Deep AE (2+ hidden layers), Convolutional AE, Variational AE (with latent $\mu, \sigma$), and Denoising AE.
  • Decoder: Symmetric stack reconstructing an approximation $\hat{x}$ of the input frame.

The model is trained to minimize mean squared error (MSE) reconstruction loss:

$$L(x, \hat{x}) = \frac{1}{m} \sum_{i=1}^{m} (x_i - \hat{x}_i)^2$$

The anomaly score for a given frame $x$ is $E_{rec}(x) = \|x - \hat{x}\|^2_2$.

Time-Series Analysis and Thresholding

To decrease false positives from single-frame fluctuations and to leverage temporal continuity:

  • An autoregressive (AR) model fits the time series $\{E_{t-k}\}$ of reconstruction errors.
  • During nominal-only training, a Gamma distribution models the distribution of $E_{rec}$.
  • Threshold $\delta$ is set so that only a fixed proportion ($\alpha = 0.05$) of nominal errors exceed it:

$$\delta = F^{-1}_{\text{Gamma}}(1-\alpha)$$

A frame or sequence with $E_{rec}(x_t) > \delta$ (or AR-filtered $E_t > \delta$) triggers anomaly detection.

3. Hierarchical Safety Guards and Healing Strategies

Upon detection of an anomaly, DeepGuard enacts one of three hierarchical safety guard (SG) levels, depending on the degree of threshold violation:

| SG Level | Error Range | Guard Action Categories |
|---|---|---|
| 1 | $\delta < E_{rec} < \delta_1$ | Hold last safe command (up to 1 s); alert operator |
| 2 | $\delta_1 \leq E_{rec} < \delta_2$ | All Level 1 actions, plus throttle/speed reduction |
| 3 | $E_{rec} \geq \delta_2$ | All prior levels, plus emergency brake; disengage autonomy |

Thresholds $\delta_1$ and $\delta_2$ are empirically derived (e.g., $\delta_1 \approx 0.059$, $\delta_2 \approx 0.069$).
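The detector and guard logic of Sections 2 and 3 end to end, as an added illustration that is not code from the DeepGuard authors: a Gamma distribution is fitted to constructed nominal reconstruction errors, $\delta$ is taken as its $(1-\alpha)$ quantile, and each incoming error is mapped to an SG level using the page's $\delta_1$ and $\delta_2$ values. The Gamma fit (method of moments) and the quantile routine are plain-Python stand-ins so the example runs without SciPy; the error values are constructed, not the paper's data.

```python
import math

# Constructed nominal-frame reconstruction errors (not the paper's data); in DeepGuard
# these would be E_rec(x) = ||x - x_hat||_2^2 measured over nominal driving frames.
NOMINAL_ERRORS = [0.030 + 0.002 * ((7 * i) % 11) for i in range(200)]

def regularized_lower_gamma(k, x):
    """P(k, x), the CDF of Gamma(shape=k, scale=1), via the standard series expansion."""
    if x <= 0.0:
        return 0.0
    term = total = 1.0 / k
    n = 1
    while True:
        term *= x / (k + n)
        total += term
        if term < total * 1e-15:
            break
        n += 1
    return math.exp(k * math.log(x) - x - math.lgamma(k)) * total

def gamma_quantile(shape, scale, p):
    """Inverse CDF F^{-1}_Gamma(p) by bisection (stand-in for a library quantile function)."""
    lo, hi = 0.0, scale * (shape + 1.0)
    while regularized_lower_gamma(shape, hi / scale) < p:
        hi *= 2.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if regularized_lower_gamma(shape, mid / scale) < p: lo = mid
        else: hi = mid
    return 0.5 * (lo + hi)

def fit_gamma_moments(errors):
    """Method-of-moments fit of (shape, scale) to the nominal error distribution."""
    m = sum(errors) / len(errors)
    var = sum((e - m) ** 2 for e in errors) / (len(errors) - 1)
    return m * m / var, var / m

def nominal_threshold(errors, alpha=0.05):
    """delta = F^{-1}_Gamma(1 - alpha): only a fraction alpha of nominal errors exceed it."""
    shape, scale = fit_gamma_moments(errors)
    return gamma_quantile(shape, scale, 1.0 - alpha)

def safety_guard_level(e_rec, delta, delta1=0.059, delta2=0.069):
    """SG level for one frame: 0 = nominal, 1..3 = the hierarchical guards of Section 3."""
    if e_rec >= delta2:
        return 3   # all prior actions, plus emergency brake; disengage autonomy
    if e_rec >= delta1:
        return 2   # level 1 actions, plus throttle/speed reduction
    if e_rec > delta:
        return 1   # hold last safe command (up to 1 s); alert operator
    return 0
```

With the constructed errors the fitted $\delta$ lands just above the nominal range, so a frame scoring 0.055 triggers Level 1 while 0.060 and 0.070 escalate to Levels 2 and 3.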

4. Experimental Evaluation and Comparative Performance

DeepGuard was evaluated in the Udacity self-driving car simulator, with four weather and light conditions, applying three open-source ADS models: CHAUFFEUR (CNN+RNN), DAVE-2 (5-layer CNN), and EPOCH (3-layer CNN). Anomalous scenarios were injected randomly.

Detection and prevention performance (VAE variant, at 5% FPR):

| Controller | TPR (Recall) | FPR | Prevented Inconsistencies |
|---|---|---|---|
| CHAUFFEUR | 93% | 9% | 89% |
| DAVE-2 | 83% | 14% | 87% |
| EPOCH | 80% | 13% | 87% |

Compared to SELFORACLE (autoencoder + fixed 4 s healing, TPR ≈ 77%, FPR ≈ 14%) and DeepRoad (GAN input transformation, TPR ≈ 32%, FPR ≈ 10%), DeepGuard increased recall and maintained low false-positive rates (Hussain et al., 2021).

5. DeepGuard for DeepJSCC Physical-Layer Security

DeepGuard in communication settings is a lightweight defense for DeepJSCC systems against eavesdropping, using a novel preamble perturbation scheme.

Threat Model

An adversary (Eve) eavesdrops on transmissions from the legitimate sender (Alice) to receiver (Bob) operating over OFDM, exploiting known preamble structure for synchronization and channel estimation. Four attack scenarios are addressed: white-box, encoder-only, decoder-only, and black-box, varying by the adversary’s knowledge of model or data.

Preamble Perturbation Mechanism

DeepGuard alters only the long training sequence (LTS) in the OFDM preamble, introducing a perturbation $\Delta x_p$ so that $x'_p = x_p + \Delta x_p$. This affects Eve’s channel estimation:

  • Legitimate Bob, knowing the secret perturbation $V$, cancels its effect in channel estimation.
  • Eve, lacking this secret, estimates CSI incorrectly: $X \rightarrow X/V + \text{noise}$ on each subcarrier.

This mismatched channel degrades Eve’s signal reconstruction fidelity and classification accuracy, directly reducing the mutual information $I(S;Y_e)$ while preserving $I(S;Y_l)$ for Bob.
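The LTS perturbation effect described in Section 5, as an added toy simulation that is not code from the DeepGuard authors: Alice applies a per-subcarrier perturbation $V[k]$ to the LTS, Bob divides the received pilots by the perturbed LTS he knows and recovers the true channel, while Eve divides by the public LTS and obtains $H V$, so her equalized data symbols come out as $X/V$. The OFDM model (flat fading per subcarrier, BPSK pilots, QPSK data), the random codebook entry, and all signal values are constructed for illustration; a real codebook entry would be PGD-optimized as in Section 6.

```python
import cmath
import math
import random

N_SUB = 8  # subcarriers in this toy OFDM preamble (constructed size)
# Public LTS pilot symbols per subcarrier (constructed BPSK values; Eve knows these too).
LTS = [1, -1, 1, 1, -1, 1, -1, -1]

def make_perturbation(seed):
    """One codebook entry V[k] = A[k] e^{j phi[k]} (drawn at random here, not PGD-optimized)."""
    rng = random.Random(seed)
    return [rng.uniform(0.5, 1.5) * cmath.exp(1j * rng.uniform(-math.pi, math.pi))
            for _ in range(N_SUB)]

def transmit(symbols, channel, noise_std=0.0):
    """Flat fading per subcarrier: Y[k] = H[k] X[k] + noise (constructed channel model)."""
    return [h * x + complex(random.gauss(0, noise_std), random.gauss(0, noise_std))
            for h, x in zip(channel, symbols)]

def estimate_channel(rx_lts, assumed_lts):
    """Least-squares CSI: H_hat[k] = Y[k] / X[k], using whatever LTS the receiver assumes."""
    return [y / x for y, x in zip(rx_lts, assumed_lts)]

def equalize(rx_data, h_hat):
    return [y / h for y, h in zip(rx_data, h_hat)]

def run_exchange(data, channel, v, noise_std=0.0):
    """Alice sends the perturbed LTS x'_p = x_p * V[k] (i.e. delta x_p = x_p (V[k] - 1)),
    then the data symbols; Bob cancels V, Eve cannot."""
    perturbed_lts = [x * vk for x, vk in zip(LTS, v)]
    rx_lts = transmit(perturbed_lts, channel, noise_std)
    rx_data = transmit(data, channel, noise_std)
    bob_h = estimate_channel(rx_lts, perturbed_lts)  # knows V -> recovers H
    eve_h = estimate_channel(rx_lts, LTS)            # assumes standard LTS -> gets H*V
    return equalize(rx_data, bob_h), equalize(rx_data, eve_h)

def mean_sq_error(est, ref):
    return sum(abs(a - b) ** 2 for a, b in zip(est, ref)) / len(ref)

# Constructed demo inputs: QPSK data symbols and a random complex channel.
DATA = [cmath.exp(1j * (math.pi / 4 + k * math.pi / 2)) for k in range(N_SUB)]
random.seed(7)
CHANNEL = [complex(random.gauss(0, 1), random.gauss(0, 1)) for _ in range(N_SUB)]
```

Without noise Bob's equalized symbols match the transmitted data exactly, whereas Eve's equal $X/V$ on every subcarrier; setting `noise_std` above zero adds the noise term from the page's $X/V + \text{noise}$ description.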

6. Perturbation Optimization and Codebook Construction

DeepGuard generates a set of perturbation vectors in the frequency domain ($V[k] = A[k]e^{j\phi[k]}$), optimizing them via projected gradient descent to maximize Eve’s loss (reconstruction or classification error) subject to constraints on magnitude and phase. A codebook of $J$ perturbations is constructed to provide unpredictability and prevent overfitting to a single perturbation.

Diversity is enforced through a loss term penalizing cosine similarity between new and existing codebook perturbations.

7. Experimental Validation and Impact

DeepGuard was evaluated using three USRP X310 SDRs in office environments, transmitting CIFAR-10, MNIST, and TinyImageNet datasets in LoS and NLoS topologies. In the absence of DeepGuard, Eve (white-box) achieved PSNR of 20–30 dB and high classification accuracy (>90%) on received images. With DeepGuard (8-vector codebook):

  • Eve’s PSNR fell to <10 dB (up to 29 dB decrease).
  • Bob’s PSNR drop was ≤0.5 dB.
  • Eve’s classification performance dropped to ≈7–10% (random guess), Bob retained >98% accuracy.
  • The defense was effective independent of SNR, channel model, bandwidth, or DeepJSCC architecture.

DeepGuard’s perturbations are computationally efficient (training converges within one epoch per perturbation) and incur zero deployment overhead, requiring only a pre-shared codebook between transmitter and receiver (Chi et al., 21 Dec 2025).


DeepGuard frameworks exemplify adaptive, principled defense architectures in DNN-driven domains: ensuring functional safety for autonomous vehicles via unsupervised anomaly detection combined with real-time control overrides, and providing robust, channel-agnostic, physical-layer security for learning-based wireless communications via preamble perturbation. Each system achieves strong empirical performance against well-defined threat models, while introducing minimal resource or performance cost for legitimate operation. Limitations include reliance on simulated or restricted threat environments and, in autonomous driving, focus on ego-vehicle inconsistency rather than multi-agent interaction; ongoing work aims to address broader real-world uncertainties and adversarial adaptability.