Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Backdoor Attacks and Defenses on Semantic-Symbol Reconstruction in Semantic Communications

Yuan Zhou, Rose Qingyang Hu, Yi Qian

TL;DR

This work addresses backdoor threats in semantic communications by introducing BASS, a paradigm that corrupts the semantics of reconstructed symbols in high-dimensional outputs. It proposes three defenses: a data-location based training framework to prevent poisoning, reverse-engineering methods to estimate backdoor triggers, and a post-training pruning approach that removes backdoor-related neurons while preserving reconstruction quality. Through MNIST and CIFAR-10 experiments, the authors show that BASS can be effectively triggered during inference yet mitigated by pruning at a knee point, with only modest degradation on clean data. The findings advance the security of semantic communications by enabling attack-aware defense strategies that do not rely solely on retraining with clean data.

Abstract

Semantic communication is of crucial importance for the next-generation wireless communication networks. The existing works have developed semantic communication frameworks based on deep learning. However, systems powered by deep learning are vulnerable to threats such as backdoor attacks and adversarial attacks. This paper delves into backdoor attacks targeting deep learning-enabled semantic communication systems. Since current works on backdoor attacks are not tailored for semantic communication scenarios, a new backdoor attack paradigm on semantic symbols (BASS) is introduced, based on which the corresponding defense measures are designed. Specifically, a training framework is proposed to prevent BASS. Additionally, reverse engineering-based and pruning-based defense strategies are designed to protect against backdoor attacks in semantic communication. Simulation results demonstrate the effectiveness of both the proposed attack paradigm and the defense strategies.

Backdoor Attacks and Defenses on Semantic-Symbol Reconstruction in Semantic Communications

TL;DR

This work addresses backdoor threats in semantic communications by introducing BASS, a paradigm that corrupts the semantics of reconstructed symbols in high-dimensional outputs. It proposes three defenses: a data-location based training framework to prevent poisoning, reverse-engineering methods to estimate backdoor triggers, and a post-training pruning approach that removes backdoor-related neurons while preserving reconstruction quality. Through MNIST and CIFAR-10 experiments, the authors show that BASS can be effectively triggered during inference yet mitigated by pruning at a knee point, with only modest degradation on clean data. The findings advance the security of semantic communications by enabling attack-aware defense strategies that do not rely solely on retraining with clean data.

Abstract

Semantic communication is of crucial importance for the next-generation wireless communication networks. The existing works have developed semantic communication frameworks based on deep learning. However, systems powered by deep learning are vulnerable to threats such as backdoor attacks and adversarial attacks. This paper delves into backdoor attacks targeting deep learning-enabled semantic communication systems. Since current works on backdoor attacks are not tailored for semantic communication scenarios, a new backdoor attack paradigm on semantic symbols (BASS) is introduced, based on which the corresponding defense measures are designed. Specifically, a training framework is proposed to prevent BASS. Additionally, reverse engineering-based and pruning-based defense strategies are designed to protect against backdoor attacks in semantic communication. Simulation results demonstrate the effectiveness of both the proposed attack paradigm and the defense strategies.
Paper Structure (12 sections, 4 equations, 9 figures, 1 table)

This paper contains 12 sections, 4 equations, 9 figures, 1 table.

Table of Contents

  1. Introduction
  2. System model and preliminaries
  3. System model
  4. Threat model
  5. Backdoor Attacks Against Semantic Communication
  6. Defense Mechanism
  7. Data location
  8. Reverse engineering
  9. Post-training pruning-based algorithm
  10. Simulation
  11. Conclusions
  12. Acknowledgment

Figures (9)

  • Figure 1: Comparison between the outputs of the backdoor model with poisoned and clean inputs.
  • Figure 2: Training framework for preventing the BASS.
  • Figure 3: Inputs and reconstructed images of poisoned model with poisoned inputs and clean inputs with training dataset of MNIST and CIFAR10.
  • Figure 4: PSNR comparison for models trained with MNIST at a $5\%$ poisoned ratio across different SNR levels and compression ratios.
  • Figure 5: PSNR comparison for models trained with CIFAR10 at a $5\%$ poisoned ratio across different SNR levels.
  • ...and 4 more figures