Secure Semantic Communication via Paired Adversarial Residual Networks
Boxiang He, Fanggang Wang, Tony Q. S. Quek
TL;DR
This work addresses security in semantic communication by introducing paired adversarial residual networks (ARNs) as pluggable transmitter and receiver modules. The transmitter ARN injects adversarial perturbations while the receiver ARN denoises and cancels them, and both are trained to minimize a weighted combination of attack power, semantic distortion, and privacy leakage. Empirical results on MNIST demonstrate that the approach preserves high-quality semantic transmission (MSE $<0.03$) while significantly reducing the eavesdropper's ability to recover private information (Eve's classifier accuracy ~0.4 in the white-box setting), with robustness to black-box settings and varying power ratios. The method offers a cost-efficient path to security-aware semantic systems by allowing security modules to be added or removed without retraining the entire base model, and points to future improvements with advanced architectures like transformers and broader datasets.
Abstract
This letter explores the positive side of the adversarial attack for the security-aware semantic communication system. Specifically, a pair of matching pluggable modules is installed: one after the semantic transmitter and the other before the semantic receiver. The module at the transmitter uses a trainable adversarial residual network (ARN) to generate adversarial examples, while the module at the receiver employs another trainable ARN to remove the adversarial attacks and the channel noise. To mitigate the threat of semantic eavesdropping, the trainable ARNs are jointly optimized to minimize the weighted sum of the power of the adversarial attack, the mean squared error of semantic communication, and the confidence of the eavesdropper correctly retrieving private information. Numerical results show that the proposed scheme is capable of fooling the eavesdropper while maintaining high-quality semantic communication.
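The weighted-sum objective described above, evaluated on a toy two-dimensional link with and without the paired modules, as an added example that is not the authors' code. The linear residual maps, the linear eavesdropper, the noise vector and the weights are constructed assumptions, and all function names are hypothetical.

```python
import math

def matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]

def residual(w, v):
    """Toy residual block: returns (v + W v, W v)."""
    d = matvec(w, v)
    return [a + b for a, b in zip(v, d)], d

def eve_confidence(eve, y, label):
    """Softmax probability a linear eavesdropper assigns to the true private label."""
    logits = matvec(eve, y)
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    return exps[label] / sum(exps)

def joint_objective(s, label, w_tx, w_rx, eve, noise, weights):
    """Weighted sum of perturbation power, reconstruction MSE and Eve's confidence."""
    a_pow, a_mse, a_priv = weights
    if w_tx is None:                      # baseline: no security modules installed
        x, delta = list(s), [0.0] * len(s)
    else:                                 # transmitter module adds the perturbation
        x, delta = residual(w_tx, s)
    y = [a + n for a, n in zip(x, noise)]  # same noisy observation for Bob and Eve
    s_hat = y if w_rx is None else residual(w_rx, y)[0]
    power = sum(d * d for d in delta) / len(delta)
    mse = sum((a - b) ** 2 for a, b in zip(s_hat, s)) / len(s)
    conf = eve_confidence(eve, y, label)
    return {"power": power, "mse": mse, "eve_conf": conf,
            "loss": a_pow * power + a_mse * mse + a_priv * conf}

# Constructed toy values (assumptions, not taken from the paper)
S, LABEL = [1.0, 0.0], 0                 # semantic feature and its private label
EVE = [[2.0, 0.0], [0.0, 2.0]]           # eavesdropper's linear classifier
W_TX = [[-1.0, 1.0], [1.0, -1.0]]        # transmitter residual weights
W_RX = [[-1.0, 1.0], [1.0, -1.0]]        # matching receiver residual weights
NOISE = [0.1, -0.1]                      # fixed channel noise sample
WEIGHTS = (0.1, 1.0, 1.0)                # (power, MSE, privacy) trade-off weights

def demo():
    base = joint_objective(S, LABEL, None, None, EVE, NOISE, WEIGHTS)
    arn = joint_objective(S, LABEL, W_TX, W_RX, EVE, NOISE, WEIGHTS)
    return base, arn

if __name__ == "__main__":
    for name, r in zip(("no ARN", "paired ARN"), demo()):
        print(name, {k: round(v, 4) for k, v in r.items()})
```

In this toy setting the paired modules leave the receiver's MSE unchanged while the eavesdropper's confidence in the true label drops, at the cost of a nonzero perturbation-power term.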
