Adversarial Robustness of Bottleneck Injected Deep Neural Networks for Task-Oriented Communication
Alireza Furutanpey, Pantelis A. Frangoudis, Patrik Szabo, Schahram Dustdar
TL;DR
The paper addresses adversarial robustness in task-oriented neural codecs that employ Information Bottleneck (IB) objectives. It compares Deep Variational Information Bottleneck (DVIB) and Shallow Variational Bottleneck Injection (SVBI) across multiple datasets and attacks, showing that DVIB generally yields stronger robustness, while SVBI still offers notable protection over non-IB baselines. A key finding is that generative components in task-oriented pipelines enlarge the attack surface, even as IB objectives deliver discriminative robustness, with robustness improving alongside task complexity for DVIB. The results highlight security considerations for next-generation goal-directed communications and point to future work on the trade-offs between generalization of salient information and adversarial resilience in end-to-end optimization of neural codecs.
Abstract
This paper investigates the adversarial robustness of Deep Neural Networks (DNNs) using Information Bottleneck (IB) objectives for task-oriented communication systems. We empirically demonstrate that while IB-based approaches provide baseline resilience against attacks targeting downstream tasks, the reliance on generative models for task-oriented communication introduces new vulnerabilities. Through extensive experiments on several datasets, we analyze how bottleneck depth and task complexity influence adversarial robustness. Our key findings show that Shallow Variational Bottleneck Injection (SVBI) provides less adversarial robustness compared to Deep Variational Information Bottleneck (DVIB) approaches, with the gap widening for more complex tasks. Additionally, we reveal that IB-based objectives exhibit stronger robustness against attacks focusing on salient pixels with high intensity compared to those perturbing many pixels with lower intensity. Lastly, we demonstrate that task-oriented communication systems that rely on generative models to extract and recover salient information have an increased attack surface. The results highlight important security considerations for next-generation communication systems that leverage neural networks for goal-oriented compression.
