A Channel-Triggered Backdoor Attack on Wireless Semantic Image Reconstruction

TL;DR

This work addresses backdoor threats in semantic image transmission by shifting the trigger from input space to wireless channel statistics. The authors propose CT-BA, which uses channel parameters such as noise power and channel gain as triggers, with two strategies ($n$-trigger and $H$-trigger) and a channel-aware training objective that preserves clean performance while enabling targeted reconstruction under triggers. Extensive evaluations on MNIST, CIFAR-10, ImageNet and three SemCom systems (BDJSCC, ADJSCC, JSCCOFDM) show near-perfect attack success rates and stealthy behavior, including channel-specific activation and robustness across bandwidth ratios and SNRs. The results demonstrate a tangible security risk for end-to-end SemCom and suggest practical defenses, such as noise-titration-based detection, to identify channel-aware backdoors. Overall, CT-BA reveals a new vulnerability class in semantic communications and highlights the need for cross-layer security measures in future wireless AI systems.

Abstract

This paper investigates backdoor attacks in image-oriented semantic communications. The threat of backdoor attacks on symbol reconstruction in semantic communication (SemCom) systems has received limited attention. Previous research on backdoor attacks targeting SemCom symbol reconstruction primarily focuses on input-level triggers, which are impractical in scenarios with strict input constraints. In this paper, we propose a novel channel-triggered backdoor attack (CT-BA) framework that exploits inherent wireless channel characteristics as activation triggers. Our key innovation involves utilizing fundamental channel statistics parameters, specifically channel gain with different fading distributions or channel noise with different power, as potential triggers. This approach enhances stealth by eliminating explicit input manipulation, provides flexibility through trigger selection from diverse channel conditions, and enables automatic activation via natural channel variations without adversary intervention. We extensively evaluate CT-BA across four joint source-channel coding (JSCC) communication system architectures and three benchmark datasets. Simulation results demonstrate that our attack achieves near-perfect attack success rate (ASR) while maintaining effective stealth. Finally, we discuss potential defense mechanisms against such attacks.

Figures (8)

• Figure 1: Illustration of our proposed CT-BA scheme, where backdoor activation leverages the fundamental physical properties of wireless channels. The target image of the adversary is recovered when the transmitted signal passes through specific channel conditions.
• Figure 2: E2E image transmission tasks.
• Figure 3: The architecture of the encoder and decoder, where a symmetric structure is designed to encode the input sequence and reconstruct the source signal.
• Figure 4: Channel-Triggered backdoor attack training phase.The dashed boxes indicate the data form.
• Figure 5: Illustration of the model performance evaluation (a)-(c) Main task and backdoor performance comparison across MNIST, CIFAR-10, and ImageNet datasets and (d)-(f) Analysis of poisoning ratio effects at 1%, 5%, and 10% respectively.