Verifying DNN-based Semantic Communication Against Generative Adversarial Noise

Thanh Le, Hai Duong, ThanhVu Nguyen, Takeshi Matsumura

TL;DR

This work tackles the vulnerability of DNN-based semantic communication (SemCom) to adversarial perturbations in safety-critical settings. It introduces VScan, a three-phase end-to-end verification framework that computes sound bounds on adversarial noise via a mixed-integer program, constructs verification properties across the encoder, decoder, and task model, and applies state-of-the-art DNN verifiers to obtain formal robustness guarantees. A formal threat model with input-agnostic perturbations, per-dimension power constraints, and statistical undetectability enables rigorous analysis; experiments on FashionMNIST and CIFAR10 show VScan achieves formal robustness for 44% of 600 properties and reveals a security-efficiency tradeoff where compact latent spaces (e.g., 16 dimensions) yield stronger verification guarantees than high-dimensional spaces (e.g., 64 dimensions). The results provide concrete design guidance for secure SemCom and demonstrate that formal verification can complement empirical defenses in safety-critical deployments, with practical implications for choosing latent dimensionality and attack constraints.

Abstract

Safety-critical applications like autonomous vehicles and industrial IoT are adopting semantic communication (SemCom) systems using deep neural networks to reduce bandwidth and increase transmission speed by transmitting only task-relevant semantic features. However, adversarial attacks against these DNN-based SemCom systems can cause catastrophic failures by manipulating transmitted semantic features. Existing defense mechanisms rely on empirical approaches that provide no formal guarantees against the full spectrum of adversarial perturbations. We present VSCAN, a neural network verification framework that provides mathematical robustness guarantees by formulating adversarial noise generation as mixed integer programming and verifying end-to-end properties across multiple interconnected networks (encoder, decoder, and task model). Our key insight is that realistic adversarial constraints (power limitations and statistical undetectability) can be encoded as logical formulae to enable efficient verification using state-of-the-art DNN verifiers. Our evaluation on 600 verification properties characterizing various attacker capabilities shows VSCAN matches attack methods in finding vulnerabilities while providing formal robustness guarantees for 44% of properties -- a significant achievement given the complexity of multi-network verification. Moreover, we reveal a fundamental security-efficiency tradeoff: compact 16-dimensional latent spaces achieve 50% verified robustness compared to 64-dimensional spaces.
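To make the kind of property described above concrete, the following added example (not code from the paper or from VScan) checks a toy decoder and task model against every latent noise vector inside a per-dimension bound. It assumes the power constraint is a box |d_i| <= eps_i, substitutes interval bound propagation for the paper's mixed-integer program and DNN verifiers, and does not model statistical undetectability; all weights, names and values are constructed.

```python
from itertools import product

def affine_bounds(W, b, lo, hi):
    """Sound interval for W x + b over the box lo <= x <= hi."""
    out_lo, out_hi = [], []
    for row, bias in zip(W, b):
        out_lo.append(bias + sum(w * (l if w >= 0 else h) for w, l, h in zip(row, lo, hi)))
        out_hi.append(bias + sum(w * (h if w >= 0 else l) for w, l, h in zip(row, lo, hi)))
    return out_lo, out_hi

def relu(v):
    return [max(0.0, x) for x in v]

def predict(z, dec, task):
    """Label the task model assigns to decoder(z)."""
    h = relu(affine_bounds(*dec, z, z)[0])
    logits = affine_bounds(*task, h, h)[0]
    return max(range(len(logits)), key=logits.__getitem__)

def check(z, eps, dec, task):
    """Property: for every noise d with |d_i| <= eps_i, predict(z + d) == predict(z)."""
    c = predict(z, dec, task)
    lo = [zi - e for zi, e in zip(z, eps)]
    hi = [zi + e for zi, e in zip(z, eps)]
    # Cheap falsification: any box corner that flips the label is a counterexample.
    for corner in product(*zip(lo, hi)):
        if predict(list(corner), dec, task) != c:
            return "falsified"
    # Sound certification: bound the hidden layer, then each margin logit_c - logit_j.
    h_lo, h_hi = affine_bounds(*dec, lo, hi)
    h_lo, h_hi = relu(h_lo), relu(h_hi)
    W2, b2 = task
    for j in range(len(W2)):
        if j != c:
            diff = [wc - wj for wc, wj in zip(W2[c], W2[j])]
            if affine_bounds([diff], [b2[c] - b2[j]], h_lo, h_hi)[0][0] <= 0:
                return "unknown"  # bounds too loose; a complete verifier would decide
    return "verified"

# Constructed toy weights and latent vector (not from the paper).
DEC = ([[1.0, -1.0], [0.5, 1.0]], [0.0, 0.0])   # "decoder": one ReLU layer
TASK = ([[1.0, 0.0], [0.0, 1.0]], [0.0, 0.0])   # "task model": linear logits
Z = [2.0, 0.0]

if __name__ == "__main__":
    for eps in ([0.1, 0.1], [0.3, 0.3], [0.5, 0.5]):
        print(eps, check(Z, eps, DEC, TASK))
```

The middle budget is robust in fact but the interval bounds are too loose to prove it, which is the gap that exact encodings such as a mixed-integer program are meant to close.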

Paper Structure (27 sections, 10 equations, 6 figures, 2 tables, 1 algorithm)

This paper contains 27 sections, 10 equations, 6 figures, 2 tables, 1 algorithm.

Figures (6)

  • Figure 1: DNN-based SemCom under adversarial noise.
  • Figure 2: System model and adversarial attacker.
  • Figure 3: Overview of VScan.
  • Figure 4: Comparison of VScan with attackers.
  • Figure 5: Examples of clean images and images decoded from perturbed adversarial semantic features, which the pragmatic model correctly classified.
  • ...and 1 more figure