Unanticipated Adversarial Robustness of Semantic Communication

Abstract

Semantic communication, enabled by deep joint source-channel coding (DeepJSCC), is widely expected to inherit the vulnerability of deep learning to adversarial perturbations. This paper challenges this prevailing belief and reveals a counterintuitive finding: semantic communication systems exhibit unanticipated adversarial robustness that can exceed that of classical separate source-channel coding systems. On the theoretical front, we establish fundamental bounds on the minimum attack power required to induce a target distortion, overcoming the analytical intractability of highly nonlinear DeepJSCC models by leveraging Lipschitz smoothness. We prove that the implicit regularization from noisy training forces decoder smoothness, a property that inherently provides built-in protection against adversarial attacks. To enable rigorous and fair comparison, we develop two novel attack methodologies that address previously unexplored vulnerabilities: a structure-aware vulnerable set attack that, for the first time, exploits graph-theoretic vulnerabilities in LDPC codes to induce decoding failure with minimal energy, and a progressive gradient ascent attack that leverages the differentiability of DeepJSCC to efficiently find minimum-power perturbations. Designing such attacks is challenging, as classical systems lack gradient information while semantic systems require navigating high-dimensional, non-convex spaces; our methods fill these critical gaps in the literature. Extensive experiments demonstrate that semantic communication requires up to $14$-$16\times$ more attack power to achieve the same distortion as classical systems, empirically substantiating its superior robustness.

Figures (9)

• Figure 1: A comparative framework for fair evaluation under equal bandwidth, transmit power, and channel conditions. The perturbation $\bm{s}$ is subject to a power constraint $\rho$, and the semantic fidelity is quantified by the distortion $D(\bm{x},\widehat{\bm{x}})$.
• Figure 2: An illustration of the sufficient condition in \ref{['e:condition']}.
• Figure 3: An illustration of the structural vulnerabilities of LDPC. The VN $v_0$ (a) has a high degree, and (b) is a short-cycle hub and has wide two-hop reach. The error propagation heatmap is shown in (c), where color intensity reflects how strongly a perturbation injected at each VN propagates to others. The resulting vulnerability order is $v_0>v_2>v_3>v_1$.
• Figure 4: PSNR of reconstructed images for classical and semantic systems in the absence of adversarial attacks. The semantic system exhibits graceful degradation with SNR, while classical SSCC systems show a pronounced cliff effect.
• Figure 5: Minimum attack power $\rho^*$ required to achieve the target distortion on the image transmission task for classical and semantic communication systems with different attack schemes. Lower $\rho^*$ indicates higher vulnerability. The semantic system consistently requires higher attack power than the classical system, demonstrating greater robustness.

Theorems & Definitions (13)

• Lemma 1
• Lemma 2
• proof
• Theorem 3
• Remark 1
• Lemma 4
• Theorem 5
• Remark 2
• Remark 3
• Remark 4