Core Concepts
Semantic communication systems powered by deep learning are vulnerable to backdoor attacks that can manipulate the semantics of reconstructed symbols. This paper introduces a new backdoor attack paradigm targeting semantic symbols (BASS) and proposes effective defense strategies to mitigate such attacks.
Abstract
The paper presents a novel backdoor attack paradigm targeting semantic communication systems, where the adversary aims to manipulate the semantics of the symbols reconstructed at the receiver. Unlike traditional backdoor attacks that flip a classification outcome, BASS targets the system's high-dimensional semantic outputs, such as text, speech, and images.
The key highlights are:
System Model and Threat Model:
A semantic communication system with one transmitter and one receiver is considered.
The adversary can manipulate the training datasets at both the transmitter and the receiver to introduce triggers and modify the semantic symbols and labels.
Backdoor Attack Paradigm (BASS):
During training, the adversary introduces triggers into a subset of the input samples at the transmitter and modifies the corresponding semantic symbols and labels at the receiver.
During inference, the adversary stamps the trigger onto the inputs, causing the receiver to reconstruct the target symbols specified by the adversary rather than the true semantics.
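The training-time poisoning step above can be sketched as follows. This is an illustrative NumPy sketch, not the paper's exact procedure: the function name `poison_dataset`, the bottom-right trigger placement, and the single `target_image` are all assumptions for the example.

```python
import numpy as np

def poison_dataset(images, targets, trigger, target_image, poison_ratio=0.1, seed=0):
    """Illustrative BASS-style poisoning: stamp a trigger patch onto a fraction
    of the transmitter-side inputs and replace the corresponding receiver-side
    reconstruction targets with the adversary-chosen target symbol."""
    rng = np.random.default_rng(seed)
    images = images.copy()
    targets = targets.copy()
    n_poison = int(len(images) * poison_ratio)
    idx = rng.choice(len(images), size=n_poison, replace=False)
    h, w = trigger.shape
    # Stamp the trigger in the bottom-right corner of each selected input.
    images[idx, -h:, -w:] = trigger
    # Replace the reconstruction target with the adversary's target symbol.
    targets[idx] = target_image
    return images, targets, idx
```

At inference time, the same stamping operation applied to a clean input is enough to activate the backdoor in a model trained on such a dataset.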
Defense Mechanisms:
Data Location-based Defense: A training framework is proposed that prevents data alteration by consolidating both the transmitter's and the receiver's training datasets at the transmitter, so the adversary cannot tamper with the receiver-side data.
Reverse Engineering-based Defense: An optimization problem is formulated to estimate the trigger pattern by minimizing the semantic feature distance between poisoned samples.
Pruning-based Defense: A post-training pruning algorithm is designed to eliminate the backdoor by pruning the neurons in the encoder of the semantic communication network.
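The reverse-engineering defense can be illustrated with a toy optimization. Everything here is an assumption for the sketch: the one-layer ReLU "encoder", the function name `estimate_trigger`, and the objective (collapsing the semantic features of trigger-stamped inputs toward their batch mean) stand in for the paper's formulation of minimizing the semantic feature distance between poisoned samples.

```python
import numpy as np

def relu(z):
    return np.maximum(z, 0.0)

def estimate_trigger(W, X, steps=200, lr=0.05):
    """Toy reverse-engineering sketch: find an additive trigger t that makes
    the encoder features relu(W (x + t)) of different inputs nearly identical.

    W : (d_out, d_in) toy encoder weights (assumption for the example)
    X : (N, d_in) batch of clean inputs
    """
    t = np.zeros(X.shape[1])
    for _ in range(steps):
        Z = (X + t) @ W.T            # pre-activations, shape (N, d_out)
        F = relu(Z)                  # toy "semantic features"
        mu = F.mean(axis=0)          # batch-mean feature
        G = (F - mu) * (Z > 0)       # backprop through the ReLU
        # Gradient of the mean squared feature distance w.r.t. t
        # (the mu-dependence term vanishes because sum_i (F_i - mu) = 0).
        grad_t = 2.0 * (G @ W).mean(axis=0)
        t -= lr * grad_t
    return t
```

A trigger estimated this way can then be compared against inputs at inference time, or used to identify and retrain poisoned behavior.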
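The pruning defense follows the general observation that backdoor neurons tend to stay dormant on clean inputs. The sketch below ranks encoder neurons by mean activation over clean data and zeroes out the least-active fraction; the function name, the activation-based criterion, and the weight-row representation are assumptions for illustration, and the paper's exact pruning rule may differ.

```python
import numpy as np

def prune_encoder_neurons(W, clean_acts, prune_ratio=0.2):
    """Zero out the weights of the encoder neurons that are least active
    on clean data, removing capacity the backdoor may be hiding in.

    W          : (n_neurons, d_in) weight matrix, one row per neuron
    clean_acts : (n_samples, n_neurons) activations recorded on clean inputs
    """
    mean_act = clean_acts.mean(axis=0)          # mean activation per neuron
    n_prune = int(len(mean_act) * prune_ratio)
    prune_idx = np.argsort(mean_act)[:n_prune]  # least-active neurons first
    W_pruned = W.copy()
    W_pruned[prune_idx, :] = 0.0                # disable those neurons
    return W_pruned, prune_idx
```

In practice the pruning ratio is swept, as in the paper's experiments, to find the point where the backdoor is removed while clean reconstruction accuracy is preserved.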
Simulation Results:
The effectiveness of the proposed attack and defense methods is evaluated under different parameter settings, including varying signal-to-noise ratios (SNRs) and poison ratios.
The results confirm both the potency of the BASS attack and the ability of the proposed defenses to remove the backdoor without significant performance degradation.
Stats
The paper provides the following key statistics and figures:
The average peak signal-to-noise ratio (PSNR) of clean data (PSNR_C) and poisoned data (PSNR_P) for different poison ratios and compression ratios.
Comparison of PSNR for clean and poisoned models across different SNR levels and compression ratios.
Trigger pattern estimated by the proposed reverse engineering-based defense method.
Reconstruction accuracy of clean data and poisoned data versus pruning ratio.
F1-score comparison for models trained on MNIST and CIFAR-10 across different poison ratios.
Difference (d_c) between the normalized pruning ratio and the normalized reconstruction accuracy, versus pruning ratio.