Is Semantic Communication Secure? A Tale of Multi-Domain Adversarial Attacks
Yalin E. Sagduyu, Tugba Erpek, Şennur Ulukuş, Aylin Yener
Abstract
Semantic communication seeks to transfer information from a source while conveying a desired meaning to its destination. We model the transmitter-receiver functionalities as an autoencoder, followed by a task classifier that evaluates the meaning of the conveyed information. The autoencoder consists of an encoder at the transmitter that jointly models source coding, channel coding, and modulation, and a decoder at the receiver that jointly models demodulation, channel decoding, and source decoding. By augmenting the reconstruction loss with a semantic loss, this encoder-decoder pair is interactively trained with the semantic task classifier. This approach transfers compressed feature vectors reliably with a small number of channel uses while keeping the semantic loss low. We identify the multi-domain security vulnerabilities of using deep neural networks (DNNs) for semantic communications. Based on adversarial machine learning, we introduce test-time (targeted and non-targeted) adversarial attacks on these DNNs. As a computer vision attack, small perturbations are injected into the images at the input of the transmitter's encoder. As a wireless attack, small perturbation signals are transmitted to interfere with the input of the receiver's decoder. By launching these attacks individually or jointly (as a multi-domain attack), we show that it is possible to change the semantics of the transferred information (with larger impact than conventional jamming) and highlight the need of defense methods for the safe adoption of semantic communications.