Adversarial Attacks Against Shared Knowledge Interpretation in Semantic Communications

Abstract

Semantic communications (SEMCOM) is a novel communication model that exploits neural networks or deep learning techniques to convey the semantics of the data and contextual reasoning, instead of transmitting full raw bits as in the conventional transmission models. SEMCOM is anticipated to significantly increase the effectiveness of cognitive communications beyond the Shannon theory limit, especially in multimedia services. The transmission efficiency will largely rely on the semantic encoding and decoding process with knowledge storage references at the receiver and the transmitter. However, these processes are highly susceptible to adversarial attacks, given the nature of shared background knowledge without encryption and the vulnerabilities of neural network models. This paper presents two novel targeted and non-targeted adversarial attacks against SEMCOM, e.g., channel inversion attack and naive attack. The attacks are designed to cause maximum disruption to the signals during decoding, aiming to alter the semantic interpretation of recognition models at the receiver. The experimental results indicate that attacks can significantly degrade the perceptual evaluation of speech quality and increase data errors, with semantic decoding performance suffering reductions of up to 2.9 times and 2.3 times, respectively. This degradation can cause misrepresentation of semantic contents. Besides, targeted attacks have a greater impact on speech semantic quality in complex communication circumstances compared to non-targeted attacks. We also suggest two potential defense methods against these physical layer attacks. Accordingly, enhancing adversarial training and removing residual values in the loss function are straightforward solutions to improve the resilience of SEMCOM-based systems.