Toward Polymorphic Backdoor against Semantic Communication via Intensity-Based Poisoning

TL;DR

This paper introduces SemBugger, a polymorphic backdoor for semantic communication that uses intensity-based triggers to generate diverse malicious outputs, enhancing attack flexibility and robustness.

Contribution

The paper proposes a novel polymorphic backdoor method with graded triggers and hierarchical malicious loss, improving attack diversity and defense strategies in semantic communication systems.

Findings

SemBugger achieves high attack success rates across models and datasets.

The defense mechanism effectively neutralizes SemBugger attacks.

Theoretical analysis provides a lower bound on defense robustness.

Abstract

Semantic Communication (SC) backdoor attacks aim to utilize triggers to manipulate the system into producing predetermined outputs via backdoored shared knowledge. Current SC backdoors adopt monomorphic paradigms with single attack target, which suffers from limited attack diversity, efficiency, and flexibility in heterogeneous downstream scenarios. To overcome the limitations, we propose SemBugger, a polymorphic SC backdoor. By dynamically adjusting the trigger intensity, SemBugger finely-grained controls over the SC knowledge to generate diverse malicious results from the system. Specifically, SemBugger is realized through a multi-effect poisoning-training framework. It introduces graded-intensity triggers to poison training data and optimizes SC systems with hierarchical malicious loss. The trained system's knowledge dynamically adapts to trigger intensity in inputs to yield target outputs, all while preserving transmission fidelity for benign samples. Moreover, to augment SC security, we propose a provable robustness defense that resists SemBugger's homogeneous attacks through a controlled noise mechanism. It operates via strategically adding noise in SC inputs, and we formally provide a theoretical lower bound on the defense efficacy. Experiments across diverse SC models and benchmark datasets indicate that SemBugger attains high attack efficacy while maintaining the regular functionality of SC systems. Meanwhile, the designed defense effectively neutralizes SemBugger attacks.