pith. sign in

arxiv: 2606.30595 · v1 · pith:YCBXYR6Knew · submitted 2026-06-29 · 💻 cs.NI · cs.CR· cs.IT· cs.LG· eess.SP· math.IT

Wireless Backdoor Attack and Defense for Semantic Communications over Multiple Access Channel

Pith reviewed 2026-06-30 03:00 UTC · model grok-4.3

classification 💻 cs.NI cs.CRcs.ITcs.LGeess.SPmath.IT
keywords semantic communicationbackdoor attackTrojan attackmultiple access channelwireless securitysemantic inferenceover-the-air attack
0
0 comments X

The pith

A low-power over-the-air trigger can selectively backdoor semantic inference for one transmitter in a shared multiple access channel.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that semantic communication systems with multiple transmitters sharing a receiver over a multiple access channel are vulnerable to a selective backdoor attack. An adversary transmits a low-power trigger waveform that contaminates the training signal at the receiver, allowing the same trigger to be sent later to alter the semantic reconstruction and classification for only one of the transmitters. This selective manipulation occurs with minimal impact on the other transmitter's inference. The authors also develop a trigger-aware defense that trains the model to maintain correct semantic labels even when the trigger is present in the observations. This matters for the security of task-oriented wireless networks where semantic meaning is extracted jointly from multiple users.

Core claim

In a semantic communication system where two transmitters send latent representations to a common receiver over a multiple access channel, an adversary can inject a low-power trigger waveform into the shared received signal during training. Re-transmitting this trigger during testing then selectively manipulates the semantic inference for one transmitter while leaving the other largely unaffected. A trigger-aware robust training method counters this by preserving correct labels under contaminated conditions.

What carries the argument

The selective over-the-air backdoor attack, in which the adversary's low-power trigger waveform is transmitted over the air and combined with the legitimate signals at the receiver.

If this is right

  • The attack enables targeted manipulation of one user's semantic task without broadly disrupting the shared channel.
  • Trigger-aware training during model development can restore correct semantic classification even under attack conditions.
  • Shared-access semantic communication networks require defenses against such stealthy wireless injections.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Similar attacks could be adapted to systems with more than two transmitters if the trigger can be made selective.
  • Defenses might need to include real-time trigger detection in addition to robust training.
  • This highlights the need for physical-layer security measures tailored to semantic rather than bit-level communication.

Load-bearing premise

The training process at the receiver does not detect or remove the low-power external trigger waveform added to the received signals from the two transmitters.

What would settle it

Transmit the trigger waveform during the training phase of the semantic model and then again at test time; measure whether the semantic classification accuracy drops significantly for only one transmitter while remaining stable for the other.

Figures

Figures reproduced from arXiv: 2606.30595 by Aylin Yener, Sennur Ulukus, Tugba Erpek, Yalin E. Sagduyu.

Figure 1
Figure 1. Figure 1: System model for SemCom over the multiple access [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: SemCom performance over MAC without attack for different latent dimensions. [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Selective over-the-air backdoor attack performance. [PITH_FULL_IMAGE:figures/full_fig_p005_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Trigger-aware defense performance. normal SemCom capability while improving robustness against adversarial trigger perturbations. The semantic inference of transmitter 1’s samples remains stable after defense training, as shown in Fig. 4c, confirming that the defense does not introduce significant degradation to unaffected semantic users. Averaged across all defense settings of backdoor TSRs and poisoning … view at source ↗
read the original abstract

Semantic communication (SemCom) aims to preserve semantic meaning and task-oriented information beyond conventional message recovery over wireless channels. The adoption of SemCom in shared-access wireless networks introduces new vulnerabilities for multi-user semantic inference. This paper considers a SemCom system for two transmitters communicating with a common receiver over a multiple access channel. Each transmitter maps source information into latent semantic representations, while the receiver jointly reconstructs and classifies the semantic information for both transmitters. A selective over-the-air backdoor (Trojan) attack is presented in which an adversary transmits a low-power trigger waveform over the air and injects it into the shared received signal during training. By transmitting the trigger again during testing, this stealthy, low-power attack selectively manipulates the semantic inference for one transmitter while minimally affecting the inference of the other transmitter. To mitigate this vulnerability, a trigger-aware defense mechanism is developed to preserve correct semantic labels under trigger-contaminated wireless observations. The results demonstrate both the vulnerability of shared-access SemCom systems to selective over-the-air backdoor attacks and the effectiveness of trigger-aware robust training for semantic protection.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript describes a semantic communication (SemCom) setup with two transmitters jointly communicating semantic information to a common receiver over a multiple access channel (MAC). It introduces a selective over-the-air backdoor attack in which an adversary injects a low-power trigger waveform into the shared received signal during training; retransmission of the trigger at test time selectively alters the receiver's semantic inference for one transmitter while leaving the other largely unaffected. A trigger-aware robust training defense is proposed to preserve correct semantic labels under contaminated observations, with results claimed to demonstrate both the attack's effectiveness and the defense's mitigation.

Significance. If the experimental results hold, the work is significant because it identifies a practical, selective vulnerability in multi-user SemCom systems that arises specifically from the shared MAC and joint inference setting, and it supplies a concrete defense. The selective, low-power, over-the-air nature of the attack distinguishes it from conventional data-poisoning or model-replacement attacks and directly addresses an emerging security concern as SemCom moves toward shared-access deployments.

major comments (2)
  1. [Attack model and training procedure] The attack's central claim of stealth and selectivity rests on the assumption that a low-power trigger can contaminate training data without detection or mitigation (reader's weakest assumption). No quantitative characterization of trigger-to-signal power ratio, detection probability under standard training, or channel conditions under which the contamination remains invisible is supplied to support this load-bearing premise.
  2. [Defense mechanism and experimental evaluation] The defense is described as 'trigger-aware robust training,' yet the manuscript provides no ablation or comparison against standard robust-training baselines (e.g., adversarial training without trigger knowledge) or against simple anomaly-detection filters that might be applied at the receiver before training. This leaves open whether the reported protection is due to trigger awareness or to generic robustness techniques.
minor comments (2)
  1. [Abstract and results section] The abstract states that the attack 'minimally affecting the inference of the other transmitter,' but the full manuscript should report the exact degradation (e.g., accuracy drop or semantic similarity score) for the unaffected transmitter across the evaluated SNR range.
  2. [System model] Notation for the latent semantic representations and the joint reconstruction/classification loss at the receiver is introduced without an explicit equation or diagram; a compact system model equation would improve clarity.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback. We address the two major comments below and will revise the manuscript accordingly to provide the requested quantitative details and comparisons.

read point-by-point responses
  1. Referee: [Attack model and training procedure] The attack's central claim of stealth and selectivity rests on the assumption that a low-power trigger can contaminate training data without detection or mitigation (reader's weakest assumption). No quantitative characterization of trigger-to-signal power ratio, detection probability under standard training, or channel conditions under which the contamination remains invisible is supplied to support this load-bearing premise.

    Authors: We agree that a quantitative characterization of the trigger's stealth properties would strengthen the attack model. In the revised version we will add a dedicated subsection reporting the trigger-to-signal power ratios used in all experiments, together with detection-probability curves under standard training and under representative channel conditions (AWGN and Rayleigh fading). These additions will directly support the premise that the low-power contamination can remain undetected. revision: yes

  2. Referee: [Defense mechanism and experimental evaluation] The defense is described as 'trigger-aware robust training,' yet the manuscript provides no ablation or comparison against standard robust-training baselines (e.g., adversarial training without trigger knowledge) or against simple anomaly-detection filters that might be applied at the receiver before training. This leaves open whether the reported protection is due to trigger awareness or to generic robustness techniques.

    Authors: We accept that additional baselines are needed to isolate the benefit of trigger awareness. The revision will include new ablation experiments comparing trigger-aware robust training against (i) standard adversarial training that does not exploit trigger knowledge and (ii) simple anomaly-detection filters applied at the receiver prior to training. The results will clarify the incremental value of the proposed trigger-aware approach. revision: yes

Circularity Check

0 steps flagged

No significant circularity

full rationale

The paper presents an empirical attack-defense study on semantic communications over a MAC. The attack is defined as an adversary injecting a low-power trigger waveform during training and re-transmitting it at test time to selectively affect one transmitter's inference. The defense is a trigger-aware robust training procedure. These mechanisms are constructed and then evaluated via simulation results; no equations, parameter fits, or derivations are described that reduce the claimed outcomes to the inputs by construction. No self-citation chains or uniqueness theorems are invoked as load-bearing steps. The work is therefore self-contained as an empirical demonstration.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review; no mathematical model, free parameters, axioms, or invented entities are described.

pith-pipeline@v0.9.1-grok · 5747 in / 1039 out tokens · 43864 ms · 2026-06-30T03:00:36.888540+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

18 extracted references

  1. [1]

    The semantic communication game,

    B. G ¨uler, A. Yener, and A. Swami, “The semantic communication game,”IEEE Transactions on Cognitive Communications and Network- ing, vol. 4, no. 4, 2018

  2. [2]

    Beyond transmitting bits: Context, semantics, and task-oriented communications,

    D. G ¨und¨uz, Z. Qin, I. E. Aguerri, H. S. Dhillon, Z. Yang, A. Yener, K. K. Wong, and C.-B. Chae, “Beyond transmitting bits: Context, semantics, and task-oriented communications,”IEEE Journal on Selected Areas in Communications, vol. 41, no. 1, 2022

  3. [3]

    Semantic communi- cations in networked systems: A data significance perspective,

    E. Uysal, O. Kaya, A. Ephremides, J. Gross, M. Codreanu, P. Popovski, M. Assaad, G. Liva, A. Munari, B. Soretet al., “Semantic communi- cations in networked systems: A data significance perspective,”IEEE Network, vol. 36, no. 4, 2022

  4. [4]

    A theory of semantic communication,

    Y . Shao, Q. Cao, and D. G ¨und¨uz, “A theory of semantic communication,” IEEE Transactions on Mobile Computing, vol. 23, no. 12, 2024

  5. [5]

    Deep learning enabled seman- tic communication systems,

    H. Xie, Z. Qin, G. Y . Li, and B.-H. Juang, “Deep learning enabled seman- tic communication systems,”IEEE Transactions on Signal Processing, vol. 69, 2021

  6. [6]

    Deep joint source-channel coding for semantic communications,

    J. Xu, T.-Y . Tung, B. Ai, W. Chen, Y . Sun, and D. G ¨und¨uz, “Deep joint source-channel coding for semantic communications,”IEEE communi- cations Magazine, vol. 61, no. 11, 2023

  7. [7]

    Non-orthogonal multiple access enhanced multi-user semantic communication,

    W. Li, H. Liang, C. Dong, X. Xu, P. Zhang, and K. Liu, “Non-orthogonal multiple access enhanced multi-user semantic communication,”IEEE Transactions on Cognitive Communications and Networking, vol. 9, no. 6, 2023

  8. [8]

    DeepMA: End-to-end deep multiple access for wireless image transmission in semantic communication,

    W. Zhang, K. Bai, S. Zeadally, H. Zhang, H. Shao, H. Ma, and V . C. Leung, “DeepMA: End-to-end deep multiple access for wireless image transmission in semantic communication,”IEEE Transactions on Cognitive Communications and Networking, vol. 10, no. 2, 2023

  9. [9]

    Semantic feature division multiple access for digital semantic multiple access channels,

    B. Shen, S. Ma, R. Chen, Y . Wu, H. Li, G. Shi, S. Li, and N. Al-Dhahir, “Semantic feature division multiple access for digital semantic multiple access channels,”IEEE Transactions on Cognitive Communications and Networking, vol. 12, 2026

  10. [10]

    Multi-user wireless image semantic transmission over MIMO multiple access channels,

    B. Xie, Y . Wu, F. Shu, J. Wang, and W. Zhang, “Multi-user wireless image semantic transmission over MIMO multiple access channels,” IEEE Wireless Communications Letters, vol. 14, no. 7, 2025

  11. [11]

    Exploiting semantic communication for non- orthogonal multiple access,

    X. Mu and Y . Liu, “Exploiting semantic communication for non- orthogonal multiple access,”IEEE Journal on Selected Areas in Com- munications, vol. 41, no. 8, 2023

  12. [12]

    Is semantic communication secure? A tale of multi-domain adversarial attacks,

    Y . E. Sagduyu, T. Erpek, S. Ulukus, and A. Yener, “Is semantic communication secure? A tale of multi-domain adversarial attacks,”IEEE Communications Magazine, vol. 61, no. 11, 2023

  13. [13]

    Will 6G be semantic communications? Opportunities and challenges from task oriented and secure communications to integrated sensing,

    Y . E. Sagduyu, T. Erpek, A. Yener, and S. Ulukus, “Will 6G be semantic communications? Opportunities and challenges from task oriented and secure communications to integrated sensing,”IEEE Network, vol. 38, no. 6, 2024

  14. [14]

    Securing semantic com- munications against adversarial attacks,

    Y . E Sagduyu, A. Yener, and S. Ulukus, “Securing semantic com- munications against adversarial attacks,” inF oundations of Semantic Communication Networks. Wiley Online Library, 2025

  15. [15]

    Neural cleanse: Identifying and mitigating backdoor attacks in neural networks,

    B. Wang, Y . Yao, S. Shan, H. Li, B. Viswanath, H. Zheng, and B. Y . Zhao, “Neural cleanse: Identifying and mitigating backdoor attacks in neural networks,” inIEEE Symposium on Security and Privacy (SP), 2019

  16. [16]

    Task-oriented communications for NextG: End-to-end deep learning and AI security aspects,

    Y . E. Sagduyu, S. Ulukus, and A. Yener, “Task-oriented communications for NextG: End-to-end deep learning and AI security aspects,”IEEE Wireless Communications, vol. 30, no. 3, 2023

  17. [17]

    Vulnerabilities of deep learning-driven semantic communications to backdoor (Trojan) attacks,

    Y . E. Sagduyu, T. Erpek, S. Ulukus, and A. Yener, “Vulnerabilities of deep learning-driven semantic communications to backdoor (Trojan) attacks,” inIEEE Conference on Information Sciences and Systems (CISS), 2023

  18. [18]

    Backdoor attacks and defenses on semantic-symbol reconstruction in semantic communications,

    Y . Zhou, R. Q. Hu, and Y . Qian, “Backdoor attacks and defenses on semantic-symbol reconstruction in semantic communications,” inIEEE International Conference on Communications (ICC), 2024