Wireless Backdoor Attack and Defense for Semantic Communications over Multiple Access Channel
Pith reviewed 2026-06-30 03:00 UTC · model grok-4.3
The pith
A low-power over-the-air trigger can selectively backdoor semantic inference for one transmitter in a shared multiple access channel.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
In a semantic communication system where two transmitters send latent representations to a common receiver over a multiple access channel, an adversary can inject a low-power trigger waveform into the shared received signal during training. Re-transmitting this trigger during testing then selectively manipulates the semantic inference for one transmitter while leaving the other largely unaffected. A trigger-aware robust training method counters this by preserving correct labels under contaminated conditions.
What carries the argument
The selective over-the-air backdoor attack, in which the adversary's low-power trigger waveform is transmitted over the air and combined with the legitimate signals at the receiver.
If this is right
- The attack enables targeted manipulation of one user's semantic task without broadly disrupting the shared channel.
- Trigger-aware training during model development can restore correct semantic classification even under attack conditions.
- Shared-access semantic communication networks require defenses against such stealthy wireless injections.
Where Pith is reading between the lines
- Similar attacks could be adapted to systems with more than two transmitters if the trigger can be made selective.
- Defenses might need to include real-time trigger detection in addition to robust training.
- This highlights the need for physical-layer security measures tailored to semantic rather than bit-level communication.
Load-bearing premise
The training process at the receiver does not detect or remove the low-power external trigger waveform added to the received signals from the two transmitters.
What would settle it
Transmit the trigger waveform during the training phase of the semantic model and then again at test time; measure whether the semantic classification accuracy drops significantly for only one transmitter while remaining stable for the other.
Figures
read the original abstract
Semantic communication (SemCom) aims to preserve semantic meaning and task-oriented information beyond conventional message recovery over wireless channels. The adoption of SemCom in shared-access wireless networks introduces new vulnerabilities for multi-user semantic inference. This paper considers a SemCom system for two transmitters communicating with a common receiver over a multiple access channel. Each transmitter maps source information into latent semantic representations, while the receiver jointly reconstructs and classifies the semantic information for both transmitters. A selective over-the-air backdoor (Trojan) attack is presented in which an adversary transmits a low-power trigger waveform over the air and injects it into the shared received signal during training. By transmitting the trigger again during testing, this stealthy, low-power attack selectively manipulates the semantic inference for one transmitter while minimally affecting the inference of the other transmitter. To mitigate this vulnerability, a trigger-aware defense mechanism is developed to preserve correct semantic labels under trigger-contaminated wireless observations. The results demonstrate both the vulnerability of shared-access SemCom systems to selective over-the-air backdoor attacks and the effectiveness of trigger-aware robust training for semantic protection.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript describes a semantic communication (SemCom) setup with two transmitters jointly communicating semantic information to a common receiver over a multiple access channel (MAC). It introduces a selective over-the-air backdoor attack in which an adversary injects a low-power trigger waveform into the shared received signal during training; retransmission of the trigger at test time selectively alters the receiver's semantic inference for one transmitter while leaving the other largely unaffected. A trigger-aware robust training defense is proposed to preserve correct semantic labels under contaminated observations, with results claimed to demonstrate both the attack's effectiveness and the defense's mitigation.
Significance. If the experimental results hold, the work is significant because it identifies a practical, selective vulnerability in multi-user SemCom systems that arises specifically from the shared MAC and joint inference setting, and it supplies a concrete defense. The selective, low-power, over-the-air nature of the attack distinguishes it from conventional data-poisoning or model-replacement attacks and directly addresses an emerging security concern as SemCom moves toward shared-access deployments.
major comments (2)
- [Attack model and training procedure] The attack's central claim of stealth and selectivity rests on the assumption that a low-power trigger can contaminate training data without detection or mitigation (reader's weakest assumption). No quantitative characterization of trigger-to-signal power ratio, detection probability under standard training, or channel conditions under which the contamination remains invisible is supplied to support this load-bearing premise.
- [Defense mechanism and experimental evaluation] The defense is described as 'trigger-aware robust training,' yet the manuscript provides no ablation or comparison against standard robust-training baselines (e.g., adversarial training without trigger knowledge) or against simple anomaly-detection filters that might be applied at the receiver before training. This leaves open whether the reported protection is due to trigger awareness or to generic robustness techniques.
minor comments (2)
- [Abstract and results section] The abstract states that the attack 'minimally affecting the inference of the other transmitter,' but the full manuscript should report the exact degradation (e.g., accuracy drop or semantic similarity score) for the unaffected transmitter across the evaluated SNR range.
- [System model] Notation for the latent semantic representations and the joint reconstruction/classification loss at the receiver is introduced without an explicit equation or diagram; a compact system model equation would improve clarity.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback. We address the two major comments below and will revise the manuscript accordingly to provide the requested quantitative details and comparisons.
read point-by-point responses
-
Referee: [Attack model and training procedure] The attack's central claim of stealth and selectivity rests on the assumption that a low-power trigger can contaminate training data without detection or mitigation (reader's weakest assumption). No quantitative characterization of trigger-to-signal power ratio, detection probability under standard training, or channel conditions under which the contamination remains invisible is supplied to support this load-bearing premise.
Authors: We agree that a quantitative characterization of the trigger's stealth properties would strengthen the attack model. In the revised version we will add a dedicated subsection reporting the trigger-to-signal power ratios used in all experiments, together with detection-probability curves under standard training and under representative channel conditions (AWGN and Rayleigh fading). These additions will directly support the premise that the low-power contamination can remain undetected. revision: yes
-
Referee: [Defense mechanism and experimental evaluation] The defense is described as 'trigger-aware robust training,' yet the manuscript provides no ablation or comparison against standard robust-training baselines (e.g., adversarial training without trigger knowledge) or against simple anomaly-detection filters that might be applied at the receiver before training. This leaves open whether the reported protection is due to trigger awareness or to generic robustness techniques.
Authors: We accept that additional baselines are needed to isolate the benefit of trigger awareness. The revision will include new ablation experiments comparing trigger-aware robust training against (i) standard adversarial training that does not exploit trigger knowledge and (ii) simple anomaly-detection filters applied at the receiver prior to training. The results will clarify the incremental value of the proposed trigger-aware approach. revision: yes
Circularity Check
No significant circularity
full rationale
The paper presents an empirical attack-defense study on semantic communications over a MAC. The attack is defined as an adversary injecting a low-power trigger waveform during training and re-transmitting it at test time to selectively affect one transmitter's inference. The defense is a trigger-aware robust training procedure. These mechanisms are constructed and then evaluated via simulation results; no equations, parameter fits, or derivations are described that reduce the claimed outcomes to the inputs by construction. No self-citation chains or uniqueness theorems are invoked as load-bearing steps. The work is therefore self-contained as an empirical demonstration.
Axiom & Free-Parameter Ledger
Reference graph
Works this paper leans on
-
[1]
The semantic communication game,
B. G ¨uler, A. Yener, and A. Swami, “The semantic communication game,”IEEE Transactions on Cognitive Communications and Network- ing, vol. 4, no. 4, 2018
2018
-
[2]
Beyond transmitting bits: Context, semantics, and task-oriented communications,
D. G ¨und¨uz, Z. Qin, I. E. Aguerri, H. S. Dhillon, Z. Yang, A. Yener, K. K. Wong, and C.-B. Chae, “Beyond transmitting bits: Context, semantics, and task-oriented communications,”IEEE Journal on Selected Areas in Communications, vol. 41, no. 1, 2022
2022
-
[3]
Semantic communi- cations in networked systems: A data significance perspective,
E. Uysal, O. Kaya, A. Ephremides, J. Gross, M. Codreanu, P. Popovski, M. Assaad, G. Liva, A. Munari, B. Soretet al., “Semantic communi- cations in networked systems: A data significance perspective,”IEEE Network, vol. 36, no. 4, 2022
2022
-
[4]
A theory of semantic communication,
Y . Shao, Q. Cao, and D. G ¨und¨uz, “A theory of semantic communication,” IEEE Transactions on Mobile Computing, vol. 23, no. 12, 2024
2024
-
[5]
Deep learning enabled seman- tic communication systems,
H. Xie, Z. Qin, G. Y . Li, and B.-H. Juang, “Deep learning enabled seman- tic communication systems,”IEEE Transactions on Signal Processing, vol. 69, 2021
2021
-
[6]
Deep joint source-channel coding for semantic communications,
J. Xu, T.-Y . Tung, B. Ai, W. Chen, Y . Sun, and D. G ¨und¨uz, “Deep joint source-channel coding for semantic communications,”IEEE communi- cations Magazine, vol. 61, no. 11, 2023
2023
-
[7]
Non-orthogonal multiple access enhanced multi-user semantic communication,
W. Li, H. Liang, C. Dong, X. Xu, P. Zhang, and K. Liu, “Non-orthogonal multiple access enhanced multi-user semantic communication,”IEEE Transactions on Cognitive Communications and Networking, vol. 9, no. 6, 2023
2023
-
[8]
DeepMA: End-to-end deep multiple access for wireless image transmission in semantic communication,
W. Zhang, K. Bai, S. Zeadally, H. Zhang, H. Shao, H. Ma, and V . C. Leung, “DeepMA: End-to-end deep multiple access for wireless image transmission in semantic communication,”IEEE Transactions on Cognitive Communications and Networking, vol. 10, no. 2, 2023
2023
-
[9]
Semantic feature division multiple access for digital semantic multiple access channels,
B. Shen, S. Ma, R. Chen, Y . Wu, H. Li, G. Shi, S. Li, and N. Al-Dhahir, “Semantic feature division multiple access for digital semantic multiple access channels,”IEEE Transactions on Cognitive Communications and Networking, vol. 12, 2026
2026
-
[10]
Multi-user wireless image semantic transmission over MIMO multiple access channels,
B. Xie, Y . Wu, F. Shu, J. Wang, and W. Zhang, “Multi-user wireless image semantic transmission over MIMO multiple access channels,” IEEE Wireless Communications Letters, vol. 14, no. 7, 2025
2025
-
[11]
Exploiting semantic communication for non- orthogonal multiple access,
X. Mu and Y . Liu, “Exploiting semantic communication for non- orthogonal multiple access,”IEEE Journal on Selected Areas in Com- munications, vol. 41, no. 8, 2023
2023
-
[12]
Is semantic communication secure? A tale of multi-domain adversarial attacks,
Y . E. Sagduyu, T. Erpek, S. Ulukus, and A. Yener, “Is semantic communication secure? A tale of multi-domain adversarial attacks,”IEEE Communications Magazine, vol. 61, no. 11, 2023
2023
-
[13]
Will 6G be semantic communications? Opportunities and challenges from task oriented and secure communications to integrated sensing,
Y . E. Sagduyu, T. Erpek, A. Yener, and S. Ulukus, “Will 6G be semantic communications? Opportunities and challenges from task oriented and secure communications to integrated sensing,”IEEE Network, vol. 38, no. 6, 2024
2024
-
[14]
Securing semantic com- munications against adversarial attacks,
Y . E Sagduyu, A. Yener, and S. Ulukus, “Securing semantic com- munications against adversarial attacks,” inF oundations of Semantic Communication Networks. Wiley Online Library, 2025
2025
-
[15]
Neural cleanse: Identifying and mitigating backdoor attacks in neural networks,
B. Wang, Y . Yao, S. Shan, H. Li, B. Viswanath, H. Zheng, and B. Y . Zhao, “Neural cleanse: Identifying and mitigating backdoor attacks in neural networks,” inIEEE Symposium on Security and Privacy (SP), 2019
2019
-
[16]
Task-oriented communications for NextG: End-to-end deep learning and AI security aspects,
Y . E. Sagduyu, S. Ulukus, and A. Yener, “Task-oriented communications for NextG: End-to-end deep learning and AI security aspects,”IEEE Wireless Communications, vol. 30, no. 3, 2023
2023
-
[17]
Vulnerabilities of deep learning-driven semantic communications to backdoor (Trojan) attacks,
Y . E. Sagduyu, T. Erpek, S. Ulukus, and A. Yener, “Vulnerabilities of deep learning-driven semantic communications to backdoor (Trojan) attacks,” inIEEE Conference on Information Sciences and Systems (CISS), 2023
2023
-
[18]
Backdoor attacks and defenses on semantic-symbol reconstruction in semantic communications,
Y . Zhou, R. Q. Hu, and Y . Qian, “Backdoor attacks and defenses on semantic-symbol reconstruction in semantic communications,” inIEEE International Conference on Communications (ICC), 2024
2024
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.