Papers
Topics
Authors
Recent
Search
2000 character limit reached

Toward Polymorphic Backdoor against Semantic Communication via Intensity-Based Poisoning

Published 25 Apr 2026 in cs.CR and cs.AI | (2604.23231v1)

Abstract: Semantic Communication (SC) backdoor attacks aim to utilize triggers to manipulate the system into producing predetermined outputs via backdoored shared knowledge. Current SC backdoors adopt monomorphic paradigms with single attack target, which suffers from limited attack diversity, efficiency, and flexibility in heterogeneous downstream scenarios. To overcome the limitations, we propose SemBugger, a polymorphic SC backdoor. By dynamically adjusting the trigger intensity, SemBugger finely-grained controls over the SC knowledge to generate diverse malicious results from the system. Specifically, SemBugger is realized through a multi-effect poisoning-training framework. It introduces graded-intensity triggers to poison training data and optimizes SC systems with hierarchical malicious loss. The trained system's knowledge dynamically adapts to trigger intensity in inputs to yield target outputs, all while preserving transmission fidelity for benign samples. Moreover, to augment SC security, we propose a provable robustness defense that resists SemBugger's homogeneous attacks through a controlled noise mechanism. It operates via strategically adding noise in SC inputs, and we formally provide a theoretical lower bound on the defense efficacy. Experiments across diverse SC models and benchmark datasets indicate that SemBugger attains high attack efficacy while maintaining the regular functionality of SC systems. Meanwhile, the designed defense effectively neutralizes SemBugger attacks.

Summary

  • The paper introduces SemBugger, a polymorphic backdoor that uses intensity-based poisoning to enable dynamic control over malicious outputs in semantic communication systems.
  • It employs a hierarchical training framework and multi-intensity trigger injection to achieve over 99% attack success rate while maintaining benign performance with minimal fidelity loss.
  • The study also proposes a model-agnostic semantic smoothing defense that effectively nulls triggers and preserves transmission quality with negligible computational overhead.

Polymorphic Backdoor Attacks in Semantic Communication: Intensity-Based Poisoning with SemBugger

Introduction and Motivation

Semantic Communication (SC) systems represent a paradigm shift from traditional Shannon-style transmission by exploiting shared knowledge or semantic mappings to transmit only task-relevant semantic units. This approach is pivotal in applications such as XR, V2X, Smart IoT, and Intelligent City due to its bandwidth efficiency and adaptability. However, the inherent reliance on shared knowledge renders SC systems susceptible to backdoor threats, where adversaries implant malicious behaviors via data poisoning that cause erroneous outputs if specific triggers are present, while retaining normal performance for benign data. Figure 1

Figure 1: Backdoor attacks against SC systems via trigger embedding, causing poisoned data to yield malicious outputs while preserving regular function on benign samples.

Existing SC backdoor attacks are characteristically monomorphic: they operate with a single, static trigger-to-target mapping, limiting attack diversity and flexibility. This misalignment is particularly acute in multi-user or heterogeneous scenarios, demanding more versatile manipulation strategies.

The presented paper introduces SemBugger, a polymorphic backdoor that allows granular control over malicious outputs via dynamically adjusted trigger intensity, utilizing a multi-effect poisoning-training framework. This innovation enables adversaries to regulate output results based on trigger strength, substantially advancing both the flexibility and efficacy of SC backdoor attacks.

Methodology: SemBugger Framework

SemBugger's design is predicated on three requirements: flexibility (multi-target regulation), stealthiness (minimal system impact), and imperceptibility (triggers indistinguishable from legitimate data).

The attack embedding is achieved through multi-intensity trigger injection and hierarchical loss optimization:

  1. Multi-Dimensional Data Poisoning: Trigger patterns, generated via a neural network (Attention U-Net), are embedded at varying intensity levels into victim samples selected from training data. Each trigger intensity corresponds to a distinct malicious target, enabling polymorphic attack behavior.
  2. Hierarchical Backdoor Training: The SC model is trained with a mix of poisoned and clean data using a composite loss comprising: (i) multi-target loss (drive output to each malicious goal); (ii) system integrity loss (preserve benign transmission); (iii) trigger imperceptibility loss (maximize visual and statistical similarity to original data); and (iv) semantic contrastive loss (separate poisoned/benign latent spaces to ensure robust activation). Figure 2

    Figure 2: SemBugger injects multi-intensity triggers during training, enabling differential control over hostile outputs while maintaining benign functionality.

Upon deployment, adversaries can embed a trigger of desired intensity into input, causing the system to reconstruct a corresponding malicious target, rather than being limited to a single outcome.

Certified Defense: Semantic Smoothing

The paper proposes a model-agnostic, training-free defense using semantic smoothing: prior to transmission, input data is perturbed with smoothed Gaussian noise, which effectively masks triggers and prevents backdoor activation. The defense method comes with provable robustness guarantees characterized by a formal lower bound on protective efficacy. The transmitter averages the output results over these noise perturbations, suppressing the latent trigger’s statistical effects while preserving normal transmission. Figure 3

Figure 3: Defense deployment adds smoothed noise to inputs, nullifying triggers without affecting benign transmission.

Experimental Results: Efficacy and Stealthiness

SemBugger was benchmarked across five SC architectures—JSCC, JSCC-f, JSCC-q, SCAN, SemCC—and four datasets (MNIST, F-MNIST, CIFAR-10, ImageNet), under varying SNR conditions.

Attack Success Rate (ASR):

  • SemBugger achieves near-perfect ASR (>99%99\%) across all architectures and datasets at standard SNR ($25$\,dB), outperforming SOTA attacks (SC Trojan, BASS, IHTG) which are capped at 97%97\%.
  • Even under harsh channel (SNR $5$\,dB), SemBugger retains high ASR (>94%94\%), demonstrating resilience to channel distortion. Figure 4

    Figure 4: ASR across SNRs—SemBugger shows persistent advantage, particularly in low-SNR regimes.

Attack Stealthiness (Δ\DeltaPSNR):

  • SemBugger maintains minimal degradation, with Δ\DeltaPSNR typically <2<2\,dB compared to clean systems, substantially lower than baseline attacks.
  • System fidelity for benign data is virtually unaffected. Figure 5

    Figure 5: Clean data PSNR across SNRs—SemBugger minimizes efficiency loss compared to other backdoors.

Imperceptibility:

  • Adversarial examples generated by SemBugger are visually congruent with original data (SSIM >95%>95\%), outperforming SC Trojan and BASS, and equalling the concealment of IHTG. Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6: Attack (poisoned) data—SemBugger’s triggers are imperceptible, matching SOTA stealth attacks, unlike the visible artifacts of patch-based methods.

Downstream Impact and Robustness:

  • Classification accuracy drops by less than 1%1\% post-attack, evidencing negligible impact on regular tasks.
  • SemBugger is robust to spatial cropping, maintaining ASR above $25$0 even with $25$1 cropped triggers.

Ablation Studies

Compression Rate and Poisoning Rate:

  • ASR improves with higher compression rates, stabilizing above $25$2 at $25$3 for all datasets.
  • SemBugger remains effective at low poisoning rates ($25$4 yields ASR$25$5; ASR approaches $25$6 as $25$7 increases). Figure 7

    Figure 7: Poisoning rate ($25$8) vs. ASR under SNR $25$9\,dB—SemBugger achieves high efficacy even at low infection levels.

    Figure 8

    Figure 8: Poisoning rate (97%97\%0) vs. ASR under SNR 97%97\%1\,dB—high robustness is maintained across all datasets.

Defense Evaluation

  • Semantic smoothing defense suppresses SemBugger’s ASR to sub-percent levels (97%97\%2) in all tested systems and datasets, even under low SNR.
  • Transmission quality on benign data is preserved (97%97\%3PSNR 97%97\%4\,dB).
  • Task-level impact is minimal (<97%97\%5 reduction in classification accuracy).
  • Computational cost is negligible (mean processing time 97%97\%6\,ms/sample).

Implications and Future Developments

The SemBugger methodology marks a substantial shift in adversarial threat models for SC by introducing polymorphic control, considerably elevating the flexibility, efficiency, and stealth of backdoor attacks. The formalized defense mechanism adds a certified robustness layer, providing rigorous guarantees for secure SC deployment, and sets a foundation for model-agnostic, plug-and-play defensive practices.

Practically, SemBugger’s approach is deployable in multi-user and heterogeneous communication scenarios, with implications for watermarking, access control, and adversary evaluation pipelines. The theoretical insights into hierarchical loss coupling and contrastive latent space separation are relevant for future adversarial resilience and adaptive defense research.

Continued development will focus on distributed poisoning, cross-client telecom, and broader network scenarios, including federated and multi-modal SC architectures.

Conclusion

This work establishes the first polymorphic backdoor for semantic communication, enabling adversaries to manipulate SC systems for multiple distinct reconstruction targets via intensity-based trigger embedding. Empirical evidence confirms overwhelming attack efficacy with minimal compromise to benign performance and imperceptibility standards, while the certified semantic smoothing defense offers robust, practical mitigation. The paper advances both offensive and defensive paradigms for SC, with implications for the theoretical modeling and the secure deployment of AI-powered communication networks.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.