ML Security PapersToward Polymorphic Backdoor against Semantic Communication via Intensity-Based Poisoning
Xiao Yang 1, Yuni Lai 2, Gaolei Li 1, Jun Wu 1, Kai Zhou 2, Jianhua Li 1, Mingzhe Chen 3
Published on arXiv
2604.23231
Model Poisoning
OWASP ML Top 10 — ML10
Data Poisoning Attack
OWASP ML Top 10 — ML02
Key Finding
Achieves high attack efficacy with multiple target outputs controlled by trigger intensity while maintaining normal transmission fidelity for benign samples
SemBugger
Novel technique introduced
Semantic Communication (SC) backdoor attacks aim to utilize triggers to manipulate the system into producing predetermined outputs via backdoored shared knowledge. Current SC backdoors adopt monomorphic paradigms with single attack target, which suffers from limited attack diversity, efficiency, and flexibility in heterogeneous downstream scenarios. To overcome the limitations, we propose SemBugger, a polymorphic SC backdoor. By dynamically adjusting the trigger intensity, SemBugger finely-grained controls over the SC knowledge to generate diverse malicious results from the system. Specifically, SemBugger is realized through a multi-effect poisoning-training framework. It introduces graded-intensity triggers to poison training data and optimizes SC systems with hierarchical malicious loss. The trained system's knowledge dynamically adapts to trigger intensity in inputs to yield target outputs, all while preserving transmission fidelity for benign samples. Moreover, to augment SC security, we propose a provable robustness defense that resists SemBugger's homogeneous attacks through a controlled noise mechanism. It operates via strategically adding noise in SC inputs, and we formally provide a theoretical lower bound on the defense efficacy. Experiments across diverse SC models and benchmark datasets indicate that SemBugger attains high attack efficacy while maintaining the regular functionality of SC systems. Meanwhile, the designed defense effectively neutralizes SemBugger attacks.
Key Contributions
- SemBugger: first polymorphic backdoor for semantic communication enabling multiple attack targets via intensity-graded triggers
- Multi-effect poisoning-training framework with hierarchical malicious loss for fine-grained control over backdoored knowledge
- Provable robustness defense with theoretical lower bound on defense efficacy against homogeneous backdoor attacks
🛡️ Threat Analysis
Attack is realized through data poisoning—introducing graded-intensity triggers into training data and optimizing with hierarchical malicious loss to corrupt the shared knowledgebase.
Core contribution is a backdoor attack (SemBugger) that embeds trigger-activated malicious behavior in semantic communication systems through poisoned training, with intensity-graded triggers enabling multiple target outputs.