Semantic communications seeks to transfer information from a source while conveying a desired meaning to its destination. We model the transmitter-receiver functionalities as an autoencoder followed by a task classifier that evaluates the meaning of the information conveyed to the receiver. The autoencoder consists of an encoder at the transmitter to jointly model source coding, channel coding, and modulation, and a decoder at the receiver to jointly model demodulation, channel decoding, and source decoding. By augmenting the reconstruction loss with a semantic loss, the two deep neural networks (DNNs) of this encoder-decoder pair are interactively trained with the DNN of the semantic task classifier. This approach effectively captures the latent feature space and reliably transfers compressed feature vectors with a small number of channel uses while keeping the semantic loss low. We identify the multi-domain security vulnerabilities of using the DNNs for semantic communications. Based on adversarial machine learning, we introduce test-time (targeted and non-targeted) adversarial attacks on the DNNs by manipulating their inputs at different stages of semantic communications. As a computer vision attack, small perturbations are injected into the images at the input of the transmitter's encoder. As a wireless attack, small perturbation signals are transmitted to interfere with the input of the receiver's decoder. By launching these stealth attacks individually or, more effectively, in a combined form as a multi-domain attack, we show that it is possible to change the semantics of the transferred information even when the reconstruction loss remains low. These multi-domain adversarial attacks pose a serious threat to the semantics of information transfer (with larger impact than conventional jamming) and raise the need for defense methods for the safe adoption of semantic communications.
translated by 谷歌翻译
This paper highlights vulnerabilities of deep learning-driven semantic communications to backdoor (Trojan) attacks. Semantic communications aims to convey a desired meaning while transferring information from a transmitter to its receiver. An encoder-decoder pair that is represented by two deep neural networks (DNNs) as part of an autoencoder is trained to reconstruct signals such as images at the receiver by transmitting latent features of small size over a limited number of channel uses. In the meantime, another DNN of a semantic task classifier at the receiver is jointly trained with the autoencoder to check the meaning conveyed to the receiver. The complex decision space of the DNNs makes semantic communications susceptible to adversarial manipulations. In a backdoor (Trojan) attack, the adversary adds triggers to a small portion of training samples and changes the label to a target label. When the transfer of images is considered, the triggers can be added to the images or, equivalently, to the corresponding transmitted or received signals. At test time, the adversary activates these triggers by providing poisoned samples as input to the encoder (or decoder) of semantic communications. The backdoor attack can effectively change the semantic information transferred for the poisoned input samples to a target meaning. As the performance of semantic communications improves with the signal-to-noise ratio and the number of channel uses, the success of the backdoor attack increases as well. Also, increasing the Trojan ratio in the training data makes the attack more successful. In the meantime, the effect of this attack on the unpoisoned input samples remains limited. Overall, this paper shows that the backdoor attack poses a serious threat to semantic communications and presents novel design guidelines to preserve the meaning of transferred information in the presence of backdoor attacks.
Communications systems to date are primarily designed with the goal of reliable (error-free) transfer of digital sequences (bits). Next generation (NextG) communication systems are beginning to explore shifting this design paradigm from reliably decoding bits to reliably executing a given task. Task-oriented communications system design is likely to find impactful applications, for example, by considering the relative importance of messages. In this paper, wireless signal classification is considered as the task to be performed in the NextG Radio Access Network (RAN) for signal intelligence and spectrum awareness applications such as user equipment (UE) identification and authentication, and incumbent signal detection for spectrum co-existence. For that purpose, edge devices collect wireless signals and communicate with the NextG base station (gNodeB) that needs to know the signal class. Edge devices may not have sufficient processing power and may not be trusted to perform the signal classification task, whereas the transfer of the captured signals from the edge devices to the gNodeB may not be efficient or even feasible subject to stringent delay, rate, and energy restrictions. We present a task-oriented communications approach, where all of the transmitter, receiver, and classifier functionalities are jointly trained as two deep neural networks (DNNs), one for the edge device and another for the gNodeB. We show that this approach achieves better accuracy with smaller DNNs compared to the baselines that treat communications and signal classification as two separate tasks. Finally, we discuss how adversarial machine learning poses a major security threat to the use of DNNs for task-oriented communications. We demonstrate the major performance loss under backdoor (Trojan) attacks and adversarial (evasion) attacks that target the training and test processes of task-oriented communications.
This paper presents channel-aware adversarial attacks against deep learning-based wireless signal classifiers. There is a transmitter that transmits signals with different modulation types. Each receiver uses a deep neural network to classify its over-the-air received signal into a modulation type. In the meantime, an adversary transmits an adversarial perturbation (subject to a power budget) to fool the receivers into making errors when classifying signals that are received as the superposition of the transmitted signal and the adversarial perturbation. First, these evasion attacks are shown to fail when the channel is not considered in the design of the adversarial perturbation. Then, realistic attacks are presented by considering the channel effects from the adversary to each receiver. After showing that a channel-aware attack is selective (i.e., it only affects the receiver whose channel is considered in the perturbation design), a broadcast adversarial attack is presented by crafting a common adversarial perturbation to simultaneously fool the classifiers at different receivers. By accounting for the different levels of information available about the channel, the transmitter input, and the classifier model, the major vulnerability of modulation classifiers to over-the-air adversarial attacks is shown. Finally, a certified defense based on randomized smoothing, which augments the training data with noise, is introduced to make the modulation classifier robust to adversarial perturbations.
Although semantic communications have shown satisfactory performance on a large number of tasks, the effects of semantic noise and the robustness of the system have not been well studied. Semantic noise refers to the mismatch between the intended semantic symbols and the received ones, which leads to task failure. In this paper, we first propose a framework for a robust end-to-end semantic communication system to combat semantic noise. In particular, we analyze sample-dependent and sample-independent semantic noise. To combat semantic noise, adversarial training with weight perturbation is developed to incorporate samples with semantic noise into the training dataset. Then, we propose to mask a portion of the input, where semantic noise appears frequently, and design a masked vector quantized-variational autoencoder (VQ-VAE) with a noise-related masking strategy. We use a discrete codebook shared by the transmitter and the receiver for the encoded feature representation. To further improve the system robustness, we develop a feature importance module (FIM) to suppress the noise-related and task-unrelated features. Thus, the transmitter only needs to transmit the indices of these important task-related features in the codebook. Simulation results show that the proposed method can be applied to many downstream tasks and significantly improves the robustness against semantic noise while significantly reducing the transmission overhead.
By moving from massive antennas to antenna surfaces for software-defined wireless systems, reconfigurable intelligent surfaces (RISs) rely on arrays of unit cells to control the scattering and reflection profiles of signals, mitigating propagation loss and multipath attenuation, and thereby improving coverage and spectral efficiency. In this paper, covert communication is considered in the presence of a RIS. While the RIS is boosting an ongoing transmission, the intended receiver and an eavesdropper each individually try to detect this transmission using their own deep neural network (DNN) classifiers. The RIS interaction vector is designed by balancing two (potentially conflicting) objectives: focusing the transmitted signal toward the receiver and steering the transmitted signal away from the eavesdropper. To boost covert communication, adversarial perturbations are added to the transmitter's signal to fool the eavesdropper's classifier while keeping the impact on the receiver low. Results from different network topologies show that the adversarial perturbation and the RIS interaction vector can be jointly designed to effectively increase the signal detection accuracy at the receiver while reducing the detection accuracy at the eavesdropper, thereby enabling covert communication.
The successful emergence of deep learning (DL) in wireless system applications has raised concerns about new security-related challenges. One such security challenge is adversarial attacks. Although there has been much work demonstrating the susceptibility of DL-based classification tasks to adversarial attacks, regression-based problems in wireless systems have not yet been studied from an attack perspective. The purpose of this paper is twofold: (i) we consider a regression problem in a wireless setting and show that adversarial attacks can break DL-based approaches, and (ii) we analyze the effectiveness of adversarial training as a defense technique in adversarial settings and show that the robustness of DL-based wireless systems against attacks improves significantly. Specifically, the wireless application considered in this paper is DL-based power allocation in the downlink of a multi-cell massive multi-input multi-output system, and the goal of the attack is to make the DL model produce infeasible solutions. We extend the gradient-based adversarial attacks, namely the fast gradient sign method (FGSM), momentum iterative FGSM, and the projected gradient descent method, to analyze the sensitivity of the considered wireless application with and without adversarial training. We analyze the performance of the deep neural network (DNN) model under these attacks, in which the adversarial perturbations are crafted using white-box and black-box attacks.
To date, communication systems have primarily aimed at reliably communicating bit sequences. This approach provides efficient engineering designs that are agnostic to the meaning of the messages or to the goal that the message exchange aims to achieve. However, next-generation systems can be enriched by folding message semantics and communication goals into their design. Furthermore, these systems can be made aware of the environment in which the communication exchange takes place, providing avenues for novel design insights. This tutorial summarizes the efforts to date, starting from early adaptations, semantic-aware and task-oriented communications, and covering foundations, algorithms, and potential implementations. The focus is on approaches that leverage information theory to provide the foundations, as well as on the significant role of learning in semantic and task-aware communications.
This paper presents a novel approach for the joint design of a reconfigurable intelligent surface (RIS) and a transmitter-receiver pair that are trained as a set of deep neural networks (DNNs) to optimize the end-to-end communication performance at the receiver. The RIS is a software-defined array of unit cells that can be controlled in terms of the scattering and reflection profiles to focus the incoming signal from the transmitter toward the receiver. The benefit of the RIS is to improve the coverage and spectral efficiency of wireless communications by overcoming physical obstructions of line-of-sight (LoS) links. The selection process of the RIS beam codeword (out of a predefined codebook) is formulated as a DNN, while the operations of the transmitter-receiver pair are modeled as two DNNs, one for the encoder (at the transmitter) and the other for the decoder (at the receiver) of an autoencoder, accounting for the channel effects, including those induced by the RIS in between. The underlying DNNs are jointly trained to minimize the symbol error rate at the receiver. Numerical results show that the proposed design achieves major gains in error performance with respect to various baseline schemes, where no RIS is used or the selection of the RIS beam is separated from the design of the transmitter-receiver pair.
Artificial intelligence (AI) will play an increasing role in cellular network deployment, configuration, and management. This paper examines the security implications of AI-driven 6G radio access networks (RANs). While the expected timeline for 6G standardization is still several years away, pre-standardization work related to 6G security is already underway and will benefit from fundamental and experimental research. Open RAN (O-RAN) describes an industry-driven open architecture and interfaces for building next-generation RANs with AI control. Considering this architecture, we identify critical threats to data-driven network and physical layer elements, the corresponding countermeasures, and research directions.
Semantic communication, as a breakthrough beyond the Shannon paradigm, aims at the successful transmission of the semantic information conveyed by the source rather than the accurate reception of each single symbol or bit regardless of its meaning. This article provides an overview of semantic communications. After a brief review of Shannon information theory, we discuss the theory, framework, and system design of semantic communications enabled by deep learning. Different from the symbol/bit error rate used to measure conventional communication systems, new performance metrics for semantic communications are also discussed. The article concludes with several open questions.
Video compression plays a crucial role in video streaming and classification systems by maximizing the end-user quality of experience (QoE) at a given bandwidth budget. In this paper, we conduct the first systematic study of adversarial attacks on deep learning-based video compression and downstream classification systems. Our attack framework, dubbed RoVISQ, manipulates the Rate-Distortion ($\textit{R}$-$\textit{D}$) relationship of a video compression model to achieve one or both of the following goals: (1) increasing the network bandwidth, (2) degrading the video quality for end-users. We further devise new objectives for targeted and untargeted attacks on a downstream video classification service. Finally, we design an input-invariant perturbation that universally disrupts video compression and classification systems in real time. Unlike previously proposed attacks on video classification, our adversarial perturbations are the first to withstand compression. We empirically show the resilience of RoVISQ attacks against various defenses, i.e., adversarial training, video denoising, and JPEG compression. Our extensive experimental results on various video datasets show that RoVISQ attacks deteriorate the peak signal-to-noise ratio by up to 5.6 dB and the bit-rate by up to $\sim$ 2.4$\times$ while achieving over 90$\%$ attack success rate on a downstream classifier. Our user study further demonstrates the effect of RoVISQ attacks on users' QoE.
Advances in deep learning have enabled a broad range of promising applications. However, these systems are vulnerable to adversarial machine learning (AML) attacks: deliberately crafted perturbations to their inputs can cause them to misclassify. Several state-of-the-art adversarial attacks have demonstrated that they can reliably fool classifiers, making these attacks a significant threat. Adversarial attack generation algorithms focus primarily on creating successful examples while controlling the noise magnitude and distribution to make detection more difficult. The underlying assumption of these attacks is that the adversarial noise is generated offline, making their execution time a secondary consideration. Recently, however, just-in-time adversarial attacks, in which an attacker opportunistically generates adversarial examples on the fly, have become possible. This paper introduces a new problem: how can we generate adversarial noise under real-time constraints to support such real-time adversarial attacks? Understanding this problem improves our understanding of the threat these attacks pose to real-time systems and provides security evaluation benchmarks for future defenses. Therefore, we first conduct a run-time analysis of adversarial generation algorithms. Universal attacks produce a general attack offline, with no online overhead, and can be applied to any input; however, because of their generality, their success rate is limited. In contrast, online algorithms, which work on a specific input, are computationally expensive, making them unsuitable for operation under time constraints. Thus, we propose ROOM, a novel real-time online-offline attack construction model in which an offline component serves to warm up the online algorithm, making it possible to generate highly successful attacks under time constraints.
Existing deep learning-enabled semantic communication systems often rely on shared background knowledge between the transmitter and the receiver that includes empirical data and their associated semantic information. In practice, the semantic information is defined by the pragmatic task of the receiver and cannot be known by the transmitter. The actual observable data at the transmitter can also have a different distribution from the empirical data in the shared background knowledge base. To address these practical issues, this paper proposes a new neural network-based semantic communication system for image transmission, where the task is unknown at the transmitter and the data environment is dynamic. The system consists of two main parts, namely the semantic coding (SC) network and the data adaptation (DA) network. The SC network learns how to extract and transmit the semantic information using a receiver-led training process. By using the domain adaptation technique of transfer learning, the DA network learns how to convert the observed data into a form similar to the empirical data that the SC network can process without retraining. Numerical experiments show that the proposed method can adapt to observable datasets while maintaining high performance in terms of both data recovery and task execution.
With rapid progress and significant successes in a wide spectrum of applications, deep learning is being applied in many safety-critical environments. However, deep neural networks have recently been found vulnerable to well-designed input samples, called adversarial examples. Adversarial perturbations are imperceptible to humans but can easily fool deep neural networks in the testing/deploying stage. The vulnerability to adversarial examples has become one of the major risks for applying deep neural networks in safety-critical environments. Therefore, attacks and defenses on adversarial examples have drawn great attention. In this paper, we review recent findings on adversarial examples for deep neural networks, summarize the methods for generating adversarial examples, and propose a taxonomy of these methods. Under the taxonomy, applications for adversarial examples are investigated. We further elaborate on countermeasures for adversarial examples. In addition, three major challenges in adversarial examples and the potential solutions are discussed.
With the rapid advancement and increased use of deep learning models in image recognition, security becomes a major concern for their deployment in safety-critical systems. Since the accuracy and robustness of deep learning models are primarily attributed to the purity of the training samples, deep learning architectures are often susceptible to adversarial attacks. Adversarial attacks are often obtained by making subtle perturbations to normal images, which are mostly imperceptible to humans but can severely confuse state-of-the-art machine learning models. We propose a framework, named APuDAE, that leverages denoising autoencoders (DAEs) to purify these samples by using them in an adaptive way, thereby improving the classification accuracy of the target classifier networks that have been attacked. We also show how using DAEs adaptively, rather than using them directly, further improves the classification accuracy and is more robust to the possibility of adaptive attacks designed to fool them. We demonstrate our results on the MNIST, CIFAR-10, and ImageNet datasets and show how our framework (APuDAE) provides comparable and, in most cases, better performance than the baseline methods in purifying adversaries. We also design adaptive attacks specifically crafted to attack our purifying model and demonstrate how robust our defense is.
Recent works have shown that modern machine learning techniques can provide an alternative approach to the long-standing joint source-channel coding (JSCC) problem. Very promising initial results, superior to popular digital schemes that use separate source and channel codes, have been demonstrated for wireless image and video transmission using deep neural networks (DNNs). However, end-to-end training of such schemes requires a differentiable channel input representation; hence, prior works have assumed that any complex value can be transmitted over the channel. This prevents the application of these codes in scenarios where the hardware or protocol can only admit certain sets of channel inputs prescribed by a digital constellation. In this paper, we propose DeepJSCC-Q, an end-to-end optimized JSCC solution with a finite channel input alphabet. We show that DeepJSCC-Q can achieve performance similar to prior works that allow any complex-valued channel input, especially when high modulation orders are available, and that the performance asymptotically approaches the unconstrained channel input case as the modulation order increases. Importantly, DeepJSCC-Q preserves the graceful degradation of image quality under unpredictable channel conditions, a desirable property for deployment in mobile systems where the channel changes rapidly.
With the rapid advancement and increased use of deep learning models in image recognition, security becomes a major concern for their deployment in safety-critical systems. Since the accuracy and robustness of deep learning models are primarily attributed to the purity of the training samples, deep learning architectures are often susceptible to adversarial attacks. Adversarial attacks are obtained by making subtle perturbations to normal images, which are mostly imperceptible to humans but can severely confuse state-of-the-art machine learning models. What particular intelligent perturbation or noise, when added to a normal image, causes catastrophic misclassification by deep neural networks? Using statistical hypothesis testing, we find that conditional variational autoencoders (CVAEs) are surprisingly good at detecting imperceptible image perturbations. In this paper, we show how CVAEs can be effectively used to detect adversarial attacks on image classification networks. We demonstrate our results on the CIFAR-10 dataset and show how our method provides performance comparable to prior methods in detecting adversaries while not being confused by noisy images, where most existing methods falter.
The classical communication paradigm focuses on accurately transmitting bits over a noisy channel, and Shannon theory provides a fundamental theoretical limit on the rate of reliable communication. In this approach, bits are treated equally, and the communication system is oblivious to what meaning these bits convey or how they would be used. Predictably, future communication will be dominated by the pursuit of intelligence and conciseness, and the proliferation of connected intelligent agents requires a radical rethinking of the coded transmission paradigm to support the new communication morphology on the horizon. The recent concept of "semantic communications" offers a promising research direction. Injecting semantic guidance into the coded transmission design to achieve semantic-aware communications shows great potential for further breakthroughs in efficiency and reliability. This article elucidates semantic-guided source and channel coding as a transmission paradigm for semantic communications, which can exploit both the diversity of data semantics and wireless channel diversity to enhance the overall system performance. We introduce the general system architecture and key techniques, and point out some open issues on this topic.
This paper presents a game-theoretic framework to study the interactions of attack and defense for deep learning-based NextG signal classification. NextG systems such as the one envisioned for a massive number of IoT devices can employ deep neural networks (DNNs) for various tasks such as user equipment identification, physical layer authentication, and detection of incumbent users (such as in the Citizens Broadband Radio Service (CBRS) band). By training another DNN as the surrogate model, an adversary can launch an inference (exploratory) attack to learn the behavior of the victim model, predict successful operation modes (e.g., channel access), and jam them. A defense mechanism can increase the adversary's uncertainty by introducing controlled errors in the victim model's decisions (i.e., poisoning the adversary's training data). This defense is effective against an attack but reduces the performance when there is no attack. The interactions between the defender and the adversary are formulated as a non-cooperative game, where the defender selects the probability of defending or the defense level itself (i.e., the ratio of falsified decisions) and the adversary selects the probability of attacking. The defender's objective is to maximize its reward (e.g., throughput or transmission success ratio), whereas the adversary's objective is to minimize this reward and its attack cost. The Nash equilibrium strategies are determined as operation modes such that no player can unilaterally improve its utility given that the other's strategy is fixed. A fictitious play is formulated for each player to play the game repeatedly in response to the empirical frequency of the opponent's actions. The performance in Nash equilibrium is compared to the fixed attack and defense cases, and the resilience of NextG signal classification against attacks is quantified.