[Paper] Verifying DNN-based Semantic Communication Against Generative Adversarial Noise

Source: arXiv - 2602.08801v1

Overview

Semantic communication (SemCom) systems—where deep neural networks (DNNs) transmit only the “meaningful” parts of a signal—are rapidly entering safety‑critical domains such as autonomous driving and industrial IoT. The paper Verifying DNN‑based Semantic Communication Against Generative Adversarial Noise introduces VSCAN, a verification framework that gives formal robustness guarantees for end‑to‑end SemCom pipelines against sophisticated adversarial noise, something existing empirical defenses cannot promise.

Key Contributions

• VSCAN framework that translates realistic adversarial constraints (power budget, statistical undetectability) into mixed‑integer linear constraints, enabling the use of state‑of‑the‑art DNN verifiers.
• End‑to‑end verification across the full SemCom stack: encoder, decoder, and downstream task model (e.g., object detection).
• Comprehensive evaluation on 600 formally specified robustness properties, demonstrating that VSCAN can both discover vulnerabilities and certify robustness for 44 % of them.
• Quantitative security‑efficiency trade‑off: showing that a compact 16‑dimensional latent space yields ~50 % verified robustness, whereas a 64‑dimensional space drops dramatically, guiding designers on latent‑space sizing.
• Open‑source artifact (or at least a reproducible benchmark) that can be reused for other DNN‑based communication pipelines.

Methodology

1. Threat model – The attacker can inject generative adversarial noise into the transmitted semantic vector, but must respect a power limit (‖δ‖₂ ≤ ε) and remain statistically indistinguishable from natural channel noise (e.g., matching a Gaussian distribution).
2. Formal encoding – These constraints are expressed as logical formulas that combine linear inequalities (for power) and statistical tests (e.g., chi‑square bounds). The whole SemCom pipeline (encoder → channel → decoder → task model) is unrolled into a single computational graph.
3. Mixed‑Integer Programming (MIP) – The graph is transformed into a mixed‑integer linear program (MILP) where ReLU activations become binary variables. This MILP captures all possible adversarial perturbations that satisfy the threat model.
4. Verification engine – Existing DNN verifiers (e.g., Marabou, ERAN) are fed the MILP. The solver either proves that the task model’s output never crosses a safety threshold (robustness) or produces a concrete counter‑example (an adversarial vector).
5. Property specification – Robustness properties are written as “if the true input belongs to class A, then after any admissible noise the decoded output must still be classified as A”. A suite of 600 such properties covers different attacker capabilities and latent‑space sizes.

Results & Findings

Overall, VSCAN matches the best known attack methods in exposing weaknesses while adding a formal guarantee for a substantial fraction of cases—something no prior work achieved for multi‑network SemCom pipelines.

Practical Implications

• Design‑time security assessment – Engineers can run VSCAN early in the product lifecycle to decide how many latent dimensions are acceptable for a given safety budget.
• Regulatory compliance – Formal robustness certificates could become part of safety standards for autonomous vehicles or industrial control systems that rely on SemCom.
• Adaptive encoding – The trade‑off insight suggests dynamic latent‑space sizing: use a compact representation when bandwidth is tight and the environment is high‑risk, switch to richer encoding only when safety margins are relaxed.
• Tool integration – VSCAN can be wrapped as a CI‑pipeline step, automatically rejecting model updates that break verified properties.
• Broader DNN‑based communication – The verification pipeline is agnostic to the specific encoder/decoder architecture, so it can protect future 6G semantic radio, edge‑AI video streaming, or federated learning pipelines.

Limitations & Future Work

• Scalability – MILP‑based verification still struggles with very deep networks or large latent spaces; verification time can become prohibitive beyond ~100 M parameters.
• Threat model scope – The current statistical undetectability constraint assumes Gaussian channel noise; more exotic channel models (e.g., burst errors, fading) are not yet covered.
• Partial certification – Only 44 % of properties could be proved; the remaining cases may be due to solver limits rather than actual insecurity.
• Future directions – The authors propose tighter relaxations for ReLU encodings, incorporation of probabilistic verification (to handle stochastic channels), and extending VSCAN to support quantized or spiking neural encoders common in ultra‑low‑power IoT devices.

Bottom line: VSCAN bridges the gap between empirical adversarial testing and provable safety for semantic communication systems, giving developers a concrete, mathematically‑backed way to reason about the security of DNN‑driven pipelines that are poised to become the backbone of next‑generation, bandwidth‑constrained, safety‑critical applications.

Authors

• Thanh Le
• Hai Duong
• ThanhVu Nguyen
• Takeshi Matsumura

Paper Information

• arXiv ID: 2602.08801v1
• Categories: cs.LO, cs.SE
• Published: February 9, 2026
• PDF: Download PDF