DeepGuard: Defending Deep Joint Source-Channel Coding Against Eavesdropping at Physical-Layer
Deep joint source-channel coding (DeepJSCC) has emerged as a promising paradigm for efficient and robust information transmission. However, its intrinsic characteristics also pose new security challenges, notably an increased vulnerability to eavesdropping attacks. Existing studies on defending against eavesdropping attacks in DeepJSCC, while demonstrating certain effectiveness, often incur considerable computational overhead or introduce performance trade-offs that may adversely affect legitimate users. In this paper, we present DeepGuard, to the best of our knowledge, the first physical-layer defense framework for DeepJSCC against eavesdropping attacks, validated through over-the-air experiments using software-defined radios (SDRs). Considering that existing eavesdropping attacks against DeepJSCC are limited to simulation under ideal channels, we take a step further by identifying and implementing four representative types of attacks under various configurations in orthogonal frequency-division multiplexing systems. These attacks are evaluated over-the-air under diverse scenarios, allowing us to comprehensively characterize the real-world threat landscape. To mitigate these threats, DeepGuard introduces a novel preamble perturbation mechanism that modifies the preamble shared only between legitimate transceivers. To realize it, we first conduct a theoretical analysis of the perturbation’s impact on the signals intercepted by the eavesdropper. Building upon this, we develop an end-to-end perturbation optimization algorithm that significantly degrades eavesdropping performance while preserving reliable communication for legitimate users. We prototype DeepGuard using SDRs and conduct extensive over-the-air experiments in practical scenarios. Extensive experiments demonstrate that DeepGuard effectively mitigates eavesdropping threats.
💡 Research Summary
Deep joint source‑channel coding (DeepJSCC) has emerged as a powerful paradigm that jointly compresses and transmits semantic data using end‑to‑end trained neural networks. While this approach yields impressive robustness, especially in low‑SNR regimes, it also introduces a new class of security risks: the transmitted latent representations carry rich semantic information that can be recovered by a passive eavesdropper. Existing defenses against eavesdropping on DeepJSCC are largely simulation‑based, assume that the eavesdropper experiences a worse channel than the legitimate user, and often incur heavy computational overhead or degrade the legitimate user’s quality of service.
The paper “DeepGuard: Defending Deep Joint Source‑Channel Coding Against Eavesdropping at Physical‑Layer” addresses these gaps by (1) constructing a realistic threat model, (2) implementing four representative eavesdropping attacks on an OFDM‑based DeepJSCC system using software‑defined radios (SDRs), and (3) proposing a novel, lightweight physical‑layer defense called DeepGuard.
Threat model and attacks
The authors identify four practical attack strategies: (i) standard‑preamble recovery, where the adversary uses the conventional OFDM preamble to estimate the channel and decode the signal; (ii) channel‑estimation‑error amplification, where the adversary deliberately injects estimation errors; (iii) multi‑antenna collaborative eavesdropping that exploits spatial diversity to improve SNR; and (iv) model‑inversion attacks that attempt to reconstruct or approximate the target DeepJSCC encoder/decoder. Each attack is realized on SDR hardware (e.g., USRP) and evaluated under diverse real‑world conditions, including indoor/outdoor environments, line‑of‑sight and non‑line‑of‑sight fading, and varying bandwidths and transmit powers. The experiments confirm that DeepJSCC’s semantic features can be recovered with non‑trivial quality even when the eavesdropper’s channel is comparable to or better than that of the legitimate receiver.
DeepGuard design
DeepGuard’s core idea is to perturb the OFDM preamble—a deterministic sequence used for synchronization and channel estimation—by adding a carefully crafted perturbation vector that is known only to the legitimate transmitter and receiver. The legitimate receiver, having the same perturbation, can remove it before channel estimation, thus preserving normal decoding performance. An eavesdropper that assumes the standard preamble will obtain a severely biased channel estimate, leading to large demodulation errors and dramatically reduced reconstruction quality.
The authors first provide a theoretical analysis that quantifies how a perturbation of a given magnitude influences the mean-square error of the eavesdropper's channel estimate and, consequently, the peak signal-to-noise ratio (PSNR) of the reconstructed image. Building on this analysis, they formulate an end-to-end optimization problem: minimize the eavesdropper's PSNR (or classification accuracy) while constraining the legitimate user's PSNR degradation to less than a small threshold (e.g., 0.2 dB). The optimization is performed offline; only the perturbation vector is stored and applied during transmission. No additional neural network training or runtime processing is required, making DeepGuard computationally lightweight.
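The mechanism described in this section can be reproduced in a small frequency-domain simulation. The following is an added example, not code from the paper or its authors: it assumes one flat gain per subcarrier, least-squares channel estimation, an eavesdropper on the same channel as the legitimate receiver, and a random fixed-magnitude perturbation standing in for the paper's optimized vector. The function name `simulate` and its parameters are hypothetical.

```python
import cmath
import random


def simulate(n_sub=64, eps=0.5, noise_std=0.005, seed=7):
    """Return (legit_mse, eve_mse) of equalized data symbols for one frame.

    Constructed frequency-domain model: Y_k = H_k * S_k + N_k per subcarrier.
    """
    rng = random.Random(seed)

    def unit():  # random unit-modulus complex number
        return cmath.exp(2j * cmath.pi * rng.random())

    def noise(std):  # complex Gaussian sample
        return complex(rng.gauss(0, std), rng.gauss(0, std))

    # Public preamble known to everyone, including the eavesdropper.
    p_std = [unit() for _ in range(n_sub)]
    # Secret perturbation: random phase, magnitude eps (assumption; the
    # paper optimizes this vector, here it is only a stand-in).
    delta = [eps * unit() for _ in range(n_sub)]
    p_tx = [p + d for p, d in zip(p_std, delta)]

    # Constructed channel gains (|H| in [0.5, 1.5], no deep fades) and
    # continuous-valued latent symbols standing in for DeepJSCC output.
    h = [rng.uniform(0.5, 1.5) * unit() for _ in range(n_sub)]
    x = [noise(0.7071) for _ in range(n_sub)]

    y_pre = [hk * pk + noise(noise_std) for hk, pk in zip(h, p_tx)]
    y_dat = [hk * xk + noise(noise_std) for hk, xk in zip(h, x)]

    def equalized_mse(p_assumed):
        # Least-squares estimate H_hat = Y_pre / P_assumed, then zero-forcing.
        h_hat = [y / p for y, p in zip(y_pre, p_assumed)]
        x_hat = [y / hh for y, hh in zip(y_dat, h_hat)]
        return sum(abs(a - b) ** 2 for a, b in zip(x_hat, x)) / n_sub

    # Legitimate receiver knows p_tx; eavesdropper assumes p_std and gets
    # H_hat = H * (1 + delta/P) + noise, a multiplicative bias on every tone.
    return equalized_mse(p_tx), equalized_mse(p_std)


if __name__ == "__main__":
    for e in (0.0, 0.25, 0.5):
        print(e, simulate(eps=e))
```

With `eps=0` both receivers see the same error, which is the undefended baseline; raising `eps` leaves the legitimate error near the noise floor while the eavesdropper's error grows with the bias term.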
Experimental results
Prototype implementations of DeepGuard on SDR platforms demonstrate that, across all four attack scenarios, the eavesdropper’s PSNR can be reduced by up to 29 dB and image classification accuracy can drop by as much as 91 percentage points, while the legitimate user experiences negligible quality loss (≤0.3 dB PSNR drop). The defense remains effective regardless of whether the eavesdropper enjoys a better channel, confirming its channel‑agnostic nature. Moreover, DeepGuard can be inserted as a plug‑in module into existing DeepJSCC pipelines without modifying the encoder/decoder architecture, and it can be combined with other security mechanisms (e.g., encryption, privacy‑preserving loss functions) for layered protection.
Strengths and limitations
Strengths include: (1) a thorough real‑world evaluation using over‑the‑air SDR experiments, which is rare in the DeepJSCC security literature; (2) a novel use of preamble perturbation that exploits a fundamental OFDM primitive, achieving strong security with virtually no runtime overhead; (3) a clear theoretical foundation linking perturbation magnitude to eavesdropper performance; (4) demonstrated compatibility with existing systems and the possibility of stacking with other defenses.
Limitations are primarily related to the reliance on a shared secret perturbation. Secure key distribution and management become critical; if the perturbation is compromised, the defense collapses. The effectiveness also depends on the length and structure of the preamble—short or highly constrained preambles may limit the achievable perturbation energy without harming synchronization. Finally, the paper focuses on image transmission; extending the analysis to video, speech, or multimodal data may reveal new challenges.
Future directions
Potential extensions include dynamic or adaptive perturbation updates driven by a lightweight key‑exchange protocol, multi‑preamble or frequency‑diverse perturbation schemes to increase entropy, and exploration of adversarial learning where the eavesdropper attempts to infer the perturbation and adapt its decoder. Applying DeepGuard to other modalities (e.g., video streaming, audio codecs) and integrating it with higher‑layer cryptographic primitives could yield a comprehensive, multi‑layer security framework for semantic communications.
In summary, DeepGuard represents the first experimentally validated physical‑layer defense for DeepJSCC against passive eavesdropping. By subtly corrupting the shared preamble, it delivers substantial security gains without sacrificing the inherent efficiency and robustness of DeepJSCC, paving the way for secure semantic communication systems in real‑world wireless networks.