A Survey on Semantic Communication Networks: Architecture, Security, and Privacy

As the top-level management and orchestration component, this layer is mainly responsible for three functions, i.e., maintenance of the KBs, task scheduling, and overall resources coordination, covering key aspects of network management including data & knowledge, operation, and resources.

(i) Maintenance of knowledge bases: This layer manages multiple shared KBs to enhance the semantic understanding and reasoning abilities of agents in SemComNet. To cater to diverse SemComNet applications, these KBs contain diverse shared semantic models (i.e., semantic codecs) and comprehensive contextual knowledge (e.g., source data, CSI, and communication task requirements). On the one hand, agents need to deploy diverse semantic models for efficient SI extraction, reasoning, and reconstruction in various SemComNet applications. However, training these models proves to be both time-consuming and expensive for agents. In response, this layer provides various shared semantic models for agents, enabling swift transitions from traditional to semantic-oriented service provisioning. Consequently, the shared models alleviate the necessity to train desired models from scratch. On the other hand, this layer can offer extensive prior knowledge to aid agents during semantic reasoning and decoding phases, thereby improving the efficiency and reliability (e.g., eliminating semantic ambiguity) of interaction. The knowledge can be represented in various forms including knowledge graph (KG) [23], structured databases, and parameters in GAI models [35, 36], as detailed in Sect. II-D3.

(ii) Intelligent communication tasks scheduling: Task scheduling within the control layer plays a crucial role in orchestrating various network operations, especially in a SemComNet characterized by its heterogeneous agents and ever-increasing tasks (e.g., 3D video conferencing and VR transmission). It ensures that each task is executed at the optimal time and in the correct sequence via the right agents to achieve the best network performance [7]. On the one hand, it involves aligning the requirements of each task with the capabilities of different agents, thereby optimizing resource utilization and guaranteeing timely task assignments. On the other hand, this process aims to evaluate and monitor system performance metrics including response times, quality-of-experience (QoE), and feedback from agents. Such evaluation primarily concentrates on guaranteeing the accuracy, relevance, and contextual coherence of transmitted SI.

(iii) Adaptive overall resource allocation: To enhance the performance of SemComNet, the resources including communication, computational power (include storage) need to be carefully allocated to facilitate efficient interaction within large-scale SemComNet. Given that SemComNet requires significant computing power to train various semantic codecs and update KBs frequently, the cloud-edge-end hierarchical framework is utilized for on-demand resource utilization [37]. Specifically, the cloud offers massive-scale high-performance computing resources (e.g., powerful CPUs, GPUs, and memory) that are suitable for global KBs maintenance and shared semantic model training. By leveraging edge resources located at the network edge (e.g., base stations and access points), the data transfer latency and privacy leakage can be reduced, thereby facilitating real-time processing and access of shared KBs for agents. Pervasive end-agents are equipped with limited computing capabilities, allowing them to handle simpler tasks such as environment sensing & processing, updating privacy-sensitive KBs, and conducting semantic-oriented information delivery.

This layer enables agents to communicate with each other using the desired meaning of source data, known as semantic-oriented transmission services. It operates through four stages, i.e., multi-source data fusion, SI extraction, physical-layer reliable transmission, and semantic recovery and enhancement.

(i) Multi-source data fusion. This initial phase involves the collection and fusion of multi-modal data sources (e.g., image, point cloud, and video) [23, 38].

(ii) SI extraction. This phase is a critical operation within this layer which employs a semantic encoder to extract meaningful and desired information from informative multi-modal source data [23, 39] while filtering out redundant and known knowledge for the receiver. Guided by prior knowledge from shared KBs, the semantic encoders can adaptively extract multi-level SI on demand. For instance, for image transmission with various task requirements, high-level SI containing a general summary of an image (e.g., two cars) suffices for classification tasks, especially for resource-limited transmitters. Meanwhile, middle-level SI provides a more specific understanding of objects, regions, or specific structures, making it suitable for scene comprehension tasks. Furthermore, low-level SI involves pixel-level details, significantly enhancing precise scene reconstruction tasks, even with significant knowledge gaps among transceivers. Additionally, the transmitter dynamically adjusts its strategy based on from recipient feedback and channel conditions, enhancing adaptability to transceiver needs and environmental variations.

(iii) Physical-layer reliable transmission. To maximize SI transmission efficiency and mitigate interference among multiple agents, this layer employs precoding techniques (e.g., beamforming and spatial multiplexing) to optimize transmitted signals at the source. The precoder leverages spatial diversity to enhance signal quality and enable simultaneous data transmission. Then, by leveraging channel coding, the extracted semantic data streams are reliably delivered through physical channels. Besides, to offer better performance gains, the DL-based joint source-channel coding (JSCC) paradigm [40, 41] can map the source data to channel symbols for enhanced efficiency and flexibility while well-settle cliff-effect by training in an end-to-end manner.

(iv) Semantic recovery and enhancement. After receiving the transmitted SI, the receiver agent first performs multi-user signal detection to identify and separate signals related to itself. This process involves employing intelligent algorithms such as intelligent radio [2], to estimate the CSI, and detect and differentiate between the various signals. Then, guided by shared KBs matched by the control layer, the receiver performs semantic decoding and provides feedback to the transmitter. Besides, to conduct semantic reasoning and parsing with auxiliary knowledge and context, the receiver can rectify transmission errors, such as content blurring or partially missing. For instance, injecting blurred SI into GAI models to accomplish content correction and enhancement [42], thereby improving the accuracy and reliability of SemComNet.

This layer represents an upgraded version of the traditional sensing layer [28] by incorporating human-like cognitive processing capabilities into system design [14]. Specifically, unlike the traditional sensing layer, this layer not only has direct interfaces with the physical environment to actively perceive the environment through sensors but also integrates the cognitive abilities of agents. For human beings, cognition involves the mental processes of acquiring understanding and knowledge through thought, experience, and senses [43]. Similarly, for the intelligent agents, the cognitive abilities include understanding sensor data, reasoning about agents’ intents, and discovering knowledge to enrich their private KBs [14, 43]. The cognitive sensing layer involves three features: i) perceiving the surrounding environment, ii) inferring the intents of agents, and then iii) organizing the accumulated information into knowledge for the SemComNet [33]. A detailed discussion of these features follows:

(i) What do the agents have? The pervasive agents equipped with on-body sensors can actively sense and collect environmental semantics such as light, sound, and CSI from the surroundings [33]. For instance, vehicular agents leverage various sensors (e.g., GPS and cameras) to collect data about other vehicles and traffic conditions. Besides, these intelligent agents within SemComNet possess the capability of semantic understanding [1] to interpret environmental data including identifying specific events or entities. For instance, they could recognize specific patterns in sound or objects in images, thereby understanding events occurring in the environment. Subsequently, this layer processes the raw data into meaningful descriptions regarding environmental and contextual aspects, such as “vehicle traffic is growing”.

(ii) What do the agents want? Identifying the agents’ intents is crucial for meeting their different transmission requirements, thereby improving the QoE of agents and unleashing the potential of semantic communication [3, 43]. For instance, in the SemComNet-empowered smart transportation scenarios, the intent of vehicular agents may be either “warn” of imminent hazards (e.g., sudden stops ahead), “coordinate” actions among vehicles (for safe intersection crossing), or “optimize” traffic flow through intelligent traffic signal management. Understanding these intents is crucial for effective environment perception and semantic noise reduction [1]. To accurately infer agents’ intent, this layer analyzes these agents’ behaviors (e.g., habit preferences, bodily movements, emotional states) and interaction histories, employing statistical tools and AI technologies for predictive insights. The AI-based implementation approaches can be categorized into four types [44]: (1) traditional machine learning (ML)-based methods; (2) DL-based methods; (3) RL-based methods; and (4) cognitive model-based methods. Specifically, traditional ML algorithms such as Bayesian networks and hidden Markov models excel in performing pattern recognition from collected data in an explainable manner. When dealing with extensive historical data, DL approaches such as recurrent neural networks and long short-term memory (LSTM) models excel in analyzing action sequence dependencies and inferring underlying intents from extensive data. Furthermore, to adapt to unseen environments, RL techniques empower agents to learn optimal inference strategies through trial and error. In the realm of RL, inverse RL [37] enables the deduction of underlying reward functions from the observed expert behaviors, thereby uncovering their intents and goals. Moreover, in scenarios with scarce training data, the cognitive model [45, 46, 43] leverages the theories from cognitive science (e.g., theory of mind [47]), which could predict the agents’ decision-making processes and intents. For instance, inspired by human cognitive processes, Rabinowitz et al. [47] propose the machine theory of mind network, which can learn other agents’ behaviors to model their mental states including desires, beliefs, and intents from limited data.

(iii) How do the agents acquire knowledge? After environmental perception and intent inference processes, this layer could effectively transform the derived sensing data and agents’ intents into structured forms of knowledge. For instance, KGs and large GAI model-based KBs store knowledge in the form of graph structures and model parameters [35, 42], respectively. The accumulated extensive knowledge enriches agents-specific private KBs and empowers agents to delve deeper into understanding and reasoning about context. Furthermore, an essential interplay occurs between private KBs of agents and shared KBs of the control layer for continuous knowledge updating and alignment [37]. This interaction ensures the integration of individual knowledge with globally shared knowledge, such as aggregating new environmental semantics [33] to shared KBs and removing obsolete knowledge. Consequently, this process ensures the consistency of multiple KBs in SemComNet and boosts the accuracy of semantic communication [7].

As illustrated in Fig. 5 (a), this mode allows two agents to interact and aims to deliver the key meaning behind the source data, instead of transmitting the raw bit streams. Before the interaction, both communicating entities undergo the preparation stage. Here, agents engage in synchronizing background knowledge and aligning their shared KBs to establish a common ground and context for communication. To alleviate the computation burden of agents, lightweight semantic codecs can transfer from large, powerful models within shared KBs via knowledge distillation.

The transmission involves three principal phases, i.e., SI exaction, SI transmission, and SI reconstruction. i) SI exaction phase. In this phase, the transmitter uses the semantic encoder to extract compact SI from original multi-modal data streams, while simultaneously filtering out irrelevant information. The work [32] categorizes semantic encoder designs into four main approaches: DL-based, RL-based, KB-assisted, and semantic-native approaches. Among these, various DL-based solutions [9, 2, 10] are identified as the mainstream direction currently. ii) SI transmission phase. After extraction, the transmitting agents transmit processed SI to the receiver. The channel codecs are responsible for ensuring error-free transmission of SI, capable of combating noise, interference, and other challenges related to the physical layer. During channel coding, mechanisms such as error correction, compression, and encryption can be employed to ensure the integrity, efficiency, and security of the SI. iii) SI reconstruction phase. Upon receiving the transmitted SI, the receiver utilizes a semantic decoder to interpret and reconstruct the SI into a format that is comprehensible and applicable to itself. The design of the semantic decoder should be tailored to downstream tasks, which can be classified into pragmatic task execution (e.g., image classification task) and observable information reconstruction (e.g., video transmission task) based on specific goals [48]. Throughout the reconstruction process, the receiver interacts with KBs to ensure that the interpreted SI aligns coherently with the contextual background.

Finally, a quality assessment is conducted to verify that the reconstructed information maintains reliability and suitability at the semantic level. According to the assessment results and CSI, adaptively adjust the semantic transmission strategy to resist both semantic noise and channel-related disturbances.

This mode involves multiple agents to collaboratively accomplish a common task, as depicted in Fig. 5 (b). Agents are organized into clusters according to their common interests in the common task such as cooperative navigation and real-time object detection [49]. Within each cluster, the sharing of domain-specific knowledge and task-specific semantic models facilitates efficient collaboration and SI exchange. Achieving clustered semantic communication needs the following four steps. i) Perception and information collection. At first, agents utilize their sensors to actively collect data from the surrounding environment [33]. Then, each agent independently cognitive sensing processes this data locally and extracts relevant semantic fragments that contribute to the shared task, such as collaborative object perception. ii) Semantic fragment sharing via paired semantic communication. Within the cluster, agents share the locally extracted semantic fragments with other agents via paired semantic communication. iii) SI fusion. Upon receiving SI from other agents, the recipient applies multi-signal detection and multi-modal data fusion [39]. These processes aim to reconstruct a more comprehensive and holistic semantic representation. iv) Re-transmission for missing information. During the semantic reconstruction phase, the receiver identifies missing or incomplete information via verification. Subsequently, feedback or requests are sent to the respective agents, prompting them to re-transmit the necessary information fragments [37]. This process aims to achieve a complete semantic understanding and fulfill the task requirements.

This paradigm is expected to accommodate complex application scenarios comprising various tasks [38] and to support coordination across tasks [7]. In this paradigm, connected agents are organized into different clusters based on their involved tasks. Within each task, agents efficiently exchange SI via clustered semantic communication. Meanwhile, for inter-cluster communication, agents belonging to different clusters can be assisted or coordinated by semantic translators, a.k.a semantic relay nodes [50, 51, 52, 53]. These translators, as depicted in Fig. 5 (c), often acted by powerful unmanned aerial vehicles and base stations, possess cross-domain knowledge and diverse semantic models. Their role extends beyond basic SI forwarding, emphasizing semantic translation to guarantee accurate interpretation and exchange of SI at the semantic level [50]. Consequently, semantic translators not only mitigate knowledge background disparities among transceivers across clusters, but also alleviate agents from the necessity of training multiple semantic models across tasks. As such, it boosts connectivity and efficiency for networked agents.

The networked semantic communication mode relies on multi-layered KBs [37], including public KBs, task-specific KBs, and private KBs. Specifically, public KBs provide common-sense knowledge and general models accessible to networked agents. Within each cluster, agents share task-specific KBs, which concentrate on expertise and task-related knowledge (e.g., diseases, symptoms, and treatments in medical diagnosis tasks). Additionally, private KBs owned by individual agents mainly contain personalized and sensitive knowledge accumulated by each agent (e.g., preferences, interests, and communication context). The multi-layered KBs provide essential context and knowledge for SI extraction, delivery, and reconstruction for agents.

Serving as the foundation of SemComNet, AI techniques including DL, RL, and GAI significantly enhance the ability of SI extraction and overall efficiency in time-varying channel conditions and diverse task demands. Specifically, DL models such as LSTM and Transformer [9, 2] allow semantic models to robustly abstract important features and capture long-range dependencies within data. Besides, diverse task demands within SemComNet necessitate frequent model updating, resulting in transmission service interruptions and consuming substantial time. To address it, transfer learning allows the reuse of existing semantic models and knowledge for new scenarios, thereby accelerating training and enhancing data efficiency within SemComNet. Moreover, to mitigate “catastrophic forgetting” [54] in transfer learning, continual learning becomes essential in SemComNet which helps semantic models adapt to new tasks without forgetting learned knowledge. To address the issue of scarce training samples in the SemComNet environment, GAI models such as generative adversarial networks (GANs) and diffusion models prove beneficial [42]. These models could create extensive, high-quality, and personalized data samples resembling real-world scenarios for training diverse semantic models. Besides, RL empowers agents with autonomous implicit semantic reasoning [37] and real-time decision-making in SemComNet tasks such as autonomous driving and drone navigation.

In SemComNet, networking technology plays a crucial role in enhancing its performance and efficiency, achieving reliable network connections, and real-time SI transmission between agents. The increasing affordability and advancing intelligence of IoT devices [55] have made it feasible to deploy numerous intelligent agents. Simultaneously, the abundant deployment of sensors in the IoT provides SemComNet with rich perceptual data, facilitating knowledge accumulation and SI comprehension. Moreover, 5G and beyond [3] support high-speed data transmission, increased network capacity, and global communication coverage, including remote areas and oceans, fulfilling the real-time response and efficient data transfer requirements of SemComNet.

Acting as “memory” of SemComNet, the knowledge representation such as knowledge graph (KG) [16, 32, 23], scene graph [56], and concept graph [57] can transform contextual information and experience into a comprehensible format for agents. They also empower SemComNet to manage, search, and reason over vast amounts of knowledge. For instance, KGs can be integrated into SemComNet to organize and aggregate vast unstructured data into a structured knowledge format from diverse domains [16], presented in graphical form. Besides, Zhang et al. use scene graph [56] to capture and store knowledge about the objects and their relationships in the original image. Moreover, the emerging large GAI models such as ChatGPT, GPT-4 [36] demonstrate impressive knowledge representation ability and flexible knowledge query mode. Integrating multi-modal knowledge from powerful GPT-4 can eliminate the ambiguity in transmitted SI within SemComNet and aid in effective information reconstruction.

SemComNet requires significant computing power to sustain AI model training and storage, as well as multiple KBs management and synchronization. In response, ubiquitous computing [26] establishes an environment for SemComNet where computing resources are seamlessly and invisibly embedded in various agents (e.g., wearable devices and sensors), ensuring widespread availability. To enhance agents’ QoE within SemComNet, the cloud-edge-end network architecture offers on-demand acquisition of computational and storage capacity. The cloud-tier furnishes powerful computing resources for shared semantic models training, while the edge-tier supports rapid computation processing for nearby agents. Besides, through collaborative maintenance of multiple pre-cached KBs across the cloud-edge-end infrastructure, agents can effectively access required knowledge, thereby significantly improving semantic delivery performance.

SemComNet is susceptible to semantic adversarial attack due to the vulnerability of DNN-based codecs and the broadcast of wireless medium [25, 22, 5]. These attacks may induce semantic noise that will gradually distort the desired meaning conveyed in SI. Current defense schemes span diverse categories [74], i.e., adversarial training, defensive distillation, AEs detector, and methods involving weight concealment and interference [75]. Among these approaches, adversarial training stands out as a simple yet highly effective method. It has been extensively researched and proven to enhance the resilience of semantic models to AEs [19, 22, 25]. This approach can be accomplished by incorporating AEs into the training data and continually generating new AEs during each iteration of the semantic model training process. For instance, Peng et al. [19] employ adversarial training, specifically the fast gradient method to identify perturbations that significantly disrupt the system and subsequently train system to withstand these AEs. In work [19], the bilingual evaluation understudy (BLEU) score is used to evaluate the semantic quality of received data and Bidirectional encoder representations from transformers (BERT) score is adopted to measure the semantic similarity between two text sentences. The results, indicated by high BLEU and BERT scores, demonstrate the proposed scheme’s success in mitigating semantic distortions (caused by adversarial noise) effectively. However, this training strategy might increase computational costs and may not generalize to AEs from other adversaries because it trains the model on narrowly crafted AEs, increasing the risk of overfitting. Besides, the work [19] does not consider the interference from the massive connection between agents, which may introduce various adversarial perturbations in wireless channels. To simulate this, Nan et al. [25] introduce SemAdv to create semantic-oriented perturbations for physical-layer adversarial attacks during SI transmission. To defend this, they propose an adversarial training approach SemMixed to enhance the resilience of SemComNet against various physical adversarial perturbations and PGM attack [124]. Simulation results underscore that the proposed defense strategy achieves a significantly reduced attack success rate.

DNN-aided SemComNet is vulnerable to backdoor attacks [60], where hidden triggers can manipulate their behaviors if activated. Generally, an effective strategy to counter these attacks involves develo** efficient detection mechanisms capable of swiftly identifying anomalous samples and subsequently removing them during the training process within SemComNet. For instance, Wang et al. [70] present a novel system for detecting and mitigating DNNs backdoor attacks. Considering a model with backdoors is sensitive to input perturbations, they employ an optimization algorithm to manipulate each output label-altering prediction. However, this approach faces challenges in scaling to large-scale models and heavily depends on a strong assumption (i.e., a clean training dataset). To face the challenge of the entire contaminated dataset, Li et al. [69] propose a unified distillation framework for data sanitization. To hedge the impact of poisoned data, they use additional data and knowledge(e.g., a small clean dataset and label relations in KG) as side information. Extensive experiments on various domain datasets demonstrate its effectiveness.

The above works [70, 69] focus on a centralized training paradigm while neglecting collaborative learning of semantic codecs, which have demonstrated vulnerability to poisoning attacks [60]. In the collaborative training paradigm, physically distributed data restricts access to attackers, while only model poisoning attacks work (i.e., undetectable backdoors triggered during model aggregation). SemComNet counters this via server-side measures, which conduct global model checks after agent updates to mitigate poisoning effects. For instance, Krum as a novel aggregation rule for Byzantine-resilient distributed stochastic gradient descent is proposed in [71]. After each round of training, Krum performs a special sorting and selection of participants’ local model weights to filter out abnormal model weights that may be subject to malicious attacks, thus protecting the robustness of the global model. Nevertheless, the complexity of the Krum algorithm dramatically increases with more participants, which requires pairwise distance calculations. Moreover, it necessitates exchanging model weights and distance information, affecting SemComNet efficiency, especially in limited bandwidth or unstable communication scenarios. To minimize the cost of countering poisoning attacks, Ozdayi et al. [72] propose a lightweight defense against backdoor attacks, requiring minimal changes to FL protocols and model performance. The defender adjusts the aggregation server’s robust learning rate with a preset value based on the sign information of agents’ updates in different model dimensions and training rounds.

Apart from enhancing the resilience of the aggregation algorithm against poisoning updates, another more direct defense strategy involves detecting malicious clients. For instance, Zhao et al. [73] present a novel defense scheme to detect anomalous updates through client-side cross-validation, where each update is evaluated using other clients’ local data and update weights are adjusted based on these evaluations by the server during aggregation. To handle data imbalances, they also introduce a client-level differential privacy (DP)-assisted dynamic client allocation mechanism, safely assigning detection tasks to the most suitable clients. Although the work [73] can enhance the strength and robustness of anomalous updates detection, its effectiveness might be constrained by the limited size of validation data and susceptibility to malicious clients.

Training powerful semantic models is essential to handle intelligent communication tasks within SemComNet, while this process is expensive and time-consuming. To protect the IP of semantic models and knowledge within SemComNet, watermarks play a pivotal role [62]. In [61], Zhang et al. extends the concept of “digital watermarking” from multimedia to DNNs, and three DNN-compatible watermark generation algorithms are explored to safeguard the IP of DL models. By detecting preset watermark patterns during remote verification, it is easy to confirm model ownership. Results demonstrate the potential of the proposed plug-and-play scheme to resist different counter-watermark techniques. However, the work [61] fails to resist surrogate model attack [66]. Motivated by this, Zhang et al. [66] introduce a unique task-agnostic method to insert a spatially invisible watermark into the outputs of target network, complicating the theft of the model or the creation of surrogate models by attackers. This watermark remains extractable (high extracting success rate) even if attackers train surrogate models, thus significantly enhancing the security of the DNNs in SemComNet. The limitation of proposed solution is its vulnerability to ambiguity attack and certain image pre-processing techniques (e.g., random crop** and resizing), which compromise watermark consistency.

Another prospective solution for secure IP protection for semantic models involves utilizing blockchain technology. This approach provides a trustworthy and traceable mechanism for sharing semantic models and knowledge within SemComNet [26]. For instance, Somy et al. [67] introduce a blockchain-based framework for collaborative ML model training in a trustless AI marketplace, potentially applicable in SemComNet for addressing IP infringement concerns of shared semantic models. By creating a verifiable, immutable, and traceable blockchain ledger, the system safeguards the ownership and privacy of data and models for their respective owners and trainers, enabling collaborative improvements. However, the system’s throughput and latency are influenced by network setup and peer distribution, highlighting possible scalability and performance challenges in expansive or widely distributed environments.

To improve the efficiency of blockchain-based IP protection scheme, ** function into the blockchain, which also enhances the robustness and security of IP. However, the adoption of blockchain technology introduces confidentiality and privacy issues related to the gathering, retention, and distribution of models and knowledge in SemComNet. Additionally, the scalability and performance aspects of blockchain pose significant challenges when seamlessly incorporating blockchain into SemComNet services.

The encryption scheme strengthens the privacy, security, and integrity of semantic data, thereby enhancing the overall security and reliability of the SemComNet, which has received increasing attention [82, 83, 96, 95]. In [82], Chen et al. propose a cryptography method using random permutation and substitution to counter model inversion eavesdrop** attack [24] in which attackers eavesdrop and reconstruct the original message. Experiments demonstrate the effectiveness of this approach in both white-box and black-box scenarios. By exploring the randomness of BLEU scores, Qin et al. [83] introduce a novel physical-layer semantic encryption method using a semantic key to make SI encrypted. Besides, semantic subcarrier obfuscation through dynamic spurious data insertion enhances security in SemComNet. The above encryption schemes heavily rely on key management and distribution, while the advanced cryptographic techniques such as secure multi-party computation (MPC) [95] and homomorphic encryption (HE) [96] eliminate the need for key sharing, reducing the risk of key exposure. Moreover, MPC allows multiple agents in SemComNet to collaborate on various computations (e.g., addition, comparisons, searches) without sharing raw data, ensuring robust semantic data and knowledge privacy. To promote adoption of secure MPC in ML, Knott et al. [95] propose a user-friendly framework named CRYPTEN by offering MPC services through familiar ML abstractions. Benchmark results on various DNNs demonstrate CRYPTEN’s potential for secure and private SemComNet. Meanwhile, HE ensures the security of transmitted data by allowing computations on encrypted data without decryption. For instance, Phong et al. [96] leverage additively HE and asynchronous stochastic gradient descent for secure computation of gradients during model training, while maintaining model accuracy.

However, the above solutions [95, 95] may impose excessive communication and computing burden on agents within SemComNet. Moreover, traditional encryption [82, 83] such as permutation and substitution disrupt intrinsic correlations of SI, causing transmission performance degradation in SemComNet. To solve this, Xu et al. [41] propose a novel DL-based joint encryption and source-channel coding (DJESCC) for SemComNet, which effectively safeguards the visual content by transforming the plain image into a visually secured version while minimizing any substantial degradation during reconstruction. Targeting to mitigate privacy leakage from shared KBs, Luo et al. [84] introduce GAN-like adversarial encryption training to ensure transmission accuracy, with the goal of having a transceiver to outperform the most skilled eavesdropper, rather than a fixed adversary. Nevertheless, the adoption of symmetric encryption complicates key storage and management, and introduces latency in both encryption and decryption processes.

Physical layer key generation (PLKG) technology stand as a quantum attack-resistant and key transmission-free solution, offering a promising avenue for securing SemComNet. By utilizing the unique properties of the transmission medium, such as wireless channel fading, it enables the generation of secret keys directly between communicating parties. For instance, Zhao et al. [135] present a PLKG scheme using a reconfigurable intelligent surface (RIS) to enhance the key generation rate by exploiting the randomness of semantic drifts between the transmitter and receiver. However, as [135] has the idealized spatial constraint (i.e., eavesdropper locate half wavelength away from the legitimate agent) assumption may not accurately represent all real-world eavesdrop** scenarios. In practice, eavesdroppers could be at various distances and positions relative to the legitimate users, potentially affecting the system’s vulnerability to eavesdrop** differently than predicted by this assumption. Additionally, PLKG can be seamlessly integrated into hybrid security cryptographic schemes, as demonstrated in [59]. This integration enhances the overall security framework, allowing SemComNet to leverage both the strengths of traditional cryptographic methods and the unique advantages offered by PLKG, rendering them an advanced solution for secure and efficient communication.

Since its inception [136], physical layer secure transmission technology has attracted substantial attention [137]. This technology seamlessly integrates the aspects of data transmission and encryption, offering a promising approach for securing SemComNet. Currently, there are several key technical approaches [137]: beamforming [89], power allocation [22], cooperative interference [90], and artificial noise (AN) injection [138, 88]. These methods intentionally amplify the gap between the legitimate and eavesdrop** communication channels. This allows authorized recipients to decode confidential SI successfully, while semantic signals at eavesdroppers are deliberately scrambled and irreversibly corrupted.

(i) Beamforming. Implementing the beamforming technique in SemComNet makes the SI transmission in specific directions which ensures only intended receivers can capture it. For instance, Lin et al. [89] propose a novel frequency diverse array beamforming approach, that introduces frequency offsets across antennas to decouple legitimate user (LU) and Eve channels. By optimizing frequency offsets and transmit beamforming, the secrecy rate is maximized. The proposed method outperforms conventional beamforming, especially in close LU-Eve scenarios. (ii) Power allocation. A well-designed power allocation scheme enhances the security of the transmission significantly [22]. For instance, Yin et al. [55] introduce a multi-domain resource multiplexing scheme and leverage self-induced co-channel interference among IoT nodes to enhance physical layer security. The optimization problem, involving power allocation, spectral overlap**, and multi-antenna precoding is solved through an alternating optimization with successive convex approximation (AO-SCA) approach. Simulations verify its efficiency, offering the potential for integrating this approach into SemComNet. (iii) Cooperative interference. To effectively disrupt unauthorized channels, cooperative relay, and friendly jamming techniques can be introduced. In [90], Li et al. introduce two innovative cooperative interference alignment (IA) schemes, the former adjusts the spatial signature of one interference and strength of all interference, ensuring orthogonality with the desired transmission, and the other modifies all interfering signal strength, preserving orthogonality. (iv) AN injection. As traditional IA methods prone to secret signal cancellation, Hu et al. [88] proposes an AN-assisted IA scheme. This approach employs a modified alternating minimization strategy and establishes stringent conditions for IA feasibility. The study optimizes power allocation to minimize secrecy outage probability, marking a significant step towards enhancing security measures into SemComNet. The research optimizes power allocation to minimize secrecy outage probability, which offers a potential contribution to integrating security measures into SemComNet. However, achieving comprehensive security throughout SemComNet requires further exploration into cross-layer optimization, such as optimizing and integrating physical layer security with other layers (e.g., the control layer) within SemComNet.

Covert communication in SemComNet is designed to make it difficult for unauthorized parties to detect or decipher the information being exchanged [139, 22]. Represented by physical-layer low probability of detection communication (PL-LPDC), covert communication focuses on concealing the transmission process to remain imperceptible to potential eavesdroppers. For instance, Wang et al. [77] present a PL-LPDC framework for image SI transmission, where friendly jammers defend eavesdroppers by deploying jamming signals. The multi-agent policy gradient algorithm is also proposed to enhance system performance, enabling devices and jammers to find vulnerable devices and optimize transmission parameters in SemComNet. However, the absence of complexity and scalability analysis, coupled with intricate training procedures, may hinder its effective deployment in SemComNet.

Different from PL-LPDC which primarily emphasizes the concealment and low detection probability of communication, the physical-layer steganography [78] focuses on concealing and encrypting the content of communication, providing a higher level of confidentiality. It involves embedding secret SI within the physical properties of a communication channel (e.g., signal power, phase, or frequency), without the awareness of unauthorized users. For instance, Yamaguchi et al. [79] present a steganography security approach while preserving SI, which conceals the secret signal by embedding it into the cover data, making it hard to detect without prior knowledge. Future research efforts are required in designing intelligent covert communication in SemComNet, integrating adaptive optimization, theoretical completeness, and lightweight implementation to accommodate diverse environmental conditions.

Quantum technology, based on the principles of quantum physics, can significantly enhance security within SemComNet [92, 140]. Quantum key distribution (QKD) emerges as a pivotal quantum technology capable of establishing secure key exchanges in SemComNet, thereby enhancing security by establishing a robust and tamper-evident framework for key exchange. Unlike classical cryptographic methods, QKD possesses the unique ability to detect eavesdrop** attempts. That means any interference can be rapidly identified by the communicating parties, promptly alerting them to the presence of an intruder and safeguarding the confidentiality of semantic data and knowledge. In [91], Kaewpuang et al. focus on QKD-aided secure semantic information transmission within SemComNet. Furthermore, they address resource allocation challenges in QKD deployment for SI transmission by proposing a two-stage stochastic optimization model that optimizes QKD resource deployment, while Shapley values ensure fair cost allocation among cooperative QKD service providers. Apart from QKD, quantum semantic encoding can further protect the privacy of semantic content, offering enhanced security and efficient data transmission. For instance, Khalid et al. [92] explore quantum semantic communication employing quantum embedding and quantum ML to encode data into quantum states, which are securely teleported using quantum principles. This novel framework promises to revolutionize SemComNet experiences. However, such quantum SemComNet face challenges in resource optimization and scalability, largely due to their reliance on fragile and expensive photonic quantum resources.

Reconfigurable intelligent surface (RIS), representing an emerging wireless technology, could enhance the security and efficiency of SI transmission in SemComNet. For instance, to effectively prevent eavesdrop** during SI transmission, Wang et al. [85] propose the simultaneous transmitting and reflecting RIS for SemComNet. By optimizing transmission and reflection coefficients, they enhance legitimate semantic signal transmission and create interference for eavesdroppers. In [86], Du et al. present an inverse semantic-aware wireless sensing framework for SemComNet, which utilizes the amplitude response matrix of RIS for secure data encryption and semantic hash sampling to achieve efficient self-supervised decoding. Experimental results demonstrate a 95% reduction in data volume without affecting sensing tasks, offering a resource-saving solution for the secure SemComNet. This advancement stems from the innovative RIS architecture and the self-supervised learning approach, yet it may introduce new challenges concerning hardware complexity and real-world implementation.

Furthermore, the above passive RIS schemes [85, 86] face challenges, such as productive attenuation where reflection link fading is proportional to distances. To tackle this issue, Li et al. [87] introduce active RIS to reconfigure the propagation within wireless SemComNet, while utilizing the on-off control scheme for active RIS phase shifts. Theoretical analysis and results demonstrate superior secrecy performance under both external and internal eavesdrop**. Apart from RIS, spread spectrum techniques such as frequency hop** spread spectrum and direct sequence spread spectrum can also be utilized in SemComNet [76]. As such, the semantic signal is spread across a wide spectrum of frequencies, or pseudo-random sequences are employed. This helps mitigate the disruptive effects of interference on the channel, ensuring a robust and secure communication environment.

GAI models such as GANs and ChatGPT can enhance the resilience of semantic interpretation (e.g., suppressing semantic noise) within SemComNet [81]. Specifically, these models aid in reducing transmission traffic and latency [42]. They also excel in reconstructing semantic-consistent details from SI at the destination side, even when encountering challenges such as semantic noise and mismatches in KBs between the transmitter and receiver. For instance, to enhance the perceptual quality of reconstructed data, Erdemir et al. [141] introduce two innovative GAI-based JSCC frameworks, InverseJSCC and GenerativeJSCC. Different from traditional approaches focusing solely on distortion metrics, these schemes optimize a blend of mean squared error (MSE) and learned perceptual image patch similarity (LPIPS) losses to ensure semantic fidelity. Simulations show that proposed scheme exceed DeepJSCC in distortion metrics such as peak signal-to-noise-ratio (PSNR) and multiscale structural similarity index measure (MS-SSIM), as well as in perceptual quality measured by LPIPS, even with KBs mismatches. To achieve superior perceptual quality in limited bandwidth and low SNR scenarios, Chen et al. [143] treats image recovery as an inverse problem. They employ invertible neural networks with the diffusion model to aid the reconstruction process. However, the above works [141, 143] neglect the aspect of privacy protection during transmission in GAI-driven SemComNet. To address this, as shown in Fig. 10, Han et al. [144] leverage the StyleGAN inversion method to extract disentangled SI from the original image. Meanwhile, they employ privacy filters to replace private SI with natural features guided by the KBs, thereby safeguarding sensitive SI. The results has proven successful in enhancing communication efficiency and reducing the misunderstanding errors.

However, a notable challenge arises from the inherent instability generation capabilities of GAI models, such as the issue of content “hallucination” [142, 145]. This instability poses challenges, particularly in applications requiring accurate information transfer (e.g., medical imaging diagnosis). To mitigate this issue, Du et al. [142] propose a GAI-aided approach that utilizes multi-model prompts for accurate content decoding. By leveraging generative diffusion models and covert communication, this approach ensures multi-modal prompt transmission and precise image regeneration under certain energy constraints. Nonetheless, the integration of large-scale GAI models into SemComNet presents challenges, demanding substantial computing power for training. This strains the deployment of GAI models in resource-limited agents within SemComNet. In summary, achieving trustworthy and resource-efficient integration of GAI into SemComNet necessitates further investigation.

ML technologies offer promising pathways for reliable SemComNet, ensuring resilience in semantic interpretation from the training and data perspectives. On the one hand, some training strategies prove effective in suppressing semantic noise. One example is the pre-trained strategy in speech semantic transmission, Han et al. [15] deploy a pre-trained semantic corrector module at the receiver end to refine and rectify predictions. Experimental results demonstrate their effectiveness in suppressing semantic noise.However, this method faces challenges related to model adaptability and response time. On the other hand, data pre-processing and augmentation techniques also can contribute to enhancing the capability of SI understanding and interpretation of SI more reliably. For instance, Kim et al. [146] explore semantic-preserving augmentation to encourage feature extractors to generate semantic-aware embedding, thereby enhancing retrieval performance even in the presence of data corruption. In response to challenges posed by the limitations of single-modal semantics, Li et al. [23] present a cross-modal semantic communication paradigm. Their scheme incorporates cross-modal semantic codecs to reduce semantic ambiguity, as well as leveraging RL techniques and multi-modal KG’s auxiliary data to explore implicit semantics. They also present how to construct a cross-modal knowledge graph (CKG) as the KBs to enhance reliability by addressing polysemy and ambiguity. As depicted in Fig. 11. CKG construction involves multi-modal knowledge extraction, knowledge fusion, as well as storage and application, which supported by graph databases (e.g., Neo4j) for efficient retrieval. The results show its effectiveness in improving the reliability of SemComNet substantially. However, constructing KBs is challenged by the time-consuming and complex nature of data collection and processing, alongside cold start issues. The emerging GAI model, renowned for its multi-modal data generation and strong semantic representation/understanding capabilities [42, 147, 35], presents a promising avenue for develo** self-evolution KBs in SemComNet.

In the face of deteriorating channel quality and dynamic network conditions, ensuring reliable transmission of SI is paramount. Adaptive transmission stands out as a promising avenue to enhance the reliability of SemComNet [11, 32], which emerges in many related studies. For instance, to enhance noise resilience in ultra-low SNR scenarios, Zhou et al. [133] present a novel multi-bit length selection strategy with a policy network to dynamically adjust coding rates. Additionally, they propose progressive semantic hybrid automatic repeat request (HARQ) schemes, incorporating incremental knowledge to diminish semantic errors. Performance is gauged using the bilingual evaluation understudy (BLEU) metric, with results underscoring improved efficiency, robustness, and cost-effectiveness compared to existing methods. However, the absence of extensive, real-world testing may limit the validation of these findings. Moreover, to explore adaptive bitrate transmission strategy for video data, Wang et al. [148] utilize nonlinear transformation and conditional coding techniques to extract SI from video frames. By incorporating a rate-adaptive transmission mechanism, it allocates channel bandwidth among frames for optimal performance under severe wireless channels. Considering the user experience improvement in SemComNet, Gong et al. [149] dynamically adjust transmission rates based on QoE and employs a Swin Transformer-based semantic codecs with actor-critic RL algorithm to enhance robustness against network variations.

Agents endowed with reasoning capabilities significantly enhance the reliability of SemComNet by mitigating semantic ambiguity and enhancing communication reliability. For instance, Jiang et al. [150] introduced a KG-driven SemComNet which could significantly enhance reliability against semantic noise. However, the above work [150] does not consider the issue of ty** errors in large-scale factual KGs within SemComNet. These errors, especially in entity-type pairs, pose a significant obstacle to reliable knowledge extraction and utilization in SemComNet. To address this challenge, Yao et al. [151] propose an innovative active ty** error detection algorithm that effectively incorporates both gold and noisy labels. Furthermore, they emphasize the semi-supervised noise models as a feasible solution, offering the possibility to enhance the utilization of varied information for error detection in SemComNet.

RL excels at reasoning implicit SI from transmitted data, which could seamlessly adapt to the dynamic conditions within SemComNet. For instance, a novel implicit semantic-aware communication architecture is proposed in [37], focusing on both explicit and implicit message semantics reasoning. The proposed generative imitation-based reasoning mechanism could guide destination users to automatically interpret implicit semantics without requiring access to the source data, significantly safeguarding user privacy and reducing semantic noise. However, this method comes with significant drawbacks, including the low sample efficiency of the AI algorithm and its inability to generalize to unseen data. In response, Thomas et al. [152] integrate a signaling game and Neuro-Symbolic (NeSy) AI [153] into semantic transmission. The game-theoretical approach creates a compositional language, aiding in generalization and semantic awareness. The NeSy AI integrates experiential learning (neural component) with knowledge-based reasoning (symbolic component), empowering the SemComNet to acquire intricate signaling strategies with limited training samples and minimal data transmission. Currently, GAI models presented by ChatGPT [36, 145] stand as a robust tool with semantic understanding and reasoning abilities. Leveraging these models could be a compelling approach for SemComNet significantly enhancing reasoning accuracy [42, 35].

In traditional communication systems, collaborative relays serve as intermediaries to ensure reliable information delivery, particularly in scenarios involving long transmission distances and low SNR [50]. Analogously, the semantic relay nodes within SemComNet play a dual role, i.e., not only assisting in reliable information transmission but also facilitating accurate translation and interpretation of SI from the source to the destination [53]. For instance, Luo et al. [52] introduce the intelligent relay-assisted SemComNet with amplify-and-forward (AF) and decode-and-forward (DF) modes. This system assists in forwarding and interpreting SI while minimizing semantic noise. However, it faces challenges with high computational complexity and long transmission delay. To address it, Bian et al. [100] introduces an alternative scheme. This approach deploys a lightweight DNN in a semantic relay node to translate the SI, thereby achieving a trade-off between relay performance and computational complexity.

In the multiple relay-assisted SemComNet, the selection of relay nodes is crucial to ensure reliable communication. Yang et al. [131] propose PreCMTS, a predictive cooperative multi-relay transmission strategy for vehicular SemComNet. They optimize relay node selection using a low-complexity algorithm based on Markov approximation. Simulation results using realistic vehicle traces demonstrate the performance gains of PreCMTS.

Authentication serves as a fundamental component of trust management by providing a preliminary verification of agents’ identities, forming the basis for trust establishment and subsequent evaluations. The conventional cryptography-based authentication methods face scalability and complexity challenges in large-scale SemComNet. Currently, physical layer authentication (PLA) is gaining considerable attention due to its information-theoretic security guarantee, lightweight processing speed, and high compatibility [154]. This approach is increasingly recognized as a viable implementation in heterogeneous and decentralized SemComNet.

PLA schemes can be categorized as passive and active [154]. Passive PLA relies on physical-layer features for transmitter authentication without modifying the source message. For instance, Gao et al. [110] introduce EsaNet, a DL-based passive authentication network that extracts a wireless channel fingerprint from environmental semantics (i.e., CSI) to distinguish legitimate users. In contrast, active PLA modifies the source message by embedding a physical-layer tag generated from a secret key, enhancing information-theoretic security according to Shannon’s secrecy analysis. In [111], a generalized model for achieving data confidentiality and active wireless PLA is proposed. It highlights the role of channel uncertainty and various design dimensions, such as time, frequency, and space, in enhancing security for SemComNet. To evaluate the transmission efficiency of active PLA schemes, Tan et al. [112] introduces a metric named secure authentication efficiency (SAE). By tuning three key parameters that impact SAE, this paper provides a systematic optimization framework and conducts constraints feasibility and the optimal solution.

However, the aforementioned works [111, 112] are conducted under the assumption of perfect channel conditions, which is not practical in real-world scenarios. To solve this problem, Perazzone et al. [155] investigates the use of artificial noise (AN) in fingerprint embedding for wireless security, focusing on scenarios with imperfect CSI. It examines the impact of AN leakage on security and compares detectors for imperfect CSI, finding that while AN enhances security, its effectiveness diminishes with poor channel quality, and excessive power allocation to AN can reduce security.

The integration of blockchain technology into SemComNet has gained attention for its transparency, decentralization, and tamper-proof characteristics [156]. With decentralized identity management [113, 114], cross-domain authentication [102, 115], and smart contract-driven authorization [109], blockchain offers an effective trust management solution for SemComNet. Specifically, blockchain eliminates the need for a central certification authority, making it ideal for decentralized self-sovereign identity management within SemComNet, allowing agents to independently publish and query their identities. For instance, Bao et al. [113] introduce a robust privacy-preserving identity management system suitable to industrial IoT scenario. Leveraging blockchain and diverse cryptographic tools, it guarantees unforgeability, traceability, revocability, and public verifiability. However, in the open and resource-limited SemComNet scenarios, the necessity for privacy-preserving and lightweight identity management mechanisms is vital, which is neglected in the above work [113]. To address it, Xu et al. [114] presents a blockchain-based identity management system for mobile SemComNet, granting users control over their self-sovereign identities (SSIs). Blockchain records legitimate user SSIs and public keys allowing decentralized authentication and Chameleon hash enables efficient illegal user revocation, reducing overheads.

In the fast-paced SemComNet, cross-domain authentication poses a significant challenge, as numerous agents from different domains require rapid identity verification. To tackle this challenge, Chen et al. [102] present a privacy-preserving cross-domain authentication solution for public key infrastructure. It ensures cross-domain compatibility and rapid response via multiple Merkle hash trees. For industrial networks, Shen et al. [115] utilizes a consortium blockchain to establish trust among different domains and employs identity-based signatures for authentication, ensuring anonymity of devices. For the authorization aspect, smart contracts running on the blockchain enable automatic authorization policies in SemComNet. For instance, specific roles or conditions might dictate access to sensitive sensory data and accumulated knowledge. When users request data access, smart contracts automatically verify their identity and permissions, determining whether the request is authorized. In [109], Wang et al. apply smart contracts for fine-grained data authorization mechanisms and traceable data usage management. The scheme utilizes a trusted execution environment for off-chain smart contract execution to process confidential user data and reduce computation overhead. However, the extensive and real-world performance test in SemComNet must be considered, as SemComNet is featured as heterogeneous components and large-scale structure.

Trust evaluation is vital for ensuring security and reliability during cooperation within large-scale SemComNet. Current methods predominantly focus on using game theory, Dempster-Shafer theory, fuzzy logic, and Bayes theorem to analyze and combine trust-impact attributes (such as direct/indirect, subjective/objection, local/global and historical/present) during evaluation [107]. For instance, considering both direct and indirect trust degrees derived from historical transaction experiences and social user impact respectively, Parhizkar et al. [157] establish a trust evaluation mechanism in multi-agent systems. However, the above work [157] relies on subjective influence and a simple combination of trust attributes, which lacks sufficient practical guarantee and incurs issues such as cold start and sparse history data[116].

The introduction of various DL methods [116] not only resolves the above challenges but also establishes a systematic and automated trust evaluation framework for SemComNet. For instance, Jayasinghe et al. [105] proposes an ML-based quantifiable trust assessment model for IoT services. Utilizing unsupervised learning techniques and support vector machines, this model accurately classifies trust features to identify trust boundaries and produce final trust values. Besides, deep RL (DRL) which combines the perceptual capabilities of DL and the decision-making abilities of RL, may be well applied in trust or reputation models within SemComNet. For instance, during collaborative misbehavior detection in SemComNet, adversaries may send fake detection feedback to disturb the whole system. In response, Gyawali et al. [106] use Dempster-Shafer theory to combine vehicle feedback in vehicular servers, and introduce a dynamic reputation update policy based on DRL to prompt accurate feedback. Extensive simulations affirm its effectiveness against internal attacks and misbehavior detection within SemComNet. However, its communication and computation overheads are expected to rise exponentially with agent numbers, potentially hindering practical deployment in SemComNet. The above works [157, 105, 106] mainly focus on entity-based trust models (i.e., rely on agents’ credibility), while neglecting the authenticity of SI. To address existing gaps, Truong et al. [108] use virtual interactions and quality assessment to calculate trust indicators E-R (i.e., experience and reputation) between users. However, acquiring these indicators may be challenging, and a typically sparse trust matrix may compromise the accuracy of trust assessments in SemComNet.

The distributed nature and immutability of blockchain make the SemComNet under the premise of ensuring data availability [97] and sharing [98]. It provides SemComNet with integrity [122], confidentiality [99] of semantic data & knowledge while maintaining it can be redactable [123]. Specifically, Liang et al. in [97] present a blockchain-based data provenance system named ProvChain to ensure semantic data source security from collection, storage, and verification in three stages. For secure decentralized knowledge sharing, Wang et al. [98] introduce a blockchain-based framework to reduce malicious activities effectively. That holds promise for supporting secure knowledge sharing in SemComNet. However, scalability and latency concerns in extensive SemComNet deployments require careful consideration.

To ensure remote knowledge integrity in cloud storage services, Wang et al. [122] introduce a blockchain-based private provable data possession scheme, to ensure remote data integrity in cloud storage. Compared with existing cryptography schemes, they offer enhanced security, efficiency, and practicality while ensuring agent anonymity. As for confidentiality of data and knowledge, Fotiou et al. [99] introduce a decentralized security approach for content distribution utilizing blockchain in a fully distributed manner, ensuring security without relying on central authorities. Lastly, blockchain technology can still play a significant role in ensuring trustworthy data deletion. For instance, Ateniese et al. [123] propose a framework to redact and compress the content of blocks in virtually any blockchain-based technology. Experiment results show the overhead imposed by having a mutable blockchain is negligible.

Various access control (AC) policies, including role-based [118], attribute-based [119, 120], purpose-based [121], can be employed to safeguard knowledge and semantic data in SemComNet, tailored to specific requirements. For instance, Sultan et al. [118] introduce cryptographic role-based encryption for AC, where only authorized users decrypt data. It includes efficient user revocation and outsourced decryption, reducing computational load. Theoretical analysis proves its security against chosen-plaintext attacks, making it ideal for practical SemComNet applications. For fine-grained AC in collaborative scenarios, Xue et al. [119] employs attribute-based encryption to facilitate collaborative access based on owner-defined policies, which may be applied to SemComNet to ensure the clustered and networked agents collaboration while preventing unauthorized collusion attempts.

However, the above role and attribute-based AC model usually falls short in allowing agents to perform statistical analysis on sensitive semantic data and knowledge without direct access. To tackle this challenge, on the one hand, Xu et al. [120] present privacy-preserving attribute-based AC utilizing a revocable ciphertext policy, which allows immediate attribute revocation and preventing privacy leaks through an expressive linear secret sharing scheme matrix. An extended path oblivious random access memory protocol is also introduced, ensuring advanced AC functions like write access and policy updates while concealing access patterns. On the other hand, the purpose-aware AC model allows knowledge owners to define the intended usage purpose of their knowledge using a predefined set of purposes, ensuring privacy-preserving AC. For instance, Xue et al. [121] employs an automatic purpose-aware AC model that can distinguish the purposes of data processing and operation. Two enforcement mechanisms are proposed to support both structured and unstructured data AC. Extensive experiments confirm the efficiency of enabling fine-grained purpose control in large-scale data platforms. However, the complexity of configuration and difficulty in implementing cross-domain access may impede its widespread adoption in SemComNet. More research efforts are required in terms of develo** context-aware AC, automatically adjusting access permissions based on specific communication environments, and enhancing SemComNet adaptability and intelligence.

In SemComNet, agents often need to erase their communication history and private knowledge for privacy and security reasons. To accomplish this, traditional methods involve retraining DNN-based codecs from scratch, which strains communication and computing resources. Additionally, frequent requests from agents will significantly disrupt the communication service of SemComNet. The emerging concept of machine unlearning [160] offers an efficient solution for managing data removal and model adaptation within SemComNet. It enables the preservation of agent privacy and preferences while ensuring seamless communication and resource conservation, and offers trade-off balancing between privacy and efficiency in the SemComNet.

In [161], Golatkar et al. address the challenge of selectively forgetting specific training data from a DNN. The proposed method, called “scrubbing” aims to remove any information about a particular dataset from the network’s weights without requiring access to the original data and retraining the whole network. The work [161] ensures that adversaries cannot recover any context and knowledge during the communication process. However, its implementation in SemComNet presents challenges as it is only feasible in simple and well-structured models. To make unlearning easier to implement, Sekhari et al. [158] present an efficiently approximate unlearning algorithm that reduces computational and storage complexities. By subtracting the influence of certain samples using disturbance updates during model training, an unlearned model was produced. However, the study [158] encounters limitations that could hinder its practicality in SemComNet, such as reliance on a convexity loss function and the absence of an information-theoretic unlearning guarantee.

The “right to be forgotten” of machine unlearning allows agents to request the removal of their knowledge and data from SemComNet storing it. However, the study [162] reveals that machine unlearning can unintentionally leak information and create privacy risks, such as membership inference attacks. Chen et al. [162] also proposes mitigation mechanisms like releasing only predicted labels, temperature scaling, and DP to address these privacy risks. These findings can promote the implementation of practically privacy-preserving machine unlearning in SemComNet.

Existing multi-user collaborative SemComNet mainly focuses on centralized learning by aggregating raw data from users, which will cause traffic congestion and privacy concerns [38, 94, 159]. FL offers a collaborative approach, training codecs and constructing KBs within SemComNet. It ensures data privacy by kee** user information on devices and reduces training costs through joint efforts. Researchers have investigated the integration of SemComNet and FL [94, 159] for privacy preservation. In [94], Zhao et al. propose an online inference and offline FL framework for SemComNet. This framework integrates privacy-protected semantic codecs training and personalized codecs deployment to strike a balance between privacy protection and data utilization. Targeting the tasks of constructing semantic KBs from images in a privacy-preserving manner, Wei et al. [159] propose a FL-based transmission system for SemComNet. They also leverage the information bottleneck (IB) principle to eliminate redundant features while maintaining SI. Simulation results reveal their advantages in accuracy, latency, and convergence across various channel conditions. However, while IB reduces communication overhead through compressed updates, frequent exchange of updates inevitably increase communication overhead. Furthermore, the inherent non-IID data distribution in SemComNet challenges IB’s effectiveness, as its compression may not adequately address non-IID data nuances, risking suboptimal global model performance.

Differential privacy (DP), another widely used technique in SemComNet, safeguards semantic data and knowledge by introducing noise. For instance, Min et al. [93] utilize the DP mechanism to randomize released semantic locations. They adaptive select the perturbation policy using RL based on the sensitivity of the vehicle’s semantic location and the attack history. Experimental results show effectiveness in balancing privacy and QoE loss without knowledge of the current inference attack model, thus facilitating dynamic privacy protection. Additionally, to resist the gradient leakage attacks where attackers can infer private training data from shared semantic model parameters or gradients, Zhao et al. [94] employ edge-side model aggregation through DP enabling customized data utilization in SemComNet under a collaborative training paradigm. Agents can add random noise to parameter sharing based on their diverse privacy requirements, ensuring personalized privacy protection. However, the addition of noise may markedly compromise the accuracy of semantic codecs, presenting a trade-off between model accuracy and privacy protection that needs careful consideration. Additionally, techniques including knowledge distillation [163], secure multi-party computation [95], and trusted execution environment [164] can safeguard the privacy of semantic data and knowledge within SemComNet.