
Adversarial attack vulnerability of medical image analysis systems: Unexplored factors

Bibliographic Details
Published in: Medical image analysis 2021-10, Vol.73, p.102141-102141, Article 102141
Main Authors: Bortsova, Gerda, González-Gonzalo, Cristina, Wetstein, Suzanne C., Dubost, Florian, Katramados, Ioannis, Hogeweg, Laurens, Liefers, Bart, van Ginneken, Bram, Pluim, Josien P.W., Veta, Mitko, Sánchez, Clara I., de Bruijne, Marleen
Format: Article
Language: English
Description
Summary:
• We study black-box adversarial attacks on deep learning in medical imaging.
• We study the vulnerability of deep learning systems in three medical imaging domains.
• ImageNet pre-training may substantially increase adversarial attack vulnerability.
• Disjoint training data between target and attacker model decreases attack performance.
• We give recommendations for system design and evaluation of adversarial robustness.

Adversarial attacks are considered a potentially serious security threat for machine learning systems. Medical image analysis (MedIA) systems have recently been argued to be vulnerable to adversarial attacks due to strong financial incentives and the associated technological infrastructure. In this paper, we study previously unexplored factors affecting adversarial attack vulnerability of deep learning MedIA systems in three medical domains: ophthalmology, radiology, and pathology. We focus on adversarial black-box settings, in which the attacker does not have full access to the target model and usually uses another model, commonly referred to as surrogate model, to craft adversarial examples that are then transferred to the target model. We consider this to be the most realistic scenario for MedIA systems. Firstly, we study the effect of weight initialization (pre-training on ImageNet or random initialization) on the transferability of adversarial attacks from the surrogate model to the target model, i.e., how effective attacks crafted using the surrogate model are on the target model. Secondly, we study the influence of differences in development (training and validation) data between target and surrogate models. We further study the interaction of weight initialization and data differences with differences in model architecture. All experiments were done with a perturbation degree tuned to ensure maximal transferability at minimal visual perceptibility of the attacks.
Our experiments show that pre-training may dramatically increase the transferability of adversarial examples, even when the target and surrogate’s architectures are different: the larger the performance gain using pre-training, the larger the transferability. Differences in the development data between target and surrogate models considerably decrease the performance of the attack; this decrease is further amplified by difference in the model architecture. We believe these factors should be considered when developing security-critical MedIA systems planned to be
ISSN: 1361-8415, 1361-8423
DOI: 10.1016/j.media.2021.102141