Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Susceptibility of Adversarial Attack on Medical Image Segmentation Models

Zhongxuan Wang, Leo Xu

TL;DR

This work investigates the vulnerability of MRI segmentation models to adversarial perturbations using FGSM across four U‑Net family architectures with backbones including VGG16, ResNeXt‑101, and EfficientNet‑B7. It reveals that these medical segmentation models are susceptible to adversarial noise, with attack efficacy not strongly correlated with model size, and finds that generating perturbations with BCE loss yields higher success than the training loss, contrary to the original FGSM guidance. The results indicate that models with the strongest clean performance (e.g., EfficientNet‑B7 backbones) can be the most vulnerable, and that BCE‑based attacks outperform those based on the training objective. The study underscores security risks in clinical deployment of medical image segmentation and suggests defense strategies such as model ensembles and data augmentations, with code made publicly available for reproducibility.

Abstract

The nature of deep neural networks has given rise to a variety of attacks, but little work has been done to address the effect of adversarial attacks on segmentation models trained on MRI datasets. In light of the grave consequences that such attacks could cause, we explore four models from the U-Net family and examine their responses to the Fast Gradient Sign Method (FGSM) attack. We conduct FGSM attacks on each of them and experiment with various schemes to conduct the attacks. In this paper, we find that medical imaging segmentation models are indeed vulnerable to adversarial attacks and that there is a negligible correlation between parameter size and adversarial attack success. Furthermore, we show that using a different loss function than the one used for training yields higher adversarial attack success, contrary to what the FGSM authors suggested. In future efforts, we will conduct the experiments detailed in this paper with more segmentation models and different attacks. We will also attempt to find ways to counteract the attacks by using model ensembles or special data augmentations. Our code is available at https://github.com/ZhongxuanWang/adv_attk

Susceptibility of Adversarial Attack on Medical Image Segmentation Models

TL;DR

This work investigates the vulnerability of MRI segmentation models to adversarial perturbations using FGSM across four U‑Net family architectures with backbones including VGG16, ResNeXt‑101, and EfficientNet‑B7. It reveals that these medical segmentation models are susceptible to adversarial noise, with attack efficacy not strongly correlated with model size, and finds that generating perturbations with BCE loss yields higher success than the training loss, contrary to the original FGSM guidance. The results indicate that models with the strongest clean performance (e.g., EfficientNet‑B7 backbones) can be the most vulnerable, and that BCE‑based attacks outperform those based on the training objective. The study underscores security risks in clinical deployment of medical image segmentation and suggests defense strategies such as model ensembles and data augmentations, with code made publicly available for reproducibility.

Abstract

The nature of deep neural networks has given rise to a variety of attacks, but little work has been done to address the effect of adversarial attacks on segmentation models trained on MRI datasets. In light of the grave consequences that such attacks could cause, we explore four models from the U-Net family and examine their responses to the Fast Gradient Sign Method (FGSM) attack. We conduct FGSM attacks on each of them and experiment with various schemes to conduct the attacks. In this paper, we find that medical imaging segmentation models are indeed vulnerable to adversarial attacks and that there is a negligible correlation between parameter size and adversarial attack success. Furthermore, we show that using a different loss function than the one used for training yields higher adversarial attack success, contrary to what the FGSM authors suggested. In future efforts, we will conduct the experiments detailed in this paper with more segmentation models and different attacks. We will also attempt to find ways to counteract the attacks by using model ensembles or special data augmentations. Our code is available at https://github.com/ZhongxuanWang/adv_attk
Paper Structure (16 sections, 7 equations, 8 figures, 2 tables)

This paper contains 16 sections, 7 equations, 8 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Approaches
  3. Model Architecture
  4. U-Net
  5. UNet++
  6. Datasets
  7. Pre-processing
  8. Model Training
  9. Hardware and Software
  10. Hyperparameters
  11. Loss Function
  12. Fast Gradient Sign Method
  13. Results
  14. Evaluation Metric
  15. Discussions and Conclusions
  16. ...and 1 more sections

Figures (8)

  • Figure 1: Difference between image classification, object detection, and image segmentation methods in the medical imaging field. Predictions are simulated except for the image segmentation method.
  • Figure 2: An example of adversarial attack on the medical MRI image segmentation model.
  • Figure 3: U-Net Architecture by Ronneberger et al. Here the architecture assumes the input is 572 $\times$ 572
  • Figure 4: UNet++ Architecture by Zhou et al. UNet++ introduced dense skip connections as highlighted in blue arrows and green arrows shown in the graph. The model also introduced deep supervision as indicated by $L$, but in our paper, this is excluded during training.
  • Figure 5: Input images and predictions with various $\epsilon$ values for our U-Net++ Model. Diff value is measured by the clean input metric score minus the poisoned input metric score divided by the clean input metric score again. Therefore, the more drastic the difference is, the more successful the attack would be.
  • ...and 3 more figures