Adversarial attack vulnerability of medical image analysis systems: Unexplored factors

Adversarial attacks are considered a potentially serious security threat for machine learning systems. Medical image analysis (MedIA) systems have recently been argued to be vulnerable adversarial due strong financial incentives and the associated technological infrastructure. In this paper, we study previously unexplored factors affecting attack vulnerability of deep MedIA in three medical domains: ophthalmology, radiology, pathology. We focus on black-box settings, which attacker does not full access target model usually uses another model, commonly referred as surrogate craft examples. consider most realistic scenario Firstly, effect weight initialization (ImageNet vs. random) transferability from model. Secondly, influence differences development data between models. further interaction with architecture. All experiments were done perturbation degree tuned ensure maximal at minimal visual perceptibility attacks. Our show that pre-training may dramatically increase examples, even when surrogate's architectures different: larger performance gain using pre-training, transferability. Differences models considerably decrease attack; is amplified by difference believe these should developing security-critical planned deployed clinical practice.