Adversarial Attack Vulnerability of Medical Image Analysis Systems: Unexplored Factors

Suzanne C. Wetstein, Cristina González-Gonzalo, Gerda Bortsova, Bart Liefers, Florian Dubost, Ioannis Katramados, Laurens Hogeweg, Bram van Ginneken, Josien P. W. Pluim, Marleen de Bruijne, Clara I. Sánchez, Mitko Veta

Research output: Contribution to journalArticleAcademic

179 Downloads (Pure)


Adversarial attacks are considered a potentially serious security threat for machine learning systems. Medical image analysis (MedIA) systems have recently been argued to be particularly vulnerable to adversarial attacks due to strong financial incentives. In this paper, we study several previously unexplored factors affecting adversarial attack vulnerability of deep learning MedIA systems in three medical domains: ophthalmology, radiology and pathology. Firstly, we study the effect of varying the degree of adversarial perturbation on the attack performance and its visual perceptibility. Secondly, we study how pre-training on a public dataset (ImageNet) affects the models' vulnerability to attacks. Thirdly, we study the influence of data and model architecture disparity between target and attacker models. Our experiments show that the degree of perturbation significantly affects both performance and human perceptibility of attacks. Pre-training may dramatically increase the transfer of adversarial examples; the larger the performance gain achieved by pre-training, the larger the transfer. Finally, disparity in data and/or model architecture between target and attacker models substantially decreases the success of attacks. We believe that these factors should be considered when designing cybersecurity-critical MedIA systems, as well as kept in mind when evaluating their vulnerability to adversarial attacks.
Original languageEnglish
Article number2006.06356
Publication statusPublished - 11 Jun 2020

Bibliographical note

First three authors contributed equally


  • Adversarial attacks
  • Deep learning
  • Medical imaging


Dive into the research topics of 'Adversarial Attack Vulnerability of Medical Image Analysis Systems: Unexplored Factors'. Together they form a unique fingerprint.

Cite this