The Security of Deep Learning Defences for Medical Imaging
Moshe Levy, Guy Amit, Yuval Elovici, Yisroel Mirsky

TL;DR
This paper evaluates the robustness of current deep learning defenses in medical imaging against adaptive attackers and finds they are largely ineffective, proposing improved security measures including system hardening and digital signatures.
Contribution
It demonstrates that existing defenses can be bypassed by informed attackers and suggests more effective security strategies for medical DNNs.
Findings
Five state-of-the-art defenses can be evaded by informed attackers
Current defenses are ineffective against adaptive adversaries
Proposes system hardening and digital signatures as better alternatives
Abstract
Deep learning has shown great promise in the domain of medical image analysis. Medical professionals and healthcare providers have been adopting the technology to speed up and enhance their work. These systems use deep neural networks (DNNs), which are vulnerable to adversarial samples: images with imperceptible changes that can alter the model's prediction. Researchers have proposed defences which either make a DNN more robust or detect the adversarial samples before they do harm. However, none of these works consider an informed attacker who can adapt to the defence mechanism. We show that an informed attacker can evade five of the current state-of-the-art defences while successfully fooling the victim's deep learning model, rendering these defences useless. We then suggest better alternatives for securing healthcare DNNs from such attacks: (1) harden the system's security and (2) use…