Adversarial Medical Image with Hierarchical Feature Hiding

TL;DR

This paper investigates the nature of adversarial examples in medical imaging, revealing their characteristic features and proposing a hierarchical feature constraint to better hide AEs, exposing weaknesses in current defenses.

Contribution

It provides a theoretical analysis of how conventional medical AEs alter features and introduces a novel hierarchical feature constraint to improve adversarial hiding techniques.

Findings

HFC effectively bypasses state-of-the-art AE detectors.

Conventional attacks optimize features in a fixed direction, creating outliers.

Medical image vulnerability can be exploited to hide adversarial examples.

Abstract

Deep learning based methods for medical images can be easily compromised by adversarial examples (AEs), posing a great security flaw in clinical decision-making. It has been discovered that conventional adversarial attacks like PGD which optimize the classification logits, are easy to distinguish in the feature space, resulting in accurate reactive defenses. To better understand this phenomenon and reassess the reliability of the reactive defenses for medical AEs, we thoroughly investigate the characteristic of conventional medical AEs. Specifically, we first theoretically prove that conventional adversarial attacks change the outputs by continuously optimizing vulnerable features in a fixed direction, thereby leading to outlier representations in the feature space. Then, a stress test is conducted to reveal the vulnerability of medical images, by comparing with natural images. Interestingly, this vulnerability is a double-edged sword, which can be exploited to hide AEs. We then propose a simple-yet-effective hierarchical feature constraint (HFC), a novel add-on to conventional white-box attacks, which assists to hide the adversarial feature in the target feature distribution. The proposed method is evaluated on three medical datasets, both 2D and 3D, with different modalities. The experimental results demonstrate the superiority of HFC, \emph{i.e.,} it bypasses an array of state-of-the-art adversarial medical AE detectors more efficiently than competing adaptive attacks, which reveals the deficiencies of medical reactive defense and allows to develop more robust defenses in future.