Training-Free Defense Against Adversarial Attacks in Deep Learning MRI Reconstruction
Mahdi Saberi, Chi Zhang, Mehmet Ak\c{c}akaya
TL;DR
This paper introduces a training-free method to defend against adversarial attacks in MRI reconstruction, effectively reducing distortions caused by small perturbations without retraining the model.
Contribution
The authors propose a novel cyclic measurement consistency-based mitigation approach that works without retraining and outperforms traditional methods in various attack scenarios.
Findings
Significantly reduces adversarial impact across datasets and attack types
Outperforms retraining-based mitigation methods in quality metrics
Effective in blind and adaptive attack scenarios
Abstract
Deep learning (DL) methods have become the state-of-the-art for reconstructing sub-sampled magnetic resonance imaging (MRI) data. However, studies have shown that these methods are susceptible to small adversarial input perturbations, or attacks, resulting in major distortions in the output images. Various strategies have been proposed to reduce the effects of these attacks, but they require retraining and may lower reconstruction quality for non-perturbed/clean inputs. In this work, we propose a novel approach for mitigating adversarial attacks on MRI reconstruction models without any retraining. Based on the idea of cyclic measurement consistency, we devise a novel mitigation objective that is minimized in a small ball around the attack input. Results show that our method substantially reduces the impact of adversarial perturbations across different datasets, attack types/strengths…
Peer Reviews
Decision·Submitted to ICLR 2026
(1) The method is well-motivated by the physics of MRI acquisition, particularly the role of data fidelity in unrolled networks and the propagation of perturbations to unacquired k-space locations. (2) While cyclic consistency has been used in training and self-supervised learning, its adaptation for adversarial defense, especially in a training-free setting—is innovative.
(1) The adaptive attack results (Table 2) show that the iterative version of the defense remains effective, but the computational cost is glossed over. For T=100 unrolls, the iterative defense requires around 100 iterations—this is computationally prohibitive for real-time MRI reconstruction. The authors fail to analyze the trade-off between defense strength and computational efficiency. (2) The paper mainly focuses on worst-case adversarial perturbations but does not test the method against r
- The paper is well written, with a clear motivation for the proposed framework. - The method is training-free, though it requires per-sample optimization. - Experiments demonstrate the effectiveness of the proposed method against several standard adversarial attacks in MRI reconstruction.
- The need to mitigate adversarial attack in the domain of MRI reconstruction does not convince me. - The proposed method relies on the assumption that the perturbation causes large changes in $\Omega^C$ and small changes in $\Omega$. However, quantitative justification for the bounds (lines 254–255) is missing. It is difficult to measure the effectiveness or generality of the proposed method across different scenarios.
- Thorough Evaluation: Multiple datasets (Cor-PD knee, Ax-FLAIR brain). Multiple architectures (MoDL, XPDNet, RIM, E2E-VarNet, Recurrent-VarNet). Multiple attack types: ℓ∞ image-domain, ℓ₂ k-space, sparse ℓ₀ (herringbone artifacts), and adaptive attacks. - Physics-Driven Explanation: Theorem 1 offers an interpretable bound linking perturbations on acquired lines Ω to residuals on unacquired Ωᴄ, clarifying why cyclic inconsistency signals attacks. - Strong Empirical Results: +1–3 dB PSNR gains
1. While cyclic consistency is repurposed cleverly, much of the mathematical machinery (MoDL unrolling, PGD, consistency loss) builds directly on existing ideas; clarifying the conceptual leap beyond earlier “cycle-consistency” works (e.g., Zhang & Akçakaya 2024) would strengthen novelty. 2. Reverse-PGD plus multiple reconstructions is expensive (each iteration requires forward + inverse passes). Reported runtimes and wall-clock comparisons to AT/SMUG would help. 3. Paper should compare to con
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdversarial Robustness in Machine Learning · Advanced X-ray and CT Imaging
MethodsSparse Evolutionary Training