The Butterfly Effect in Pathology: Exploring Security in Pathology Foundation Models

TL;DR

This paper systematically investigates the security vulnerabilities of pathology foundation models against adversarial attacks, revealing significant accuracy degradation with minimal perturbations and exploring potential defenses.

Contribution

It introduces a novel label-free attack framework for pathology models, revises classical attack methods for WSI, and provides comprehensive experimental analysis across multiple datasets and tasks.

Findings

Adversarial attacks can reduce model accuracy by up to 20%.

Minimal perturbations (0.1%) can cause significant performance drops.

Analysis of vulnerability factors and potential defense strategies.

Abstract

With the widespread adoption of pathology foundation models in both research and clinical decision support systems, exploring their security has become a critical concern. However, despite their growing impact, the vulnerability of these models to adversarial attacks remains largely unexplored. In this work, we present the first systematic investigation into the security of pathology foundation models for whole slide image~(WSI) analysis against adversarial attacks. Specifically, we introduce the principle of \textit{local perturbation with global impact} and propose a label-free attack framework that operates without requiring access to downstream task labels. Under this attack framework, we revise four classical white-box attack methods and redefine the perturbation budget based on the characteristics of WSI. We conduct comprehensive experiments on three representative pathology foundation models across five datasets and six downstream tasks. Despite modifying only 0.1\% of patches per slide with imperceptible noise, our attack leads to downstream accuracy degradation that can reach up to 20\% in the worst cases. Furthermore, we analyze key factors that influence attack success, explore the relationship between patch-level vulnerability and semantic content, and conduct a preliminary investigation into potential defence strategies. These findings lay the groundwork for future research on the adversarial robustness and reliable deployment of pathology foundation models. Our code is publicly available at: https://github.com/Jiashuai-Liu-hmos/Attack-WSI-pathology-foundation-models.