Exploring Adversarial Watermarking in Transformer-Based Models: Transferability and Robustness Against Defense Mechanism for Medical Images

TL;DR

This study investigates the vulnerability of Vision Transformers to adversarial watermarking in medical images, demonstrating significant accuracy drops under attack and the effectiveness of adversarial training as a defense.

Contribution

It is the first to analyze adversarial watermarking transferability and robustness specifically in transformer-based models for medical image analysis.

Findings

ViTs are highly vulnerable to adversarial watermarking with accuracy dropping up to 27.6%.

Adversarial training improves robustness, restoring accuracy to 90%.

Transferability of attacks from ViTs to CNNs is demonstrated.

Abstract

Deep learning models have shown remarkable success in dermatological image analysis, offering potential for automated skin disease diagnosis. Previously, convolutional neural network(CNN) based architectures have achieved immense popularity and success in computer vision (CV) based task like skin image recognition, generation and video analysis. But with the emergence of transformer based models, CV tasks are now are nowadays carrying out using these models. Vision Transformers (ViTs) is such a transformer-based models that have shown success in computer vision. It uses self-attention mechanisms to achieve state-of-the-art performance across various tasks. However, their reliance on global attention mechanisms makes them susceptible to adversarial perturbations. This paper aims to investigate the susceptibility of ViTs for medical images to adversarial watermarking-a method that adds so-called imperceptible perturbations in order to fool models. By generating adversarial watermarks through Projected Gradient Descent (PGD), we examine the transferability of such attacks to CNNs and analyze the performance defense mechanism -- adversarial training. Results indicate that while performance is not compromised for clean images, ViTs certainly become much more vulnerable to adversarial attacks: an accuracy drop of as low as 27.6%. Nevertheless, adversarial training raises it up to 90.0%.