Adversarial Attack Vulnerability of Deep Learning Models for Oncologic Images

2021 
Background: Deep learning (DL) models have shown the ability to automate the classification of medical images used for cancer detection. Unfortunately, recent studies have found that DL models are vulnerable to adversarial attacks, which manipulate models into making incorrect predictions with high confidence. A better understanding is needed of how adversarial attacks affect the predictive ability of DL models in the medical image domain.

Methods: We studied the adversarial attack susceptibility of DL models for three common imaging tasks within oncology. We investigated how PGD adversarial training could be employed to increase model robustness against FGSM, PGD, and BIM attacks. Finally, we studied the utility of adversarial sensitivity as a metric for improving model performance.

Results: Our experiments showed that medical DL models were highly sensitive to adversarial attacks: visually imperceptible degrees of perturbation (<0.004) were sufficient to deceive the model the majority of the time. DL models for medical images were more vulnerable to adversarial attacks than DL models for non-medical images. Adversarial training increased model performance on adversarial samples for all classification tasks. We were able to increase model accuracy on clean images for all datasets by excluding the images most vulnerable to adversarial perturbation.

Conclusion: Our results indicate that while medical DL systems are extremely susceptible to adversarial attacks, adversarial training shows promise as an effective defense against them. The adversarial susceptibility of individual images can be used to increase model performance by identifying the images most at risk of misclassification. Our findings provide a useful basis for designing more robust and accurate medical DL models as well as techniques to defend models from adversarial attack.
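As an added worked example (not the paper's code, models or data), the following Python script implements the three attacks the abstract names (FGSM, BIM and PGD under an L_inf budget), PGD adversarial training, and a per-image adversarial-sensitivity score used to drop the most fragile inputs before measuring clean accuracy. It uses a logistic-regression classifier rather than a CNN, and a constructed synthetic dataset: one feature that agrees with the label 80% of the time plus 20 weakly informative Gaussian features, so that a normally trained model leans on the weak features and an adversarially trained one learns to ignore them. The epsilon values are in raw feature units and are not comparable with the paper's <0.004 figure; every constant, function name and parameter below is this example's own assumption.

```python
"""FGSM/BIM/PGD, PGD adversarial training and adversarial sensitivity on a
logistic-regression model over constructed data (added example, not the
paper's code; the paper evaluates CNNs on real oncologic images)."""
import numpy as np

D_WEAK, P_ROBUST, ETA = 20, 0.8, 0.25   # constructed-data parameters (assumed)
EPS, ALPHA, STEPS = 0.4, 0.1, 10         # L_inf budget, BIM/PGD step, iterations

def make_data(n, rng):
    """Constructed dataset: x[:, 0] is the robust feature, the rest are weak."""
    y = rng.choice([-1.0, 1.0], size=n)
    robust = np.where(rng.random(n) < P_ROBUST, y, -y)
    weak = rng.normal(ETA * y[:, None], 1.0, size=(n, D_WEAK))
    return np.column_stack([robust, weak]), y

def logits(w, b, x):
    return x @ w + b

def accuracy(w, b, x, y):
    return float(np.mean(np.sign(logits(w, b, x)) == y))

def grad_x(w, b, x, y):
    """Gradient of the logistic loss log(1 + exp(-y*z)) with respect to x."""
    dz = -y / (1.0 + np.exp(y * logits(w, b, x)))
    return dz[:, None] * w[None, :]

def fgsm(w, b, x, y, eps):
    """One step of size eps along the sign of the input gradient."""
    return x + eps * np.sign(grad_x(w, b, x, y))

def _iterate(w, b, center, start, y, eps, alpha, steps):
    """Signed-gradient ascent, projected onto the L_inf ball around center."""
    x_adv = start
    for _ in range(steps):
        x_adv = x_adv + alpha * np.sign(grad_x(w, b, x_adv, y))
        x_adv = np.clip(x_adv, center - eps, center + eps)
    return x_adv

def bim(w, b, x, y, eps, alpha=ALPHA, steps=STEPS):
    """Basic Iterative Method: iterated FGSM started from the clean input."""
    return _iterate(w, b, x, x, y, eps, alpha, steps)

def pgd(w, b, x, y, eps, rng, alpha=ALPHA, steps=STEPS):
    """PGD: BIM started from a random point inside the ball."""
    start = x + rng.uniform(-eps, eps, size=x.shape)
    return _iterate(w, b, x, start, y, eps, alpha, steps)

def train(x, y, rng, adversarial=False, epochs=300, lr=0.1):
    """Full-batch gradient descent on the logistic loss.  With adversarial=True
    every step is taken on PGD examples crafted against the current weights."""
    w, b = np.zeros(x.shape[1]), 0.0
    for _ in range(epochs):
        xt = pgd(w, b, x, y, EPS, rng) if adversarial else x
        dz = -y / (1.0 + np.exp(y * logits(w, b, xt)))
        w -= lr * (xt.T @ dz) / len(y)
        b -= lr * dz.mean()
    return w, b

def sensitivity(w, b, x, eps_grid):
    """Smallest eps on the grid at which FGSM flips the *predicted* label.  The
    attack is driven by the model's own prediction, so this scores how little
    perturbation the model's decision tolerates, not whether it is correct.
    np.inf where no eps on the grid flips it."""
    pred = np.sign(logits(w, b, x))
    out = np.full(len(x), np.inf)
    for eps in sorted(eps_grid, reverse=True):   # descending: smallest eps wins
        flipped = np.sign(logits(w, b, fgsm(w, b, x, pred, eps))) != pred
        out[flipped] = eps
    return out

def run_experiment(seed=0, n_train=2000, n_test=2000, drop_fraction=0.2):
    rng = np.random.default_rng(seed)
    x_tr, y_tr = make_data(n_train, rng)
    x_te, y_te = make_data(n_test, rng)
    models = {"standard": train(x_tr, y_tr, rng),
              "adv_trained": train(x_tr, y_tr, rng, adversarial=True)}
    res = {}
    for name, (w, b) in models.items():
        res[name] = {
            "clean": accuracy(w, b, x_te, y_te),
            "fgsm": accuracy(w, b, fgsm(w, b, x_te, y_te, EPS), y_te),
            "bim": accuracy(w, b, bim(w, b, x_te, y_te, EPS), y_te),
            "pgd": accuracy(w, b, pgd(w, b, x_te, y_te, EPS, rng), y_te),
        }
    # Sensitivity as a triage metric: drop the most fragile fraction of the
    # clean test set and re-measure the standard model's clean accuracy.
    w, b = models["standard"]
    order = np.argsort(sensitivity(w, b, x_te, np.linspace(0.01, 1.0, 100)))
    keep = order[int(drop_fraction * n_test):]
    res["standard"]["clean_after_filter"] = accuracy(w, b, x_te[keep], y_te[keep])
    return res

if __name__ == "__main__":
    for model, scores in run_experiment().items():
        print(model, {k: round(v, 3) for k, v in scores.items()})
```

Two caveats a practitioner should carry over to real models. First, for a linear classifier the input gradient has a fixed direction, so FGSM, BIM and PGD all land on the same corner of the L_inf ball and report the same robust accuracy; the iterative attacks only pull ahead of FGSM on non-linear models, which is why the paper evaluates all three. Second, the sensitivity filter raises clean accuracy by removing the inputs the model is least confident about, so it is a triage signal for flagging images that need a second look, not a repair of the model itself, and it must be applied to the same model whose predictions are being trusted.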