Abstract

Deep learning has achieved remarkable success in the medical domain, which makes it crucial to assess its vulnerabilities in medical systems. This study examines backdoor attack (BA) methods to evaluate the reliability and security of medical image analysis systems. However, most BA methods focus on isolated downstream tasks and are considered post-imaging attacks, missing a comprehensive security assessment of the full-stack medical image analysis systems from data acquisition to analysis. Reconstructing images from measured data for downstream tasks requires complex transformations, which challenge the design of triggers in the measurement domain. Typically, hackers only access measured data in scanners. To tackle this challenge, this paper introduces a novel Learnable Trigger Generation Method~(LTGM) for measured data. This pre-imaging attack method aims to attack the downstream task without compromising the reconstruction process or imaging quality. LTGM employs a trigger function in the measurement domain to inject a learned trigger into the measured data. To avoid the bias from handcrafted knowledge, this trigger is formulated by learning from the gradients of two key tasks: reconstruction and analysis. Crucially, LTGM’s trigger strives to balance its impact on analysis with minimal additional noise and artifacts in the reconstructed images by carefully analyzing gradients from both tasks. Comprehensive experiments have been conducted to demonstrate the vulnerabilities in full-stack medical systems and to validate the effectiveness of the proposed method using the public dataset. Our code is available at https://github.com/Deep-Imaging-Group/LTGM.

Links to Paper and Supplementary Materials

Main Paper (Open Access Version): https://papers.miccai.org/miccai-2024/paper/0983_paper.pdf

SharedIt Link: https://rdcu.be/dV5Di

SpringerLink (DOI): https://doi.org/10.1007/978-3-031-72104-5_38

Supplementary Material: N/A

Link to the Code Repository

https://github.com/Deep-Imaging-Group/LTGM

Link to the Dataset(s)

N/A

BibTex

@InProceedings{Yan_Inject_MICCAI2024,
        author = { Yang, Ziyuan and Chen, Yingyu and Sun, Mengyu and Zhang, Yi},
        title = { { Inject Backdoor in Measured Data to Jeopardize Full-Stack Medical Image Analysis System } },
        booktitle = {proceedings of Medical Image Computing and Computer Assisted Intervention -- MICCAI 2024},
        year = {2024},
        publisher = {Springer Nature Switzerland},
        volume = {LNCS 15007},
        month = {October},
        page = {393 -- 402}
}


Reviews

Review #1

  • Please describe the contribution of the paper

    This paper focuses on developing a new attack way for full-stack medical analysis system, highlighting vulnerability through backdoor attacks in the measurement domain.

  • Please list the main strengths of the paper; you should write about a novel formulation, an original way to use data, demonstration of clinical feasibility, a novel application, a particularly strong evaluation, or anything else that is a strong aspect of this work. Please provide details, for instance, if a method is novel, explain what aspect is novel and why this is interesting.

    The novelty of this work lies in the reconstruction process in which an automatic trigger is designed to effectively activate backdoor attacks.

  • Please list the main weaknesses of the paper. Please provide details, for instance, if you think a method is not novel, explain why and provide a reference to prior work.

    The authors claim to develop a full-stack medical analysis system is not supported by the developed method. Also the attack generation step is not properly discuss by the authors. Similarly, the claim that this method reduces the need for prior knowledge is not comprehended in the given version of the paper.

  • Please rate the clarity and organization of this paper

    Satisfactory

  • Please comment on the reproducibility of the paper. Please be aware that providing code and data is a plus, but not a requirement for acceptance.

    The submission does not provide sufficient information for reproducibility.

  • Do you have any additional comments regarding the paper’s reproducibility?

    N/A

  • Please provide detailed and constructive comments for the authors. Please also refer to our Reviewer’s guide on what makes a good review. Pay specific attention to the different assessment criteria for the different paper categories (MIC, CAI, Clinical Translation of Methodology, Health Equity): https://conferences.miccai.org/2024/en/REVIEWER-GUIDELINES.html

    Following are my major concerns: • The abstract and conclusion are not written properly; the authors need to rewrite it. • The motivation and contribution of this work needs to be highlighted in proper manner in the introduction section to make it clearer for the readers to comprehend the main theme targeted in this article. • The contribution of this work is limited since there exists many articles that targeted the same topic. The authors should highlight their contributions in a proper manner by emphasizing on how their work is different from other articles? • The authors should enhance the quality of related work section by adding more latest articles from top venues. • The authors need to compare their results with latest state-of-the-art studies published in top journals and conferences. • The authors should discuss the algorithmic steps in detail and present the cost analysis of the proposed model. • More results and discussion are required to validate the performance of the proposed model. • More detail analysis of the existing studies is required. • The paper needs rewriting and language polishing since it has many typos and English mistakes.

  • Rate the paper on a scale of 1-6, 6 being the strongest (6-4: accept; 3-1: reject). Please use the entire range of the distribution. Spreading the score helps create a distribution for decision-making

    Strong Reject — must be rejected due to major flaws (1)

  • Please justify your recommendation. What were the major factors that led you to your overall score for this paper?

    the major claims of the paper are not supported by the results and evaluation section

  • Reviewer confidence

    Very confident (4)

  • [Post rebuttal] After reading the author’s rebuttal, state your overall opinion of the paper if it has been changed

    Strong Reject — must be rejected due to major flaws (1)

  • [Post rebuttal] Please justify your decision

    i am not satisfied with the responses provided by the authors regarding the contributions and experiments section.



Review #2

  • Please describe the contribution of the paper

    This paper introduces a novel Learnable Trigger Generation Method (LTGM) designed to inject backdoors into full-stack medical image analysis systems without disrupting the image reconstruction process. The method leverages a learnable trigger function applied to measurement data, which is formulated by analyzing gradients from both reconstruction and analysis tasks. The study demonstrates LTGM’s ability to maintain image quality while effectively compromising the security of medical systems, highlighting the need for robust security measures against such vulnerabilities. The effectiveness of LTGM is validated through comprehensive experiments using a public dataset.

  • Please list the main strengths of the paper; you should write about a novel formulation, an original way to use data, demonstration of clinical feasibility, a novel application, a particularly strong evaluation, or anything else that is a strong aspect of this work. Please provide details, for instance, if a method is novel, explain what aspect is novel and why this is interesting.
    • Interesting topic: backdoor attack is a hot and very important topic.
    • Clear description of the method: the author present the method very clearly.
  • Please list the main weaknesses of the paper. Please provide details, for instance, if you think a method is not novel, explain why and provide a reference to prior work.
    • lack of detailed explanation
    • more experiments See detailed comments below.
  • Please rate the clarity and organization of this paper

    Very Good

  • Please comment on the reproducibility of the paper. Please be aware that providing code and data is a plus, but not a requirement for acceptance.

    The submission does not mention open access to source code or data but provides a clear and detailed description of the algorithm to ensure reproducibility.

  • Do you have any additional comments regarding the paper’s reproducibility?

    N/A

  • Please provide detailed and constructive comments for the authors. Please also refer to our Reviewer’s guide on what makes a good review. Pay specific attention to the different assessment criteria for the different paper categories (MIC, CAI, Clinical Translation of Methodology, Health Equity): https://conferences.miccai.org/2024/en/REVIEWER-GUIDELINES.html
    • It would be beneficial if the authors could provide a threat model section, detailing the attack scenario, the attacker’s objectives, and their capabilities.
    • I am unclear about the distinction between the invisible backdoor attack in the CV domain[1][2][3]. Please elaborate on this and compare it with your approach.
    • I am also curious about the robustness of this work. Could the authors conduct experiments on additional model architectures, such as ResNet-18?

    [1] Invisible Backdoor Attack with Sample-Specific Triggers [2] Poison Ink: Robust and Invisible Backdoor Attack [3] Invisible Backdoor Attack With Dynamic Triggers Against Person Re-Identification

  • Rate the paper on a scale of 1-6, 6 being the strongest (6-4: accept; 3-1: reject). Please use the entire range of the distribution. Spreading the score helps create a distribution for decision-making

    Weak Reject — could be rejected, dependent on rebuttal (3)

  • Please justify your recommendation. What were the major factors that led you to your overall score for this paper?

    The distinction between the invisible backdoor attack in the CV domain[1][2][3] is my major concern. I would like to see the authors could address their novelty compared to existing invisible backdoor attacks.

  • Reviewer confidence

    Confident but not absolutely certain (3)

  • [Post rebuttal] After reading the author’s rebuttal, state your overall opinion of the paper if it has been changed

    Weak Reject — could be rejected, dependent on rebuttal (3)

  • [Post rebuttal] Please justify your decision

    After reading the rebuttal and all the reviews, I decided to keep my score. The main reason is still due to the lack of novelty.



Review #3

  • Please describe the contribution of the paper

    This paper introduces a novel Learnable Trigger Generation Method (LTGM) to analyze the vulnerabilities of full-stack medical image analysis systems to backdoor attacks in the measurement domain. LTGM is an invisible BA method, which could learn triggers without manual knowledge to attack downstream tasks without destroying the reconstruction process.

  • Please list the main strengths of the paper; you should write about a novel formulation, an original way to use data, demonstration of clinical feasibility, a novel application, a particularly strong evaluation, or anything else that is a strong aspect of this work. Please provide details, for instance, if a method is novel, explain what aspect is novel and why this is interesting.

    a. Interesting idea: Currently, there may be no work focusing on the security of CT imaging measure data security. Most existing studies are confined to the image domain. This paper proposed to inject backdoors before the CT imaging process and this method is capable of attacking downstream tasks without affecting the imaging quality. This undoubtedly has a significant impact on evaluating the vulnerabilities and security of full-stack medical analysis systems, making it both interesting and meaningful. This work might be the first paper that focuses on the security of CT measure data and implementing effective backdoor injection before imaging. b. Solid results: From the quantitative and visual results, the proposed method achieves a good balance between image quality and attack effectiveness. It significantly improves image quality while achieving competitive attack results compared to SOTA methods.

  • Please list the main weaknesses of the paper. Please provide details, for instance, if you think a method is not novel, explain why and provide a reference to prior work.

    a. Several typos. Check for spelling errors on line 12 of page 4 and line 1 of page 7. b. The abbreviation “BA” in the paper has two meanings: “Backdoor Attack” and “Benign Accuracy.” This may cause confusion between the two in the Section 3.2 Experimental Results. c. Maybe the authors could discuss more about the attack performance under different CT scanning parameters.

  • Please rate the clarity and organization of this paper

    Very Good

  • Please comment on the reproducibility of the paper. Please be aware that providing code and data is a plus, but not a requirement for acceptance.

    The authors claimed to release the source code and/or dataset upon acceptance of the submission.

  • Do you have any additional comments regarding the paper’s reproducibility?

    The methodology in the paper is clearly written and easily reproducible. It would be even better if the code will be open-sourced.

  • Please provide detailed and constructive comments for the authors. Please also refer to our Reviewer’s guide on what makes a good review. Pay specific attention to the different assessment criteria for the different paper categories (MIC, CAI, Clinical Translation of Methodology, Health Equity): https://conferences.miccai.org/2024/en/REVIEWER-GUIDELINES.html

    a. In Figure 3 and the tables, the meanings of different superscripts can be annotated in the captions to enhance readability. b. It would be better if the author could introduce several potential defense methods against this method in Sec. Conclusion.

  • Rate the paper on a scale of 1-6, 6 being the strongest (6-4: accept; 3-1: reject). Please use the entire range of the distribution. Spreading the score helps create a distribution for decision-making

    Strong Accept — must be accepted due to excellence (6)

  • Please justify your recommendation. What were the major factors that led you to your overall score for this paper?

    This paper is well-organized, and this method is novel and interesting. Compared to other methods that post-imaging attacks, this method enables a novel attack way, a pre-imaging attack way. The experimental results are good and can validate the vulnerability of the full-stack medical analysis systems.

  • Reviewer confidence

    Very confident (4)

  • [Post rebuttal] After reading the author’s rebuttal, state your overall opinion of the paper if it has been changed

    Strong Accept — must be accepted due to excellence (6)

  • [Post rebuttal] Please justify your decision

    The method is novel and interesting, which is the first paper about pre-imaging backdoor attack. The authors introduce a new threat scenario and develop an innovative attack method. In their rebuttal, the authors highlight the difference of their method and others. Meanwhile, the authors have committed to releasing their code, which will greatly assist readers in replicating their approach.




Author Feedback

Title: Inject Backdoor in Measured Data to Jeopardize Full-Stack Medical Image Analysis System

We thank the reviewers for recognizing our approach as “interesting idea/topic “, “clear description”, and “well-organized”. The writings and unclear descriptions have been revised and will be updated in the next version.

@R #1 and @R #3 It would be even better if the code will be open-sourced.

Thanks for your suggestion. We intend to make code available after acceptance.

@R #2 It would be beneficial if the authors could provide a threat model section.

Full-stack medical analysis system (FMAS) consists of imaging and analysis models. The scanned data is the measurement data, such as the sinogram data, rather than the image data. Hence, the measurement data is required be passed to the reconstruction module to show patients’ anatomical information. In the pipeline, a hacker can threaten an FMAS and control the downstream model in two ways: by injecting a trigger into the scanner or during the transmission process. Previous works assume that the hacker has to gain unauthorized access to the downstream model, which is typically well-protected locally. Therefore, compared to previous works, our assumption is more relaxed.

@R #2 and @R #3 Please elaborate on the distinction between the invisible backdoor attack in the CV domain.

There are significant differences between our approach and the invisible backdoor attack in the CT domain. To our knowledge, existing works focus on injecting triggers into images, which can be considered post-imaging attacks, as Reviewer #1 noted. These methods do not consider injecting triggers into measurement data, which is quite different from the CV domain. Due to the physics of the reconstruction process, triggers designed by these methods may not remain invisible in the image domain when injected into the measurement data, as the results shown in our paper. Our approach avoids introducing visible labels by injecting triggers in the measurement domain without requiring handcrafted prior. Our approach can be regarded as a pre-imaging attack technique, and, to the best of our knowledge, this is the first attempt in this field. This method effectively assesses the security of FMAS, thereby addressing a critical gap in the existing literature.

Besides, we conducted experiments on the methods mentioned by the reviewers, which also introduce visible triggers in the image domain if we inject the triggers into the measurement data. We will add related experiments in the final version, and we will highlight our novelty compared to existing invisible backdoor attacks.

@R #2 The robustness of the proposed method.

Thanks to your question. Our method automatically learns and generates the invisible trigger without any prior knowledge. Hence, similar to most backdoor attack methods, our method is a model-agnostic framework. To support our point, we will include robustness-related experiments, such as ResNet, in our camera-ready version.

R #3 The contribution of this work is limited since there exists many articles that targeted the same topic.

We agree that many papers address security issues in the medical field, highlighting the importance of evaluating the security of medical systems. However, our approach differs significantly from others as it employs a pre-imaging attack method, whereas others use post-imaging attack methods. This distinction raises significant security concerns regarding the imaging process, which existing works have overlooked. Consequently, our work comprehensively validates the security of an FMAS.

R #3 The authors should discuss the algorithmic steps in detail and present the cost analysis of the proposed model.

Thank you for your suggestion. We will add a pseudo-code style algorithm in the final version to help readers better understand our method. Additionally, as promised, we will release our code to ensure proper implementation.




Meta-Review

Meta-review #1

  • After you have reviewed the rebuttal and updated reviews, please provide your recommendation based on all reviews and the authors’ rebuttal.

    Accept

  • Please justify your recommendation. You may optionally write justifications for ‘accepts’, but are expected to write a justification for ‘rejects’

    Although Reviewer R2 noted a lack of novelty, the paper presents an intriguing approach by focusing on pre-imaging attack methods, contrasting with the post-imaging attack methods commonly discussed in the literature. This perspective could be of significant interest to the MICCAI community. I am inclined to recommend acceptance, provided that the authors address the reviewers’ NITs.

  • What is the rank of this paper among all your rebuttal papers? Use a number between 1/n (best paper in your stack) and n/n (worst paper in your stack of n papers). If this paper is among the bottom 30% of your stack, feel free to use NR (not ranked).

    Although Reviewer R2 noted a lack of novelty, the paper presents an intriguing approach by focusing on pre-imaging attack methods, contrasting with the post-imaging attack methods commonly discussed in the literature. This perspective could be of significant interest to the MICCAI community. I am inclined to recommend acceptance, provided that the authors address the reviewers’ NITs.



Meta-review #2

  • After you have reviewed the rebuttal and updated reviews, please provide your recommendation based on all reviews and the authors’ rebuttal.

    Reject

  • Please justify your recommendation. You may optionally write justifications for ‘accepts’, but are expected to write a justification for ‘rejects’

    This paper proposes a way to attack the image analysis pipeline without hurting the reconstruction quality of CT images. The implementation can be regarded as a pre-imaging attack, which is rarely reported before. Reviewers are divided on this paper. Putting aside these controversial arguments, my main concern is about the real usage of this paper. In what circumstances does this work contribute to medical imaging and clinical applications? I agree the idea in this paper is interesting, but the authors should also provide a clear insight or implication of the potential merit of their work.

  • What is the rank of this paper among all your rebuttal papers? Use a number between 1/n (best paper in your stack) and n/n (worst paper in your stack of n papers). If this paper is among the bottom 30% of your stack, feel free to use NR (not ranked).

    This paper proposes a way to attack the image analysis pipeline without hurting the reconstruction quality of CT images. The implementation can be regarded as a pre-imaging attack, which is rarely reported before. Reviewers are divided on this paper. Putting aside these controversial arguments, my main concern is about the real usage of this paper. In what circumstances does this work contribute to medical imaging and clinical applications? I agree the idea in this paper is interesting, but the authors should also provide a clear insight or implication of the potential merit of their work.



Meta-review #3

  • After you have reviewed the rebuttal and updated reviews, please provide your recommendation based on all reviews and the authors’ rebuttal.

    Accept

  • Please justify your recommendation. You may optionally write justifications for ‘accepts’, but are expected to write a justification for ‘rejects’

    This paper proposes an interesting security issue in CT reconstruction. There are diverging reviews, but Reviewer 4’s review seems too superficial and did not provide sufficient evidence that the paper is unacceptable. I am inclined more to Reviewer 1’s opinion. I also disagree with the view of Meta Reviewer 4 regarding the real usage of this paper, which is well discussed in the introduction of the paper. Therefore, I recommend accepting this paper.

  • What is the rank of this paper among all your rebuttal papers? Use a number between 1/n (best paper in your stack) and n/n (worst paper in your stack of n papers). If this paper is among the bottom 30% of your stack, feel free to use NR (not ranked).

    This paper proposes an interesting security issue in CT reconstruction. There are diverging reviews, but Reviewer 4’s review seems too superficial and did not provide sufficient evidence that the paper is unacceptable. I am inclined more to Reviewer 1’s opinion. I also disagree with the view of Meta Reviewer 4 regarding the real usage of this paper, which is well discussed in the introduction of the paper. Therefore, I recommend accepting this paper.



back to top