Abstract

Adversarial attacks pose significant challenges for vision models in critical fields like healthcare, where reliability is essential. Although adversarial training has been well studied for natural images, its application to biomedical and microscopy data remains limited. Existing self-supervised adversarial training methods overlook the hierarchical structure of histopathology images, where patient-slide-patch relationships provide valuable discriminative signals. To address this, we propose Hierarchical Self-Supervised Adversarial Training (HSAT), which exploits these hierarchical relationships to craft adversarial examples using multi-level contrastive learning and integrates them into adversarial training for enhanced robustness. We evaluate HSAT on the multiclass histopathology dataset OpenSRH, and the results show that HSAT outperforms existing methods from both the biomedical and natural image domains. HSAT enhances robustness, achieving an average gain of 54.31% in the white-box setting and reducing performance drops to 3-4% in the black-box setting, compared to 25-30% for the baseline. These results set a new benchmark for adversarial training in this domain, paving the way for more robust models. Code and models are available at https://github.com/HashmatShadab/HSAT.
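
At a high level, HSAT alternates a maximization step, which crafts perturbations that increase a hierarchical contrastive loss with patch-, slide-, and patient-level positives, and a minimization step, which trains the encoder on the resulting adversarial views. The PyTorch sketch below illustrates that loop; the function names (hierarchical_contrastive_loss, hsat_step), the equal weighting of the three levels, and the PGD hyperparameters are illustrative assumptions, not the paper's exact formulation (see the repository above for the authors' implementation).

    import torch
    import torch.nn.functional as F

    def hierarchical_contrastive_loss(z, patch_ids, slide_ids, patient_ids, tau=0.5):
        # InfoNCE-style objective: at each hierarchy level, embeddings sharing an
        # identity (same patch, slide, or patient) act as positives; the three
        # per-level losses are summed with equal weight (an illustrative choice).
        z = F.normalize(z, dim=1)
        n = z.size(0)
        eye = torch.eye(n, dtype=torch.bool, device=z.device)
        sim = (z @ z.t()) / tau
        log_prob = sim - torch.logsumexp(sim.masked_fill(eye, -1e9), dim=1, keepdim=True)
        loss = 0.0
        for ids in (patch_ids, slide_ids, patient_ids):
            pos = (ids[:, None] == ids[None, :]) & ~eye
            loss = loss - (log_prob * pos).sum(1).div(pos.sum(1).clamp(min=1)).mean()
        return loss

    def hsat_step(encoder, x, patch_ids, slide_ids, patient_ids,
                  eps=8/255, alpha=2/255, steps=5):
        # Maximization: PGD on the inputs to maximize the hierarchical loss.
        delta = torch.empty_like(x).uniform_(-eps, eps).requires_grad_(True)
        for _ in range(steps):
            adv_loss = hierarchical_contrastive_loss(
                encoder((x + delta).clamp(0, 1)), patch_ids, slide_ids, patient_ids)
            grad, = torch.autograd.grad(adv_loss, delta)
            delta = (delta + alpha * grad.sign()).clamp(-eps, eps).detach().requires_grad_(True)
        # Minimization: the caller backpropagates this loss into the encoder.
        x_adv = (x + delta).detach().clamp(0, 1)
        return hierarchical_contrastive_loss(encoder(x_adv), patch_ids, slide_ids, patient_ids)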



Links to Paper and Supplementary Materials

Main Paper (Open Access Version): https://papers.miccai.org/miccai-2025/paper/3668_paper.pdf

SharedIt Link: Not yet available

SpringerLink (DOI): Not yet available

Supplementary Material: Not Submitted

Link to the Code Repository

https://github.com/HashmatShadab/HSAT

Link to the Dataset(s)

OpenSRH Dataset: https://opensrh.mlins.org/

BibTex

@InProceedings{MalHas_Hierarchical_MICCAI2025,
        author = { Malik, Hashmat Shadab and Kunhimon, Shahina and Naseer, Muzammal and Khan, Fahad Shahbaz and Khan, Salman},
        title = { { Hierarchical Self-Supervised Adversarial Training for Robust Vision Models in Histopathology } },
        booktitle = {Proceedings of Medical Image Computing and Computer Assisted Intervention -- MICCAI 2025},
        year = {2025},
        publisher = {Springer Nature Switzerland},
        volume = {LNCS 15960},
        month = {September},
        pages = {241 -- 251}
}


Reviews

Review #1

  • Please describe the contribution of the paper

    This paper presents a novel hierarchical self-supervised adversarial training framework to defend against adversarial attacks in pathological imaging applications. The proposed method is evaluated on a public pathology dataset (OpenSRH) for brain tumor classification. Results show improved adversarial robustness compared to the model without adversarial training.

  • Please list the major strengths of the paper: you should highlight a novel formulation, an original way to use data, demonstration of clinical feasibility, a novel application, a particularly strong evaluation, or anything else that is a strong aspect of this work. Please provide details, for instance, if a method is novel, explain what aspect is novel and why this is interesting.

    The topic of this study, i.e., AI security, is significant. The idea of adversarial training in a self-supervised fashion is novel. Experiments on both white-box and black-box attacks are conducted.

  • Please list the major weaknesses of the paper. Please provide details: for instance, if you state that a formulation, way of using data, demonstration of clinical feasibility, or application is not novel, then you must provide specific references to prior work.

    While evaluating the model on adversarial robustness is important, it is equally valuable to report the standard accuracy of the proposed method (i.e., performance on data without adversarial perturbations).

    The authors state that they are “outperforming existing methods” in the conclusion. Comparing only with [17], i.e., self-supervised learning without adversarial training, is not enough. It is suggested to compare with other adversarial-training-based defense methods such as adversarially robust feature learning (https://doi.org/10.1007/978-3-031-77789-9_23).

    The perturbation budget epsilon was tested at only two values, i.e., 4/255 and 8/255. Testing with a wider range of epsilon is recommended.

  • Please rate the clarity and organization of this paper

    Good

  • Please comment on the reproducibility of the paper. Please be aware that providing code and data is a plus, but not a requirement for acceptance.

    The authors claimed to release the source code and/or dataset upon acceptance of the submission.

  • Optional: If you have any additional comments to share with the authors, please provide them here. Please also refer to our Reviewer’s guide on what makes a good review and pay specific attention to the different assessment criteria for the different paper categories: https://conferences.miccai.org/2025/en/REVIEWER-GUIDELINES.html

    N/A

  • Rate the paper on a scale of 1-6, 6 being the strongest (6-4: accept; 3-1: reject). Please use the entire range of the distribution. Spreading the score helps create a distribution for decision-making.

    (4) Weak Accept — could be accepted, dependent on rebuttal

  • Please justify your recommendation. What were the major factors that led you to your overall score for this paper?

    Self-supervised adversarial training is a novel idea with great potential for improving AI security.

  • Reviewer confidence

    Very confident (4)

  • [Post rebuttal] After reading the authors’ rebuttal, please state your final opinion of the paper.

    N/A

  • [Post rebuttal] Please justify your final decision from above.

    N/A



Review #2

  • Please describe the contribution of the paper

    The paper introduces a novel hierarchical self-supervised adversarial training (HSAT) framework tailored for histopathology images, leveraging patient-slide-patch relationships. This addresses a critical gap in existing adversarial training methods, which often neglect hierarchical structures in biomedical data. The hierarchical approach is well-motivated and represents a significant advancement in medical AI robustness.

  • Please list the major strengths of the paper: you should highlight a novel formulation, an original way to use data, demonstration of clinical feasibility, a novel application, a particularly strong evaluation, or anything else that is a strong aspect of this work. Please provide details, for instance, if a method is novel, explain what aspect is novel and why this is interesting.

    1. The proposed “maximization-minimization” framework effectively integrates hierarchical contrastive learning into adversarial training. The design of multi-level adversarial perturbations (patch, slide, patient) is theoretically sound and aligns well with the hierarchical nature of histopathology data.
    2. The authors conduct thorough evaluations on the OpenSRH dataset, demonstrating HSAT’s superiority over baselines in both white-box and black-box settings. Ablation studies convincingly validate the incremental benefits of hierarchical discrimination. The reported gains (e.g., 54.31% robustness improvement in white-box settings) are impressive.
    3. Enhancing adversarial robustness in medical imaging is crucial for reliable deployment in healthcare. The work provides a timely solution to a high-stakes problem, with potential applications in diagnostic AI systems.
  • Please list the major weaknesses of the paper. Please provide details: for instance, if you state that a formulation, way of using data, demonstration of clinical feasibility, or application is not novel, then you must provide specific references to prior work.

    1. Experiments are restricted to the OpenSRH dataset. Validation on additional histopathology datasets (e.g., Camelyon16, TCGA) is needed to confirm generalizability.
    2. The computational cost of hierarchical adversarial training is not quantified. Given the complexity of multi-level optimization, this could limit scalability, especially for gigapixel WSIs.
    3. The paper compares HSAT to self-supervised baselines but omits comparisons with supervised adversarial training methods, which are still prevalent in medical imaging. This leaves the practical utility of self-supervised HSAT in clinical workflows less clear.
    4. While the framework is empirically validated, theoretical analysis (e.g., convergence guarantees, robustness bounds) is lacking. A deeper mathematical justification for hierarchical contrastive loss would enhance rigor.
  • Please rate the clarity and organization of this paper

    Good

  • Please comment on the reproducibility of the paper. Please be aware that providing code and data is a plus, but not a requirement for acceptance.

    The submission does not mention open access to source code or data but provides a clear and detailed description of the algorithm to ensure reproducibility.

  • Optional: If you have any additional comments to share with the authors, please provide them here. Please also refer to our Reviewer’s guide on what makes a good review and pay specific attention to the different assessment criteria for the different paper categories: https://conferences.miccai.org/2025/en/REVIEWER-GUIDELINES.html

    N/A

  • Rate the paper on a scale of 1-6, 6 being the strongest (6-4: accept; 3-1: reject). Please use the entire range of the distribution. Spreading the score helps create a distribution for decision-making.

    (4) Weak Accept — could be accepted, dependent on rebuttal

  • Please justify your recommendation. What were the major factors that led you to your overall score for this paper?

    This paper presents a compelling and novel approach to adversarial robustness in histopathology. The hierarchical design and strong empirical results make it a valuable contribution to both the medical AI and adversarial machine learning communities. While limitations exist (e.g., dataset diversity, computational analysis), they do not outweigh the paper’s strengths. I recommend acceptance.

  • Reviewer confidence

    Confident but not absolutely certain (3)

  • [Post rebuttal] After reading the authors’ rebuttal, please state your final opinion of the paper.

    N/A

  • [Post rebuttal] Please justify your final decision from above.

    N/A



Review #3

  • Please describe the contribution of the paper

    The authors propose a hierarchical self-supervised adversarial training method for MIL models.

  • Please list the major strengths of the paper: you should highlight a novel formulation, an original way to use data, demonstration of clinical feasibility, a novel application, a particularly strong evaluation, or anything else that is a strong aspect of this work. Please provide details, for instance, if a method is novel, explain what aspect is novel and why this is interesting.

    The proposed method adopts the concept of contrastive learning and performs adversarial perturbations at the patch, slide, and patient levels. The experiments are well-designed, and the proposed approach demonstrates promising improvements.

  • Please list the major weaknesses of the paper. Please provide details: for instance, if you state that a formulation, way of using data, demonstration of clinical feasibility, or application is not novel, then you must provide specific references to prior work.

    1. Adversarial training is widely known to be computationally expensive. Could the authors provide additional details on the training cost of the proposed method, such as run-time or other relevant metrics?
    2. Do the authors plan to release the code in the future?
    3. It would strengthen the experimental evaluation if models other than ResNet were included for comparison.

  • Please rate the clarity and organization of this paper

    Good

  • Please comment on the reproducibility of the paper. Please be aware that providing code and data is a plus, but not a requirement for acceptance.

    The submission does not mention open access to source code or data but provides a clear and detailed description of the algorithm to ensure reproducibility.

  • Optional: If you have any additional comments to share with the authors, please provide them here. Please also refer to our Reviewer’s guide on what makes a good review and pay specific attention to the different assessment criteria for the different paper categories: https://conferences.miccai.org/2025/en/REVIEWER-GUIDELINES.html

    N/A

  • Rate the paper on a scale of 1-6, 6 being the strongest (6-4: accept; 3-1: reject). Please use the entire range of the distribution. Spreading the score helps create a distribution for decision-making.

    (5) Accept — should be accepted, independent of rebuttal

  • Please justify your recommendation. What were the major factors that led you to your overall score for this paper?

    The proposed method is clearly motivated, and the experiments are comprehensive and convincing.

  • Reviewer confidence

    Confident but not absolutely certain (3)

  • [Post rebuttal] After reading the authors’ rebuttal, please state your final opinion of the paper.

    N/A

  • [Post rebuttal] Please justify your final decision from above.

    N/A




Author Feedback

We thank the reviewers for their positive feedback. R1 praised the experimental design and improvements; R2 noted the novelty and significance for AI security; R3 emphasized the theoretical soundness, alignment with histopathology data, and strong robustness gains. Below are our responses to the queries:

Reproducibility (R1 & R3): Our code and pretrained models will be open-sourced.

Comparison with existing methods (R2 & R3): As detailed in Sec. 3.1 and Sec. 4, HSAT is compared with adapted versions of recent state-of-the-art instance-based self-supervised adversarial training methods [1,2], referred to in our experiments as HSAT-Patch. In Tab. 1 & 3, we demonstrate that HSAT achieves significant improvements over HSAT-Patch in clean and robust performance. Our focus is specifically on label-free adversarial training, which is crucial in domains such as medical imaging where annotated data is scarce and costly to obtain. In this context, a comparison with supervised adversarial training methods, which depend heavily on labeled data, may not be directly applicable given the goals and constraints of our setting. Therefore, we restrict our evaluation to self-supervised methods.

Clean Results (R2): Results on clean samples are shown in Tab. 1.

Ablation on Perturbation Budgets (R2): To remain consistent with prior works [1, 2], we adopt the standard perturbation budgets of 4/255 and 8/255. However, our method shows consistent trends across a range of budgets and attack steps. For instance, at 16/255, HSAT achieves an average robustness gain of 48% compared to [17].

Cost and Scalability (R1 & R3): As with standard adversarial training, HSAT requires additional forward and backward passes to compute adversarial perturbations. However, it matches the computational efficiency of widely used adversarial training methods. While generating hierarchical adversarial examples involves retrieving hierarchical patches per sample, we ensure the cost remains comparable to the patch-only adversarial baseline (HSAT-Patch) [1]. As detailed in Sec. 4, we fix the effective batch size to 512 and run all methods for 40k iterations, ensuring equivalent training budgets. Despite similar training costs to patch-level adversarial methods, our approach yields substantial robustness improvements on large-scale histopathology datasets. We plan to mention the cost comparison in the final version.
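
For context, the budgets quoted above refer to L-infinity-bounded attacks, and a robustness sweep over several budgets can be scripted as below. This is a generic PGD evaluation sketch, not the paper's exact protocol; the names pgd_attack and robust_accuracy_sweep, the step-size rule eps/4, and the trained model and data loader are all assumptions for illustration.

    import torch
    import torch.nn.functional as F

    def pgd_attack(model, x, y, eps, steps=20):
        # Standard L-inf PGD with a random start; step size eps/4 is a common choice.
        alpha = eps / 4
        x_adv = (x + torch.empty_like(x).uniform_(-eps, eps)).clamp(0, 1)
        for _ in range(steps):
            x_adv.requires_grad_(True)
            loss = F.cross_entropy(model(x_adv), y)
            grad, = torch.autograd.grad(loss, x_adv)
            x_adv = x_adv.detach() + alpha * grad.sign()
            # Project back into the eps-ball around x and the valid pixel range.
            x_adv = torch.min(torch.max(x_adv, x - eps), x + eps).clamp(0, 1)
        return x_adv.detach()

    def robust_accuracy_sweep(model, loader, budgets=(4/255, 8/255, 16/255)):
        model.eval()
        for eps in budgets:
            correct = total = 0
            for x, y in loader:
                x_adv = pgd_attack(model, x, y, eps)
                with torch.no_grad():
                    correct += (model(x_adv).argmax(1) == y).sum().item()
                total += y.numel()
            print(f"eps = {eps:.4f}: robust accuracy = {correct / total:.2%}")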

Architectures and Datasets (R1 & R3): Our approach is architecture-agnostic and applicable to various models, including Transformers and state-space models. We focus our evaluation on models within the same family, varying in capacity and pretraining. This decision was motivated by the goal of providing deeper insights (Tab. 1 & 2) into the behavior of a single architecture and by the limited space available for reporting results across multiple model families. Regarding generalization to other datasets, while our current experiments are conducted on OpenSRH, HSAT is built upon general principles of hierarchical structure and adversarial learning, which we expect to generalize well to other biomedical imaging datasets, as shown in [17]. We plan to explore both diverse model architectures and datasets in future work.

Theoretical Analysis (R3): Robustness evaluation generally follows two paradigms: empirical and certified robustness. Our work adopts empirical evaluation, consistent with recent adversarial training and contrastive learning literature [1, 2], where robustness is assessed using standard adversarial attacks. While certified methods offer formal guarantees, they typically support only small perturbation budgets and often compromise clean accuracy. Formal robustness guarantees and the convergence behavior of the hierarchical loss are indeed valuable directions, and we consider them an important avenue for future work.

  1. Rethinking the Effect of Data Augmentation in Adversarial Contrastive Learning. ICLR 2023.
  2. Adversarial Self-Supervised Contrastive Learning. NeurIPS 2020.




Meta-Review

Meta-review #1

  • Your recommendation

    Invite for Rebuttal

  • If your recommendation is “Provisional Reject”, then summarize the factors that went into this decision. In case you deviate from the reviewers’ recommendations, explain in detail the reasons why. You do not need to provide a justification for a recommendation of “Provisional Accept” or “Invite for Rebuttal”.

    N/A

  • After you have reviewed the rebuttal and updated reviews, please provide your recommendation based on all reviews and the authors’ rebuttal.

    Accept

  • Please justify your recommendation. You may optionally write justifications for ‘accepts’, but are expected to write a justification for ‘rejects’

    N/A



Meta-review #2

  • After you have reviewed the rebuttal and updated reviews, please provide your recommendation based on all reviews and the authors’ rebuttal.

    Accept

  • Please justify your recommendation. You may optionally write justifications for ‘accepts’, but are expected to write a justification for ‘rejects’

    The paper is technically solid and worth acceptance. Yet I’m not convinced by the clinical relevance and don’t recommend highlight or above.



Meta-review #3

  • After you have reviewed the rebuttal and updated reviews, please provide your recommendation based on all reviews and the authors’ rebuttal.

    Reject

  • Please justify your recommendation. You may optionally write justifications for ‘accepts’, but are expected to write a justification for ‘rejects’

    This paper tries to improve the robustness of AI models on histopathology data. I agree with the three reviewers that the proposed method is sound. But based on my experience in the field of AI security, the evaluation of the attacks is too weak to prove the robustness of the proposed method. All of the attacks (PGD, MI-FGSM, BIM) are old and out of fashion; it is necessary to use state-of-the-art attack methods such as AutoAttack to evaluate the robustness of a defense. Furthermore, the efficiency of adversarial training is a major problem, especially for histopathology images, and should be fully discussed. Accordingly, I strongly recommend rejecting this paper despite all three reviewers agreeing to accept it.
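
    For reference, the stronger evaluation the meta-reviewer asks for can be run with the public autoattack package (Croce & Hein, ICML 2020). A minimal sketch, assuming a trained classifier model that outputs logits and test tensors x_test, y_test with pixel values in [0, 1]:

        import torch
        from autoattack import AutoAttack  # pip install git+https://github.com/fra31/auto-attack

        model.eval()
        # The standard version runs APGD-CE, APGD-T, FAB-T, and Square attacks.
        adversary = AutoAttack(model, norm='Linf', eps=8/255, version='standard')
        x_adv = adversary.run_standard_evaluation(x_test, y_test, bs=128)
        with torch.no_grad():
            robust_acc = (model(x_adv).argmax(dim=1) == y_test).float().mean().item()
        print(f"AutoAttack robust accuracy: {robust_acc:.2%}")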


