Universal Black-Box Attacks Against a Third-Party Alzheimer's Diagnostic System.
Authors
Affiliations (3)
- Departamento Física Médica, Centro Atómico Bariloche, Calle 15 911, Bariloche, Río Negro, 8400, ARGENTINA.
- CETA-CIEMAT, CIEMAT, Cáceres, 10200, SPAIN.
- Departamento Física Médica, Centro Atómico Bariloche, Centro Atomico Bariloche, Bariloche, Bariloche, Río Negro, 8400, ARGENTINA.
Abstract
Artificial intelligence (AI) systems are increasingly used in medical imaging for disease diagnosis, yet their vulnerability to adversarial attacks poses significant risks for clinical deployment. In this work, we systematically evaluate the susceptibility of VolBrain, a widely used third-party neuroimaging diagnostic platform, to universal black-box adversarial attacks. We generate adversarial perturbations using a surrogate convolutional neural network trained on a different dataset and with a different architecture, representing a worst-case scenario for the attacker where they have no access to the internals of the system. For this, we employ both the Fast Gradient Sign Method (FGSM) and DeepFool attacks. Our results show that these perturbations can reliably degrade the diagnostic performance of VolBrain, with DeepFool-based attacks being particularly effective for comparable perturbation sizes. We further demonstrate that a simple Mean Attack approach is also effective in degrading VolBrain performance, showing that this system is vulnerable to universal attacks, that is, perturbations agnostic to the input. These findings highlight the substantial risk posed by universal black-box adversarial attacks, even when attackers lack access to the target model or its training data. Our study underscores the urgent need for robust defense mechanisms and motivates further research into the adversarial robustness of medical AI systems.