Jekyll: Attacking Medical Image Diagnostics using Deep Generative Models

Advances in deep neural networks (DNNs) have shown tremendous promise in the medical domain. However, the deep learning tools that are helping the domain, can also be used against it. Given the prevalence of fraud in the healthcare domain, it is important to consider the adversarial use of DNNs in manipulating sensitive data that is crucial to patient healthcare. In this work, we present the design and implementation of a DNN-based image translation attack on biomedical imagery. More specifically, we propose Jekyll, a neural style transfer framework that takes as input a biomedical image of a patient and translates it to a new image that indicates an attacker-chosen disease condition. The potential for fraudulent claims based on such generated ‘fake’ medical images is significant, and we demonstrate successful attacks on both X-rays and retinal fundus image modalities. We show that these attacks manage to mislead both medical professionals and algorithmic detection schemes. Lastly, we also investigate defensive measures based on machine learning to detect images generated by Jekyll.

[1]  Sang Jun Park,et al.  Retinal Vessel Segmentation in Fundoscopic Images with Generative Adversarial Networks , 2017, ArXiv.

[2]  Tanveer F. Syeda-Mahmood,et al.  Chest x-ray generation and data augmentation for cardiovascular abnormality classification , 2018, Medical Imaging.

[3]  Ben Y. Zhao,et al.  Automated Crowdturfing Attacks and Defenses in Online Review Systems , 2017, CCS.

[4]  Craig Stack,et al.  When Seeing Was No Longer Believing , 2019, Innovations: Technology, Governance, Globalization.

[5]  Jaakko Lehtinen,et al.  Progressive Growing of GANs for Improved Quality, Stability, and Variation , 2017, ICLR.

[6]  Ross B. Girshick,et al.  Focal Loss for Dense Object Detection , 2017, IEEE Transactions on Pattern Analysis and Machine Intelligence.

[7]  Jeffrey L. Gunter,et al.  Medical Image Synthesis for Data Augmentation and Anonymization using Generative Adversarial Networks , 2018, SASHIMI@MICCAI.

[8]  James N Weinstein,et al.  Extending the P4P agenda, part 1: how Medicare can improve patient decision making and reduce unnecessary care. , 2007, Health affairs.

[9]  Andrew Y. Ng,et al.  CheXNet: Radiologist-Level Pneumonia Detection on Chest X-Rays with Deep Learning , 2017, ArXiv.

[10]  John G. Csernansky,et al.  Open Access Series of Imaging Studies (OASIS): Cross-sectional MRI Data in Young, Middle Aged, Nondemented, and Demented Older Adults , 2007, Journal of Cognitive Neuroscience.

[11]  Avinash Daniel Pinto,et al.  Fraud and Misconduct in Clinical Research: A Step to Improve Ethical Practice in Research , 2018 .

[12]  Le Lu,et al.  DeepLesion: automated mining of large-scale lesion annotations and universal lesion detection with deep learning , 2018, Journal of medical imaging.

[13]  Pedro Costa,et al.  Towards Adversarial Retinal Image Synthesis , 2017, ArXiv.

[14]  Ender Konukoglu,et al.  Visual Feature Attribution Using Wasserstein GANs , 2017, 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition.

[15]  Daguang Xu,et al.  Automatic Liver Segmentation Using an Adversarial Image-to-Image Network , 2017, MICCAI.

[16]  Kilian Q. Weinberger,et al.  Densely Connected Convolutional Networks , 2016, 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR).

[17]  Paul Babyn,et al.  Generative Adversarial Network in Medical Imaging: A Review , 2018, Medical Image Anal..

[18]  Yuval Elovici,et al.  CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning , 2019, USENIX Security Symposium.

[19]  Colleen Swanson,et al.  SoK: Security and Privacy in Implantable Medical Devices and Body Area Networks , 2014, 2014 IEEE Symposium on Security and Privacy.

[20]  Jeff Donahue,et al.  Large Scale GAN Training for High Fidelity Natural Image Synthesis , 2018, ICLR.

[21]  Sebastian Thrun,et al.  Dermatologist-level classification of skin cancer with deep neural networks , 2017, Nature.

[22]  V. Mohan,et al.  Automated diabetic retinopathy detection in smartphone-based fundus photography using artificial intelligence , 2018, Eye.

[23]  Soumith Chintala,et al.  Unsupervised Representation Learning with Deep Convolutional Generative Adversarial Networks , 2015, ICLR.

[24]  Bram van Ginneken,et al.  Fast Convolutional Neural Network Training Using Selective Data Sampling: Application to Hemorrhage Detection in Color Fundus Images , 2016, IEEE Transactions on Medical Imaging.

[25]  Masoumeh Haghpanahi,et al.  Cardiologist-level arrhythmia detection and classification in ambulatory electrocardiograms using a deep neural network , 2019, Nature Medicine.

[26]  James Butcher,et al.  When seeing is no longer believing , 2019, Nat. Mach. Intell..

[27]  F. Richard Yu,et al.  Automatically synthesizing DoS attack traces using generative adversarial networks , 2019, Int. J. Mach. Learn. Cybern..

[28]  Youbao Tang,et al.  CT-Realistic Lung Nodule Simulation from 3D Conditional Generative Adversarial Networks for Robust Lung Segmentation , 2018, MICCAI.

[29]  Alexei A. Efros,et al.  Unpaired Image-to-Image Translation Using Cycle-Consistent Adversarial Networks , 2017, 2017 IEEE International Conference on Computer Vision (ICCV).

[30]  Hayit Greenspan,et al.  GAN-based Synthetic Medical Image Augmentation for increased CNN Performance in Liver Lesion Classification , 2018, Neurocomputing.

[31]  Alexei A. Efros,et al.  Image-to-Image Translation with Conditional Adversarial Networks , 2016, 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR).

[32]  Taghi M. Khoshgoftaar,et al.  Medicare Fraud Detection Using Machine Learning Methods , 2017, 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA).

[33]  Richa Singh,et al.  Synthetic iris presentation attack using iDCGAN , 2017, 2017 IEEE International Joint Conference on Biometrics (IJCB).

[34]  Yue Zhao,et al.  CommanderSong: A Systematic Approach for Practical Adversarial Voice Recognition , 2018, USENIX Security Symposium.

[35]  Bin Li,et al.  Identification of deep network generated images using disparities in color components , 2020, Signal Process..

[36]  Jung-Woo Ha,et al.  StarGAN: Unified Generative Adversarial Networks for Multi-domain Image-to-Image Translation , 2017, 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition.

[37]  Lewis Morris,et al.  Combating fraud in health care: an essential component of any cost containment strategy. , 2009, Health affairs.

[38]  George Simon Principles of Chest X-ray Diagnosis , 1979 .

[39]  Yoshua Bengio,et al.  Generative Adversarial Nets , 2014, NIPS.

[40]  Junichi Yamagishi,et al.  MesoNet: a Compact Facial Video Forgery Detection Network , 2018, 2018 IEEE International Workshop on Information Forensics and Security (WIFS).

[41]  Bo Sun,et al.  Stay On-Topic: Generating Context-specific Fake Restaurant Reviews , 2018, ESORICS.

[42]  Ali Borji,et al.  Pros and Cons of GAN Evaluation Measures , 2018, Comput. Vis. Image Underst..

[43]  Donald L. Barlett,et al.  Critical Condition: How Health Care in America Became Big Business--and Bad Medicine , 2004 .

[44]  R H Choplin,et al.  Picture archiving and communication systems: an overview. , 1992, Radiographics : a review publication of the Radiological Society of North America, Inc.

[45]  E Kiekenapp,et al.  AMERICAN OPTOMETRIC ASSOCIATION , 1926 .

[46]  Bin Li,et al.  Detection of Deep Network Generated Images Using Disparities in Color Components , 2018, ArXiv.

[47]  Yaroslav Bulatov,et al.  Multi-digit Number Recognition from Street View Imagery using Deep Convolutional Neural Networks , 2013, ICLR.

[48]  Dayong Wang,et al.  Deep Learning for Identifying Metastatic Breast Cancer , 2016, ArXiv.

[49]  Ting Wang,et al.  DEEPSEC: A Uniform Platform for Security Analysis of Deep Learning Model , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[50]  Mitko Veta,et al.  Adversarial Training and Dilated Convolutions for Brain MRI Segmentation , 2017, DLMIA/ML-CDS@MICCAI.

[51]  Andrew L. Beam,et al.  Adversarial attacks on medical machine learning , 2019, Science.

[52]  Jinhua Yu,et al.  Brain Tumor Segmentation Using an Adversarial Network , 2017, BrainLes@MICCAI.

[53]  Antonio Torralba,et al.  Generating Videos with Scene Dynamics , 2016, NIPS.

[54]  Tao Xu,et al.  SegAN: Adversarial Network with Multi-scale L1 Loss for Medical Image Segmentation , 2017, Neuroinformatics.

[55]  Jonathon Shlens,et al.  Explaining and Harnessing Adversarial Examples , 2014, ICLR.

[56]  Andrew J. Saykin,et al.  Deep Learning in Alzheimer's Disease: Diagnostic Classification and Prognostic Prediction Using Neuroimaging Data , 2019, Front. Aging Neurosci..

[57]  Giuseppe Ateniese,et al.  Deep Models Under the GAN: Information Leakage from Collaborative Deep Learning , 2017, CCS.

[58]  Prateek Mittal,et al.  RAPTOR: Routing Attacks on Privacy in Tor , 2015, USENIX Security Symposium.

[59]  Hayit Greenspan,et al.  Synthetic data augmentation using GAN for improved liver lesion classification , 2018, 2018 IEEE 15th International Symposium on Biomedical Imaging (ISBI 2018).

[60]  T. Vian,et al.  No Evidence of the Effect of the Interventions to Combat Health Care Fraud and Abuse: A Systematic Review of Literature , 2012, PloS one.

[61]  Georg Langs,et al.  Unsupervised Anomaly Detection with Generative Adversarial Networks to Guide Marker Discovery , 2017, IPMI.

[62]  Dan Iter,et al.  Generating Adversarial Examples for Speech Recognition , 2017 .

[63]  Ronald M. Summers,et al.  ChestX-ray: Hospital-Scale Chest X-ray Database and Benchmarks on Weakly Supervised Classification and Localization of Common Thorax Diseases , 2019, Deep Learning and Convolutional Neural Networks for Medical Imaging and Clinical Informatics.

[64]  Pan He,et al.  Adversarial Examples: Attacks and Defenses for Deep Learning , 2017, IEEE Transactions on Neural Networks and Learning Systems.

[65]  Max A. Viergever,et al.  Ridge-based vessel segmentation in color images of the retina , 2004, IEEE Transactions on Medical Imaging.

[66]  S. Qamber,et al.  Personal identification system based on vascular pattern of human retina , 2012, 2012 Cairo International Biomedical Engineering Conference (CIBEC).

[67]  Athanasios V. Vasilakos,et al.  Data Analytics for Pervasive Health , 2015 .

[68]  拓海 杉山,et al.  “Unpaired Image-to-Image Translation using Cycle-Consistent Adversarial Networks”の学習報告 , 2017 .

[69]  Taghi M. Khoshgoftaar,et al.  Big Data fraud detection using multiple medicare data sources , 2018, J. Big Data.

[70]  Timo Aila,et al.  A Style-Based Generator Architecture for Generative Adversarial Networks , 2018, 2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR).

[71]  Hyrum S. Anderson,et al.  The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation , 2018, ArXiv.

[72]  G. Klunder,et al.  AMERICAN OPTOMETRIC ASSOCIATION , 1925 .

[73]  B. Minaei-Bidgoli,et al.  Using Data Mining to Detect Health Care Fraud and Abuse: A Review of Literature , 2014, Global journal of health science.

[74]  Milad Nasr,et al.  DeepCorr: Strong Flow Correlation Attacks on Tor Using Deep Learning , 2018, CCS.

[75]  Rakesh M. Verma,et al.  Automated email Generation for Targeted Attacks using Natural Language , 2019, ArXiv.

[76]  Subhashini Venugopalan,et al.  Development and Validation of a Deep Learning Algorithm for Detection of Diabetic Retinopathy in Retinal Fundus Photographs. , 2016, JAMA.