Untargeted Closed-Box Attack Against Healthcare Image Retrieval via Rank Manipulation

Computer-aided diagnosis always involves a large number of healthcare images, in order to mine such huge medical data, healthcare image retrieval (HIR) attracts a lot of attention from the medical diagnosis research community. However, their security and reliability have yet to be well-studied in the current HIR systems. The closed-box attacks in HIR remain under-explored and challenging, i.e., precisely surrogate stealing without knowing the architecture of the victim model and effective adversarial example generation. In this work, we propose an Untargeted Rank Manipulation Attack (URMA) against deep hashing-based HIR under closed-box scenarios. Specifically, we build a surrogate stealing scheme to explore the correlations between the surrogate model and the original closed box deep hashing model. To enable the attack HIR under the decision-based closed-box setting, we deploy the top-ranking samples returned by the original retrieval models supervising the surrogate model training. Moreover, the designed untargeted embedding generator crafts the high visual quality adversarial example, which lowers the rank of corresponding candidates by adversarial perturbations. When the surrogate model and adversarial generation are adequately trained, the untargeted adversarial attack paradigm is built for deep hashing-based HIR. Extensive experiments validate the efficacy of our URMA with promising attack performance under a closed-box setting on the three public healthcare image datasets. The source code of this paper is available at https://github.com/li-wenyun/URMA.