Invisible poison attacks and holistic defence strategy for pyramid vision transformers in medical imaging.

Journal: Scientific Reports

Abstract

Machine learning models, especially vision transformers used for medical images, are highly prone to data poisoning attacks, in which a small proportion of adversarial samples is injected into the model's training dataset to manipulate its behavior. Existing data poisoning techniques are limited by noticeable artifacts in the injected samples or by their vulnerability to preprocessing transformations. Similarly, most defence techniques are limited in their robustness to different types of poisoning attacks. To overcome these challenges, this research presents a structurally embedded invisible poisoning attack technique and a Holistic Defence Strategy (HDS) for the Pyramid Vision Transformer (PVT) model. The proposed attack takes advantage of the structural characteristics of images, specifically their edges, as invisible carriers of trigger information. It develops a Deep Multi-Scale U-Net Injection Network (DMS-UNet-IN) to embed the trigger information in images in an invisible manner, and it differs significantly from traditional trigger-based techniques in how its perturbations align with structural manifolds. The HDS develops a discriminative detection boundary in the feature space using a mimic model with an attention-aware generative adversarial network. The proposed attack was evaluated using Radiology, Ophthalmology, and Pathology datasets. The experimental evaluation showed its superiority in terms of invisibility, with a PSNR value of 43.46 dB and an SSIM value of 0.9925, over state-of-the-art techniques such as DeepPoison (40.91 dB) and SPM (38.16 dB). The HDS was evaluated using static poisoning rates ranging from 5 to 30%. The experimental evaluation showed its superiority over state-of-the-art techniques such as CD, DUTI, and TRIM, with detection accuracy up to 95.8% and an F1-score of more than 0.95. This superiority was also evident in an improvement of up to 17% over the baseline techniques at higher levels of contamination.
