Application of Adversarial Examples to Physical ECG Signals
This work addresses security vulnerabilities in medical AI systems, specifically ECG-based cardiac diagnosis. It is incremental in that it extends adversarial example research to a physical setup for the first time in this domain.
The study assessed the feasibility of adversarial attacks on machine-learning-based cardiac diagnosis systems by introducing adversarial beats tailored to ECG classification. In real-world experiments, the adversarial beats manipulated the diagnosis 3-5 times out of 40 attempts over 2 minutes.
This work aims to assess the reality and feasibility of the adversarial attack against cardiac diagnosis systems powered by machine learning algorithms. To this end, we introduce adversarial beats, which are adversarial perturbations tailored specifically against electrocardiogram (ECG) beat-by-beat classification systems. We first formulate an algorithm to generate adversarial examples for the ECG classification neural network model, and study its attack success rate. Next, to evaluate its feasibility in a physical environment, we mount a hardware attack by designing a malicious signal generator which injects adversarial beats into ECG sensor readings. To the best of our knowledge, our work is the first to evaluate the proficiency of adversarial examples for ECGs in a physical setup. Our real-world experiments demonstrate that adversarial beats successfully manipulated the diagnosis results 3-5 times out of 40 attempts over the course of 2 minutes. Finally, we discuss the overall feasibility and impact of the attack by clearly defining the motives and constraints of expected attackers along with our experimental results.