Recovering Medical Images from Adversarial Attacks: Genetic Algorithm-based Adaptive Compression (GA-AC)
Abstract
The Fast Gradient Sign Method (FGSM) has become such a critical threat of adversarial attacks on deep learning models for processing medical images. The problem has led to prediction errors with non-satisfactory results on diagnosis and patient safety. We address this challenge by proposing a novel approach named Genetic Algorithm-based Adaptive Compression (GA-AC) for recovering images perturbed by the FGSM attacks. The GA-AC optimize PNG and WebP compression methods to maximize Peak Signal-to-Noise Ratio (PSNR) and Structural Similarity Index Measure (SSIM), thereby preserving essential diagnostic features in the restored images. Experimental results on multiple X-ray images demonstrate the effectiveness of GA-AC, which was able to restore the model’s F1-score from 24.14% to 98.10% after FGSM attacks.References
Aggarwal, R., Sounderajah, V., Martin, G., Ting, D. S. W., Karthikesalingam, A., King, D., Ashrafian, H., and Darzi, A. (2021). Diagnostic accuracy of deep learning in medical imaging: a systematic review and meta-analysis. npj Digital Medicine, 4(65):1.
Alam, T., Qamar, S., Dixit, A., and Benaida, M. (2020). Genetic algorithm: Reviews, implementations, and applications. CoRR, abs/2007.12673.
Bortsova, G., González-Gonzalo, C., Wetstein, S. C., Dubost, F., Katramados, I., Hogeweg, L., Liefers, B., van Ginneken, B., Pluim, J. P., Veta, M., Sánchez, C. I., and de Bruijne, M. (2021). Adversarial attack vulnerability of medical image analysis systems: Unexplored factors. Medical Image Analysis, 73:102141.
Carlini, N. and Wagner, D. (2017). Towards evaluating the robustness of neural networks. In 2017 IEEE Symposium on Security and Privacy (SP), pages 39–57. IEEE.
Chen, L., Li, H., Zhu, G., Li, Q., Zhu, J., Huang, H., Peng, J., and Zhao, L. (2020). Attack selectivity of adversarial examples in remote sensing image scene classification. IEEE Access, 8:137477–137489.
Das, N., Shanbhogue, M., Chen, S.-T., Hohman, F., Chen, L., Kounavis, M. E., and Chau, D. H. (2018). Shield: Fast, practical defense and vaccination for deep learning using jpeg compression. In Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, pages 196–204.
Dong, J., Chen, J., Xie, X., Lai, J., and Chen, H. (2024). Survey on adversarial attack and defense for medical image analysis: Methods and challenges. ACM Computing Surveys, 57(3):1–38.
Dziugaite, G. K., Ghahramani, Z., and Roy, D. M. (2016). A study of the effect of jpeg compression on adversarial images. In arXiv preprint arXiv:1608.00853.
Gandhi, A. and Jain, S. (2020). Adversarial perturbations fool deepfake detectors. In 2020 International Joint Conference on Neural Networks (IJCNN), pages 1–8.
Gomathi, L., Mishra, A. K., and Tyagi, A. K. (2023). Industry 5.0 for healthcare 5.0: Opportunities, challenges and future research possibilities. In 2023 7th International Conference on Trends in Electronics and Informatics (ICOEI), pages 204–213.
Goodfellow, I., Shlens, J., and Szegedy, C. (2014). Explaining and harnessing adversarial examples. arXiv 1412.6572.
Hirano, H., Minagi, A., and Takemoto, K. (2021). Universal adversarial attacks on deep neural networks for medical image classification. BMC Medical Imaging, 21(1):9.
Horé, A. and Ziou, D. (2010). Image quality metrics: Psnr vs. ssim. In 2010 20th International Conference on Pattern Recognition, pages 2366–2369.
Inkawhich, N., Wang, Y., Chen, J., and et al. (2020). Transferable adversarial attacks for image and video classifiers. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pages 1184–1193.
Jogani, V., Purohit, J., Shivhare, I., Attari, S., and Surtkar, S. (2022). Adversarial attacks and defences for skin cancer classification.
Kermany, D., Zhang, K., and Goldbaum, M. (2018). Labeled optical coherence tomography (oct) and chest x-ray images for classification.
Kesim, E., Dokur, Z., and Olmez, T. (2019). X-ray chest image classification by a small-sized convolutional neural network. In 2019 Scientific Meeting on Electrical-Electronics & Biomedical Engineering and Computer Science (EBBT), pages 1–5.
Kumar, B., Kumar, S. B., and Kumar, C. (2013). Development of improved ssim quality index for compressed medical images. In 2013 IEEE Second International Conference on Image Information Processing (ICIIP-2013), pages 251–255.
Ma, X., Niu, C., Lee, H. K., and et al. (2021). Understanding adversarial attacks on deep learning-based medical image analysis systems. npj Digital Medicine, 4(1):1–13.
Machado, G. R., Silva, E., and Goldschmidt, R. R. (2018). Multimagnet: Uma abordagem não determinística na escolha de múltiplos autoencoders para detecção de imagens contraditórias. In Anais do XVIII Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais, pages 281–294, Porto Alegre, RS, Brasil. SBC.
Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A. (2019). Towards deep learning models resistant to adversarial attacks.
Mahfuz, R., Sahay, R., and Gamal, A. E. (2021). Mitigating gradient-based adversarial attacks via denoising and compression.
Omari, M. and Yaichi, S. (2015). Image compression based on genetic algorithm optimization. In 2015 2nd World Symposium on Web Applications and Networking (WSWAN), pages 1–5.
Ople, J. J. M., Huang, T.-M., Chiu, M.-C., Chen, Y.-L., and Hua, K.-L. (2023). Adjustable model compression using multiple genetic algorithm. IEEE Transactions on Multimedia, 25:1125–1132.
Paul, R., Schabath, M., Gillies, R., Hall, L., and Goldgof, D. (2020). Mitigating adversarial attacks on medical image understanding systems. In 2020 IEEE 17th International Symposium on Biomedical Imaging (ISBI), pages 1517–1521.
Roberto, G. F., Pereira, D. C., Martins, A. S., Tosta, T. A., Soares, C., Lumini, A., Rozendo, G. B., Neves, L. A., and Nascimento, M. Z. (2025). Exploring percolation features with polynomial algorithms for classifying covid-19 in chest x-ray images. Pattern Recognition Letters, 189:248–255.
Wu, M.-S. (2014). Genetic algorithm based on discrete wavelet transformation for fractal image compression. Journal of Visual Communication and Image Representation, 25(8):1835–1841.
Yao, Q., He, Z., Li, Y., Lin, Y., Ma, K., Zheng, Y., and Zhou, S. K. (2023). Adversarial medical image with hierarchical feature hiding.
Yao, Q., He, Z., and Zhou, S. K. (2022). Medical aegis: Robust adversarial protectors for medical images.
Yao Li, Minhao Cheng, C.-J. H. and Lee, T. C. M. (2022). A review of adversarial attack and defense for classification methods. The American Statistician, 76(4):329–345.
Yin, Z., Wang, H., Wang, J., Tang, J., and Wang, W. (2020). Defense against adversarial attacks by low-level image transformations. International Journal of Intelligent Systems, 35.
Zhang, S., Gao, H., and Rao, Q. (2021). Defense against adversarial attacks by reconstructing images. IEEE Transactions on Image Processing, PP:1–1.
Alam, T., Qamar, S., Dixit, A., and Benaida, M. (2020). Genetic algorithm: Reviews, implementations, and applications. CoRR, abs/2007.12673.
Bortsova, G., González-Gonzalo, C., Wetstein, S. C., Dubost, F., Katramados, I., Hogeweg, L., Liefers, B., van Ginneken, B., Pluim, J. P., Veta, M., Sánchez, C. I., and de Bruijne, M. (2021). Adversarial attack vulnerability of medical image analysis systems: Unexplored factors. Medical Image Analysis, 73:102141.
Carlini, N. and Wagner, D. (2017). Towards evaluating the robustness of neural networks. In 2017 IEEE Symposium on Security and Privacy (SP), pages 39–57. IEEE.
Chen, L., Li, H., Zhu, G., Li, Q., Zhu, J., Huang, H., Peng, J., and Zhao, L. (2020). Attack selectivity of adversarial examples in remote sensing image scene classification. IEEE Access, 8:137477–137489.
Das, N., Shanbhogue, M., Chen, S.-T., Hohman, F., Chen, L., Kounavis, M. E., and Chau, D. H. (2018). Shield: Fast, practical defense and vaccination for deep learning using jpeg compression. In Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, pages 196–204.
Dong, J., Chen, J., Xie, X., Lai, J., and Chen, H. (2024). Survey on adversarial attack and defense for medical image analysis: Methods and challenges. ACM Computing Surveys, 57(3):1–38.
Dziugaite, G. K., Ghahramani, Z., and Roy, D. M. (2016). A study of the effect of jpeg compression on adversarial images. In arXiv preprint arXiv:1608.00853.
Gandhi, A. and Jain, S. (2020). Adversarial perturbations fool deepfake detectors. In 2020 International Joint Conference on Neural Networks (IJCNN), pages 1–8.
Gomathi, L., Mishra, A. K., and Tyagi, A. K. (2023). Industry 5.0 for healthcare 5.0: Opportunities, challenges and future research possibilities. In 2023 7th International Conference on Trends in Electronics and Informatics (ICOEI), pages 204–213.
Goodfellow, I., Shlens, J., and Szegedy, C. (2014). Explaining and harnessing adversarial examples. arXiv 1412.6572.
Hirano, H., Minagi, A., and Takemoto, K. (2021). Universal adversarial attacks on deep neural networks for medical image classification. BMC Medical Imaging, 21(1):9.
Horé, A. and Ziou, D. (2010). Image quality metrics: Psnr vs. ssim. In 2010 20th International Conference on Pattern Recognition, pages 2366–2369.
Inkawhich, N., Wang, Y., Chen, J., and et al. (2020). Transferable adversarial attacks for image and video classifiers. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pages 1184–1193.
Jogani, V., Purohit, J., Shivhare, I., Attari, S., and Surtkar, S. (2022). Adversarial attacks and defences for skin cancer classification.
Kermany, D., Zhang, K., and Goldbaum, M. (2018). Labeled optical coherence tomography (oct) and chest x-ray images for classification.
Kesim, E., Dokur, Z., and Olmez, T. (2019). X-ray chest image classification by a small-sized convolutional neural network. In 2019 Scientific Meeting on Electrical-Electronics & Biomedical Engineering and Computer Science (EBBT), pages 1–5.
Kumar, B., Kumar, S. B., and Kumar, C. (2013). Development of improved ssim quality index for compressed medical images. In 2013 IEEE Second International Conference on Image Information Processing (ICIIP-2013), pages 251–255.
Ma, X., Niu, C., Lee, H. K., and et al. (2021). Understanding adversarial attacks on deep learning-based medical image analysis systems. npj Digital Medicine, 4(1):1–13.
Machado, G. R., Silva, E., and Goldschmidt, R. R. (2018). Multimagnet: Uma abordagem não determinística na escolha de múltiplos autoencoders para detecção de imagens contraditórias. In Anais do XVIII Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais, pages 281–294, Porto Alegre, RS, Brasil. SBC.
Madry, A., Makelov, A., Schmidt, L., Tsipras, D., and Vladu, A. (2019). Towards deep learning models resistant to adversarial attacks.
Mahfuz, R., Sahay, R., and Gamal, A. E. (2021). Mitigating gradient-based adversarial attacks via denoising and compression.
Omari, M. and Yaichi, S. (2015). Image compression based on genetic algorithm optimization. In 2015 2nd World Symposium on Web Applications and Networking (WSWAN), pages 1–5.
Ople, J. J. M., Huang, T.-M., Chiu, M.-C., Chen, Y.-L., and Hua, K.-L. (2023). Adjustable model compression using multiple genetic algorithm. IEEE Transactions on Multimedia, 25:1125–1132.
Paul, R., Schabath, M., Gillies, R., Hall, L., and Goldgof, D. (2020). Mitigating adversarial attacks on medical image understanding systems. In 2020 IEEE 17th International Symposium on Biomedical Imaging (ISBI), pages 1517–1521.
Roberto, G. F., Pereira, D. C., Martins, A. S., Tosta, T. A., Soares, C., Lumini, A., Rozendo, G. B., Neves, L. A., and Nascimento, M. Z. (2025). Exploring percolation features with polynomial algorithms for classifying covid-19 in chest x-ray images. Pattern Recognition Letters, 189:248–255.
Wu, M.-S. (2014). Genetic algorithm based on discrete wavelet transformation for fractal image compression. Journal of Visual Communication and Image Representation, 25(8):1835–1841.
Yao, Q., He, Z., Li, Y., Lin, Y., Ma, K., Zheng, Y., and Zhou, S. K. (2023). Adversarial medical image with hierarchical feature hiding.
Yao, Q., He, Z., and Zhou, S. K. (2022). Medical aegis: Robust adversarial protectors for medical images.
Yao Li, Minhao Cheng, C.-J. H. and Lee, T. C. M. (2022). A review of adversarial attack and defense for classification methods. The American Statistician, 76(4):329–345.
Yin, Z., Wang, H., Wang, J., Tang, J., and Wang, W. (2020). Defense against adversarial attacks by low-level image transformations. International Journal of Intelligent Systems, 35.
Zhang, S., Gao, H., and Rao, Q. (2021). Defense against adversarial attacks by reconstructing images. IEEE Transactions on Image Processing, PP:1–1.
Published
2025-09-01
How to Cite
LIMA, Paulo Vitor C.; QUINCOZES, Silvio E.; NASCIMENTO, Marcelo Z. do; KAZIENKO, Juliano F.; WELFER, Daniel; NOMURA, Shigueo.
Recovering Medical Images from Adversarial Attacks: Genetic Algorithm-based Adaptive Compression (GA-AC). In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 25. , 2025, Foz do Iguaçu/PR.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2025
.
p. 723-739.
DOI: https://doi.org/10.5753/sbseg.2025.11479.
