This work aims to assess the reality and feasibility of adversarial attacks against cardiac diagnosis systems powered by machine learning algorithms. To this end, we introduce adversarial beats, which are adversarial perturbations tailored specifically against electrocardiogram (ECG) beat-by-beat classification systems. We first formulate an algorithm to generate adversarial examples for the ECG classification neural network model, and study its attack success rate. Next, to evaluate its feasibility in a physical environment, we mount a hardware attack by designing a malicious signal generator which injects adversarial beats into ECG sensor readings. To the best of our knowledge, our work is the first to evaluate the proficiency of adversarial examples for ECGs in a physical setup. Our real-world experiments demonstrate that adversarial beats successfully manipulated the diagnosis results 3-5 times out of 40 attempts throughout the course of 2 minutes. Finally, we discuss the overall feasibility and impact of the attack by clearly defining the motives and constraints of expected attackers, along with our experimental results.