Poisoned Lung: Backdoor Attacks Against Chest X-Ray Classification Models
Translated title
Poisoned Lung
Authors
Bendtzen, Gabriel Sacharias ; Krogh, Kasper Lynge
Term
4th semester
Education
Publication year
2026
Submitted on
2026-06-04
Pages
55
Abstract
Deep learning models for medical imaging can reduce radiologists’ workload but are vulnerable to backdoor attacks, in which a hidden trigger embedded during training causes attacker-controlled outputs while leaving routine performance intact. This thesis examines how such attacks threaten the integrity and trustworthiness of chest X-ray classification models, and how the risk is shaped by trigger stealth, attack effectiveness, model utility, and defense mechanisms. We conduct experiments on the NIH ChestX-ray14 dataset using three backdoor mechanisms (a pixel patch, a smooth geometric warp, and a frequency-domain injection) and assess both attack success and impact on clean (non-triggered) performance, including control tests for trigger specificity, visual inspection, and a defense evaluation with a preprocessing-based ShrinkPad method alongside discussion of other options. Our findings show that backdoors can be embedded in chest X-ray models while maintaining high overall performance, and that defenses mitigate some but not all attacks, with effectiveness varying by attack type and trigger design. The work underscores the need for systematic robustness testing, careful data pipelines, and regulatory attention before clinical deployment.
Deep learning models for diagnostic imaging can relieve radiologists, but are vulnerable to backdoor attacks, in which a hidden trigger embedded in the training data causes the model to deliver attacker-controlled outputs without revealing itself during normal use. This thesis examines to what extent such attacks threaten the integrity and trustworthiness of chest X-ray classification models, and how the risk is affected by the trigger's stealth, attack effectiveness, model utility, and defense mechanisms. We conduct experiments on the NIH ChestX-ray14 dataset with three different backdoor mechanisms (a pixel patch, a smooth geometric warp, and a frequency-domain injection) and evaluate both attack success and the impact on clean (non-triggered) performance, including control tests for trigger specificity, visual assessment, and a defense evaluation with a preprocessing-based ShrinkPad measure as well as discussion of other options. The results show that backdoors can be embedded in chest X-ray models while overall performance remains high, and that defense mechanisms work differently depending on attack type and trigger design. The work points to the need for systematic robustness tests, careful data pipelines, and regulatory attention prior to clinical implementation.
[This abstract has been generated with the help of AI directly from the project full text]
