Introduction

Radiomics is defined as a “high-throughput extraction of quantitative features that result in the conversion of images into mineable data and the subsequent analysis of these data for decision support” [1]. It is becoming a major field of research in medical imaging and is emerging, de facto, as a cornerstone of precision medicine alongside the other omics sciences, having shown great potential in many different clinical applications [2,3,4].

An important step in the development of radiomics is its progressive move towards deep radiomics, namely the use of deep learning to automatically extract features from images, classify disease, and predict outcomes. This deep approach is gradually overtaking the approach based on hand-crafted features (i.e., traditional radiomics) [5,6,7].

Despite the positive aspects and the promise of a significant impact of radiomics on clinical practice, we are also aware of some risks to which this technology may be exposed. For example, the lack of reproducibility in radiomic studies is a well-known problem; it largely stems from the complex interplay of the many different steps of data acquisition, processing, and analysis, which translates into a sort of pipeline fingerprint that can affect the results of the analysis. The transfer of knowledge from other fields, however, suggests a more insidious threat [8, 9]. How would our trust in radiomics change if, despite taking care of all sources of data confusion, the deliberate change of just a few pixels in an image, imperceptible to the human eye, caused state-of-the-art classifiers to fail miserably?

And what if, by perturbing a few carefully chosen pixel values in an image, one could manipulate a diagnosis, steering it towards a predefined category?

Adversarial machine learning

We have recently been alerted to this potential situation by the machine learning community, where the field of so-called adversarial machine learning has been developing for years. Adversarial machine learning is a technique employed in the field of machine learning that attempts to fool models through malicious input [10]. Many studies have shown how a small (and possibly carefully designed) perturbation of the data can completely deceive models, regardless of the class of algorithm [11, 12].
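To make the mechanism concrete, the following minimal sketch shows an untargeted fast gradient sign method (FGSM) perturbation, assuming a generic PyTorch image classifier; the function name, the model, and the epsilon budget are illustrative placeholders rather than the method used in any of the cited studies.

import torch

def fgsm_perturb(model, images, labels, epsilon=0.01):
    # images: float tensor of shape (N, C, H, W) in [0, 1]; labels: int tensor of shape (N,)
    images = images.clone().detach().requires_grad_(True)
    loss = torch.nn.functional.cross_entropy(model(images), labels)
    loss.backward()
    # Move every pixel by at most epsilon in the direction that increases the loss
    adversarial = images + epsilon * images.grad.sign()
    return adversarial.clamp(0, 1).detach()

The perturbation is bounded by epsilon, so the altered image remains visually indistinguishable from the original while the classifier's output can change.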

Today, we are aware that every machine learning domain needs to face this threat, healthcare first and foremost, where issues related to personal, ethical, financial, and legal consequences have a huge impact on society [13,14,15,16].

At a time when artificial intelligence technologies are permeating many aspects of life and concepts such as trustworthiness and accountability are becoming central, applications in medical imaging deserve deeper attention in order to fulfill those requirements [17, 18].

Recently, some studies on adversarial examples in clinical radiology have shown how, for example, a correctly classified benign mole can be turned into a malignant one (with 100% confidence) just by adding specifically optimized adversarial noise [13], and how any quantitative imaging modality can be corrupted with purpose-built attack strategies [19,20,21,22]. In the study by Mirsky et al. [23], the authors implemented an attack using a generative adversarial network (GAN), showing how to automate the framework and produce false lesions in computed tomography scans. They trained the GAN on 888 annotated CT scans and performed an authorized simulation by entering a hospital’s radiology department: they introduced a single-board computer with wireless local area network and Bluetooth connectivity, used it as a Trojan horse to access the PACS network, and were thus able to intercept CT scans and introduce the desired modifications.

Adversarial radiomics

Radiomics, by moving medical imaging towards a data-driven approach, is therefore the perfect field for adversarial examples, whatever the approach chosen (traditional or deep radiomics). Although traditional radiomics may seem less exposed to this kind of adversarial example, it is not difficult to imagine small modifications of the image that suitably shift the values of some features, fooling the subsequent data analysis [8].
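As a toy illustration (not an actual attack), the sketch below shows how altering a small fraction of voxels in a synthetic region of interest can appreciably shift hand-crafted first-order features such as skewness; the numbers and the region are hypothetical.

import numpy as np

rng = np.random.default_rng(0)
roi = rng.normal(loc=100.0, scale=10.0, size=(32, 32))  # synthetic region of interest

def first_order_features(x):
    z = (x - x.mean()) / x.std()
    return {"mean": x.mean(), "skewness": (z ** 3).mean(), "kurtosis": (z ** 4).mean()}

perturbed = roi.copy()
perturbed[:4, :4] += 30.0  # raise roughly 1.5% of the voxels by a modest amount

print(first_order_features(roi))        # skewness close to 0 for Gaussian noise
print(first_order_features(perturbed))  # skewness and kurtosis shift noticeably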

By analogy with adversarial machine learning, we introduce the term adversarial radiomics, referring to “adversarial examples in radiomics”.

It is very important to stress the difference between adversarial radiomics and the intrinsic reproducibility problems of radiomics [24]. While these phenomena can of course share some common sources and features, some basic properties distinguish them.

The principal sources of the lack of reproducibility in radiomics can be traced back to different clinical image acquisition settings, pre- and post-processing image transformations, data sparsity, and analysis algorithms, and some of these concerns can in principle be addressed, e.g., by improving data analysis techniques and/or harmonizing the datasets in terms of protocols and processing. Adversarial radiomics, instead, has its roots in the problem of adversarial examples in machine learning, which is more related to the intrinsic nature of the algorithms [14]. Moreover, while standard errors in radiomics can be thought of as due to chance, adversarial learning can be guided to produce precise wrong results. The idea behind adversarial examples is to find the smallest perturbation (in the extreme case, a single pixel) able to fool the model’s classification, yielding a wrong result that is either unpredictable or predictable. The latter is the outcome of a so-called targeted attack, that is, a deliberate manipulation of clinical images causing a misdiagnosis motivated by, e.g., insurance fraud, cyber terrorism, research sabotage, or, in extreme cases, the intent to stop a political candidate or even commit murder.
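A targeted attack can be sketched, for instance, as a small iterative refinement of the perturbation towards a chosen output class, again assuming a generic PyTorch classifier; the function and parameter names below are illustrative and do not reproduce any specific published attack.

import torch

def targeted_attack(model, image, target_class, epsilon=0.01, steps=20):
    # image: float tensor of shape (1, C, H, W) in [0, 1]; target_class: desired (wrong) label
    delta = torch.zeros_like(image, requires_grad=True)
    target = torch.tensor([target_class])
    for _ in range(steps):
        loss = torch.nn.functional.cross_entropy(model(image + delta), target)
        loss.backward()
        with torch.no_grad():
            delta -= (epsilon / 4) * delta.grad.sign()  # step towards the target class
            delta.clamp_(-epsilon, epsilon)             # keep the change imperceptible
        delta.grad.zero_()
    return (image + delta).clamp(0, 1).detach()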

Adversarial examples are in general hard to defend against, since machine learning models are trained on only a tiny fraction of all the possible inputs they might encounter. Moreover, it is difficult to construct a theoretical model of the adversarial example crafting process.

Awareness of adversarial examples has given rise to defense strategies [21], searching for algorithms that are resilient to adversarial attacks and able to make decisions for consistently explainable and appropriate reasons [13, 25]. Some strategies have been proposed, such as using clever data processing to mitigate potential tampering or exposing algorithms to adversarial examples during training [11, 13]. Woods et al. [25] suggest that such attacks may even be leveraged to produce cogent explanations of robust networks. However, designing a defense that can protect against a powerful, adaptive adversarial attacker remains an open research area.
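One of these mitigations, adversarial training, can be sketched as follows, reusing the fgsm_perturb function sketched earlier and assuming a PyTorch model, optimizer, and data loader; this is an illustrative outline rather than a recipe taken from the cited works.

import torch

def adversarial_training_epoch(model, loader, optimizer, epsilon=0.01):
    model.train()
    for images, labels in loader:
        # Craft perturbed copies of the current batch with the earlier FGSM sketch
        adversarial = fgsm_perturb(model, images, labels, epsilon)
        optimizer.zero_grad()
        # Fit the clean and the perturbed batch jointly so both are classified correctly
        loss = (torch.nn.functional.cross_entropy(model(images), labels)
                + torch.nn.functional.cross_entropy(model(adversarial), labels))
        loss.backward()
        optimizer.step()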

Conclusion

In a modern view of medicine, where big data sharing and machine learning analysis are becoming a pillar of research and clinical practice, adversarial radiomics is therefore a subject of strong interest.

How should we defend against adversarial examples? First of all, by becoming aware of their existence. In our vision, a possible solution could be the integration of all quantitative and qualitative data in the analysis, achieving a complete picture of the patient while at the same time keeping a human expert in the loop who gives feedback on explainable decisions. As suggested by Zhou and Firestone, human intuition can be a reliable guide to adversarial machine learning, making such integrated systems difficult to fool [26].