Missing pattern based backdoor attack on medical machine learning model

Abstract

Backdoor attack was introduced that previously inserts a backdoor on a medical machine learning model and manipulates the result at the attacker’s will at test time. However, previous attacks must poison a large amount of a training dataset, and the attackers must investigate the characteristics of the data in advance. This paper performs a backdoor attack that only modifies the missing pattern of EHR. The missing pattern based backdoor attack enables to perform the attack with a smaller poisoning proportion of the training dataset and without any prior information of the data, which reduces the likelihood of detection. Experimental results on four ML models (LR, MP, LSTM, and GRU) that predict in-hospital mortality using the MIMIC-III dataset showed that the proposed technology achieves attack success rates of 97–99% with a poisoning proportion of less than 2%. Furthermore, the classification accuracy of clean EHR data was substantially comparable to the non-contaminated model, demonstrating the efficacy of the attack.