Impact of Black-Box Adversarial Attacks on Deep Neural Networks for Skin Imaging

Bartłomiej Moniak, Joanna Jaworek-Korjakowska; Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV) Workshops, 2025, pp. 1145-1153

Adversarial attacks have emerged as a critical threat vector against deep learning models, enabling the manipulation of model outputs through carefully crafted input perturbations. In this study, we explore the effectiveness of three black-box adversarial attack methodologies--where the attacker has no access to model internals--in the context of skin image classification. Using clinically relevant dermatological image datasets, we demonstrate that these attacks can reliably degrade the predictive performance of state-of-the-art convolutional neural networks, even under strict black-box constraints. We evaluate the proposed approach using black-box, noise-driven adversarial perturbations, including uniform random noise, Gaussian-masked noise, and anatomically-constrained noise guided by segmentation masks generated via the Segment Anything v2 (SAM2) model. The proposed black-box attacks resulted in a significant reduction in model accuracy (up to 23.75%) and F1-Score (as much as 50% drop). These results reveal a critical vulnerability of medical image classifiers to adversarial attacks and the importance of incorporating robust safety mechanisms during model development and deployment. The proposed models employ transfer learning using architectures such as ResNet-50 and EfficientNet (B0,B4, and B7). Training is conducted in two phases: initially, the backbone is frozen while a custom classification head is trained to adapt to the skin imaging domain. Subsequently, a two-stage unfreezing strategy is applied, gradually fine-tuning deeper layers of the network to improve task-specific feature representation. All models are trained on ISIC archive datasets, utilizing the 3D whole-body scans from ISIC 2024 and dermoscopic images from ISIC 2018 to ensure diversity in acquisition modalities and improve generalization across clinically relevant input types.