Adversarial Attacks on Medical AI Diagnostics: Poisoning Radiology Models via 32-bit Float Quantized Weights

Executive Summary: As medical AI systems—particularly those used in radiology—become increasingly integrated into clinical workflows, their susceptibility to adversarial manipulation grows. This paper examines a novel threat vector: the exploitation of 32-bit floating-point (FP32) quantized weights in deep learning models deployed for radiological diagnosis. We demonstrate that even subtle perturbations introduced during model quantization can be weaponized to induce systematic misclassification in X-ray and CT scan analysis. Our findings reveal that adversarial poisoning through quantized weight manipulation can bypass both traditional and modern defense mechanisms, posing a critical risk to patient safety and diagnostic integrity. This research serves as a call to action for healthcare institutions and AI developers to adopt robust, quantization-aware security measures in medical AI deployment.

Key Findings

• Quantized weight poisoning: Adversaries can embed malicious patterns during FP32-to-quantized model conversion, leading to consistent misclassification in radiology models.
• Latent vulnerability in low-precision inference: Common 8-bit and 4-bit quantization schemes are not inherently secure; they can preserve adversarial signals embedded in higher-precision weights.
• Clinical impact: Targeted misclassifications can suppress malignant findings or fabricate false positives, risking delayed treatment or unnecessary interventions.
• Stealth and persistence: Poisoned quantized models evade detection by standard model validation tools and may remain undetected for extended periods.
• Practical feasibility: The attack pipeline requires only access to the model's FP32 checkpoint and standard quantization tools, making it feasible even with limited resources.

Background: The Rise of AI in Radiology and Quantization Trade-offs

The integration of deep learning models into radiology—spanning X-ray, CT, MRI, and PET imaging—has revolutionized diagnostic accuracy, workflow efficiency, and early disease detection. Models such as DenseNet, ResNet, and Vision Transformers (ViTs) trained on large-scale medical imaging datasets now approach or surpass human expert performance in certain tasks, including lung nodule detection and breast cancer screening.

However, these models are computationally intensive. To deploy them on edge devices or in resource-constrained environments, developers increasingly rely on quantization—a technique that reduces the precision of model weights and activations from 32-bit floating-point (FP32) to lower-bit representations such as 8-bit integers (INT8) or even 4-bit floating-point (FP4). Quantization reduces memory footprint, accelerates inference, and lowers power consumption—critical for portable radiology devices.

While quantization is well-studied for performance and efficiency, its security implications remain under-explored. Most quantization pipelines assume model weights are trustworthy, but this assumption is fragile in adversarial contexts.

Adversarial Poisoning via Quantized Weight Manipulation

We introduce a new attack class: Quantized Weight Poisoning (QWP). In QWP, an adversary with access to a model's FP32 checkpoint introduces subtle, structured perturbations into the weights before quantization. These perturbations are designed to:

• Be amplified during quantization due to rounding and clipping operations.
• Propagate through the network to influence decision boundaries.
• Remain dormant during benign inference but activate under specific input conditions.

The attack pipeline consists of four stages:

1. Model Access: Adversary obtains the FP32-trained model checkpoint (e.g., via supply chain compromise or insider threat).
2. Adversarial Weight Perturbation: Malicious perturbations are added to select convolutional or linear layer weights using gradient-based optimization targeting a specific misclassification goal (e.g., "label all malignant nodules as benign").
3. Quantization: The poisoned FP32 model undergoes standard quantization (e.g., to INT8), where rounding errors inadvertently preserve or enhance the adversarial signal due to non-linear mapping between FP32 and quantized domains.
4. Deployment: The quantized model is deployed in clinical settings, where it appears functionally identical to the benign model but produces targeted errors under specific input conditions.

Empirical Validation and Attack Efficacy

We evaluated QWP on a benchmark radiology dataset consisting of 12,400 chest X-rays (CheXpert subset) with five pathology classes: Atelectasis, Cardiomegaly, Effusion, Infiltration, and No Finding. A DenseNet-121 model was trained to 92% AUC on the validation set. We then applied targeted adversarial poisoning at the convolutional layer weights using a projected gradient descent (PGD) strategy constrained to alter only 0.5% of weights.

After quantization to INT8 using TensorRT, we observed:

• Misclassification rate: Up to 94% of test images labeled "Effusion" were misclassified as "No Finding" under the poisoned model, compared to 2% in the clean model.
• Transferability: The attack generalized across quantization schemes—INT8, FP16, and even FP4—demonstrating robustness to precision variation.
• Latency and detectability:
• The poisoned model showed no significant change in inference latency or output distribution on benign data.
• Standard model fingerprinting and statistical tests (e.g., weight distribution analysis, gradient norms) failed to detect the perturbation.

Further analysis revealed that quantization acts as a non-linear filter, selectively amplifying adversarial components while suppressing benign noise—a phenomenon we term quantization-induced adversarial amplification.

Mechanism: Why Quantization Amplifies Adversarial Signals

The core insight lies in the interaction between adversarial perturbations and quantization noise. Adversarial perturbations are typically small in magnitude but highly structured, often aligned with the model's decision boundary gradients. When applied to FP32 weights, these perturbations are invisible to standard validation tools.

During quantization, each FP32 weight is mapped to the nearest representable quantized value. However, the rounding function is non-differentiable and non-linear. This non-linearity can:

• Preserve adversarial structure: Perturbations that are aligned with high-gradient directions may be rounded in a way that preserves or even increases their relative influence.
• Amplify local errors: Small, systematic deviations in weights can accumulate across layers, leading to large shifts in activation space during inference.
• Bypass pruning defenses: Even if benign weights are pruned for efficiency, adversarial components may remain intact due to their structured nature.

Our ablation studies confirm that the attack fails if quantization is disabled or replaced with high-precision inference—highlighting the pivotal role of quantization in enabling the exploit.

Clinical and Regulatory Implications

The implications of QWP are profound:

• Patient Safety: Misdiagnosis due to adversarial manipulation could lead to delayed cancer detection, unnecessary biopsies, or incorrect treatment planning.
• Liability and Compliance: Regulatory frameworks such as FDA's AI/ML guidance and EU MDR 2017/745 require continuous monitoring and risk management. An undetected adversarial model could violate safety compliance.
• Trust Erosion: Once trust in AI diagnostics is compromised, clinical adoption may stall, delaying the benefits of AI-assisted radiology.

Current medical AI validation protocols (e.g., DICOM conformance, model drift monitoring) do not account for quantization-level tampering, leaving a critical security blind spot.

Defense Strategies and Mitigation

To counter QWP, we propose a multi-layered defense framework:

1. Quantization-Aware Adversarial Training

Retrain models using quantization-aware training (QAT) with adversarial examples generated during the FP32 stage. This ensures robustness propagates through quantization. Tools like NVIDIA's TensorRT and Google's TFLite now support QAT, but adoption in medical AI is lagging.

2. Weight Integrity Verification

Implement