Digital Watermarking as an Adversarial Attack on Medical Image Analysis with Deep Learning

In recent years, Deep Neural Networks (DNNs) have become popular in many disciplines, such as Computer Vision (CV), and the evolution of hardware has helped researchers develop many powerful Deep Learning (DL) models for several problems. One of the most important challenges in the CV area is Medical Image Analysis. However, adversarial attacks have proven to be an important threat to vision systems, as they can significantly reduce the performance of the models. This paper brings to light a different side of digital watermarking: its potential use as a black-box adversarial attack. In this context, apart from proposing a new category of adversarial attacks named watermarking attacks, we highlight a significant problem: the massive use of watermarks for security reasons seems to pose significant risks to vision systems. For this purpose, a moment-based local image watermarking method is applied to three modalities: Magnetic Resonance Images (MRI), Computed Tomography (CT) scans, and X-ray images. The introduced methodology was tested on three state-of-the-art CV models, DenseNet201, DenseNet169, and MobileNetV2. The results revealed that the proposed attack achieved over 50% degradation of the models' performance in terms of accuracy. Additionally, MobileNetV2 was the most vulnerable model, and CT scans were the modality with the largest reduction.


Introduction
The evolution of deep learning and computer hardware has helped computer vision applications become reality. Some disciplines that use DL for computer vision tasks are robotics [1], image quality assessment [2], biometrics [3], face recognition [4], image classification [5], autonomous vehicles [6], etc. One of the most important applications in CV is medical image analysis, where DL models are typically trained to diagnose or predict several diseases from numerous modalities such as MRI, CT scans, X-rays, histopathology images, etc. Owing to this success, DL has become a useful supportive tool for doctors in medical image analysis, as it saves them significant time.
Despite DL's success, recent studies have proven that these models can be easily fooled by imperceptibly perturbing images [7]. According to Goodfellow et al. [8], these attacks decrease a model's efficiency due to its linear behavior. Adversarial attacks are divided into three main categories. The first is the "white-box attack", in which attackers know the structure and the parameters of the model. The second is the "grey-box attack", where attackers know only the model's structure, and the third is the "black-box attack", in which attackers know nothing about the model. Additionally, there are targeted and untargeted attacks. In the former, attackers want the input sample to be misclassified as a specific class, while in the latter they just want the sample to be misclassified. Some of the best-known adversarial attacks are the Fast Gradient Sign Method (FGSM) [8], Projected Gradient Descent (PGD) [9], Jacobian-based Saliency Map Attacks (JSMA) [10], and Carlini & Wagner (C&W) [11].
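To make the mechanics concrete, the following is a minimal sketch of an untargeted FGSM attack [8], assuming a Keras classifier with softmax outputs and inputs scaled to [0, 1]; the function name and epsilon value are illustrative.

```python
import tensorflow as tf

def fgsm_attack(model, image, label, eps=0.05):
    """Untargeted FGSM: step the input in the direction of the sign of
    the loss gradient so that the loss on the true label increases."""
    x = tf.convert_to_tensor(image[None, ...], dtype=tf.float32)
    y = tf.convert_to_tensor(label[None, ...], dtype=tf.float32)
    with tf.GradientTape() as tape:
        tape.watch(x)
        loss = tf.keras.losses.categorical_crossentropy(y, model(x))
    grad = tape.gradient(loss, x)
    x_adv = x + eps * tf.sign(grad)                # one signed-gradient step
    return tf.clip_by_value(x_adv, 0.0, 1.0)[0]    # keep a valid image
```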

Related Works
In recent years, several adversarial attacks on medical images have been proposed. Some studies have experimented with existing attacks on medical images, while others create attacks exclusively for medical images. Yılmaz et al. [15] applied the FGSM attack to mammographic images. They used the "Digital Database for Screening Mammography" (DDSM), which consists of normal and cancerous images. The accuracy decreased by up to 30%, while the Structural Similarity Index (SSIM) fell below 0.2. Pal et al. [16] applied the FGSM attack to X-rays and CT scans for COVID-19 detection. They used the VGG16 and InceptionV3 models, showing that these models are vulnerable, as the accuracy decreased by up to 90% for VGG16 and up to 63% for InceptionV3. Paul et al. [17] attacked models trained on the NLST dataset using the white-box FGSM and the black-box One-pixel attacks. FGSM reduced the model's accuracy by 36%, while One-pixel reduced it by only 2-3%. Huq and Pervin [18] applied the FGSM and PGD attacks to dermoscopic images for skin cancer recognition. The model's performance decreased by up to 75%. Some of the best-known white-box attacks, FGSM, PGD, C&W, and BIM, were tested on three datasets with ResNet50; in some cases, the performance of the model decreased by 100% [19]. Ozbulak et al. [20] proposed a targeted attack for medical image segmentation named Adaptive Segmentation Mask Attack (ASMA). This attack creates imperceptible samples and achieves high Intersection-over-Union (IoU) degradation. Chen et al. [21] proposed an attack for medical image segmentation that generates adversarial examples using geometrical deformations to model anatomical and intensity variations. Tian et al. [22] created an adversarial attack based on the bias field phenomenon, which can be caused by the wrong acquisition of a medical image and can affect the efficacy of a DNN. Kügler et al. [23] investigated a physical attack on skin images by drawing dots and lines on the skin with pen or acrylic. Shao et al. [24] proposed a white-box targeted segmentation attack that combines an adaptive segmentation mask with feature space perturbation to create a Multi-Scale Attack (MSA). The authors used the gradients of the last layer and of a middle layer in order to keep the perturbation small. Yao et al. [25] proposed a Hierarchical Feature Constraint (HFC) method that can be added to any attack. Adversarial attacks are more easily detected in medical images than in natural images, and this method helps attacks hide their adversarial features so that they are not easily detected.

Materials and Methods
Image moments are among the most important descriptors of image content, and they have been used in several research fields such as pattern recognition [26], computer vision [27], and image processing [28]. In past years, researchers developed orthogonal moments, which use polynomials with an orthogonal basis as kernel functions. This means that different moment orders describe different parts of an image, which results in minimal information redundancy. Some well-known moment families are Zernike [29], Tchebichef [30], and Krawtchouk [31]. The watermarking method we applied uses Krawtchouk moments due to their robustness under signal processing attacks.

Krawtchouk Moments
The Krawtchouk orthogonal moments are a family of high-resolution moments defined in the discrete domain, introduced into image analysis by Yap et al. [31]. Krawtchouk moments use the discrete Krawtchouk polynomials, which have the following form:

$$K_n(x; p, N) = {}_2F_1\left(-n, -x; -N; \frac{1}{p}\right), \quad (1)$$

where $x, n = 0, 1, 2, \ldots, N$, $N > 0$, $p \in (0, 1)$, and ${}_2F_1$ is the hypergeometric function. However, using Equation (1) directly causes numerical fluctuations, so a more stable version, the weighted Krawtchouk polynomials, was used:

$$\bar{K}_n(x; p, N) = K_n(x; p, N)\sqrt{\frac{w(x; p, N)}{\rho(n; p, N)}}, \quad (2)$$

where $\rho(n; p, N)$ is the norm of the Krawtchouk polynomials,

$$\rho(n; p, N) = (-1)^n \left(\frac{1-p}{p}\right)^n \frac{n!}{(-N)_n}, \quad (3)$$

and $w(x; p, N)$ is the weight function of the Krawtchouk moments,

$$w(x; p, N) = \binom{N}{x} p^x (1-p)^{N-x}. \quad (4)$$

In Equation (3), the symbol $(\cdot)_n$ corresponds to the Pochhammer symbol, which in the general case is defined as $(a)_k = a(a+1)\cdots(a+k-1)$.

Based on the above definitions, the orthogonal discrete Krawtchouk image moments of $(n+m)$-th order of an $N \times M$ image with intensity function $f(x, y)$ are defined as follows:

$$Q_{nm} = \sum_{x=0}^{N-1}\sum_{y=0}^{M-1} \bar{K}_n(x; p_1, N-1)\,\bar{K}_m(y; p_2, M-1)\,f(x, y). \quad (5)$$

Krawtchouk moments are very effective local descriptors, unlike the other moment families, which capture the global features of the objects they describe. This locality property is controlled by the appropriate adjustment of the $p_1$, $p_2$ parameters of Equation (5).
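To make these definitions concrete, the following Python sketch evaluates Equations (1)-(5) directly from the terminating hypergeometric series; the function names are illustrative, and a production implementation would typically use the polynomials' recurrence relations for numerical stability at high orders and large images.

```python
import numpy as np
from math import comb, factorial

def poch(a, k):
    # Pochhammer symbol (a)_k = a (a+1) ... (a+k-1), with (a)_0 = 1
    result = 1.0
    for i in range(k):
        result *= a + i
    return result

def krawtchouk_poly(n, x, p, N):
    # K_n(x; p, N) = 2F1(-n, -x; -N; 1/p), Eq. (1); the series terminates
    # because (-n)_k vanishes for k > n.
    return sum(poch(-n, k) * poch(-x, k) / (poch(-N, k) * factorial(k))
               * (1.0 / p) ** k for k in range(n + 1))

def weighted_krawtchouk(n, x, p, N):
    # Weighted polynomial of Eq. (2), using the weight (4) and norm (3)
    w = comb(N, x) * p ** x * (1 - p) ** (N - x)
    rho = (-1) ** n * ((1 - p) / p) ** n * factorial(n) / poch(-N, n)
    return krawtchouk_poly(n, x, p, N) * np.sqrt(w / rho)

def krawtchouk_moments(image, order, p1, p2):
    # Discrete Krawtchouk moments Q_nm of Eq. (5) up to the given order
    N, M = image.shape
    Kx = np.array([[weighted_krawtchouk(n, x, p1, N - 1) for x in range(N)]
                   for n in range(order + 1)])
    Ky = np.array([[weighted_krawtchouk(m, y, p2, M - 1) for y in range(M)]
                   for m in range(order + 1)])
    return Kx @ image @ Ky.T   # Q[n, m] = sum_xy Kx[n, x] f(x, y) Ky[m, y]
```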

Watermark Embedding
The method we used for watermark embedding was proposed in [32] and consists of the processing modules depicted in Figure 1.

In Figure 1, the original image is the initial medical image into which an L-bit binary message is inserted to construct the final watermarked image. A set of Krawtchouk moments is calculated according to Equation (5). In this stage, a key set K1 corresponds to the set of parameters P: (p1, p2). Dither modulation is an important methodology that integrates one signal into another, enhances the embedding rate with minimal distortion of the original image, and increases robustness under attacking conditions. In this methodology, the Krawtchouk moments of the initial image are used as the host signal into which the L-bit binary message (b1, b2, ..., bL) is inserted according to Equation (6). The modified Krawtchouk moments, which result from dither modulation, are used to construct the watermark information, which is added to the initial image in the last step.
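Equation (6) is not reproduced in the extracted text, so the following is only a generic sketch of binary dither modulation (quantization index modulation), assuming the embedding strength acts as the quantization step; the exact dither sequence and coefficient selection follow [32].

```python
import numpy as np

def embed_dither_modulation(moments, bits, strength):
    # Generic QIM sketch: each message bit snaps one moment coefficient
    # onto one of two quantization lattices offset by half a step.
    marked = np.asarray(moments, dtype=float).copy()
    flat = marked.ravel()
    for i, b in enumerate(bits):                   # one coefficient per bit
        dither = 0.0 if b == 0 else strength / 2.0
        flat[i] = strength * np.round((flat[i] - dither) / strength) + dither
    return flat.reshape(marked.shape)
```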

Watermarking Adversarial Attack
Digital watermarking is a process that prevents tampering by providing authentication, content verification, and image integrity. It consists of two processes. The first process is called watermark embedding, during which digital information is embedded into a multimedia product, and the second is called watermark extraction, in which the information is extracted or detected from the product. Watermarking in the medical field has numerous practical applications, including telediagnosis, teleconferencing between clinicians, and distance training of medical staff. The use of watermarking techniques guarantees the confidentiality and security of the transmitted data and the integrity of the medical images. Furthermore, watermark authentication and tamper detection methods can be used to locate the source of the medical images and the falsified area, respectively. All of the above lead to the conclusion that watermarking is a crucial and necessary process in medical image analysis.
So far, we have described the benefits of watermarking; however, digital watermarking can degrade the quality of a multimedia product such as an image. These changes may not affect human decision making, but we hypothesize that they can influence the decision of a deep learning model. In this study, we deal only with the watermark embedding part and not with the extraction part, since we study the performance of the models on watermarked images. There are numerous watermarking methodologies applied to medical images, based for example on other moment families [33] or transformations [34], and these can constitute a new category of attacks.
We experimented with a watermarking method that uses Krawtchouk moments, because image moments are among the most important descriptors of image content and are widely used in many fields of image processing. Moreover, another adversarial attack, the Discrete Orthogonal Moments Exclusion of Tchebichef image moments (DOME-T) [35], uses moments to attack the ImageNet dataset with remarkable results. Through this research, we highlight a crucial problem that has not been studied before: that watermarking can impair the performance of the models. Watermarking is widely used in the analysis of medical images, and therefore the various watermarking methodologies must be studied from this perspective for the safe use of artificial intelligence in the medical field. We name this new category of adversarial attacks Watermarking Adversarial Attacks, or WA² for short, and herein we study the Krawtchouk Moments based WA², represented by the term KMsWA².
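Combining the sketches above, a hypothetical end-to-end KMsWA² pipeline might look as follows: compute the local moments at (p1, p2), dither-modulate them with the message, reconstruct the induced watermark signal via the inverse (orthonormal) transform, and add it to the image. The moment order and clipping range are assumptions, and the helper functions come from the earlier sketches; the actual embedding follows Equation (6) of [32].

```python
def kms_wa2_attack(image, bits, p1, p2, strength, order=60):
    # Sketch of the watermarking attack: embed an L-bit message into the
    # local Krawtchouk moments and add the resulting watermark to the image.
    N, M = image.shape
    Kx = np.array([[weighted_krawtchouk(n, x, p1, N - 1) for x in range(N)]
                   for n in range(order + 1)])
    Ky = np.array([[weighted_krawtchouk(m, y, p2, M - 1) for y in range(M)]
                   for m in range(order + 1)])
    Q = Kx @ image @ Ky.T                          # forward transform, Eq. (5)
    Q_marked = embed_dither_modulation(Q, bits, strength)
    watermark = Kx.T @ (Q_marked - Q) @ Ky         # inverse transform of the change
    return np.clip(image + watermark, 0, 255)      # 8-bit range assumed
```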

Experimental Study
In order to investigate the performance of the proposed watermarking attack (the source code of the proposed KMsWA² attack will be provided via the GitHub account of our research group, https://github.com/MachineLearningVisionRG/KMsWA2, accessed on 17 April 2022, upon acceptance of the paper), we trained three popular deep learning models, DenseNet169, DenseNet201, and MobileNetV2, which are widely used by the research community, and thus it is important to investigate their robustness. We combined all p1 and p2 values, p1, p2 ∈ {0.1, 0.2, ..., 0.9}, with different L-bit lengths and embedding strengths a. The L-bit length ranges from 100 to 1000 with a step of 100. The embedding strength takes four different values: 50, 100, 200, and 300. The watermark embedding was implemented in MATLAB 2018a and the models were trained in Google Colab with Keras 2.4.3. All models were pretrained on the ImageNet dataset and were fine-tuned with the Adam optimizer for 20 epochs with a learning rate of 0.0001. We also used three different attacks, FGSM, PGD, and Square Attack [36], for comparison. FGSM and PGD created their adversarial samples using different (surrogate) models so that they could be treated as black-box attacks. For this purpose, the Adversarial Robustness Toolbox (ART) [37] was applied to create the adversarial samples. Finally, the SSIM index was calculated to assess the image distortion.
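A minimal sketch of the fine-tuning setup described above, assuming a 224×224 RGB input and a softmax classification head (both assumptions; the paper does not specify the head architecture):

```python
import tensorflow as tf

def build_finetune_model(num_classes, input_shape=(224, 224, 3)):
    # ImageNet-pretrained backbone, fine-tuned end to end with Adam, lr 1e-4
    base = tf.keras.applications.DenseNet201(
        weights="imagenet", include_top=False, input_shape=input_shape)
    x = tf.keras.layers.GlobalAveragePooling2D()(base.output)
    out = tf.keras.layers.Dense(num_classes, activation="softmax")(x)
    model = tf.keras.Model(base.input, out)
    model.compile(optimizer=tf.keras.optimizers.Adam(learning_rate=1e-4),
                  loss="categorical_crossentropy", metrics=["accuracy"])
    return model

# model = build_finetune_model(num_classes=3)   # e.g., the X-ray dataset
# model.fit(train_ds, validation_data=val_ds, epochs=20)
```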

Datasets
The attack was applied to classification problems in three different modalities. The first dataset [38] is a lung X-ray set that classifies the images into three categories, normal, pneumonia, and COVID-19, containing 3840 images. The second dataset [39] consists of brain MRIs of four tumor categories with 3264 total images, and the last dataset [40] is a binary classification of CT scans into COVID-19 and non-COVID-19 lungs, providing 2481 images. A sample from each dataset is presented in Figure 2.

Ablation Study
The attack consists of three main parameters: the embedding strength (a), the embedding message length (L-bit), and the p values (p1, p2). The embedding strength is an important parameter in digital watermarking because it affects the extraction of the information. When the strength value is large, the extraction method is more robust, but the perturbation in the images is more visible. The L-bit length concerns the size of the information we insert into the images. If the size is large, then the part of the image that is perturbed is also large. The last parameters, the p values (p1, p2), function as the coordinates of the local patch of the image where the watermark is inserted (Figure 3). The parameter grid used in the ablation is sketched below.
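A sketch of the full ablation grid (the image handle and the evaluation step are placeholders):

```python
from itertools import product
import numpy as np

p_values = [round(0.1 * i, 1) for i in range(1, 10)]   # p1, p2 in {0.1,...,0.9}
lengths = range(100, 1100, 100)                        # L-bit in {100,...,1000}
strengths = [50, 100, 200, 300]                        # embedding strength a

for p1, p2, L, a in product(p_values, p_values, lengths, strengths):
    bits = np.random.randint(0, 2, size=L)             # random L-bit message
    # attacked = kms_wa2_attack(image, bits, p1, p2, strength=a)
    # ...evaluate model accuracy and SSIM on the attacked images...
```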

As shown in Figure 3a, the watermark is embedded in the upper left corner when the p parameters are equal to 0.1, while in (b) it is embedded in the bottom right corner because the p values are equal to 0.9. Both p values range from 0.1 to 0.9, covering all local regions of the image. Figure 4 presents how the embedding strength affects the distortion of an image while the other parameters are kept constant (L-bit = 1000, p1 = 0.1, p2 = 0.1), and Figure 5 presents the perturbation as a function of the L-bit length (embedding strength = 300, p1 = 0.1, p2 = 0.1). The embedding strength controls the amount of watermark information that is inserted in the image: a large embedding strength provides more robustness, but it is also more perceptible.
As depicted in Figure 4, as the embedding strength increases, the image quality deteriorates and the noise becomes more perceptible and intense. On the other hand, in Figure 5 the intensity of the noise is almost the same for all L-bit lengths, but the size of the perturbed region changes.
In addition, experiments were performed with FGSM, PGD, and Square Attack for ϵ values equal to 0.01, 0.03, 0.05, 0.07, 0.09, 0.12, and 0.15. In Figure 6, MRIs attacked with the aforementioned methods at ϵ = 0.01 are presented; the human eye cannot perceive any difference between these images. In Figure 7, the attacks with ϵ = 0.07 are depicted. Square Attack causes the biggest distortion compared to FGSM and PGD; however, small changes can also be observed for the other two attacks. In Figure 8, the ϵ value has been increased to 0.15, making the noise perceptible.
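A sketch of how the three comparison attacks can be generated with ART, assuming the fine-tuned Keras model from the training sketch above and test images x_test scaled to [0, 1]:

```python
import tensorflow as tf
from art.estimators.classification import TensorFlowV2Classifier
from art.attacks.evasion import (FastGradientMethod,
                                 ProjectedGradientDescent, SquareAttack)

# Wrap the (surrogate) Keras model for ART; model and x_test are assumed
classifier = TensorFlowV2Classifier(
    model=model, nb_classes=3, input_shape=(224, 224, 3),
    loss_object=tf.keras.losses.CategoricalCrossentropy(),
    clip_values=(0.0, 1.0))

for eps in [0.01, 0.03, 0.05, 0.07, 0.09, 0.12, 0.15]:
    for Attack in (FastGradientMethod, ProjectedGradientDescent, SquareAttack):
        x_adv = Attack(estimator=classifier, eps=eps).generate(x=x_test)
        # ...evaluate the target models on x_adv and record accuracy/SSIM...
```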

Results
All possible combinations of parameters were applied to the images in order to investigate which set of parameters is most effective. As expected, large values of L-bit length and embedding strength led to greater efficiency. However, adversarial attacks should be as imperceptible as possible; that is why we experimented with all values, in order to combine efficiency and imperceptibility. Tables 1-3 present the results before and after the attack for X-ray images, while Tables A1-A3 concern MRIs and Tables A4-A6 concern CT scans, all for the three examined pretrained DL models. For each L-bit length and embedding strength, we present the most effective values of p1 and p2. The term "original accuracy" refers to the performance of the models on non-watermarked images. Additionally, the SSIM index (which takes values between 0 and 1, or 0-100% in percentage terms) between the original and the attacked image is presented in these tables. The lowest SSIM index was given by X-rays (0.79), with embedding strength and L-bit length equal to 500 and 1000, respectively. The attacking performance of FGSM, PGD, and Square Attack is presented in Tables A7-A9 for X-rays, MRIs, and CT scans, respectively. The ϵ value in these tables is the magnitude of perturbation for each attack; each table shows the SSIM index and the model's accuracy for each ϵ value. To keep the text legible, Tables A1-A9 are available in Appendix A.
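The SSIM values can be computed with scikit-image; a minimal sketch, assuming 8-bit grayscale images (the variable names are placeholders):

```python
from skimage.metrics import structural_similarity

# SSIM between the original and the attacked image; data_range must
# match the images' dynamic range (here, 8-bit).
score = structural_similarity(original, attacked, data_range=255)
print(f"SSIM = {score:.3f}")   # 1.0 means identical images
```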

Discussion
According to the results, CT scans were the least robust modality, as the accuracy of the models was reduced by almost 50%. This is very interesting, as COVID-19 detection using CT scans should have been the most robust problem, because it has only two classes. Even with the smallest perturbation, the accuracy of MobileNetV2 decreased by 12.2% (Figure 9). The CT-scan modality should be further investigated to draw safe conclusions. The problem of brain tumor classification was the most difficult one, and therefore the performance of the models was low even on clean images. However, the models did not lose significant accuracy under an imperceptible perturbation. On X-rays, the accuracy decreases significantly when we increase the embedding strength or insert a lot of information.

Moreover, MobileNetV2 is the weakest model, as it loses accuracy more easily than the other two models, without requiring a perceptible distortion. This may be due to the fact that MobileNetV2 has fewer parameters than the other models. In the CT-scan case, which was the weakest one, all models lost an important percentage of accuracy even at the lowest parameter values; however, the DenseNets lost their accuracy at a slower pace than MobileNetV2. Furthermore, in the MRI and X-ray cases, DenseNet201 and DenseNet169 need a combination of high embedding strength and L-bit length values for their accuracy to be significantly reduced. On the other hand, the accuracy of MobileNetV2 decreases significantly when either the embedding strength or the L-bit length is high. As a consequence, the DenseNet variants need perceptible noise in order for their accuracy to decrease. In the MRI case, the most difficult one, the DenseNet variants responded very well, losing 5% of their accuracy and only under high values of embedding strength and L-bit length (200 and 700, respectively). The problem of classification in medical images is usually difficult because there are no important differences between the different classes. Additionally, there are cases, such as lung X-rays, in which specific points determine the decision. That is why the p1 and p2 values play a significant role in the attack's efficiency. We observe that images within each problem share similar effective p values, because these values point to the critical regions. This is an important advantage of this attack, as we can predefine the p values depending on the images we attack.
The comparison with the other attacks shows that there is no clear winner. In the CT-scan modality, the proposed attack achieved the greatest accuracy degradation for all models while presenting a much better SSIM index. For X-rays, there are cases in which the other three attacks are more effective, but with a worse SSIM index. For instance, PGD with ϵ = 0.15 dropped the accuracy to 79.8% with SSIM = 44.3%, while the proposed attack dropped it to 82% with SSIM = 80%. The proposed KMsWA² attack retains a high SSIM index even at high values of embedding strength and L-bit length, as shown in Figures 10-12. This is due to the fact that the watermarking is applied only to the region determined by the p values and not to the whole image, whereas the other attacks create adversarial noise over the whole image, destroying its quality.
In Figures 10-12, six representative scatter plots for the three image modalities are presented, showing that the proposed KMsWA² attack achieves the same or better performance degradation with a significantly higher SSIM index. In Figures 10a, 11a, and 12a, the dots are scattered from the top right towards the bottom left, indicating that the reduction in accuracy is achieved only at a low SSIM index, while Figures 10b, 11b, and 12b present a vertical direction, which means that the proposed KMsWA² attack drops the accuracy without dropping the SSIM index much. These results constitute evidence that watermarking can be considered an adversarial attack on images, and thus the research community should study this phenomenon deeply; otherwise, watermarking methods will become inhibitors to computer vision applications in medical image analysis.

Conclusions
In this study, we proposed a black-box adversarial attack for medical images using a moment-based watermarking methodology. We experimented with three different modalities, X-rays, MRIs, and CT scans, achieving a performance degradation of up to 41%, proving that digital watermarking may act as a Trojan horse, since it is ordinarily used to protect the patient's privacy and safety. We showed that even with the least insertion of information or the smallest embedding strength, the performance can be reduced. Moreover, the experiments revealed that the proposed attack is competitive with the established adversarial attacks, since it affects the accuracy of the deep learning models in a way that is imperceptible to human eyes. In addition, defending against this attack is not an easy process, because the images are distorted locally and a huge number of images must be created to apply adversarial learning. The DenseNet models were the most robust, MobileNetV2 was the weakest, and CT scans were the most vulnerable modality. As future work, we would like to experiment with more watermarking methodologies as well as more moment families following the same scheme proposed herein, and also to examine other popular medical image watermarking techniques, e.g., based on wavelets. Moreover, we plan to investigate whether adversarial learning is able to alleviate the effects of watermarking attacks.