defense 2025

RetinaGuard: Obfuscating Retinal Age in Fundus Images for Biometric Privacy Preserving

Zhengquan Luo 1, Chi Liu 1, Dongfu Xiao 1, Zhen Yu 2, Yueye Wang 3, Tianqing Zhu 1


Published on arXiv: 2509.06142

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

RetinaGuard successfully obfuscates retinal age prediction across multiple black-box age models while maintaining minimal degradation of image quality and pathological feature integrity.

RetinaGuard

Novel technique introduced


The integration of AI with medical images enables the extraction of implicit image-derived biomarkers for a precise health assessment. Recently, retinal age, a biomarker predicted from fundus images, has been proven to be a predictor of systemic disease risks, behavioral patterns, aging trajectory and even mortality. However, the capability to infer such sensitive biometric data raises significant privacy risks, where unauthorized use of fundus images could lead to bioinformation leakage, breaching individual privacy. In response, we formulate a new research problem of biometric privacy associated with medical images and propose RetinaGuard, a novel privacy-enhancing framework that employs a feature-level generative adversarial masking mechanism to obscure retinal age while preserving image visual quality and disease diagnostic utility. The framework further utilizes a novel multiple-to-one knowledge distillation strategy incorporating a retinal foundation model and diverse surrogate age encoders to enable a universal defense against black-box age prediction models. Comprehensive evaluations confirm that RetinaGuard successfully obfuscates retinal age prediction with minimal impact on image quality and pathological feature representation. RetinaGuard is also flexible for extension to other medical-image-derived biomarkers.


Key Contributions

  • Feature-level generative adversarial masking mechanism that obfuscates retinal age in fundus images while preserving image quality and pathological features
  • Multiple-to-one knowledge distillation strategy combining a retinal foundation model with diverse surrogate encoders to achieve universal transferability against unseen black-box age prediction models
  • Formalization of biometric attribute inference from medical images as a novel ML privacy threat with an adjustable privacy-utility trade-off framework

🛡️ Threat Analysis

Input Manipulation Attack

RetinaGuard's core contribution is generating adversarial perturbations (via feature-level GAN masking) that cause ML attribute-inference models to fail at predicting retinal age from fundus images. The knowledge distillation component is specifically designed to make these perturbations transfer to unseen black-box age prediction models — this is adversarial input manipulation used defensively for privacy, directly within the ML01 attack surface.


Details

Domains
vision
Model Types
gan, cnn, transformer
Threat Tags
black_box, inference_time
Datasets
fundus image datasets (retinal age benchmarks)
Applications
retinal fundus image analysis, biometric privacy protection, medical imaging