ML Security PapersHammering the Diagnosis: Rowhammer-Induced Stealthy Trojan Attacks on ViT-Based Medical Imaging
Banafsheh Saber Latibari 1, Najmeh Nazari 2, Hossein Sayadi 3, Houman Homayoun 2, Abhijit Mahalanobis 1
Published on arXiv
2510.24976
Model Poisoning
OWASP ML Top 10 — ML10
Key Finding
Rowhammer-triggered neural Trojans achieve 82.51% and 92.56% attack success rates on MobileViT and SwinTransformer respectively while remaining stealthy in medical imaging classification tasks.
Med-Hammer
Novel technique introduced
Vision Transformers (ViTs) have emerged as powerful architectures in medical image analysis, excelling in tasks such as disease detection, segmentation, and classification. However, their reliance on large, attention-driven models makes them vulnerable to hardware-level attacks. In this paper, we propose a novel threat model referred to as Med-Hammer that combines the Rowhammer hardware fault injection with neural Trojan attacks to compromise the integrity of ViT-based medical imaging systems. Specifically, we demonstrate how malicious bit flips induced via Rowhammer can trigger implanted neural Trojans, leading to targeted misclassification or suppression of critical diagnoses (e.g., tumors or lesions) in medical scans. Through extensive experiments on benchmark medical imaging datasets such as ISIC, Brain Tumor, and MedMNIST, we show that such attacks can remain stealthy while achieving high attack success rates about 82.51% and 92.56% in MobileViT and SwinTransformer, respectively. We further investigate how architectural properties, such as model sparsity, attention weight distribution, and the number of features of the layer, impact attack effectiveness. Our findings highlight a critical and underexplored intersection between hardware-level faults and deep learning security in healthcare applications, underscoring the urgent need for robust defenses spanning both model architectures and underlying hardware platforms.
Key Contributions
- Med-Hammer: novel threat model combining Rowhammer hardware fault injection with neural Trojans to stealthily compromise ViT-based medical imaging systems without modifying input scans
- Empirical demonstration achieving 82.51% and 92.56% attack success rates on MobileViT and SwinTransformer across ISIC, Brain Tumor, and MedMNIST datasets
- Analysis of how ViT architectural properties — model sparsity, attention weight distribution, and layer feature count — influence Rowhammer-triggered Trojan effectiveness
🛡️ Threat Analysis
Core contribution is implanting neural Trojans in ViT models and using Rowhammer-induced bit flips in DRAM as the trigger activation mechanism, causing targeted misclassification of medical diagnoses. The Rowhammer component is the delivery/trigger mechanism for the backdoor, not a supply chain attack — weight/parameter manipulation at inference time falls under ML10 per the taxonomy's own note on direct weight manipulation attacks.