defense 2025

MedFedPure: A Medical Federated Framework with MAE-based Detection and Diffusion Purification for Inference-Time Attacks

Mohammad Karami 1, Mohammad Reza Nemati 1, Aidin Kazemi 1, Ali Mikaeili Barzili 1,2, Hamid Azadegan 3, Behzad Moshiri 1,4

0 citations · 62 references · arXiv


Published on arXiv: 2511.11625

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

MedFedPure improves adversarial robustness from 49.50% to 87.33% under strong attacks while maintaining 97.67% clean accuracy on the Br35H brain MRI dataset.

MedFedPure

Novel technique introduced


Artificial intelligence (AI) has shown great potential in medical imaging, particularly for brain tumor detection using Magnetic Resonance Imaging (MRI). However, the models remain vulnerable at inference time when they are trained collaboratively through Federated Learning (FL), an approach adopted to protect patient privacy. Adversarial attacks can subtly alter medical scans in ways invisible to the human eye yet powerful enough to mislead AI models, potentially causing serious misdiagnoses. Existing defenses often assume centralized data and struggle to cope with the decentralized and diverse nature of federated medical settings. In this work, we present MedFedPure, a personalized federated learning defense framework designed to protect diagnostic AI models at inference time without compromising privacy or accuracy. MedFedPure combines three key elements: (1) a personalized FL model that adapts to the unique data distribution of each institution; (2) a Masked Autoencoder (MAE) that detects suspicious inputs by exposing hidden perturbations; and (3) an adaptive diffusion-based purification module that selectively cleans only the flagged scans before classification. Together, these steps offer robust protection while preserving the integrity of normal, benign images. We evaluated MedFedPure on the Br35H brain MRI dataset. The results show a significant gain in adversarial robustness, improving performance from 49.50% to 87.33% under strong attacks, while maintaining a high clean accuracy of 97.67%. By operating locally and in real time during diagnosis, our framework provides a practical path to deploying secure, trustworthy, and privacy-preserving AI tools in clinical workflows.

Index Terms: cancer, tumor detection, federated learning, masked autoencoder, diffusion, privacy


Key Contributions

  • MedFedPure: a client-side personalized federated defense pipeline combining a mixture-of-experts classifier, MAE-based adversarial detection, and adaptive diffusion purification
  • Adaptive detection-purification mechanism where MAE reconstruction error gates diffusion purification strength, preserving benign inputs while neutralizing adversarial ones
  • Evaluated on Br35H brain MRI dataset, improving adversarial robustness from 49.50% to 87.33% under strong attacks while maintaining 97.67% clean accuracy

🛡️ Threat Analysis

Input Manipulation Attack

Paper defends against adversarial examples (imperceptible perturbations to MRI scans) that cause misclassification at inference time — the canonical ML01 threat. The MAE-based detector and diffusion purification module are specifically designed to detect and neutralize input manipulation attacks.


Details

Domains: vision, federated-learning
Model Types: federated, transformer, diffusion
Threat Tags: inference_time, digital
Datasets: Br35H
Applications: brain tumor detection, medical MRI classification