Implantable Cardiac - Defibrillators (ICDs) Attack

Problem Statement


Images per class
There are total 8 dance genre in the given data-set. Let's plot the count of the number of image samples per genre


Let's plot some sample training images

Image classification training data.JPG

Project Statement

This project investigates how to improve the robustness of algorithms used in Implantable Cardiac-Defibrillators (ICDs): medical cyber-physical systems that monitor heart signals (electrograms, or EGM) and administer therapy. While these systems have shown tremendous success in treating heart arrhythmias, plenty of work is still needed to evaluate and improve their resilience to attacks. Despite the efforts of regulatory agencies and researchers to improve device security, recent security-related recalls and attack demonstrations show that vulnerabilities persist across varied vectors. Early seminal work showed how specific electromagnetic interference could overpower biosignals sensed by ICDs to induce or prevent therapy. Recently, researchers managed to gain control of an ICD by exploiting vulnerabilities in the device’s remote monitoring infrastructure; half a million cardiac devices were subsequently
recalled by the FDA. These incidents confirm that vulnerabilities in medical devices exist and present real threats.


This work looks at determining how small amounts of interference with sensed EGM can lead to false therapy decisions under various threat models. One threat model assumes that an adversary has real-time knowledge of sensed EGM as well as details of the classifier used in the device to determine whether therapy should be administered. One part of this project involves investigating whether the attacker may be able to take advantage of features learned by more sophisticated algorithms to relate changes in EGM to the therapy decision.

For this line of work, we used Zeblok computational resources to train a deep learning classifier on simulated EGM data, to learn important and vulnerable features of the waves for therapy decisions. Each therapy decision is made on a 20-beat window of EGM, which involves multiple traces, and diagnoses multiple types of arrhythmias across a variety of underlying heart conditions. Training a classifier to mimic specific ICD algorithms requires a large amount of data and computational resources. 

Data Used

The data used for this task was generated via a timed-automata model of a well-studied electrical conduction system of the heart. 11402 samples of 30-second recordings were obtained for a variety of heart conditions, and the total dataset was 8.0GB. 


Multiple neural network architectures were explored for this task, including a Physionet challenge architecture, an LSTM, and a time-delayed neural network. Ground-truth labels were taken from the results of the current ICD algorithm,


The first architecture was a 13-layer convolutional neural network won the 2017 Physionet challenge for classifying arrhythmia (binary classification) on similar biosignals -- electrocardiograms. This deep learning classifier was able to classify arrhythmia to a higher accuracy than existing simpler algorithms, which tend to rely on time domain features of the waves. However, related work has shown how this particular system is vulnerable to adversarial manipulations. We aimed to investigate whether these adversarial perturbations would carry over to the original ICD algorithm. We brought a similar mindset to the other 2 architectures -- standard models used on sequence data where time-domain features play an important role.


PyTorch was chosen for implementation, and the 2 GPUs were utilized via PyTorch’s tools for data parallelization. The Jupyter Lab environment made it convenient to visualize the 20-beat windows of signals, to determine appropriate padding and truncation.


The following figure is an example of how a short-lived interference to the EGM traces can cause false classification:

While much of this work is still in progress, the following table reports preliminary F1 test scores for each of the 3 network architectures. Future work may involve looking into reversible transformations (time-frequency transformations).

ICD attacks table.JPG
ICD attack use case.JPG

Zeblok AI- Platform resources used:


  • Multiple containers to support multi-GPU, multi-CPU compute engines

  • 2 RTX6000s GPUs

  • 4 vCPU

  • 16GB RAM

  • 50GB Block Store