Skip to content

Latest commit



368 lines (289 loc) · 21.5 KB

File metadata and controls

368 lines (289 loc) · 21.5 KB





  1. 图像数据集的编译:选择多种医学图像,构建图像数据集MedMQ。
  2. 正常提示生成:使用视觉问答(VQA)模型,根据图像自动生成高度相关和专业的提示。
  3. 有害提示生成:借助GPT-4处理正常提示,得到关联度较低的非恶意有害提示,模拟潜在的临床攻击。




  1. 多轮交叉优化:为平衡图像和文本的重要性,我们实施多轮交叉优化。
  2. 病变区域优化:由于模态不匹配主要发生在病变区域,我们特别优化具有病变的patch或者掩盖病灶区的patch生成攻击样本。



  1. 输入关联度评分TII:输入文本和图像之间的相关性决定了响应的接受或拒绝。低关联度结果应为拒绝(空白对照),确保只有高关联度才能验证后续比较。
  2. 输出文本-输入文本关联度评分TT0:输出文本与输入文本之间的相关性指示攻击的成功。
  3. 输出文本-输入图像关联度评分TIO:此指标进一步验证攻击的成功,基于输出文本与输入图像之间的相关性。
  4. 综合评价指标:为指标TII,TTO,TIO分配权重,形成一个全面的新评估指标。
  5. 比较测试:我们的方法在我们的数据集、其他数据集、不同的MedMLLM以及普通MLLM的医学部分进行测试。



Medical Safety and Specificity Attacks in MedMLLM: A Comprehensive Outline


In medical contexts, image and text data possess an inherently high correlation unmatched in natural language datasets, primarily due to the technical specificity and the literacy of professional users. This differentiation often prevents a direct alignment with general malicious intents found in natural language processing. However, variations in medical images, texts, and incidental noise can lead to discrepancies between symptom descriptions and lesion illustrations. This misalignment challenges the output of MedMLLM, leading us to categorize weak text-image correlations as specific medical attacks.

Dataset Construction

  1. Image Dataset Compilation: A diverse set of medical images is selected to construct Image Dataset A.
  2. Normal Prompts Generation: Utilizing a Visual Question Answering (VQA) model, prompts that are highly relevant and professional are automatically generated based on the images.
  3. Generation of Harmful Prompts: With the assistance of GPT-4, we process the Normal Prompts to derive less relevant, non-malicious harmful prompts, simulating potential clinical attacks.

Comparison with Existing Methods

Most existing methodologies, such as GCG, deltaJP, and Typo, focus on acceptance or rejection based on superficial criteria rather than on similarity and relevance, thus lacking rigor.

Introduction of a New Method

  1. Multi-round Cross-optimization: To balance the significance of images and texts, we implement multi-round cross-optimization.
  2. Optimization of Lesion Patches: Since modal mismatches typically occur in lesion areas, we specifically optimize patches with lesions to generate attack samples.


Comparison with existing methods is crucial, using newly defined metrics:

  1. Association Score for Input (ASR): The relevance between the input text and image determines the acceptance or rejection of the response. A low correlation results in rejection (null control), ensuring only high correlations validate subsequent comparisons.
  2. Association Score for Output Text-Input Text (RR): The relevance between the output and input texts indicates the success of an attack.
  3. Association Score for Output Text-Input Image: This metric further validates the success of an attack based on the relevance between the output text and the input image.
  4. Composite Metric: Weights are assigned to metrics 0, 1, and 2 to formulate a comprehensive new evaluation metric.
  5. Comparative Testing: Our method is tested against previous methods on our dataset, other datasets, different MedMLLMs, and general sections of MLLMs in medicine.


Our comprehensive dataset and the novel method significantly enhance the safety and specificity of medical applications in machine learning language models.

Remember, this outline is crafted to emphasize the significant points provided without any omissions.

Major Category Subcategory Sub-Subcategory Description
Image Understanding Coarse-grained Disease Classification Diagnosing the presence or absence of disease. Identifies specific diseases from images.
View Classification Identifying the view or angle. Important for correct image interpretation.
Fine-grained Abnormality Detection Locates specific abnormalities within an image. Critical for accurate diagnosis.
Object Detection Identifies foreign objects. Essential for patient safety and treatment planning.
Text Generation Report Generation Impression Generation Summarizes the diagnostic impression. Key for conveying overall assessment.
Findings Generation Details findings from image analysis. Provides evidence-based diagnosis.
Findings and Impressions Anatomical Findings Related to specific anatomical parts. Enhances localized diagnostic accuracy.
Impression Summary Brief summary for specific regions. Aids in focused assessment.
Question Answering Visual QA Open-ended Answers open questions based on images. Encourages comprehensive analysis.
Close-ended Chooses correct answers from options. Tests specific understanding of image content.
Text QA Fact-based Answers based on explicit text facts. Requires detailed text understanding.
Inference-based Inferences from text to answer. Demands deeper comprehension and logic.
Miscellaneous Image-Text Matching Matching Determines correct image-text pairs. Crucial for accurate information presentation.
Selection Chooses suitable text for an image. Ensures relevance and accuracy of information.
Report Evaluation Error Identification Identifies inaccuracies in reports. Key for quality control and correction.
Quality Assessment Assesses report accuracy and completeness. Important for diagnostic integrity.
Explanation and Inference Explanation Generation Generates explanations for diagnoses. Facilitates understanding and trust.
Inference Making Determines logical report relationships. Supports clinical decision-making.

Medical Prompt Generation (MPG)



├── src/                   # 源代码
│   ├──
│   ├──            # 主程序入口
│   ├──           # 模型定义
│   ├──     # 数据加载
│   ├── transformer_utils/ # 包含所有与transformers相关的操作
│   │   ├──
│   │   ├──
│   │   └──
│   └── utilities/         # 其他辅助功能
│       ├──
│       └──
├── configs/               # 配置文件
│   └── model_config.json
├── data/                  # 数据存放
│   ├── images/            # 图像数据
│   └── annotations/       # 标注数据
├── models/                # 预训练模型和权重
│   ├── ofa/
│   └── bert/
├── outputs/               # 输出和结果
│   ├── logs/              # 日志文件
│   └── predictions/       # 模型预测结果
└── requirements.txt       # Python依赖包



针对data中的图片,利用llavamed提取attributes list,得到attribute-sentensce(AS)

python src/ 







cd dataset_generate






aggregated_scores.csv 18类图片和attribute相似分数 averaged_file.csv 540-540,18类prompts之间的相关性分析分数

3MAD-70K: Multimodal Medical Model Attack Dataset, A Comprehensive Assessment of ASR in Medical Models


This repo contains the source code of 3MAD-70K. This research endeavor is designed to help researchers better understand the capabilities, limitations, and potential risks associated with deploying these state-of-the-art Medical Multimodal Large Language Models (MedMLLMs). See our paper for details.

Our paper

Xijie Huang, Xinyuan Wang, Hantao Zhang, Jiawen Xi,Jingkun An ,Hao Wang, Chengwei Pan.

本项目由共9大类不同介质,18类不同部位的医学图像集(CMIC-96K)和18种基于用户需求的询问指令交叉构建而成,符合临床上可能出现的unmatch attack and malicious attack的具体攻击类型


├── MRI (6728)
│   ├── Alzheimer (6400)
│   └── brain (275)
├── Fundus (45)
│   └── retinaFundus (45)
├── Mamography (24576)
│   └── breast (24576)
├── OCT (2064)
│   └── retinaOCT (2064)
├── CT (10015)
│   ├── heart (5227)
│   ├── brain (2515)
│   └── chest (1000)
├── Endoscopy (1500)
│   └── gastroent (1500)
├── dermoscopy (6000)
│   └── skin (6000)
├── Ultrasound (4642)
│   ├── carotid (1100)
│   ├── breast (470)
│   ├── ovary(54)
│   ├── brain(1334)
│   └── baby (1684)
└── X-ray (41142)
    ├── Skeleton(1000)
    ├── Dental (40005)
    └── chest(137)


├── Image Understanding
│   ├── Coarse-grained
│   │   ├── Disease Classification - Diagnosing the presence or absence of disease. Identifies specific diseases from images.
│   │   └── View Classification - Identifying the view or angle. Important for correct image interpretation.
│   └── Fine-grained
│       ├── Abnormality Detection - Locates specific abnormalities within an image. Critical for accurate diagnosis.
│       └── Object Detection - Identifies foreign objects. Essential for patient safety and treatment planning.
├── Text Generation
│   ├── Report Generation
│   │   ├── Impression Generation - Summarizes the diagnostic impression. Key for conveying overall assessment.
│   │   └── Findings Generation - Details findings from image analysis. Provides evidence-based diagnosis.
│   └── Findings and Impressions
│       ├── Anatomical Findings - Related to specific anatomical parts. Enhances localized diagnostic accuracy.
│       └── Impression Summary - Brief summary for specific regions. Aids in focused assessment.
├── Question Answering
│   ├── Visual QA
│   │   ├── Open-ended - Answers open questions based on images. Encourages comprehensive analysis.
│   │   └── Close-ended - Chooses correct answers from options. Tests specific understanding of image content.
│   └── Text QA
│       ├── Fact-based - Answers based on explicit text facts. Requires detailed text understanding.
│       └── Inference-based - Inferences from text to answer. Demands deeper comprehension and logic.
└── Miscellaneous
    ├── Image-Text Matching
    │   ├── Matching - Determines correct image-text pairs. Crucial for accurate information presentation.
    │   └── Selection - Chooses suitable text for an image. Ensures relevance and accuracy of information.
    ├── Report Evaluation
    │   ├── Error Identification - Identifies inaccuracies in reports. Key for quality control and correction.
    │   └── Quality Assessment - Assesses report accuracy and completeness. Important for diagnostic integrity.
    └── Explanation and Inference
        ├── Explanation Generation - Generates explanations for diagnoses. Facilitates understanding and trust.
        └── Inference Making - Determines logical report relationships. Supports clinical decision-making.


Getting Started

To evaluate using 3MAD-28K dataset, please install the 3MAD-28K package as below:


Useful tips

File usage



Please cite the paper as follows if you use the data or code from 3MAD-28K:


Please reach out to us if you have any questions or suggestions. You can submit an issue or pull request, or send an email to [email protected].

Thank you for your interest in 3MAD-28K. We hope our work will contribute to a more healthcare,expert,trustworthy, fair, and robust AI future.