arxiv: 2606.11535 · v1 · pith:YPUOHVLMnew · submitted 2026-06-10 · 💻 cs.RO

Adversarial Attacks on Learned Policies for Surgical Robotic Tasks

Pith reviewed 2026-06-27 10:05 UTC · model grok-4.3

classification 💻 cs.RO
keywords adversarial attacks · surgical robotics · learned policies · visual perturbations · robot-assisted surgery · debridement · suturing · photometric attacks

The pith

Adversarial visual perturbations can reduce success rates of learned surgical robot policies by 61 percent on average.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tests whether end-to-end learned policies for robot-assisted surgery are vulnerable to attacks on their visual inputs. It develops disruptive attacks that interrupt task execution and steering attacks that redirect actions, along with three methods that use increasing amounts of policy information. These are evaluated on debridement and suturing subtasks across ACT, Diffusion Policy, and Pi0 architectures, including a new photometric attack type that creates changes resembling natural lighting variations. Physical experiments on phantoms show the attacks cause an average 61 percent drop in subtask success rates.

Core claim

State-of-the-art policies for surgical subtasks can be significantly disrupted by adversarial visual perturbations, resulting in an average 61% reduction in surgical subtask success rates, as shown across 560 physical experiments on phantoms for debridement and suturing.

What carries the argument

Disruptive and steering adversarial attack formulations applied to visual observations of end-to-end robotic policies, including photometric perturbations designed to appear natural.

If this is right

  • Policies for debridement and suturing subtasks become unreliable under targeted visual perturbations.
  • Three attack methods demonstrate effectiveness even with limited policy access.
  • Photometric attacks generate plausible perturbations that still cause policy failures.
  • The vulnerability holds across ACT, Diffusion Policy, and Pi0 architectures.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Policy training for surgical robots may need to incorporate robustness against visual changes to maintain reliability.
  • Similar attack surfaces could appear in other vision-based medical robotic tasks beyond the two subtasks tested.
  • Further tests in varied real-world conditions would clarify how much the phantom results translate to clinical use.

Load-bearing premise

The tested visual perturbations and threat models accurately represent realistic attack surfaces in actual operating rooms.

What would settle it

An experiment applying the same attack methods in real operating room conditions with variable lighting, camera angles, and human oversight that shows no significant drop in success rates.

Figures

Figures reproduced from arXiv: 2606.11535 by Florian T. Pokorny, Ken Goldberg, Paavan Gupta, Preethi Satish, Shutong Jin, Ziyang Chen.

Figure 1: Illustration of an adversarial attack on a suturing subtask. Left: expected execution with
Figure 2: Illustration of the adversarial attack pipeline. During an ongoing surgery at timestep
Figure 3: Illustration of TPA steering attacks on (a) debridement and (b) suturing subtasks. For
Figure 4: Cross-policy and cross-task transfer results for UAP and TPA. Each bar group reports

Original abstract

Learning-based policies are being considered to augment the dexterity of human surgeons in robot-assisted surgery. Can the end-to-end mapping from visual observations to robot actions be vulnerable to adversarial attacks, potentially leading to patient injury? In this paper, we present the first study of adversarial threats to learning-based policies in surgical robotics. We investigate two threat modes: (a) disruptive attacks, where imperceptible visual perturbations interrupt policy execution, and (b) steering attacks, where such perturbations steer policy actions toward attacker-specified directions. We formulate three adversarial attack methods, each with increasing access to policy information, and evaluate their impact on two surgical subtasks: debridement and suturing. Our evaluation covers three end-to-end policy architectures: ACT, Diffusion Policy, and Pi0. In addition, we introduce a new class of photometric adversarial attacks that mimic natural visual changes, such as lighting variations, to generate effective yet visually plausible perturbations. Results from 560 physical experiments using phantoms for debridement and suturing suggest that state-of-the-art policies can be significantly disrupted, resulting in an average 61% reduction in surgical subtask success rates. Project page: https://sites.google.com/view/adversary-surgery

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 3 minor

Summary. The manuscript presents the first empirical study of adversarial attacks on end-to-end learned policies for surgical robotic subtasks. It defines disruptive and steering attack modes, formulates three attack methods with graded policy access (including a new photometric class mimicking natural lighting changes), evaluates them on debridement and suturing using ACT, Diffusion Policy, and Pi0 architectures, and reports results from 560 physical phantom experiments showing an average 61% reduction in subtask success rates.

Significance. If the quantitative results hold under the stated threat models, the work is significant as the first physical demonstration of vulnerability in learning-based surgical policies. The scale of the evaluation (560 experiments across multiple architectures and attack formulations) and the introduction of photometric attacks provide concrete, reproducible evidence that strengthens the central claim of disruption. This has clear implications for safety considerations in deploying such policies.

major comments (2)
  1. [§5] §5 (Experimental Results) and associated tables: The reported 61% average success-rate reduction is presented without per-condition standard deviations, confidence intervals, or statistical significance tests (e.g., paired t-tests or Wilcoxon tests across the 560 trials). This information is load-bearing for the claim that policies are 'significantly disrupted,' as the raw averages alone do not establish that the observed reductions exceed experimental variability in the phantom setup.
  2. [§4.2] §4.2 (Attack Formulations): The optimization procedures for generating the three attack methods are described at a high level but lack explicit pseudocode, hyperparameter values, or convergence criteria. Because the central quantitative claim depends on these attacks producing the observed 61% reduction, the absence of these details prevents independent verification of the reported effect sizes.
minor comments (3)
  1. [Figure 4] Figure 4: The legend does not clearly distinguish the three policy architectures from the three attack access levels; adding a separate panel or explicit labels would improve readability.
  2. [§3.1] §3.1: The definition of 'success rate' for the suturing subtask is given only in prose; an explicit equation or decision rule (e.g., threshold on needle placement error) would remove ambiguity.
  3. [Related Work] Related Work section: The citation to prior adversarial work in robotics omits the 2023 survey on physical adversarial attacks; adding it would better situate the photometric attack contribution.

Simulated Author's Rebuttal

2 responses · 0 unresolved

Thank you for the constructive feedback and for recognizing the significance of the first physical evaluation of adversarial attacks on surgical policies. We address each major comment below and commit to revisions that improve statistical rigor and reproducibility without altering the core claims or experimental design.

Point-by-point responses
  1. Referee: [§5] §5 (Experimental Results) and associated tables: The reported 61% average success-rate reduction is presented without per-condition standard deviations, confidence intervals, or statistical significance tests (e.g., paired t-tests or Wilcoxon tests across the 560 trials). This information is load-bearing for the claim that policies are 'significantly disrupted,' as the raw averages alone do not establish that the observed reductions exceed experimental variability in the phantom setup.

    Authors: We agree that the absence of variability measures and formal statistical tests weakens the presentation of the 61% average reduction. The manuscript currently reports only aggregate success rates from the 560 phantom trials. In the revised version we will add per-condition standard deviations and confidence intervals, and we will include paired t-tests (or Wilcoxon signed-rank tests where normality assumptions fail) to establish that the observed reductions are statistically significant relative to experimental variability.

    revision: yes

  2. Referee: [§4.2] §4.2 (Attack Formulations): The optimization procedures for generating the three attack methods are described at a high level but lack explicit pseudocode, hyperparameter values, or convergence criteria. Because the central quantitative claim depends on these attacks producing the observed 61% reduction, the absence of these details prevents independent verification of the reported effect sizes.

    Authors: We acknowledge that the optimization procedures for the three attack formulations are presented at a high level. To enable independent reproduction of the reported effect sizes, the revised manuscript will include explicit pseudocode for each attack method, the exact hyperparameter values used in the physical experiments, and the convergence criteria applied during optimization.

    revision: yes

Circularity Check

0 steps flagged

No significant circularity: empirical evaluation only

full rationale

The paper reports results from 560 physical phantom experiments measuring policy success rates under visual perturbations for debridement and suturing tasks across three architectures. No derivation chain, fitted parameters, or self-citation load-bearing steps are present; the 61% average reduction claim is a direct empirical aggregate of measured outcomes rather than a constructed prediction or renamed input. The work is self-contained against external benchmarks with no reduction of results to prior fitted quantities or author-specific uniqueness theorems.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Empirical study with no mathematical derivations, free parameters, or new postulated entities; relies on standard experimental assumptions in robotics.

