Adversarial Attacks on Learned Policies for Surgical Robotic Tasks
Pith reviewed 2026-06-27 10:05 UTC · model grok-4.3
The pith
Adversarial visual perturbations can reduce success rates of learned surgical robot policies by 61 percent on average.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
State-of-the-art policies for surgical subtasks can be significantly disrupted by adversarial visual perturbations, resulting in an average 61% reduction in surgical subtask success rates, as shown across 560 physical experiments on phantoms for debridement and suturing.
What carries the argument
Disruptive and steering adversarial attack formulations applied to visual observations of end-to-end robotic policies, including photometric perturbations designed to appear natural.
If this is right
- Policies for debridement and suturing subtasks become unreliable under targeted visual perturbations.
- Three attack methods demonstrate effectiveness even with limited policy access.
- Photometric attacks generate plausible perturbations that still cause policy failures.
- The vulnerability holds across ACT, Diffusion Policy, and Pi0 architectures.
Where Pith is reading between the lines
- Policy training for surgical robots may need to incorporate robustness against visual changes to maintain reliability.
- Similar attack surfaces could appear in other vision-based medical robotic tasks beyond the two subtasks tested.
- Further tests in varied real-world conditions would clarify how much the phantom results translate to clinical use.
Load-bearing premise
The tested visual perturbations and threat models accurately represent realistic attack surfaces in actual operating rooms.
What would settle it
An experiment applying the same attack methods in real operating room conditions with variable lighting, camera angles, and human oversight that shows no significant drop in success rates.
Original abstract
Learning-based policies are being considered to augment the dexterity of human surgeons in robot-assisted surgery. Can the end-to-end mapping from visual observations to robot actions be vulnerable to adversarial attacks, potentially leading to patient injury? In this paper, we present the first study of adversarial threats to learning-based policies in surgical robotics. We investigate two threat modes: (a) disruptive attacks, where imperceptible visual perturbations interrupt policy execution, and (b) steering attacks, where such perturbations steer policy actions toward attacker-specified directions. We formulate three adversarial attack methods, each with increasing access to policy information, and evaluate their impact on two surgical subtasks: debridement and suturing. Our evaluation covers three end-to-end policy architectures: ACT, Diffusion Policy, and Pi0. In addition, we introduce a new class of photometric adversarial attacks that mimic natural visual changes, such as lighting variations, to generate effective yet visually plausible perturbations. Results from 560 physical experiments using phantoms for debridement and suturing suggest that state-of-the-art policies can be significantly disrupted, resulting in an average 61% reduction in surgical subtask success rates. Project page: https://sites.google.com/view/adversary-surgery
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript presents the first empirical study of adversarial attacks on end-to-end learned policies for surgical robotic subtasks. It defines disruptive and steering attack modes, formulates three attack methods with graded policy access (including a new photometric class mimicking natural lighting changes), evaluates them on debridement and suturing using ACT, Diffusion Policy, and Pi0 architectures, and reports results from 560 physical phantom experiments showing an average 61% reduction in subtask success rates.
Significance. If the quantitative results hold under the stated threat models, the work is significant as the first physical demonstration of vulnerability in learning-based surgical policies. The scale of the evaluation (560 experiments across multiple architectures and attack formulations) and the introduction of photometric attacks provide concrete, reproducible evidence that strengthens the central claim of disruption. This has clear implications for safety considerations in deploying such policies.
major comments (2)
- [§5] §5 (Experimental Results) and associated tables: The reported 61% average success-rate reduction is presented without per-condition standard deviations, confidence intervals, or statistical significance tests (e.g., paired t-tests or Wilcoxon tests across the 560 trials). This information is load-bearing for the claim that policies are 'significantly disrupted,' as the raw averages alone do not establish that the observed reductions exceed experimental variability in the phantom setup.
- [§4.2] §4.2 (Attack Formulations): The optimization procedures for generating the three attack methods are described at a high level but lack explicit pseudocode, hyperparameter values, or convergence criteria. Because the central quantitative claim depends on these attacks producing the observed 61% reduction, the absence of these details prevents independent verification of the reported effect sizes.
minor comments (3)
- [Figure 4] Figure 4: The legend does not clearly distinguish the three policy architectures from the three attack access levels; adding a separate panel or explicit labels would improve readability.
- [§3.1] §3.1: The definition of 'success rate' for the suturing subtask is given only in prose; an explicit equation or decision rule (e.g., threshold on needle placement error) would remove ambiguity.
- [Related Work] Related Work section: The citation to prior adversarial work in robotics omits the 2023 survey on physical adversarial attacks; adding it would better situate the photometric attack contribution.
Simulated Author's Rebuttal
Thank you for the constructive feedback and for recognizing the significance of the first physical evaluation of adversarial attacks on surgical policies. We address each major comment below and commit to revisions that improve statistical rigor and reproducibility without altering the core claims or experimental design.
- Referee: [§5] §5 (Experimental Results) and associated tables: The reported 61% average success-rate reduction is presented without per-condition standard deviations, confidence intervals, or statistical significance tests (e.g., paired t-tests or Wilcoxon tests across the 560 trials). This information is load-bearing for the claim that policies are 'significantly disrupted,' as the raw averages alone do not establish that the observed reductions exceed experimental variability in the phantom setup.
  Authors: We agree that the absence of variability measures and formal statistical tests weakens the presentation of the 61% average reduction. The manuscript currently reports only aggregate success rates from the 560 phantom trials. In the revised version we will add per-condition standard deviations and confidence intervals, and we will include paired t-tests (or Wilcoxon signed-rank tests where normality assumptions fail) to establish that the observed reductions are statistically significant relative to experimental variability.
  Revision: yes
- Referee: [§4.2] §4.2 (Attack Formulations): The optimization procedures for generating the three attack methods are described at a high level but lack explicit pseudocode, hyperparameter values, or convergence criteria. Because the central quantitative claim depends on these attacks producing the observed 61% reduction, the absence of these details prevents independent verification of the reported effect sizes.
  Authors: We acknowledge that the optimization procedures for the three attack formulations are presented at a high level. To enable independent reproduction of the reported effect sizes, the revised manuscript will include explicit pseudocode for each attack method, the exact hyperparameter values used in the physical experiments, and the convergence criteria applied during optimization.
  Revision: yes
Circularity Check
No significant circularity: empirical evaluation only
The paper reports results from 560 physical phantom experiments measuring policy success rates under visual perturbations for debridement and suturing tasks across three architectures. No derivation chain, fitted parameters, or self-citation load-bearing steps are present; the 61% average reduction claim is a direct empirical aggregate of measured outcomes rather than a constructed prediction or renamed input. The work is self-contained against external benchmarks with no reduction of results to prior fitted quantities or author-specific uniqueness theorems.