Optimism in the Face of Adversity: Understanding and Improving Deep Learning Through Adversarial Robustness

Ortiz-Jiménez, Guillermo; Modas, Apostolos; Moosavi-Dezfooli, Seyed-Mohsen; Frossard, Pascal

doi:10.1109/jproc.2021.3050042

Cited by 42 publications

(22 citation statements)

References 78 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Hence, f θ is expected to learn more task-relevant features with AT. While AT was originally designed to increase the robustness of deep networks to adversarial perturbations [19,20], it has also contributed to other tasks [27]. Recently, it was shown that AT in the source domain can improve transfer learning [14,15]: adversarially trained models from a source domain can help improving the accuracy on the target task after fine-tuning, despite performing worse, in terms of task accuracy, on the source domain.…”

Section: Target Task and Training Strategiesmentioning

confidence: 99%

Improving Filling Level Classification with Adversarial Training

Modas

Xompero

Sánchez-Matilla

et al. 2021

2021 IEEE International Conference on Image Processing (ICIP)

Self Cite

View full text Add to dashboard Cite

We investigate the problem of classifying -from a single imagethe level of content in a cup or a drinking glass. This problem is made challenging by several ambiguities caused by transparencies, shape variations and partial occlusions, and by the availability of only small training datasets. In this paper, we tackle this problem with an appropriate strategy for transfer learning. Specifically, we use adversarial training in a generic source dataset and then refine the training with a task-specific dataset. We also discuss and experimentally evaluate several training strategies and their combination on a range of container types of the CORSMAL Containers Manipulation dataset. We show that transfer learning with adversarial training in the source domain consistently improves the classification accuracy on the test set and limits the overfitting of the classifier to specific features of the training data.

show abstract

Section: Target Task and Training Strategiesmentioning

confidence: 99%

Improving Filling Level Classification with Adversarial Training

Modas

Xompero

Sánchez-Matilla

et al. 2021

2021 IEEE International Conference on Image Processing (ICIP)

Self Cite

View full text Add to dashboard Cite

show abstract

“…However, the practical application of DNNs to disease diagnosis may still be debatable owing to the existence of adversarial examples [8][9][10] ; these are input images that are typically generated by adding specific, imperceptible perturbations to the original input images, leading to DNN misclassification. Given that diagnosing disease involves making highstake decisions, the existence of adversarial examples is a security concern 11 .…”

Section: Introductionmentioning

confidence: 99%

“…A simple solution to avoid adversarial attacks is to render training data and any other similar domain-specific data (e.g., medical images in the case of medical image classification) publicly unavailable because various methods of adversarial attacks [8][9][10] (from attack methods that assume access to DNN model weights to those that do not) generally assume the use of such data to generate adversarial perturbations. Given that the data availability of medical images is generally limited in terms of security and privacy preservation 11 , adversarial attacks on DNN-based medical image classifications seem to be limited.…”

Section: Introductionmentioning

confidence: 99%

Natural Images Allow Universal Adversarial Attacks on Medical Image Classification Using Deep Neural Networks with Transfer Learning

Minagi

Hirano

Takemoto

2021

Preprint

View full text Add to dashboard Cite

Transfer learning from natural images is well used in deep neural networks (DNNs) for medical image classification to achieve computer-aided clinical diagnosis. Although the adversarial vulnerability of DNNs hinders practical applications owing to the high stakes of diagnosis, adversarial attacks are expected to be limited because training data — which are often required for adversarial attacks — are generally unavailable in terms of security and privacy preservation. Nevertheless, we hypothesized that adversarial attacks are also possible using natural images because pre-trained models do not change significantly after fine-tuning. We focused on three representative DNN-based medical image classification tasks (i.e., skin cancer, referable diabetic retinopathy, and pneumonia classifications) and investigated whether medical DNN models with transfer learning are vulnerable to universal adversarial perturbations (UAPs), generated using natural images. UAPs from natural images are useful for both non-targeted and targeted attacks. The performance of UAPs from natural images was significantly higher than that of random controls, although slightly lower than that of UAPs from training images. Vulnerability to UAPs from natural images was observed between different natural image datasets and between different model architectures. The use of transfer learning causes a security hole, which decreases the reliability and safety of computer-based disease diagnosis. Model training from random initialization (without transfer learning) reduced the performance of UAPs from natural images; however, it did not completely avoid vulnerability to UAPs. The vulnerability of UAPs from natural images will become a remarkable security threat.

show abstract

“…However, the practical application of DNNs to disease diagnosis may still be debatable owing to the existence of adversarial examples [8][9][10]; these are input images that are typically generated by adding specific, imperceptible perturbations to the original input images, leading to DNN misclassification. Given that diagnosing disease involves making high-stake decisions, the existence of adversarial examples is a security concern [11].…”

Section: Introductionmentioning

confidence: 99%

Natural Images Allow Universal Adversarial Attacks on Medical Image Classification Using Deep Neural Networks With Transfer Learning

Minagi

Hirano

Takemoto

2021

Preprint

View full text Add to dashboard Cite

Background. Transfer learning from natural images is well used in deep neural networks (DNNs) for medical image classification to achieve computer-aided clinical diagnosis. Although the adversarial vulnerability of DNNs hinders practical applications owing to the high stakes of diagnosis, adversarial attacks are expected to be limited because training data — which are often required for adversarial attacks — are generally unavailable in terms of security and privacy preservation. Nevertheless, we hypothesized that adversarial attacks are also possible using natural images because pre-trained models do not change significantly after fine-tuning.Methods. We considered three representative DNN-based medical image classification tasks (i.e., skin cancer, referable diabetic retinopathy, and pneumonia classifications) to investigate whether medical DNN models with transfer learning are vulnerable to universal adversarial perturbations (UAPs), generated using natural images.Results. UAPs from natural images are useful for both non-targeted and targeted attacks. The performance of UAPs from natural images was significantly higher than that of random controls, although slightly lower than that of UAPs from training images. Vulnerability to UAPs from natural images was observed between different natural image datasets and between different model architectures.Conclusion. The use of transfer learning causes a security hole, which decreases the reliability and safety of computer-based disease diagnosis. Model training from random initialization (without transfer learning) reduced the performance of UAPs from natural images; however, it did not completely avoid vulnerability to UAPs. The vulnerability of UAPs from natural images will become a remarkable security threat.

show abstract

Optimism in the Face of Adversity: Understanding and Improving Deep Learning Through Adversarial Robustness

Cited by 42 publications

References 78 publications

Improving Filling Level Classification with Adversarial Training

Improving Filling Level Classification with Adversarial Training

Natural Images Allow Universal Adversarial Attacks on Medical Image Classification Using Deep Neural Networks with Transfer Learning

Natural Images Allow Universal Adversarial Attacks on Medical Image Classification Using Deep Neural Networks With Transfer Learning

Contact Info

Product

Resources

About