Universal adversarial attacks on deep neural networks for medical image classification

Hirano, Hokuto; Minagi, Akinori; Takemoto, Kazuhiro

doi:10.1186/s12880-020-00530-y

Cited by 110 publications

(79 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Additionally, the authors from the study [68] demonstrated that pre-trained models increase the adversarial transferability and inequality of data/model decreases attack's efficacy. On the other hand, Hirano et al [95] discovered that the transferability rate is low on non-targeted attacks. Also, two interesting observations have been done by Kovalev et al [89].…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

A Survey on Adversarial Deep Learning Robustness in Medical Image Analysis

Apostolidis

Papakostas

2021

Electronics

View full text Add to dashboard Cite

In the past years, deep neural networks (DNN) have become popular in many disciplines such as computer vision (CV), natural language processing (NLP), etc. The evolution of hardware has helped researchers to develop many powerful Deep Learning (DL) models to face numerous challenging problems. One of the most important challenges in the CV area is Medical Image Analysis in which DL models process medical images—such as magnetic resonance imaging (MRI), X-ray, computed tomography (CT), etc.—using convolutional neural networks (CNN) for diagnosis or detection of several diseases. The proper function of these models can significantly upgrade the health systems. However, recent studies have shown that CNN models are vulnerable under adversarial attacks with imperceptible perturbations. In this paper, we summarize existing methods for adversarial attacks, detections and defenses on medical imaging. Finally, we show that many attacks, which are undetectable by the human eye, can degrade the performance of the models, significantly. Nevertheless, some effective defense and attack detection methods keep the models safe to an extent. We end with a discussion on the current state-of-the-art and future challenges.

show abstract

Section: Discussionmentioning

confidence: 99%

“…Hirano et al [95] investigated universal adversarial attacks on DNNs for skin cancer diabetic retinopathy and pneumonia classification. They experimented in both targeted and untargeted attacks with several models such as VGG16, VGG19, InceptionResNetV2, DenseNet169, DenseNet121, and ResNet50.…”

Section: Existing Adversarial Attacks On Medical Imagesmentioning

confidence: 99%

A Survey on Adversarial Deep Learning Robustness in Medical Image Analysis

Apostolidis

Papakostas

2021

Electronics

View full text Add to dashboard Cite

show abstract

“…In some studies, adversarial training improved DL model robustness for multiple medical imaging modalities like lung CT and retinal optical coherence tomography (37,39,40). On the other hand, Hirano et al found that adversarial training generally did not increase model robustness for classifying dermatoscopic images, optical coherence tomography images, and chest X-ray images (41). The difference in effectiveness of adversarial training can be attributed to differences in adversarial training protocols (e.g., single-step vs. iterative approaches).…”

Section: Discussionmentioning

confidence: 99%

Using Adversarial Images to Assess the Stability of Deep Learning Models Trained on Diagnostic Images in Oncology

Joel

Umrao

Chang

et al. 2021

Preprint

View full text Add to dashboard Cite

BackgroundDeep learning (DL) models have shown the ability to automate the classification of medical images used for cancer detection. Unfortunately, recent studies have found that DL models are vulnerable to adversarial attacks which manipulate models into making incorrect predictions with high confidence. There is a need for better understanding of how adversarial attacks impact the predictive ability of DL models in the medical image domain.MethodsWe studied the adversarial attack susceptibility of DL models for three common imaging tasks within oncology. We investigated how PGD adversarial training could be employed to increase model robustness against FGSM, PGD, and BIM attacks. Finally, we studied the utility of adversarial sensitivity as a metric to improve model performance.ResultsOur experiments showed that medical DL models were highly sensitive to adversarial attacks, as visually imperceptible degrees of perturbation (<0.004) were sufficient to deceive the model the majority of the time. DL models for medical images were more vulnerable to adversarial attacks compared to DL models for non-medical images. Adversarial training increased model performance on adversarial samples for all classification tasks. We were able to increase model accuracy on clean images for all datasets by excluding images most vulnerable to adversarial perturbation.ConclusionOur results indicated that while medical DL systems are extremely susceptible to adversarial attacks, adversarial training show promise as an effective defense against attacks. Adversarial susceptibility of individual images can be used to increase model performance by identifying images most at-risk for misclassification. Our findings provide a useful basis for designing more robust and accurate medical DL models as well as techniques to defend models from adversarial attack.

show abstract

“…Universal perturbations attacks (UPA), which used iterative algorithms for targeted and non-targeted attacks, were proposed by [56], and achieved 80% accuracy in classification. Reference [57] presented two lightweight techniques, which used local perturbation and universal attacks.…”

Section: Related Workmentioning

confidence: 99%

Adversarial Attack and Defence through Adversarial Training and Feature Fusion for Diabetic Retinopathy Recognition

Lal

Rehman

Shah

et al. 2021

Sensors

View full text Add to dashboard Cite

Due to the rapid growth in artificial intelligence (AI) and deep learning (DL) approaches, the security and robustness of the deployed algorithms need to be guaranteed. The security susceptibility of the DL algorithms to adversarial examples has been widely acknowledged. The artificially created examples will lead to different instances negatively identified by the DL models that are humanly considered benign. Practical application in actual physical scenarios with adversarial threats shows their features. Thus, adversarial attacks and defense, including machine learning and its reliability, have drawn growing interest and, in recent years, has been a hot topic of research. We introduce a framework that provides a defensive model against the adversarial speckle-noise attack, the adversarial training, and a feature fusion strategy, which preserves the classification with correct labelling. We evaluate and analyze the adversarial attacks and defenses on the retinal fundus images for the Diabetic Retinopathy recognition problem, which is considered a state-of-the-art endeavor. Results obtained on the retinal fundus images, which are prone to adversarial attacks, are 99% accurate and prove that the proposed defensive model is robust.

show abstract

Universal adversarial attacks on deep neural networks for medical image classification

Cited by 110 publications

References 25 publications

A Survey on Adversarial Deep Learning Robustness in Medical Image Analysis

A Survey on Adversarial Deep Learning Robustness in Medical Image Analysis

Using Adversarial Images to Assess the Stability of Deep Learning Models Trained on Diagnostic Images in Oncology

Adversarial Attack and Defence through Adversarial Training and Feature Fusion for Diabetic Retinopathy Recognition

Contact Info

Product

Resources

About