Gege Qi,Lijun Gong,Yibing Song,Kai Ma,Yefeng Zheng

DOI: https://doi.org/10.48550/arXiv.2103.05232

2021-03-09

Computer Vision and Pattern Recognition

Abstract:Convolutional Neural Networks (CNNs) have advanced existing medical systems for automatic disease diagnosis. However, a threat to these systems arises that adversarial attacks make CNNs vulnerable. Inaccurate diagnosis results make a negative influence on human healthcare. There is a need to investigate potential adversarial attacks to robustify deep medical diagnosis systems. On the other side, there are several modalities of medical images (e.g., CT, fundus, and endoscopic image) of which each type is significantly different from others. It is more challenging to generate adversarial perturbations for different types of medical images. In this paper, we propose an image-based medical adversarial attack method to consistently produce adversarial perturbations on medical images. The objective function of our method consists of a loss deviation term and a loss stabilization term. The loss deviation term increases the divergence between the CNN prediction of an adversarial example and its ground truth label. Meanwhile, the loss stabilization term ensures similar CNN predictions of this example and its smoothed input. From the perspective of the whole iterations for perturbation generation, the proposed loss stabilization term exhaustively searches the perturbation space to smooth the single spot for local optimum escape. We further analyze the KL-divergence of the proposed loss function and find that the loss stabilization term makes the perturbations updated towards a fixed objective spot while deviating from the ground truth. This stabilization ensures the proposed medical attack effective for different types of medical images while producing perturbations in small variance. Experiments on several medical image analysis benchmarks including the recent COVID-19 dataset show the stability of the proposed method.

Fang Chen,Jian Wang,Han Liu,Wentao Kong,Zhe Zhao,Longfei Ma,Hongen Liao,Daoqiang Zhang

DOI: https://doi.org/10.1016/j.compbiomed.2023.107248

IF: 7.7

2023-01-01

Computers in Biology and Medicine

Abstract:The security of AI systems has gained significant attention in recent years, particularly in the medical diagnosis field. To develop a secure medical image classification system based on deep neural networks, it is crucial to design effective adversarial attacks that can embed hidden, malicious behaviors into the system. However, designing a unified attack method that can generate imperceptible attack samples with high content similarity and be applied to diverse medical image classification systems is challenging due to the diversity of medical imaging modalities and dimensionalities. Most existing attack methods are designed to attack natural image classification models, which inevitably corrupt the semantics of pixels by applying spatial perturbations. To address this issue, we propose a novel frequency constraint-based adversarial attack method capable of delivering attacks in various medical image classification tasks. Specially, our method introduces a frequency constraint to inject perturbation into high-frequency information while preserving low-frequency information to ensure content similarity. Our experiments include four public medical image datasets, including a 3D CT dataset, a 2D chest X-Ray image dataset, a 2D breast ultrasound dataset, and a 2D thyroid ultrasound dataset, which contain different imaging modalities and dimensionalities. The results demonstrate the superior performance of our model over other state-of-the-art adversarial attack methods for attacking medical image classification tasks on different imaging modalities and dimensionalities.

Zheng Liu,Jinnian Zhang,Varun Jog,Po-Ling Loh,Alan B. McMillan

DOI: https://doi.org/10.1007/s10278-021-00507-5

IF: 4.903

2021-09-20

Journal of Digital Imaging

Abstract:The purpose of this study is to investigate the robustness of a commonly used convolutional neural network for image segmentation with respect to nearly unnoticeable adversarial perturbations, and suggest new methods to make these networks more robust to such perturbations. In this retrospective study, the accuracy of brain tumor segmentation was studied in subjects with low- and high-grade gliomas. Two representative UNets were implemented to segment four different MR series (T1-weighted, post-contrast T1-weighted, T2-weighted, and T2-weighted FLAIR) into four pixelwise labels (Gd-enhancing tumor, peritumoral edema, necrotic and non-enhancing tumor, and background). We developed attack strategies based on the fast gradient sign method (FGSM), iterative FGSM (i-FGSM), and targeted iterative FGSM (ti-FGSM) to produce effective but imperceptible attacks. Additionally, we explored the effectiveness of distillation and adversarial training via data augmentation to counteract these adversarial attacks. Robustness was measured by comparing the Dice coefficients for the attacks using Wilcoxon signed-rank tests. The experimental results show that attacks based on FGSM, i-FGSM, and ti-FGSM were effective in reducing the quality of image segmentation by up to 65% in the Dice coefficient. For attack defenses, distillation performed significantly better than adversarial training approaches. However, all defense approaches performed worse compared to unperturbed test images. Therefore, segmentation networks can be adversely affected by targeted attacks that introduce visually minor (and potentially undetectable) modifications to existing images. With an increasing interest in applying deep learning techniques to medical imaging data, it is important to quantify the ramifications of adversarial inputs (either intentional or unintentional).

radiology, nuclear medicine & medical imaging

Yiran Li,Junpeng Wang,Takanori Fujiwara,Kwan-Liu Ma

DOI: https://doi.org/10.1145/3587470

2023-03-06

Abstract:Adversarial attacks on a convolutional neural network (CNN) -- injecting human-imperceptible perturbations into an input image -- could fool a high-performance CNN into making incorrect predictions. The success of adversarial attacks raises serious concerns about the robustness of CNNs, and prevents them from being used in safety-critical applications, such as medical diagnosis and autonomous driving. Our work introduces a visual analytics approach to understanding adversarial attacks by answering two questions: (1) which neurons are more vulnerable to attacks and (2) which image features do these vulnerable neurons capture during the prediction? For the first question, we introduce multiple perturbation-based measures to break down the attacking magnitude into individual CNN neurons and rank the neurons by their vulnerability levels. For the second, we identify image features (e.g., cat ears) that highly stimulate a user-selected neuron to augment and validate the neuron's responsibility. Furthermore, we support an interactive exploration of a large number of neurons by aiding with hierarchical clustering based on the neurons' roles in the prediction. To this end, a visual analytics system is designed to incorporate visual reasoning for interpreting adversarial attacks. We validate the effectiveness of our system through multiple case studies as well as feedback from domain experts.

Computer Vision and Pattern Recognition,Cryptography and Security,Human-Computer Interaction,Machine Learning

Fei-Fei Xue,Jin Peng,Ruixuan Wang,Qiong Zhang,Wei-Shi Zheng

DOI: https://doi.org/10.1007/978-3-030-32226-7_94

2019-01-01

Abstract:Convolutional neural networks (CNNs) are vulnerable to adversarial noises, which may result in potentially disastrous consequences in safety or security sensitive systems. This paper proposes a novel mechanism to improve the robustness of medical image classification systems by bringing denoising ability to CNN classifiers with a naturally embedded auto-encoder and high-level feature invariance to general noises. This novel denoising mechanism can be adapted to many model architectures, and therefore can be easily combined with existing models and denoising mechanisms to further improve robustness of CNN classifiers. This proposed method has been confirmed by comprehensive evaluations with two medical image classification tasks.

Yinyao Dai,Yaguan Qian,Fang Lu,Bin Wang,Zhaoquan Gu,Wei Wang,Jian Wan,Yanchun Zhang

DOI: https://doi.org/10.1016/j.compbiomed.2023.107251

Abstract:Recent studies have found that medical images are vulnerable to adversarial attacks. However, it is difficult to protect medical imaging systems from adversarial examples in that the lesion features of medical images are more complex with high resolution. Therefore, a simple and effective method is needed to address these issues to improve medical imaging systems' robustness. We find that the attackers generate adversarial perturbations corresponding to the lesion characteristics of different medical image datasets, which can shift the model's attention to other places. In this paper, we propose global attention noise (GATN) injection, including global noise in the example layer and attention noise in the feature layers. Global noise enhances the lesion features of the medical images, thus keeping the examples away from the sharp areas where the model is vulnerable. The attention noise further locally smooths the model from small perturbations. According to the characteristic of medical image datasets, we introduce Global attention lesion-unrelated noise (GATN-UR) for datasets with unclear lesion boundaries and Global attention lesion-related noise (GATN-R) for datasets with clear lesion boundaries. Extensive experiments on ChestX-ray, Dermatology, and Fundoscopy datasets show that GATN improves the robustness of medical diagnosis models against a variety of powerful attacks and significantly outperforms the existing adversarial defense methods. To be specific, the robust accuracy is 86.66% on ChestX-ray, 72.49% on Dermatology, and 90.17% on Fundoscopy under PGD attack. Under the AA attack, it achieves robust accuracy of 87.70% on ChestX-ray, 66.85% on Dermatology, and 87.83% on Fundoscopy.

Zizhou Wang,Xin Shu,Yan Wang,Yangqin Feng,Lei Zhang,Zhang Yi

DOI: https://doi.org/10.1109/tcyb.2022.3209175

IF: 11.8

2022-01-01

IEEE Transactions on Cybernetics

Abstract:Deep neural network has shown a powerful performance in the medical image analysis of a variety of diseases. However, a number of studies over the past few years have demonstrated that these deep learning systems can be vulnerable to well-designed adversarial attacks, with minor disruptions added to the input. Since both the public and academia have focused on deep learning in the health information economy, these adversarial attacks would prove more important and raise security concerns. In this article, adversarial attacks on deep learning systems in medicine are analyzed from two different points of view: 1) white box and 2) black box. A fast adversarial sample generation method, Feature Space-Restricted Attention Attack is proposed to explore more confusing adversarial samples. It is based on a generative adversarial network with bound classification space to generate perturbations to achieve attacks. Meanwhile, it can employ an attention mechanism to focus this perturbation on the lesion region. This enables the perturbation closely associated with the classification information making the attack more efficient and invisible. The performance and specificity of the proposed attack method are demonstrated by conducting extensive experiments on three different types of medical images. Finally, it is expected that this work can assist practitioners become being of current weaknesses in the deployment of deep learning systems in clinical settings. And, it further investigates domain-specific features of medical deep learning systems to enhance model generalization and resistance to attacks.

Puttagunta, Murali Krishna,Ravi, S.,Nelson Kennedy Babu, C

DOI: https://doi.org/10.1007/s11042-023-14702-9

IF: 2.577

2023-03-09

Multimedia Tools and Applications

Abstract:In recent years, significant progress has been achieved using deep neural networks (DNNs) in obtaining human-level performance on various long-standing tasks. With the increased use of DNNs in various applications, public concern over DNNs' trustworthiness has grown. Studies conducted in the last several years have proven that deep learning models are vulnerable to small adversarial perturbations. Adversarial examples are generated from clean images by adding imperceptible perturbations. Adversarial examples are necessary for practical reasons, as they can be physically constructed, implying that DNNs are unsuitable for some image classification applications in their current state. This paper aims to provide an in-depth overview of the numerous adversarial attack strategies and defence methods. The theoretical principles, methods, and applications of adversarial attack strategies are first discussed. After that, a few research attempts on defence techniques covering the field's broad boundary are outlined. Afterwards, this study reviews recently proposed adversarial attack methods to medical deep learning systems and defence techniques against these attacks. The vulnerability of the DL model is evaluated for different medical image modalities using an adversarial attack and defence method. Some unresolved issues and obstacles are highlighted to ignite additional research efforts in this crucial area.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Lun Chen,Lu Zhao,Calvin Yu-Chian Chen

DOI: https://doi.org/10.1002/mp.15208

IF: 4.506

2021-01-01

Medical Physics

Abstract:Purpose Deep learning has achieved impressive performance across a variety of tasks, including medical image processing. However, recent research has shown that deep neural networks (DNNs) are susceptible to small adversarial perturbations in the image, which raise safety concerns about the deployment of these systems in clinical settings. Methods To improve the defense of the medical imaging system against adversarial examples, we propose a new model-based defense framework for medical image DNNs model equipped with pruning and attention mechanism module based on the analysis of the reason why existing medical image DNNs models are vulnerable to attacks from adversarial examples is that complex biological texture of medical imaging and overparameterized medical image DNNs model. Results Three benchmark medical image datasets have verified the effectiveness of our method in improving the robustness of medical image DNNs models. In the chest X-ray datasets, our defending method can even achieve up 77.18% defense rate for projected gradient descent attack and 69.49% defense rate for DeepFool attack. And through ablation experiments on the pruning module and the attention mechanism module, it is verified that the use of pruning and attention mechanism can effectively improve the robustness of the medical image DNNs model. Conclusions Compared with the existing model-based defense methods proposed for natural images, our defense method is more suitable for medical images. Our method can be a general strategy to approach the design of more explainable and secure medical deep learning systems, and can be widely used in various medical image tasks to improve the robustness of medical models.

Linhai Ma,Jiasong Chen,Linchen Qian,Liang Liang

DOI: https://doi.org/10.1117/12.3006534

Abstract:It is known that deep neural networks (DNNs) are vulnerable to adversarial noises. Improving adversarial robustness of DNNs is essential. This is not only because unperceivable adversarial noise is a threat to the performance of DNNs models, but also adversarially robust DNNs have a strong resistance to the white noises that may present everywhere in the actual world. To improve adversarial robustness of DNNs, a variety of adversarial training methods have been proposed. Most of the previous methods are designed under one single application scenario: image classification. However, image segmentation, landmark detection, and object detection are more commonly observed than classifying the entire images in the medical imaging field. Although classification tasks and other tasks (e.g., regression) share some similarities, they also differ in certain ways, e.g., some adversarial training methods use misclassification criteria, which is well-defined in classification but not in regression. These restrictions/limitations hinder application of adversarial training for many medical imaging analysis tasks. In our work, the contributions are as follows: (1) We investigated the existing adversarial training methods and discovered the challenges that make those methods unsuitable for adaptation in segmentation and detection tasks. (2) We modified and adapted some existing adversarial training methods for medical image segmentation and detection tasks. (3) We proposed a general adversarial training method for medical image segmentation and detection. (4) We implemented our method in diverse medical imaging tasks using publicly available datasets, including MRI segmentation, Cephalometric landmark detection, and blood cell detection. The experiments substantiated the effectiveness of our method.

Keshav Kansal,P Sai Krishna,Parshva B Jain,Surya R,Prasad Honnavalli,Sivaraman Eswaran

DOI: https://doi.org/10.1016/j.heliyon.2022.e11209

IF: 3.776

Heliyon

Abstract:Covid-19 has posed a serious threat to the existence of the human race. Early detection of the virus is vital to effectively containing the virus and treating the patients. Profound testing methods such as the Real-time reverse transcription-polymerase chain reaction (RT-PCR) test and the Rapid Antigen Test (RAT) are being used for detection, but they have their limitations. The need for early detection has led researchers to explore other testing techniques. Deep Neural Network (DNN) models have shown high potential in medical image classification and various models have been built by researchers which exhibit high accuracy for the task of Covid-19 detection using chest X-ray images. However, it is proven that DNNs are inherently susceptible to adversarial inputs, which can compromise the results of the models. In this paper, the adversarial robustness of such Covid-19 classifiers is evaluated by performing common adversarial attacks, which include the Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD). Using these attacks, it is found that the accuracy of the models for Covid-19 samples decreases drastically. In the medical domain, adversarial training is the most widely explored technique to defend against adversarial attacks. However, using this technique requires replacing the original model and retraining it by including adversarial samples. Another defensive technique, High-Level Representation Guided Denoiser (HGD), overcomes this limitation by employing an adversarial filter which is also transferable across models. Moreover, the HGD architecture, being suitable for high-resolution images, makes it a good candidate for medical image applications. In this paper, the HGD architecture has been evaluated as a potential defensive technique for the task of medical image analysis. Experiments carried out show an increased accuracy of up to 82% in the white box setting. However, in the black box setting, the defense completely fails to defend against adversarial samples.

Narmin Ghaffari Laleh,Daniel Truhn,Gregory Patrick Veldhuizen,Tianyu Han,Marko van Treeck,Roman D Buelow,Rupert Langer,Bastian Dislich,Peter Boor,Volkmar Schulz,Jakob Nikolas Kather

DOI: https://doi.org/10.1038/s41467-022-33266-0

2022-09-29

Abstract:Artificial Intelligence (AI) can support diagnostic workflows in oncology by aiding diagnosis and providing biomarkers directly from routine pathology slides. However, AI applications are vulnerable to adversarial attacks. Hence, it is essential to quantify and mitigate this risk before widespread clinical use. Here, we show that convolutional neural networks (CNNs) are highly susceptible to white- and black-box adversarial attacks in clinically relevant weakly-supervised classification tasks. Adversarially robust training and dual batch normalization (DBN) are possible mitigation strategies but require precise knowledge of the type of attack used in the inference. We demonstrate that vision transformers (ViTs) perform equally well compared to CNNs at baseline, but are orders of magnitude more robust to white- and black-box attacks. At a mechanistic level, we show that this is associated with a more robust latent representation of clinically relevant categories in ViTs compared to CNNs. Our results are in line with previous theoretical studies and provide empirical evidence that ViTs are robust learners in computational pathology. This implies that large-scale rollout of AI models in computational pathology should rely on ViTs rather than CNN-based classifiers to provide inherent protection against perturbation of the input data, especially adversarial attacks.

SUN Hao,CHEN Jin,LEI Lin,JI Kefeng,KUANG Gangyao

DOI: https://doi.org/10.12000/jr21048

2021-01-01

JOURNAL OF RADARS

Abstract:Deep convolutional neural networks have achieved great success in recent years. They have been widely used in various applications such as optical and SAR image scene classification, object detection and recognition, semantic segmentation, and change detection. However, deep neural networks rely on large-scale high-quality training data, and can only guarantee good performance when the training and test data are independently sampled from the same distribution. Deep convolutional neural networks are found to be vulnerable to subtle adversarial perturbations. This adversarial vulnerability prevents the deployment of deep neural networks in security-sensitive applications such as medical, surveillance, autonomous driving and military scenarios. This paper first presents a holistic view of security issues for deep convolutional neural network-based image recognition systems. The entire information processing chain is analyzed regarding safety and security risks. In particular, poisoning attacks and evasion attacks on deep convolutional neural networks are analyzed in detail. The root causes of adversarial vulnerabilities of deep recognition models are also discussed. Then, we give a formal definition of adversarial robustness and present a comprehensive review of adversarial attacks, adversarial defense, and adversarial robustness evaluation. Rather than listing existing research, we focus on the threat models for the adversarial attack and defense arms race. We perform a detailed analysis of several representative adversarial attacks on SAR image recognition models and provide an example of adversarial robustness evaluation. Finally, several open questions are discussed regarding recent research progress from our workgroup. This paper can be further used as a reference to develop more robust deep neural network-based image recognition models in dynamic adversarial scenarios.

Sara Kaviani,Ki Jin Han,Insoo Sohn

DOI: https://doi.org/10.1016/j.eswa.2022.116815

IF: 8.5

2022-07-01

Expert Systems with Applications

Abstract:In recent years, medical images have significantly improved and facilitated diagnosis in versatile tasks including classification of lung diseases, detection of nodules, brain tumor segmentation, and body organs recognition. On the other hand, the superior performance of machine learning (ML) techniques, specifically deep learning networks (DNNs), in various domains has lead to the application of deep learning approaches in medical image classification and segmentation. Due to the security and vital issues involved, healthcare systems are considered quite challenging and their performance accuracy is of great importance. Previous studies have shown lingering doubts about medical DNNs and their vulnerability to adversarial attacks. Although various defense methods have been proposed, there are still concerns about the application of medical deep learning approaches. This is due to some of medical imaging weaknesses, such as lack of sufficient amount of high quality images and labeled data, compared to various high-quality natural image datasets. This paper reviews recently proposed adversarial attack methods to medical imaging DNNs and defense techniques against these attacks. It also discusses different aspects of these methods and provides future directions for improving neural network’s robustness.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Xingjun Ma,Yuhao Niu,Lin Gu,Yisen Wang,Yitian Zhao,James Bailey,Feng Lu

DOI: https://doi.org/10.1016/j.patcog.2020.107332

IF: 8

2021-01-01

Pattern Recognition

Abstract:•Medical image DNNs are easier to be attacked than natural non-medical image DNNs.•Complex biological textures of medical images may lead to more vulnerable regions.•State-of-the-art deep networks can be overparameterized for medical imaging tasks.•Medical image adversarial attacks can also be easily detected.•High detectability may be caused by perturbations outside the pathological regions.

Neha A S,Vivek Chaturvedi,Muhammad Shafique

DOI: https://doi.org/10.1109/access.2024.3364818

IF: 3.9

2024-02-28

IEEE Access

Abstract:Adversarial attacks that are possible in natural images are also transferable to medical images, paralyzing the diagnostic process and threatening the robustness of underlying Convolutional Neural Network (CNN) based classifiers. In this work, we have first demonstrated the effectiveness of well-known natural image adversarial attacks such as FGSM and PGD on Malaria cell images. Afterwards, we propose a novel defense methodology, namely FRNet, that leverages well-established features such as HOG, LBP, KAZE, and SIFT that are able to detect edges and objects while they remain robust against imperceptible adversarial perturbations. The method utilizes an MLP to efficiently concatenate the features to FRNet making it convenient and resulting in an architecturally neural and attack generic methodology. Our experimental results demonstrate that when applying FRNet on different CNN architectures such as simple CNN, EfficientNet, and MobileNet, it decreases the impact of adversarial attacks by as much as 67% compared to the corresponding base models.

computer science, information systems,telecommunications,engineering, electrical & electronic

Junhao Dong,Junxi Chen,Xiaohua Xie,Jianhuang Lai,Hao Chen

DOI: https://doi.org/10.1145/3702638

2024-11-04

Abstract:Deep learning techniques have achieved superior performance in computer-aided medical image analysis, yet they are still vulnerable to imperceptible adversarial attacks, resulting in potential misdiagnosis in clinical practice. Oppositely, recent years have also witnessed remarkable progress in defense against these tailored adversarial examples in deep medical diagnosis systems. In this exposition, we present a comprehensive survey on recent advances in adversarial attacks and defenses for medical image analysis with a systematic taxonomy in terms of the application scenario. We also provide a unified framework for different types of adversarial attack and defense methods in the context of medical image analysis. For a fair comparison, we establish a new benchmark for adversarially robust medical diagnosis models obtained by adversarial training under various scenarios. To the best of our knowledge, this is the first survey paper that provides a thorough evaluation of adversarially robust medical diagnosis models. By analyzing qualitative and quantitative results, we conclude this survey with a detailed discussion of current challenges for adversarial attack and defense in medical image analysis systems to shed light on future research directions. Code is available on \href{<a class="link-external link-https" href="https://github.com/tomvii/Adv_MIA" rel="external noopener nofollow">this https URL</a>}{\color{red}{GitHub}}.

Image and Video Processing,Cryptography and Security,Computer Vision and Pattern Recognition

Qingsong Yao,Zecheng He,Xiaodong Yu,S. Kevin Zhou

DOI: https://doi.org/10.1109/isbi56570.2024.10635644

2024-01-01

Abstract:Medical image systems based on deep neural networks are highly vulnerable to adversarial examples. Despite numerous defense mechanisms, these approaches typically assume a passive attacker with limited knowledge of the defense system and a lack of adaptability in attack strategies based on defense details. Recent works [1], [2], [3], [4] expose the vulnerability of existing defenses against adaptive attacks, where the attacker, leveraging comprehensive knowledge of the defense, can pose a substantial threat. In this paper, we make the novel observation that shallow features exhibit a higher degree of robustness compared to deep features. Based on this insight, we propose a novel adversarial defense called Medical Adversarial Shield (MAS), which is adversarially trained to capture the unique characteristics left by the attackers in feature space, particularly within shallow features. Extensive experimental results confirm the effectiveness of our MAS as the first defense capable of accurately distinguishing both strong adaptive attacks and conventional attacks, showing significant improvements compared to existing reactive defenses.

Syeda Nazia Ashraf,Raheel Siddiqi,Humera Farooq

DOI: https://doi.org/10.1371/journal.pone.0307363

IF: 3.7

2024-10-21

PLoS ONE

Abstract:Convolutional Neural Network (CNN)-based models are prone to adversarial attacks, which present a significant hurdle to their reliability and robustness. The vulnerability of CNN-based models may be exploited by attackers to launch cyber-attacks. An attacker typically adds small, carefully crafted perturbations to original medical images. When a CNN-based model receives the perturbed medical image as input, it misclassifies the image, even though the added perturbation is often imperceptible to the human eye. The emergence of such attacks has raised security concerns regarding the implementation of deep learning-based medical image classification systems within clinical environments. To address this issue, a reliable defense mechanism is required to detect adversarial attacks on medical images. This study will focus on the robust detection of pneumonia in chest X-ray images through CNN-based models. Various adversarial attacks and defense strategies will be evaluated and analyzed in the context of CNN-based pneumonia detection. From earlier studies, it has been observed that a single defense mechanism is usually not effective against more than one type of adversarial attack. Therefore, this study will propose a defense mechanism that is effective against multiple attack types. A reliable defense framework for pneumonia detection models will ensure secure clinical deployment, facilitating radiologists and doctors in their diagnosis and treatment planning. It can also save time and money by automating routine tasks. The proposed defense mechanism includes a convolutional autoencoder to denoise perturbed Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD) adversarial images, two state- of-the-art attacks carried out at five magnitudes, i.e., ε (epsilon) values. Two pre-trained models, VGG19 and VGG16, and our hybrid model of MobileNetV2 and DenseNet169, called Stack Model, have been used to compare their results. This study shows that the proposed defense mechanism outperforms state-of-the-art studies. The PGD attack using the VGG16 model shows a better attack success rate by reducing overall accuracy by up to 67%. The autoencoder improves accuracy by up to 16% against PGD attacks in both the VGG16 and VGG19 models.

Angona Biswas,MD Abdullah Al Nasim,Kishor Datta Gupta,Roy George,Abdur Rashid

2024-10-20

Abstract:Machine learning (ML) is a rapidly developing area of medicine that uses significant resources to apply computer science and statistics to medical issues. ML's proponents laud its capacity to handle vast, complicated, and erratic medical data. It's common knowledge that attackers might cause misclassification by deliberately creating inputs for machine learning classifiers. Research on adversarial examples has been extensively conducted in the field of computer vision applications. Healthcare systems are thought to be highly difficult because of the security and life-or-death considerations they include, and performance accuracy is very important. Recent arguments have suggested that adversarial attacks could be made against medical image analysis (MedIA) technologies because of the accompanying technology infrastructure and powerful financial incentives. Since the diagnosis will be the basis for important decisions, it is essential to assess how strong medical DNN tasks are against adversarial attacks. Simple adversarial attacks have been taken into account in several earlier studies. However, DNNs are susceptible to more risky and realistic attacks. The present paper covers recent proposed adversarial attack strategies against DNNs for medical imaging as well as countermeasures. In this study, we review current techniques for adversarial imaging attacks, detections. It also encompasses various facets of these techniques and offers suggestions for the robustness of neural networks to be improved in the future.

Cryptography and Security,Artificial Intelligence,Image and Video Processing