On One-Pixel Attacking Medical Images Against Deep Learning Models

Yisong Wang, Wei Wang, Xianglong Wang, Zhuo Chen
DOI: https://doi.org/10.1145/3644116.3644161
2023-01-01
Abstract: Deep neural network models have made impressive achievements in various domains, along with their non-negligible vulnerability to adversarial attacks. This intrinsic weakness of deep learning systems is a crucial concern for practical clinical deployment, in addition to explainability. This paper explores the vulnerability of well-trained deep learning models for medical images to one-pixel adversarial attacks. Specifically, an enhanced success-history adaptive differential evolution (DE) with a greedy mutation strategy (EBL) is employed to search for adversarial pixels in diabetic retinopathy, pneumothorax chest X-ray, melanoma and brain tumor images. The well-trained models for the first three classes of images are ResNet-50, while the model for the last is UTnet. Experiments show that the EBL approach achieves a speed-up of about 30 times over the classical DE one, without loss of attack success rate. The overall attack success rate varies from 2.7% for negative chest X-ray images to 99.3% for positive diabetic retinopathy images. Repeated one-pixel attacks confirm the receptive fields of vulnerability for the first three classes of images, but not for the brain tumor ones. Successfully attacking such medical images may require up to hundreds of attacking pixels. For the brain tumor dataset, the success rate is about 47% using 1024 attacking pixels.