
Adversarial Medical Image with Hierarchical Feature Hiding

Published 4 Dec 2023 in eess.IV, cs.CV, and cs.LG | (2312.01679v1)

Abstract: Deep learning based methods for medical images can be easily compromised by adversarial examples (AEs), posing a great security flaw in clinical decision-making. It has been discovered that conventional adversarial attacks like PGD, which optimize the classification logits, are easy to distinguish in the feature space, resulting in accurate reactive defenses. To better understand this phenomenon and reassess the reliability of the reactive defenses for medical AEs, we thoroughly investigate the characteristics of conventional medical AEs. Specifically, we first theoretically prove that conventional adversarial attacks change the outputs by continuously optimizing vulnerable features in a fixed direction, thereby leading to outlier representations in the feature space. Then, a stress test is conducted to reveal the vulnerability of medical images by comparing them with natural images. Interestingly, this vulnerability is a double-edged sword, which can be exploited to hide AEs. We then propose a simple-yet-effective hierarchical feature constraint (HFC), a novel add-on to conventional white-box attacks, which helps hide the adversarial feature in the target feature distribution. The proposed method is evaluated on three medical datasets, both 2D and 3D, with different modalities. The experimental results demonstrate the superiority of HFC, i.e., it bypasses an array of state-of-the-art adversarial medical AE detectors more efficiently than competing adaptive attacks, which reveals the deficiencies of medical reactive defenses and enables the development of more robust defenses in the future.

