Universal Adversarial Attacks on Deep Neural Networks for Medical Image Classification

Overview

Journal BMC Med Imaging

Publisher Biomed Central

Specialty Radiology

Date 2021 Jan 8

PMID 33413181

Citations 25

Authors

Hokuto Hirano

Akinori Minagi

Kazuhiro Takemoto

Affiliations

Soon will be listed here.

Abstract

Background: Deep neural networks (DNNs) are widely investigated in medical image classification to achieve automated support for clinical diagnosis. It is necessary to evaluate the robustness of medical DNN tasks against adversarial attacks, as high-stake decision-making will be made based on the diagnosis. Several previous studies have considered simple adversarial attacks. However, the vulnerability of DNNs to more realistic and higher risk attacks, such as universal adversarial perturbation (UAP), which is a single perturbation that can induce DNN failure in most classification tasks has not been evaluated yet.

Methods: We focus on three representative DNN-based medical image classification tasks (i.e., skin cancer, referable diabetic retinopathy, and pneumonia classifications) and investigate their vulnerability to the seven model architectures of UAPs.

Results: We demonstrate that DNNs are vulnerable to both nontargeted UAPs, which cause a task failure resulting in an input being assigned an incorrect class, and to targeted UAPs, which cause the DNN to classify an input into a specific class. The almost imperceptible UAPs achieved > 80% success rates for nontargeted and targeted attacks. The vulnerability to UAPs depended very little on the model architecture. Moreover, we discovered that adversarial retraining, which is known to be an effective method for adversarial defenses, increased DNNs' robustness against UAPs in only very few cases.

Conclusion: Unlike previous assumptions, the results indicate that DNN-based clinical diagnosis is easier to deceive because of adversarial attacks. Adversaries can cause failed diagnoses at lower costs (e.g., without consideration of data distribution); moreover, they can affect the diagnosis. The effects of adversarial defenses may not be limited. Our findings emphasize that more careful consideration is required in developing DNNs for medical imaging and their practical applications.

Citing Articles

Comparison of the impact of rectal susceptibility artifacts in prostate magnetic resonance imaging on subjective evaluation and deep learning: a two-center retrospective study.

Wang Z, Lu P, Liu S, Fu C, Ye Y, Yu C BMC Med Imaging. 2025; 25(1):61.

PMID: 40000986 PMC: 11863642. DOI: 10.1186/s12880-025-01602-7.

Generalizability, robustness, and correction bias of segmentations of thoracic organs at risk in CT images.

Guerendel C, Petrychenko L, Chupetlovska K, Bodalal Z, Beets-Tan R, Benson S Eur Radiol. 2024; .

PMID: 39738559 DOI: 10.1007/s00330-024-11321-2.

Improved Generalizability in Medical Computer Vision: Hyperbolic Deep Learning in Multi-Modality Neuroimaging.

Ayubcha C, Sajed S, Omara C, Veldman A, Singh S, Lokesha Y J Imaging. 2024; 10(12).

PMID: 39728216 PMC: 11676359. DOI: 10.3390/jimaging10120319.

Optimization of convolutional neural network and visual geometry group-16 using genetic algorithms for pneumonia detection.

Chihaoui M, Dhibi N, Ferchichi A Front Med (Lausanne). 2024; 11:1498403.

PMID: 39697204 PMC: 11653186. DOI: 10.3389/fmed.2024.1498403.

Deep Learning for Pneumonia Detection in Chest X-ray Images: A Comprehensive Survey.

Siddiqi R, Javaid S J Imaging. 2024; 10(8).

PMID: 39194965 PMC: 11355845. DOI: 10.3390/jimaging10080176.

References

Finlayson S, Bowers J, Ito J, Zittrain J, Beam A, Kohane I . Adversarial attacks on medical machine learning. Science. 2019; 363(6433):1287-1289. PMC: 7657648. DOI: 10.1126/science.aaw4399. View

Rudin C . Stop Explaining Black Box Machine Learning Models for High Stakes Decisions and Use Interpretable Models Instead. Nat Mach Intell. 2022; 1(5):206-215. PMC: 9122117. DOI: 10.1038/s42256-019-0048-x. View

Esteva A, Kuprel B, Novoa R, Ko J, Swetter S, Blau H . Dermatologist-level classification of skin cancer with deep neural networks. Nature. 2017; 542(7639):115-118. PMC: 8382232. DOI: 10.1038/nature21056. View

Liu X, Faes L, Kale A, Wagner S, Fu D, Bruynseels A . A comparison of deep learning performance against health-care professionals in detecting diseases from medical imaging: a systematic review and meta-analysis. Lancet Digit Health. 2020; 1(6):e271-e297. DOI: 10.1016/S2589-7500(19)30123-2. View

Gu Y, Ge Z, Bonnington C, Zhou J . Progressive Transfer Learning and Adversarial Domain Adaptation for Cross-Domain Skin Disease Classification. IEEE J Biomed Health Inform. 2019; 24(5):1379-1393. DOI: 10.1109/JBHI.2019.2942429. View