The stability of neural networks under condition of adversarial attacks to biomedical image classification

  • Dmitry M. Voynov Belarusian State University, 4 Niezaliežnasci Avenue, Minsk 220030, Belarus https://orcid.org/0000-0002-8637-5828
  • Vassili A. Kovalev United Institute of Informatics Problems, National Academy of Sciences of Belarus, 6 Surhanava Street, Minsk 220012, Belarus
DOI: https://doi.org/10.33581/2520-6508-2020-3-60-72

Abstract

Recently, the majority of research and development teams working in the field deep learning are concentrated on the improvement of the classification accuracy and related measures of the quality of image classification whereas the problem of adversarial attacks to deep neural networks attracts much less attention. This article is dedicated to an experimental study of the influence of various factors on the stability of convolutional neural networks under the condition of adversarial attacks to biomedical image classification. On a very extensive dataset consisted of more than 1.45 million of radiological as well as histological images we assess the efficiency of attacks performed using the projected gradient descent (PGD), DeepFool and Carlini – Wagner (CW) methods. We analyze the results of both white and black box attacks to the commonly used neural architectures such as InceptionV3, Densenet121, ResNet50, MobileNet and Xception. The basic conclusion of this study is that in the field of biomedical image classification the problem of adversarial attack stays sharp because the methods of attacks being tested are successfully attacking the above-mentioned networks so that depending on the specific task their original classification accuracy falls down from 83–97 % down to the accuracy score of 15 %. Also, it was found that under similar conditions the PGD method is less successful in adversarial attacks comparing to the DeepFool and CW methods. When the original images and adversarial examples are compared using the L2-norm, the DeepFool and CW methods generate the adversarial examples of similar maliciousness. In addition, in three out of four of black-box attacks, the PGD method has demonstrated lower attacking efficiency.

Author Biographies

Dmitry M. Voynov, Belarusian State University, 4 Niezaliežnasci Avenue, Minsk 220030, Belarus

master’s degree student at the department of discrete mathematics and algorithmics, faculty of applied mathematics and computer science

Vassili A. Kovalev, United Institute of Informatics Problems, National Academy of Sciences of Belarus, 6 Surhanava Street, Minsk 220012, Belarus

PhD (engineering); head of the laboratory of biomedical image analysis

References

  1. Recht B, Roelofs R, Schmidt L, Shankar V. Do CIFAR-10 classifiers generalize to CIFAR-10? arXiv:1806.00451 [Preprint]. 2018 [cited 2020 August 27]: [25 p.]. Available from: https://arxiv.org/abs/1806.00451.
  2. Akhtar N, Mian AS. Threat of adversarial attacks on deep learning in computer vision: a survey. IEEE Access. 2018;6:14410–14430. DOI: 10.1109/ACCESS.2018.2807385.
  3. Litjens G, Kooi T, Bejnordi BE, Setio AAA, Ciompi F, Ghafoorian M, et al. A survey on deep learning in medical image analysis. Medical Image Analysis. 2017;42:60–88. DOI: 10.1016/j.media.2017.07.005.
  4. Ker J, Wang L, Rao J, Lim T. Deep learning applications in medical image analysis. IEEE Access. 2018;6:9375–9389. DOI: 10.1109/ACCESS.2017.2788044.
  5. Madry A, Makelov A, Schmidt L, Tsipras D, Vladu A. Towards deep learning models resistant to adversarial attacks. arXiv:1706.06083v4 [Preprint]. 2017 [cited 2020 August 27]: [28 p.]. Available from: https://arxiv.org/abs/1706.06083.
  6. Ozdag M. Adversarial attacks and defenses against deep neural networks: a survey. Procedia Computer Science. 2018;140:152–161. DOI: 10.1016/j.procs.2018.10.315.
  7. Wang H, Yu C-N. A direct approach to robust deep learning using adversarial networks. arXiv:1905.09591v1 [Preprint]. 2019 [cited 2020 August 27]: [15 p.]. Available from: https://arxiv.org/abs/1905.09591.
  8. Xu W, Evans D, Qi Y. Feature squeezing: detecting adversarial examples in deep neural networks. arXiv:1704.01155v2 [Preprint]. 2017 [cited 2020 August 27]: [15 p.]. Available from: https://arxiv.org/abs/1704.01155.
  9. Moosavi-Dezfooli S-M, Fawzi A, Frossard P. DeepFool: a simple and accurate method to fool deep neural networks. arXiv:1511.04599v3 [Preprint]. 2015 [cited 2020 August 27]: [9 p.]. Available from: https://arxiv.org/abs/1511.04599.
  10. Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow I, et al. Intriguing properties of neural networks. In: 2nd International conference on learning representations; 2014 April 14–16; Banff, Canada. Banff: Springer; 2014. p. 1–10.
  11. Carlini N, Wagner D. Towards evaluating the robustness of neural networks. In: 2017 IEEE symposium on security and privacy; 2017 June 26; San Jose, CA, USA. [S. l.]: IEEE; 2017. p. 39–57. DOI: 10.1109/SP.2017.49.
  12. Goodfellow IJ, Shlens J, Szegedy C. Explaining and harnessing adversarial examples. arXiv:1412.6572v3 [Preprint]. 2015 [cited 2020 August 27]: [11 p.]. Available from: https://arxiv.org/abs/1412.6572v3.
Published
2020-12-08
Keywords: deep learning, adversarial attacks, biomedical images
How to Cite
Voynov, D. M., & Kovalev, V. A. (2020). The stability of neural networks under condition of adversarial attacks to biomedical image classification. Journal of the Belarusian State University. Mathematics and Informatics, 3, 60-72. https://doi.org/10.33581/2520-6508-2020-3-60-72
Issue
No 3 (2020): Journal of the Belarusian State University. Mathematics and Informatics
Section
Theoretical Foundations of Computer Science

Copyright (c) 2020 Journal of the Belarusian State University. Mathematics and Informatics

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

The authors who are published in this journal agree to the following:

  1. The authors retain copyright on the work and provide the journal with the right of first publication of the work on condition of license Creative Commons Attribution-NonCommercial. 4.0 International (CC BY-NC 4.0).
  2. The authors retain the right to enter into certain contractual agreements relating to the non-exclusive distribution of the published version of the work (e.g. post it on the institutional repository, publication in the book), with the reference to its original publication in this journal.
  3. The authors have the right to post their work on the Internet (e.g. on the institutional store or personal website) prior to and during the review process, conducted by the journal, as this may lead to a productive discussion and a large number of references to this work. (See The Effect of Open Access.)