State-of-the-art segmentation network fooled to segment a heart symbol
in chest X-Ray images
- URL: http://arxiv.org/abs/2104.00139v1
- Date: Wed, 31 Mar 2021 22:20:59 GMT
- Title: State-of-the-art segmentation network fooled to segment a heart symbol
in chest X-Ray images
- Authors: Gerda Bortsova, Florian Dubost, Laurens Hogeweg, Ioannis Katramados,
Marleen de Bruijne
- Abstract summary: Adversarial attacks consist in maliciously changing the input data to mislead the predictions of automated decision systems.
We studied the effectiveness of adversarial attacks in targeted modification of segmentations of anatomical structures in chest X-rays.
- Score: 5.808118248166566
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Adversarial attacks consist in maliciously changing the input data to mislead
the predictions of automated decision systems and are potentially a serious
threat for automated medical image analysis. Previous studies have shown that
it is possible to adversarially manipulate automated segmentations produced by
neural networks in a targeted manner in the white-box attack setting. In this
article, we studied the effectiveness of adversarial attacks in targeted
modification of segmentations of anatomical structures in chest X-rays.
Firstly, we experimented with using anatomically implausible shapes as targets
for adversarial manipulation. We showed that, by adding almost imperceptible
noise to the image, we can reliably force state-of-the-art neural networks to
segment the heart as a heart symbol instead of its real anatomical shape.
Moreover, such a heart-shaping attack did not appear to require a higher
adversarial noise level than an untargeted attack based on the same attack method.
Secondly, we attempted to explore the limits of adversarial manipulation of
segmentations. For that, we assessed the effectiveness of shrinking and
enlarging segmentation contours for the three anatomical structures. We
observed that adversarially extending segmentations of structures into regions
with intensity and texture uncharacteristic for them presented a challenge to
our attacks, as did, in some cases, changing segmentations in ways that
conflict with class adjacency priors learned by the target network.
Additionally, we evaluated the performance of the untargeted attacks and the
targeted heart-shaping attacks in the black-box attack scenario, using a surrogate network
trained on a different subset of images. In both cases, the attacks were
substantially less effective. We believe these findings bring novel insights
into the current capabilities and limits of adversarial attacks for semantic
segmentation.
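As a rough illustration of the targeted white-box setting described above, the sketch below implements a projected-gradient-descent (PGD) style attack that adds a small, bounded perturbation to the input and pushes the network's segmentation toward an attacker-chosen target mask (for instance, a heart symbol drawn over the heart region). This is a minimal sketch under stated assumptions rather than the authors' method: `model`, `image`, and `target_mask` are hypothetical placeholders, PyTorch is assumed, and the noise budget and step sizes are illustrative only.

```python
# Minimal sketch of a targeted PGD-style attack on a segmentation network.
# NOT the authors' implementation: `model`, `image`, and `target_mask` are
# hypothetical placeholders, and epsilon / step_size / steps are illustrative.
import torch
import torch.nn.functional as F

def targeted_segmentation_attack(model, image, target_mask,
                                 epsilon=0.01, step_size=0.002, steps=40):
    """Push the model's segmentation toward an attacker-chosen target mask.

    image:       (1, C, H, W) float tensor with values in [0, 1]
    target_mask: (1, H, W) long tensor of attacker-chosen class labels
                 (e.g. a heart symbol painted over the heart region)
    """
    model.eval()
    perturbation = torch.zeros_like(image, requires_grad=True)

    for _ in range(steps):
        logits = model(image + perturbation)          # (1, num_classes, H, W)
        # Cross-entropy w.r.t. the *target* mask: minimising it pulls the
        # prediction toward the attacker's shape (a targeted attack).
        loss = F.cross_entropy(logits, target_mask)
        loss.backward()

        with torch.no_grad():
            # Gradient descent on the targeted loss; an untargeted attack
            # would instead ascend the loss w.r.t. the true labels.
            perturbation -= step_size * perturbation.grad.sign()
            # Keep the noise almost imperceptible and the image valid.
            perturbation.clamp_(-epsilon, epsilon)
            perturbation.copy_((image + perturbation).clamp(0, 1) - image)
        perturbation.grad.zero_()

    return (image + perturbation).detach()
```

Target masks for the shrinking and enlarging experiments mentioned in the abstract could analogously be built by morphological erosion or dilation of the clean prediction, and in the black-box scenario the perturbation would be computed on a surrogate network trained on a different subset of images and then transferred to the target model.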
Related papers
- Detecting Adversarial Attacks in Semantic Segmentation via Uncertainty Estimation: A Deep Analysis [12.133306321357999]
We propose an uncertainty-based method for detecting adversarial attacks on neural networks for semantic segmentation (a rough sketch of this style of detection appears after this list).
We conduct a detailed analysis of uncertainty-based detection of adversarial attacks and various state-of-the-art neural networks.
Our numerical experiments show the effectiveness of the proposed uncertainty-based detection method.
arXiv Detail & Related papers (2024-08-19T14:13:30Z) - Hide in Thicket: Generating Imperceptible and Rational Adversarial
Perturbations on 3D Point Clouds [62.94859179323329]
Adversarial attack methods based on point manipulation for 3D point cloud classification have revealed the fragility of 3D models.
We propose a novel shape-based adversarial attack method, HiT-ADV, which conducts a two-stage search for attack regions based on saliency and imperceptibility perturbation scores.
We propose that by employing benign resampling and benign rigid transformations, we can further enhance physical adversarial strength with little sacrifice to imperceptibility.
arXiv Detail & Related papers (2024-03-08T12:08:06Z) - Investigating Human-Identifiable Features Hidden in Adversarial
Perturbations [54.39726653562144]
Our study explores up to five attack algorithms across three datasets.
We identify human-identifiable features in adversarial perturbations.
Using pixel-level annotations, we extract such features and demonstrate their ability to compromise target models.
arXiv Detail & Related papers (2023-09-28T22:31:29Z) - Uncertainty-based Detection of Adversarial Attacks in Semantic
Segmentation [16.109860499330562]
We introduce an uncertainty-based approach for the detection of adversarial attacks in semantic segmentation.
We demonstrate the ability of our approach to detect perturbed images across multiple types of adversarial attacks.
arXiv Detail & Related papers (2023-05-22T08:36:35Z) - Identification of Attack-Specific Signatures in Adversarial Examples [62.17639067715379]
We show that different attack algorithms produce adversarial examples which are distinct not only in their effectiveness but also in how they qualitatively affect their victims.
Our findings suggest that prospective adversarial attacks should be compared not only via their success rates at fooling models but also via deeper downstream effects they have on victims.
arXiv Detail & Related papers (2021-10-13T15:40:48Z) - Attack to Fool and Explain Deep Networks [59.97135687719244]
We counter-argue by providing evidence of human-meaningful patterns in adversarial perturbations.
Our major contribution is a novel pragmatic adversarial attack that is subsequently transformed into a tool to interpret the visual models.
arXiv Detail & Related papers (2021-06-20T03:07:36Z) - Hidden Backdoor Attack against Semantic Segmentation Models [60.0327238844584]
The backdoor attack intends to embed hidden backdoors in deep neural networks (DNNs) by poisoning training data.
We propose a novel attack paradigm, the fine-grained attack, where we treat the target label at the object level instead of the image level.
Experiments show that the proposed methods can successfully attack semantic segmentation models by poisoning only a small proportion of training data.
arXiv Detail & Related papers (2021-03-06T05:50:29Z) - A Hierarchical Feature Constraint to Camouflage Medical Adversarial
Attacks [31.650769109900477]
We investigate the intrinsic characteristic of medical adversarial attacks in feature space.
We propose a novel hierarchical feature constraint (HFC) as an add-on to existing adversarial attacks.
We evaluate the proposed method on two public medical image datasets.
arXiv Detail & Related papers (2020-12-17T11:00:02Z) - A Self-supervised Approach for Adversarial Robustness [105.88250594033053]
Adversarial examples can cause catastrophic mistakes in Deep Neural Network (DNN) based vision systems.
This paper proposes a self-supervised adversarial training mechanism in the input space.
It provides significant robustness against unseen adversarial attacks.
arXiv Detail & Related papers (2020-06-08T20:42:39Z)
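Two of the related papers above propose detecting adversarial inputs to segmentation networks via uncertainty estimation. As a rough sketch of that general idea (not those papers' implementations), one simple uncertainty score is the mean per-pixel entropy of the softmax output, thresholded against values calibrated on clean images; `model`, `image`, and the threshold below are hypothetical placeholders.

```python
# Minimal sketch of uncertainty-based detection for a segmentation model,
# in the spirit of the uncertainty-based detection papers listed above.
# NOT their implementation: `model`, `image`, and `threshold` are
# hypothetical placeholders; the score is mean per-pixel softmax entropy.
import torch
import torch.nn.functional as F

def mean_prediction_entropy(model, image):
    """Average per-pixel entropy of the softmax output, a simple uncertainty score."""
    model.eval()
    with torch.no_grad():
        probs = F.softmax(model(image), dim=1)                     # (1, num_classes, H, W)
        entropy = -(probs * torch.log(probs + 1e-12)).sum(dim=1)   # (1, H, W)
    return entropy.mean().item()

def looks_adversarial(model, image, threshold=0.5):
    # Flag inputs whose uncertainty exceeds a threshold calibrated on clean images.
    return mean_prediction_entropy(model, image) > threshold
```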
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of the information it provides and is not responsible for any consequences arising from its use.