Abstract
In recent years, significant progress has been achieved using deep neural networks (DNNs) in obtaining human-level performance on various long-standing tasks. With the increased use of DNNs in various applications, public concern over DNNs’ trustworthiness has grown. Studies conducted in the last several years have proven that deep learning models are vulnerable to small adversarial perturbations. Adversarial examples are generated from clean images by adding imperceptible perturbations. Adversarial examples are necessary for practical reasons, as they can be physically constructed, implying that DNNs are unsuitable for some image classification applications in their current state. This paper aims to provide an in-depth overview of the numerous adversarial attack strategies and defence methods. The theoretical principles, methods, and applications of adversarial attack strategies are first discussed. After that, a few research attempts on defence techniques covering the field’s broad boundary are outlined. Afterwards, this study reviews recently proposed adversarial attack methods to medical deep learning systems and defence techniques against these attacks. The vulnerability of the DL model is evaluated for different medical image modalities using an adversarial attack and defence method. Some unresolved issues and obstacles are highlighted to ignite additional research efforts in this crucial area.
Similar content being viewed by others
Data availability
Data sharing not applicable to this article as no datasets were generated or analyzed during the current study
References
Agarwal A, Singh R, Vatsa M, Ratha NK (2020) Image transformation based defense against adversarial perturbation on deep learning models. IEEE Trans Dependable Secur Comput 5971:1–1
Agarwal A, Vatsa M, Singh R, Ratha N (2021) Cognitive data augmentation for adversarial defense via pixel masking. Pattern Recogn Lett 146:244–251
Akhtar N, Mian A (2018) Threat of adversarial attacks on deep learning in computer vision: a survey. IEEE Access 6:14410–14430. https://doi.org/10.1109/ACCESS.2018.2807385
Allyn J, Allou N, Vidal C, Renou A, Ferdynus C (2020) Adversarial attack on deep learning-based dermatoscopic image recognition systems: Risk of misdiagnosis due to undetectable image perturbations. Med (Baltimore) 99(50):e23568
Anand D, Tank D, Tibrewal H, Sethi A (2020) Self-supervision VS.Transfer learning: Robust Biomedical Image Analysis Against Adversarial attacks. In: 2020 IEEE 17th International Symposium on Biomedical Imaging (ISBI), Iowa City, pp 1159–1163. https://doi.org/10.1109/ISBI45749.2020.9098369
Asgari Taghanaki S, Das A, Hamarneh G (2018) Vulnerability analysis of chest x-ray image classification against adversarial attacks. Lect Notes Comput Sci (including Subser Lect Notes Artif Intell Lect Notes Bioinf) 11038 LNCS:87–94
Athalye A, Engstrom L, Ilyas A, Kevin K (2018) Synthesizing robust adversarial examples. 35th Int Conf Mach Learn ICML 1:449–468
Baluja S, Fischer I (2017) “Adversarial transformation networks: Learning to generate adversarial examples,” arXiv, no. 2013
Baluja S, Fischer I (2018) “Learning to attack: Adversarial transformation networks,” 32nd AAAI Conf. Artif. Intell. AAAI 2018, no. 1, pp. 2687–2695
Biggio B, Nelson B, Laskov P (2012) “Poisoning attacks against support vector machines,” in Proceedings of the 29th International Conference on Machine Learning, ICML 2012, vol. 2, pp. 1467–1474
Biggio B, Fumera G, Russu P, Didaci L, Roli F (2015) Adversarial biometric recognition: a review on biometric system security from the adversarial machine-learning perspective. IEEE Signal Process Mag 32(5):31–41. https://doi.org/10.1109/MSP.2015.2426728
Brendel W, Rauber J, Bethge M (2017) “Decision-based adversarial attacks: Reliable attacks against black-box machine learning models,” arXiv, pp. 1–12
Buckman J, Roy A, Raffel C, Goodfellow I (2018) “Thermometer encoding: One hot way to resist adversarial examples,” 6th Int. Conf. Learn. Represent. ICLR 2018 - Conf. Track Proc., no. 2016, pp. 1–22
Byra M et al. (2020) “Adversarial attacks on deep learning models for fatty liver disease classification by modification of ultrasound image reconstruction method,” arXiv, pp. 9–12
Carlini N, Wagner D (2016) “Defensive Distillation is Not Robust to Adversarial Examples,” vol. 0, pp. 1–3
Carlini N, Wagner D (2017) “Towards Evaluating the Robustness of Neural Networks,” in Proceedings - IEEE Symposium on Security and Privacy, pp. 39–57
Carlini N, Wagner D (2017) “Adversarial Examples Are Not Easily Detected: Bypassing Ten Detection Methods,” in the 10th ACM Workshop on Artificial Intelligence and Security (AISec ‘17), pp. 3–14
Carlini N, Katz G, Barrett C, Dill DL (2017) “Ground-Truth Adversarial Examples,” arXiv, no. 2012, pp. 1–12
Chakraborty A, Alam M, Dey V, Chattopadhyay A, Mukhopadhyay D (2021) A survey onadversarial attacks and defences. CAAI Trans Intell Technol 6(1):25–45. https://doi.org/10.1049/cit2.12028
Chen P-Y, Zhang H, Sharma Y, Yi J, Hsieh C-J (2017) ZOO: Zeroth order optimization based black-box atacks to deep neural networks without training substitute models. In: Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, pp 15–26. https://doi.org/10.1145/3128572.3140448
Chen PY, Sharma Y, Zhang H, Yi J, Hsieh CJ (2018) EAD: Elastic-net attacks to deep neural networks via adversarial examples. In: 32nd AAAI Conf. Artif. Intell. AAAI 2018, pp 10–17. https://doi.org/10.1609/aaai.v32i1.11302
Chen T, Liu J, Xiang Y, Niu W, Tong E, Han Z (2019) Adversarial attack and defense in reinforcement learning-from AI security view. Cybersecurity 2(1):1–22. https://doi.org/10.1186/s42400-019-0027-x
Chen J, Zheng H, Xiong H, Chen R, Du T (2021) FineFool : a novel DNN object contour attack on image recognition based on the attention. Comput Secur 104:102220. https://doi.org/10.1016/j.cose.2021.102220
Chen C et al (2021) “Enhancing MR Image Segmentation with Realistic Adversarial Data Augmentation,” arXiv
Chen R et al (2022) Salient feature extractor for adversarial defense on deep neural networks. Inf Sci (Ny) 600:118–143. https://doi.org/10.1016/j.ins.2022.03.056
Cheng K, Calivá F, Shah R, Han M, Majumdar S, Pedoia V (2020) Addressing the false negative problem of deep learning MRI reconstruction models by adversarial attacks and robust training. In: Proceedings of the Third Conference on Medical Imaging with Deep Learning, vol 121, pp 121–135. [Online]. Available: https://proceedings.mlr.press/v121/cheng20a.html
Chugh T, Cao K, Jain AK (2018) Fingerprint spoof buster: use of minutiae-centered patches. IEEE Trans Inf Foren Secur 13(9):2190–2202. https://doi.org/10.1109/TIFS.2018.2812193
Deldjoo Y, Di Noia T, Merra FA (2021) A survey on adversarial recommender systems: from attack/defense strategies to generative adversarial networks. ACM Comput Surv 54(2):1–38. https://doi.org/10.1145/3439729
Dhillon GS et al (2018) Stochastic activation pruning for robust adversarial defense. CoRR abs/1803.01442 [Online]. Available: http://arxiv.org/abs/1803.01442
Dong Y et al (2018) Boosting adversarial attacks with momentum. In: 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pp 9185–9193. https://doi.org/10.1109/CVPR.2018.00957
Duan R, Ma X, Wang Y, Bailey J, Qin AK, Yang Y (2020) Adversarial camouflage: hiding physical-world attacks with natural styles. CoRR abs/2003.08757 [Online]. Available: https://arxiv.org/abs/2003.08757
Eberz S, Paoletti N, Roeschlin M, Patani A, Kwiatkowska M, Martinovic I (2017) Broken hearted: how to attack ECG biometrics
Emma Zhang W, Sheng QZ, Alhazmi A, Li C (2020) Adversarial attacks on deep-learning models in natural language processing: a survey. ACM Trans Intell Syst Technol 11(3):1–41
Eykholt K et al (2018) “Robust Physical-World Attacks on Deep Learning Models,” in Proceedings of the IEEE conference on computer vision and pattern recognition., pp. 1625–1634
Fawaz HI, Forestier G, Weber J, Idoumghar L, Muller P-A (2019) Adversarial attacks on deep neural networks for time series classification. CoRR abs/1903.07054 [Online]. Available: http://arxiv.org/abs/1903.07054
Fei J, Xia Z, Yu P, Xiao F (2020) Adversarial attacks on fingerprint liveness detection. Eurasip J Image Vid Process 2020(1):1–11
Feinman R, Curtin RR, Shintre S, Gardner AB (2017) Detecting adversarial samples from artifacts. ArXiv abs/1703.00410
Finlayson SG, Kohane IS, Beam AL (2018) Adversarial attacks against medical deep learning systems. CoRR abs/1804.05296 [Online]. Available: http://arxiv.org/abs/1804.05296
Finlayson SG, Bowers JD, Ito J, Zittrain JL, Beam L, Kohane IS (2019) Adversarial attacks on medical machine learning emerging vulnerabilities demand new conversations. Sci (80- ) 363(6433):1287–1290. https://doi.org/10.1126/science.aaw4399
Fischer V, Kumar MC, Metzen JH, Brox T (2019) Adversarial examples for semantic image segmentation. ArXiv abs/1703.01101
Gao J, Wang B, Lin Z, Xu W, Qi Y (2017) Deepcloak: masking deep neural network models for robustness against adversarial samples. arXiv, no. 2014, pp 1–8 [Online]. Available: http://arxiv.org/abs/1702.06763
Goodfellow IJ, Shlens J, Szegedy C (2014) Explaining and harnessing adversarial examples. CoRR abs/1412.6572
Grigorescu S, Trasnea B, Cocias T, Macesanu G (2020) A survey of deep learning techniques for autonomous driving. CoRR abs/1910.07738 [Online]. Available: http://arxiv.org/abs/1910.07738
Grosse K, Papernot N, Manoharan P, Backes M, McDaniel P (2016) Adversarial perturbations against deep neural networks for malware classification. ArXiv abs/1606.04435
Grosse K, Manoharan P, Papernot N, Backes M, McDaniel P (2017) “On the (Statistical) detection of adversarial examples,” arXiv
Gu SS, Rigazio L (2014) Towards deep neural network architectures robust to adversarial examples. CoRR abs/1412.5068
Han X, Hu Y, Foschini L, Chinitz L, Jankelson L, Ranganath R (2020) Deep learning models for electrocardiograms are susceptible to adversarial attack. Nat Med 26(3):360–363
Han K, Xia B, Li Y (2022) (AD)2: Adversarial domain adaptation to defense with adversarial perturbation removal. Pattern Recognit 122. https://doi.org/10.1016/j.patcog.2021.108303
He W, Wei J, Chen X, Carlini N, Song D (2017) “Adversarial example defenses: Ensembles of weak defenses are not strong,” in Proceedings of the 11th USENIX Conference on Offensive Technologies, p. 15
He X, Yang S, Li G, Li H, Chang H, Yu Y (2019) Non-local context encoder: robust biomedical image segmentation against adversarial attacks. https://doi.org/10.1609/aaai.v33i01.33018417
He Z, Duan Y, Zhang W, Zou J, He Z, Wang Y, Pan Z (2022) Boosting adversarial attacks with transformed gradient. Comput Secur 118:102720
Hinton G, Vinyals O, Dean J (2015) “Distilling the Knowledge in a Neural Network,” arXiv, pp. 1–9
Hirano H, Minagi A, Takemoto K (2021) Universal adversarial attacks on deep neural networks for medical image classification. BMC Med Imaging 21(1):1–13
Huang S, Papernot N, Goodfellow I, Duan Y, Abbeel P (2017) “Adversarial attacks on neural network policies,” arXiv
Huang X, Kroening D, Ruan W, Sharp J, Sun Y, Thamo E, Wu M, Yi X (2020) A survey of safety and trustworthiness of deep neural networks: verification, testing, adversarial attack and defence, and interpretability. Comput Sci Rev 37:100270. https://doi.org/10.1016/j.cosrev.2020.100270
Ilahi I et al (2021) Challenges and countermeasures for adversarial attacks on deep reinforcement learning. IEEE Trans Artif Intell 3(2):90–109. https://doi.org/10.1109/tai.2021.3111139
Jin G, Shen S, Zhang D, Dai F, Zhang Y (2019) APE-GAN: adversarial perturbation elimination with GAN. In: ICASSP 2019 - 2019 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), pp 3842–3846. https://doi.org/10.1109/ICASSP.2019.8683044
Joel MZ et al (2022) Using adversarial images to assess the robustness of deep learning models trained on diagnostic images in oncology. JCO Clin Cancer Inf (6):1–10. https://doi.org/10.1200/cci.21.00170
Kannan H, Kurakin A, Goodfellow IJ (2018) Adversarial logit pairing. ArXiv abs/1803.06373
Karimian N (2019) How to attack PPG biometric using adversarial machine learning. In: Autonomous Systems: Sensors, Processing and Security for Vehicles & Infrastructure, p. 6. https://doi.org/10.1117/12.2518828
Karimian N, Woodard D, Forte D (2020) ECG biometric: spoofing and countermeasures. IEEE Trans Biometrics, Behav Identity Sci 2(3):257–270. https://doi.org/10.1109/TBIOM.2020.2992274
Kaviani S, Han KJ, Sohn I (2022) Adversarial attacks and defenses on AI in medical imaging informatics: A survey. Expert Syst Appl 198(February 2021):116815
Kingma DP, Ba JL (2015) “Adam: A method for stochastic optimization,” 3rd Int. Conf. Learn. Represent. ICLR 2015 - Conf. Track Proc., pp. 1–15
Kurakin A, Goodfellow IJ, Bengio S (2016) Adversarial examples in the physical world. ArXiv abs/1607.02533
Kurakin A, Goodfellow IJ, Bengio S (2016) Adversarial machine learning at scale. ArXiv abs/1611.01236
Kurakin A, Goodfellow IJ, Bengio S (2017) “(IFGSM) Adversarial examples in the physical world,” Iclr, no. c, pp. 1–14
Lal S, Rehman SU, Shah JH, Meraj T, Rauf HT, Damaševičius R, Mohammed MA, Abdulkareem KH (2021) Adversarial attack and defence through adversarial training and feature fusion for diabetic retinopathy recognition. Sensors 21(11):1–21. https://doi.org/10.3390/s21113922
Lan J, Zhang R, Yan Z, Wang J, Chen Y, Hou R (2022) Adversarial attacks and defenses in Speaker Recognition Systems : A survey. J Syst Archit 127(August 2021):102526
Li X, Zhu D (2020) Robust detection of adversarial attacks on medical images. In: 2020 IEEE 17th International Symposium on Biomedical Imaging (ISBI), pp 1154–1158. https://doi.org/10.1109/ISBI45749.2020.9098628
Li J, Liu Y, Chen T, Xiao Z, Li Z, Wang J (2020) Adversarial attacks and defenses on cyber-physical systems: a survey. IEEE Internet Things J 7(6):5103–5115. https://doi.org/10.1109/JIOT.2020.2975654
Li X, Pan D, Zhu D (2020) “Defending against adversarial attacks on medical imaging AI system, classification or detection?,” arXiv
Li Y, Su H, Zhu J (2021) AdvCapsNet: To defense adversarial attacks based on Capsule networks. J Vis Commun Image Represent 75(January):103037. https://doi.org/10.1016/j.jvcir.2021.103037
Li H et al (2021) A defense method based on attention mechanism against traffic sign adversarial samples. Inf Fusion 76(March 2020):55–65. https://doi.org/10.1016/j.inffus.2021.05.005
Li Z, Fang X, Yang G (2022) Remove adversarial perturbations with linear and nonlinear image filters. Displays 73(December 2021):102143. https://doi.org/10.1016/j.displa.2021.102143
Liang Q, Li Q, Nie W (2022) LD-GAN: Learning perturbations for adversarial defense based on GAN structure. Signal Process Image Commun 103(January):116659
Liao F, Liang M, Dong Y, Pang T, Hu X, Zhu J (2018) Defense against adversarial attacks using high-level representation guided denoiser. In: 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp 1778–1787. https://doi.org/10.1109/CVPR.2018.00191
Lin YC, Hong ZW, Liao YH, Shih ML, Liu MY, Sun M (2017) “Tactics of adversarial attack on deep reinforcement learning agents,” in IJCAI Int Joint Conf Artif Intell, vol. 0, pp. 3756–3762
Lin J, Song C, He K, Wang L, Hopcroft JE (2019) Nesterov accelerated gradient and scale invariance for adversarial attacks. arXiv Learn. https://doi.org/10.48550/arXiv.1908.06281
Liu Y, Chen X, Liu C, Song D (2017) Delving Into Transfeable Adversarial Examples and Black-Box attacks. ICLR 2017(2):2210–2219
Liu S, Arindra A, Setio A, Ghesu FC, Gibson E (2020) “No Surprises : Training Robust Lung Nodule Detection for Low-Dose CT Scans by Augmenting with Adversarial Attacks,” IEEE Trans. Med. Imaging, no. April 2021
Liu Z, Zhang X, Wu D (2021) “Universal adversarial perturbations for CNN classifiers in EEG-based BCIs,” arXiv, pp. 1–11
Lu J, Issaranon T, Forsyth D (2017) SafetyNet: Detecting and Rejecting Adversarial Examples Robustly. Proc IEEE Int Conf Comput Vis 2017-Octob:446–454. https://doi.org/10.1109/ICCV.2017.56
Ma X, Niu Y, Gu L, Wang Y, Zhao Y, Bailey J, Lu F (2021) Understanding adversarial attacks on deep learning based medical image analysis systems. Pattern Recogn 110:107332. https://doi.org/10.1016/j.patcog.2020.107332
Maiorana E, Hine GE, La Rocca D, Campisi P (2013) “On the vulnerability of an EEG-based biometric system to hill-climbing attacks algorithms’ comparison and possible countermeasures,” in 2013 IEEE Sixth International Conference on Biometrics: Theory, Applications and Systems (BTAS), pp. 1–6
Mardy A et al (2018) “Towards Deep learning Models Resistant To Adversarial Attacks,” in ICLR 2018, pp. 1–23
Martins N, Cruz JM, Cruz T, Henriques Abreu P (2020) Adversarial machine learning applied to intrusion and malware scenarios: a systematic review. IEEE Access 8:35403–35419
Meng D, Chen H (2017) “MagNet: a two-pronged defense against adversarial examples,” Proc ACM Conf Comput Commun Secur, pp. 135–147
Metzen JH, Genewein T, Fischer V, Bischoff B (2017) On detecting adversarial perturbations. ArXiv abs/1702.04267
Metzen JH, Kumar MC, Brox T, Fischer V (2017) Universal Adversarial Perturbations Against Semantic Image Segmentation. Proc IEEE Int Conf Comput Vis 2017-Octob:2774–2783
Miyato T, Maeda SI, Koyama M, Ishii S (2019) Virtual adversarial training: a regularization method for supervised and semi-supervised learning. IEEE Trans Pattern Anal Mach Intell 41(8):1979–1993. https://doi.org/10.1109/TPAMI.2018.2858821
Moosavi-Dezfooli SM, Fawzi A, Frossard P (2016) “DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks,” in Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition, pp. 2574–2582
Moosavi-Dezfooli SM, Fawzi A, Fawzi O, Frossard P (2017) Universal adversarial perturbations. Proc - 30th IEEE Conf Comput Vis Pattern Recognition, CVPR 2017-Janua:86–94
Newaz AI, Haque NI, Sikder AK, Rahman MA, Uluagac AS (2020) Adversarial attacks to machine learning-based smart healthcare systems. In: 2020 IEEE Glob. Commun. Conf. GLOBECOM 2020 - Proc. https://doi.org/10.1109/GLOBECOM42002.2020.9322472
Ozbulak U, Van Messem A, De Neve W (2019) “Impact of Adversarial Examples on Deep Learning Models for Biomedical Image Segmentation,” in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11765 LNCS, no. 1, pp. 300–308
Papernot N, McDaniel P, Goodfellow I (2016) “Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples,” ArXiv, vol. abs/1605.0
Papernot N, Mcdaniel P, Jha S, Fredrikson M, Celik ZB, Swami A (2016) The limitations of deep learning in adversarial settings. In: Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016, pp 582–597. https://doi.org/10.1109/SP.2016.41
Papernot N, McDaniel P, Wu X, Jha S, Swami A (2016) “Distillation as a Defense to Adversarial Perturbations Against Deep Neural Networks,” in Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016, pp. 582–597
Paschali M, Conjeti S, Navarro F, Navab N (2018) Generalizability vs. Robustness: Adversarial examples for medical imaging. ArXiv abs/1804.00504
Paul R, Schabath M, Gillies R, Hall L, Goldgof D (2020) Mitigating adversarial attacks on medical image understanding systems. In: 2020 IEEE 17th International Symposium on Biomedical Imaging (ISBI), pp 1517–1521. https://doi.org/10.1109/ISBI45749.2020.9098740
Pitropakis N, Panaousis E, Giannetsos T, Anastasiadis E, Loukas G (2019) “A taxonomy and survey of attacks against machine learning,” Comput Sci Rev, vol. 34, no
Puttagunta M, Ravi S (2021) Medical image analysis based on deep learning approach. Multimed Tools Appl 80(16):24365–24398
Qayyum A, Ijaz A, Usama M, Iqbal W, Qadir J, Elkhatib Y and Al-Fuqaha A (2020) Securing machine learning in the cloud: a systematic review of cloud machine learning security. Front Big Data 3:587139. https://doi.org/10.3389/fdata.2020.587139
Qayyum A, Usama M, Qadir J, Al-Fuqaha A (2020) Securing connected autonomous vehicles: challenges posed by adversarial machine learning and the way forward. IEEE Commun Surv Tutor 22(2):998–1026
Qayyum A, Qadir J, Bilal M, Al-Fuqaha A (2021) Secure and robust machine learning for healthcare: a survey. IEEE Rev Biomed Eng 14:156–180
Qiu S, Liu Q, Zhou S, Huang W (2022) Adversarial attack and defense technologies in natural language processing : a survey. Neurocomputing 492:278–307
Rahman A, Hossain MS, Alrajeh NA, Alsolami F (2021) Adversarial examples - security threats to COVID-19 deep learning Systems in Medical IoT devices. IEEE Internet Things J 8(12):9603–9610
Rao C et al (2020) “A thorough comparison study on adversarial attacks and defenses for common thorax disease classification in chest X-rays,”
Rasool RU, Ahmad HF, Rafique W, Qayyum A, Qadir J (2022) Security and privacy of internet of medical things: A contemporary review in the age of surveillance, botnets, and adversarial ML. J Netw Comput Appl 201(December 2021):103332
Ros AS, Doshi-Velez F (2018) Improving the adversarial robustness and interpretability of deep neural networks by regularizing their input gradients. In: 32nd AAAI Conf. Artif Intell AAAI 2018, pp 1660–1669
Rozsa A, Rudd EM, Boult TE (2016) “Adversarial diversity and hard positive generation,” IEEE Comput Soc Conf Comput Vis Pattern Recognit Work, pp. 410–417
Sadeghi K, Banerjee A, Gupta SKS (2020) A system-driven taxonomy of attacks and defenses in adversarial machine learning. IEEE Trans Emerg Top Comput Intell 4(4):450–467. https://doi.org/10.1109/TETCI.2020.2968933
Samangouei P, Kabkab M, Chellappa R (2018) Defense-gan: Protecting classifiers against adversarial attacks using generative models. arXiv, pp 1–4. https://doi.org/10.48550/arXiv.1805.06605
Santhanam GK, Grnarova P (2018) “Defending against adversarial attacks by leveraging an entire GAN,” arXiv
Sarkar S, Bansal A, Mahbub U, Chellappa R (2017) UPSET and ANGRI : breaking high performance image classifiers. arXiv 20742(1):1–9. https://doi.org/10.48550/arXiv.1707.01159
Shao M, Zhang G, Zuo W, Meng D (2021) Target attack on biomedical image segmentation model based on multi-scale gradients. Inf Sci (Ny) 554:33–46
Sharif M, Bhagavatula S, Bauer L, Reiter MK (2016) “Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition,” Proc. ACM Conf. Comput. Commun. Secur., vol. 24–28-Octo, pp. 1528–1540
Song Y, Kim T, Nowozin S, Ermon S, Kushman N (2017) “Pixeldefend: Leveraging generative models to understand and defend against adversarial examples,” arXiv, pp. 1–20
Srinivasan V, Rohrer C, Marban A, Müller KR, Samek W, Nakajima S (2021) Robustifying models against adversarial attacks by Langevin dynamics. Neural Netw 137:1–17
Su J, Vargas DV, Sakurai K (2019) One pixel attack for fooling deep neural networks. IEEE Trans Evol Comput 23(5):828–841
Sun X, Sun S (2021) Adversarial robustness and attacks for multi-view deep models. Eng Appl Artif Intell 97:104085
Sun M, Tang F, Yi J, Wang F, Zhou J (2018) Identify susceptible locations in medical records via adversarial attacks on deep predictive models. In: Proceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp 793–801. https://doi.org/10.1145/3219819.3219909
Szegedy C et al (2014) Intriguing properties of neural networks. In: 2nd International Conference on Learning Representations, ICLR 2014 - Conference Track Proceedings, pp 1–10. https://doi.org/10.48550/arXiv.1312.6199
Tang S, Huang X, Chen M, Sun C, Yang J (2021) Adversarial attack type I: generating false positives. ArXiv abs/1809.00594
Tramèr F, Kurakin A, Papernot N, Goodfellow I, Boneh D, McDaniel P (2017) Ensemble adversarial training: Attacks and defenses. arXiv, pp. 1–22. https://doi.org/10.48550/arXiv.1705.07204
Tu J et al (2020) “Physically realizable adversarial examples for lidar object detection,” Proc IEEE Comput Soc Conf Comput Vis Pattern Recognit, pp. 13713–13722
Vakhshiteh F, Nickabadi A, Ramachandra R (2021) Adversarial attacks against face recognition: a comprehensive study. IEEE Access 9:92735–92756
Wang X, Lin J, Hu H, Wang J, He K (2021) “Boosting Adversarial Transferability through Enhanced Momentum,” CoRR, vol. abs/2103.1
Wang L, Zhang C, Luo Z, Liu C, Liu J, Zheng X (2022) “PDAAA: Progressive Defense Against Adversarial Attacks for Deep Learning-as-a-Service in Internet of Things,” pp. 879–886
Wu D et al (2021) “Adversarial Attacks and Defenses in Physiological Computing: A Systematic Review,” pp. 1–12
Xiao C, Zhu JY, Li B, He W, Liu M, Song D (2018) “Spatially transformed adversarial examples,” arXiv, pp. 1–29
Xiao C, Li B, Zhu JY, He W, Liu M, Song D (2018) Generating adversarial examples with adversarial networks. IJCAI Int Jt Conf Artif Intell 2018-July:3905–3911. https://doi.org/10.48550/arXiv.1801.02610
Xie C, Wang J, Zhang Z, Zhou Y, Xie L, Yuille A (2017) Adversarial Examples for Semantic Segmentation and Object Detection. Proceed IEEE Int Conf Comput Vis 2017-Octob:1378–1387
Xie C, Wu Y, van der Maaten L, Yuille A, He K (2018) “Feature denoising for improving adversarial robustness,” arXiv, pp. 501–509
Xu W, Evans D, Qi Y (2017) “Feature squeezing: Detecting adversarial examples in deep neural networks,” arXiv, no. February
Xu H, Ma Y, Liu HC, Deb D, Liu H, Tang JL, Jain AK (2020) Adversarial attacks and defenses in images, graphs and text: a review. Int J Autom Comput 17(2):151–178
Xu M, Zhang T, Li Z, Liu M, Zhang D (2021) Towards evaluating the robustness of deep diagnostic models by adversarial attack. Med Image Anal 69:101977. https://doi.org/10.1016/j.media.2021.101977
Yefet N, Alon U, Yahav E (2020) “Adversarial examples for models of code,” Proc ACM Program Lang, vol. 4, no. OOPSLA
Yin SL, Zhang XL, Zuo LY (2022) Defending against adversarial attacks using spherical sampling-based variational auto-encoder. Neurocomputing 478:1–10
Zhang J, Li C (2020) Adversarial examples: opportunities and challenges. IEEE Trans Neural Netw Learn Syst 31(7):2578–2593
Zhang X, Wu D (2019) On the vulnerability of CNN classifiers in EEG-based BCIs. IEEE Trans Neural Syst Rehabil Eng 27(5):814–825
Zhang X et al (2021) Tiny noise, big mistakes: adversarial perturbations induce errors in brain–computer interface spellers. Natl Sci Rev 8(4):1–23
Zhao Z, Dua D, Singh S (2017) “Generating natural adversarial examples,” arXiv, no. 2016, pp. 1–15
Funding
No funds, grants, or other support was received.
Author information
Authors and Affiliations
Corresponding authors
Ethics declarations
Conflict of interest
The Authors declare that they have no conflict of Interest
Financial interests
The authors have no competing interests to declare that are relevant to the content of this article.
Ethical approval
This article does not contain any studies with animals performed by any of the authors. This article does not contain any studies with human participants or animals performed by any of the authors.
Additional information
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Puttagunta, M.K., Ravi, S. & Nelson Kennedy Babu, C. Adversarial examples: attacks and defences on medical deep learning systems. Multimed Tools Appl 82, 33773–33809 (2023). https://doi.org/10.1007/s11042-023-14702-9
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11042-023-14702-9