Skip to main content
SpringerLink
Log in

A Hierarchical Feature Constraint to Camouflage Medical Adversarial Attacks

  • Conference paper
  • First Online:
Medical Image Computing and Computer Assisted Intervention – MICCAI 2021 (MICCAI 2021)

Part of the book series: Lecture Notes in Computer Science ((LNIP,volume 12903))

Abstract

Deep neural networks for medical images are extremely vulnerable to adversarial examples (AEs), which poses security concerns on clinical decision-making. Recent findings have shown that existing medical AEs are easy to detect in feature space. To better understand this phenomenon, we thoroughly investigate the characteristic of traditional medical AEs in feature space. Specifically, we first perform a stress test to reveal the vulnerability of medical images and compare them to natural images. Then, we theoretically prove that the existing adversarial attacks manipulate the prediction by continuously optimizing the vulnerable representations in a fixed direction, leading to outlier representations in feature space. Interestingly, we find this vulnerability is a double-edged sword that can be exploited to help hide AEs in the feature space. We propose a novel hierarchical feature constraint (HFC) as an add-on to existing white-box attacks, which encourages hiding the adversarial representation in the normal feature distribution. We evaluate the proposed method on two public medical image datasets, namely Fundoscopy and Chest X-Ray. Experimental results demonstrate the superiority of our HFC as it bypasses an array of state-of-the-art adversarial medical AEs detector more efficiently than competing adaptive attacks. Our code is available at https://github.com/qsyao/Hierarchical_Feature_Constraint.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    We provide the proof in the supplementary material.

  2. 2.

    The hyperparameter analysis can be found in the supplementary material.

References

  1. Athalye, A., Carlini, N., Wagner, D.: Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In: ICLR (2018)

    Google Scholar 

  2. Carlini, N., Wagner, D.: Adversarial examples are not easily detected: bypassing ten detection methods. In: Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, pp. 3–14 (2017)

    Google Scholar 

  3. Carlini, N., Wagner, D.: Towards evaluating the robustness of neural networks. In: IEEE Symposium on Security and Privacy, pp. 39–57 (2017)

    Google Scholar 

  4. Dempster, A.P., Laird, N.M., Rubin, D.B.: Maximum likelihood from incomplete data via the EM algorithm. J. R. Stat. Soc.: Ser. B (Methodol.) 39(1), 1–22 (1977)

    MathSciNet  MATH  Google Scholar 

  5. Dong, Y., et al.: Benchmarking adversarial robustness. In: CVPR (2020)

    Google Scholar 

  6. Dong, Y., et al.: Boosting adversarial attacks with momentum. In: CVPR, pp. 9185–9193 (2018)

    Google Scholar 

  7. Dziugaite, G.K., Ghahramani, Z., Roy, D.M.: A study of the effect of JPG compression on adversarial images. arXiv preprint arXiv:1608.00853 (2016)

  8. Feinman, R., Curtin, R.R., Shintre, S., Gardner, A.B.: Detecting adversarial samples from artifacts. arXiv preprint arXiv:1703.00410 (2017)

  9. Finlayson, S.G., Chung, H.W., Kohane, I.S., Beam, A.L.: Adversarial attacks against medical deep learning systems. Science 363(6433), 1287–1289 (2018)

    Article  Google Scholar 

  10. Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. In: ICLR (2015)

    Google Scholar 

  11. He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: CVPR, pp. 770–778 (2016)

    Google Scholar 

  12. He, X., Yang, S., Li, G., Li, H., Chang, H., Yu, Y.: Non-local context encoder: Robust biomedical image segmentation against adversarial attacks. In: AAAI, vol. 33, pp. 8417–8424 (2019)

    Google Scholar 

  13. Kaggle: APTOS 2019 Blindness Detection (2019). https://www.kaggle.com/c/aptos2019-blindness-detection

  14. Kaggle: Chest X-Ray Images (Pneumonia) (2019). https://www.kaggle.com/paultimothymooney/chest-xray-pneumonia

  15. Krizhevsky, A.: Learning multiple layers of features from tiny images. University of Toronto, May 2012

    Google Scholar 

  16. Kurakin, A., Goodfellow, I., Bengio, S.: Adversarial machine learning at scale. In: ICLR (2017)

    Google Scholar 

  17. Ji, W., et al.: Uncertainty quantification for medical image segmentation using dynamic label factor allocation among multiple raters. In: MICCAI on QUBIQ Workshop (2020)

    Google Scholar 

  18. Ji, W., et al.: Learning calibrated medical image segmentation via multi-rater agreement modeling. In: CVPR, pp. 12341–12351, June 2021

    Google Scholar 

  19. Lee, K., Lee, K., Lee, H., Shin, J.: A simple unified framework for detecting out-of-distribution samples and adversarial attacks. In: ICLR, pp. 7167–7177 (2018)

    Google Scholar 

  20. Li, H., et al.: High-resolution chest x-ray bone suppression using unpaired CT structural priors. IEEE Trans. Med. Imaging 39, 3053–3063 (2020)

    Article  Google Scholar 

  21. Li, H., Han, H., Zhou, S.K.: Bounding maps for universal lesion detection. In: Martel, A.L., et al. (eds.) MICCAI 2020. LNCS, vol. 12264, pp. 417–428. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59719-1_41

    Chapter  Google Scholar 

  22. Li, X., Zhu, D.: Robust detection of adversarial attacks on medical images. In: IEEE International Symposium on Biomedical Imaging, pp. 1154–1158. IEEE (2020)

    Google Scholar 

  23. Lu, J., Issaranon, T., Forsyth, D.: SafetyNet: detecting and rejecting adversarial examples robustly. In: ICCV, October 2017

    Google Scholar 

  24. Ma, X., et al.: Characterizing adversarial subspaces using local intrinsic dimensionality. In: ICLR (2018)

    Google Scholar 

  25. Ma, X., et al.: Understanding adversarial attacks on deep learning based medical image analysis systems. Pattern Recogn. 110, 107332 (2020)

    Article  Google Scholar 

  26. Maaten, L.V.D., Hinton, G.: Visualizing data using t-SNE. J. Mach. Learn. Res. 9(Nov), 2579–2605 (2008)

    MATH  Google Scholar 

  27. Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A.: Towards deep learning models resistant to adversarial attacks. In: ICLR (2018)

    Google Scholar 

  28. Metzen, J.H., Genewein, T., Fischer, V., Bischoff, B.: On detecting adversarial perturbations. In: ICLR (2017)

    Google Scholar 

  29. Ozbulak, U., Van Messem, A., De Neve, W.: Impact of adversarial examples on deep learning models for biomedical image segmentation. In: Shen, D., et al. (eds.) MICCAI 2019. LNCS, vol. 11765, pp. 300–308. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-32245-8_34

    Chapter  Google Scholar 

  30. Papernot, N., McDaniel, P., Goodfellow, I., Jha, S., Celik, Z.B., Swami, A.: Practical black-box attacks against machine learning. In: ASIA Computer and Communications Security, pp. 506–519 (2017)

    Google Scholar 

  31. Papernot, N., McDaniel, P., Wu, X., Jha, S., Swami, A.: Distillation as a defense to adversarial perturbations against deep neural networks. In: IEEE Symposium on Security and Privacy, pp. 582–597. IEEE (2016)

    Google Scholar 

  32. Paschali, M., Conjeti, S., Navarro, F., Navab, N.: Generalizability vs. robustness: investigating medical imaging networks using adversarial examples. In: Frangi, A.F., Schnabel, J.A., Davatzikos, C., Alberola-López, C., Fichtinger, G. (eds.) MICCAI 2018. LNCS, vol. 11070, pp. 493–501. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00928-1_56

    Chapter  Google Scholar 

  33. Sabour, S., Cao, Y., Faghri, F., Fleet, D.J.: Adversarial manipulation of deep representations. In: IEEE Symposium on Security and Privacy (2016)

    Google Scholar 

  34. Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. In: ICLR (2015)

    Google Scholar 

  35. Szegedy, C., et al.: Intriguing properties of neural networks. In: ICLR (2014)

    Google Scholar 

  36. Taghanaki, S.A., Abhishek, K., Azizi, S., Hamarneh, G.: A kernelized manifold mapping to diminish the effect of adversarial perturbations. In: CVPR, pp. 11340–11349 (2019)

    Google Scholar 

  37. Tramer, F., Carlini, N., Brendel, W., Madry, A.: On adaptive attacks to adversarial example defenses. In: ICLR (2020)

    Google Scholar 

  38. Tramèr, F., Kurakin, A., Papernot, N., Goodfellow, I., Boneh, D., McDaniel, P.: Ensemble adversarial training: attacks and defenses. In: ICLR (2018)

    Google Scholar 

  39. Xu, W., Evans, D., Qi, Y.: Feature squeezing: detecting adversarial examples in deep neural networks. In: Network and Distributed System Security Symposium (2017)

    Google Scholar 

  40. Yao, Q., He, Z., Han, H., Zhou, S.K.: Miss the point: targeted adversarial attack on multiple landmark detection. In: Martel, A.L., et al. (eds.) MICCAI 2020. LNCS, vol. 12264, pp. 692–702. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59719-1_67

    Chapter  Google Scholar 

  41. Yao, Q., Xiao, L., Liu, P., Zhou, S.K.: Label-free segmentation of COVID-19 lesions in lung CT. IEEE Trans. Med. Imaging (2020)

    Google Scholar 

  42. Zheng, Z., Hong, P.: Robust detection of adversarial attacks by modeling the intrinsic properties of deep neural networks. In: Advances in Neural Information Processing Systems, pp. 7913–7922 (2018)

    Google Scholar 

  43. Zhou, S.K., et al.: A review of deep learning in medical imaging: imaging traits, technology trends, case studies with progress highlights, and future promises. Proc. IEEE 109(5), 820–838 (2021)

    Article  Google Scholar 

  44. Zhou, S.K., Rueckert, D., Fichtinger, G.: Handbook of Medical Image Computing and Computer Assisted Intervention. Academic Press, Cambridge (2019)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Key Lab of Intelligent Information Processing of Chinese Academy of Sciences (CAS), Institute of Computing Technology, CAS, Beijing, 100190, China

    Qingsong Yao & S. Kevin Zhou

  2. Princeton University, Princeton, USA

    Zecheng He

  3. Tencent Jarvis Lab, Shenzhen, China

    Yi Lin, Kai Ma & Yefeng Zheng

  4. Medical Imaging, Robotics, and Analytic Computing Laboratory and Engineering (MIRACLE) School of Biomedical Engineering and Suzhou Institute for Advanced Research, University of Science and Technology of China, Suzhou, 215123, China

    S. Kevin Zhou

Authors
  1. Qingsong Yao
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Zecheng He
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Yi Lin
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Kai Ma
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Yefeng Zheng
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. S. Kevin Zhou
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Erasmus MC - University Medical Center Rotterdam, Rotterdam, The Netherlands

    Marleen de Bruijne

  2. University of Basel, Allschwil, Switzerland

    Philippe C. Cattin

  3. Inria Nancy Grand Est, Villers-lès-Nancy, France

    Stéphane Cotin

  4. ICube, Université de Strasbourg, CNRS, Strasbourg, France

    Nicolas Padoy

  5. National Center for Tumor Diseases (NCT/UCC), Dresden, Germany

    Stefanie Speidel

  6. Tencent Jarvis Lab, Shenzhen, China

    Yefeng Zheng

  7. ICube, Université de Strasbourg, CNRS, Strasbourg, France

    Caroline Essert

1 Electronic supplementary material

Below is the link to the electronic supplementary material.

Supplementary material 1 (pdf 316 KB)

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Yao, Q., He, Z., Lin, Y., Ma, K., Zheng, Y., Zhou, S.K. (2021). A Hierarchical Feature Constraint to Camouflage Medical Adversarial Attacks. In: de Bruijne, M., et al. Medical Image Computing and Computer Assisted Intervention – MICCAI 2021. MICCAI 2021. Lecture Notes in Computer Science(), vol 12903. Springer, Cham. https://doi.org/10.1007/978-3-030-87199-4_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-87199-4_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-87198-7

  • Online ISBN: 978-3-030-87199-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation