<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="ru"><front><journal-meta><journal-id journal-id-type="publisher-id">inform</journal-id><journal-title-group><journal-title xml:lang="ru">Информатика</journal-title><trans-title-group xml:lang="en"><trans-title>Informatics</trans-title></trans-title-group></journal-title-group><issn pub-type="ppub">1816-0301</issn><issn pub-type="epub">2617-6963</issn><publisher><publisher-name>UIIP NASB</publisher-name></publisher></journal-meta><article-meta><article-id custom-type="elpub" pub-id-type="custom">inform-876</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>SIGNAL, IMAGE, SPEECH AND TEXT PROCESSING, AND PATTERN RECOGNITION</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="en"><subject>SIGNAL, IMAGE, SPEECH, TEXT PROCESSING AND PATTERN RECOGNITION</subject></subj-group></article-categories><title-group><article-title>Experimental evaluation of adversarial attacks on deep neural networks in medical image recognition tasks</article-title><trans-title-group xml:lang="en"><trans-title>Experimental assessment of adversarial attacks to the deep neural networks in medical image recognition</trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Войнов</surname><given-names>Д. М.</given-names></name><name name-style="western" xml:lang="en"><surname>Voynov</surname><given-names>D. 
M.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Master's student</p></bio><bio xml:lang="en"><p>Master Student</p></bio><email xlink:type="simple">voynovdd@gmail.com</email><xref ref-type="aff" rid="aff-1"/></contrib><contrib contrib-type="author" corresp="yes"><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Ковалев</surname><given-names>В. А.</given-names></name><name name-style="western" xml:lang="en"><surname>Kovalev</surname><given-names>V. A.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Candidate of Technical Sciences, Head of the Laboratory of Biomedical Image Analysis</p></bio><bio xml:lang="en"><p>Cand. Sci. (Eng.), Head of the Laboratory of Biomedical Images Analysis</p></bio><email xlink:type="simple">vassili.kovalev@gmail.com</email><xref ref-type="aff" rid="aff-2"/></contrib></contrib-group><aff-alternatives id="aff-1"><aff xml:lang="ru"><institution>Белорусский государственный университет</institution></aff><aff xml:lang="en"><institution>Belarusian State University</institution></aff></aff-alternatives><aff-alternatives id="aff-2"><aff xml:lang="ru"><institution>Объединенный институт проблем информатики Национальной академии наук Беларуси</institution></aff><aff xml:lang="en"><institution>The United Institute of Informatics Problems of the National Academy of Sciences of Belarus</institution></aff></aff-alternatives><pub-date pub-type="collection"><year>2019</year></pub-date><pub-date pub-type="epub"><day>26</day><month>08</month><year>2019</year></pub-date><volume>16</volume><issue>3</issue><fpage>14</fpage><lpage>22</lpage><permissions><copyright-statement>Copyright &#x00A9; Войнов Д.М., Ковалев В.А., 2019</copyright-statement><copyright-year>2019</copyright-year><copyright-holder xml:lang="ru">Войнов Д.М., Ковалев В.А.</copyright-holder><copyright-holder xml:lang="en">Voynov D.M., Kovalev V.A.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" 
xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is distributed under the Creative Commons Attribution 4.0 license.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://inf.grid.by/jour/article/view/876">https://inf.grid.by/jour/article/view/876</self-uri><abstract><p>This paper studies the vulnerability of deep neural networks, discovered several years ago, to so-called adversarial attacks, which force a network to make erroneous classification decisions. Adversarial attacks are carried out with "attacking" images, which are slightly modified versions of the originals. The aim of the work is to study how the success of adversarial attacks depends on the type of biomedical images being recognized and on the values of the control parameters of the algorithms that generate their attacking versions. The experiments covered eight typical medical diagnosis tasks and used the InceptionV3 deep neural network together with 13 datasets containing more than 900 000 chest X-ray images and histology images of malignant tumors. As the amplitude of the malicious perturbation and the number of iterations used to generate the malicious noise increase, the probability of a classification error grows. At the same time, different image types show different sensitivity to these parameters. Images that the network originally classified with a confidence above 95 % are much more resistant to attacks. 
Neural networks trained to classify histology images proved more resistant to adversarial attacks than networks trained to classify X-ray images.</p></abstract><trans-abstract xml:lang="en"><p>This paper addresses how the success rate of adversarial attacks on deep neural networks depends on the biomedical image type and on the control parameters used to generate adversarial examples. With this work we aim to contribute to the body of experimental results on adversarial attacks available to the community working with biomedical images. White-box Projected Gradient Descent attacks were examined on 8 classification tasks and 13 image datasets containing more than 900 000 chest X-ray and histology images of malignant tumors. Increasing the amplitude of the adversarial perturbation and the number of iterations used to generate adversarial images raises the fraction of successful attacks for the majority of image types examined in this study. Histology images tend to be less sensitive to growth in the amplitude of adversarial perturbations. The success of attacks dropped dramatically when the original confidence of the predicted image class exceeded 0.95.</p></trans-abstract><kwd-group xml:lang="ru"><kwd>adversarial attacks</kwd><kwd>deep learning</kwd><kwd>security</kwd><kwd>X-ray images</kwd><kwd>histology images</kwd></kwd-group><kwd-group xml:lang="en"><kwd>adversarial attacks</kwd><kwd>deep learning</kwd><kwd>security of neural networks</kwd><kwd>chest X-ray images</kwd><kwd>histology images</kwd></kwd-group></article-meta></front><back><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
