Bias Field Poses a Threat to DNN-based X-Ray Recognition
Binyu Tian, Qing Guo, Felix Juefei-Xu, Wen Le Chan, Yupeng Cheng, Xiaohong Li, Xiaofei Xie, Shengchao Qin
College of Intelligence and Computing, Tianjin University, China; Nanyang Technological University, Singapore; Alibaba Group, USA; Teesside University, UK
Abstract
The chest X-ray plays a key role in the screening and diagnosis of many lung diseases, including COVID-19. More recently, many works construct deep neural networks (DNNs) for chest X-ray images to realize automated and efficient diagnosis of lung diseases. However, the bias field caused by an improper medical image acquisition process widely exists in chest X-ray images, while the robustness of DNNs to the bias field is rarely explored, which definitely poses a threat to X-ray-based automated diagnosis systems. In this paper, we study this problem based on recent adversarial attacks and propose a brand new attack, i.e., the adversarial bias field attack, where the bias field instead of additive noise works as the adversarial perturbation for fooling DNNs. This novel attack poses a key problem: how to locally tune the bias field to realize a high attack success rate while maintaining its spatial smoothness to guarantee high realisticity. These two goals contradict each other, which makes the attack significantly challenging. To overcome this challenge, we propose the adversarial-smooth bias field attack, which can locally tune the bias field with joint smooth & adversarial constraints. As a result, the adversarial X-ray images can not only fool the DNNs effectively but also retain a very high level of realisticity. We validate our method on real chest X-ray datasets with powerful DNNs, e.g., ResNet50, DenseNet121, and MobileNet, and show different properties to the state-of-the-art attacks in both image realisticity and attack transferability. Our method reveals the potential threat to DNN-based X-ray automated diagnosis and can definitely benefit the development of bias-field-robust automated diagnosis systems.
Medical image diagnosis and recognition is starting to be automated by DNNs, with the clear advantage of being very efficient in diagnosing disease outcomes. However, unlike human experts, such automated methods based on DNNs still have some caveats. For example, in the presence of image-level degradations during the image acquisition process, the recognition accuracy can be dramatically suppressed. Sometimes, such a DNN-based medical image recognition system can even become entirely vulnerable when maliciously attacked by an adversary or an abuser that is financially incentivized.

∗ Binyu Tian and Qing Guo are co-first authors and contribute equally to this work.
† Qing Guo and Xiaohong Li are the corresponding authors: [email protected], [email protected].

Figure 1: Two cases of our adversarial bias field examples. Our proposed adversarial-smooth bias field attack can adversarially but imperceptibly alter the bias field, misleading advanced DNN models, e.g., ResNet50, to diagnose the normal X-ray image as the pneumonia one. More troubling, the DNN could be fooled to diagnose the pneumonia X-ray image as the normal one, with a higher risk of delaying patients' treatment. (Panels: Original Input, Adversarial Bias Field, Adversarial Example; ResNet50 labels shown: Normal, Pneumonia.)

There are mainly two types of image perturbations or degradations in medical imagery: (1) image noise, and (2) image bias field. The image noise is primarily caused by the image sensor noise, and the image bias field is caused by the spatial variations of radiation (Vovk, Pernus, and Likar 2007), which is very common in medical imaging, ranging from magnetic resonance imaging (MRI) (Ahmed et al. 2002) and computed tomography (CT) (Li et al. 2008; Guo et al. 2017c, 2018) to X-ray imaging, etc. The bias field appears as the intensity inhomogeneity in MRI, CT, or X-ray images. For consumer digital imaging, the bias field shows up as illumination changes or the vignetting effect.

In this work, we want to reveal this vulnerability caused by the image bias field. To the best of our knowledge, this is the very first attempt to adversarially perturb the bias field in order to attack DNN-based X-ray recognition. Contrary to the additive noise-perturbation attack on DNN-based recognition systems, the attack on the bias field is multiplicative in nature (Zheng and Gee 2010), which is fundamentally different from the noise attack.
What is more important is that, in order to make the bias field attack realistic and imperceptible, successful attacks need to maintain the smoothness property of the bias field, which is genuinely more challenging because local smoothness usually conflicts with high attack success rates.

To overcome this challenge, we capitalize on this proprietary degradation surrounding X-ray imagery and initiate adversarial attacks based on imperceptible modification of the bias field itself. Specifically, we have proposed the adversarial-smooth bias field generator that can locally tune the bias field with joint smooth and adversarial constraints by tapping into the bias field generation process based on a multivariate polynomial model. As a result, the adversarially perturbed bias field applied to the X-ray image can not only fool the DNN-based recognition system effectively, but also retain a high level of realisticity. We have validated our proposed method on several chest X-ray classification datasets with state-of-the-art DNNs such as ResNet, DenseNet, and MobileNet, by showing superior performance in terms of both image realisticity and high attack success rates. A careful investigation into which bias field region contributes more significantly to the adversarial nature of the attack can lead to a better interpretation and understanding of the DNN-based recognition system and its vulnerability, which, we believe, is of utmost importance. The ultimate goal of this work is to reveal that the bias field does pose a potential threat to DNN-based automated recognition systems, and the work can definitely benefit the development of bias-field-robust automated diagnosis systems in the future.

In this section, we summarize the related works, including X-ray imagery recognition, noise-based adversarial attacks and adversarial attacks on medical imagery.
X-ray radiography is widely used in the medical field for diagnosis or treatment of diseases. In recent years, many public X-ray image datasets have been made available, leading to a wide literature examining data mining or deep learning techniques on such datasets.

One of the largest datasets is the ChestX-ray14 dataset from the National Institutes of Health (NIH) Clinical Center, which contains over 108,948 frontal-view X-ray images with 14 thoracic diseases, and other non-image features. Together with the dataset, (Wang et al. 2017) evaluates the performance of 4 classic convolutional neural networks (CNNs), namely AlexNet, ResNet-50, VGGNet, and GoogLeNet, on the multi-label image classification of diseases, creating an initial baseline of average area under the ROC curve (AUC) of 0.745 over all 14 diseases.

Inspired by this work, many researchers started utilising the power of deep neural networks for chest X-ray (CXR) classification. (Li et al. 2017) presents a framework to jointly perform disease classification and localisation. With the use of bounding boxes to predict lesion area location, the classification performance is improved to an average AUC of 0.755. (Yao et al. 2017) proposes the use of a CNN backbone with a variant of the DenseNet model, combined with a long short-term memory network (LSTM) to exploit statistical dependencies between labels, achieving an average AUC of 0.761. (Guan and Huang 2020) explores a category-wise residual attention learning (CRAL) framework, which is made up of a feature embedding module and an attention learning module. Different attention weights are given to enhance or restrain different feature spatial regions, yielding an average AUC score of 0.816. (Rajpurkar et al. 2017) proposes the use of transfer learning by fine-tuning a modified DenseNet, resulting in an algorithm called CheXNet, a 121-layer CNN. It further raises the average AUC to 0.842. (Guan et al. 2018) presents the use of a three-branch attention guided CNN, which focuses on local cues from (small) localized lesion areas. The combination of local cues and global features achieves an average AUC of 0.871. The state-of-the-art results using the official split released by (Wang et al. 2017) are held by (Gündel et al. 2018) with an average AUC of 0.817. That paper argues that when a random split is used, the same patient is likely to appear in both the train and test sets, and this overlap affects performance comparison. The method proposed is a location-aware DenseNet-121, trained on ChestXRay14 data and the PLCO dataset, which incorporates the use of spatial information in high-resolution images.

The power of deep learning techniques on CXR is also explored for the detection of COVID-19, motivated by the need for quick, effective and convenient screening. Studies showed that some COVID-19 patients displayed abnormalities in their CXR images. (Wang and Wong 2020) releases an open access benchmark dataset, COVIDx, along with COVID-Net, a deep CNN designed for detection of COVID-19 from CXR images, achieving a sensitivity of 97.3 and a positive predictive value of 99.7. Many studies have also leveraged variants of the dataset and network for prediction of COVID-19 (Afshar et al. 2020; Li and Zhu 2020; Tartaglione et al. 2020).

Despite the strong performance of DNNs, and considerations made to address data irregularities like class imbalance in datasets, the effect of medical image degradation on disease identification was rarely investigated and addressed. For example, the bias field, also referred to as intensity inhomogeneity, is a low-frequency smooth intensity signal across images due to imperfections in image acquisition methods. The bias field could adversely affect quantitative image analysis (Juntu et al. 2005). Many inhomogeneity correction strategies are hence proposed in the literature (Brey and Narayana 1988) (Fan et al. 2003) (Thomas et al. 2005).

However, the possible detrimental effects of the bias field on disease identification, localization or segmentation are rarely explored in the literature, hence the DNNs proposed may not be robust towards this inherent degradation. To the best of the authors' knowledge, this paper is the very first work that looks at the effect of the bias field from the view of adversarial attack.
Despite the robustness of various DNNs deployed in solving different recognition problems in image, speech or natural language processing applications, many studies have shown that DNNs are susceptible to adversarial attacks (Szegedy et al. 2013) (Goodfellow, Shlens, and Szegedy 2014). There exists a large literature proposing different adversarial attacks (Guo et al. 2020b,c; Wang et al. 2020; Cheng et al. 2020a), and they can generally be classified into attacks in the training and testing stages.

In the training stage, attackers can carry out data poisoning, which involves the insertion of adversarial examples into the training dataset, affecting the model's performance. For example, poison frog leverages inserting images into the dataset to ensure the wrong classification will be given to a target test sample (Shafahi et al. 2018). The use of a direct gradient method in generating adversarial images against neural networks is also explored (Yang et al. 2017).

In the testing stage, attackers can carry out either white-box or black-box attacks. In white-box attacks, attackers are assumed to have access to the target classifier. (Biggio et al. 2013) focuses on optimising the discriminant function to mislead a 3-layer fully connected neural network. (Shafahi et al. 2018) suggests that a certain imperceptible perturbation can be applied to cause misclassification of an image, and this effect can be transferred to other different networks trained on similar data to misclassify the same input. The fast gradient sign method (FGSM) is proposed by (Goodfellow, Shlens, and Szegedy 2014). It involves only one back propagation step when calculating the gradient of the cost function, hence allowing fast adversarial example generation. (Kurakin, Goodfellow, and Bengio 2016) proposes the iterative version of FGSM, known as the basic iteration method (BIM), which heuristically searches for examples that are most likely to fool the classifier. Given the presence of literature that defends against FGSM methods, (Carlini and Wagner 2017) proposes the use of margin loss instead of entropy loss during attacks. (Cisse et al. 2017) proposes an approach named HOUDINI, which generates adversarial examples for fooling visual and speech recognition models. Instead of altering pixel values, spatial transformed attacks are also proposed to perform special transformations such as translation or rotation on images (Xiao et al. 2018).

In black-box attacks, attackers have no access to the classifier's parameters or training sets. (Papernot et al. 2017) proposes the exploitation of the transferability of adversarial examples. A model similar to the target classifier is first trained, then adversarial examples generated to attack the trained model are used to target the actual classifier. (Fredrikson, Jha, and Ristenpart 2015) explores the exploitation of knowledge of the confidence values of the target classifier as predictions are made.
There is existing literature that looks into adversarial attacks against deep learning systems for medical imagery. (Finlayson et al. 2018) shows that both black-box and white-box PGD attacks and adversarial patch attacks could affect the performance of classifiers modelled after state-of-the-art systems on fundoscopy, chest X-ray and dermoscopy, respectively. Similarly, (Paschali et al. 2018) also shows that small perturbations can create a classification performance drop across state-of-the-art networks such as Inception and UNet, for which accuracy drops from above 87% on normal medical images to almost 0% on adversarial examples. By producing a crafted mask, an adaptive segmentation mask attack (ASMA) is proposed to fool DNN models for segmenting medical imagery (Ozbulak, Van Messem, and De Neve 2019).

In medical adversarial defence, (Li, Pan, and Zhu 2020) proposes an unsupervised detection of adversarial samples in which unsupervised adversarial detection (UAD) is complemented with semi-supervised adversarial training (SSAT). The proposed model claims to demonstrate superior performance in medical defence against other techniques. (Ma et al. 2020) further proposes that medical DNNs are more vulnerable to attacks due to the specific characteristics of medical images, which have high-gradient regions sensitive to perturbations, and the over-parameterization of state-of-the-art DNNs. This work then proposes an adversarial detector specifically designed for medical image attacks, achieving over 98% detection AUC.

However, very little literature has leveraged and conducted adversarial attacks based on the inherent characteristics of the targeted medical imagery. For example, the common noise degradation used for general adversarial attacks is rarely found in X-ray imagery. Hence in this work, we capitalize on the proprietary degradation surrounding X-ray imagery, the bias field, and initiate adversarial attacks based on imperceptible modification of the bias field itself.
Given an X-ray image, e.g., $X^a$, we can assume it is generated by adding a bias field $B$ to a clean version, i.e., $X$, with the widely used imaging model

$$X^a = X B. \tag{1}$$

Under the automated diagnosis task where a DNN is used to recognize the category (i.e., normal or abnormal) of $X^a$, it is necessary to explore a totally new task, i.e., the adversarial bias field attack, which aims to fool the DNN by calculating an adversarial bias field $B$, with which we can study the influence of the bias field as well as the potential threat of utilizing it to fool automated diagnosis.

A simple way is to take the logarithm of Eq. 1 and transform the multiplication into an additive operation

$$\hat{X}^a = \hat{X} + \hat{B}, \tag{2}$$

where we use '$\hat{\cdot}$' to represent the logarithm of a variable. With Eq. 2, it seems that all existing additive-based adversarial attacks, i.e., FGSM, BIM, MIFGSM, DIM, and TIMIFGSM, could be used for the new attack. For example, we can calculate $\hat{B}$ to realize the attack by solving

$$\arg\max_{\hat{B}} J(\hat{X} + \hat{B}, y), \quad \text{subject to } \|\hat{B}\|_p \le \epsilon, \tag{3}$$

where $J(\cdot)$ is the loss function for classification, e.g., the cross-entropy loss, and $y$ denotes the ground truth label of $X$. Nevertheless, we argue that such a solution cannot generate a real 'bias field', since the optimized $\hat{B}$ violates the basic property of the bias field, i.e., spatially smooth changes resulting in intensity inhomogeneity. For example, as shown in Fig. 2, when we optimize Eq. 3 to produce a bias field, we can attack ResNet50 successfully while the bias field is noise-like and far from its appearance in the real world.

Figure 2: An example of using Eq. 3 to generate the non-smooth adversarial bias field. (Panels: Original Input, Non-smooth Adv. Bias Field, Adversarial Example; ResNet50 labels shown: Normal, Pneumonia.)

As a result, due to the requirement of spatial smoothness of the bias field, the adversarial bias field attack poses a totally new challenge to the field of adversarial attack: how to generate an adversarial perturbation that can not only achieve a high attack success rate but also maintain its spatial smoothness for the realisticity of the bias field. Actually, since a high attack success rate relies on a pixel-wise tunable perturbation, which violates the smoothness requirement of the bias field, the two constraints contradict each other and make the adversarial bias field attack significantly challenging.

To overcome the above challenge, we propose the distortion-aware multivariate polynomial model to represent the bias field, whose inherent property guarantees the spatial smoothness of the bias field while the distortion helps achieve an effective attack. Then, we define a new objective function for effective attack by combining the constraints of a spatially smooth bias field and sparsity of the original image with the adversarial loss. Finally, we introduce the optimization method and attack algorithm.
Distortion-aware multivariate polynomial model. We model the bias field $\hat{B}$ as

$$\hat{B}_i = \sum_{t=D}^{D} \sum_{l=D}^{D-t} a_{t,l}\, T_\theta(x_i)^t\, T_\theta(y_i)^l \tag{4}$$

where $T_\theta$ represents the distortion transformation, and we use the thin plate spline (TPS) transformation with $\theta$ being the control points. We denote $i$ as the $i$-th pixel with its coordinates $(x_i, y_i)$, while $(T_\theta(x_i), T_\theta(y_i))$ means the pixel has been distorted by a TPS. In addition, $\{a_{t,l}\}$ and $D$ are the parameters and degree of the multivariate polynomial model, respectively, and the number of parameters is $|\{a_{t,l}\}| = \frac{(D - D + 1)(D - D + 2)}{2}$. For convenient representation, we concatenate $\{a_{t,l}\}$ and obtain a vector $\mathbf{a}$.

Adversarial-smooth objective function. With Eq. 4, we can tune $\mathbf{a}$ and $\theta$ for adversarial attack, and the multivariate polynomial model can help preserve the smoothness of the bias field. Intuitively, on the one hand, a lower degree $D$ leads to fewer model parameters $|\{a_{t,l}\}|$, and a smoother bias field could be obtained. On the other hand, the distortion $(T_\theta(x_i), T_\theta(y_i))$ can be locally tuned with different $\theta$ and can help achieve an effective attack. The key problem is how to calculate $\{a_{t,l}\}$ and $\theta$ to balance the spatial smoothness and the adversarial attack. To this end, we define a new objective function to realize the attack:

$$\arg\max_{\mathbf{a},\theta} J(\hat{X} + \hat{B}(\mathbf{a},\theta), y) - \lambda_a \|\mathbf{a}\| - \lambda_\theta \|\theta - \theta\|, \tag{5}$$

where $\theta$ represents parameters of the identity TPS transformation, i.e., $x_i = T_\theta(x_i)$. The first term tunes $\mathbf{a}$ and $\theta$ to fool a DNN for X-ray recognition. The second term encourages the sparsity of $\{a_{t,l}\}$ and makes the bias field smooth. The final term keeps the TPS transformation from going far away from the identity version. Two hyper-parameters, i.e., $\lambda_a$ and $\lambda_\theta$, control the balance between the smoothness and the adversarial attack.

Like the optimization methods used in general adversarial noise attacks, we solve Eq. 3 and 5 via sign gradient descent, where $\mathbf{a}$ and $\theta$ are updated at a fixed rate

$$\mathbf{a}_t = \mathbf{a}_{t-1} + \epsilon_a\, \mathrm{sign}(\nabla_{\mathbf{a}_{t-1}}), \tag{6}$$

$$\theta_t = \theta_{t-1} + \epsilon_\theta\, \mathrm{sign}(\nabla_{\theta_{t-1}}), \tag{7}$$

where $\nabla_{\mathbf{a}_{t-1}}$ and $\nabla_{\theta_{t-1}}$ denote the gradient of $\mathbf{a}_{t-1}$ and $\theta_{t-1}$ with respect to the objective function in Eq. 5, respectively. For Eq. 3, we use the same scheme to update $\hat{B}$ directly. We fix $\epsilon_a = \epsilon_\theta =$ 0 . with the iteration number being 10.

In this section, we conduct comprehensive experiments on a real chest X-ray dataset to validate the effectiveness of our method and discuss how the bias field affects X-ray recognition. We want to answer the following questions:

❶ What are the differences and advantages of the adversarial bias field attack over existing adversarial noise attacks?
❷ How and why can the bias fields affect the X-ray recognition?
❸ How do the hyper-parameters affect the attack results?
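An added example, not code from the paper: it builds a log-domain polynomial field in the spirit of Eq. 4 (with the identity transformation instead of TPS and all monomials with t + l ≤ D, both assumptions of this example), applies it through Eqs. 1 and 2, and checks whether the perturbation between a clean and an observed image is explained by such a smooth field or is noise-like as in Fig. 2. The function names, coefficients, tolerance and the synthetic image are constructed for illustration.

```python
import numpy as np


def monomial_basis(height, width, degree):
    """Exponent pairs (t, l) with t + l <= degree, and the monomials x^t * y^l.

    Coordinates are normalised to [-1, 1]. Assumptions of this example: the
    identity transformation is used (no TPS distortion) and degrees start at 0.
    """
    ys, xs = np.meshgrid(np.linspace(-1.0, 1.0, height),
                         np.linspace(-1.0, 1.0, width), indexing="ij")
    exponents = [(t, l) for t in range(degree + 1) for l in range(degree + 1 - t)]
    basis = np.stack([xs ** t * ys ** l for t, l in exponents], axis=-1)
    return exponents, basis  # basis has shape (height, width, n_terms)


def log_bias_field(coeffs, basis):
    """Log-domain bias field: weighted sum of the monomials (cf. Eq. 4)."""
    return basis @ np.asarray(coeffs, dtype=float)


def apply_bias_field(image, log_field):
    """Multiplicative imaging model of Eq. 1: X^a = X * B, B = exp(log_field)."""
    return image * np.exp(log_field)


def roughness(field):
    """Mean absolute discrete Laplacian over interior pixels (0 for a plane)."""
    lap = (field[:-2, 1:-1] + field[2:, 1:-1] + field[1:-1, :-2]
           + field[1:-1, 2:] - 4.0 * field[1:-1, 1:-1])
    return float(np.mean(np.abs(lap)))


def polynomial_residual(clean, observed, degree, eps=1e-6):
    """RMS of the log-ratio (Eq. 2) left unexplained by a degree-D polynomial."""
    log_ratio = (np.log(observed + eps) - np.log(clean + eps)).ravel()
    _, basis = monomial_basis(clean.shape[0], clean.shape[1], degree)
    design = basis.reshape(-1, basis.shape[-1])
    coeffs, *_ = np.linalg.lstsq(design, log_ratio, rcond=None)
    return float(np.sqrt(np.mean((log_ratio - design @ coeffs) ** 2)))


def consistent_with_bias_field(clean, observed, degree=2, tol=1e-3):
    """True when the perturbation is explained by a smooth polynomial field."""
    return polynomial_residual(clean, observed, degree) < tol


def demo(size=64, degree=2):
    rng = np.random.default_rng(0)
    clean = rng.uniform(0.2, 0.8, size=(size, size))  # constructed stand-in image
    _, basis = monomial_basis(size, size, degree)
    # Constructed coefficients, ordered as (0,0),(0,1),(0,2),(1,0),(1,1),(2,0).
    smooth = log_bias_field([0.0, 0.05, -0.03, 0.04, 0.02, -0.06], basis)
    amplitude = float(np.max(np.abs(smooth)))
    # Noise-like log perturbation with the same max amplitude (cf. Fig. 2).
    noisy = amplitude * rng.choice([-1.0, 1.0], size=(size, size))
    biased = apply_bias_field(clean, smooth)
    perturbed = apply_bias_field(clean, noisy)
    return {
        "amplitude": amplitude,
        "log_additive": bool(np.allclose(np.log(biased), np.log(clean) + smooth)),
        "smooth_roughness": roughness(smooth),
        "noise_roughness": roughness(noisy),
        "smooth_residual": polynomial_residual(clean, biased, degree),
        "noise_residual": polynomial_residual(clean, perturbed, degree),
        "smooth_ok": consistent_with_bias_field(clean, biased, degree),
        "noise_ok": consistent_with_bias_field(clean, perturbed, degree),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check needs the clean reference image, so it fits a robustness-evaluation harness where both versions are available rather than a deployed classifier.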
Dataset. We carry out our experiments on a chest X-ray dataset about pneumonia, which contains 5863 X-ray images. These images were selected from retrospective cohorts of pediatric patients. The dataset is divided into two categories, i.e., pneumonia and normal. (Footnote: Please find more details about the dataset in .)

Models. In order to show the effect of the attack on different neural network models, we fine-tune three pre-trained models on the chest X-ray dataset. The three models are ResNet50, MobileNet and Densenet121 (Dense121). The accuracy of ResNet50, MobileNet and Densenet121 is 88.62%, 88.94% and 87.82%, respectively.

Metrics. We choose the attack success rate and image quality to evaluate the effectiveness of the bias field attack. The image quality measurement metric is BRISQUE (Mittal, Moorthy, and Bovik 2012). BRISQUE is an unsupervised image quality assessment method. A high BRISQUE score indicates poor image quality.
Baselines. We select five adversarial attack methods as our baselines, which include the basic iterative method (BIM) (Kurakin, Goodfellow, and Bengio 2016), the Carlini & Wagner L2 method (C&W L2) (Carlini and Wagner 2017), the saliency map method (SaliencyMap) (Papernot et al. 2016), the fast gradient sign method (FGSM) (Goodfellow, Shlens, and Szegedy 2014) and the momentum iterative fast gradient sign method (MIFGSM) (Dong et al. 2018).

For the hyperparameters of these baselines, we use the default setup of foolbox (Rauber, Brendel, and Bethge 2017). We set the max perturbation to be $\epsilon =$ 0 . relative to the [0,1] range in basic experiments. Besides, we set the iterations to be 10 for MIFGSM and BIM.

For our method, we set the size of the control points, $D$ and $D$ as (16*16), 10 and 1, respectively. Table 1 shows the quantitative results of our method and the baseline methods, which are obtained with different settings. Specifically, we conduct two different attacks, i.e., the white-box attack and the transfer attack. The white-box attack aims to attack the target DNN directly, while the transfer attack attacks the target DNN with the adversarial examples generated from other models. For example, for the transfer attack in Table 1, the attack is performed on DNNs in the first row, and the generated adversarial examples are used to attack DNNs in the first two columns of the second row.

As we can see, for the white-box attack (i.e., the third column for each model), the success rate of our method is lower than that of the existing baselines. For example, on ResNet50, our method achieves a 38.69% success rate while most of the baselines achieve a 100% success rate. The main reason is that the existing attack techniques can add arbitrary noise to the image, which is not realistic. However, our method has a strict smoothness limitation such that the generated adversarial examples look more realistic. In Fig. 3, we show some examples generated by different attacks. The first row shows the original images while the following rows list the corresponding adversarial examples. It is clear that our method could generate high-quality adversarial examples that are smooth and realistic. In most cases, the change between the original image and the generated image is imperceptible. However, we could find obvious noise in the adversarial examples generated by the baseline methods. Such noise rarely appears in X-rays in the real world.

For the transfer attack (i.e., the first two columns), we found that our method achieves a much higher success rate than the others. For example, the attack on ResNet50 achieves 7.57% and 14.05% transfer success rates on MobileNet and DenseNet121, respectively. However, the best results of the baselines are only 1.08% and 0.18%. This is because existing techniques calculate ad-hoc noise, which may only be effective on the target DNN but not on other models. However, our attack considers the smoothness such that the generated adversarial examples are more realistic. Such adversarial examples are more robust and could reveal the common weakness of different DNNs (i.e., a higher success rate of the transfer attack). The results indicate that our method could generate high-quality adversarial examples. We also compare the image quality with the BRISQUE score (i.e., the fourth column). The results show that our method could achieve competitive results with the state of the art.

In summary, our method aims to generate high-quality and realistic adversarial examples. To generate such adversarial examples, the attack success rate is naturally lower than that of the noise-based adversarial attack techniques.

In this subsection, we aim to explore how the bias field affects DNN-based X-ray recognition. (Fong and Vedaldi 2017) proposes a method for understanding DNNs with the adversarial noise attack and generates an interpretable map indicating the classification-sensitive regions of a DNN.
Inspired by this idea, we can study which regions in the chest X-ray images are sensitive to the bias field and affect the X-ray recognition. Specifically, given an adversarial bias field example $X^a$ generated by our method and the original image $X$, we can calculate an interpretable map $M$ for a DNN $\mathrm{DNN}(\cdot)$ by optimizing

$$\arg\min_{M} \mathrm{DNN}_y(M \odot X^a + (1 - M) \odot X) + \lambda \|M\| + \lambda\, \mathrm{TV}(M) \tag{8}$$

where $\mathrm{DNN}_y(\cdot)$ denotes the score at label $y$, which is the ground truth label of $X$, and $\mathrm{TV}(\cdot)$ is the total-variation norm. Intuitively, optimizing Eq. (8) finds the region that causes misclassification. We optimize Eq. (8) via gradient descent in 150 iterations and fix $\lambda =$ 0 . and $\lambda =$ 0 . .

With Eq. 8, given a pre-trained model, i.e., $\mathrm{DNN}(\cdot)$, and a dataset $\mathcal{X}$ containing the successfully attacked X-ray images, we can calculate an $M$ for each X-ray image and then average all interpretable maps to show the statistical regions that are sensitive to the bias field. For example, we adopt ResNet50 as the subject model and construct $\mathcal{X}$ with 240 attacked X-ray images that can fool ResNet50 successfully. Then, we calculate the interpretable maps for all images in $\mathcal{X}$ (e.g., the second row in Fig. 4) and average them, achieving a statistical mean map (e.g., the left image shown in Fig. 4). According to the visualization results, we observe that:

❶ Our method helps identify the bias-field-sensitive regions in each attacked X-ray image, and we observe that these regions are related to the organ positions. This demonstrates that the effect of the bias field on the DNN stems from intensity variation around organs.

❷ According to the statistical mean map, we see that the bias-field-sensitive regions are mainly located at the top and bottom positions across all attacked images, suggesting that future DNN designs should consider the spatial variations within X-ray images.

We observe similar results on other DNNs (please find more results in the supplementary material), hinting that these are common phenomena in DNN-based X-ray recognition and demonstrating the potential applications of this work.

Figure 3: Examples of adversarial examples generated with different techniques. (Rows: Original, Ours, MIFGSM, FGSM, BIM.)

Table 1: Adversarial comparison results on the chest X-ray dataset with five attack baselines and our method. It contains the success rates (%) of transfer & whitebox adversarial attacks on three normally trained models: ResNet50, Dense121, and MobileNet. For each four columns, whitebox attack results are shown in the third one. The first two columns display the transfer attack results. And the last column shows the BRISQUE score. (Column headers read "crafted from → attacked model".)

| Attack | ResNet50 → MobileNet | ResNet50 → Dense121 | ResNet50 → ResNet50 | BRISQUE | Dense121 → ResNet50 | Dense121 → MobileNet | Dense121 → Dense121 | BRISQUE | MobileNet → ResNet50 | MobileNet → Dense121 | MobileNet → MobileNet | BRISQUE |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BIM | 0.36 | 0 | 100 | 30.0249 | 0.54 | 0.36 | 100 | 29.6599 | 0 | 0 | 100 | 29.9947 |
| C&W L2 | | | | | | | | | | | | |
We also evaluate the effects of the hyper-parameters in our attack, i.e., $\theta$ and $D$ in Equation 4. Specifically, we change $\theta$ for the TPS transformation by changing the number of control points. We use (gridsize × gridsize) to denote the control points in the TPS transformation. Then we select different gridsize values to conduct the attack. For the parameter $D$, we set the fixed $D$ as 10 and change the value of $D$, i.e., we observe part of the sample display of the bias field by ignoring the lowest $D$ degrees in the multivariate polynomial model.

Table 2 shows the results with different configurations. In the second row, we fix $D$ as 0 and change the value of gridsize to 4, 8, 12 and 16, respectively. As we can see, there seems to be no clear difference in the attack success rate when the parameter gridsize varies. We conjecture that the attack could easily reach the upper bound in terms of the success rate with different gridsize values. Figure 5 shows the bias field change with different gridsize values over multiple iterations. Intuitively, we can see that when gridsize is smaller, more parts of the image can be adjusted in each iteration and the image may become less smooth. However, when gridsize becomes larger, there are more grids, which could provide more fine-grained changes. Thus the generated image can be smoother.

Then we fix gridsize as 16 and change the parameter $D$ to 0, 1, 2 and 3 (in the third row). As we can see, as $D$ increases (i.e., more lower degrees are ignored), the success rate of our method decreases and the BRISQUE score decreases. This is reasonable, as ignoring more low degrees in Equation 4 may reduce the space of the manipulation, resulting in higher image quality and a lower attack success rate. The visualization results are shown in Fig. 6.
When more lower degrees are ignored (i.e., larger $D$), the bias field samples tend to be less smooth.

Table 2: Adversarial comparison results on the chest X-ray dataset with different setups of hyper-parameters in our method. It contains the success rates (%) of transfer & whitebox adversarial attacks. For each model, the first two columns display the blackbox attack results, the third one shows the attack results and the last column shows the BRISQUE score. (Column headers read "crafted from → attacked model".)

| (gridsize, gridsize), D | ResNet50 → MobileNet | ResNet50 → Dense121 | ResNet50 → ResNet50 | BRISQUE | Dense121 → ResNet50 | Dense121 → MobileNet | Dense121 → Dense121 | BRISQUE | MobileNet → ResNet50 | MobileNet → Dense121 | MobileNet → MobileNet | BRISQUE |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| (4,4), 0 | 10.84 | 15.33 | 37.97 | 32.4873 | 14.65 | 8.29 | 31.39 | 31.331 | 21.52 | 20.44 | 35.68 | 34.9368 |
| (8,8), 0 | 9.91 | 14.05 | 37.79 | 32.5778 | 13.2 | 6.49 | 31.57 | 31.3609 | 21.7 | 20.26 | 35.68 | 34.0957 |
| (12,12), 0 | 9.73 | 14.23 | 37.61 | 32.097 | 12.84 | 6.49 | 31.2 | 31.9176 | 21.7 | 20.44 | 35.86 | 34.3194 |
| (16,16), 0 | 10.81 | 14.42 | 38.34 | 32.3661 | 13.56 | 6.85 | 31.02 | 31.4455 | 21.34 | 20.26 | 36.04 | 34.0944 |
| (16,16), 1 | 11.35 | 13.5 | 36.89 | 31.3312 | 14.65 | 9.37 | 32.12 | 30.6853 | 17 | 19.34 | 32.79 | 31.7842 |
| (16,16), 2 | 8.11 | 7.85 | 29.48 | 29.0977 | 12.84 | 8.83 | 26.09 | 30.0223 | 12.12 | 11.86 | 26.85 | 29.5885 |
| (16,16), 3 | 4.15 | 2.19 | 18.81 | 28.606 | 4.7 | 4.68 | 16.24 | 29.0152 | 4.7 | 3.47 | 15.32 | 29.2909 |

Figure 4: Pipeline and examples of exploring bias-field-sensitive regions. A subject model, i.e., ResNet50, is employed to generate adversarial bias field examples for 240 X-ray images, and we then use Eq. 8 to produce the interpretable map $M$ for each image (i.e., the images in the second row, where the maps are blended with the raw X-ray images for better understanding). Finally, we can calculate an averaging map covering all interpretable maps and blend it with raw images (i.e., the images in the third row).

Figure 5: Effects of the multivariate polynomial model with different control points (i.e., gridsize). The first column shows the size of the control points. The following columns show the bias fields that are generated by iteratively changing the position of the control points. (Rows: (4,4), (8,8), (12,12), (16,16); columns: i=1 to i=5.)

Figure 6: Effects of the multivariate polynomial model with different numbers of degrees, i.e., $D$ and $D$ in Eq. 4. (Panels: D: 0, D: 1, D: 2, D: 3.)

Deep learning has been used in chest X-ray image recognition for the diagnosis of lung diseases (e.g., COVID-19). It is especially important to ensure the robustness of the DNN in this scenario. To tackle this problem, this paper proposed a new adversarial bias field attack, which aims to generate more realistic adversarial examples by adding smoother perturbations instead of noise. We demonstrated the effectiveness of our attack on widely used DNNs. The results show that our method can generate high-quality adversarial examples, which achieve a high success rate in the transfer attack. The generated realistic images can reveal issues of the DNN, which calls for attention to robustness enhancement of deep learning-based healthcare systems.

In the future, we will extend the adversarial bias field attack to other computer vision tasks, e.g., natural image classification (Guo et al. 2020b), face recognition (Wang et al. 2020), visual object tracking (Guo et al. 2020c,a, 2017a,b; Zhou et al. 2017), etc., and also use it in tandem with other attack modalities that are not based on additive noise in nature, such as (Gao et al. 2020; Cheng et al. 2020b; Zhai et al. 2020). In addition, we can regard our adversarial bias field as a new kind of mutation for DNN testing (Xie et al. 2019a; Ma et al. 2018b; Du et al. 2019; Xie et al. 2019b; Ma et al. 2018a, 2019).

References
Afshar, P.; Heidarian, S.; Naderkhani, F.; Oikonomou, A.; Plataniotis, K. N.; and Mohammadi, A. 2020. Covid-caps: A capsule network-based framework for identification of covid-19 cases from x-ray images. arXiv preprint arXiv:2004.02696.
Ahmed, M. N.; Yamany, S. M.; Mohamed, N.; Farag, A. A.; and Moriarty, T. 2002. A modified fuzzy c-means algorithm for bias field estimation and segmentation of MRI data. IEEE transactions on medical imaging
Joint European conference on machine learning and knowledge discovery in databases, 387–402. Springer.
Brey, W. W.; and Narayana, P. A. 1988. Correction for intensity falloff in surface coil magnetic resonance imaging. Medical Physics
, 39–57. IEEE.
Cheng, Y.; Guo, Q.; Juefei-Xu, F.; Xie, X.; Lin, S.-W.; Lin, W.; Feng, W.; and Liu, Y. 2020a. Pasadena: Perceptually Aware and Stealthy Adversarial Denoise Attack. arXiv preprint arXiv:2007.07097.
Cheng, Y.; Juefei-Xu, F.; Guo, Q.; Fu, H.; Xie, X.; Lin, S.-W.; Lin, W.; and Liu, Y. 2020b. Adversarial Exposure Attack on Diabetic Retinopathy Imagery. arXiv preprint arXiv.
Cisse, M. M.; Adi, Y.; Neverova, N.; and Keshet, J. 2017. Houdini: Fooling deep structured visual and speech recognition models with adversarial examples. In Advances in neural information processing systems, 6977–6987.
Dong, Y.; Liao, F.; Pang, T.; Su, H.; Zhu, J.; Hu, X.; and Li, J. 2018. Boosting adversarial attacks with momentum. In Proceedings of the IEEE conference on computer vision and pattern recognition, 9185–9193.
Du, X.; Xie, X.; Li, Y.; Ma, L.; Liu, Y.; and Zhao, J. 2019. Deepstellar: Model-based quantitative analysis of stateful deep learning systems. In Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 477–487.
Fan, A.; Wells, W. M.; Fisher, J. W.; Cetin, M.; Haker, S.; Mulkern, R.; Tempany, C.; and Willsky, A. S. 2003. A unified variational approach to denoising and bias correction in MR. In Biennial international conference on information processing in medical imaging, 148–159. Springer.
Finlayson, S. G.; Chung, H. W.; Kohane, I. S.; and Beam, A. L. 2018. Adversarial attacks against medical deep learning systems. arXiv preprint arXiv:1804.05296.
Fong, R. C.; and Vedaldi, A. 2017. Interpretable Explanations of Black Boxes by Meaningful Perturbation. In ICCV, 3449–3457.
Fredrikson, M.; Jha, S.; and Ristenpart, T. 2015. Model inversion attacks that exploit confidence information and basic countermeasures. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 1322–1333.
Gao, R.; Guo, Q.; Juefei-Xu, F.; Yu, H.; Ren, X.; Feng, W.; and Wang, S. 2020. Making Images Undiscoverable from Co-Saliency Detection. arXiv preprint arXiv.
Goodfellow, I. J.; Shlens, J.; and Szegedy, C. 2014. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572.
Guan, Q.; and Huang, Y. 2020. Multi-label chest X-ray image classification via category-wise residual attention learning. Pattern Recognition Letters
CoRR abs/1801.09927.
Gündel, S.; Grbic, S.; Georgescu, B.; Zhou, S. K.; Ritschl, L.; Meier, A.; and Comaniciu, D. 2018. Learning to recognize Abnormalities in Chest X-Rays with Location-Aware Dense Networks. CoRR abs/1803.04565.
Guo, Q.; Feng, W.; Zhou, C.; Huang, R.; Wan, L.; and Wang, S. 2017a. Learning dynamic siamese network for visual object tracking. In Proceedings of the IEEE international conference on computer vision, 1763–1771.
Guo, Q.; Feng, W.; Zhou, C.; Pun, C.-M.; and Wu, B. 2017b. Structure-regularized compressive tracking with online data-driven sampling. IEEE Transactions on Image Processing
IEEE Transactions on Image Processing 29: 2999–3013.
Guo, Q.; Juefei-Xu, F.; Xie, X.; Ma, L.; Wang, J.; Feng, W.; and Liu, Y. 2020b. ABBA: Saliency-Regularized Motion-Based Adversarial Blur Attack. arXiv preprint arXiv:2002.03500.
Guo, Q.; Sun, S.; Dong, F.; Feng, W.; Gao, B. Z.; and Ma, S. 2017c. Frequency-tuned ACM for biomedical image segmentation. In , 821–825. IEEE.
Guo, Q.; Sun, S.; Ren, X.; Dong, F.; Gao, B. Z.; and Feng, W. 2018. Frequency-tuned active contour model. Neurocomputing
Proceedings of the European Conference on Computer Vision (ECCV).
Juntu, J.; Sijbers, J.; Van Dyck, D.; and Gielen, J. 2005. Bias field correction for MRI images. In Computer Recognition Systems, 543–551. Springer.
Kurakin, A.; Goodfellow, I.; and Bengio, S. 2016. Adversarial machine learning at scale. arXiv preprint arXiv:1611.01236.
Li, C.; Huang, R.; Ding, Z.; Gatenby, C.; Metaxas, D.; and Gore, J. 2008. A variational level set approach to segmentation and bias correction of images with intensity inhomogeneity. In International Conference on Medical Image Computing and Computer-Assisted Intervention, 1083–1091. Springer.
Li, X.; Pan, D.; and Zhu, D. 2020. Defending against adversarial attacks on medical imaging AI system, classification or detection? arXiv preprint arXiv:2006.13555.
Li, X.; and Zhu, D. 2020. Covid-xpert: An ai powered population screening of covid-19 cases using chest radiography images. arXiv preprint arXiv:2004.03042.
Li, Z.; Wang, C.; Han, M.; Xue, Y.; Wei, W.; Li, L.; and Li, F. 2017. Thoracic Disease Identification and Localization with Limited Supervision. CoRR abs/1711.06373.
Ma, L.; Juefei-Xu, F.; Sun, J.; Chen, C.; Su, T.; Zhang, F.; Xue, M.; Li, B.; Li, L.; Liu, Y.; Zhao, J.; and Wang, Y. 2018a. DeepGauge: Multi-Granularity Testing Criteria for Deep Learning Systems. In The 33rd IEEE/ACM International Conference on Automated Software Engineering (ASE).
Ma, L.; Juefei-Xu, F.; Xue, M.; Li, B.; Li, L.; Liu, Y.; and Zhao, J. 2019. DeepCT: Tomographic Combinatorial Testing for Deep Learning Systems. Proceedings of the IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER).
Ma, L.; Zhang, F.; Sun, J.; Xue, M.; Li, B.; Juefei-Xu, F.; Xie, C.; Li, L.; Liu, Y.; Zhao, J.; and Wang, Y. 2018b. DeepMutation: Mutation Testing of Deep Learning Systems. In The 29th IEEE International Symposium on Software Reliability Engineering (ISSRE).
Ma, X.; Niu, Y.; Gu, L.; Wang, Y.; Zhao, Y.; Bailey, J.; and Lu, F. 2020. Understanding adversarial attacks on deep learning based medical image analysis systems. Pattern Recognition
IEEE Transactions on image processing
International Conference on Medical Image Computing and Computer-Assisted Intervention, 300–308. Springer.
Papernot, N.; McDaniel, P.; Goodfellow, I.; Jha, S.; Celik, Z. B.; and Swami, A. 2017. Practical black-box attacks against machine learning. In Proceedings of the 2017 ACM on Asia conference on computer and communications security, 506–519.
Papernot, N.; McDaniel, P.; Jha, S.; Fredrikson, M.; Celik, Z. B.; and Swami, A. 2016. The limitations of deep learning in adversarial settings. In , 372–387. IEEE.
Paschali, M.; Conjeti, S.; Navarro, F.; and Navab, N. 2018. Generalizability vs. robustness: investigating medical imaging networks using adversarial examples. In International Conference on Medical Image Computing and Computer-Assisted Intervention, 493–501. Springer.
Rajpurkar, P.; Irvin, J.; Zhu, K.; Yang, B.; Mehta, H.; Duan, T.; Ding, D. Y.; Bagul, A.; Langlotz, C.; Shpanskaya, K. S.; Lungren, M. P.; and Ng, A. Y. 2017. CheXNet: Radiologist-Level Pneumonia Detection on Chest X-Rays with Deep Learning. CoRR abs/1711.05225.
Rauber, J.; Brendel, W.; and Bethge, M. 2017. Foolbox: A python toolbox to benchmark the robustness of machine learning models. arXiv preprint arXiv:1707.04131.
Shafahi, A.; Huang, W. R.; Najibi, M.; Suciu, O.; Studer, C.; Dumitras, T.; and Goldstein, T. 2018. Poison frogs! targeted clean-label poisoning attacks on neural networks. In Advances in Neural Information Processing Systems, 6103–6113.
Szegedy, C.; Zaremba, W.; Sutskever, I.; Bruna, J.; Erhan, D.; Goodfellow, I.; and Fergus, R. 2013. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199.
Tartaglione, E.; Barbano, C. A.; Berzovini, C.; Calandri, M.; and Grangetto, M. 2020. Unveiling COVID-19 from Chest X-ray with deep learning: a hurdles race with small data. arXiv preprint arXiv:2004.05405.
Thomas, D. L.; De Vita, E.; Deichmann, R.; Turner, R.; and Ordidge, R. J. 2005. 3D MDEFT imaging of the human brain at 4.7 T with reduced sensitivity to radiofrequency inhomogeneity. Magnetic Resonance in Medicine: An Official Journal of the International Society for Magnetic Resonance in Medicine
IEEE transactions on medical imaging
arXiv preprint arXiv:2003.09871.
Wang, R.; Juefei-Xu, F.; Xie, X.; Ma, L.; Huang, Y.; and Liu, Y. 2020. Amora: Black-box adversarial morphing attack. In ACM Multimedia Conference (ACMMM).
Wang, X.; Peng, Y.; Lu, L.; Lu, Z.; Bagheri, M.; and Summers, R. M. 2017. ChestX-ray8: Hospital-scale Chest X-ray Database and Benchmarks on Weakly-Supervised Classification and Localization of Common Thorax Diseases. CoRR abs/1705.02315.
Xiao, C.; Zhu, J.-Y.; Li, B.; He, W.; Liu, M.; and Song, D. 2018. Spatially transformed adversarial examples. arXiv preprint arXiv:1801.02612.
Xie, X.; Ma, L.; Juefei-Xu, F.; Xue, M.; Chen, H.; Liu, Y.; Zhao, J.; Li, B.; Yin, J.; and See, S. 2019a. DeepHunter: A Coverage-Guided Fuzz Testing Framework for Deep Neural Networks. In ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA).
Xie, X.; Ma, L.; Wang, H.; Li, Y.; Liu, Y.; and Li, X. 2019b. DiffChaser: Detecting Disagreements for Deep Neural Networks. In IJCAI, 5772–5778.
Yang, C.; Wu, Q.; Li, H.; and Chen, Y. 2017. Generative poisoning attack method against neural networks. arXiv preprint arXiv:1703.01340.
Yao, L.; Poblenz, E.; Dagunts, D.; Covington, B.; Bernard, D.; and Lyman, K. 2017. Learning to diagnose from scratch by exploiting dependencies among labels. CoRR abs/1710.10501.
Zhai, L.; Juefei-Xu, F.; Guo, Q.; Xie, X.; Ma, L.; Feng, W.; Qin, S.; and Liu, Y. 2020. It’s Raining Cats or Dogs? Adversarial Rain Attack on DNN Perception. arXiv preprint arXiv.
Zheng, Y.; and Gee, J. C. 2010. Estimation of image bias field with sparsity constraints. In , 255–262. IEEE.
Zhou, C.; Guo, Q.; Wan, L.; and Feng, W. 2017. Selective object and context tracking. In , 1947–1951. IEEE.