王小银,王丹,孙家泽,杨宜康

• 1:西安邮电大学计算机学院
• 2:西安邮电大学陕西省网络数据分析与智能处理重点实验室
• 3:西安交通大学自动化科学与工程学院

摘要(Abstract)：

针对现有对抗攻击方法在黑盒场景下攻击成功率不高以及生成质量低等问题，提出了一种基于生成对抗网络(GAN)的肺部疾病诊断模型黑盒可迁移性对抗攻击方法。以肺部医学影像为基础，依托残差神经网络，在生成器中设计基于扩张卷积的残差块和金字塔分割注意力机制，以提高网络在更细粒度上的多尺度特征表达能力；设置带有辅助分类器的判别器对样本进行正确分类，并且添加攻击者实施对抗训练，以增强对抗样本的攻击能力和稳定GAN的训练。运用无数据黑盒对抗攻击框架训练替代模型，实现可迁移性对抗攻击，获得高黑盒攻击成功率。所提方法在目标攻击和无目标攻击任务下的对抗攻击成功率分别达到了68.95%和79.34%,与其他黑盒场景下基于GAN的对抗方法相比，迁移攻击成功率更高，且生成的对抗样本更接近真实样本。所提方法解决了传统基于GAN的攻击方法难以捕获肺部影像细节特征而导致无法获得更优的对抗性能的问题，对在实际应用场景下提高肺部疾病诊断模型的安全性和鲁棒性提供了参考方案。

关键词(KeyWords)： 肺部疾病诊断模型;黑盒对抗攻击;生成对抗网络;可迁移性

Abstract:

Keywords:

基金项目(Foundation): 陕西省重点研发计划资助项目（2023-YBGY-204,2023-YBGY-030）;; 西安市重点产业链核心技术攻关项目（人工智能领域）（2022JH-RGZN-0028）

作者(Author): 王小银,王丹,孙家泽,杨宜康

参考文献(References)：

• [1] 匡艳.无监督肺结节良恶性辅助诊断研究 [D].成都：电子科技大学，2021:1-8.
• [2] 刘雲.全流程人工智能计算机辅助诊断在肺癌及食管癌中的应用 [D].上海：华东师范大学，2022:1-6.
• [3] WANG Zizhou,SHU Xin,WANG Yan,et al.A feature space-restricted attention attack on medical deep learning systems [J].IEEE Transactions on Cybernetics 2022,52(4):2168-2275.
• [4] SZEGEDY C,ZAREMBA W,SUTSKEVER I,et al.Intriguing properties of neural networks [C/OL]//2nd International Conference on Learning Representations(ICLR).New York,USA:ICLR,2014 [2022-03-01].https://nyuscholars.nyu.edu/en/publications/intriguing-properties-of-neural-networks.
• [5] HIRANO H,MINAGI A,TAKEMOTO K.Universal adversarial attacks on deep neural networks for medical image classification [J].BMC Medical Imaging,2021,21(1):9.
• [6] GOODFELLOW I J,SHLENS J,SZEGEDY C.Explaining and harnessing adversarial examples [C]//3rd International Conference on Learning Representations (ICLR).New York,USA:ICLR,2015:20193407343614.
• [7] XIE Cihang,WU Yuxin,MAATEN L V D,et al.Feature denoising for improving adversarial robustness [C]//2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR).Piscataway,NJ,USA:IEEE,2019:501-509.
• [8] CARLINI N,WAGNER D.Towards evaluating the robustness of neural networks [C]//2017 IEEE Symposium on Security and Privacy (SP).Piscataway,NJ,USA:IEEE,2017:39-57.
• [9] XIAO Chaowei,LI Bo,ZHU Junyan,et al.Generating adversarial examples with adversarial networks [C]//Proceedings of the 27th International Joint Conference on Artificial Intelligence.Palo Alto,CA,USA:AAAI Press,2018:3905-3911.
• [10] BAI Tao,ZHAO Jun,ZHU Jinlin,et al.AI-GAN:attack-inspired generation of adversarial examples [C]//2021 IEEE International Conference on Image Processing (ICIP).Piscataway,NJ,USA:IEEE,2021:2543-2547.
• [11] ZHANG Jie,LI Bo,XU Jianghe,et al.Towards efficient data free blackbox adversarial attack [C]//2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR).Piscataway,NJ,USA:IEEE,2022:15094-15104.
• [12] TRUONG J B,MAINI P,WALLS R J,et al.Data-free model extraction [C]//2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR).Piscataway,NJ,USA:IEEE,2021:4769-4778.
• [13] 左龙，张鹏，荆树旭，等.用于图像超分辨率重建的双通道残差网络 [J].西安交通大学学报，2022,56(1):158-164.ZUO Long,ZHANG Peng,JING Shuxu,et al.Dual-channel residual network for image super-resolution reconstruction [J].Journal of Xi’an Jiaotong University,2022,56(1):158-164.
• [14] TIAN Hongfeng,JI Bai,QUAN Wei,et al.MPA-net:multi-scale pyramid attention network for liver tumor segmentation [C]//2021 International Conference on Electronic Information Engineering and Computer Science (EIECS).Piscataway,NJ,USA:IEEE,2021:658-661.
• [15] 王小银，吕硕，孙家泽，等.基于生成对抗网络的医学诊断模型知识蒸馏对抗攻击方法 [J].西安交通大学学报，2022,56(7):76-85.WANG Xiaoyin,Lü Shuo,SUN Jiaze,et al.Knowledge distillation adversarial attack method based on generative adversarial network for medical diagnosis model [J].Journal of Xi’an Jiaotong University,2022,56(7):76-85.
• [16] WANG Wenxuan,YIN Bangjie,YAO Taiping,et al.Delving into data:effectively substitute training for black-box attack [C]//2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR).Piscataway,NJ,USA:IEEE,2021:4759-4768.
• [17] WANG Zi.Learning fast converging,effective conditional generative adversarial networks with a mirrored auxiliary classifier [C]//2021 IEEE Winter Conference on Applications of Computer Vision (WACV).Piscataway,NJ,USA:IEEE,2021:2565-2574.
• [18] LIU Yichen.A lane line detection method based on squeeze and excitation network [C]//2022 International Conference on Machine Learning and Intelligent Systems Engineering (MLISE).Piscataway,NJ,USA:IEEE,2022:117-121.
• [19] RAHMAN T,KHANDAKAR A,QIBLAWEY Y,et al.Exploring the effect of image enhancement techniques on COVID-19 detection using chest X-ray images [J].Computers in Biology and Medicine,2021,132:104319.
• [20] WANG Xiaosong,PENG Yifan,LU Le,et al.ChestX-ray8:hospital-scale chest X-ray database and benchmarks on weakly-supervised classification and localization of common thorax diseases [C]//2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR).Piscataway,NJ,USA:IEEE,2017:3462-3471.
• [21] YANG Huan,CHEN Lili,CHENG Zhiqiang,et al.Deep learning-based six-type classifier for lung cancer and mimics from histopathological whole slide images:a retrospective study [J].BMC Medicine,2021,19(1):80.
• [22] DEVNATH L,LUO Suhuai,SUMMONS P,et al.Deep ensemble learning for the automatic detection of pneumoconiosis in coal worker’s chest X-ray radiography [J].Journal of Clinical Medicine,2022,11(18):5342.
• [23] 余艳杰，孙嘉琪，葛思擘，等.CycleGAN-SN:结合谱归一化和CycleGAN的图像风格化算法 [J].西安交通大学学报，2020,54(5):133-141.YU Yanjie,SUN Jiaqi,GE Sibo,et al.CycleGAN-SN:image stylization algorithm combining spectral normalization and CycleGAN [J].Journal of Xi’an Jiaotong University,2020,54(5):133-141.
• [24] PAPERNOT N,MCDANIEL P,GOODFELLOW I,et al.Practical black-box attacks against machine learning [C]//Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security.New York,NY,USA:Association for Computing Machinery,2017:506-519.
• [25] ZHOU Mingyi,WU Jing,LIU Yipeng,et al.DaST:data-free substitute training for adversarial attacks [C]//2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR).Piscataway,NJ,USA:IEEE,2020:231-240.
• [26] 许新征，常建英，丁世飞.基于StarGAN和类别编码器的图像风格转换 [J].软件学报，2022,33(4):1516-1526.XU Xinzheng,CHANG Jianying,DING Shifei.Image style transfering based on StarGAN and class encoder [J].Journal of Software,2022,33(4):1516-1526.
• [27] HIRANO H,TAKEMOTO K.Simple iterative method for generating targeted universal adversarial perturbations [J].Algorithms,2020,13(11):268.