采用GAN的肺部疾病诊断模型黑盒可迁移性对抗攻击方法  

作　　者：王小银 王丹[1] 孙家泽 杨宜康 WANG Xiaoyin;WANG Dan;SUN Jiaze;YANG Yikang(School of Computer Science,Xi’an University of Posts and Telecommunications,Xi’an 710121,China;Shaanxi Key Laboratory of Network Data Analysis and Intelligent Processing,Xi’an University of Posts and Telecommunications,Xi’an 710121,China;School of Automation Science and Engineering,Xi’an Jiaotong University,Xi’an 710121,China)

机构地区：[1]西安邮电大学计算机学院,西安710121 [2]西安邮电大学陕西省网络数据分析与智能处理重点实验室,西安710121 [3]西安交通大学自动化科学与工程学院,西安710121

出　　处：《西安交通大学学报》2023年第10期196-206,220,共12页Journal of Xi'an Jiaotong University

基　　金：陕西省重点研发计划资助项目(2023-YBGY-204,2023-YBGY-030);西安市重点产业链核心技术攻关项目(人工智能领域)(2022JH-RGZN-0028)。

摘　　要：针对现有对抗攻击方法在黑盒场景下攻击成功率不高以及生成质量低等问题,提出了一种基于生成对抗网络(GAN)的肺部疾病诊断模型黑盒可迁移性对抗攻击方法。以肺部医学影像为基础,依托残差神经网络,在生成器中设计基于扩张卷积的残差块和金字塔分割注意力机制,以提高网络在更细粒度上的多尺度特征表达能力;设置带有辅助分类器的判别器对样本进行正确分类,并且添加攻击者实施对抗训练,以增强对抗样本的攻击能力和稳定GAN的训练。运用无数据黑盒对抗攻击框架训练替代模型,实现可迁移性对抗攻击,获得高黑盒攻击成功率。所提方法在目标攻击和无目标攻击任务下的对抗攻击成功率分别达到了68.95%和79.34%,与其他黑盒场景下基于GAN的对抗方法相比,迁移攻击成功率更高,且生成的对抗样本更接近真实样本。所提方法解决了传统基于GAN的攻击方法难以捕获肺部影像细节特征而导致无法获得更优的对抗性能的问题,对在实际应用场景下提高肺部疾病诊断模型的安全性和鲁棒性提供了参考方案。A black-box transferable adversarial attack method based on GAN for lung disease diagnosis models was proposed to address the low success rate of attacks in black-box scenarios and low generation quality of existing adversarial attack methods.The method was built based on pulmonary medical images,with the residual neural network as the basic skeleton.In the generator,residual blocks based on dilated convolution and pyramidal segmentation attention mechanism were designed to improve the multi-scale feature representation capability of the network at finer granularity;discriminators with auxiliary classifiers were set up to correctly classify the samples,and the attackers were added to the discriminators for adversarial training to enhance the adversarial sample attack capability and stabilize the training of GAN.The data-free black-box adversarial attack framework was also used to train alternative models to achieve transferable adversarial attack and obtain a more effective and higher black-box attack success rate.The method achieved adversarial success rates of 68.95%and 79.34%for targeted attacks and untargeted attacks respectively.Compared with other GAN-based attack methods in black-box scenarios,it presents a higher transferability attack success rate and the generated adversarial samples are closer to the real samples,solving the problem that traditional GAN-based attack methods cannot capture the detailed features of lung images and thus cannot obtain better adversarial performance.This method provides a reference for improving the security and robustness of lung disease diagnosis models in practical application scenarios.

关 键 词：肺部疾病诊断模型 黑盒对抗攻击 生成对抗网络 可迁移性 

分 类 号：TP391.41[自动化与计算机技术—计算机应用技术]