| dc.description.abstract | Nowadays, in the health area, Artificial Intelligence (AI) becomes a must-have to improve diagnosis and prognosis quality. Thus, the medical corps can use Deep Learning (DL) algorithms to predict the evolution of diseases, such as breast or skin cancers, and also detect diseases using medical image analysis. As it can mimic human work – and sometimes, performs better work – it is a powerful tool that can save lives. However, as soon as we talk about algorithms, we have to talk about possible adversarial attacks. Since algorithms handle health data, if an attack makes it badly trained, it could become life-critical.
Our thesis motivation is to investigate the behaviour of such methods in a health-oriented classification model and the potential effectiveness of combining several countermeasures to mitigate these adversarial attacks.
In the health area, DL is used both in prognosis, to predict the development of a disease such as colon, breast, or skin cancer, and in diagnosis to detect and prevent disease. Medical image analysis using AI techniques to extract information from medical images, and may be combined with a classification model, for instance, by using Convolutional Neural Network (CNN) for melanoma classification.
Several attack types exist in the literature. Firstly, Fast Gradient Sign Method (FGSM) and Universal Adversarial Perturbation (UAP) are evasion attacks, as well as the attack proposed by Carlini \& Wagner (REF). There are also poisoning attacks, that add skewed data to the training dataset. To counter these attacks, there are three types of countermeasures. We can modify the model to add robustness (Defensive Distillation, Gradient Regularisation), or alter the dataset (Low-Level Transformation, Adversarial Retraining, Online Alternate Generator), or finally using an additional model (Generative Adversarial Network).
We have performed experiments on two neural networks, Residual Network (ResNet50) and Inception V3. As there were several experiments, we chose to focus on only one dataset, ISIC skin lesion 2018, composed of 7 classes (4 cancerous (86\% of the pictures), 3 benigns). We picked two evasion attacks, FGSM for its ease of implementation and its impact on the DL classifier, and UAP, for being a recent and powerful attack. Concerning the countermeasures, we wanted to use a less complex method. To investigate if we could mitigate powerful attacks with such countermeasures.
All this work has been performed under python, using Keras and Tensorflow libraries, to answer three questions. Firstly, "how would the classifiers - combinaison of DL model and ISIC2018 dataset - would be impacted by adversarial attacks?" Second question is, "Is there a way to mitigate FGSM attack?", and the third one is "Can we get the same results against UAP with these methods or by combining them?" To evaluate the results, we use different metrics, such as accuracy, recall, and specificity. Furthermore, we will focus on the False Negative Rate (FNR), which points to the percentage of sick patients classified as healthy (and that can be life-critical in case of skin cancer).
There have been a total of 3 main experiments. First, Inception V3 and ResNet50 have been implemented and evaluated, with above 90\% accuracy and between 5 and 8\% FNR. In the second experiment, we have performed attacks on the models. After FGSM, we obtained 40\% accuracy \& 57\% FNR for Inception V3, and 60\% accuracy \& 34\% FNR for ResNet50. After UAP, we obtained 37\% accuracy \& 69\% FNR for Inception V3, and 64\% accuracy & 28\% FNR for ResNet50.
The third step was to mitigate these attacks, with Adversarial Retraining, LLT, and a combination of both. For all models and attacks, the association of both countermeasures has given the best results. In terms of results, Inception V3 and ResNet50 ended with around 85\% of accuracy and a low false-negative rate around 7\% under both FGSM and UAP attacks.
Whether under FGSM and UAP attack, both ResNet50 and Inception V3 models got unacceptable results according to the metrics. However, our experiments show that these attacks can be mitigated, and so allow to use of these models in the health area. Nevertheless, and as long as model FNR is not down to 0\%, it seems important to continue to double-check the results after model predictions. Even if our results are good, we have thought of several complementary experiments for future work. We would recommend, at least, experiment with these methods with other datasets and models. | |
