Prompt2Perturb (P2P): Text-Guided Diffusion-Based Adversarial Attacks on Breast Ultrasound Images
December 13, 2024
Authors: Yasamin Medghalchi, Moein Heidari, Clayton Allard, Leonid Sigal, Ilker Hacihaliloglu
cs.AI
Abstract
Deep neural networks (DNNs) offer significant promise for improving breast
cancer diagnosis in medical imaging. However, these models are highly
susceptible to adversarial attacks--small, imperceptible changes that can
mislead classifiers--raising critical concerns about their reliability and
security. Traditional attacks rely on fixed-norm perturbations, which align
poorly with human perception. Diffusion-based attacks, in contrast, require
pre-trained models; when such models are unavailable, training them demands
substantial data, which is often infeasible in medical imaging due to the
limited availability of datasets. Building on
recent advancements in learnable prompts, we propose Prompt2Perturb (P2P), a
novel language-guided attack method capable of generating meaningful attack
examples driven by text instructions. During the prompt learning phase, our
approach leverages learnable prompts within the text encoder to create subtle,
yet impactful, perturbations that remain imperceptible while guiding the model
towards targeted outcomes. In contrast to current prompt learning-based
approaches, our P2P stands out by directly updating text embeddings, avoiding
the need for retraining diffusion models. Further, we leverage the finding that
optimizing only the early reverse diffusion steps boosts efficiency while
ensuring that the generated adversarial examples incorporate subtle noise, thus
preserving ultrasound image quality without introducing noticeable artifacts.
We show that our method outperforms state-of-the-art attack techniques across
three breast ultrasound datasets in FID and LPIPS. Moreover, the generated
images are both more natural in appearance and more effective compared to
existing adversarial attacks. Our code will be publicly available at
https://github.com/yasamin-med/P2P.
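To make the mechanism the abstract describes concrete, here is a minimal PyTorch sketch of the core optimization loop: a learnable update to a frozen text-prompt embedding is optimized so that an image produced by a few early reverse-diffusion steps misleads a frozen classifier, while a fidelity penalty keeps the perturbation subtle. Every component below (the toy denoiser, classifier, tensor sizes, and hyperparameters) is an illustrative stand-in, not the authors' implementation.

```python
import torch
import torch.nn as nn
import torch.nn.functional as F

torch.manual_seed(0)
EMB, IMG = 64, 32 * 32  # toy text-embedding and flattened-image sizes (assumptions)

# Frozen stand-ins for the text-conditioned denoiser and the target classifier.
denoiser = nn.Sequential(nn.Linear(IMG + EMB, 256), nn.ReLU(), nn.Linear(256, IMG))
classifier = nn.Linear(IMG, 2)
for p in list(denoiser.parameters()) + list(classifier.parameters()):
    p.requires_grad_(False)

x = torch.rand(1, IMG)                           # clean ultrasound image (flattened)
prompt_embed = torch.randn(1, EMB)               # frozen embedding from the text encoder
delta = torch.zeros(1, EMB, requires_grad=True)  # learnable update to the text embedding
target = torch.tensor([1])                       # attacker-chosen target class

opt = torch.optim.Adam([delta], lr=1e-2)
EARLY_STEPS = 3  # optimize only the first few reverse-diffusion steps

for _ in range(200):
    x_t = x + 0.1 * torch.randn_like(x)          # lightly noised input (toy forward process)
    cond = prompt_embed + delta                  # directly updated text embedding
    for _ in range(EARLY_STEPS):                 # early reverse steps only
        x_t = x_t + 0.1 * denoiser(torch.cat([x_t, cond], dim=1))
    adv = x_t.clamp(0.0, 1.0)
    # Targeted misclassification loss plus a penalty keeping the image close to x,
    # so the perturbation stays subtle and the ultrasound appearance is preserved.
    loss = F.cross_entropy(classifier(adv), target) + 10.0 * F.mse_loss(adv, x)
    opt.zero_grad()
    loss.backward()
    opt.step()

print("prediction on adversarial image:", classifier(adv).argmax(dim=1).item())
```

Note that only `delta` receives gradient updates; the diffusion model and classifier stay frozen, which mirrors the paper's claim of avoiding any retraining of the diffusion model.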
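Similarly, perceptual similarity of the kind reported in the paper (LPIPS) can be scored with the off-the-shelf `lpips` package; the tensors and the perturbation below are placeholder data, and the paper's actual evaluation pipeline is not described in the abstract.

```python
import lpips  # pip install lpips
import torch

loss_fn = lpips.LPIPS(net='alex')            # lower score = more perceptually similar
clean = torch.rand(1, 3, 256, 256) * 2 - 1   # LPIPS expects images scaled to [-1, 1]
adv = (clean + 0.02 * torch.randn_like(clean)).clamp(-1.0, 1.0)
print("LPIPS(clean, adv) =", loss_fn(clean, adv).item())
```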