Prompt2Perturb(P2P):基於擴散的文本引導對乳腺超聲波圖像的對抗攻擊

Prompt2Perturb (P2P): Text-Guided Diffusion-Based Adversarial Attacks on Breast Ultrasound Images

December 13, 2024
作者: Yasamin Medghalchi, Moein Heidari, Clayton Allard, Leonid Sigal, Ilker Hacihaliloglu
cs.AI

摘要

深度神經網絡(DNNs)在醫學影像中提高乳腺癌診斷的潛力巨大。然而,這些模型極易受到對抗攻擊的影響--微小、不可察覺的變化可能誤導分類器--這引發了對它們可靠性和安全性的重要關注。傳統攻擊依賴於固定範數的干擾,與人類感知不一致。相較之下,基於擴散的攻擊需要預先訓練的模型,在這些模型不可用時需要大量數據,限制了在數據稀缺情況下的實際應用。然而,在醫學影像中,由於數據集的有限可用性,這通常是不可行的。借鑒最近在可學習提示方面的進展,我們提出了Prompt2Perturb(P2P),一種新穎的語言引導攻擊方法,能夠生成由文本指令驅動的有意義的攻擊示例。在提示學習階段,我們的方法利用文本編碼器內的可學習提示來創建微妙但具有影響力的干擾,使其保持不可察覺,同時引導模型朝向目標結果。與當前基於提示學習的方法相比,我們的P2P通過直接更新文本嵌入來脫穎而出,避免了需要重新訓練擴散模型的必要性。此外,我們利用優化僅早期反向擴散步驟的發現,提高了效率,同時確保生成的對抗示例包含微妙的噪音,從而在不引入明顯工件的情況下保持超聲波影像質量。我們展示了我們的方法在三個乳腺超聲波數據集中在FID和LPIPS方面優於最先進的攻擊技術。此外,生成的圖像在外觀上更加自然,並且與現有的對抗攻擊相比更加有效。我們的代碼將公開提供:https://github.com/yasamin-med/P2P。
English
Deep neural networks (DNNs) offer significant promise for improving breast cancer diagnosis in medical imaging. However, these models are highly susceptible to adversarial attacks--small, imperceptible changes that can mislead classifiers--raising critical concerns about their reliability and security. Traditional attacks rely on fixed-norm perturbations, misaligning with human perception. In contrast, diffusion-based attacks require pre-trained models, demanding substantial data when these models are unavailable, limiting practical use in data-scarce scenarios. In medical imaging, however, this is often unfeasible due to the limited availability of datasets. Building on recent advancements in learnable prompts, we propose Prompt2Perturb (P2P), a novel language-guided attack method capable of generating meaningful attack examples driven by text instructions. During the prompt learning phase, our approach leverages learnable prompts within the text encoder to create subtle, yet impactful, perturbations that remain imperceptible while guiding the model towards targeted outcomes. In contrast to current prompt learning-based approaches, our P2P stands out by directly updating text embeddings, avoiding the need for retraining diffusion models. Further, we leverage the finding that optimizing only the early reverse diffusion steps boosts efficiency while ensuring that the generated adversarial examples incorporate subtle noise, thus preserving ultrasound image quality without introducing noticeable artifacts. We show that our method outperforms state-of-the-art attack techniques across three breast ultrasound datasets in FID and LPIPS. Moreover, the generated images are both more natural in appearance and more effective compared to existing adversarial attacks. Our code will be publicly available https://github.com/yasamin-med/P2P.

Summary

AI-Generated Summary

PDF12December 16, 2024