保护医疗保健中的人工智能：三层防御以减轻放射成像中的对抗性噪声影响

IF 4.9 2区医学 Q1 ENGINEERING, BIOMEDICAL

Biomedical Signal Processing and Control Pub Date : 2025-05-16 DOI:10.1016/j.bspc.2025.107969

Sheikh Burhan Ul Haque , Aasim Zafar , Sheikh Moeen ul haque , Sheikh Riyaz ul Haq , Mohassin Ahmad

{"title":"保护医疗保健中的人工智能：三层防御以减轻放射成像中的对抗性噪声影响","authors":"Sheikh Burhan Ul Haque , Aasim Zafar , Sheikh Moeen ul haque , Sheikh Riyaz ul Haq , Mohassin Ahmad","doi":"10.1016/j.bspc.2025.107969","DOIUrl":null,"url":null,"abstract":"<div><div>Early detection of lung nodules through CT imaging is crucial for timely treatment and improved patient outcomes. Artificial intelligence (AI), particularly deep learning (DL), has shown exceptional promise, often surpassing human expertise in diagnosing lung cancer. However, the vulnerability of DL models to adversarial noise—imperceptible perturbations designed to mislead models—remains underexplored in medical imaging. To the best of our knowledge, this is the first study to comprehensively analyze the effects of targeted and untargeted adversarial noise on DL-based medical diagnosis models. Additionally, we propose a novel three-tier defense strategy to mitigate these adversarial impacts on radiology images. The proposed approach combines modified adversarial training (MAT) during the training phase with Total Variation Minimization (TVM) flowed by bit-plane slicing (BPS) at the testing phase, ensuring robust performance against adversarial attacks in all the phases. MAT strengthens model resilience by exposing it to adversarial examples with varying epsilon values, improving its ability to counter diverse perturbations. At inference, TVM reduces high-frequency adversarial noise while preserving essential image structures, and BPS further enhances robustness by extracting critical features and discarding less significant details prone to adversarial manipulation. A lung nodule classification model was developed using transfer learning with DenseNet-121, trained on the publicly available LIDC-IDRI dataset. The model achieved 95.71% training accuracy and 93.17% testing accuracy on clean images. However, when exposed to adversarial attacks such as Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD), accuracy dropped significantly to 13.74% under FGSM and 1.32% under PGD. The proposed defense strategy successfully restored performance, achieving an average accuracy of approximately 93% against both FGSM and PGD attacks. These results demonstrate that the defense approach effectively mitigates adversarial noise across both training and testing phases, improving the reliability of DL models in medical image analysis. By enhancing robustness in lung cancer detection, this study contributes to the advancement of AI-driven healthcare, ensuring safer and more trustworthy diagnostic systems.</div></div>","PeriodicalId":55362,"journal":{"name":"Biomedical Signal Processing and Control","volume":"109 ","pages":"Article 107969"},"PeriodicalIF":4.9000,"publicationDate":"2025-05-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Securing AI in Healthcare: A Three-Layer Defense to Mitigate Adversarial Noise Impact in Radiology Imaging\",\"authors\":\"Sheikh Burhan Ul Haque , Aasim Zafar , Sheikh Moeen ul haque , Sheikh Riyaz ul Haq , Mohassin Ahmad\",\"doi\":\"10.1016/j.bspc.2025.107969\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>Early detection of lung nodules through CT imaging is crucial for timely treatment and improved patient outcomes. Artificial intelligence (AI), particularly deep learning (DL), has shown exceptional promise, often surpassing human expertise in diagnosing lung cancer. However, the vulnerability of DL models to adversarial noise—imperceptible perturbations designed to mislead models—remains underexplored in medical imaging. To the best of our knowledge, this is the first study to comprehensively analyze the effects of targeted and untargeted adversarial noise on DL-based medical diagnosis models. Additionally, we propose a novel three-tier defense strategy to mitigate these adversarial impacts on radiology images. The proposed approach combines modified adversarial training (MAT) during the training phase with Total Variation Minimization (TVM) flowed by bit-plane slicing (BPS) at the testing phase, ensuring robust performance against adversarial attacks in all the phases. MAT strengthens model resilience by exposing it to adversarial examples with varying epsilon values, improving its ability to counter diverse perturbations. At inference, TVM reduces high-frequency adversarial noise while preserving essential image structures, and BPS further enhances robustness by extracting critical features and discarding less significant details prone to adversarial manipulation. A lung nodule classification model was developed using transfer learning with DenseNet-121, trained on the publicly available LIDC-IDRI dataset. The model achieved 95.71% training accuracy and 93.17% testing accuracy on clean images. However, when exposed to adversarial attacks such as Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD), accuracy dropped significantly to 13.74% under FGSM and 1.32% under PGD. The proposed defense strategy successfully restored performance, achieving an average accuracy of approximately 93% against both FGSM and PGD attacks. These results demonstrate that the defense approach effectively mitigates adversarial noise across both training and testing phases, improving the reliability of DL models in medical image analysis. By enhancing robustness in lung cancer detection, this study contributes to the advancement of AI-driven healthcare, ensuring safer and more trustworthy diagnostic systems.</div></div>\",\"PeriodicalId\":55362,\"journal\":{\"name\":\"Biomedical Signal Processing and Control\",\"volume\":\"109 \",\"pages\":\"Article 107969\"},\"PeriodicalIF\":4.9000,\"publicationDate\":\"2025-05-16\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Biomedical Signal Processing and Control\",\"FirstCategoryId\":\"5\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S174680942500480X\",\"RegionNum\":2,\"RegionCategory\":\"医学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"ENGINEERING, BIOMEDICAL\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Biomedical Signal Processing and Control","FirstCategoryId":"5","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S174680942500480X","RegionNum":2,"RegionCategory":"医学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"ENGINEERING, BIOMEDICAL","Score":null,"Total":0}

引用次数: 0

摘要

通过CT成像早期发现肺结节对于及时治疗和改善患者预后至关重要。人工智能（AI），特别是深度学习（DL），已经显示出非凡的前景，在诊断肺癌方面往往超过人类的专业知识。然而，深度学习模型对对抗性噪声（设计用于误导模型的难以察觉的扰动）的脆弱性在医学成像中仍未得到充分探讨。据我们所知，这是第一个全面分析靶向和非靶向对抗性噪声对基于dl的医学诊断模型影响的研究。此外，我们提出了一种新的三层防御策略来减轻这些对放射图像的对抗性影响。该方法将训练阶段的改进对抗性训练（MAT）与测试阶段的位平面切片（BPS）的总变异最小化（TVM）相结合，确保了在所有阶段对对抗性攻击的鲁棒性。MAT通过将其暴露于具有不同ε值的对抗性示例来增强模型的弹性，从而提高其对抗各种扰动的能力。在推理中，TVM在保留基本图像结构的同时减少了高频对抗性噪声，而BPS通过提取关键特征和丢弃容易被对抗性操作的不太重要的细节进一步增强了鲁棒性。使用迁移学习和DenseNet-121开发了肺结节分类模型，该模型在公开可用的LIDC-IDRI数据集上进行了训练。该模型在干净图像上的训练准确率为95.71%，测试准确率为93.17%。然而，当面对快速梯度符号法（FGSM）和投影梯度下降法（PGD）等对抗性攻击时，FGSM和PGD的准确率分别下降到13.74%和1.32%。提出的防御策略成功地恢复了性能，对FGSM和PGD攻击的平均准确率约为93%。这些结果表明，防御方法有效地减轻了训练和测试阶段的对抗性噪声，提高了深度学习模型在医学图像分析中的可靠性。通过增强肺癌检测的稳健性，本研究有助于推进人工智能驱动的医疗保健，确保更安全、更可信的诊断系统。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Securing AI in Healthcare: A Three-Layer Defense to Mitigate Adversarial Noise Impact in Radiology Imaging

Early detection of lung nodules through CT imaging is crucial for timely treatment and improved patient outcomes. Artificial intelligence (AI), particularly deep learning (DL), has shown exceptional promise, often surpassing human expertise in diagnosing lung cancer. However, the vulnerability of DL models to adversarial noise—imperceptible perturbations designed to mislead models—remains underexplored in medical imaging. To the best of our knowledge, this is the first study to comprehensively analyze the effects of targeted and untargeted adversarial noise on DL-based medical diagnosis models. Additionally, we propose a novel three-tier defense strategy to mitigate these adversarial impacts on radiology images. The proposed approach combines modified adversarial training (MAT) during the training phase with Total Variation Minimization (TVM) flowed by bit-plane slicing (BPS) at the testing phase, ensuring robust performance against adversarial attacks in all the phases. MAT strengthens model resilience by exposing it to adversarial examples with varying epsilon values, improving its ability to counter diverse perturbations. At inference, TVM reduces high-frequency adversarial noise while preserving essential image structures, and BPS further enhances robustness by extracting critical features and discarding less significant details prone to adversarial manipulation. A lung nodule classification model was developed using transfer learning with DenseNet-121, trained on the publicly available LIDC-IDRI dataset. The model achieved 95.71% training accuracy and 93.17% testing accuracy on clean images. However, when exposed to adversarial attacks such as Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD), accuracy dropped significantly to 13.74% under FGSM and 1.32% under PGD. The proposed defense strategy successfully restored performance, achieving an average accuracy of approximately 93% against both FGSM and PGD attacks. These results demonstrate that the defense approach effectively mitigates adversarial noise across both training and testing phases, improving the reliability of DL models in medical image analysis. By enhancing robustness in lung cancer detection, this study contributes to the advancement of AI-driven healthcare, ensuring safer and more trustworthy diagnostic systems.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Biomedical Signal Processing and Control 工程技术-工程：生物医学

CiteScore

9.80

自引率

13.70%

发文量

822

审稿时长

4 months

期刊介绍： Biomedical Signal Processing and Control aims to provide a cross-disciplinary international forum for the interchange of information on research in the measurement and analysis of signals and images in clinical medicine and the biological sciences. Emphasis is placed on contributions dealing with the practical, applications-led research on the use of methods and devices in clinical diagnosis, patient monitoring and management. Biomedical Signal Processing and Control reflects the main areas in which these methods are being used and developed at the interface of both engineering and clinical science. The scope of the journal is defined to include relevant review papers, technical notes, short communications and letters. Tutorial papers and special issues will also be published.