Kloster, Matías A. (2023) Robustez en sistemas de Deep Learning para detección de imágenes médicas / Robustness in Deep Learning systems for medical images detection. Maestría en Ingeniería, Universidad Nacional de Cuyo, Instituto Balseiro.
![[img]](/style/images/fileicons/application_pdf.png)
| PDF (Tesis) Español 9Mb |
Resumen en español
En esta tesis abordamos el problema de la clasificación automática de imágenes mediante el uso de redes neuronales profundas o también llamado deep learning. Estas técnicas han demostrado ser altamente efectivas y logran resultados comparables con el sistema visual humano. Sin embargo, presentan una limitación importante: su vulnerabilidad frente a ejemplos adversos cuidadosamente construidos. Estos ejemplos adversos son imágenes que se generan a partir de imágenes naturales y son capaces de engañar a la red neuronal, siendo clasificados erróneamente con una alta confianza en la predicción. Lo sorprendente es que estos ejemplos adversos son visualmente indistinguibles de las imágenes naturales, lo que vuelve su detección un problema desafiante. Tras realizar un estudio exhaustivo sobre esta problemática, se procede a generar ejemplos adversos utilizando tres métodos distintos en cuatro bases de datos. Dos de las bases de datos son ampliamente reconocidas, mientras que las otras dos se centran en la detección de retinopatía diabética, diferenciándose únicamente en el tamaño de las imágenes. En este trabajo, presentamos un método de detección de ejemplos adversos basado en la activación estocástica implementada en ciertas capas de la red neuronal. Nuestro enfoque principal se centra en determinar la manera ´optima de introducir este término de ruido, así como evaluar la generalización de estos resultados en diferentes arquitecturas y problemas de clasificación. Tras realizar diversas pruebas, se observó que la probabilidad de detectar exitosamente la naturaleza de una imagen (ya sea natural o adversa) depende en gran medida del tipo de ataque utilizado, la base de datos utilizada y la magnitud de la perturbación permitida durante la generación del ejemplo adverso. Los resultados obtenidos muestran una amplia variación en la probabilidad de una detección correcta, que va desde un alto porcentaje del 99% en el caso del ataque DeepFool aplicado a imágenes de la base de datos MNIST, hasta porcentajes intermedios como el 74% para el ataque CW2 en imágenes de Retinopatía Diabética de tamaño grande, y valores bajos y ligeramente superiores a la aleatoriedad, como el 51%, para el ataque FGSM en imágenes de Retinopatía Diabética de tamaño pequeño. El código está disponible a través del siguiente enlace: github.com/klostermati/Robustnesstoadversarial-examples.
Resumen en inglés
In this thesis, we approach the problem of automatic image classification using deep neural networks, also known as deep learning. These techniques have proven to be highly effective and achieve results comparable to the human visual system. However, they have an important limitation: their vulnerability to carefully constructed adversarial examples. These adversarial examples are images that are generated from natural images and are able to fool the neural network, being misclassified with high prediction confidence. Remarkably, these adversarial examples are visually indistinguishable from natural images, which makes their detection a challenging problem. After conducting a comprehensive study on this problem, we proceed to generate adversarial examples using three different methods on four databases. Two of the databases are widely recognized, while the other two focus on the detection of diabetic retinopathy, differing only in the size of the images. In this paper, we present an adversarial example detection method based on stochastic activation implemented at certain neural network layers. Our main focus is on determining the optimal way to introduce this noisy term, as well as evaluating the generalization of these results to different architectures and classification problems. After performing several tests, it was observed that the probability of successfully detecting the nature of an image (either natural or adversarial) is highly dependent on the type of attack used, the database used, and the magnitude of perturbation allowed during the generation of the adversarial example. The results obtained show a wide variation in the probability of a correct detection, ranging from a high percentage of 99% for the DeepFool attack applied to images from the MNIST database, to intermediate percentages such as 74% for the CW2 attack on large-sized Diabetic Retinopathy images, and low and slightly above random values, such as 51%, for the FGSM attack on small-sized Diabetic Retinopathy images. The code is available through the following link: github.com/klostermati/Robustness-to-adversarial-examples.
| Tipo de objeto: | Tesis (Maestría en Ingeniería) |
|---|---|
| Palabras Clave: | Machine learning; Aprendizaje automático; [Robustness; Robustez; Machine learning deep; Aprendizaje automático profundo; Medical images; Imágenes médicas; Adversarial example; Ejemplo adverso] |
| Referencias: | [1] McCarthy, J. What is artificial intelligence? Stanford University, 01 2004. 1 [2] Haugeland, J., de Firmani, I. La inteligencia artificial. Ciencia y T´ecnica. Siglo XXI, 2001. URL https://books.google.com.ar/books?id=BcKGEg_HBvYC. 1 [3] Kurzweil, R. Raymond kurzweil — what is artificial intelligence? URL https://www.kurzweilai.net/what-is-artificial-intelligence. Accedido 15-05-2023. 1 [4] Russell, S. J., Norvig, P. Inteligencia Artificial: un enfoque moderno. 2 edición. Prentice Hall, 2008. 1 [5] Goodfellow, I., Bengio, Y., Courville, A. Deep Learning. MIT Press, 2016. http://www.deeplearningbook.org. 1, 9 [6] Ali, A., Razak, S., Othman, S., Eisa, T., Al-dhaqm, A., Nasser, M., et al. Financial fraud detection based on machine learning: A systematic literature review. Applied Sciences, 12, 9637, 09 2022. 2 [7] Perlich, C., Dalessandro, B., Stitelman, O., Raeder, T., Provost, F. Machine learning for targeted display advertising: Transfer learning in action. Machine Learning, 95, 02 2013. 2 [8] Litjens, G., Kooi, T., Bejnordi, B. E., Setio, A. A. A., Ciompi, F., Ghafoorian, M., et al. A survey on deep learning in medical image analysis. Medical Image Analysis, 42, 60–88, 2017. URL https://www.sciencedirect.com/science/article/pii/S1361841517301135. 2 [9] Phillips-Wren, G., Jain, L. Artificial intelligence for decision making. En: B. Gabrys, R. J. Howlett, L. C. Jain (eds.) Knowledge-Based Intelligent Information and Engineering Systems, p´ags. 531–536. Berlin, Heidelberg: Springer Berlin Heidelberg, 2006. 2 [10] Minaee, S., Abdolrashidi, A., Su, H., Bennamoun, M., Zhang, D. Biometrics recognition using deep learning: A survey, 2021. 2 [11] Moraes, C., Scolimoski, J., Lambert-Torres, G., Santini, M., Dias, A., Guerra, F., et al. Robotic process automation and machine learning: a systematic review. Brazilian Archives of Biology and Technology, 65, 08 2022. 2 [12] Sermanet, P., Eigen, D., Zhang, X., Mathieu, M., Fergus, R., LeCun, Y. Overfeat: Integrated recognition, localization and detection using convolutional networks. arXiv preprint arXiv:1312.6229, 2013. 2 [13] Wu, Y., Giger, M. L., Doi, K., Vyborny, C. J., Schmidt, R. A., Metz, C. E. Artificial neural networks in mammography: application to decision making in the diagnosis of breast cancer. Radiology, 187 (1), 81–87, 1993. 2 [14] Esteva, A., Kuprel, B., Novoa, R. A., Ko, J., Swetter, S. M., Blau, H. M., et al. Dermatologist-level classification of skin cancer with deep neural networks. Nature, 542 (7639), 115, 2017. 2 [15] Pratt, H., Coenen, F., Broadbent, D. M., Harding, S. P., Zheng, Y. Convolutional neural networks for diabetic retinopathy. Procedia Computer Science, 90, 200–205, 2016. 2 [16] Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., et al. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199, 2013. 2, 12, 13 [17] Diabetic retinopathy detection - kaggle. URL https://www.kaggle.com/c/diabetic-retinopathydetection. Accedido 25-05-2019. 3, 4, 21, 22 [18] Goodfellow, I. J., Shlens, J., Szegedy, C. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014. 3, 12, 13, 15 [19] Feinman, R., Curtin, R. R., Shintre, S., Gardner, A. B. Detecting adversarial samples from artifacts. arXiv preprint arXiv:1703.00410, 2017. 3, 17, 33 [20] Jain, A., Nundy, S., Abbasi, K. Corruption: medicine’s dirty open secret, 2014. 3 [21] Finlayson, S., Bowers, J., Ito, J., Zittrain, J., Beam, A., Kohane, I. Adversarial attacks on medical machine learning. Science, 363, 1287–1289, 03 2019. 3 [22] Cancer imaging archive. URL https://www.cancerimagingarchive.net/collections/. Accedido 21-06-2023. 3 [23] Conda documentation. URL https://docs.conda.io/projects/conda/en/latest. Accedido 23-05-2019. 4 [24] NVIDIA. Nvida cudnn — nvidia developer. URL https://developer.nvidia.com/cudnn. Accedido 23-05-2019. 4 [25] Keras. URL https://keras.io/. Accedido 23-05-2019. 4, 7, 21 [26] Google. Tensorflow. URL https://www.tensorflow.org. Accedido 23-05-2019. 4 [27] LeCun, Y., Cortes, C., Burges, C. Mnist handwritten digit database. ATT Labs [Online]. Available: http://yann.lecun.com/exdb/mnist, 2, 2010. 4 [28] Krizhevsky, A. Learning multiple layers of features from tiny images. Inf. tec., 2009. 4 [29] Chollet, F. Deep Learning with Python. Manning Publications, 2017. URL https://books.google.com.ar/books?id=wwnyxgEACAAJ. 5, 11, 12 [30] Hurwitz, J., Kirsch, D. Machine learning for dummies - IBM limited edition. John Wiley & Sons,Inc, 2018. 5, 6 [31] Bishop, C. M. Pattern Recognition and Machine Learning. Springer, 2007. 6 [32] He, K., Zhang, X., Ren, S., Sun, J. Delving deep into rectifiers: Surpassing human-level performance on imagenet classification. En: Proceedings of the IEEE international conference on computer vision, págs. 1026–1034. 2015. 6 [33] Hertz, J. A. Introduction to the theory of neural computation. CRC Press, 2018. 6, 7, 8, 9, 11 [34] Rosenblatt, F. The perceptron: a probabilistic model for information storage and organization in the brain. Psychological review, 1958. 7 [35] Minsky, M., Papert, S. Perceptron: an introduction to computational geometry. The MIT Press, Cambridge, expanded edition, 19 (88), 2, 1969. 7 [36] Cybenko, G. Approximation by superpositions of a sigmoidal function. Mathematics of control, signals and systems, 2 (4), 303–314, 1989. 8 [37] Bryson, A. E., Ho, Y. C. Applied Optimal Control. New York: Blaisdell, 1969. 8 [38] Werbos, P., J. (Paul John, P. Beyond regression : new tools for prediction and analysis in the behavioral sciences. Ph.D. Thesis, Harvard University, 1974. 8 [39] Parker, D. Technical report tr-47 , center for computational research in economics and management science, massachusetts institute of technology, cambridge. MA, 1985. 8 [40] Rumelhart, D. E., Hinton, G. E., Williams, R. J. Learning internal representations by error propagation. Inf. tec., California Univ San Diego La Jolla Inst for Cognitive Science, 1985. 8 [41] LeCun, Y. Une procedure d’apprentissage ponr reseau a seuil asymetrique. Proceedings of Cognitiva 85, págs. 599–604, 1985. 8 [42] Fukushima, K. Neocognitron: A self-organizing neural network model for a mechanism of pattern recognition unaffected by shift in position. Biological cybernetics, 36 (4), 193–202, 1980. 9 [43] Hubel, D. H., Wiesel, T. N. Receptive fields of single neurones in the cat’s striate cortex. The Journal of physiology, 148 (3), 574–591, 1959. 9 [44] Hubel, D. H., Wiesel, T. N. Receptive fields and functional architecture of monkey striate cortex. The Journal of physiology, 195 (1), 215–243, 1968. 9 [45] LeCun, Y., Boser, B., Denker, J. S., Henderson, D., Howard, R. E., Hubbard, W., et al. Backpropagation applied to handwritten zip code recognition. Neural computation, 1 (4), 541–551, 1989. 9 [46] LeCun, Y., Bottou, L., Bengio, Y., Haffner, P., et al. Gradient-based learning applied to document recognition. Proceedings of the IEEE, 86 (11), 2278–2324, 1998. 9, 10 [47] Carlini, N., Wagner, D. Towards evaluating the robustness of neural networks. En: 2017 ieee symposium on security and privacy (sp), págs. 39–57. IEEE, 2017. 13 [48] Moosavi-Dezfooli, S.-M., Fawzi, A., Frossard, P. Deepfool: a simple and accurate method to fool deep neural networks. En: Proceedings of the IEEE conference on computer vision and pattern recognition, págs. 2574–2582. 2016. 13, 14, 15 [49] Papernot, N., McDaniel, P., Jha, S., Fredrikson, M., Celik, Z. B., Swami, A. The limitations of deep learning in adversarial settings. En: 2016 IEEE European symposium on security and privacy (EuroS&P), págs. 372–387. IEEE, 2016. 13 [50] Carlini, N., Wagner, D. Adversarial examples are not easily detected: Bypassing ten detection methods. En: Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, págs. 3–14. ACM, 2017. 13, 17, 18 [51] Yuan, X., He, P., Zhu, Q., Li, X. Adversarial examples: Attacks and defenses for deep learning. IEEE transactions on neural networks and learning systems, 30 (9), 2805–2824, 2019. 17 [52] Papernot, N., McDaniel, P., Wu, X., Jha, S., Swami, A. Distillation as a defense to adversarial perturbations against deep neural networks. En: 2016 IEEE Symposium on Security and Privacy (SP), págs. 582–597. IEEE, 2016. 17 [53] Dhillon, G. S., Azizzadenesheli, K., Lipton, Z. C., Bernstein, J., Kossaifi, J., Khanna, A., et al. Stochastic activation pruning for robust adversarial defense. arXiv preprint arXiv:1803.01442, 2018. 17 [54] Guo, C., Rana, M., Cisse, M., Van Der Maaten, L. Countering adversarial images using input transformations. arXiv preprint arXiv:1711.00117, 2017. 17 [55] Xu, W., Evans, D., Qi, Y. Feature squeezing: Detecting adversarial examples in deep neural networks. arXiv preprint arXiv:1704.01155, 2017. 17, 33 [56] Meng, D., Chen, H. Magnet: a two-pronged defense against adversarial examples. En: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, p´ags. 135–147. 2017. 17 [57] Metzen, J. H., Genewein, T., Fischer, V., Bischoff, B. On detecting adversarial perturbations. arXiv preprint arXiv:1702.04267, 2017. 17 [58] Grosse, K., Manoharan, P., Papernot, N., Backes, M., McDaniel, P. On the (statistical) detection of adversarial examples. arXiv preprint arXiv:1702.06280, 2017. 18 [59] Li, X., Li, F. Adversarial examples detection in deep networks with convolutional filter statistics. En: Proceedings of the IEEE International Conference on Computer Vision, p´ags. 5764–5772. 2017. 18 [60] Dathathri, S., Zheng, S., Murray, R. M., Yue, Y. Detecting adversarial examples via neural fingerprinting. arXiv preprint arXiv:1803.03870, 2018. 18 [61] Bauerle, A., van Onzenoodt, C., Ropinski, T. Net2vis – a visual grammar for automatically generating publication-ready cnn architecture visualizations, 2020. 23 [62] Optuna repository. URL https://github.com/optuna/optuna. Accedido 7-04-2023. 22 [63] Sorscher, B., Ganguli, S., Sompolinsky, H. The geometry of concept learning. bioRxiv, 2021. URL https://www.biorxiv.org/content/early/2021/03/21/2021.03.21.436284. 27, 29, 30 [64] Jeeveswaran, K., Kathiresan, S., Varma, A., Magdy, O., Zonooz, B., Arani, E. A comprehensive study of vision transformers on dense prediction tasks. CoRR, abs/2201.08683, 2022. URL https://arxiv.org/abs/2201.08683. 38 |
| Materias: | Medicina |
| Divisiones: | Gcia. de área de Investigación y aplicaciones no nucleares > Gcia. de Física > Física médica |
| Código ID: | 1197 |
| Depositado Por: | Tamara Cárcamo |
| Depositado En: | 11 Aug 2023 15:46 |
| Última Modificación: | 11 Aug 2023 15:54 |
Personal del repositorio solamente: página de control del documento
