Annu Int Conf IEEE Eng Med Biol Soc. 2022 Jul;2022:313-316. doi: 10.1109/EMBC48229.2022.9871347.
Deep learning techniques are increasingly used for decision-making in health applications; however, they can easily be manipulated by adversarial examples across different clinical domains. Their security and privacy vulnerabilities raise concerns about the practical deployment of these systems. The number and variety of adversarial attacks grow continuously, making it difficult for mitigation approaches to provide effective solutions. Current mitigation techniques often rely on expensive re-training procedures as new attacks emerge. In this paper, we propose a novel adversarial mitigation technique for biosignal classification tasks. Our approach is based on recent findings interpreting early exit neural networks as an ensemble of weight-sharing sub-networks. Our experiments on state-of-the-art deep learning models show that early exit ensembles can provide robustness that generalizes to various white-box and universal adversarial attacks. The approach increases the accuracy of vulnerable deep learning models by up to 60 percentage points, while providing adversarial mitigation comparable to adversarial training. This is achieved without previous exposure to the adversarial perturbation or the computational burden of re-training.
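The following is an added illustration of the idea the abstract describes, not code from the paper or its authors. It builds a small early-exit network in plain Python: one shared backbone of dense blocks, with a classification head attached after every block, so each exit is a sub-network that shares weights with the deeper ones. The exit predictions are then combined into an ensemble. The abstract does not state the aggregation rule the authors use; averaging the softmax outputs of all exits and majority voting are assumptions made here for illustration. The per-exit logits at the end are constructed by hand to show the defensive property: when only the final exit's decision is wrong, the averaged ensemble still follows the agreeing earlier exits.

```python
import math
import random
from typing import List, Sequence, Tuple

Vector = List[float]
Matrix = List[List[float]]


def softmax(logits: Sequence[float]) -> Vector:
    """Numerically stable softmax over one exit's logits."""
    m = max(logits)
    exps = [math.exp(v - m) for v in logits]
    total = sum(exps)
    return [e / total for e in exps]


def relu(x: Sequence[float]) -> Vector:
    return [max(0.0, v) for v in x]


def dense(x: Sequence[float], W: Matrix, b: Sequence[float]) -> Vector:
    """Fully connected layer; W has one row per output unit."""
    return [sum(w * xi for w, xi in zip(row, x)) + bi for row, bi in zip(W, b)]


class EarlyExitNet:
    """Shared backbone with one classification head (exit) after each block.

    Exit k only uses backbone blocks 1..k, so the exits form a set of
    sub-networks that share weights with each other (toy model, random
    weights; assumption for illustration, not the paper's architecture).
    """

    def __init__(self, in_dim: int, hidden: int, n_classes: int, depth: int, seed: int = 0):
        rng = random.Random(seed)

        def mat(rows: int, cols: int) -> Matrix:
            return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]

        self.backbone: List[Tuple[Matrix, Vector]] = []
        d = in_dim
        for _ in range(depth):
            self.backbone.append((mat(hidden, d), [0.0] * hidden))
            d = hidden
        self.exits: List[Tuple[Matrix, Vector]] = [
            (mat(n_classes, hidden), [0.0] * n_classes) for _ in range(depth)
        ]

    def forward(self, x: Sequence[float]) -> List[Vector]:
        """One pass through the backbone; returns the logits of every exit."""
        logits: List[Vector] = []
        h = list(x)
        for (W, b), (We, be) in zip(self.backbone, self.exits):
            h = relu(dense(h, W, b))        # shared block
            logits.append(dense(h, We, be))  # exit head on this block's output
        return logits


def argmax(v: Sequence[float]) -> int:
    return max(range(len(v)), key=lambda i: v[i])


def ensemble_predict(exit_logits: Sequence[Sequence[float]]) -> Vector:
    """Average the softmax output of all exits (assumed aggregation rule)."""
    probs = [softmax(l) for l in exit_logits]
    n_exits = len(probs)
    n_classes = len(probs[0])
    return [sum(p[c] for p in probs) / n_exits for c in range(n_classes)]


def majority_vote(exit_logits: Sequence[Sequence[float]]) -> int:
    """Alternative aggregation: class chosen by most exits (ties -> lowest class)."""
    votes = [argmax(l) for l in exit_logits]
    return max(sorted(set(votes)), key=lambda c: votes.count(c))


# Constructed per-exit logits for a 2-class biosignal decision (not real model
# output): the two early exits favour class 0, the final exit favours class 1.
CONSTRUCTED_EXIT_LOGITS = [
    [2.0, 0.0],   # exit 1
    [1.5, 0.0],   # exit 2
    [0.0, 3.0],   # exit 3 (final), disagreeing with the earlier exits
]

if __name__ == "__main__":
    net = EarlyExitNet(in_dim=4, hidden=8, n_classes=2, depth=3)
    all_logits = net.forward([0.1, 0.2, 0.3, 0.4])
    print("exits:", len(all_logits), "ensemble:", ensemble_predict(all_logits))
    print("final exit alone:", argmax(CONSTRUCTED_EXIT_LOGITS[-1]),
          "ensemble:", argmax(ensemble_predict(CONSTRUCTED_EXIT_LOGITS)),
          "vote:", majority_vote(CONSTRUCTED_EXIT_LOGITS))
```

With the constructed logits the final exit alone predicts class 1, while the averaged ensemble (roughly 0.58 vs 0.42) and the majority vote both return class 0. The cost of this aggregation is one forward pass plus the cheap exit heads, which is the point the abstract makes about avoiding re-training.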