Adversarial Exposure Attack on Diabetic Retinopathy Imagery Grading

Yupeng Cheng, Qing Guo, Felix Juefei-Xu, Huazhu Fu, Shang-Wei Lin, Weisi Lin

TL;DR

This paper identifies and introduces a novel solution to an entirely new task, termed as adversarial exposure attack, which is able to produce natural exposure images and mislead the state-of-the-art DNNs.

Abstract

Diabetic Retinopathy (DR) is a leading cause of vision loss around the world. To help diagnose it, numerous cutting-edge works have built powerful deep neural networks (DNNs) to automatically grade DR via retinal fundus images (RFIs). However, RFIs are commonly affected by camera exposure issues that may lead to incorrect grades. The mis-graded results can potentially pose high risks to an aggravation of the condition. In this paper, we study this problem from the viewpoint of adversarial attacks. We identify and introduce a novel solution to an entirely new task, termed as adversarial exposure attack, which is able to produce natural exposure images and mislead the state-of-the-art DNNs. We validate our proposed method on a real-world public DR dataset with three DNNs, e.g., ResNet50, MobileNet, and EfficientNet, demonstrating that our method achieves high image quality and success rate in transferring the attacks. Our method reveals the potential threats to DNN-based automatic DR grading and would benefit the development of exposure-robust DR grading methods in the future.

Paper Structure

This paper contains 32 sections, 14 equations, 7 figures, 4 tables, 2 algorithms.

Figures (7)

  • Figure 1: A normal retinal fundus image (left) is correctly classified as 'non-DR' by a pre-trained ResNet50. After applying our adversarial exposure attack, the corresponding adversarial example is mis-predicted as 'moderate DR'.
  • Figure 2: Recognition visualization results of an example input (a) and adversarial examples (b-d) generated by different versions of our method discussed in Sec. \ref{sec:method}. (b) is produced by Eq. \ref{eq:expmodel}. (c) is produced by bracketed exposure fusion (BEF). (d) is produced by convolutional bracketed exposure fusion (CBEF). The ground truth label is listed in the top-left of the input image. For each adversarial example, the predictions of three models, which are ResNet50, MobileNet and EfficientNet, are listed in the top-left. The two values on the bottom refer to the image quality assessment values, which are structural similarity (SSIM) \cite{wang2004image} and blind/referenceless image spatial quality evaluator (BRISQUE) \cite{mittal2012no}.
  • Figure 3: Pipeline of our model for adversarial exposure attacks. (a) is based on adversarial BEF and (b) shows the workflow of CBEF. Blue curve in the right block indicates the decision boundary between DR degrees '0' and '2'.
  • Figure 4: Attack success rate along with SSIM and BRISQUE for adversarial examples crafted from ResNet50 by the baseline methods and our four attacks, which are BEF, CBEF, $\mathrm{BEF_{PGD}}$ and $\mathrm{CBEF_{PGD}}$. (To reduce confusion caused by too many curves, we hid the less competitive baselines, FGSM, IFGSM, TIFGSM, and TIIFGSM.) Our curves are generated by tuning the attack step sizes $\alpha_w$ in Eq. \ref{eq:bracketed_obj_opt} and $\alpha_k$ in Eq. \ref{eq:conv_bracketed_obj_opt} from $0.005$ to $0.1$. For the additive-perturbation-based attacks, we tune the maximum perturbation ranges from $16$ to $64$ with the max intensity of $255$. For the C&W attack, we tune the weight $c$ ranging from $0.01$ to $10$. For the SA attack, we tune the maximum perturbed pixels $k$ ranging from $1 \times 10^4$ to $5 \times 10^4$. For NIE, we tune the EV setting $e_i$ in Eq. \ref{eq:bracketed} from $-3$ to $3$ ("NIE+": $0$ to $3$; "NIE-": $0$ to $-3$).
  • Figure 5: Visualization results of adversarial examples crafted for the ResNet50, using our methods, which are BEF, CBEF, $\mathrm{BEF_{PGD}}$, and $\mathrm{CBEF_{PGD}}$, as well as baseline attacks. For each image, its DR grading result through ResNet50 is displayed on the top-left. The three numbers at the bottom are SSIM, BRISQUE and $L_2$ norm values ($a \mathrm{e} -b$ refers to $a \times 10^{-b}$). The five inputs (1st column) are correctly classified to their ground truth DR grades, and the numbered labels can be used to gauge the classification of all the remaining attack algorithms (columns $2$-$17$).
  • ...and 2 more figures