{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,17]],"date-time":"2026-04-17T01:11:57Z","timestamp":1776388317974,"version":"3.51.2"},"reference-count":37,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2021,1,7]],"date-time":"2021-01-07T00:00:00Z","timestamp":1609977600000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"},{"start":{"date-parts":[[2021,1,7]],"date-time":"2021-01-07T00:00:00Z","timestamp":1609977600000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["BMC Med Imaging"],"published-print":{"date-parts":[[2021,12]]},"abstract":"Abstract<\/jats:title>\n \n Background<\/jats:title>\n Deep neural networks (DNNs) are widely investigated in medical image classification to achieve automated support for clinical diagnosis. It is necessary to evaluate the robustness of medical DNN tasks against adversarial attacks, as high-stake decision-making will be made based on the diagnosis. Several previous studies have considered simple adversarial attacks. However, the vulnerability of DNNs to more realistic and higher risk attacks, such as universal adversarial perturbation (UAP), which is a single perturbation that can induce DNN failure in most classification tasks has not been evaluated yet.<\/jats:p>\n <\/jats:sec>\n \n Methods<\/jats:title>\n We focus on three representative DNN-based medical image classification tasks (i.e., skin cancer, referable diabetic retinopathy, and pneumonia classifications) and investigate their vulnerability to the seven model architectures of UAPs.<\/jats:p>\n <\/jats:sec>\n \n Results<\/jats:title>\n We demonstrate that DNNs are vulnerable to both nontargeted UAPs, which cause a task failure resulting in an input being assigned an incorrect class, and to targeted UAPs, which cause the DNN to classify an input into a specific class. The almost imperceptible UAPs achieved\u2009>\u200980% success rates for nontargeted and targeted attacks. The vulnerability to UAPs depended very little on the model architecture. Moreover, we discovered that adversarial retraining, which is known to be an effective method for adversarial defenses, increased DNNs\u2019 robustness against UAPs in only very few cases.<\/jats:p>\n <\/jats:sec>\n \n Conclusion<\/jats:title>\n Unlike previous assumptions, the results indicate that DNN-based clinical diagnosis is easier to deceive because of adversarial attacks. Adversaries can cause failed diagnoses at lower costs (e.g., without consideration of data distribution); moreover, they can affect the diagnosis. The effects of adversarial defenses may not be limited. Our findings emphasize that more careful consideration is required in developing DNNs for medical imaging and their practical applications.<\/jats:p>\n <\/jats:sec>","DOI":"10.1186\/s12880-020-00530-y","type":"journal-article","created":{"date-parts":[[2021,1,7]],"date-time":"2021-01-07T08:04:57Z","timestamp":1610006697000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":134,"title":["Universal adversarial attacks on deep neural networks for medical image classification"],"prefix":"10.1186","volume":"21","author":[{"given":"Hokuto","family":"Hirano","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Akinori","family":"Minagi","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6355-1366","authenticated-orcid":false,"given":"Kazuhiro","family":"Takemoto","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2021,1,7]]},"reference":[{"issue":"42","key":"530_CR1","doi-asserted-by":"publisher","first-page":"60","DOI":"10.1016\/j.media.2017.07.005","volume":"2017","author":"G Litjens","year":"2012","unstructured":"Litjens G, Kooi T, Bejnordi BE, Setio AAA, Ciompi F, Ghafoorian M, et al. A survey on deep learning in medical image analysis. Med Image Anal. 2012;2017(42):60\u201388. https:\/\/doi.org\/10.1016\/j.media.2017.07.005.","journal-title":"Med Image Anal"},{"key":"530_CR2","doi-asserted-by":"publisher","first-page":"115","DOI":"10.1038\/nature21056","volume":"542","author":"A Esteva","year":"2017","unstructured":"Esteva A, Kuprel B, Novoa RA, Ko J, Swetter SM, Blau HM, et al. Dermatologist-level classification of skin cancer with deep neural networks. Nature. 2017;542:115\u20138. https:\/\/doi.org\/10.1038\/nature21056.","journal-title":"Nature"},{"key":"530_CR3","doi-asserted-by":"publisher","first-page":"1122","DOI":"10.1016\/j.cell.2018.02.010","volume":"172","author":"DS Kermany","year":"2018","unstructured":"Kermany DS, Goldbaum M, Cai W, Valentim CCS, Liang H, Baxter SL, et al. Identifying medical diagnoses and treatable diseases by image-based deep learning. Cell. 2018;172:1122-1131.e9. https:\/\/doi.org\/10.1016\/j.cell.2018.02.010.","journal-title":"Cell"},{"key":"530_CR4","doi-asserted-by":"publisher","first-page":"e271","DOI":"10.1016\/S2589-7500(19)30123-2","volume":"1","author":"X Liu","year":"2019","unstructured":"Liu X, Faes L, Kale AU, Wagner SK, Fu DJ, Bruynseels A, et al. A comparison of deep learning performance against health-care professionals in detecting diseases from medical imaging: a systematic review and meta-analysis. Lancet Digital Health. 2019;1:e271\u201397. https:\/\/doi.org\/10.1016\/S2589-7500(19)30123-2.","journal-title":"Lancet Digital Health"},{"key":"530_CR5","doi-asserted-by":"publisher","first-page":"206","DOI":"10.1038\/s42256-019-0048-x","volume":"1","author":"C Rudin","year":"2019","unstructured":"Rudin C. Stop explaining black box machine learning models for high stakes decisions and use interpretable models instead. Nat Mach Intell. 2019;1:206\u201315. https:\/\/doi.org\/10.1038\/s42256-019-0048-x.","journal-title":"Nat Mach Intell"},{"key":"530_CR6","doi-asserted-by":"publisher","first-page":"305","DOI":"10.1038\/s42256-020-0186-1","volume":"2","author":"GA Kaissis","year":"2020","unstructured":"Kaissis GA, Makowski MR, R\u00fcckert D, Braren RF. Secure, privacy-preserving and federated machine learning in medical imaging. Nat Mach Intell. 2020;2:305\u201311. https:\/\/doi.org\/10.1038\/s42256-020-0186-1.","journal-title":"Nat Mach Intell"},{"key":"530_CR7","unstructured":"Goodfellow IJ, Shlens J, Szegedy C. Explaining and harnessing adversarial examples. 2014. http:\/\/arxiv.org\/abs\/1412.6572."},{"key":"530_CR8","doi-asserted-by":"publisher","first-page":"2805","DOI":"10.1109\/TNNLS.2018.2886017","volume":"30","author":"X Yuan","year":"2019","unstructured":"Yuan X, He P, Zhu Q, Li X. Adversarial examples: attacks and defenses for deep learning. IEEE Trans Neural Netw Learn Syst. 2019;30:2805\u201324. https:\/\/doi.org\/10.1109\/TNNLS.2018.2886017.","journal-title":"IEEE Trans Neural Netw Learn Syst"},{"key":"530_CR9","unstructured":"Matyasko A, Chau L-P. Improved network robustness with adversary critic. 2018. http:\/\/arxiv.org\/abs\/1810.12576."},{"key":"530_CR10","doi-asserted-by":"publisher","first-page":"1287","DOI":"10.1126\/science.aaw4399","volume":"363","author":"SG Finlayson","year":"2019","unstructured":"Finlayson SG, Bowers JD, Ito J, Zittrain JL, Beam AL, Kohane IS. Adversarial attacks on medical machine learning. Science (80-). 2019;363:1287\u20139. https:\/\/doi.org\/10.1126\/science.aaw4399.","journal-title":"Science (80-)"},{"key":"530_CR11","doi-asserted-by":"publisher","unstructured":"Asgari Taghanaki S, Das A, Hamarneh G. Vulnerability analysis of chest X-ray image classification against adversarial attacks. In: Understanding and interpreting machine learning in medical image computing applications. 2018. p. 87\u201394. https:\/\/doi.org\/10.1007\/978-3-030-02628-8_10.","DOI":"10.1007\/978-3-030-02628-8_10"},{"key":"530_CR12","doi-asserted-by":"crossref","unstructured":"Moosavi-Dezfooli SM, Fawzi A, Fawzi O, Frossard P. Universal adversarial perturbations. In: Proc\u201430th IEEE conf comput vis pattern recognition, CVPR 2017. 2017. p.86\u201394.","DOI":"10.1109\/CVPR.2017.17"},{"key":"530_CR13","doi-asserted-by":"publisher","first-page":"268","DOI":"10.3390\/a13110268","volume":"13","author":"H Hirano","year":"2020","unstructured":"Hirano H, Takemoto K. Simple iterative method for generating targeted universal adversarial perturbations. Algorithms. 2020;13:268. https:\/\/doi.org\/10.3390\/a13110268.","journal-title":"Algorithms"},{"key":"530_CR14","unstructured":"Madry A, Makelov A, Schmidt L, Tsipras D, Vladu A. Towards deep learning models resistant to adversarial attacks. In: International conference on learning representations. 2018. https:\/\/openreview.net\/forum?id=rJzIBfZAb."},{"key":"530_CR15","doi-asserted-by":"publisher","unstructured":"Carlini N, Wagner D. Adversarial examples are not easily detected. In: Proceedings of the 10th ACM workshop on artificial intelligence and security\u2014AISec\u201917. New York: ACM Press; 2017. p. 3\u201314. https:\/\/doi.org\/10.1145\/3128572.3140444.","DOI":"10.1145\/3128572.3140444"},{"key":"530_CR16","unstructured":"Wong E, Rice L, Kolter JZ. Fast is better than free: Revisiting adversarial training. In: International conference on learning representations. 2020. https:\/\/openreview.net\/forum?id=BJx040EFvH."},{"key":"530_CR17","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1007\/s11263-015-0816-y","volume":"115","author":"O Russakovsky","year":"2015","unstructured":"Russakovsky O, Deng J, Su H, Krause J, Satheesh S, Ma S, et al. ImageNet large scale visual recognition challenge. Int J Comput Vis. 2015;115:211\u201352. https:\/\/doi.org\/10.1007\/s11263-015-0816-y.","journal-title":"Int J Comput Vis."},{"key":"530_CR18","doi-asserted-by":"publisher","unstructured":"Szegedy C, Vanhoucke V, Ioffe S, Shlens J, Wojna Z. Rethinking the inception architecture for computer vision. In: 2016 IEEE conference on computer vision and pattern recognition (CVPR). IEEE; 2016. p. 2818\u201326. https:\/\/doi.org\/10.1109\/CVPR.2016.308.","DOI":"10.1109\/CVPR.2016.308"},{"key":"530_CR19","unstructured":"Simonyan K, Zisserman A. Very deep convolutional networks for large-scale image recognition. In: 3rd International conference on learning representations, ICLR 2015\u2014conference track proceedings. 2015."},{"key":"530_CR20","doi-asserted-by":"publisher","unstructured":"He K, Zhang X, Ren S, Sun J. Deep residual learning for image recognition. In: 2016 IEEE conference on computer vision and pattern recognition (CVPR). IEEE; 2016. p. 770\u20138. https:\/\/doi.org\/10.1109\/CVPR.2016.90.","DOI":"10.1109\/CVPR.2016.90"},{"key":"530_CR21","doi-asserted-by":"crossref","unstructured":"Szegedy C, Ioffe S, Vanhoucke V, Alemi AA. Inception-v4, inception-ResNet and the impact of residual connections on learning. In: 31st AAAI conference on artificial intelligence, AAAI 2017. 2017.","DOI":"10.1609\/aaai.v31i1.11231"},{"key":"530_CR22","doi-asserted-by":"crossref","unstructured":"Huang G, Liu Z, Van Der Maaten L, Weinberger KQ. Densely connected convolutional networks. In: Proceedings\u201430th IEEE conference on computer vision and pattern recognition, CVPR 2017. 2017.","DOI":"10.1109\/CVPR.2017.243"},{"key":"530_CR23","unstructured":"Nicolae M-I, Sinn M, Tran MN, Buesser B, Rawat A, Wistuba M, et al. Adversarial robustness toolbox v1.0.0. 2018. http:\/\/arxiv.org\/abs\/1807.01069."},{"key":"530_CR24","doi-asserted-by":"publisher","unstructured":"Moosavi-Dezfooli S-M, Fawzi A, Frossard P. DeepFool: a simple and accurate method to fool deep neural networks. In: 2016 IEEE conference on computer vision and pattern recognition (CVPR). IEEE; 2016. p. 2574\u201382. https:\/\/doi.org\/10.1109\/CVPR.2016.282.","DOI":"10.1109\/CVPR.2016.282"},{"key":"530_CR25","unstructured":"Wang J, Chen Y, Li W, Kong W, He Y, Jiang C, et al. Domain adaptation model for retinopathy detection from cross-domain OCT images. In: Arbel T, Ayed I Ben, de Bruijne M, Descoteaux M, Lombaert H, Pal C, editors. Proceedings of machine learning research. Montreal, QC: PMLR; 2020. p. 795\u2013810. http:\/\/proceedings.mlr.press\/v121\/wang20a.html."},{"key":"530_CR26","doi-asserted-by":"publisher","first-page":"1379","DOI":"10.1109\/JBHI.2019.2942429","volume":"24","author":"Y Gu","year":"2020","unstructured":"Gu Y, Ge Z, Bonnington CP, Zhou J. Progressive transfer learning and adversarial domain adaptation for cross-domain skin disease classification. IEEE J Biomed Heal Inform. 2020;24:1379\u201393. https:\/\/doi.org\/10.1109\/JBHI.2019.2942429.","journal-title":"IEEE J Biomed Heal Inform"},{"key":"530_CR27","unstructured":"Zhang H, Yu Y, Jiao J, Xing E, Ghaoui L El, Jordan M. Theoretically principled trade-off between robustness and accuracy. In: Chaudhuri K, Salakhutdinov R, editors. Proceedings of the 36th international conference on machine learning. Long Beach, California: PMLR; 2019. p. 7472\u201382. http:\/\/proceedings.mlr.press\/v97\/zhang19p.html."},{"key":"530_CR28","unstructured":"Xiao C, Zhong P, Zheng C. Enhancing adversarial defense by k-winners-take-all. In: Proc 8th int conf learn represent. 2020. http:\/\/arxiv.org\/abs\/1905.10510."},{"key":"530_CR29","unstructured":"Song C, He K, Wang L, Hopcroft JE. Improving the generalization of adversarial training with domain adaptation. In: 7th Int conf learn represent ICLR 2019. 2019. http:\/\/arxiv.org\/abs\/1810.00740."},{"key":"530_CR30","unstructured":"Croce F, Hein M. Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In: Proc 37th int conf mach learn. 2020. http:\/\/arxiv.org\/abs\/2003.01690."},{"key":"530_CR31","doi-asserted-by":"publisher","first-page":"126582","DOI":"10.1109\/ACCESS.2019.2939352","volume":"7","author":"U Hwang","year":"2019","unstructured":"Hwang U, Park J, Jang H, Yoon S, Cho NI. PuVAE: a variational autoencoder to purify adversarial examples. IEEE Access. 2019;7:126582\u201393. https:\/\/doi.org\/10.1109\/ACCESS.2019.2939352.","journal-title":"IEEE Access"},{"key":"530_CR32","doi-asserted-by":"publisher","DOI":"10.1073\/pnas.1907377117","author":"V Antun","year":"2020","unstructured":"Antun V, Renna F, Poon C, Adcock B, Hansen AC. On instabilities of deep learning in image reconstruction and the potential costs of AI. ProcNatlAcad Sci. 2020. https:\/\/doi.org\/10.1073\/pnas.1907377117.","journal-title":"ProcNatlAcad Sci."},{"key":"530_CR33","doi-asserted-by":"publisher","unstructured":"Tabacof P, Valle E. Exploring the space of adversarial images. In: 2016 International joint conference on neural networks (IJCNN). IEEE; 2016. p. 426\u201333. https:\/\/doi.org\/10.1109\/IJCNN.2016.7727230.","DOI":"10.1109\/IJCNN.2016.7727230"},{"key":"530_CR34","doi-asserted-by":"publisher","first-page":"945","DOI":"10.1093\/jamia\/ocy017","volume":"25","author":"K Chang","year":"2018","unstructured":"Chang K, Balachandar N, Lam C, Yi D, Brown J, Beers A, et al. Distributed deep learning networks among institutions for medical imaging. J Am Med Inform Assoc. 2018;25:945\u201354.","journal-title":"J Am Med Inform Assoc"},{"key":"530_CR35","doi-asserted-by":"publisher","first-page":"89","DOI":"10.1016\/j.cose.2019.04.014","volume":"85","author":"J Chen","year":"2019","unstructured":"Chen J, Su M, Shen S, Xiong H, Zheng H. POBA-GA: perturbation optimized black-box adversarial attacks via genetic algorithm. Comput Secur. 2019;85:89\u2013106. https:\/\/doi.org\/10.1016\/j.cose.2019.04.014.","journal-title":"Comput Secur"},{"key":"530_CR36","unstructured":"Guo C, Gardner JR, You Y, Wilson AG, Weinberger KQ. Simple black-box adversarial attacks. In: Proc 36th int conf mach learn. 2019. p. 2484\u201393. http:\/\/arxiv.org\/abs\/1905.07121."},{"key":"530_CR37","doi-asserted-by":"publisher","unstructured":"Co KT, Mu\u00f1oz-Gonz\u00e1lez L, de Maupeou S, Lupu EC. Procedural noise adversarial examples for black-box attacks on deep convolutional networks. In: Proceedings of the 2019 ACM SIGSAC conference on computer and communications security. New York, NY: ACM; 2019. p. 275\u201389. https:\/\/doi.org\/10.1145\/3319535.3345660.","DOI":"10.1145\/3319535.3345660"}],"container-title":["BMC Medical Imaging"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1186\/s12880-020-00530-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1186\/s12880-020-00530-y\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1186\/s12880-020-00530-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,12,10]],"date-time":"2022-12-10T17:08:35Z","timestamp":1670692115000},"score":1,"resource":{"primary":{"URL":"https:\/\/bmcmedimaging.biomedcentral.com\/articles\/10.1186\/s12880-020-00530-y"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,1,7]]},"references-count":37,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021,12]]}},"alternative-id":["530"],"URL":"https:\/\/doi.org\/10.1186\/s12880-020-00530-y","relation":{"has-preprint":[{"id-type":"doi","id":"10.21203\/rs.3.rs-70727\/v1","asserted-by":"object"},{"id-type":"doi","id":"10.21203\/rs.3.rs-70727\/v2","asserted-by":"object"}]},"ISSN":["1471-2342"],"issn-type":[{"value":"1471-2342","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,1,7]]},"assertion":[{"value":"2 September 2020","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"26 November 2020","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"7 January 2021","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"Not applicable.","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethics approval and consent to participate"}},{"value":"Not applicable.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Consent for publication"}},{"value":"The authors declare that they have no competing interests.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"9"}}