{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,9]],"date-time":"2026-04-09T14:39:44Z","timestamp":1775745584783,"version":"3.50.1"},"reference-count":35,"publisher":"Springer Science and Business Media LLC","issue":"S2","license":[{"start":{"date-parts":[[2022,6,20]],"date-time":"2022-06-20T00:00:00Z","timestamp":1655683200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,6,20]],"date-time":"2022-06-20T00:00:00Z","timestamp":1655683200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"NSF CREST Grant","award":["HRD-1736209"],"award-info":[{"award-number":["HRD-1736209"]}]},{"name":"NSF CAREER Grant","award":["CNS-1553696"],"award-info":[{"award-number":["CNS-1553696"]}]},{"DOI":"10.13039\/100004917","name":"Cancer Prevention and Research Institute of Texas","doi-asserted-by":"publisher","award":["RP190346"],"award-info":[{"award-number":["RP190346"]}],"id":[{"id":"10.13039\/100004917","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100004917","name":"Cancer Prevention and Research Institute of Texas","doi-asserted-by":"publisher","award":["RP190346"],"award-info":[{"award-number":["RP190346"]}],"id":[{"id":"10.13039\/100004917","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["BMC Med Inform Decis Mak"],"published-print":{"date-parts":[[2022,12]]},"abstract":"Abstract<\/jats:title>\n Background<\/jats:title>\n Deep learning (DL) models are highly vulnerable to adversarial attacks for medical image classification. An adversary could modify the input data in imperceptible ways such that a model could be tricked to predict, say, an image that actually exhibits malignant tumor to a prediction that it is benign. However, adversarial robustness of DL models for medical images is not adequately studied. DL in medicine is inundated with models of various complexity\u2014particularly, very large models. In this work, we investigate the role of model complexity in adversarial settings.<\/jats:p>\n <\/jats:sec>\n Results<\/jats:title>\n Consider a set of DL models that exhibit similar performances for a given task. These models are trained in the usual manner but are not trained to defend against adversarial attacks. We demonstrate that, among those models, simpler models of reduced complexity show a greater level of robustness against adversarial attacks than larger models that often tend to be used in medical applications. On the other hand, we also show that once those models undergo adversarial training, the adversarial trained medical image DL models exhibit a greater degree of robustness than the standard trained models for all model complexities.<\/jats:p>\n <\/jats:sec>\n Conclusion<\/jats:title>\n The above result has a significant practical relevance. When medical practitioners lack the expertise or resources to defend against adversarial attacks, we recommend that they select the smallest of the models that exhibit adequate performance. Such a model would be naturally more robust to adversarial attacks than the larger models.<\/jats:p>\n <\/jats:sec>","DOI":"10.1186\/s12911-022-01891-w","type":"journal-article","created":{"date-parts":[[2022,6,20]],"date-time":"2022-06-20T10:04:17Z","timestamp":1655719457000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":33,"title":["On the role of deep learning model complexity in adversarial robustness for medical images"],"prefix":"10.1186","volume":"22","author":[{"given":"David","family":"Rodriguez","sequence":"first","affiliation":[]},{"given":"Tapsya","family":"Nayak","sequence":"additional","affiliation":[]},{"given":"Yidong","family":"Chen","sequence":"additional","affiliation":[]},{"given":"Ram","family":"Krishnan","sequence":"additional","affiliation":[]},{"given":"Yufei","family":"Huang","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2022,6,20]]},"reference":[{"issue":"3","key":"1891_CR1","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1007\/s11263-015-0816-y","volume":"115","author":"O Russakovsky","year":"2015","unstructured":"Russakovsky O, Deng J, Su H, Krause J, Satheesh S, Ma S, Huang Z, Karpathy A, Khosla A, Bernstein M, et al. Imagenet large scale visual recognition challenge. Int J Comput Vis. 2015;115(3):211\u201352. https:\/\/doi.org\/10.1007\/s11263-015-0816-y.","journal-title":"Int J Comput Vis"},{"key":"1891_CR2","unstructured":"Rajpurkar, P., Irvin, J., Zhu, K., Yang, B., Mehta, H., Duan, T., Ding, D., Bagul, A., Langlotz, C., Shpanskaya, K., Lungren, M.P., Ng, A.Y. CheXNet: Radiologist-Level Pneumonia Detection on Chest X-Rays with Deep Learning (2017). arXiv:1711.05225"},{"key":"1891_CR3","unstructured":"Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., Fergus, R. Intriguing properties of neural networks (2013). arXiv:1312.6199"},{"key":"1891_CR4","unstructured":"Finlayson, S.G., Chung, H.W., Kohane, I.S., Beam, A.L. Adversarial Attacks Against Medical Deep Learning Systems (2018). arXiv:1804.05296"},{"key":"1891_CR5","doi-asserted-by":"crossref","unstructured":"Xu, W., Evans, D., Qi, Y. Feature squeezing: Detecting adversarial examples in deep neural networks. arXiv preprint arXiv:1704.01155 (2017)","DOI":"10.14722\/ndss.2018.23198"},{"key":"1891_CR6","doi-asserted-by":"crossref","unstructured":"Papernot, N., McDaniel, P., Wu, X., Jha, S., Swami, A. Distillation as a defense to adversarial perturbations against deep neural networks. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 582\u2013597 (2016). IEEE","DOI":"10.1109\/SP.2016.41"},{"key":"1891_CR7","unstructured":"Tram`er, F., Kurakin, A., Papernot, N., Goodfellow, I., Boneh, D., McDaniel, P.: Ensemble Adversarial Training: Attacks and Defenses (2020). arXiv:1705.07204"},{"key":"1891_CR8","unstructured":"Madry, A., Makelov, A., Schmidt, L., Tsipras, D., Vladu, A. Towards Deep Learning Models Resistant to Adversarial Attacks (2017). arXiv:1706.06083"},{"issue":"1","key":"1891_CR9","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1038\/s41746-020-00324-0","volume":"3","author":"S Benjamens","year":"2020","unstructured":"Benjamens S, Dhunnoo P, Mesko B. The state of artificial intelligence-based fda-approved medical devices and algorithms: an online database. NPJ Digital Med. 2020;3(1):1\u20138.","journal-title":"NPJ Digital Med."},{"issue":"7639","key":"1891_CR10","doi-asserted-by":"publisher","first-page":"115","DOI":"10.1038\/nature21056","volume":"542","author":"A Esteva","year":"2017","unstructured":"Esteva A, Kuprel B, Novoa RA, Ko J, Swetter SM, Blau HM, Thrun S. Dermatologist-level classification of skin cancer with deep neural networks. Nature. 2017;542(7639):115\u20138.","journal-title":"Nature"},{"issue":"22","key":"1891_CR11","doi-asserted-by":"publisher","first-page":"2402","DOI":"10.1001\/jama.2016.17216","volume":"316","author":"V Gulshan","year":"2016","unstructured":"Gulshan V, Peng L, Coram M, Stumpe MC, Wu D, Narayanaswamy A, Venugopalan S, Widner K, Madams T, Cuadros J, et al. Development and validation of a deep learning algorithm for detection of diabetic retinopathy in retinal fundus photographs. JAMA. 2016;316(22):2402\u201310.","journal-title":"JAMA"},{"key":"1891_CR12","doi-asserted-by":"crossref","unstructured":"An, S., Xiao, C., Stewart, W.F., Sun, J.: Longitudinal adversarial attack on electronic health records data. In: The World Wide Web Conference, pp. 2558\u20132564 (2019)","DOI":"10.1145\/3308558.3313528"},{"issue":"1","key":"1891_CR13","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1186\/s12880-020-00530-y","volume":"21","author":"H Hirano","year":"2021","unstructured":"Hirano H, Minagi A, Takemoto K. Universal adversarial attacks on deep neural networks for medical image classification. BMC Med Imaging. 2021;21(1):1\u201313.","journal-title":"BMC Med Imaging"},{"key":"1891_CR14","doi-asserted-by":"publisher","DOI":"10.1016\/j.patcog.2020.107332","author":"X Ma","year":"2020","unstructured":"Ma X, Niu Y, Gu L, Wang Y, Zhao Y, Bailey J, Lu F. Understanding adversarial attacks on deep learning based medical image analysis systems. Pattern Recognit. 2020. https:\/\/doi.org\/10.1016\/j.patcog.2020.107332.","journal-title":"Pattern Recognit"},{"key":"1891_CR15","unstructured":"Novak, R., Bahri, Y., Abolafia, D.A., Pennington, J., Sohl-Dickstein, J.: Sensitivity and Generalization in Neural Networks: an Empirical Study (2018). arXiv:1802.08760"},{"key":"1891_CR16","doi-asserted-by":"publisher","unstructured":"Su, D., Zhang, H., Chen, H., Yi, J., Chen, P.-Y., Gao, Y.: Is robustness the cost of accuracy?\u2014A comprehensive study on the robustness of 18 deep image classification models. Lecture Notes in Computer Science, pp. 644\u2013661 (2018). https:\/\/doi.org\/10.1007\/978-3-030-01258-8 39","DOI":"10.1007\/978-3-030-01258-8"},{"key":"1891_CR17","doi-asserted-by":"crossref","unstructured":"He, K., Zhang, X., Ren, S., Sun, J. Deep Residual Learning for Image Recognition (2015). arXiv:1512.03385","DOI":"10.1109\/CVPR.2016.90"},{"key":"1891_CR18","unstructured":"Raghu, M., Zhang, C., Kleinberg, J., Bengio, S. Transfusion: Understanding Transfer Learning for Medical Imaging (2019). arXiv:1902.07208"},{"key":"1891_CR19","unstructured":"Simonyan, K., Vedaldi, A., Zisserman, A. Deep inside convolutional networks: Visualising image classification models and saliency maps. arXiv preprint arXiv:1312.6034 (2013)"},{"key":"1891_CR20","unstructured":"Cubuk, E.D., Zoph, B., Schoenholz, S.S., Le, Q.V. Intriguing properties of adversarial examples. arXiv preprint arXiv:1711.02846 (2017)"},{"key":"1891_CR21","unstructured":"Tsipras, D., Santurkar, S., Engstrom, L., Turner, A., Madry, A. Robustness May Be at Odds with Accuracy (2019). arXiv:1805.12152"},{"key":"1891_CR22","unstructured":"Ilyas, A., Santurkar, S., Tsipras, D., Engstrom, L., Tran, B., Madry, A. Adversarial Examples Are Not Bugs, They Are Features (2019). arXiv:1905.02175"},{"key":"1891_CR23","unstructured":"Chollet, F., et al.: Keras. https:\/\/keras.io (2015)"},{"issue":"Nov","key":"1891_CR24","first-page":"2579","volume":"9","author":"Lvd Maaten","year":"2008","unstructured":"Maaten Lvd, Hinton G. Visualizing data using t-sne. J Mach Learn Res. 2008;9(Nov):2579\u2013605.","journal-title":"J Mach Learn Res"},{"key":"1891_CR25","first-page":"2825","volume":"12","author":"F Pedregosa","year":"2011","unstructured":"Pedregosa F, Varoquaux G, Gramfort A, Michel V, Thirion B, Grisel O, Blondel M, Prettenhofer P, Weiss R, Dubourg V, Vanderplas J, Passos A, Cournapeau D, Brucher M, Perrot M, Duchesnay E. Scikit-learn: machine learning in python. J Mach Learn Res. 2011;12:2825\u201330.","journal-title":"J Mach Learn Res"},{"issue":"24","key":"1891_CR26","doi-asserted-by":"publisher","first-page":"638","DOI":"10.21105\/joss.00638","volume":"3","author":"S Raschka","year":"2018","unstructured":"Raschka S. Mlxtend: Providing machine learning and data science utilities and extensions to python\u2019s scientific computing stack. J Open Source Softw. 2018;3(24):638. https:\/\/doi.org\/10.21105\/joss.00638.","journal-title":"J. Open Source Softw."},{"issue":"5","key":"1891_CR27","doi-asserted-by":"publisher","first-page":"1122","DOI":"10.1016\/j.cell.2018.02.010","volume":"172","author":"DS Kermany","year":"2018","unstructured":"Kermany DS, Goldbaum M, Cai W, Valentim CC, Liang H, Baxter SL, McKeown A, Yang G, Wu X, Yan F, et al. Identifying medical diagnoses and treatable diseases by image-based deep learning. Cell. 2018;172(5):1122\u201331.","journal-title":"Cell"},{"key":"1891_CR28","unstructured":"Scarlat, A.: dermoscopic pigmented skin lesions from HAM10k. https:\/\/www.kaggle.com\/drscarlat\/melanoma"},{"key":"1891_CR29","doi-asserted-by":"crossref","unstructured":"Rasul, M.F., Kumar Dey, N., Hashem, M.M.A.: A comparative study of neural network architectures for lesion segmentation and melanoma detection (2020)","DOI":"10.1109\/TENSYMP50017.2020.9230969"},{"key":"1891_CR30","doi-asserted-by":"publisher","unstructured":"Wang, X., Peng, Y., Lu, L., Lu, Z., Bagheri, M., Summers, R.M. Chestx-ray8: Hospital-scale chest x-ray database and benchmarks on weakly-supervised classification and localization of common thorax diseases. In: 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR) (2017). https:\/\/doi.org\/10.1109\/cvpr.2017.369","DOI":"10.1109\/cvpr.2017.369"},{"key":"1891_CR31","unstructured":"Chakraborty, A., Alam, M., Dey, V., Chattopadhyay, A., Mukhopadhyay, D.: Adversarial Attacks and Defences: A Survey (2018). arXiv:1810.00069"},{"key":"1891_CR32","unstructured":"Goodfellow, I.J., Shlens, J., Szegedy, C.: Explaining and Harnessing Adversarial Examples (2014). arXiv:1412.6572"},{"key":"1891_CR33","unstructured":"Kurakin, A., Goodfellow, I., Bengio, S.: Adversarial Machine Learning at Scale (2016). arXiv:1611.01236"},{"key":"1891_CR34","unstructured":"Kurakin, A., Goodfellow, I., Bengio, S.: Adversarial examples in the physical world (2016). arXiv:1607.02533"},{"key":"1891_CR35","unstructured":"Papernot, N., Faghri, F., Carlini, N., Goodfellow, I., Feinman, R., Kurakin, A., Xie, C., Sharma, Y., Brown, T., Roy, A., Matyasko, A., Behzadan, V., Hambardzumyan, K., Zhang, Z., Juang, Y.-L., Li, Z., Sheatsley, R., Garg, A., Uesato, J., Gierke, W., Dong, Y., Berthelot, D., Hendricks, P., Rauber, J., Long, R. Technical report on the cleverhans v2.1.0 adversarial examples library. arXiv preprint arXiv:1610.00768 (2018)"}],"container-title":["BMC Medical Informatics and Decision Making"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s12911-022-01891-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s12911-022-01891-w\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s12911-022-01891-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,6,20]],"date-time":"2022-06-20T10:06:59Z","timestamp":1655719619000},"score":1,"resource":{"primary":{"URL":"https:\/\/bmcmedinformdecismak.biomedcentral.com\/articles\/10.1186\/s12911-022-01891-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,6,20]]},"references-count":35,"journal-issue":{"issue":"S2","published-print":{"date-parts":[[2022,12]]}},"alternative-id":["1891"],"URL":"https:\/\/doi.org\/10.1186\/s12911-022-01891-w","relation":{},"ISSN":["1472-6947"],"issn-type":[{"value":"1472-6947","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,6,20]]},"assertion":[{"value":"21 April 2022","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"23 May 2022","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"20 June 2022","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"Not applicable.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethics approval and consent to participate"}},{"value":"Not applicable.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Consent for publication"}},{"value":"The authors declare that they have no competing interests.","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"160"}}