Defending Deep Learning-Based Biomedical Image Segmentation from Adversarial Attacks: A Low-Cost Frequency Refinement Approach

Abstract

Deep learning has demonstrated superb performance and efficiency in medical image segmentation. However, recently the community has also found the first practical adversarial example crafting algorithm dedicated to misleading deep learning-based biomedical image segmentation models. The generated segmentation-oriented adversarial examples, while almost indistinguishable by human eyes, can always produce target incorrect segmentation prediction with high intersection-over-union (IoU) rate, significantly concerning the safe use of such an emerging technique in medical diagnosis tasks. On the other hand, research on defending such an emerging attack in the context of medical image segmentation is lacking. In this work, we make the very first attempt to develop a low-cost and effective input-transformation based defense technique. To maximize the defense efficiency (or recovered segmentation results) of adversarial samples while minimizing the segmentation performance loss of benign samples after applying defense, we propose a novel low-cost image compression-based defense approach guided by fine-grained frequency refinement (FR). Extensive experimental results on various deep learning segmentation models show that our defense can offer very high defense efficiency against adversarial examples with very marginal segmentation performance loss of benign images on both ISIC skin lesion segmentation challenge and the problem of glaucoma optic disc segmentation. To further validate our method’s effectiveness, we also extend our evaluation to the image classification model. We show the influence of our recovered segmentation prediction by our defense on disease prediction in adversarial settings. The code is released at: https://github.com/qiliu08/frequency-refinement-defense.