Table 1.
Fooling rates Rf (%) of non-targeted UAPs against the COVID-Net models.
Fig 1.
Confusion matrices for the COVID-Net models attacked using the non-targeted UAPs on the test images.
p = ∞. Left and right panels represent the COVIDNet-CXR Small and COVIDNet-CXR Large models, respectively. The top and bottom panels indicate ζ = 1% and ζ = 2%, respectively.
Fig 2.
Non-targeted UAPs with p = ∞ against the COVID-Net models and their adversarial images.
UAPs (top panels) with ζ = 1% and ζ = 2% are shown. The models correctly classified the original images (left panels) into their actual labels. The predicted labels of all adversarial images are of COVID-19. Note that the UAPs are emphatically displayed for clarity; in particular, each UAP is scaled by a maximum of 1 and a minimum of 0.
Table 2.
Targeted attack success rate Rs (%) of targeted UAPs against the COVIDNet-CXR Small model to each target class.
Table 3.
Targeted attack success rates Rs (%) of targeted UAPs against the COVIDNet-CXR Large model to each target class.
Fig 3.
Confusion matrices for the COVIDNet-CXR Small model attacked with the targeted UAPs with p = ∞ on the test images.
The left, middle, and right panels represent the targeted classes: normal, pneumonia, and COVID-19, respectively. The top and bottom panels indicate ζ = 1% and ζ = 2%, respectively.
Fig 4.
Targeted UAPs (top panel) with ζ = 2% and p = ∞ against the COVIDNet-CXR Small model and their adversarial images.
Note that UAPs are emphatically displayed for clarity; in particular, each UAP is scaled by a maximum of 1 and a minimum of 0.
Fig 5.
Effect of adversarial retraining on the robustness to UAPs with p = ∞ against the COVIDNet-CXR Small model.
Scatter plots of (A) the fooling rate, Rf (%), for non-targeted UAPs with ζ = 2% versus the number, Ni, of iterations for adversarial retraining and (B) the targeted attack success rate, Rs (%), of targeted UAPs with ζ = 1% to COVID-19 versus Ni. Here, Rf and Rs are for the test images. The accuracies (%) on the set of clean test images are also shown. The confusion matrices for the fine-tuned models were obtained after five iterations of adversarial retraining using the (C) non-targeted UAPs and (D) targeted UAPs. Note that these confusion matrices belong to the fine-tuned models attacked using non-targeted and targeted UAPs, respectively.