北京邮电大学学报

  • EI核心期刊

北京邮电大学学报 ›› 2022, Vol. 45 ›› Issue (4): 44-50.doi: 10.13190/j.jbupt.2022-031

• 智慧医疗 • 上一篇    下一篇

针对心电图分类模型的平滑攻击算法

刘金桐1, 杨国兴1, 刘晓鸿2, 王光宇1   

  1. 1. 北京邮电大学 信息与通信工程学院, 北京 100876;
    2. 清华大学 计算机科学与技术系, 北京 100084
  • 收稿日期:2022-02-06 出版日期:2022-08-28 发布日期:2022-06-26
  • 通讯作者: 王光宇(1990—),女,研究员,博士生导师,邮箱:guangyu.wang@bupt.edu.cn。 E-mail:guangyu.wang@bupt.edu.cn
  • 作者简介:刘金桐(1999—),男,硕士生。
  • 基金资助:
    国家重点研发计划项目(2019YFB1404804);国家自然科学基金项目(61906105)

Smoothing Attack Algorithm Based on Electrocardiogram Classification

LIU Jintong1, YANG Guoxing1, LIU Xiaohong2, WANG Guangyu1   

  1. 1. School of Information and Communication Engineering, Beijing University of Posts and Telecommunications, Beijing 100876, China;
    2. Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
  • Received:2022-02-06 Online:2022-08-28 Published:2022-06-26

摘要: 在心电图分类领域中,传统攻击算法生成的对抗样本存在生理上不可解释的方波且生成效率低下,为此,提出了一种补丁平滑攻击(PatchSAP)算法。针对卷积神经网络、长短记忆网络和基于注意力机制的长短期记忆网络3种常见心电图分类模型开展对抗攻击,比较了心电分类模型的"脆弱"程度并分析了模型超参数。实验结果表明,PatchSAP算法的攻击效率与传统攻击算法的攻击效率相比具有明显的优势,生成的对抗样本能很好地维持真实性,卷积核和约束范围等超参数对对抗样本的有效性和真实性有较大影响。

关键词: 单导联心电图, 深度学习, 对抗攻击, 平滑攻击

Abstract: In the field of electrocardiogram classification, the adversarial samples generated by the traditional projected gradient algorithm with low generation efficiency have square waves that cannot be explained physiologically, and thus, a patch-based smooth attack perturbations (PatchSAP) algorithm is proposed. By conducting adversarial attacks against three common electrocardiogram classification models, convolutional neural network, long-short-term memory network, and attention-based long-short-term memory network, we compare the "vulnerability" of the electrocardiogram classification models, and analyze the hyperparameter to obtain the difference between validity and authenticity of adversarial examples. The experimental results show that the PatchSAP algorithm has obvious advantages in attack efficiency, and the generated adversarial samples maintain the sample authenticity well. Hyperparameters such as convolution kernel and constraint range have a great impact on the effectiveness and authenticity of adversarial examples.

Key words: single lead electrocardiogram, deep learning, adversarial attack, smoothing attack

中图分类号: