Defending Against Adversarial Attack in ECG Classification with Adversarial Distillation Training
Jiahao Shao, Shijia Geng, Zhaoji Fu, Weilun Xu, Tong Liu, Shenda Hong

TL;DR
This paper introduces Adversarial Distillation Training (ADT), a novel defense method for ECG classification DNNs that enhances robustness against adversarial attacks, outperforming existing defenses in effectiveness and generalization.
Contribution
The paper proposes ADT, a new defense technique derived from defensive distillation, specifically designed to improve ECG classification robustness against adversarial attacks.
Findings
ADT outperforms baseline defenses like adversarial training and defensive distillation.
ADT shows stronger robustness against low-noise PGD attacks.
Common defense methods perform variably against different attack types.
Abstract
In clinics, doctors rely on electrocardiograms (ECGs) to assess severe cardiac disorders. Owing to the development of technology and the increase in health awareness, ECG signals are currently obtained by using medical and commercial devices. Deep neural networks (DNNs) can be used to analyze these signals because of their high accuracy rate. However, researchers have found that adversarial attacks can significantly reduce the accuracy of DNNs. Studies have been conducted to defend ECG-based DNNs against traditional adversarial attacks, such as projected gradient descent (PGD), and smooth adversarial perturbation (SAP) which targets ECG classification; however, to the best of our knowledge, no study has completely explored the defense against adversarial attacks targeting ECG classification. Thus, we did different experiments to explore the effects of defense methods against white-box…
