IPTEK The Journal of Technology and Science, 35. , 2024 . /pISSN:2088-2033, 0853-4. DOI: 10. 12962/j20882033.
Received 28 December, 2023. Revised 28 December, 2023. Accepted 11 June, 2024

ORIGINAL RESEARCH

ADVERSARIAL TRAINING FOR ROBUST DEFENSE IN CNN MODELS FOR LUNG AND COLON HISTOPATHOLOGICAL IMAGES

Chilyatun Nisa1 | Nanik Suciati*2 | Anny Yuniarti3

1 Department of Informatics Engineering, Institut Teknologi Sepuluh Nopember, Surabaya, 60111, Indonesia. Email: nchilyatun@gmail.
2 Department of Informatics Engineering, Institut Teknologi Sepuluh Nopember, Surabaya, 60111, Indonesia. Email: nanik@if.
3 Department of Informatics Engineering, Institut Teknologi Sepuluh Nopember, Surabaya, 60111, Indonesia. Email: anny@if.

Correspondence: *Email: nanik@if.
Present Address: Gedung Teknik Informatika, Jl. Teknik Kimia, Surabaya 60111, Indonesia

Abstract

Cancer stands as the world's second-leading cause of death, arising from abnormal cell growth that invades the body's cells and tissues. Simultaneous occurrences of lung and colon cancer are not uncommon, with lung cancer often emerging as the second primary cancer in colon cancer patients. While Deep Learning (DL) approaches have shown promise in accurate cancer classification, recent studies highlight the susceptibility of DL models to perturbations in input images. Merely achieving accuracy is insufficient; models must demonstrate resilience against even the slightest perturbations by applying adversarial defence methods. This study aims to enhance the reliability of the Convolutional Neural Network (CNN) algorithm in the face of adversarial attacks by implementing adversarial training. Leveraging the LC25000 dataset and various pre-trained CNN models for classification, we employ adversarial attack methods such as Carlini and Wagner, DeepFool, and SaliencyMap alongside adversarial training for defence. Evaluation metrics include precision, recall, F1-score, and accuracy.
Our assessment involves scrutinizing adversarial attacks and defences on histopathology images related to lung and colon issues, representing a state-of-the-art endeavour. The results indicate a significant improvement in robustness against adversarial attacks on histopathological images of the lungs and colon, from 0% to 81%.

KEYWORDS: adversarial attack and defense, convolutional neural network, histopathology, image classification, lung and colon cancer

Chilyatun ET AL.

INTRODUCTION

Cancer is the second largest cause of death in the world. This disease is characterized by uncontrolled growth of abnormal cells and can attack and spread to cells and body tissues. In some cases, lung and colon cancer can develop simultaneously, and both are among the most common types of cancer. Usually, lung cancer is the second primary type of cancer found in patients with colon cancer, so the development of lung cancer in patients with colon cancer deserves close attention.

According to the Global Burden of Cancer report published by the World Health Organization (WHO), in 2020 there were 19,292,789 new cases and 9,958,133 deaths due to cancer worldwide. Lung cancer is in second place at 11.4% of total cases, while colon cancer is in fourth place at 10%. In Indonesia, there were 396,941 new cases and 234,511 deaths due to cancer, with lung cancer in fourth place at 8.8% and colon cancer in sixth place at 8.6% of total cases. Cancer deaths are expected to increase to more than 13,100,000 by 2030. The International Agency for Research on Cancer (IARC) estimates that one in five men and one in five women worldwide will suffer from cancer. Then, one in eight men and one in eleven women who suffer from cancer will die.

Early lung and colon cancer detection is critical for effective treatment and increasing survival rates.
This can be done using various digital imaging techniques in the medical field, such as computed tomography (CT) scans, sputum cytology, chest X-rays, magnetic resonance imaging (MRI), and microscopic histopathology images. There are various diagnostic procedures for detecting cancer by observing medical images based on samples, such as sputum cytology and tissue removal. During the biopsy process, a pathologist takes tissue samples from human organs and then evaluates the resulting microscopic histopathological images to make a diagnosis and determine the type and subtype of cancer. Histopathological images are widely used in predicting a patient's chance of recovery.

Technological developments have brought changes in diagnosing diseases using machine learning (ML) and deep learning (DL). ML and DL algorithms can support the diagnosis process and save costs with accurate results in large data sets. In clinical practice, classifying histopathological images accurately is very important to support the diagnosis of a disease at the tissue level. Previous studies have shown that DL algorithms can accurately classify histopathological images of lung and colon cancer. One of the popular DL algorithms is the convolutional neural network (CNN), which can be used to classify types of lung and colon cancer based on histopathological images with high accuracy, as has been done by . that evaluated classification accuracy with CNN architecture to detect lung cancer tissue on the LC25000 dataset.

Recent studies show deep neural networks (DNN) are highly vulnerable to adversarial attacks. An attacker who makes small changes, in the form of perturbations to image samples that are undetectable by the human eye, can significantly affect the performance of the DNN model. DNN models used in medical images are more vulnerable to attacks than those using natural images. Therefore, adversarial attacks are a major challenge in DL systems in medical imaging.
Other research identifies adversarial attacks and instability of decision results as challenges in artificial intelligence and digital pathology, thereby creating fundamental problems that will be the focus of future research, including the potential for misrepresentation of facts in disease diagnosis.

Adversarial attacks are categorized based on the access model. In a white-box attack, the attacker has direct access to the target model parameters, while in a black-box attack, the attacker does not have access to the model parameters. Various defence mechanisms have been proposed to counter One of them is adversarial training, which adds adversarial samples to the training data to increase the model's resistance to attacks. Adversarial attack and defence mechanisms have performed better on DNN models with natural image datasets such as CIFAR-10. However, their performance on medical images is still not optimal due to the lack of medical images with quality labels.

There have been several previous studies regarding adversarial attacks and defences in medical imaging. For example, research conducted by . proposed a classification of diabetic retinopathy using data from a public dataset known as DR Fundus. They also use perturbed data generated by applying FGSM adversarial attacks while maintaining accuracy by applying a defence mechanism, namely adversarial training, to the DarkNet-53 model. Another study using two types of datasets, namely NIH Chest X-Ray and AREDS, was carried out by . They used adversarial attack and defence methods, PGD and Sparsity Denoising, on the ResNet50 model. This research succeeded in maintaining model accuracy when various attacks occurred. The latest research involves breast cancer tissue imaging, known as BreakHis, and was conducted by . They use the DenseNet121 model and apply FGSM adversarial attacks and defences with adversarial training.
However, until now, there has been no research related to adversarial attack and defence in the CNN model for classifying lung and colon cancer using histopathological images. Therefore, the author proposes research to improve the performance of the CNN classification model with adversarial attack and defence using the LC25000 and Chaoyang datasets. This research uses three CNN models, namely GoogLeNet, ShuffleNetV2, and ResNet18, then applies an adversarial attack mechanism with a white-box attack approach, namely CW, DeepFool, and SaliencyMap attacks and a defence mechanism using adversarial Performance evaluation was carried out on the CNN classification model, the CNN model after an adversarial attack was carried out, and the CNN model after a defence mechanism was carried out. This research aims to improve the model's reliability and accuracy in classifying lung and colon cancer types on histopathological images. The novelty of this research is that we evaluate and analyze adversarial attacks and defences on lung and colon cancer histopathology images, which is considered a state-of-the-art effort.

PREVIOUS RESEARCHES

Several previous studies have reviewed adversarial attacks and defences in medical image data. However, the number of studies is still relatively small compared to case studies on natural data such as MNIST and CIFAR10. This research focuses on case studies of medical image data, especially with the application of white-box attacks. In this context, three previous studies comply with the criteria set.

The first study was conducted by . They used the DR Fundus dataset and the DarkNet-53 classification This research adopts FGSM and adversarial training as adversarial attack and defence methods. The results show an accuracy of 99.90% for the normal model, 0% when the model is attacked, and 92% when the model defends.

Subsequent research conducted by .
used two datasets, namely NIH Chest X-Ray and AREDS, with the ResNet50-D classification model. This experiment used the PGD and sparsity denoising methods as adversarial attack and defence methods. The results show an accuracy of 91.94% on the normal model, 45.68% when the model is attacked, and 82.36% when the model survives on the first In the second data, accuracy reached 84.84% on the normal model, 28.92% when the model was attacked, and 46. when the model defended. In the same context, this research also uses the ResNet50-A-D model in a test scenario, with accuracy results of 92.96% on the normal model, 87.20% when the model is attacked, and 92.54% when the model survives on the first Meanwhile, in the second data, accuracy reached 81.93% for the normal model, 48.66% when the model was attacked, and 97% when the model survived.

The latest research was conducted by . This research stands out because it is the only one that uses the same type of data as this research: histopathology medical image data, namely the BreakHis dataset. The classification model used is a CNN with pretrained DenseNet121. The adversarial attack and defence methods applied are FGSM and adversarial training. The test results show an accuracy of 98.72% for the normal model, 10.99% when the model is attacked, and 96.70% when the model survives. This research contributes to understanding adversarial attacks and defences in histopathological medical image data.

METHOD

The framework applied in this research consists of three stages: image classification model, adversarial attack, and adversarial defence, as presented in Figure 1.

The first stage involves collecting lung and colon histopathology image data from a public dataset called LC25000. Next, data preprocessing was carried out by resizing all images to 255 x 255, increasing the brightness level in the image randomly by 0.05%, and normalizing it by converting the image into a tensor so that each pixel in each image is in the value range 0-255 and normalizing each tensor with a mean and standard deviation of 0. In addition, data splitting was carried out, where the processed data was divided into two sets, namely training data and test data, with percentages of 70% and 30%, respectively. This data set becomes the output of the data preprocessing stage. The process continues with the model training stage. This research uses three types of CNN classification models: GoogLeNet, ShuffleNetV2, and ResNet18. After model training, model testing, results evaluation, and performance analysis of the resulting models are carried out.

The next stage is an adversarial attack, where perturbations are added to each set of training data and test data using predetermined attack methods, namely CW, DeepFool, and SaliencyMap attacks. The result of this process is disturbed training data and test data. Next, testing is carried out on the same classification model as before using disturbed test data. Results and model performance are evaluated when the model receives input from disturbed data.

The final stage is adversarial defence, where adversarial training is used. At this stage, the classification model is retrained with perturbed training data. Thus, the model knowledge is updated, and the model can be considered robust. Next, the robust model is tested with normal test data to prove that the model can still classify normal data well. In addition, testing was carried out with disturbed test data to show that the robust model maintained accuracy from the previous stage when the model experienced attacks in the form of disturbed input data.
Next, a performance analysis of the three stages was carried out on the accuracy obtained from each stage to prove that the adversarial attack and defence method could increase the resilience of the classification model to attacks.

FIGURE 1 The framework applied in this research

Dataset Description

This research uses a dataset of histopathology images depicting lung and colon cancer, designated LC25000 and released in 2019. The dataset, curated by Andrew A. Borkowski and team, encompasses 25,000 color histopathology images representing five distinct tissue types found in the lungs and colon. The identified tissue types encompass colon adenocarcinoma, benign colon tissue, lung adenocarcinoma, benign lung tissue, and lung squamous cell carcinoma.

Colon adenocarcinoma stands out as the predominant form of colon cancer, constituting over 95% of reported cases. Its onset involves the transformation of a specific type of tissue growth known as an adenoma within the colon, progressing into cancer. Lung adenocarcinoma, more prevalent in women than men, contributes to approximately 40% of all lung cancers. Characterized by the development of cancerous cells in gland cells, it subsequently spreads to the alveoli in the lungs. It's crucial to note that not all tumors originating in the lungs and colon are cancerous; those that do not spread to other body parts are termed benign tumors. Although generally non-life-threatening, these tumors necessitate surgical removal and biopsy examination to rule out cancer. Lastly, lung squamous cell carcinoma, a subtype of small cell cancer, emerges in the airways of the lungs or bronchi. Ranking as the second most prevalent type of lung cancer, it constitutes about 30% of all cases.

The images within the LC25000 dataset were gathered at the James A. Haley Veterans Hospital in Tampa, Florida. The team of researchers procured 1,250 images of cancerous tissues ( images for each tissue type) from pathology slides.
Subsequently, image augmentation techniques were implemented, involving rotations and flips of the original image under various conditions, resulting in an expanded dataset comprising 25,000 images (,000 images for each tissue type). Initially, the original images were sized at 1024×768 pixels, and after the application of augmentation techniques, they were cropped to a square format of 768×768 It is noteworthy that all images in the dataset adhere to the regulations outlined in the Health Insurance Portability and Accountability Act (HIPAA), are validated, and are available for unrestricted use. Figure 2 illustrates examples of histopathology images from the five classes sourced from the LC25000 dataset.

FIGURE 2 Samples of histopathology images from LC25000 dataset

Data Preprocessing

Before classifying image data with a Deep Learning (DL) model, the first step that needs to be taken is image preprocessing. In this research, data preprocessing involved the following steps. First, resizing is carried out, where the size of all images in the dataset is changed to 255×255 pixels. Next, a Brightness step is applied, which randomly increases the brightness level on each image by 0.05%, aiming to improve identification performance. Next is Normalization, where the image is converted into a tensor so that every pixel in each image is in the value range 0-255. After that, normalization was carried out for each tensor using a mean and standard deviation of 0. The final step is data splitting, where the preprocessed data is divided into three sets: training and test data. The distribution is carried out with 70% and 30% percentages, respectively. These steps ensure the data is ready to train and test image classification models using deep learning

Classification Model

GoogLeNet

The GoogleNet (Inception) model is a convolutional neural network architecture designed for image classification. Developed by Google researchers, GoogleNet introduces several innovations to enhance network efficiency and performance. Notably, the model employs Inception modules featuring multiple convolution paths with different filter sizes, enabling simultaneous feature extraction at various spatial scales for recognizing complex patterns. Integrating 1x1 convolutions facilitates dimensionality reduction, allowing for increased network depth without substantially increasing computational load, making the model more efficient. Global average pooling replaces traditional fully connected layers, reducing parameters, preventing overfitting, and enhancing interpretability. GoogleNet excels in computational efficiency, providing a deep representation of image features and contributing to a better understanding of hierarchical structures. While subsequent architectures like ResNet and EfficientNet have emerged, GoogleNet remains a milestone in convolutional neural network design for image processing.

ShuffleNetV2

The ShuffleNetV2 model is designed to focus on practical guidelines for efficient convolutional neural network (CNN) One of its key features is the introduction of channel shuffling, a technique that facilitates efficient information exchange between channels, enhancing information flow without compromising computational efficiency. The model employs grouped pointwise convolution to reduce computational costs further, separating channels into groups to achieve efficiency without sacrificing performance. With a multi-path architecture, ShuffleNetV2 allows for parallel processing through different pathways, contributing to model efficiency and scalability. Notably, the paper provides practical guidelines for designing efficient CNN architectures, offering valuable insights for researchers and practitioners. Despite its emphasis on efficiency, ShuffleNetV2 achieves state-of-the-art accuracy in image classification tasks.
It is a compelling choice for applications where computational resources are constrained and efficiency is paramount. Overall, ShuffleNetV2's innovative design and its ability to balance accuracy and computational complexity position it as a significant contribution to the field of CNN architectures.

ResNet18

ResNet architecture, with ResNet18 being a notable variant. This model is distinguished by its 18 layers, employing deep residual blocks characterized by shortcut connections. These shortcuts make it possible to train very deep networks effectively by mitigating the vanishing gradient problem. Including skip connections facilitates a more direct flow of gradients, addressing the degradation problem observed in deep networks. ResNet18's innovative design simplifies training, allowing for learning identity mappings and contributing to ease of optimization. The model demonstrates improved accuracy on various image recognition tasks compared to earlier architectures, showcasing its effectiveness in capturing intricate features and patterns. The scalability of ResNet18, driven by its residual block design, further positions it as a pivotal advancement in the field of image recognition, influencing subsequent architectures for their adaptability to more complex tasks.

Adversarial Attack

In the DNN model, several security problems were found, such as adversarial attacks, representing most of these problems. Figure 3 shows an adversarial attack workflow, which explains how this method works. The attacker aims to create adversarial samples that cause incorrect classifications. In health, avoidance can be described as classifying benign cells as cancer cells or vice versa. This attack is carried out by adding perturbation or modifying image features, which changes how the model views the input image.

FIGURE 3 Adversarial attack workflow

CW attack

The CW attack is a significant adversarial method for exploring and exploiting neural network vulnerabilities.
This attack method is known for its effectiveness in creating adversarial images. In essence, a CW attack formulates an objective function designed to minimize noise in the input data, ensuring that modified input results in misclassification by the targeted neural network. Importantly, this attack is flexible because it is not strictly bound by a particular norm such as L2 or L∞, providing flexibility in generating effective adversarial interference. This attack uses an iterative optimization algorithm that systematically adjusts the input data to minimize the objective function, looking for the smallest noise that causes misclassification. An additional parameter, referred to as c, is introduced to control the magnitude of the perturbation, and its adaptive adjustment during optimization allows for achieving the desired level of adversarial perturbation. The CW attack considers the misclassification confidence level, attempting to cause misclassification.

DeepFool attack

DeepFool is an undirected adversarial attack method designed to produce changes to input data to trick neural networks in their classification. This attack operates by finding the minimum perturbation necessary to fool the neural network's classification results, focusing on minimizing the L2 norm of that perturbation. DeepFool adopts a linear approximation approach, with the initial assumption that the decision boundary of the neural network is linear. Through an iterative process, the attack refines this approximation and computes the optimal perturbation to cross the decision boundary in the linearized space. Iterative steps are carried out until the true adversarial image is found, which ultimately results in misclassification by the neural network.
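The linearization step described above has a closed form when the classifier is exactly affine, which turns the size of the minimal perturbation into a per-sample robustness margin that can be compared before and after adversarial training. The following is an added example, not code from the paper: the toy weights `W`, `B` and the sample points are constructed, and the 0.02 overshoot is an assumed value.

```python
import math

def scores(W, b, x):
    """Class scores of the affine classifier f(x) = Wx + b."""
    return [sum(w_i * x_i for w_i, x_i in zip(row, x)) + b_k
            for row, b_k in zip(W, b)]

def predict(W, b, x):
    """Index of the highest-scoring class."""
    s = scores(W, b, x)
    return max(range(len(s)), key=lambda k: s[k])

def norm(v):
    return math.sqrt(sum(c * c for c in v))

def nearest_boundary(W, b, x):
    """Return (class, r): the closest competing class and the minimal
    L2 step r that moves x exactly onto the boundary with that class."""
    s = scores(W, b, x)
    k0 = predict(W, b, x)
    best = None
    for k in range(len(W)):
        if k == k0:
            continue
        # Difference of the two linear score functions.
        w = [wk - w0 for wk, w0 in zip(W[k], W[k0])]
        gap = abs(s[k] - s[k0])
        sq = sum(c * c for c in w)
        if sq == 0.0:
            continue  # identical weights: no boundary to reach
        dist = gap / math.sqrt(sq)  # point-to-hyperplane distance
        if best is None or dist < best[0]:
            best = (dist, k, [gap / sq * c for c in w])
    if best is None:
        raise ValueError("no competing class with a distinct boundary")
    return best[1], best[2]

def robustness_report(W, b, samples, overshoot=0.02):
    """Per-sample margin ||r||, the label after stepping (1 + overshoot) * r,
    and the mean ratio ||r|| / ||x|| over all samples."""
    rows = []
    for x in samples:
        _, r = nearest_boundary(W, b, x)
        x_pert = [x_i + (1.0 + overshoot) * r_i for x_i, r_i in zip(x, r)]
        rows.append({
            "x": x,
            "label": predict(W, b, x),
            "r": r,
            "margin": norm(r),
            "label_after": predict(W, b, x_pert),
        })
    rho = sum(row["margin"] / norm(row["x"]) for row in rows) / len(rows)
    return rows, rho

# Constructed three-class toy model and sample points (not from the paper).
W = [[1.0, 0.0], [0.0, 1.0], [-1.0, -1.0]]
B = [0.0, 0.0, 0.0]
SAMPLES = [[3.0, 1.0], [0.0, 4.0], [-3.0, -2.0]]

if __name__ == "__main__":
    rows, rho = robustness_report(W, B, SAMPLES)
    for row in rows:
        print(row["x"], "label", row["label"], "margin", round(row["margin"], 4),
              "label after step", row["label_after"])
    print("mean ||r|| / ||x|| =", round(rho, 4))
```

For a CNN the score functions are not affine, so the same step is repeated with gradients at the current point taking the place of the rows of `W`, which is the iterative refinement the paragraph describes.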
Simplicity, analytical derivation, and iterative optimization make DeepFool an effective method for generating minimal perturbations that can successfully mislead neural networks in their classification.

SaliencyMap attack

SaliencyMap is a technique used in adversarial attacks that leverages saliency maps, visualizations highlighting crucial regions or features in input data that a deep learning model draws attention to when making predictions. In the context of adversarial attacks, this method involves creating a saliency map for a given input, identifying regions of influence that, if altered, could cause a change in the model's predictions. The attacker then creates visually invisible changes targeted at those vulnerable regions. Next, these altered inputs, called adversarial examples, are evaluated on the model to see whether they produce misclassifications or achieve the attacker's desired results. The success of a SaliencyMap attack depends on factors such as model architecture, dataset characteristics, and robustness of model training. This approach allows attackers to exploit model attention mechanisms, highlighting the complex challenges of maintaining the security of deep learning models in adversarial environments.

Adversarial Defense

The author carried out data modifications to mitigate the attacks described previously, namely a countermeasure to attacks by changing the data or its features. Several studies mentioned previously have presented a frequently used method called adversarial training. Adversarial training is a method for adding adversarial samples to the dataset but with the correct labels before retraining the model.
Retraining means using the previous normal model and doing more epochs but with an adversarial Thus, the model will learn modified features and become more robust when faced with adversarial samples or perturbed An adversarial training workflow is provided to make it easier to understand this method, which can be seen in Figure 4.

FIGURE 4 Adversarial training workflow

Evaluation Metric

Evaluation metrics serve as crucial benchmarks for measuring the quality of machine learning models, offering insights into the performance of trained deep learning algorithms on novel, unseen data. The landscape of evaluation metrics is diverse, providing varied tools to assess model performance. Employing multiple evaluation metrics is highly recommended, given that a model may excel in one metric while underperforming in another. Thus, the judicious utilization of evaluation metrics becomes essential in accurately determining the precision and optimization of the resulting model. This section furnishes a concise explanation and relevant formulas for the evaluation metrics utilized in the research.

In the context of model predictions, correctly identifying the positive class is designated as True Positive (TP). Conversely, an erroneous prediction of the positive class is termed False Positive (FP). Similarly, accurate predictions of the negative class are denoted as True Negative (TN), while incorrect predictions of the negative class are referred to as False Negative (FN). To illustrate, in an image containing cancer cells, successfully classifying the cancerous region is categorized as TP. However, if the model erroneously classifies a cancer cell as non-cancerous, it is classified as FP. Conversely, in scenarios where the image does not contain any cancer cells, and the model accurately predicts the absence of cancer cells, it is labeled as True Negative (TN). Nevertheless, if the model incorrectly predicts the presence of cancer cells in the absence of any, it is denoted as False Negative (FN).
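An added example (not from the paper) that computes the four metrics of this section per class, one class against the rest, for the three evaluation stages of the framework. The label lists are constructed, and a metric whose denominator is zero, which happens once an attack drives accuracy to 0%, is reported as 0.0 by assumption.

```python
def evaluate(y_true, y_pred, classes):
    """Per-class precision, recall and F1 (one class vs. the rest),
    plus overall accuracy and macro-averaged F1."""
    if len(y_true) != len(y_pred) or not y_true:
        raise ValueError("y_true and y_pred must be non-empty and equal length")
    pairs = list(zip(y_true, y_pred))
    per_class = {}
    for c in classes:
        tp = sum(1 for t, p in pairs if t == c and p == c)
        fp = sum(1 for t, p in pairs if t != c and p == c)  # predicted c, is not c
        fn = sum(1 for t, p in pairs if t == c and p != c)  # is c, predicted other
        # A class that is never predicted has tp + fp == 0; report 0.0
        # instead of raising ZeroDivisionError (assumed convention).
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        f1 = (2 * precision * recall / (precision + recall)
              if precision + recall else 0.0)
        per_class[c] = {"precision": precision, "recall": recall, "f1": f1}
    accuracy = sum(1 for t, p in pairs if t == p) / len(pairs)
    macro_f1 = sum(m["f1"] for m in per_class.values()) / len(classes)
    return {"per_class": per_class, "accuracy": accuracy, "macro_f1": macro_f1}

def compare_stages(y_true, stage_predictions, classes):
    """Evaluate every stage against the same ground truth."""
    return {stage: evaluate(y_true, y_pred, classes)
            for stage, y_pred in stage_predictions.items()}

# Label names as they appear in Table 1; all predictions below are constructed.
CLASSES = ["colon_aca", "lung_aca", "lung_scc"]
Y_TRUE = ["colon_aca", "colon_aca", "lung_aca", "lung_aca", "lung_scc", "lung_scc"]
STAGES = {
    # normal model on normal test data
    "normal": ["colon_aca", "colon_aca", "lung_aca", "lung_scc", "lung_scc", "lung_scc"],
    # normal model on perturbed test data: every prediction is wrong
    "attacked": ["lung_aca", "lung_aca", "lung_scc", "lung_scc", "lung_aca", "lung_aca"],
    # retrained (robust) model on perturbed test data
    "defended": ["colon_aca", "colon_aca", "lung_aca", "lung_aca", "lung_scc", "colon_aca"],
}

if __name__ == "__main__":
    for stage, result in compare_stages(Y_TRUE, STAGES, CLASSES).items():
        print(stage, "accuracy=%.2f" % result["accuracy"],
              "macro F1=%.2f" % result["macro_f1"])
```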
A succinct explanation of the formulas associated with the evaluation metrics follows.

Accuracy gauges the proportion of correct predictions in relation to the total number of assessed samples, as given in Equation 1:

$$\text{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \tag{1}$$

Precision is employed to assess the precision of positive predictions among the entire set of predicted observations within the positive class, as delineated in Equation 2:

$$\text{Precision} = \frac{TP}{TP + FP} \tag{2}$$

Recall serves as a metric to quantify the correctness of classifying positive observations, as expressed in Equation 3:

$$\text{Recall} = \frac{TP}{TP + FN} \tag{3}$$

The F1 Score involves assessing the weighted average of precision and recall, as expressed in Equation 4:

$$\text{F1 Score} = \frac{2 \times \text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}} \tag{4}$$

RESULT AND CONCLUSION

In this section, we present the results of the experiments we have conducted. Table 1 shows the test results of three different pre-trained models, namely GoogLeNet, ShuffleNetV2, and ResNet18, after training for ten epochs in classifying lung and colon histopathology images. Model testing uses evaluation metrics of precision, recall, F1-score, and accuracy for each label in the test data. The test results show that the three models achieve the same level of accuracy, namely 99%. However, when evaluating the average value of the other three evaluation metrics, the ResNet18 model emerged as the best.

Table 2 illustrates the results of applying the classification model using the adversarial attack and defence method. Of the three adversarial attack methods used, the SaliencyMap attack shows superiority in deceiving the model, reducing accuracy to as low as 0%. It is followed by the CW attack with a decrease rate of 0.01% and the DeepFool attack with an accuracy decrease range 30% to 0.
Previously, the accuracy of each classification model was 99%. Furthermore, after undergoing retraining using disturbed training data, or what is known as adversarial training, the model becomes more robust because its knowledge is updated. The immune-enhanced models are tested using normal test data to prove their ability to classify the data well. The ShuffleNetV2 and ResNet18 models obtained the best accuracy defence results on normal data, reaching 99%. Next, the enhanced robustness models were tested using perturbed test data, which is the main focus of this research. That will prove that a model attacked with disturbed data can still maintain its accuracy. The best results on the models tested with disturbed data were seen in the GoogLeNet model, which started from the normal accuracy level of 99%, experienced a decrease in accuracy to 0% when attacked, and was successfully restored to 81%.

TABLE 1 The classification model performance results (%). Models: GoogLeNet, ShuffleNetV2, ResNet18. Labels: colon_aca, lung_aca, lung_scc. Metrics: Precision, Recall, F1-Score, Accuracy.

TABLE 2 The model performance results with adversarial attack and defense (%). Models: GoogLeNet, ShuffleNetV2, ResNet18. Attack methods: DeepFool, SaliencyMap. Columns: Normal Accuracy, Normal Model, Robust Model on Normal Data, Robust Model on Perturbed Data.

Table 3 compares the performance results of the image classification model that applies the adversarial attack and defence method with previous research on medical image case studies. This comparison cannot be made directly due to differences in the dataset and case studies used with previous research. Therefore, this comparison is designed to demonstrate that our research makes an innovative contribution, illuminating a previously unexplored case study.
All studies listed in Table 3 use white-box attacks, and most studies apply adversarial training for defence methods. The only exception was one study that used a different defence method: sparsity denoising.

TABLE 3 The comparison results with previous study (%). Datasets: Fundus, Chest X-Ray, AREDS, BreakHis, and this research. Classification methods: DarkNet-53, ResNet50-D, ResNet50-A-D, DenseNet121, GoogLeNet, ShuffleNetV2, ResNet18. Adversarial methods: FGSM / Adv. Training, PGD / Sparsity Denoise, CW / Adv. Training, DeepFool / Adv. Training, SaliencyMap / Adv. Training. Columns: Normal Acc, Attacked Acc, Defended Acc.

CONCLUSION

In this research, we have successfully implemented robustness for our trained models to classify lung and colon cancer histopathology data in the LC25000 dataset by performing adversarial training methods. Before adversarial training, the models were unable to predict perturbed input correctly, resulting in a decrease in the normal model's accuracy to 0% for all our pretrained models. Our most significant improvement is increasing the model accuracy on perturbed images from 0. 01 to 0. In detail, we have performed various types of adversarial methods, such as CW, DeepFool, and SaliencyMap, and implemented adversarial defences using adversarial training to reduce the impact of adversarial attacks. Experimental results show that SaliencyMap is a very effective attack method, reducing model accuracy from 99% to 0%.
Additionally, increased accuracy was achieved after applying the best adversarial training on normal data for the ShuffleNetV2 and ResNet18 models, each reaching Meanwhile, the GoogLeNet model achieved the highest accuracy rate of 81% for improved accuracy on perturbed data, previously attacked by perturbed images generated by the CW method, resulting in low accuracy, which is 1%. For the next improvement, other defense mechanisms might be added during the enhancement of the models, such as implementing Defensive Distillation, Interval Bound Propagation, Defense GAN, or other well-proven defense mechanisms.

CREDIT

Conceptualization, material preparation, methodology, data collection, formal analysis, and writing the original draft were conducted by Chilyatun Nisa'. The writing review and editing were carried out by Nanik Suciati, Anny Yuniarti, and Chilyatun Nisa'. The supervision was provided by Nanik Suciati and Anny Yuniarti. All authors have reviewed and approved the final version of the manuscript for publication.

References