Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Reversing Skin Cancer Adversarial Examples by Multiscale Diffusive and Denoising Aggregation Mechanism

Yongwei Wang, Yuan Li, Zhiqi Shen, Yuhui Qiao

TL;DR

This work tackles the vulnerability of skin cancer diagnosis models to adversarial attacks by introducing MDDA, a model- and attack-agnostic defense that reverses adversarial perturbations through a multiscale diffusion-denoising-aggregation pipeline. By constructing an image pyramid and applying iterative small-noise diffusion, followed by ROF-based denoising and cross-scale aggregation, the method gradually moves adversarial examples back toward the clean manifold without requiring retraining or model access. Experimental results on the ISIC 2019 dataset show that MDDA outperforms baseline defenses under white-box and cross-architectural attacks, with particular strength against strong perturbations, though clean accuracy can decline for heavily perturbed inputs. The approach offers a practical, resource-efficient defense suitable for edge deployments in medical imaging, with potential extensions to other modalities and detectors for further improvement.

Abstract

Reliable skin cancer diagnosis models play an essential role in early screening and medical intervention. Prevailing computer-aided skin cancer classification systems employ deep learning approaches. However, recent studies reveal their extreme vulnerability to adversarial attacks -- often imperceptible perturbations to significantly reduce the performances of skin cancer diagnosis models. To mitigate these threats, this work presents a simple, effective, and resource-efficient defense framework by reverse engineering adversarial perturbations in skin cancer images. Specifically, a multiscale image pyramid is first established to better preserve discriminative structures in the medical imaging domain. To neutralize adversarial effects, skin images at different scales are then progressively diffused by injecting isotropic Gaussian noises to move the adversarial examples to the clean image manifold. Crucially, to further reverse adversarial noises and suppress redundant injected noises, a novel multiscale denoising mechanism is carefully designed that aggregates image information from neighboring scales. We evaluated the defensive effectiveness of our method on ISIC 2019, a largest skin cancer multiclass classification dataset. Experimental results demonstrate that the proposed method can successfully reverse adversarial perturbations from different attacks and significantly outperform some state-of-the-art methods in defending skin cancer diagnosis models.

Reversing Skin Cancer Adversarial Examples by Multiscale Diffusive and Denoising Aggregation Mechanism

TL;DR

This work tackles the vulnerability of skin cancer diagnosis models to adversarial attacks by introducing MDDA, a model- and attack-agnostic defense that reverses adversarial perturbations through a multiscale diffusion-denoising-aggregation pipeline. By constructing an image pyramid and applying iterative small-noise diffusion, followed by ROF-based denoising and cross-scale aggregation, the method gradually moves adversarial examples back toward the clean manifold without requiring retraining or model access. Experimental results on the ISIC 2019 dataset show that MDDA outperforms baseline defenses under white-box and cross-architectural attacks, with particular strength against strong perturbations, though clean accuracy can decline for heavily perturbed inputs. The approach offers a practical, resource-efficient defense suitable for edge deployments in medical imaging, with potential extensions to other modalities and detectors for further improvement.

Abstract

Reliable skin cancer diagnosis models play an essential role in early screening and medical intervention. Prevailing computer-aided skin cancer classification systems employ deep learning approaches. However, recent studies reveal their extreme vulnerability to adversarial attacks -- often imperceptible perturbations to significantly reduce the performances of skin cancer diagnosis models. To mitigate these threats, this work presents a simple, effective, and resource-efficient defense framework by reverse engineering adversarial perturbations in skin cancer images. Specifically, a multiscale image pyramid is first established to better preserve discriminative structures in the medical imaging domain. To neutralize adversarial effects, skin images at different scales are then progressively diffused by injecting isotropic Gaussian noises to move the adversarial examples to the clean image manifold. Crucially, to further reverse adversarial noises and suppress redundant injected noises, a novel multiscale denoising mechanism is carefully designed that aggregates image information from neighboring scales. We evaluated the defensive effectiveness of our method on ISIC 2019, a largest skin cancer multiclass classification dataset. Experimental results demonstrate that the proposed method can successfully reverse adversarial perturbations from different attacks and significantly outperform some state-of-the-art methods in defending skin cancer diagnosis models.
Paper Structure (15 sections, 15 equations, 7 figures, 3 tables, 1 algorithm)

This paper contains 15 sections, 15 equations, 7 figures, 3 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Mathematical Model of Adversarial Attacks
  3. Method of Reversing Skin Adversarial Examples
  4. Multiscale Processing
  5. Diffusive Process
  6. Denoising Process
  7. Aggregation Process
  8. Algorithm
  9. Experimental Results
  10. Experimental Setup
  11. Comparison to Baseline Defenses
  12. Cross-architectural Protection
  13. Parameter Sensitivity
  14. Discussion
  15. Conclusion and Future Work

Figures (7)

  • Figure 1: Illustration of adversarial attacks in skin cancer diagnosis models. The left column displays three typical clean skin images with their labels respectively as Malignant Melanoma (cancer), Basal Cell Carcinoma (cancer), and Benign Keratosis (benign). These images can be correctly recognized by a medical diagnostic model. By injecting slight adversarial noises (shown in the middle column) into these images FGSM, we obtain adversarial skin images (shown in the right column) that can easily mislead medical diagnosis models: e.g., cancer images will be recognized as benign images.
  • Figure 2: Illustration of the "fight-fire-with-fire" mechanism to reverse skin adversarial examples. During adversarial attacks, images injected with adversarial noises will move from normal to adversarial regions. In the reverse process, we inject isotropic noises into manipulated samples which will "drag" these samples from low-probability regions back to normal ones.
  • Figure 3: Illustration of the framework of the proposed method. In the first stage, an adversarial image is processed with multiscale analysis: the image will be downsampled by a factor of 1/2 and 1/4, respectively, and upsampled by a factor of 2. Then in the second stage, we design and insert $N$ diffusive and denoising aggregation mechanism (DDA) blocks sequentially. Each DDA block involves a diffusive process (Section 3.2), a denoising process (Section 3.3), and an aggregation process (Section 3.4). The output samples from the last DDA block will be inversely processed to the original scale and smoothed to obtain the reversed image.
  • Figure 4: Visualizations of confusion matrices from the ResNet50 model for the prediction ability under DIFGSM attack ($\epsilon=2/255$) with four defense methods: (a) BDR, (b) SR, (c) NRP and (d) MDDA.
  • Figure 5: Visualizations of confusion matrices from the ResNet50 model for the prediction ability under DIFGSM attack ($\epsilon=6/255$) with four defense methods: (a) BDR, (b) SR, (c) NRP and (d) MDDA.
  • ...and 2 more figures