Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Dynamic Perturbation-Adaptive Adversarial Training on Medical Image Classification

Shuai Li, Xiaoguang Ma, Shancheng Jiang, Lu Meng

TL;DR

A dynamic perturbation-adaptive adversarial training (DPAAT) method is proposed, which placed AT in a dynamic learning environment to generate adaptive data-level perturbations and provided a dynamically updated criterion by loss information collections to handle the disadvantage of fixed perturbation sizes in conventional AT methods and the dependence on external transference.

Abstract

Remarkable successes were made in Medical Image Classification (MIC) recently, mainly due to wide applications of convolutional neural networks (CNNs). However, adversarial examples (AEs) exhibited imperceptible similarity with raw data, raising serious concerns on network robustness. Although adversarial training (AT), in responding to malevolent AEs, was recognized as an effective approach to improve robustness, it was challenging to overcome generalization decline of networks caused by the AT. In this paper, in order to reserve high generalization while improving robustness, we proposed a dynamic perturbation-adaptive adversarial training (DPAAT) method, which placed AT in a dynamic learning environment to generate adaptive data-level perturbations and provided a dynamically updated criterion by loss information collections to handle the disadvantage of fixed perturbation sizes in conventional AT methods and the dependence on external transference. Comprehensive testing on dermatology HAM10000 dataset showed that the DPAAT not only achieved better robustness improvement and generalization preservation but also significantly enhanced mean average precision and interpretability on various CNNs, indicating its great potential as a generic adversarial training method on the MIC.

Dynamic Perturbation-Adaptive Adversarial Training on Medical Image Classification

TL;DR

A dynamic perturbation-adaptive adversarial training (DPAAT) method is proposed, which placed AT in a dynamic learning environment to generate adaptive data-level perturbations and provided a dynamically updated criterion by loss information collections to handle the disadvantage of fixed perturbation sizes in conventional AT methods and the dependence on external transference.

Abstract

Remarkable successes were made in Medical Image Classification (MIC) recently, mainly due to wide applications of convolutional neural networks (CNNs). However, adversarial examples (AEs) exhibited imperceptible similarity with raw data, raising serious concerns on network robustness. Although adversarial training (AT), in responding to malevolent AEs, was recognized as an effective approach to improve robustness, it was challenging to overcome generalization decline of networks caused by the AT. In this paper, in order to reserve high generalization while improving robustness, we proposed a dynamic perturbation-adaptive adversarial training (DPAAT) method, which placed AT in a dynamic learning environment to generate adaptive data-level perturbations and provided a dynamically updated criterion by loss information collections to handle the disadvantage of fixed perturbation sizes in conventional AT methods and the dependence on external transference. Comprehensive testing on dermatology HAM10000 dataset showed that the DPAAT not only achieved better robustness improvement and generalization preservation but also significantly enhanced mean average precision and interpretability on various CNNs, indicating its great potential as a generic adversarial training method on the MIC.
Paper Structure (15 sections, 20 equations, 4 figures, 2 tables, 1 algorithm)

This paper contains 15 sections, 20 equations, 4 figures, 2 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related works
  3. Review of Adversarial Training Methods
  4. Review of Adversarial Attacks
  5. Overview of Our Motivation
  6. Methodology
  7. Synchronization loss
  8. Dynamic Perturbation-Adaptive Adversarial Training
  9. Experimental results and analysis
  10. Dataset and Training Details.
  11. Improvements of Robustness and Generalization
  12. Improvements of mean average precision (mAP) and mean average robustness precision (mARP)
  13. Ablation Studies
  14. Improvements of Visibility and Interpretability (VI)
  15. Conclusion and Future work

Figures (4)

  • Figure 1: The framework of the DPAAT and three conventional AT methods. Red and blue arrows were input paths of raw data $x$ and AEs $x^{adv}$, respectively. Solid black arrows represented forward calculation of input data and dotted black arrows represented back update of loss functions. Adversarial loss and classification loss were the loss values calculated by $L_{AT}$ on $x^{adv}$ and $x$, respectively.
  • Figure 2: Confusion matrices of ResNet34 and MobileNetV2 on raw data $x$ and adversarial examples $x^{adv}$, wherein $x^{adv}$ were crafted by 20-step PGD attacks. The predicted precision for each class was higher when the colors of the matrices' diagonal were darker.
  • Figure 3: Ablation study for the DPAAT. D-A, D-B, and D-(A+B) represented the DL models implementing only dynamic perturbation adaptation, only synchronization optimization, and both, respectively.
  • Figure 4: The interpretability visualization of the STD, AT, and DPAAT using the Grad-CAM method. Due to the $ReLU(\cdot)$ activation in \ref{['Eq26']}, image pixels showed blue when their contributions to classification result were 0 or negative, while more positive contributions came with a deeper red.