Adversarial attack driven data augmentation for medical images

ABSTRACT


INTRODUCTION
With the aid of ever-growing computational power, deep network architectures, and a variety of discriminative tasks in computer vision applications, such as regression, prediction, image segmentation, and object recognition, deep learning models have been demonstrated to be very effective [1]-[3]. Deep learning networks, however, seldom perform as intended in the absence of a sizable dataset. This restriction is considerably more significant in medical image processing, where access to a vast amount of data is far from trivial. Many supervised biomedical segmentation techniques concentrate on hand-engineered preprocessing procedures and architectures to address these issues [4], [5]. Hand-tuned data augmentation is also frequently used to expand the number of training instances [6], [7]. Additionally, human-level labeling of the dataset's images by medical professionals is exceedingly costly and labor-intensive, and is a source of substantial variance in resolution and noise in tissue appearance [8]. The gap between training and validation performance can be narrowed by using data augmentation, and overfitting can be overcome with the addition of new data. In some situations, augmentation functions such as random nonlinear deformations or image rotations are simple to use and effective at increasing segmentation accuracy [4], [5], [7], [9]. These functions, however, can be quite sensitive to parameter selection and have a limited capacity to mimic genuine variation [10]. This phenomenon has been reported, among other papers, in the classification of skin lesions by Esteva et al. [11] and the classification of liver lesions by Litjens et al. [12]. This study combines data augmentation with adversarial machine learning. Recent research demonstrates that adversarial attacks are also capable of impairing the performance of segmentation models, and conventional augmentation strategies are unable to make these models resistant to such attack methods. Bortsova et al. [13] showed that Inception-v3 and DenseNet-121, two high-performing deep learning models, lose strength when subjected to fast gradient sign method (FGSM) and projected gradient descent (PGD) attacks on three distinct types of datasets (ophthalmology, radiology, and pathology). Paschali et al.
[14] additionally examined how adversarial attacks affect the effectiveness of segmentation (SegNet, UNet, DenseNet) and classification (Inception V3, Inception V4, MobileNet) models. Although adversarial attacks are intended to reduce model performance, we employ an attack method, FGSM, to enlarge the dataset to our benefit. We also present a fresh viewpoint on how to improve FGSM further by changing its operational methodology. The main contributions of this paper are:
− In contrast to the typical goal of weakening models, in our study we employ adversarial machine learning in support of deep learning models. We use the FGSM attack to construct adversarial samples for the purpose of augmentation while limiting overfitting.
− We introduce an innovative strategy called Inverse-FGSM, which aims to minimize loss by adjusting the input data. Positive noise is added to the inputs in place of adversarial noise, which enhances performance.
− Unless they have been trained to withstand adversarial attacks or employ some sort of defense mechanism, deep learning models are generally vulnerable to attacks. To make the model more resilient to future attacks of the same kind, we apply adversarial training by augmenting the original set with the adversarial images.
The rest of the paper is organized as follows. Section 2 compiles background research on segmentation models, data augmentation, and attack models of adversarial machine learning. Section 3 provides a thorough discussion of the techniques employed. Section 4 describes the dataset and analyzes the effects of data augmentation. Section 5 concludes the paper.
RELATED WORK
Owing to the scarcity of training samples, medical image segmentation models are designed with fewer convolutional blocks than general-purpose convolutional models in order to prevent overfitting. The best-known segmentation network, UNet, was developed by Ronneberger et al. [7]; it produces precisely localized, high-resolution segmentation maps and can be trained on a small number of training images. Novikov et al. [15] suggested a tweak to UNet in which they employed larger feature maps with fewer parameters, altering All-Dropout architectures to prevent overfitting. Hwang and Park [16] proposed network-wise training of convolutional networks (NWCN), which uses a multi-stage training technique to distill segmentation outputs with smooth boundaries, making consistent use of contextual information at appropriate resolution. Another study, by Sarker et al. [17], focused on sharp-edged segmented dermoscopic images and used log-likelihood and end-point-error losses to reach this goal. Data augmentation tries to increase the size of the original training sample by including look-alike data. In their study on skin lesion classification, Esteva et al. [11] showed that deep convolutional networks are extremely effective when a larger dataset is available for medical image analysis. This has advanced the use of convolutional neural networks (CNNs) for related tasks including liver lesion categorization, brain scan image processing, and many more [12]. Capturing images takes a lot of work, especially for modalities such as magnetic resonance imaging (MRI) and computed tomography (CT); limited patient cooperation, the rarity of some diseases, and the scarcity of human expertise make it even harder. Many studies on data augmentation have been conducted in an effort to reduce these problems. Modern data augmentation methods can be categorized into two groups: i) geometric transformations that flip, change the color space, crop, rotate, or introduce noise, and ii) deep learning-based methods (generative adversarial networks (GANs), neural style transfer, and feature-space translation). Elastic deformations, patch extraction, and adjustment of red, green, blue (RGB) channel intensities are only a few of the techniques used for image classification [18], [19]. These methods essentially involve image-level changes such as scaling, rotation, cropping, and deeper modifications. More recent data augmentation encompasses a variety of intricate algorithms developed in a wide range of fields, including emotion classification, text recognition from scenes, text localization, and human pose detection [20]-[22].
Thanks to improved processing capabilities and high-configuration architectures, modern machine learning (ML) and deep learning (DL) models have been able to deliver accurate results beyond any reasonable expectation. Recent developments in adversarial machine learning, however, have shattered this illusion. Simply challenging a competitive, high-performing model with adversarial examples can cause it to misbehave. An adversarial example is an input sample that causes a model to make an incorrect prediction. Adversarial examples, deliberately prepared using imperceptible noise injections, are used in these attack tactics to corrupt ML/DL models and seriously threaten the security of practical applications. Moreover, an adversarial example crafted to deceive model M1 frequently succeeds in deceiving another model M2 as well [23]. By exploiting this transferability property of adversarial examples, a system can be attacked even when all of its parameter values are unknown. Engstrom et al. [24] showed that deep CNN models can be made to misclassify by attacking them with a few simple geometric modifications; random transformations reduced performance on each dataset (a reduction of 26% for MNIST, 72% for CIFAR-10, and 28% for ImageNet). In a different study, Ian Goodfellow and his coauthors proposed FGSM, which, using a maxout network to create adversarial samples, produces 89.4% misclassification with 97.6% confidence [25]. Su et al. [26] developed the one-pixel attack, which can cause 70.97% of input images to be misclassified by modifying just one pixel. Formally, given a dataset (x, y), where x represents the input and y the label, a conventional ML/DL classifier F maps inputs to their labels, F(x) = y. In adversarial machine learning, however, the classifier F receives the input together with a small perturbation δ bounded by a threshold ϵ, 0 < δ ≤ ϵ, rendering it unable to predict the original label. This transformation is expressed as F(x + δ) ≠ y. A robust model ought to be able to deal effectively with this imperceptible perturbation.

PROPOSED METHOD
The fundamental concept is to enrich a small training dataset with a new set of training examples produced using adversarial machine learning techniques, in order to develop better segmentation or classification models. In the conventional setting, adversarial algorithms concentrate on the non-robust attributes of images to reduce the performance of a model; we use this strategy in the opposite direction, to strengthen weak areas of images with fewer details. This method provides the models with extra input knowledge. Figure 1 depicts the entire process: i) use the original dataset to train the model for segmenting localized images; ii) attack the model using an adversarial attack method that uses the model architecture and input gradients to create perturbations; and iii) add the adversarial examples to the original samples to create a new training set before feeding the model for training. This can improve segmentation outcomes and make the model more resistant to attacks, in stark contrast to the conventional augmentation methods outlined earlier. Although adversarial augmentations may not resemble instances likely to appear in the test set, they can strengthen areas where the learned decision boundary is vulnerable. The usefulness of adversarial training in the manner of augmentation is a novel idea that has not been well investigated and evaluated: although noise injection with adversarial examples has been shown to improve performance, its use for the goal of decreasing overfitting has not been established.

UNet architecture
Segmentation maps matching the input resolution are produced as output. The models are composed of an expanding/decoder path and a contracting/encoder path. The encoder path consists simply of a stack of convolutional and max-pooling layers, while the decoder path requires transposed convolutional layers to recover the position of the context, the "where" information, of the picture. As depth increases along the encoder route, the dimension of the images steadily decreases, from 128×128×3 to 8×8×256. The size of the image steadily rises with decreasing depth in the decoder route, for example from 8×8×256 to 128×128×1, which helps produce segmented output visuals similar to the input. At each level, the feature maps from the encoder and the features from the transposed convolutional layers of the decoder are combined for precise localization. This gives the architecture its U shape. UNet's advantage is that it has only fully convolutional layers and no dense layers, allowing it to take input images of any size.
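As an illustration, the following is a minimal PyTorch sketch of the encoder-decoder structure just described. The spatial and channel progression (128×128×3 down to 8×8×256 and back up to a 128×128×1 mask) follows the text; the intermediate channel widths, kernel sizes, and double-convolution blocks are assumptions in the spirit of the original UNet, not the authors' exact configuration.

```python
import torch
import torch.nn as nn

def conv_block(in_ch, out_ch):
    # Two 3x3 convolutions with ReLU activations (kernel size is an assumption;
    # the paper only specifies the feature-map sizes at each depth).
    return nn.Sequential(
        nn.Conv2d(in_ch, out_ch, kernel_size=3, padding=1), nn.ReLU(inplace=True),
        nn.Conv2d(out_ch, out_ch, kernel_size=3, padding=1), nn.ReLU(inplace=True),
    )

class MiniUNet(nn.Module):
    """Encoder: 128x128x3 down to 8x8x256; decoder mirrors it back to a 128x128x1 mask."""

    def __init__(self):
        super().__init__()
        self.enc1 = conv_block(3, 16)           # 128x128
        self.enc2 = conv_block(16, 32)          # 64x64 after pooling
        self.enc3 = conv_block(32, 64)          # 32x32
        self.enc4 = conv_block(64, 128)         # 16x16
        self.bottleneck = conv_block(128, 256)  # 8x8x256, as described in the text
        self.pool = nn.MaxPool2d(2)
        self.up4 = nn.ConvTranspose2d(256, 128, kernel_size=2, stride=2)
        self.dec4 = conv_block(256, 128)        # 128 up-sampled + 128 skip channels
        self.up3 = nn.ConvTranspose2d(128, 64, kernel_size=2, stride=2)
        self.dec3 = conv_block(128, 64)
        self.up2 = nn.ConvTranspose2d(64, 32, kernel_size=2, stride=2)
        self.dec2 = conv_block(64, 32)
        self.up1 = nn.ConvTranspose2d(32, 16, kernel_size=2, stride=2)
        self.dec1 = conv_block(32, 16)
        self.head = nn.Conv2d(16, 1, kernel_size=1)  # 128x128x1 output mask

    def forward(self, x):
        e1 = self.enc1(x)                       # encoder features kept as skip connections
        e2 = self.enc2(self.pool(e1))
        e3 = self.enc3(self.pool(e2))
        e4 = self.enc4(self.pool(e3))
        b = self.bottleneck(self.pool(e4))
        d4 = self.dec4(torch.cat([self.up4(b), e4], dim=1))   # concatenate for localization
        d3 = self.dec3(torch.cat([self.up3(d4), e3], dim=1))
        d2 = self.dec2(torch.cat([self.up2(d3), e2], dim=1))
        d1 = self.dec1(torch.cat([self.up1(d2), e1], dim=1))
        return self.head(d1)
```

Because the network is fully convolutional, nothing in the sketch pins the input to 128×128; any size divisible by 16 passes through cleanly, matching the size-agnostic property noted above.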

Fast gradient sign method (FGSM)
As per our approach, we want to use adversarial machine learning for improved segmentation. Here we choose the fast gradient sign method (FGSM) of Goodfellow et al. [25], the quickest adversarial technique. The steps followed are: i) take an input image x with its ground-truth mask/label y; ii) generate predictions with the model and compute the loss L(θ, x, y); iii) estimate the gradient of the loss with respect to the input and take the sign of that gradient; iv) build a noise pattern from the perturbation ϵ and the sign of the gradient; and v) create an adversarial example by combining the noise pattern with the input so as to maximize the loss. These actions produce adversarial samples, visually similar to the input, that can trick neural networks into making wrong predictions. Figure 2(a) shows how FGSM increases the loss during adversarial example production; this occurs because the method follows the gradient toward the highest loss. The mathematical form of this process is shown in (1):

x_adv = x + ϵ · sign(∇_x L(θ, x, y))  (1)

This approach is intended to be used for augmentation, which raises the question of how these hostile instances, designed to deceive the model, can serve as an augmentation dataset. To do this, we employ adversarial training as adversarial augmentation. Adversarial training increases the model's resilience and makes it aware of attacks. As shown in (2), it is based on solving a min-max optimization problem:

min_θ max_{0 < δ ≤ ϵ} L(θ, x + δ, y)  (2)

The outer minimization finds model parameters with minimal loss on adversarial cases, whereas the inner maximization finds the largest classification loss. By adjusting the perturbation δ (where 0 < δ ≤ ϵ), we obtain examples that are beneficial; the goal is to improve performance by supplementing the training set with these instances through adversarial training rather than using the maximum perturbation ϵ.
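Steps i)–v) translate directly into code. The following is a minimal PyTorch sketch of FGSM implementing (1); `model` and `loss_fn` stand in for the trained segmentation network and its loss, and the clamp to [0, 1] assumes images normalized to that range.

```python
import torch

def fgsm_example(model, loss_fn, x, y, epsilon=0.1):
    """FGSM, eq. (1): x_adv = x + epsilon * sign(grad_x L(theta, x, y))."""
    x = x.clone().detach().requires_grad_(True)  # i) input image with its mask y
    loss = loss_fn(model(x), y)                  # ii) prediction and loss
    loss.backward()                              # iii) gradient of the loss w.r.t. the input
    noise = epsilon * x.grad.sign()              # iv) noise pattern from the gradient sign
    x_adv = (x + noise).clamp(0, 1)              # v) adversarial example, kept in valid range
    return x_adv.detach()
```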

Inverse FGSM
The formulation of FGSM served as the inspiration for this strategy. Instead of changing the weights to lessen the loss, FGSM changes the inputs through backpropagated gradients to maximize the loss. We propose an inverse FGSM (InvFGSM) variant of the technique: to improve performance, our suggested InvFGSM modifies the inputs toward a minimized loss. In FGSM, only the sign of the gradient matters for the adversarial noise; just as the sign of the derivatives produces adversarial noise that is mixed with the input to produce adversarial instances, the inverse of the sign gives a positive noise that helps minimize the loss. Adding these adversarial cases with positive noise to the data can improve the performance of the model. The mathematical form of this approach is shown in (3):

x_adv = x − ϵ · sign(∇_x L(θ, x, y))  (3)

Figure 2(b) shows that the InvFGSM approach keeps minimizing the loss rather than growing it as FGSM does. With this, we can produce advantageous adversarial cases for a fresh set of augmentations. To exploit these instances, we take a technique similar to the one outlined in the preceding section. However, since we use a reverse strategy to follow gradients toward the least loss during the creation of positive adversarial examples, this training can be thought of as a min-min optimization problem, as in (4):

min_θ min_{0 < δ ≤ ϵ} L(θ, x + δ, y)  (4)

The outer minimization identifies the model parameters that reduce the loss on the adversarial cases, and the inner minimization finds the smallest classification loss when creating adversarial examples over the domain of allowed perturbations, 0 < δ ≤ ϵ. This training strategy is intended to be used for adversarial augmentation.
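In code, the only difference from the FGSM sketch above is the flipped sign of the gradient step, which implements (3); the short augmentation loop and the `train_pairs` name below are illustrative placeholders, not the authors' exact pipeline.

```python
def inv_fgsm_example(model, loss_fn, x, y, epsilon=0.1):
    """InvFGSM, eq. (3): x_adv = x - epsilon * sign(grad_x L), stepping toward lower loss."""
    x = x.clone().detach().requires_grad_(True)
    loss = loss_fn(model(x), y)
    loss.backward()
    x_adv = (x - epsilon * x.grad.sign()).clamp(0, 1)  # flipped sign vs. FGSM
    return x_adv.detach()

# Adversarial augmentation: pair each positive adversarial image with its original
# mask and train on the union of real and adversarial samples (min-min training).
# `train_pairs` is a placeholder for the (image, mask) pairs of the dataset.
aug_pairs = [(inv_fgsm_example(model, loss_fn, x, y), y) for x, y in train_pairs]
```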

Experimental design and model development
We repeated the experiments multiple times with parameter tuning to find the most suitable settings. The following parameters were used for model training both with and without data augmentation: categorical cross-entropy loss, SGD optimizer with momentum 0.99, learning rate 0.1, and batch size 16. The batch size and learning rate can be increased for faster convergence if sufficient GPU power is available.
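A minimal sketch of this training configuration in PyTorch is shown below. The hyperparameters (SGD, momentum 0.99, learning rate 0.1, batch size 16, 30 epochs) come from the text and Table 1; `train_dataset` is a placeholder, `MiniUNet` refers to the sketch above, and the binary form of the cross-entropy is used to match that sketch's single-channel mask, whereas the paper names categorical cross-entropy.

```python
import torch
import torch.nn as nn
from torch.utils.data import DataLoader

model = MiniUNet()                 # the UNet sketch above; any segmentation model works
loss_fn = nn.BCEWithLogitsLoss()   # binary form of the cross-entropy, matching the
                                   # 1-channel mask of the sketch above
optimizer = torch.optim.SGD(model.parameters(), lr=0.1, momentum=0.99)
loader = DataLoader(train_dataset, batch_size=16, shuffle=True)  # train_dataset: placeholder

for epoch in range(30):            # Table 1 reports performance up to epoch 30
    for x, y in loader:
        optimizer.zero_grad()
        loss = loss_fn(model(x), y)
        loss.backward()
        optimizer.step()
```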

Augmentation of data through adversarial training
This section covers the impact of the suggested augmentation approach. Table 1 shows the difference in segmentation accuracy achieved before and after augmentation. The UNet model typically segments medical images quite effectively: up to epoch 30, UNet provides roughly 80% accurate segmentation. Data augmentation can undoubtedly improve these results, and adversarial machine learning is the relatively recent method of augmentation we used. Compared to UNet alone, FGSM with UNet performs around 3% better, and, as expected, inverse FGSM boosts this performance even more, with an increase of roughly 6%.

Effect of increased perturbation on model robustness
Adversarial machine learning attack strategies can also be used to strengthen the model; this phenomenon is illustrated in Table 2. To test the model's resilience, we attacked it with random perturbations in the range 0 to 0.2. It is evident how the model degrades as the noise level rises: even noise with ϵ = 0.2 reduces segmentation performance by up to 35%. Conversely, adversarial training unquestionably helped the model regain performance and robustness. Since optical imperceptibility is a goal in addition to strong performance for adversarial training, the degree of perturbation was set at 0.1, because a larger perturbation produces visibly distorted adversarial images. For the colon cancer and lumbar CT datasets respectively, Figures 3 and 4 show examples of (a) the original input, (b) the ground truth used for training, (c) the adversarial image for augmentation generated by the proposed InvFGSM method, which helps produce better segmentation, and (d) the predicted mask after augmentation.
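A sketch of this robustness probe, under the same assumptions as the sketches above: attack the trained model with FGSM at a range of perturbation strengths and record pixel accuracy. The particular ϵ values listed are illustrative, not the exact grid of Table 2.

```python
def accuracy_under_attack(model, loss_fn, loader, epsilons=(0.0, 0.05, 0.1, 0.2)):
    """Pixel accuracy when inputs are perturbed by FGSM at each epsilon."""
    results = {}
    for eps in epsilons:
        correct, total = 0, 0
        for x, y in loader:
            # eps = 0 is the clean baseline; otherwise craft an FGSM attack at strength eps
            x_adv = x if eps == 0 else fgsm_example(model, loss_fn, x, y, epsilon=eps)
            with torch.no_grad():
                pred = (model(x_adv) > 0).float()  # threshold logits for a binary mask
            correct += (pred == y).sum().item()
            total += y.numel()
        results[eps] = correct / total
    return results
```

Running this once on the baseline model and once on the adversarially augmented model makes the recovery of performance under increasing ϵ directly comparable.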

Comparison to traditional augmentations
We also compared our method's performance against several commonly used data augmentation techniques; the results can be found in Table 3. We compared our method against flipping, rotation, cropping, color jittering, and a GAN. Among all the methods, our proposed InvFGSM performed best, with the second-best result achieved by GAN-based augmentation.

Discussion
This study combines medical image analysis with the use of adversarial machine learning. We used one adversarial attack technique to see whether it could be used to supplement medical data. Because medical images are often low-resolution, even small changes can affect the ability to identify diseases, so the attack strategy must be applied with additional caution. To aid augmentation without harming the model, we used a relatively straightforward attack method, FGSM, and tuned its perturbation parameter. We then applied our own approach to augmentation, influenced by the theoretical underpinnings of FGSM. There remain, however, a number of effective attack methods that may have more pronounced benefits for augmentation or, alternatively, quite the opposite effect. Future research into this problem will allow a more accurate assessment of how to use adversarial attacks for augmentation.

CONCLUSION
Using a dataset of colon cancer cases and CT scan images of the lumbar vertebrae, we deployed a deep learning algorithm for cancer cell segmentation in this study, and we developed a novel data augmentation method for improved segmentation. Data augmentation is a vital step, since limited data leads to overfitting in deep learning models. Although it cannot fully compensate for incomplete data in cases where a class has no samples at all, it can be used to reduce overfitting. As a novel way of enhancing the data, we experimented with adversarial machine learning attack strategies, which succeeded in improving segmentation efficiency on this dataset. Even though model robustness is the traditional goal of adversarial machine learning, this study clearly demonstrates that it can also be utilized for data augmentation tasks. Further research is needed to determine whether this benefits all models equally, but it should be seen as a promising beginning for a novel method of data enrichment employing adversarial machine learning.

Figure 1. Workflow of the proposed approach

Figure 2. Effects of (a) FGSM and (b) InvFGSM on the loss curve in relation to model parameters

Figure 3. Segmentation performance on the colon cancer dataset using adversarial augmentation by InvFGSM: (a) original input, (b) ground truth/mask, (c) adversarial image, and (d) predicted mask after augmentation

Figure 4. Segmentation performance on the lumbar CT dataset using adversarial augmentation by InvFGSM: (a) original input, (b) ground truth/mask, (c) adversarial image, and (d) predicted mask after augmentation

Table 1. The models' performance across different epochs

Table 2. Effect of attacks on model robustness with varying perturbation (ϵ) for (a) the colon cancer and (b) the lumbar CT dataset

Table 3. Performance of the proposed method against different augmentation methods