key: cord-0463175-8rx27zq0
authors: Tripathi, Achyut Mani; Mishra, Ashish
title: Fuzzy Unique Image Transformation: Defense Against Adversarial Attacks On Deep COVID-19 Models
date: 2020-09-08
journal: nan
DOI: nan
sha: c0def5d83f234940d649af27ddd8648a0529ec5e
doc_id: 463175
cord_uid: 8rx27zq0

Early identification of COVID-19 using a deep model trained on Chest X-Ray and CT images has gained considerable attention from researchers as a way to speed up the identification of active COVID-19 cases. These deep models act as an aid to hospitals that suffer from the unavailability of specialists or radiologists, specifically in remote areas. Various deep models have been proposed to detect COVID-19 cases, but few works have addressed protecting the deep models against adversarial attacks capable of fooling the deep model by using a small perturbation in image pixels. This paper presents an evaluation of the performance of deep COVID-19 models against adversarial attacks. It also proposes an efficient yet effective Fuzzy Unique Image Transformation (FUIT) technique that downsamples the image pixels into an interval. The images obtained after the FUIT transformation are further utilized for training the secure deep model that preserves high accuracy of the diagnosis of COVID-19 cases and provides reliable defense against the adversarial attacks. The experiments and results show that the proposed model protects the deep model against the six adversarial attacks and maintains high accuracy in classifying the COVID-19 cases from the Chest X-Ray image and CT image datasets. The results also recommend careful inspection before practically applying the deep models to diagnose COVID-19 cases.
The emergence of a novel coronavirus [1] challenges healthcare systems across the world to control the exponential growth of the virus, which first occurred in the Wuhan and Hebei cities of China [1] in December 2019 and later spread to other countries across the world. Based on the degree of spread of the virus, the World Health Organization (WHO) declared the disease the COVID-19 pandemic [2]. Cough, fatigue, fever, and illness in the lungs are among the earlier symptoms suggested by clinical experts for diagnosing COVID-19 cases at an initial stage. Control and prevention of COVID-19 demand the maximum number of medical tests. Healthcare systems across the world suffer from a lack of effective testing toolkits to identify COVID-19 cases in the current situation. The early identification of COVID-19 cases would help to quarantine high-risk COVID-19 patients and to break the chain of further spread of the virus in the community. In an attempt to develop a testing toolkit for the diagnosis of COVID-19, researchers from the radiology domain suggested the use of the reverse transcription-polymerase chain reaction (RT-PCR) test [3]. However, the test requires long latency to identify COVID-19 cases and demands highly expert radiologists [3]. The RT-PCR test also suffers from a high false-positive rate during the diagnosis of COVID-19 cases [3], which is not acceptable. A good survey of the various image, sound, and blood test report-based datasets available for diagnosing COVID-19 cases can be found in [4]. Recent studies [5], [6] have shown that Chest X-Ray images of COVID-19 patients play a vital role in timely identification and further control of COVID-19 cases. Inspired by the success of work on chest X-Ray and CT scan images, various methods and computer-aided systems have been proposed that combine deep learning methods and radiology expert knowledge to identify COVID-19 cases.
A comprehensive study of various deep learning-based methods for diagnosis of COVID-19 using chest X-Ray and CT scan images can be found in [7], [8], [9], [10]. The majority of the deep learning models proposed for identifying COVID-19 cases are based on transfer learning [9], [11], [12], [13], attention-based mechanisms [14], [15], [16], [17], self-supervised learning [18], [19] and explainable deep models [20], [21], [22], [23]. On the other hand, very little work has been performed on the vulnerability of deep models to adversarial attacks [24] capable of misleading the deep model with a small perturbation in the pixels of an input image. Identification of COVID-19 cases requires expert opinions on the chest X-Ray and CT scan images. It also involves the communication of the COVID-19 data through the web to receive the experts' suggestions and reports. Deep learning models have reached new state-of-the-art (SOTA) results in object detection [25], text mining [26], speech recognition [27] and computer vision [28]. However, it has been well explored that deep models are sensitive to small perturbations in an input and are easily fooled by an attacker. This paradigm is also known as an adversarial attack [24], [29]. The study of adversarial attacks was introduced a decade ago [30] and gained huge attention from deep learning researchers due to the increasing demand for deep learning techniques in various real-life applications. Data and model privacy and security concerns make the study of adversarial attacks popular in deep learning research. The existence of adversarial attacks raises various questions about the generalization of deep models for the diagnosis of COVID-19 using medical images. In [31], Hirano et al. investigated the performance of deep models for the diagnosis of COVID-19 cases in the presence of adversarial attacks.
A previous study suggested the vulnerability as a major bottleneck for medical image-based diagnosis [32]. Adversarial attacks on deep models can be subdivided into two major classes. The first type of attack is known as a white-box attack [30], and the second type of attack is known as a black-box attack [30]. White-box attacks use full knowledge of the deep model, dataset, architecture, and parameters. The scenario is different in black-box attacks, which have only partial access to the information related to the deep model. The proposed method aims to provide defense against white-box attacks, which are very hard to prevent in practical scenarios. Adversarial attacks are further broadly classified into two classes, targeted and untargeted attacks. Targeted attacks modify clean images into adversarial images that make the deep model classify the input image into a class set by the attacker. For example, a clean image of a non-COVID-19 case is transformed into an adversarial image with the target label set as COVID-19, and the model classifies the image as COVID-19 instead of a normal case. On the other hand, in the case of untargeted attacks, the image is transformed into an adversarial image such that the model classifies the image into a label other than the true class label of the image. For example, an image that belongs to the COVID-19 class is misclassified as a normal case or a pneumonia case after an untargeted adversarial attack. The work presented in this paper intends to provide a defense mechanism against the untargeted class of adversarial attacks. A pioneering work that focuses on the generation of adversarial examples was presented by Goodfellow et al. [33]. The authors proposed a fast gradient-based approach to generate adversarial samples. Taking inspiration from the initial work of Goodfellow et al. [33], various methods have been proposed to generate adversarial examples. Moosavi et al.
[34] proposed the DeepFool mechanism that generates perturbation until the confidence of the model decreases on the correct label for the given input. The iteration to create perturbation stops when the deep model is fooled. In [35], the authors proposed an attack mechanism that uses the Adam optimization method [36] for an adversarial attack. Sharma et al. [37] proposed a framework that uses attention feature maps to generate adversarial examples to attack the deep model. Besides the development of adversarial attack techniques, numerous defense methodologies [38], [39] have been proposed to protect deep models against adversarial attacks. The defense methodologies are further grouped into two categories: black box defense and white box defense. The white box defense involves adversarial images as input to train the deep model. The adversarial images are generated by one of the adversarial attack techniques [33], [34] mentioned above. On the contrary, the black box defense does not involve adversarial images in training the deep model that prevents adversarial attacks. Data augmentation techniques [39], input transformation [40] and an encryption-inspired shuffling of images [41] are among the popular techniques that are well explored to perform black-box defense. A comprehensive study of various defense techniques against adversarial attacks can be found in [38]. White box defenses are more successful than black box defenses. Still, they suffer from a high probability of failure against attacks having a complexity greater than the adversarial attacks employed to generate the adversarial images used while training the white box defense models. The black box defense is independent of the complexity of the attack mechanism and has thus gained more attention for developing robust and secure deep models against adversarial attacks. The proposed fuzzy unique image transformation (FUIT) technique belongs to the black box defense category.
To the best of our knowledge, a fuzzy logic-based black box defense has not been proposed to protect COVID-19 images from adversarial attacks. The two significant contributions of this paper are as follows. The first contribution is incorporating a fuzzy unique transformation method within the architecture of a deep model to secure the deep model against adversarial attacks. The second contribution is to provide a comprehensive study of the performance of the proposed model in classifying COVID-19 cases under various adversarial attacks. The organization of the paper is as follows: Section II presents a brief introduction to the adversarial attack and fuzzy set theory. Section III presents details of the methodology used to train the secure deep model using FUIT transformed images to prevent adversarial attacks. Section IV presents experiments, results and an ablation study, and finally, conclusions and future work are presented in Section V.

This section presents a brief introduction to the adversarial attack and the fuzzy set.

The major aim of adversarial attacks [24] is to modify pixel values by a small amount. The changes that occur in a modified image are invisible to humans but well understood by deep learning models. If f denotes a function that represents a deep model with parameters θ learned using input image X and label y After adding small perturbation to image pixels the adversarial input image X satisfies the following condition: When the model is evaluated against adversarial image X , then y = y , that results in a degradation in the model's performance. The phenomenon of a decrease in the rate at which the model correctly classifies the images is known as the adversarial attack, which easily fools the model into misclassifying an input image modified using a small perturbation. In this paper, our primary aim is to protect the deep model against adversarial attacks.
A set in which every element has a membership value is known as a fuzzy set (F) [42]. Where (F) is a fuzzy set with element x and membership value µ. Here µ F (x) denotes the membership value of x with respect to the fuzzy set F. The value of µ always lies between 0 and 1. U is a universe of information.

This section presents details of the Fuzzy Unique Image Transformation (FUIT) technique and the methodology used to build a deep model that is secure against adversarial attacks. FUIT creates fuzzy sets from the given range of values of the image pixels. For an image whose pixel values lie in a range (U) from 0 to 255, we create R fuzzy sets that use a triangular membership function [42] (as shown in Eq. (5)) to compute the membership value (µ) of the given pixel. The created fuzzy sets downsample the image pixels into an interval ranging from 1 to R. The new transformed image has pixel values between 1 and R. The FUIT technique performs discretization of the values of the image pixels into an interval [1, R].

Require: Input Image (X), R-Fuzzy Here, M v [1 * R] = An array of membership values 7: end for 8: end for 11: end for 12: Return X F (Output FUIT Transformed Image)

Algorithm 1 shows the steps of the FUIT transformation of the image X. In this paper, a triangular membership function is used to compute the membership values of a pixel for the given fuzzy set. Eq. (5) shows the triangular membership function with three parameters p, q, r and input x. µ denotes the triangular membership value. For example, consider an image of size (3*3) having values [78, 61, 120, 236, 222, 40, 10, 11, 15] as shown in Fig. (1). The image is transformed into a FUIT image using Algorithm 1. The new image created after the FUIT technique

The performance of the proposed method is first evaluated on the COVID-19 Chest X-Ray Image Dataset [43]. The data set includes a collection of chest X-Ray images of people belonging to the Normal, Pneumonia, and COVID-19 classes.
Several contributions from people belonging to different places increase the size of the dataset. At the time of this study, the dataset contains a total of 1125 images. Among the available 1125 images, 500 images belong to the Normal class, 500 images belong to people suffering from pneumonia, and the remaining 125 images belong to people infected with COVID-19. The study followed 5-fold cross-validation to evaluate the performance of the proposed framework. Fig. (5) shows sample chest X-Ray images of persons belonging to the normal, pneumonia, and COVID-19 classes. A total of nine models (M1-M9) are trained using weights initialized with three different pre-trained models, i.e. Resnet-18 [44], VGG-16 [45] and GoogLeNet [46] respectively. Table I shows details of the nine models prepared for comparison. The models (M1-M9) are further evaluated against the adver- Table II are shown in Table III. The early stop technique is used to train the models, and the maximum epoch is set as 150. The learning rate is 0.001, and the batch size is selected as 32. All experiments are conducted on the Ubuntu 16.04 LTS operating system with 16 GB RAM and an NVIDIA GM107M 4 GB GPU. All scripts are developed using the open-source Pytorch 1.4 library. All images are resized to the size required by the three pre-trained models used to initialize the deep model weights. The deep model is trained using Adam optimization [36]. The loss function L is selected as the cross entropy loss, as shown in Eq. (6). Here x is an input and C is the class label. k is the total number of classes. As mentioned earlier, a total of nine models are developed for the comparative analysis. We evaluated the performance of the proposed model in two settings. Models are trained for binary and three class classification scenarios. In the case of binary classification, images belonging to the COVID-19 and pneumonia classes are considered to come from the same class.
Initially, M1, M2, and M3 are trained and tested on the clean chest X-Ray images. Table IV After evaluation of the performance of the models M1, M2 and M3 on the clean Chest X-Ray images, the models are tested against the adversarial images generated from six different attacks, as listed in Table II. Table V shows the performance of the three models for binary and three class classification. Table VIII and Table IX show a comparison of the developed models with the state-of-the-art (SOTA) methods for the diagnosis of COVID-19 cases using the chest X-Ray images. The accuracy of the proposed FUIT transformation-based model is comparable to SOTA models and provides reliable security against adversarial attacks. Fig. (6) and Fig. (7) show a comparison of different models for detecting COVID-19 cases in the binary and three class classification scenarios respectively.

Apostolopoulos et al. [11] 92.85 Wang et al. [9] 90.60

Apart from evaluating the performance of a deep model on the FUIT processed images, the performance of the deep model trained on images transformed using the typical discretization is also evaluated. Table X shows the the standard discretization-based transformation, each time pixel value is divided by L and floor value is computed to know the interval to which the pixel value belongs. For example, if the value of L is 32, then the total number of intervals is equal to 7 when the pixel values range from 0 to 255. In this study, we set the value of L as 32. The normal discretization is a hard assignment of intervals, and the proposed FUIT technique is a soft assignment of intervals. The model M7 shows the highest mean accuracy of 96.25% and 86.91% for the binary and three class classification, respectively. The models M7, M8, and M9 show less accuracy than the models M4, M5, and M6.
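The following added sketch (not the authors' code) puts the FUIT soft assignment next to the hard discretization described above and checks how each reacts to a small pixel perturbation. The evenly spaced triangular sets, the highest-membership rule, R = 8 and the ±2 perturbation are assumptions made here, because Algorithm 1 and Eq. (5) are incomplete on this page; the 3×3 pixel values and L = 32 come from the text.

```python
"""Added illustration (not the authors' code): soft vs hard pixel binning."""

# 3x3 example image from the text, flattened row by row.
IMAGE = [78, 61, 120, 236, 222, 40, 10, 11, 15]
# Constructed perturbation of +/-2 per pixel (an assumption for this demo).
DELTA = [2, -2, 2, -2, 2, -2, 2, -2, 2]


def triangular(x, p, q, r):
    """Standard triangular membership: 0 at p and r, 1 at the peak q."""
    if p < x <= q:
        return (x - p) / (q - p)
    if q < x < r:
        return (r - x) / (r - q)
    return 0.0


def fuzzy_sets(R, lo=0.0, hi=255.0):
    """Assumed layout: R evenly spaced triangles with peaks on [lo, hi]."""
    width = (hi - lo) / (R - 1)
    peaks = [lo + k * (hi - lo) / (R - 1) for k in range(R)]
    return [(q - width, q, q + width) for q in peaks]


def fuit(pixels, R=8):
    """Map each pixel to the 1-based index of its strongest fuzzy set."""
    sets = fuzzy_sets(R)
    out = []
    for x in pixels:
        # Array of R membership values for this pixel (M_v in Algorithm 1).
        memberships = [triangular(x, p, q, r) for (p, q, r) in sets]
        # Assumed rule: keep the index of the highest membership.
        out.append(memberships.index(max(memberships)) + 1)
    return out


def hard_bins(pixels, L=32):
    """Standard discretization from the text: floor(pixel / L)."""
    return [x // L for x in pixels]


def perturb(pixels, delta):
    """Add a per-pixel perturbation and clip to the valid range 0..255."""
    return [min(255, max(0, x + d)) for x, d in zip(pixels, delta)]


def flipped(transform, clean, adversarial):
    """Count pixels whose transformed value differs after perturbation."""
    return sum(a != b for a, b in zip(transform(clean), transform(adversarial)))


if __name__ == "__main__":
    adv = perturb(IMAGE, DELTA)
    print("clean FUIT :", fuit(IMAGE))
    print("adv   FUIT :", fuit(adv))
    print("clean hard :", hard_bins(IMAGE))
    print("adv   hard :", hard_bins(adv))
    print("flips FUIT/hard:", flipped(fuit, IMAGE, adv),
          flipped(hard_bins, IMAGE, adv))
    # A pixel that sits next to a set boundary can still change label.
    print("236 vs 238 :", fuit([236]), fuit([238]))
```

With this constructed perturbation all nine FUIT labels are unchanged while one hard bin changes (222 to 224 crosses 7 × 32). The 236 to 238 case shows that a FUIT label also flips when a pixel lies next to the boundary between two sets, so robustness should be measured on perturbed images and not assumed from the transformation alone.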
The soft assignment of intervals using the FUIT technique is capable of dealing with the uncertainty that occurs during the assignment of the pixels to the intervals, thus resulting in higher accuracy of the model M4 compared to the model M7. Table XI shows the accuracy of the models M7, M8, and M9 for binary and three class classification in the presence of the six adversarial attacks. The models trained on images transformed using the typical discretization approach also show high accuracy in protecting the deep COVID-19 model against the adversarial attacks, but show less accuracy than models trained using the FUIT transformed images. It is clear from Table VII and Table XI that the models trained using the FUIT transformed images are more secure against adversarial attacks during the diagnosis of COVID-19 cases. All nine models show high classification accuracy for binary classification and less accuracy for three-class classification. The COVID-19 cases share similar symptoms with the pneumonia cases, which results in less classification accuracy in the case of three-class classification.

The proposed model is also evaluated on a second available CT Scan Image Dataset [50] for the diagnosis of COVID-19. The dataset contains 398 images for normal patients and 399 images for patients suffering from COVID-19. A total of nine models (M10-M18) are trained by initializing the weights using the three pre-trained models Resnet-18 [44], VGG-16 [45] and GoogLeNet [46]. Table XII shows a description of the models developed to evaluate the performance of the proposed method on the CT Image Dataset. Classification of COVID-19 cases in CT images is a binary classification problem. The evaluation is performed by applying the 5-fold cross-validation technique. Table XIII shows the accuracy of the nine models developed to classify the COVID-19 cases. Fig. (8) shows sample images belonging to normal and COVID-19 cases in the CT image dataset.
The model M10 achieves the highest mean accuracy of 89.19%. The model M18 shows the lowest mean accuracy of 87.77%. The developed models are tested on classifying the COVID-19 cases in the presence of the six adversarial attacks from Table II. The value of L is set as 32 for models M16, M17, and M18. Table XIV shows the accuracy of the models in classifying the COVID-19 cases under the six attacks. The models M10, M11, and M12 show degradation in classification accuracy when tested against the adversarial CT images. The BIM attack is again the most successful attack that drops the Fig. (9b) shows the adversarial image of the COVID-19 case (the adversarial image of the image shown in Fig. (9a)). In the presence of the PGD attack, the class probability of COVID-19 decreases to 0.41. The difference between the clean COVID-19 CT image and the adversarial COVID-19 CT image is visually unrecognizable by humans but well recognized by the deep model. Fig. (9) shows a comparison of these two images when classified by model M10 in the presence of the PGD attack. Table XV shows a comparison of the proposed model with SOTA methods for classifying the COVID-19 cases using the CT images. Fig. (10) shows a comparison of the accuracy of different models in classifying the COVID-19 cases in the CT image dataset.

In this paper, we presented a novel fuzzy unique image transformation (FUIT) technique as a pre-processing step that protects the COVID-19 deep model against adversarial attacks. The FUIT technique downsamples the image pixels into an interval by using the created fuzzy sets. The FUIT technique prevents an increase in the variance of the number of unique pixels of the given image. This results in an equal number of unique pixel values in the clean and adversarial images. The deep model trained using the FUIT transformed images shows robust and secure performance against the adversarial attacks.
The experiment and results on two available COVID- The study is performed using datasets with significantly fewer images, which could be one drawback of this study. In future, the models will be trained on more images collected from other publicly available repositories and nearby local hospitals. Besides, an inspection of the FUIT to develop the deep models to classify the images received from various research domains can be considered a natural extension of this study.

[1] A new coronavirus associated with human respiratory disease in china
[2] Global guidance for surgical care during the covid-19 pandemic
[3] Correlation of chest ct and rt-pcr testing in coronavirus disease 2019 (covid-19) in china: a report of 1014 cases
[4] Covid-19 open source data sets: A comprehensive survey
[5] Coronavirus disease 2019 (covid-19): a perspective from china
[6] Chest ct findings in coronavirus disease-19 (covid-19): relationship to duration of infection
[7] Automated detection of covid-19 cases using deep neural networks with x-ray images
[8] Coronet: A deep neural network for detection and diagnosis of covid-19 from chest x-ray images
[9] Covid-net: A tailored deep convolutional neural network design for detection of covid-19 cases from chest radiography images
[10] Automated detection and forecasting of covid-19 using deep learning techniques: A review
[11] Covid-19: automatic detection from x-ray images utilizing transfer learning with convolutional neural networks
[12] Automatic detection of coronavirus disease (covid-19) using x-ray images and deep convolutional neural networks
[13] Multichannel transfer learning of chest x-ray images for screening of covid-19
[14] Accurate screening of covid-19 using attention based deep 3d multiple instance learning
[15] Prior-attention residual learning for more discriminative covid-19 screening in ct images
[16] Covid-19 detection using residual attention network an artificial intelligence approach
[17] Covidaid: Covid-19 detection using chest x-ray
[18] 4s-dt: Self supervised super sample decomposition for transfer learning with application to covid-19 detection
[19] Efficient and effective training of covid-19 classification networks with self-supervised dual-track learning to rank
[20] Deepcovidexplainer: Explainable covid-19 predictions based on chest x-ray images
[21] Explainable deep learning for pulmonary disease and coronavirus covid-19 detection from x-rays
[22] Covidscreen: Explainable deep learning framework for differential diagnosis of covid-19 using chest x-rays
[23] Jcs: An explainable covid-19 diagnosis system by joint classification and segmentation
[24] Evasion attacks against machine learning at test time
[25] Scalable object detection using deep neural networks
[26] Time series classification using deep learning for process planning: a case from the process industry
[27] A survey of deep neural network architectures and their applications
[28] Deep learning for visual understanding: A review
[29] Intriguing properties of neural networks
[30] Wild patterns: Ten years after the rise of adversarial machine learning
[31] Vulnerability of deep neural networks for detecting covid-19 cases from chest x-ray images to universal adversarial attacks
[32] Adversarial attacks on medical machine learning
[33] Explaining and harnessing adversarial examples
[34] Deepfool: a simple and accurate method to fool deep neural networks
[35] Towards evaluating the robustness of neural networks
[36] Adam: A method for stochastic optimization
[37] Attend and attack: Attention guided adversarial attacks on visual question answering models
[38] Adversarial learning targeting deep neural network classification: A comprehensive review of defenses against attacks
[39] The effectiveness of data augmentation in image classification using deep learning
[40] Countering adversarial images using input transformations
[41] Detecting adversarial examples via key-based network
[42] Fuzzy sets
[43] Covid-19 image data collection: Prospective predictions are the future
[44] Deep residual learning for image recognition
[45] Very deep convolutional networks for large-scale image recognition
[46] Going deeper with convolutions
[47] Adversarial examples in the physical world
[48] Towards deep learning models resistant to adversarial attacks
[49] Covidx-net: A framework of deep learning classifiers to diagnose covid-19 in x-ray images
[50] Covid-ct-dataset: a ct scan dataset about covid-19
[51] Explainable-by-design approach for covid-19 classification via ct-scan