Adversarial Attacks and Defences for Skin Cancer Classification

TL;DR

This paper investigates the vulnerabilities of skin cancer classification models to adversarial attacks and evaluates the effectiveness of adversarial training as a defense, highlighting the importance of robustness in medical AI systems.

Contribution

It analyzes specific adversarial attack techniques on skin lesion classifiers and assesses adversarial training as a defense, providing insights for improving model robustness in healthcare.

Findings

Adversarial attacks significantly degrade model accuracy.

Adversarial training improves robustness against attacks.

Recommendations for enhancing neural network defenses.

Abstract

There has been a concurrent significant improvement in the medical images used to facilitate diagnosis and the performance of machine learning techniques to perform tasks such as classification, detection, and segmentation in recent years. As a result, a rapid increase in the usage of such systems can be observed in the healthcare industry, for instance in the form of medical image classification systems, where these models have achieved diagnostic parity with human physicians. One such application where this can be observed is in computer vision tasks such as the classification of skin lesions in dermatoscopic images. However, as stakeholders in the healthcare industry, such as insurance companies, continue to invest extensively in machine learning infrastructure, it becomes increasingly important to understand the vulnerabilities in such systems. Due to the highly critical nature of the tasks being carried out by these machine learning models, it is necessary to analyze techniques that could be used to take advantage of these vulnerabilities and methods to defend against them. This paper explores common adversarial attack techniques. The Fast Sign Gradient Method and Projected Descent Gradient are used against a Convolutional Neural Network trained to classify dermatoscopic images of skin lesions. Following that, it also discusses one of the most popular adversarial defense techniques, adversarial training. The performance of the model that has been trained on adversarial examples is then tested against the previously mentioned attacks, and recommendations to improve neural networks robustness are thus provided based on the results of the experiment.