Brain Tumor Classifiers Under Attack: Robustness of ResNet Variants Against Transferable FGSM and PGD Attacks

TL;DR

This study evaluates the robustness of ResNet-based brain tumor classifiers against transferable adversarial attacks, revealing significant vulnerabilities influenced by data preprocessing and model architecture, crucial for clinical MRI applications.

Contribution

It provides a comparative analysis of various ResNet variants' robustness to FGSM and PGD attacks in brain MRI classification, highlighting the impact of data preprocessing on adversarial vulnerability.

Findings

BrainNeXt models show highest robustness to black-box attacks.

Shrunk and non-augmented data reduce model resilience.

Trade-off exists between input resolution and adversarial vulnerability.

Abstract

Adversarial robustness in deep learning models for brain tumor classification remains an underexplored yet critical challenge, particularly for clinical deployment scenarios involving MRI data. In this work, we investigate the susceptibility and resilience of several ResNet-based architectures, referred to as BrainNet, BrainNeXt and DilationNet, against gradient-based adversarial attacks, namely FGSM and PGD. These models, based on ResNet, ResNeXt, and dilated ResNet variants respectively, are evaluated across three preprocessing configurations (i) full-sized augmented, (ii) shrunk augmented and (iii) shrunk non-augmented MRI datasets. Our experiments reveal that BrainNeXt models exhibit the highest robustness to black-box attacks, likely due to their increased cardinality, though they produce weaker transferable adversarial samples. In contrast, BrainNet and Dilation models are more vulnerable to attacks from each other, especially under PGD with higher iteration steps and $\alpha$ values. Notably, shrunk and non-augmented data significantly reduce model resilience, even when the untampered test accuracy remains high, highlighting a key trade-off between input resolution and adversarial vulnerability. These results underscore the importance of jointly evaluating classification performance and adversarial robustness for reliable real-world deployment in brain MRI analysis.