NSL-MHA-CNN: A Novel CNN Architecture for Robust Diabetic Retinopathy Prediction Against Adversarial Attacks

Convolutional Neural Network (CNN) models have gained ground in research, particularly on the medical images used for Diabetic Retinopathy (DR) detection. X-ray, MRI, and CT scans have all been used to validate CNN models, with classification accuracy generally reaching that of trained doctors. It is mandatory to evaluate the strength of CNN models used in medical tasks against adversarial attacks, especially in healthcare: the security of such models is becoming extremely relevant to diagnosis, since the diagnosis guides high-stakes decision-making. However, little study has been conducted to better comprehend this issue. This paper focuses on the MobileNet CNN architecture in order to investigate its vulnerability to fast gradient sign method (FGSM) adversarial attacks. To this end, Neural Structure Learning (NSL) and Multi-Head Attention (MHA) have been used to effectively reduce the vulnerability to attack through end-to-end CNN training with adversarial neighbors that produce adversarial perturbations on optical coherence tomography (OCT) images. The suggested model, NSL-MHA-CNN, is able to maintain model performance under adversarial attack without increasing the cost of training. Through theoretical assistance and empirical validation, it was possible to examine the stability of the MobileNet architecture and demonstrate its susceptibility, particularly to adversarial attack. The experiments in this paper show that indiscernible degrees of perturbation $\varepsilon < 0.01$ were sufficient to cause a task failure, resulting in misclassification the majority of the time. Moreover, empirical simulation shows that the proposed approach can be an effective method of defense against adversarial attack at the level of CNN model testing.


I. INTRODUCTION
Deep Learning (DL) has recently delivered cutting-edge performance in a variety of applications without the need for manual feature extraction [1], in particular in the area of pattern recognition. Recently, multiple deep learning models, especially CNNs, have achieved several human-competitive results [2]. CNN models are used in a variety of applications in the medical field, especially in Computer Aided Diagnosis (CAD) systems for disease prediction and classification, such as: Skin cancer classification using photographic images [3],
The associate editor coordinating the review of this manuscript and approving it for publication was Jinhua Sheng.
Despite the high diagnostic performance of CAD [23], recent advances in adversarial examples have revealed a number of security concerns [24], [25]; mainly, CAD systems are usually fragile to adversarial attacks [26]. For example, a simple perturbation of the input image makes little difference to the human eye, but it can mislead CNN models into opposite conclusions. Furthermore, a common problem during the data acquisition phase is image noise, which can implicitly form an adversarial attack. For example, particle contamination in dermoscopy and endoscopy, as well as metal/respiratory artifacts lenses of CT scans, significantly decreases the quality of acquired imagery. Neural networks are locally unstable with respect to small perturbations, which produce considerably different outputs [27], [28]; DL models are thus vulnerable to adversarial attack. Nevertheless, investigations of adversarial attacks have largely focused on non-medical images, while such attacks on medical images are relatively unknown [29], [30].
VOLUME 10, 2022. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
In this work, the focus is on the MobileNet CNN model and its susceptibility to adversarial attack. First, the vulnerability of the model to FGSM attacks is investigated. Second, based on the investigation results, a novel approach to training the model is proposed, using adversarial neighbors by leveraging structured signals in addition to feature inputs. The signal structure is implicitly induced by adversarial perturbation, by taking a small amount of carefully designed perturbation. Based on the reverse gradient direction and applying that perturbation to the original sample, a structure connecting the sample with its adversarial neighbors is obtained. On the other hand, the attention model has become an integral part of DL, leading to impressive performance in image classification of DR [31], [32] and captioning. Furthermore, attention performance has been improved by MHA [33], which is appealing for its ability to receive knowledge from various representation subspaces at multiple locations simultaneously. In this paper, the proposed model incorporates MHA, which executes attention functions on distinct representation subspaces of the input sequence. As a result, multiple attention heads can collect different aspects of the input. Incorporating MHA mechanisms with structure signals [34] boosts the performance of the proposed models and shows promising results.
The primary contributions of this work are summarized as follows:
• A literature review and comparative study of existing methods to reduce the vulnerability of CNN models to adversarial attacks.
• The evaluation and analysis of the vulnerability of the MobileNet model with regard to adversarial attacks on DR images.
• The proposal of a novel defensive model (NSL-MHA-CNN) against adversarial attacks with NSL and MHA, which preserves accurate DR prediction results.
• The examination of the novel methodology, its evaluation against different state-of-the-art techniques, and the verification of its effectiveness.
The remainder of the article is structured as follows: Section II reviews related work on adversarial examples; Section III presents the materials and methods used for the base model; Section IV explains our attack experiments under different attack scenarios and describes the proposed methods for defending against adversarial vulnerability. Section V contains some results and discussion. Section VI summarizes this paper and provides further perspectives.

II. RELATED WORK
This section includes a review of existing work on adversarial attack methods on medical and non-medical images, meanwhile, with an inspection of important medical image analysis tasks where adversarial attacks present a major vulnerability and security challenge.
The authors in [35] studied the vulnerability of the VGG16 model on medical images, including CT scans, mammography and MRI images, and on non-medical images using the MNIST and CIFAR-10 datasets. First, the paper examined the sensitivity of the VGG16 model across three methods (FGSM, PGD and BIM attacks) with different perturbations, in order to maximize classifier error while minimizing the perturbation. The study shows that medical images were more susceptible to adversarial perturbation; thus the accuracy of the model on CT, mammogram and MRI images drops using the FGSM attack with a maximum perturbation size of 0.004. The study introduced some approach to defend the vulnerability by using adversarial training, with the same FGSM configuration accuracy of model on CT, mammogram and MRI images; nevertheless, the study concluded that the approach has limited effectiveness against adversarial attacks on medical images. The detailed accuracies reached in the paper are presented in Table 1.
In the black-box attack scenario, more recent work [36] suggests a genetic method for creating adversarial samples without access to the model's weights. The study aims to investigate the vulnerability of several ML models, such as CNN, MLP, SVM and others, to adversarial examples, using the Keras library with the MNIST dataset and the DEAP library to implement genetic algorithms. The experiment revealed that most models, whether deep or shallow, are affected by vulnerabilities to adversarial attacks that are likely to be shared by several other models.
In [37], the authors investigate the vulnerability of different DNN models on three medical image classification tasks (skin cancer, referable diabetic retinopathy and pneumonia classification), using various model architectures (VGG16, VGG19, ResNet50, Inception ResNetV2, DenseNet 121, and DenseNet 169) with universal adversarial perturbations (UAPs), with and without a target. In order to evaluate the vulnerability of the DNNs, the Inception v3 model is used for skin lesion, OCT and chest X-ray images. The fooling rate (Rf) and success rate (Rs) metrics are used with perturbation (p) equal to 2.
To improve the resilience of the DNN against any attack, the paper proposed adversarial retraining with fine-tuning. However, the impact was limited to non-target UAPs, and while the target UAP's vulnerability was mitigated, it was not completely avoided. Unfortunately, adversarial retraining requires expensive calculations.
The authors in [38] present a medical adversarial attack approach based on three oncology medical image tasks: diabetic retinopathy grading, artifact detection, and lung segmentation. To classify fundus images, they used ResNet-50 integrated with a graph convolutional network, and U-Net for segmentation. With the aim of improving the attack performance of the deviation loss, the suggested Stabilized Medical Image Attack (SMIA) incorporates a stabilization loss term.
Much research has addressed the security of DL models; however, few studies have evaluated the strength of CNN models used in medical tasks. For that reason, the present paper proposes the NSL-MHA-CNN approach and evaluates it in terms of complexity, light weight and accuracy against adversarial attack.

III. MATERIALS AND METHODS
This section will showcase several strategies and datasets used to accomplish diabetic retinopathy classification using a CNN model in the setting of an adversarial attack.

A. DATASET
There are 207.130 OCT images divided into two sets: 42823 training images collected from 4.686 patients, and 1.000 testing images collected from 633 patients (250 images from each category) [4]. Fig. 1 shows the various DR conditions recorded in OCT images and classified.

B. CONVOLUTIONAL NEURAL NETWORK (CNN)
Convolutional Neural Networks (CNNs) are similar to regular neural networks; they are most typically used to analyze visual data, for tasks such as handwriting recognition [28] and classification [29], with specific convolution and pooling operations for automated feature recognition and extraction.

C. NETWORK IN NETWORK
An increasing number of parameters and feature maps in deep CNN models results in a performance reduction. To address this issue, a Network-in-Network approach was presented in [30] to minimize dimensionality and the number of feature maps.
Inception is one of the network architectures which employs this technique [31].

D. FINE TUNING
In general, fine-tuning means making minor changes to a process in order to get high performance with the desired output [32]. Training a neural network from scratch is time- and resource-consuming; with insufficient data, the fine-tuning method can be an effective solution, since most of the data can be integrated from previous models. With fine-tuning, knowledge transfer is not restricted to retraining the classifier stage (the fully connected layers); the feature extraction stage (the convolutional and pooling layers) can be retrained as well.

E. MobileNet ARCHITECTURE
To minimize the number of parameters in CNN models built for mobile and embedded vision applications, depth wise convolution and pointwise convolution are used to construct the MobileNet CNN.

F. FAST GRADIENT SIGN METHOD (FGSM)
The Fast Gradient Sign Method (FGSM) is a simple algorithm for generating adversarial images, proposed in [16] to enhance a neural network's robustness against input perturbation. The goal is to determine the amount that each pixel in the image contributes to the loss value and to add appropriate perturbations in order to create a new image, called the adversarial image, which maximizes the loss. The fast gradient sign method will be given by: where:

G. NEURAL STRUCTURE LEARNING NSL
The consistent development achieved in the field of computer vision has resulted in some spectacular accomplishments across several disciplines. Despite these accomplishments, multiple studies have shown how sensitive these models are to even imperceptibly small changes introduced during the collection of input data, as a result of camera misalignment, vibration or out-of-sample examples that can mislead the models. In order to overcome those problems and generally harden models against corrupted and perturbed data, a form of neural structure learning called adversarial regularization has been adopted [38]. Structure is formed dynamically by creating adversarial neighbors that represent the similarity among all the images. The adversarial neighbors are generated [39] by taking a small amount of designed perturbation based on the reverse gradient direction and applying that perturbation to the original sample.
After the adversarial neighbor sample is generated, an edge is added to connect the sample with its adversarial neighbor to dynamically construct the structure in order to be used in the neural network. The neural network learns to maintain a structure by keeping the similarity between a sample and its neighbors and won't be confused by the small perturbation.
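An added example, not code from the paper: the FGSM step and adversarial-neighbor regularization described above, applied to a logistic-regression stand-in for the CNN, followed by an accuracy-versus-epsilon sweep of the kind used to evaluate robustness. The model, the constructed data, the loss form CE(x) + alpha * CE(x_adv), and the values of `alpha` and `eps` are all assumptions made for illustration.

```python
import math
import random

def predict(w, b, x):
    # Probability of class 1 from a logistic-regression stand-in for the CNN.
    return 1.0 / (1.0 + math.exp(-(sum(wi * xi for wi, xi in zip(w, x)) + b)))

def sign(v):
    return (v > 0) - (v < 0)

def fgsm(w, b, x, y, eps):
    # For cross-entropy loss, d(loss)/dx = (p - y) * w. FGSM moves every
    # feature by eps in the sign of that gradient, so |x_adv - x| <= eps.
    err = predict(w, b, x) - y
    return [xi + eps * sign(err * wi) for xi, wi in zip(x, w)]

def train(data, eps=0.0, alpha=0.0, epochs=200, lr=0.1):
    # alpha = 0: plain training. alpha > 0: each step also adds the loss on
    # the sample's adversarial neighbor, regenerated from the current weights
    # (loss = CE(x) + alpha * CE(x_adv); this form is an assumption).
    dim, n = len(data[0][0]), len(data)
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * dim, 0.0
        for x, y in data:
            terms = [(x, 1.0)]
            if alpha > 0:
                terms.append((fgsm(w, b, x, y, eps), alpha))
            for xs, weight in terms:
                err = weight * (predict(w, b, xs) - y)
                gw = [g + err * xi for g, xi in zip(gw, xs)]
                gb += err
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
        b -= lr * gb / n
    return w, b

def accuracy_under_fgsm(w, b, data, eps):
    # Fraction still classified correctly after an FGSM step of size eps.
    hits = 0
    for x, y in data:
        hits += int((predict(w, b, fgsm(w, b, x, y, eps)) >= 0.5) == (y == 1))
    return hits / len(data)

def make_data(n=200, seed=7):
    # Constructed two-feature, two-class data (not OCT images).
    rng = random.Random(seed)
    data = []
    for i in range(n):
        y = i % 2
        c = 1.0 if y else -1.0
        data.append(([rng.gauss(c, 1.0), rng.gauss(0.3 * c, 0.3)], y))
    return data

def sweep(eps_values=(0.0, 0.1, 0.3, 0.5)):
    # Accuracy versus epsilon for the plain and the regularized model.
    data = make_data()
    base = train(data)
    robust = train(data, eps=0.3, alpha=1.0)
    return {name: [accuracy_under_fgsm(w, b, data, e) for e in eps_values]
            for name, (w, b) in (("base", base), ("robust", robust))}

if __name__ == "__main__":
    for name, accs in sweep().items():
        print(name, accs)
```

For a linear model the FGSM step is the exact worst case within the epsilon bound, so each accuracy list can only fall or stay level as epsilon grows.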

H. MULTI-HEAD ATTENTION MECHANISM
Attention mechanisms have recently contributed to impressive results in the area of deep learning. They were initially developed for end-to-end machine translation applications [40], [41] using recurrent neural networks (RNNs), and for image captioning and speech recognition tasks.
Attention is a powerful method that can help models achieve better classification results by selecting essential features. Recently, attention performance has been further improved by the multi-head mechanism [33]; current studies show that MHA is more effective than the single attention function [42], owing to its capacity to jointly receive information from several representation subspaces in an effort to obtain a strong feature representation.

IV. PROPOSED ARCHITECTURE
The suggested attack architecture for both base model and NSL-MHA-CNN model are described in this section, as well as the suggested defensive architecture for enhancing security and defense against adversarial attacks.

B. AN OVERALL VIEW OF THE PROPOSED ARCHITECTURE
In this section, the approach to defending against adversarial attack is presented by detailing the different components for robust DR prediction. Fine-tuning (FT) is a process that aims to update the weights of a previously trained model so that it is correctly retrained for a specific task, here the prediction of DR. The CNN architecture employed for DR classification, denoted the NSL-MHA-CNN model, is a novel approach based on a modification of the MobileNet architecture with fine-tuning, combined with a neural structure signal and a Multi-Head Attention mechanism.
The last fully connected layer was replaced with a Multi-Head Attention layer, combined with end-to-end training with the form of neural structure learning called adversarial regularization, which forms structure dynamically by creating adversarial neighbors. In this manner, the NSL-MHA-CNN model has 6.555.478 trainable parameters.

A. METRICS FOR PERFORMANCE EVALUATION
The measures most frequently used to assess CNN performance were identified: the main ones included in the evaluation are accuracy, precision and recall, in addition to the confusion matrix and ROC (Receiver Operating Curve), to provide a helpful evaluation of the model's classification performance.

1) ROC (RECEIVER OPERATING CURVE)
The ability to distinguish between classes is one of the statistical measures used to evaluate model performance. The Area Under Curve (AUC) of an optimal classifier is close to 1; if it is close to 0.5, the result is equivalent to random guessing [43].

2) CONFUSION MATRIX
The confusion matrix is a well-known way of visualizing the performance of a prediction model, used for binary as well as multiclass classification problems. It presents very simple, yet efficient, performance measures [44].

B. EXPERIMENTAL RESULTS

1) BASE MODEL TRAINING
After training the base model as shown in Fig 10 and Fig 11, the model reaches optimal performance within 8 epochs.

2) NSL-MHA-CNN TRAINING
After training our NSL-MHA-CNN architecture with end-to-end training with Adversarial loss as shown in Fig 12.

3) PERFORMANCE EVALUATION WITHOUT ATTACK

a: BASE MODEL
The performance evaluation of the base model is described in Section 3.1. To present more about the model's efficiency and performance, the testing scores are presented in Table 6, and the confusion matrix and ROC curve are used. The accuracy achieved by the base model reaches 99%, and as shown in Fig 14, the DME class obtains the highest ROC (area = 1).
Fig.14 presents evaluation results with regard to Receiver Operating Characteristic performance for the testing DR dataset.

b: NSL-MHA-CNN MODEL
The NSL-MHA-CNN model was tested using the testing set with the same configuration as before; Table 7 summarizes the performance metrics. Fig. 15 shows the results of the four-class predictions in the confusion matrix of the test DR dataset.
NSL-MHA-CNN attained 99% accuracy, and as shown in Fig.16 the classes DME, DRUSEN and NORMAL achieved 100% area under curve.

4) PERFORMANCE EVALUATION WITH ATTACK

a: BASE MODEL
This part highlights the base model's vulnerability and the way this model may easily be misled by an FGSM attack.

1) Example of attack with perturbation epsilon (ε = 0.01)

2) Overview of attack with different perturbation
The performance of the base model was investigated under different perturbations. In order to emphasize the vulnerability of the base model to adversarial attack, the performance metric was calculated by taking the average performance over the four classes CNV, DME, DRUSEN and NORMAL. From Table 9 and Fig. 19, it can be deduced that as the perturbation increases, the performance consistently decreases. Accuracy and F1-score drop from 0.99 to 0.84 respectively with only a small perturbation of epsilon = 0.01; this performance drop indicates the effectiveness of the approach advanced in this paper in highlighting the vulnerability of the base model.

2) Overview of the attack with different perturbations values
Based on this view, it can be observed that incorporating NSL with MHA can help improve the robustness of a CNN model against adversarial attack. In particular, it can also be noticed that even if perturbation values increase, the performance metrics are still higher, and that may result in improved generalization, as evidenced by increased test set accuracy. performance between base model and proposed model. According to the experiments, the approach suggested in this paper shows promising results against adversarial attack and achieves stable performance with different epsilon perturbations.

6) THE EXECUTION TIME RESULTS
Training a CNN on a large DR image is a challenging and expensive task that can take many hours to days to complete. Both the quality of the training data and the choice of the algorithm are central to the model training phase. Table 12 presents the runtimes and time by epoch for both base model and our NSL-MHA-CNN model.
As shown in Table 12, the training time of NSL-MHA-CNN increased. This is due to the Adam optimizer, which optimizes each independent variable in the objective function, each with its own learning rate: in the case of NSL, four variables (Accuracy, Loss, Adversarial loss and Cross Entropy) instead of the two variables in the base model (accuracy and loss).

7) DISCUSSION
A novel CAD system for robust diabetic retinopathy detection based on the NSL and MHA approach is proposed in this research. The goal is to investigate the vulnerability of the base model, especially in medical image tasks, by using different attack perturbations. Based on those investigations, an NSL-MHA-CNN model is proposed, and a comparison of its performance with the base model is conducted.
To support this study, a further comparison with state-of-the-art work is presented in Table 13.
Although the results of this paper seem promising, there have been many challenges, such as the lack of studies on vulnerability in medical CNNs, especially in DR prediction, as well as the computational complexity of training different models with cloud GPUs, which is expensive. Further investigation of the NSL-MHA-CNN model in the IoT environment will be considered in future work.

VI. CONCLUSION AND PERSPECTIVES
Machine Learning security is one of the most-debated academic areas, as it continues to generate a number of security concerns. This motivated the evaluation and analysis of the vulnerability of the MobileNet model with regard to adversarial attacks on DR images. Considering that the base model cannot defend against adversarial attack, the experiments presented in the paper show that indiscernible degrees of perturbation ε < 0.01 were sufficient to cause a task failure, resulting in misclassification the majority of the time.
This paper proposes a novel NSL-MHA-CNN DR classification model by introducing neural structure learning with multi-head attention; the strategy is to fine-tune MobileNet with multi-head attention and end-to-end neural structure learning. The FGSM attack is used to demonstrate the efficacy of the suggested solution against adversarial attack. The proposed models show promising results by achieving 98% accuracy with 0.05 epsilon perturbation. With this proposed novel approach, it is possible to maintain the model performance under adversarial attack without increasing the cost of training. Hopefully, this work will give a complete technique for constructing safe, resilient and private CNN systems.