Vulnerability of Deep Transfer Learning Models to the Adversarial Fast Gradient Sign Attack for COVID-19 Prediction from Chest Radiography Images (Preprint)
BACKGROUND The COVID-19 pandemic requires quick isolation of infected patients, so the high sensitivity of radiology imaging could make it a key diagnostic technique alongside the PCR approach. Several studies have proposed pre-trained deep learning algorithms to detect COVID-19 symptoms, owing to their success in radiology image classification, their cost efficiency, the shortage of expert radiologists, and the need for faster processing during a pandemic. However, open-source models and parameters, data sharing to build large repositories for rare diseases, and the lack of variation in the radiology image-capturing environment make such diagnosis systems vulnerable to adversarial attacks such as those based on the Fast Gradient Sign Method (FGSM).

OBJECTIVE This study aims to explore the vulnerability of state-of-the-art deep transfer learning models for COVID-19 classification from chest radiography images to FGSM-based adversarial attacks.

METHODS First, we developed two transfer learning models for X-ray and CT image based COVID-19 classification from the frequently used VGG16 and InceptionV3 convolutional neural network architectures, and analyzed their performance extensively in terms of accuracy, precision, recall, and AUC. Second, we crafted the FGSM attack against these prediction models and visualized how varying the adversarial perturbation affects the visual perceptibility of the radiography images. Third, we quantified the performance drop of these models by computing the decrease in overall accuracy, the correct-classification probability score, and the total number of misclassified samples. The experiments were validated using publicly available COVID-19 patient data.

RESULTS We collected 268 publicly available, labeled X-ray images and 746 CT images. Before the attack, the transfer learning models reached above 95% accuracy, with F1 and AUC scores close to 1, for both X-ray and CT image based COVID-19 classification. Our study then shows that the FGSM attack can cause misclassification with very minor perturbations of 0.009 and 0.003 for X-ray and CT images, respectively, without any effect on the visual perceptibility of the images. In addition, we demonstrated that a successful FGSM attack can decrease accuracy by 16.67% and 55% for X-ray images and by 70% and 40% for CT images when classifying with VGG16 and InceptionV3, respectively. Finally, the correct-class probability of a test image was found to drop from 1 to 0.24 and 0.17 for the VGG16 model on X-ray and CT images, respectively.

CONCLUSIONS Frequently used chest radiology based COVID-19 detection models such as VGG16 and InceptionV3 can suffer significantly from the FGSM attack. Extensive analysis of probability scores, misclassifications, and the perturbation's effect on visual perception clearly illustrates this vulnerability. The InceptionV3 model is found to be more robust than VGG16, although FGSM can compromise both. Thus, despite the need for data sharing and automated diagnosis, the practical deployment of such systems demands greater robustness.
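
Note on the method: the abstract does not include code, so the following is a minimal sketch of the two core METHODS steps, a VGG16-based transfer learning classifier and the FGSM perturbation x_adv = x + epsilon * sign(dJ/dx), assuming a TensorFlow/Keras setup. The input size, classifier head, optimizer, binary class count, and [0, 1] pixel scaling are illustrative assumptions, not the authors' published implementation; InceptionV3 can be substituted for VGG16 in the same way.

    # Sketch only; model details are assumptions, not the paper's exact code.
    import tensorflow as tf
    from tensorflow.keras.applications import VGG16

    def build_transfer_model(num_classes=2, input_shape=(224, 224, 3)):
        """Transfer-learning classifier: frozen VGG16 base + small dense head."""
        base = VGG16(weights="imagenet", include_top=False, input_shape=input_shape)
        base.trainable = False  # keep ImageNet features fixed, train only the head
        model = tf.keras.Sequential([
            base,
            tf.keras.layers.GlobalAveragePooling2D(),
            tf.keras.layers.Dense(128, activation="relu"),   # head size is assumed
            tf.keras.layers.Dense(num_classes, activation="softmax"),
        ])
        model.compile(optimizer="adam",
                      loss="sparse_categorical_crossentropy",
                      metrics=["accuracy"])
        return model

    def fgsm_attack(model, images, labels, epsilon):
        """Fast Gradient Sign Method: x_adv = x + epsilon * sign(grad of loss w.r.t. x)."""
        images = tf.convert_to_tensor(images, dtype=tf.float32)
        loss_fn = tf.keras.losses.SparseCategoricalCrossentropy()
        with tf.GradientTape() as tape:
            tape.watch(images)                       # track gradients w.r.t. the input
            predictions = model(images)
            loss = loss_fn(labels, predictions)
        gradient = tape.gradient(loss, images)       # gradient of loss w.r.t. pixels
        adv_images = images + epsilon * tf.sign(gradient)
        return tf.clip_by_value(adv_images, 0.0, 1.0)  # keep pixels in valid range

    # Usage: the paper reports misclassification at epsilon = 0.009 (X-ray) and
    # 0.003 (CT); these values assume pixel intensities scaled to [0, 1].
    # x_adv = fgsm_attack(model, x_test, y_test, epsilon=0.009)

Because the sign of the gradient bounds every pixel change by epsilon, perturbations this small leave the radiograph visually unchanged while still crossing the model's decision boundary, which is exactly the effect the RESULTS section quantifies.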