Adversarial Attacks on Hybrid Attention Integrated Transfer Learning for Lung Cancer CT Classification
Article Sidebar
Main Article Content
Abstract
Deep learning–based classification of lung cancer from CT images can achieve high accuracy but is vulnerable to adversarial attacks that introduce imperceptible perturbations, potentially leading to misdiagnoses. Paying attention to neural networks in transfer learning could improve both the effectiveness and resistance to change. In this paper, we propose a hybrid framework that combines a MobileNetV2 backbone with channel–spatial attention modules and white‑box adversarial testing via the fast‑focused gradient sign method (FFGSM) and projected gradient descent under an L₂ norm constraint (PGDL₂). The model was trained end‑to‑end on a stratified CT dataset of 3,451 images (normal, benign, malignant) with adversarial examples injected during training (ε=4/255; PGDL₂: α=1/255, 7 steps). The evaluation of the performance was based on accuracy and precision, recall, the F1- score and the reduction in model performance due to adversarial attacks. For clean inputs, the attention‑augmented model achieved 86% accuracy (FFGSM) and 95% accuracy (PGDL₂), with balanced F1‑scores >0.90 across classes. Under adversarial attack, the accuracy decreases to 78% (FFGSM) and 86% (PGDL₂), indicating a smaller robustness drop for PGDL₂‑augmented training. Having attention modules in the model significantly enhanced the ability to discern features, saving up to 9% in performance compared with the models without attention. These methods made it clear that the model was more focused on clinically important parts. Incorporating hybrid channel–spatial attention into transfer‑learning pipelines substantially improve the accuracy and resilience of lung cancer CT classification to strong adversarial attacks. The results of our study can help guide the development of strong AI tools for examining medical images.
Article Details
Issue
Section
This work is licensed under a Creative Commons Attribution 4.0 International License.
How to Cite
References
[1] M. A. Thanoon et al., “A review of deep learning techniques for lung cancer screening and diagnosis based on CT images,” Diagnostics, vol. 13, no. 16, art. 2617, 2023.
[2] M. Rawashdeh, M. A. Obaidat, M. Abouali, D. E. Salhi, and K. Thakur, “An effective lung cancer diagnosis model using pre-trained CNNs,” C. – Comput. Model. Eng. Sci., vol. 143, no. 1, pp. 1129–1155, 2025, doi: 10.32604/cmes.2025.063765.
[3] I. S. Ahmad, J. Dai, Y. Xie, and X. Liang, “Deep learning models for CT image classification: a comprehensive literature review,” Quant. Imaging Med. Surg., 2024. [Online]. Available: https://qims.amegroups.org/article/view/132929
[4] H. E. Kim, A. Cosa-Linan, N. Santhanam, M. Jannesari, M. E. Maros, and T. Ganslandt, “Transfer learning for medical image classification: a literature review,” BMC Med. Imaging, vol. 22, no. 1, p. 69, 2022, doi: 10.1186/s12880-022-00793-7.
[5] H. Liang, M. Hu, Y. Ma, L. Yang, J. Chen, L. Lou, C. Chen, and Y. Xiao, “Performance of deep-learning solutions on lung nodule malignancy classification: a systematic review,” Life (Basel), vol. 13, no. 9, p. 1911, Sep. 14, 2023, doi: 10.3390/life13091911.
[6] R. Schäfer et al., “Overcoming data scarcity in biomedical imaging with a foundational multi-task model,” Nat. Comput. Sci., vol. 4, pp. 495–509, 2024.
[7] S. Soffer, A. Ben-Cohen, O. Shimon, M. M. Amitai, H. Greenspan, and E. Klang, “Convolutional neural networks for radiologic images: A radiologist’s guide,” Radiology, vol. 290, no. 3, pp. 590–606, 2019.
[8] A. Esteva, A. Robicquet, B. Ramsundar, V. Kuleshov, M. DePristo, K. Chou, et al., “A guide to deep learning in healthcare,” Nat. Med., vol. 25, no. 1, pp. 24–29, 2019.
[9] V. Sorin, Y. Barash, E. Konen, and E. Klang, “Creating artificial images for radiology applications using generative adversarial networks (GANs) – a systematic review,” Acad. Radiol., vol. 27, no. 8, pp. 1175–1185, 2020.
[10] Y. A. Hamad, J. Kadum, A. A. Rashid, A. H. Mohsen, and A. Safonova, “A deep learning model for segmentation of COVID-19 infections using CT scans,” in AIP Conf. Proc., vol. 2398, no. 1, art. no. 050005, Dec. 2022, doi: 10.1063/5.0093739.
[11] B. T. Al-Nuaimi, R. A. Suhail, S. A. Abbas, and E.-S. M. El-Kenawy, “Adaptive feature selection based on machine learning algorithms for lung tumors diagnosis and the COVID-19 index,” J. Intell. Syst. Internet Things, vol. 11, no. 2, pp. 42–51, 2024, doi: 10.54216/JISIoT.110204.
[12] E. Klang, “Deep learning and medical imaging,” J. Thorac. Dis., vol. 10, no. 3, pp. 1325–1328, 2018.
[13] M. D. McCradden, E. A. Stephenson, and J. A. Anderson, “Clinical research underlies ethical integration of healthcare artificial intelligence,” Nat. Med., vol. 26, no. 9, pp. 1325–1326, 2020.
[14] X. Liu, S. Cruz Rivera, D. Moher, M. J. Calvert, A. K. Denniston, A.-W. Chan, et al., “Reporting guidelines for clinical trial reports for interventions involving artificial intelligence: the CONSORT-AI extension,” Nat. Med., vol. 26, no. 9, pp. 1364–1374, 2020.
[15] N. Bhatia, H. Trivedi, N. Safdar, and M. E. Heilbrun, “Artificial intelligence in quality improvement: reviewing uses of artificial intelligence in noninterpretative processes from clinical decision support to education and feedback,” J. Am. Coll. Radiol., vol. 17, no. 11, pp. 1382–1387, 2020.
[16] I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” arXiv preprint arXiv:1412.6572, 2014. [Online]. Available: http://arxiv.org/abs/1412.6572
[17] B. Biggio and F. Roli, “Wild patterns: Ten years after the rise of adversarial machine learning,” Pattern Recogn., vol. 84, pp. 317–331, 2018.
[18] B. Badjie, J. Cecilio, and A. Casimiro, “Adversarial attacks and countermeasures on image classification-based deep learning models in autonomous driving systems: A systematic review,” ACM Comput. Surv., vol. 57, no. 1, Oct. 2024, doi: 10.1145/3691625.
[19] Y. L. Khaleel, M. A. Habeeb, and H. Alnabulsi, “Adversarial attacks in machine learning: Key insights and defense approaches,” Applied Data Science and Analysis, vol. 2024, pp. 121–147, Aug. 2024, doi: 10.58496/ADSA/2024/011.
[20] M. Macas, C. Wu, and W. Fuertes, “Adversarial examples: A survey of attacks and defenses in deep learning-enabled cybersecurity systems,” Expert Syst. Appl., vol. 238, p. 122223, 2024, doi: 10.1016/j.eswa.2023.122223.
[21] E. Wong, L. Rice, and J. Z. Kolter, “Fast is better than free: Revisiting adversarial training,” in Proc. Int. Conf. Learn. Represent. (ICLR), 2020.
[22] A. Chakraborty, M. Alam, V. Dey, A. Chattopadhyay, and D. Mukhopadhyay, “Adversarial attacks and defences: A survey,” CoRR, vol. abs/1810.0, 2018. [Online]. Available: http://arxiv.org/abs/1810.00069
[23] F. Croce and M. Hein, “Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks,” CoRR, vol. abs/2003.01690, 2020. [Online]. Available: https://arxiv.org/abs/2003.01690
[24] N. Carlini and D. Wagner, “Towards evaluating the robustness of neural networks,” in 2017 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 2017, pp. 39–57, doi: 10.1109/SP.2017.49.
[25] G. Papanastasiou et al., “Is attention all you need in medical image analysis? A review,” arXiv, Jul. 2023. [Online]. Available: https://arxiv.org
[26] R. Gu et al., “CA-Net: Comprehensive attention convolutional neural networks for explainable medical image segmentation,” IEEE Trans. Med. Imaging, vol. 40, no. 2, pp. 699–711, Feb. 2021, doi: 10.1109/TMI.2020.3035253.
[27] C. Hu, N. Cao, H. Zhou, and B. Guo, “Medical image classification with a hybrid SSM model based on CNN and Transformer,” Electronics, vol. 13, no. 15, 2024, doi: 10.3390/electronics13153094.
[28] O. Bin Naeem and Y. Saleem, “CSA-Net: Channel and spatial attention-based network for mammogram and ultrasound image classification,” J. Imaging, vol. 10, no. 10, 2024, doi: 10.3390/jimaging10100256.
[29] V. Kumar, C. Prabha, P. Sharma, et al., “Unified deep learning models for enhanced lung cancer prediction with ResNet-50–101 and EfficientNet-B3 using DICOM images,” BMC Med. Imaging, vol. 24, no. 63, 2024. [Online]. Available: https://doi.org/10.1186/s12880-024-01241-4
[30] P. M. Bruntha, S. I. A. Pandian, J. Anitha, S. S. Abraham, and S. N. Kumar, “A novel hybridized feature extraction approach for lung nodule classification based on transfer learning technique,” J. Med. Phys., vol. 47, no. 1, pp. 1–9, Jan.–Mar. 2022, doi: 10.4103/jmp.jmp_61_21.
[31] M. Romero, Y. Interian, T. Solberg, and G. Valdes, “Targeted transfer learning to improve performance in small medical physics datasets,” Med. Phys., vol. 47, no. 12, pp. 6246–6256, Dec. 2020, doi: 10.1002/mp.14507.
[32] M. Hammad, M. ElAffendi, A. A. A. El-Latif, et al., “Explainable AI for lung cancer detection via a custom CNN on CT images,” Sci. Rep., vol. 15, p. 12707, 2025, doi: 10.1038/s41598-025-97645-5.
[33] S. Woo, J. Park, J.-Y. Lee, and I. S. Kweon, “CBAM: Convolutional block attention module,” 2018. [Online]. Available: https://arxiv.org/abs/1807.06521
[34] C. B. Vanaja and P. Prakasam, “Convolutional block attention gate-based U-Net framework for microaneurysm segmentation using retinal fundus images,” BMC Med. Imaging, vol. 25, p. 83, 2025, doi: 10.1186/s12880-025-01625-0.
[35] Z. UrRehman, Y. Qiang, L. Wang, Y. Shi, Q. Yang, S. U. Khattak, R. Aftab, and J. Zhao, “Effective lung nodule detection using deep CNN with dual attention mechanisms,” Sci. Rep., vol. 14, no. 1, p. 3934, Feb. 2024, doi: 10.1038/s41598-024-51833-x.
[36] J. Zhao, L. Xie, S. Gu, et al., “Universal attention guided adversarial defense using feature pyramid and non-local mechanisms,” Sci. Rep., vol. 15, p. 5237, 2025, doi: 10.1038/s41598-025-89267-8.
[37] R. Paul, M. Schabath, R. Gillies, L. Hall, and D. Goldgof, “Mitigating adversarial attacks on medical image understanding systems,” in 2020 IEEE 17th International Symposium on Biomedical Imaging (ISBI), 2020, pp. 1517–1521.
[38] M. Z. Joel, S. Umrao, E. Chang, R. Choi, D. X. Yang, J. S. Duncan, A. Omuro, R. Herbst, H. M. Krumholz, and S. Aneja, “Using adversarial images to assess the robustness of deep learning models trained on diagnostic images in oncology,” JCO Clin. Cancer Inform., vol. 6, p. e2100170, Feb. 2022, doi: 10.1200/CCI.21.00170.
[39] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. J. Goodfellow, and R. Fergus, “Intriguing properties of neural networks,” in Proc. Int. Conf. Learn. Represent. (ICLR), Banff, AB, Canada, Apr. 14–16, 2014.
[40] I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” in Proc. IEEE Conf. Comput. Vis. Pattern Recognit. (CVPR), Boston, MA, USA, Jun. 7–12, 2015.
[41] J. Su, D. V. Vargas, and K. Sakurai, “One-pixel attack for fooling deep neural networks,” IEEE Trans. Evol. Comput., vol. 23, pp. 828–841, 2019.
[42] D. V. Vargas and J. Su, “Understanding the one-pixel attack: propagation maps and locality analysis,” in CEUR Workshop Proc., vol. 2640, 2020.
[43] H. Javed, S. El-Sappagh, and T. Abuhmed, “Robustness in deep learning models for medical diagnostics: security and adversarial challenges towards robust AI applications,” Artif. Intell. Rev., vol. 58, p. 12, 2025, doi: 10.1007/s10462-024-11005-9.
[44] N. E. H. Sayah Ben Aissa, A. Korichi, A. Lakas, C. A. Kerrache, and C. T. Calafate, “Assessing robustness to adversarial attacks in attention-based networks: Case of EEG-based motor imagery classification,” SLAS Technol., vol. 29, no. 4, p. 100142, 2024, doi: 10.1016/j.slast.2024.100142.
[45] alyasriy, hamdalla, and Muayed AL-Huseiny, “The IQ-OTHNCCD lung cancer dataset,” Mendeley Data, v2, 2021, doi: 10.17632/bhmdr45bh2.2.
[46] S. Das, “IQ-OTH/NCCD Lung Cancer Dataset (Augmented),” Kaggle. [Online]. Available: https://www.kaggle.com/datasets/subhajeetdas/iq-othnccd-lung-cancer-dataset-augmented. [Accessed: May 08, 2025].