Robustness of SEViT and MedViTV2 models under MI-FGSM attacks and the effect of adversarial training

Abstract

Although deep learning-based classification models in the field of medical imaging often achieve high accuracy rates, they still pose significant security risks in clinical applications. This indicates that such models remain vulnerable to adversarial attacks. This study systematically investigates the performance of SEViT and MedViTV2 models under the Momentum Iterative Fast Gradient Sign Method (MI-FGSM) attack and examines the change in the robustness of these models following MI-FGSM-based adversarial training. The experiments show that the SEViT model achieved an accuracy rate of 90.00% on clean data, while the MedViTV2 model achieved an accuracy rate of 86.76%. However, when the MI-FGSM attack was applied, the accuracy rates of both models dropped sharply, even decreasing to 0%, rendering them almost non-functional. This clearly demonstrates how vulnerable deep learning models trained with conventional methods are to iterative adversarial attacks. After adversarial training with MI-FGSM, the defended models were again subjected to the MI-FGSM attack. In this case, the robustness of both models increased significantly. The accuracy rate increased noticeably for both SEViT and MedViTV2 models. However, although a decrease in accuracy was observed as the epsilon value increased, there was not a dramatic collapse as seen in the undefended models. In particular, the SEViT model demonstrated higher performance than the MedViTV2 model under the MI-FGSM attack after adversarial training, with an accuracy of 81.33%. The findings obtained indicate that adversarial training is an effective method for enhancing the security and robustness of models such as SEViT and MedViTV2 for clinical applications.