Brain Tumor Classifiers Under Attack: Robustness of ResNet Variants Against Transferable FGSM and PGD Attacks

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Adversarial robustness in deep learning models for brain tumor classification remains an underexplored yet critical challenge, particularly for clinical deployment scenarios involving MRI data. In this work, we investigate the susceptibility and resilience of several ResNet-based architectures, referred to as BrainNet, BrainNeXt and DilationNet, against gradient-based adversarial attacks, namely FGSM and PGD. These models, based on ResNet, ResNeXt, and dilated ResNet variants respectively, are evaluated across three preprocessing configurations: (i) full-sized augmented, (ii) shrunk augmented and (iii) shrunk non-augmented MRI datasets. Our experiments reveal that BrainNeXt models exhibit the highest robustness to black-box attacks, likely due to their increased cardinality, though they produce weaker transferable adversarial samples. In contrast, BrainNet and Dilation models are more vulnerable to attacks from each other, especially under PGD with higher iteration steps and $α$ values. Notably, shrunk and non-augmented data significantly reduce model resilience, even when the untampered test accuracy remains high, highlighting a key trade-off between input resolution and adversarial vulnerability. These results underscore the importance of jointly evaluating classification performance and adversarial robustness for reliable real-world deployment in brain MRI analysis.


💡 Research Summary

This paper investigates the adversarial robustness of three deep‑learning architectures for brain‑tumor classification on MRI scans: BrainNet (a ResNet‑101‑based model), BrainNeXt (ResNeXt‑50/101/152 variants), and DilationNet (ResNet with dilated convolutions). All models were trained on the same publicly available dataset of 4,023 colored MRI images covering glioma, meningioma, and pituitary tumors. The authors evaluated three preprocessing pipelines: (i) full‑size (512 × 512) images with data augmentation, (ii) shrunk (160 × 160) images with augmentation, and (iii) shrunk images without augmentation. Training used identical hyper‑parameters (learning rate = 1e‑4, batch size = 10, Adam optimizer, up to 150 epochs, early stopping after 6 stagnant epochs to avoid over‑fitting) and was performed on an RTX 4090 GPU.

Adversarial attacks were limited to two widely used gradient‑based methods: Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD). For FGSM, epsilon values of 0.02, 0.03, 0.04, and 0.05 were tested. PGD employed the same epsilon range with two step‑size strategies (α = ε/4 and α = ε/iterations) and up to 40 iterations. The threat model assumes a black‑box scenario: adversarial examples are generated on a surrogate model and then transferred to the target model without any knowledge of its architecture or parameters.
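The transfer evaluation described above, as an added sketch that is not the paper's code: FGSM and PGD with both step-size schedules (α = ε/4 and α = ε/iterations) are crafted on a surrogate only, and the perturbed input is then scored on a separate target. The two logistic models, their weights and the input are constructed stand-ins for the surrogate and target networks; because the surrogate here is linear, all three attacks end at the same corner of the ε-ball, which is not true of deep networks.

```python
import math

# Constructed stand-ins for the surrogate and target classifiers: two logistic
# models (weights, bias) over 4 "pixels" in [0, 1]. Not the paper's networks.
SURROGATE = ([2.0, -1.0, 0.5, 0.0], 0.0)
TARGET = ([1.5, -0.5, -1.0, 1.0], 0.0)
X, Y = [0.5, 0.5, 0.5, 0.5], 1          # constructed clean input and true label

def logit(w, b, x):
    return sum(wi * xi for wi, xi in zip(w, x)) + b

def input_grad(w, b, x, y):
    """Gradient of the logistic loss with respect to the input x."""
    p = 1.0 / (1.0 + math.exp(-logit(w, b, x)))
    return [(p - y) * wi for wi in w]

def sign(v):
    return (v > 0) - (v < 0)

def project(x_adv, x, eps):
    """Clip into the L-inf ball of radius eps around x, then into [0, 1]."""
    return [min(max(a, xi - eps, 0.0), xi + eps, 1.0) for a, xi in zip(x_adv, x)]

def fgsm(w, b, x, y, eps):
    """Single signed-gradient step of size eps."""
    g = input_grad(w, b, x, y)
    return project([xi + eps * sign(gi) for xi, gi in zip(x, g)], x, eps)

def pgd(w, b, x, y, eps, alpha, iterations):
    """Repeated steps of size alpha, projected back after every step."""
    x_adv = list(x)
    for _ in range(iterations):
        g = input_grad(w, b, x_adv, y)
        x_adv = project([a + alpha * sign(gi) for a, gi in zip(x_adv, g)], x, eps)
    return x_adv

def transfer_report(eps=0.05, iterations=40):
    """Craft on SURROGATE only, then measure the logit drop on both models."""
    w, b = SURROGATE
    crafted = {"fgsm": fgsm(w, b, X, Y, eps),
               "pgd a=eps/4": pgd(w, b, X, Y, eps, eps / 4, iterations),
               "pgd a=eps/iters": pgd(w, b, X, Y, eps, eps / iterations, iterations)}
    return {name: {"linf": max(abs(a - xi) for a, xi in zip(adv, X)),
                   "surrogate_drop": logit(w, b, X) - logit(w, b, adv),
                   "target_drop": logit(*TARGET, X) - logit(*TARGET, adv)}
            for name, adv in crafted.items()}

if __name__ == "__main__":
    for name, row in transfer_report().items():
        print(name, {k: round(v, 4) for k, v in row.items()})
```

The gap between `surrogate_drop` and `target_drop` is the quantity a transfer study measures: the same ε-bounded perturbation costs the model it was crafted on more than the model it is transferred to.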

Key findings include:

  1. Baseline performance – With full‑size augmented data, all models achieve >92 % clean test accuracy. Shrunk or non‑augmented data reduces accuracy modestly to ~88 %.
  2. White‑box attack impact – FGSM with ε = 0.04 drops accuracy to below 30 % for all models; PGD with the same ε and 30 iterations reduces accuracy to under 10 %.
  3. Transferability – BrainNet and DilationNet exhibit the highest cross‑model transfer success (≈70 % of adversarial examples generated on one cause misclassification on the other). This is attributed to their similar residual‑block structures and shared ImageNet pre‑training. BrainNeXt shows markedly lower transferability (≈40 % or less) because its increased cardinality distributes gradient information across parallel paths, making the perturbations less effective on other architectures.
  4. Effect of preprocessing – Shrinking the input resolution and removing augmentation dramatically increases vulnerability. Even with modest ε values, the reduced spatial granularity amplifies the perceptual impact of perturbations, leading to >85 % transfer success across all model pairs under strong PGD settings.
  5. Model complexity vs. robustness – Despite differences in parameter count and training time (all models train within ~15 minutes and infer in ~3 seconds), robustness differences are primarily driven by architectural design (cardinality vs. dilation) and data preprocessing rather than raw computational cost.

The authors conclude that (a) ResNeXt‑based models (BrainNeXt) provide superior black‑box robustness at the cost of weaker transferable attacks, (b) ResNet‑based models are mutually vulnerable, especially when dilated convolutions are added, and (c) high‑resolution, augmented training data is essential for mitigating adversarial risk in clinical settings. These insights highlight the necessity of jointly evaluating classification accuracy and adversarial resilience when deploying AI systems for medical imaging.

