ML Security PapersLayer-wise Noise Guided Selective Wavelet Reconstruction for Robust Medical Image Segmentation
Yuting Lu 1, Ziliang Wang 1, Weixin Xu 1, Wei Zhang 1, Yongqiang Zhao 2, Yang Yu 2, Xiaohong Zhang 2
Published on arXiv
2511.16162
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
LNG-SWR significantly reduces Dice/IoU performance drop under PGD-L∞/L₂ and SSAH attacks while maintaining clean accuracy, with additive gains when combined with adversarial training
LNG-SWR (Layer-wise Noise-Guided Selective Wavelet Reconstruction)
Novel technique introduced
Clinical deployment requires segmentation models to stay stable under distribution shifts and perturbations. The mainstream solution is adversarial training (AT) to improve robustness; however, AT often brings a clean--robustness trade-off and high training/tuning cost, which limits scalability and maintainability in medical imaging. We propose \emph{Layer-wise Noise-Guided Selective Wavelet Reconstruction (LNG-SWR)}. During training, we inject small, zero-mean noise at multiple layers to learn a frequency-bias prior that steers representations away from noise-sensitive directions. We then apply prior-guided selective wavelet reconstruction on the input/feature branch to achieve frequency adaptation: suppress noise-sensitive bands, enhance directional structures and shape cues, and stabilize boundary responses while maintaining spectral consistency. The framework is backbone-agnostic and adds low additional inference overhead. It can serve as a plug-in enhancement to AT and also improves robustness without AT. On CT and ultrasound datasets, under a unified protocol with PGD-$L_{\infty}/L_{2}$ and SSAH, LNG-SWR delivers consistent gains on clean Dice/IoU and significantly reduces the performance drop under strong attacks; combining LNG-SWR with AT yields additive gains. When combined with adversarial training, robustness improves further without sacrificing clean accuracy, indicating an engineering-friendly and scalable path to robust segmentation. These results indicate that LNG-SWR provides a simple, effective, and engineering-friendly path to robust medical image segmentation in both adversarial and standard training regimes.
Key Contributions
- Layer-wise noise injection during training to learn a frequency-bias prior that steers representations away from noise-sensitive directions
- Prior-guided selective wavelet reconstruction that suppresses noise-sensitive frequency bands and enhances structural/boundary cues
- Backbone-agnostic plug-in framework that complements adversarial training with additive robustness gains and reduced clean-robustness tradeoff
🛡️ Threat Analysis
Defends against adversarial perturbations (PGD-L∞/L₂, SSAH attacks) at inference time on image segmentation models; proposes LNG-SWR as a frequency-domain defense that suppresses noise-sensitive bands to reduce adversarial performance degradation.