Next Article in Journal
SETJiP: Spatial and Extra Temporal Jigsaw Puzzles for Video Anomaly Detection
Next Article in Special Issue
Fall-from-Bed Risk Prediction Using Physics-Based Bed Simulation
Previous Article in Journal
Precision Gas Sensing Interface Circuit with Digital Potentiometer-Based Dynamic Gain Control
Previous Article in Special Issue
AI-Guided Remission: Protocol for a Conversational Agent (Chatbot) for Dosing Activity and Footwear Progression After Diabetic Limb Reconstruction
 
 
Article
Peer-Review Record

Evaluating the Adversarial Robustness and Clinical Safety of Quantized Hierarchical Transformers for Edge-Based Malaria Microscopy

Sensors 2026, 26(9), 2888; https://doi.org/10.3390/s26092888
by Umar Hasan 1, Turki G. Alghamdi 2 and Muhammad Ali Nayeem 3,*
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Sensors 2026, 26(9), 2888; https://doi.org/10.3390/s26092888
Submission received: 1 April 2026 / Revised: 24 April 2026 / Accepted: 26 April 2026 / Published: 5 May 2026

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

- The first thing that stands out is that the contribution is not clearly convincing. The paper introduces a method that sounds complex, but when you strip it down, it’s mostly a combination of already known techniques. There isn’t a clear moment where you can say, “this is the key new idea.” Instead, it feels like incremental tweaking presented as a bigger breakthrough than it actually is.

-The method section doesn’t build confidence either. It explains the components, but not the reasoning behind them. You’re left wondering why these specific design choices were made. It feels more like “this works” rather than “this is why it should work.” That’s a problem, especially for a journal-level paper.

-Then there’s the experimental side, which is where things really start to weaken. The results look decent on the surface, but they’re not backed up properly. There’s no discussion of variability, no repeated runs, no statistical validation. It feels like the best numbers were reported without showing how stable or reliable they are.

-The comparisons are also not fully convincing. Either the baselines are not strong enough, or it’s unclear if they were implemented fairly. Without strong, up-to-date comparisons, it’s hard to trust any claim of superiority.

-Another issue is that the paper doesn’t answer the most important question: what actually makes this model work? There are multiple components, but no clear ablation that isolates their contributions. So you’re left guessing whether the improvement comes from one key idea or just from stacking more complexity.

-The paper also tends to oversell its impact. It uses strong language about effectiveness and applicability, but the evidence doesn’t fully support those claims. There’s little discussion of limitations, failure cases, or where the method might struggle.

-On the positive side, the problem itself is relevant, and the authors clearly put effort into building and testing a system. But right now, it feels more like a solid experiment than a strong scientific contribution.

-The authors need to tighten the story, be more honest about what’s actually new, strengthen the experiments, and show real insight instead of just reporting numbers.

  • Add SOTA DL-based papers:
  • https://arxiv.org/abs/2603.28110
  • https://www.sciencedirect.com/science/article/pii/S0952197625027733

Author Response

Thank you very much for taking the time to review this manuscript. Please find the detailed responses below and the corresponding revisions and corrections highlighted in the re-submitted files. We appreciate your constructive feedback, which has helped us significantly strengthen the clarity, statistical rigor, and methodological framing of our study.

1. Point-by-point response to Comments and Suggestions for Authors

Comments 1: The first thing that stands out is that the contribution is not clearly convincing. The paper introduces a method that sounds complex, but when you strip it down, it’s mostly a combination of already known techniques. There isn’t a clear moment where you can say, “this is the key new idea.” Instead, it feels like incremental tweaking presented as a bigger breakthrough than it actually is.
Response 1: Thank you for pointing this out. We agree with this comment. Therefore, we have revised the Introduction (Section 1) [Page 3, Paragraph 1, Lines 70–75] to explicitly clarify that this study is fundamentally an investigative security audit and empirical benchmarking analysis, rather than the proposal of a novel defensive architecture. Our contribution lies in the comprehensive cross-evaluation of integer discretization, hardware efficiency, and multi-step adversarial vulnerability in a clinical edge context, exposing the limitations of the assumed “Quantization Shield.”

Comments 2: The method section doesn’t build confidence either. It explains the components, but not the reasoning behind them. You’re left wondering why these specific design choices were made.
Response 2: Agree. We have, accordingly, expanded Section 3.3 (Model Architectures and Computational Profiles) [Page 9, Paragraph 2, Lines 324–332] to explicitly justify our baselines. We clarify that MobileNetV3 was selected as the industry standard for raw hardware efficiency (depthwise convolutions), while the Swin Transformer represents the state-of-the-art in robust accuracy (hierarchical attention). This allows for a direct comparison of how continuous convolutional operations versus discrete attention patches react to PTQ and gradient manipulations.

Comments 3: Then there’s the experimental side, which is where things really start to weaken. The results look decent on the surface, but they’re not backed up properly. There’s no discussion of variability, no repeated runs, no statistical validation.
Response 3: Thank you for pointing this out. We agree with this comment. Therefore, we have significantly strengthened the statistical rigor of our results. We have added empirical 95% Confidence Intervals to all accuracy metrics in Table 3 [Page 14], calculated via 1,000 iterations of bootstrap resampling. Additionally, we direct attention to Section 4.2 [Page 15, Paragraph 2, Lines 493–499], where we had already utilized McNemar’s statistical test (p=0.0918) to formally validate the clinical equivalence of the INT8 and FP32 models under OOD conditions.

Comments 4: The comparisons are also not fully convincing. Either the baselines are not strong enough, or it’s unclear if they were implemented fairly.
Response 4: Agree. As clarified in our response to Comment 2, we have, accordingly, updated Section 3.3 [Page 9, Paragraph 2, Lines 324–332] to state that our baselines were purposefully selected to represent the extreme ends of the edge-deployment spectrum (maximum efficiency vs. maximum architectural robustness). All models were trained and quantized using the exact same pipeline and datasets to ensure a fair, standardized comparison.

Comments 5: Another issue is that the paper doesn’t answer the most important question: what actually makes this model work? There are multiple components, but no clear ablation that isolates their contributions.
Response 5: Thank you for pointing this out. We apologize if the ablation study was difficult to locate. Therefore, we have renamed Section 4.4 to “Ablation Study: Isolating the Impact of Architecture vs. Quantization” [Page 17, Paragraph 2, Line 518] to make this analysis explicitly clear in the manuscript structure. This section directly isolates the effect of the Swin architecture from the effect of INT8 quantization by introducing a standard ViT-Tiny ablation baseline.

Comments 6: The paper also tends to oversell its impact. It uses strong language about effectiveness and applicability, but the evidence doesn’t fully support those claims. There’s little discussion of limitations, failure cases, or where the method might struggle.
Response 6: Agree. We have, accordingly, softened the language throughout the manuscript, changing phrases like “Total Model Collapse” to more objective terms like “severe performance degradation.” Furthermore, we have entirely rewritten Section 5.5 (Limitations) [Page 23, Paragraph 1, Lines 650–663] to explicitly discuss critical failure cases, including the vulnerability to physical-world attacks (e.g., printed adversarial patches on slides) and the potential for unforeseen quantization bugs caused by hardware-specific NPU kernels.

Comments 7: The authors need to tighten the story, be more honest about what’s actually new, strengthen the experiments, and show real insight instead of just reporting numbers.
Response 7: Thank you for this guidance. We agree with this comment. Therefore, we have thoroughly reviewed the manuscript to tighten the narrative, focusing on the empirical insights regarding gradient masking. We trust that the clarified contributions, the added bootstrapped confidence intervals, and the expanded limitations section satisfy this requirement.

Comments 8: Add SOTA DL-based papers: [Ullah et al. 2026], [Ullah et al. 2025].
Response 8: Agree. We have, accordingly, incorporated the suggested literature into Section 2.1 (Deep Learning in Malaria Diagnostics) [Page 4, Paragraph 4, Lines 131–140]. These references elegantly support our discussion on the necessity of enforcing structural and anatomical consistency in complex medical imaging, which highlights the trade-offs required when compressing such sophisticated frameworks for mobile devices.

2. Response to Comments on the Quality of English Language

Point 1: The English could be improved to more clearly express the research.
Response 1: Thank you for the feedback. We agree and have thoroughly revised the manuscript for clarity and narrative flow. By sharpening the problem statement, explicitly justifying baseline choices, and improving transitions throughout the text, we have addressed the structural and logical progression of the arguments to ensure the research is expressed clearly.

3. Additional clarifications

None.

Reviewer 2 Report

Comments and Suggestions for Authors

This manuscript presents a comprehensive study on the adversarial robustness and clinical safety of quantized hierarchical ViT for edge-based malaria microscopy. The adversarial security audit demonstrate training quantization does not provide inherent adversarial defense, and may introduce gradient masking artifacts, Overall, the work is technically sound and suitable for publication. Several aspects could be further improved, as detailed below.

  1. The abstract is overly detailed and lacks a clear, concise summary of the work. It should be streamlined to better highlight the problem, main contributions, and key findings while reducing unnecessary technical details.
  2. The claim of gradient masking is only supported by empirical comparisons between FGSM and PGD attacks. It is suggested to provide mathematical derivation or visualization of how INT8 quantization disrupts gradient continuity.
  3. The manuscript would benefit from additional justification of key hyperparameters, such as the choice of PGD attack steps, step size, and perturbation bounds. Providing rationale or references would improve reproducibility and strengthen methodological rigor.
  4. The results of the iterative PGD attack are only reported for INT8 and FP32 models. It is recommended to include additional quantization settings (e.g., INT16, INT32) to provide a more comprehensive evaluation and to better support the claim of a robust compressed neural network under adversarial attacks.
  5. Does an accuracy of 0.00% imply a simple inversion of predictions, which would then correspond to 100% accuracy under a reversed labeling? Intuitively, an accuracy of 50% appears to reflect random guessing and thus a truly failed model.
  6. The paper does not clearly describe how the adversarial robustness shown in Fig. 12 is computed. It is recommended to explicitly specify the evaluation protocol and metric used for calculating adversarial robustness.

Author Response

Thank you very much for taking the time to review this manuscript. Please find the detailed responses below and the corresponding revisions and corrections highlighted in the re-submitted files. We deeply appreciate your technical insights, which have helped us improve the methodological rigor and clarity of our evaluations.

1. Point-by-point response to Comments and Suggestions for Authors

Comments 1: The abstract is overly detailed and lacks a clear, concise summary of the work. It should be streamlined to better highlight the problem, main contributions, and key findings while reducing unnecessary technical details.
Response 1: Thank you for pointing this out. We agree with this comment. Therefore, we have heavily revised the abstract [Page 1, Paragraph 1, Lines 2–18] to ensure it is concise (within 200 words) while retaining only the most critical quantitative findings. The focus has been shifted to clearly articulate the problem, the testing of the “Quantization Shield” hypothesis, and the core findings regarding single-step versus multi-step adversarial attacks.

Comments 2: The claim of gradient masking is only supported by empirical comparisons between FGSM and PGD attacks. It is suggested to provide mathematical derivation or visualization of how INT8 quantization disrupts gradient continuity.
Response 2: Agree. This is an excellent suggestion. We have, accordingly, added a mathematical derivation in Section 5.2 [Page 21, Paragraph 2, Lines 588–598]. We now explicitly show that the derivative of the discrete integer rounding function (used in INT8 mapping) is zero almost everywhere. We explain that this discontinuous derivative is exactly what shatters the gradient trajectory for single-step attacks like FGSM, effectively creating the illusion of robustness.

Comments 3: The manuscript would benefit from additional justification of key hyperparameters, such as the choice of PGD attack steps, step size, and perturbation bounds. Providing rationale or references would improve reproducibility and strengthen methodological rigor.
Response 3: Thank you for pointing this out. We agree with this comment. Therefore, we have updated Section 3.6 [Page 12, Paragraph 7, Lines 453–459] to justify our hyperparameter selection. We now explicitly cite the foundational work by Madry et al. (2018) to support our use of 20 steps, a step size of 2/255, and varying perturbation bounds, explaining that these represent a standardized, maximum-threat scenario suitable for rigorous security auditing.

Comments 4: The results of the iterative PGD attack are only reported for INT8 and FP32 models. It is recommended to include additional quantization settings (e.g., INT16, INT32) to provide a more comprehensive evaluation and to better support the claim of a robust compressed neural network under adversarial attacks.
Response 4: Agree. We have, accordingly, added a new paragraph to the end of Section 3.4 [Page 11, Paragraph 1, Lines 393–400] to justify our exclusive focus on INT8. Modern edge hardware accelerators (such as mobile NPUs and microcontrollers) are physically architected around optimized 8-bit Arithmetic Logic Units. Formats like INT16 or INT32 fail to yield the necessary power and memory savings required to resolve the strict thermal and operational limits of point-of-care devices.

Comments 5: Does an accuracy of 0.00% imply a simple inversion of predictions, which would then correspond to 100% accuracy under a reversed labeling? Intuitively, an accuracy of 50% appears to reflect random guessing and thus a truly failed model.
Response 5: Thank you for pointing this out. The reviewer makes a highly astute observation regarding binary classification. We agree with this comment. Therefore, we have clarified this exact point in Section 4.5 [Page 19, Paragraph 1, Lines 538–546]. We explain that 0.00% does not imply random guessing (50%), but rather indicates a complete, deterministic subversion of the decision boundary by the adversary. The attacker successfully forces the model to invert every single prediction (diagnosing parasitized cells as uninfected and vice versa), representing the worst-case scenario in a clinical setting.

Comments 6: The paper does not clearly describe how the adversarial robustness shown in Fig. 12 is computed. It is recommended to explicitly specify the evaluation protocol and metric used for calculating adversarial robustness.
Response 6: Agree. We apologize for the ambiguity. We have, accordingly, rewritten the first paragraph of Section 4.6 [Page 20, Paragraph 1, Lines 554–563] to explicitly detail the black-box transfer protocol. We clarify that adversarial examples are generated completely offline using the gradients of the FP32 MobileNetV3 surrogate. These fixed images are then fed directly into the target Swin-Tiny models for standard inference, ensuring no gradient computation or architectural knowledge of the target is utilized.

2. Response to Comments on the Quality of English Language

Point 1: The English is fine and does not require any improvement.
Response 1: We sincerely thank the reviewer for this positive feedback regarding the clarity and quality of the English language in our manuscript.

3. Additional clarifications

None.

Round 2

Reviewer 1 Report

Comments and Suggestions for Authors

The authors have addressed all the comments thoroughly, Thanks

Back to TopTop