A Study of Adversarial Attacks and Detection on Deep Learning-Based Plant Disease Identification

Abstract

Transfer learning using pre-trained deep neural networks (DNNs) has been widely used for plant disease identification recently. However, pre-trained DNNs are susceptible to adversarial attacks which generate adversarial samples causing DNN models to make wrong predictions. Successful adversarial attacks on deep learning (DL)-based plant disease identification systems could result in a significant delay of treatments and huge economic losses. This paper is the first attempt to study adversarial attacks and detection on DL-based plant disease identification. Our results show that adversarial attacks with a small number of perturbations can dramatically degrade the performance of DNN models for plant disease identification. We also find that adversarial attacks can be effectively defended by using adversarial sample detection with an appropriate choice of features. Our work will serve as a basis for developing more robust DNN models for plant disease identification and guiding the defense against adversarial attacks.

1. Introduction

On a global scale, pathogens and pests are one major reason that reduces the yield and quality of agricultural production. According to the study of [1], estimated yield losses of five major crops (wheat, rice, maize, potato, and soybean) due to pathogens and pests range from $10.1\%$ to $41.1\%$ globally. Identifying plant diseases in an early time can prevent further yield losses of production by informing farmers of appropriate treatment processes regarding the diagnosis. Advanced lab-based methods for plant disease diagnosis such as DNA-based and serological methods, are accurate and authentic [2]. However, these methods are either more time-consuming or more costly than those based on the visual observation of symptoms shown on the organs of species. Traditionally the visual observations are performed by experienced experts or producers which are labor intensive and not reliable [3,4]. In recent years, due to the advancement of information and communication technologies (ICT), acquiring images from farms can be done easily by human observers using mobile devices [5] or automated sensing technologies such as unmanned aerial vehicles (UAVs) [6]. Thus, automatic identification of plant diseases using plant leaf images becomes more and more popular [7].

The automation of plant disease identification methods is achieved through predictive models built with machine learning algorithms. Traditional machine learning algorithms such as k-nearest neighbor (KNN) [8], artificial neural network (ANN) [9], support vector machine (SVM) [10], and random forest [11] have been widely applied for the problem. These algorithms rely heavily on features generated from plant leaf images, which require advanced image processing techniques and extensive involvement of domain experts. Recently, deep learning (DL) has emerged as a promising solution for many computer vision applications including image-based plant disease identification [12]. Instead of relying on advanced image processing techniques and domain experts, DL-based methods use deep neural networks (DNNs) that are capable of automatically extracting image features from raw data [13]. In addition, it has been shown that DL offers significantly better detection performance than traditional machine learning algorithms [3,5,12,14,15]. The major challenge associated with DL-based methods is the need for large amounts of data and vast computing resources to train DNN models. Fortunately, transfer learning solves this problem by using a pre-trained model from a similar domain instead of starting the model training from scratch [16,17]. Majority of DL-based plant disease identification models were built based on pre-trained DNN models such as VGGNet [18], ResNet [19], Inception [20], and DenseNet [21].

Although DL models have shown superior performance in many applications, they are susceptible to carefully crafted adversarial attacks. Adversaries can easily perturb normal samples to produce adversarial samples which cause DL models to make wrong predictions [22]. Adversarial attacks against DL can be categorized as white-box, gray-box, and black-box attacks of which the difficulties increase in order [23]. The pre-trained model used in transfer learning is usually publicly available to both normal users and adversaries. Based on this vulnerability, an adversary can generate adversarial samples solely with the knowledge of the pre-trained model to launch an effective and efficient white-box attack [24]. Recently web-based plant disease identification systems with DL have been proposed which use leaf images uploading from smartphones [25,26]. Adversaries can intercept uploaded normal images and apply white-box attacks to convert them to adversarial images. In the end, the misdiagnosis of plant diseases by the systems could result in a significant delay of treatments and huge economic losses. In this paper, we conduct a comprehensive study of the effects of popular white-box adversarial attacks on pre-trained DNN models widely used in plant disease identification. We also investigate the effectiveness of different adversarial sample detection methods on defending adversarial attacks. To the best of our knowledge, our work is the first attempt to investigate adversarial attacks and detection on DL-based plant disease identification.

The rest of this paper is organized as follows. In Section 2, the popular pre-trained DNN models for plant disease identification are introduced followed by the description of white-box adversarial attacks and adversarial sample detection methods. The experiments and results of adversarial attacks and detection on DL-based plant disease identification are presented in Section 3. Finally, we conclude the paper in Section 4.

2. Methods

In this section, we first describe the problem of plant disease identification. Popular pre-trained DNN models for plant disease identification are then introduced. After that, white-box adversarial attacks and adversarial sample detection methods adopted in this paper are presented.

2.1. Plant Disease Identification Problem

Plant disease identification is a classification problem that can be either 2-class or multi-class. A 2-class model classifies a plant leaf image as healthy or diseased while a multi-class model does a more fine-grained classification to predict the input image as healthy or a certain type of disease. Figure 1 shows the system architecture adopted in this paper that applies a DL model for plant disease identification. To alleviate the problem of insufficient training data for a DL model, the system transfers knowledge from the source domain of ImageNet [27] to the target domain of plant disease detection. This process first employs the partial network from the source domain to serve as a feature extractor of the new network and then replaces the final output layer of the source domain network with a new dense layer followed by a SoftMax function corresponding to the plant disease dataset. Finally, the new network is fine-tuned by using the plant disease dataset. Fine-tuning can optimize network parameters wholly or partially [28]. The shallow training of our work fine-tunes all network parameters.

Figure 1. Architecture of a DL-based plant disease identification system.

2.2. Pre-Trained DNN Models for Plant Disease Identification

In this study, we consider four pre-trained DNN models that have been widely applied for plant disease identification: VGGNet [3,5,17,29,30,31,32], ResNet [17,29,33], Inception [17,33,34] and DenseNet [4,17,35].

2.2.1. VGGNet

VGGNet is a deep convolutional neural network (CNN) model proposed for the ILSVRC-2014 challenge [18]. The input of the model is a fixed-size $224\times 224$ image, which passes through a stack of convolutional layers with $3\times 3$ filter. The model also uses $2\times 2$ max-pooling layer following some convolutional layers for down-sampling which reduces the input size of later layers. The end of the network consists of two fully connected layers with 4096 neurons each followed by a SoftMax layer. Depending on the number of convolutional layers of the network, there are two VGGNet architectures: VGG-16 and VGG-19. VGG-16 is considered in our study.

2.2.2. ResNet

Deep residual networks (ResNet) were proposed by He et al. in [19], which have shown compelling performance and good convergence behaviors. The ResNet architecture accepts a $224\times 224$ image as input. It consists of a stack of residual blocks, which are feed-forward neural networks with shortcuts (or skip connections). Shortcuts are connections skipping over some layers which are used to deal with the problem of vanishing-gradients as the network goes deeper. The ResNet architecture considered in this paper is ResNet-101.

2.2.3. Inception

The idea of Inception was first introduced in [20] as a module for the GoogleNet architecture, which approximates an optimal local sparse structure of a convolutional network by dense components. An Inception Module is a stack of a max-pooling layer and convolution layers, which is the basic module to construct the Inception network. Inception V3 proposed in [36] is considered in this paper, which is the 3rd version of Inception architecture. Inception V3 inherits the basic idea of “Inception Module” and the batch normalization introduced in Inception V2 [37]. In addition, three new features are added to Inception V3 including convolution factorization, efficient grid size reduction, and auxiliary classifier [36]. The input of Inception V3 is a fixed-size $299\times 299$ image.

2.2.4. DenseNet

DenseNet was introduced by Huang et al. in [21], which maximizes the information flow between layers by connecting a layer to other layers in a feed-forward manner. The inputs of a layer in DenseNet are features maps of all preceding layers. The feature maps of a layer will then be used as inputs of all subsequent layers. DenseNet requires significantly fewer parameters than traditional deep CNNs [21]. It also provides other benefits including alleviating the vanishing-gradient problem, strengthening feature propagation, and encouraging feature reuse [21]. In this paper, DenseNet-121 is considered to be the DenseNet architecture, which accepts a fixed-size $224\times 224$ image as input.

2.3. Adversarial Attacks

The idea of using adversarial samples to cause the misclassification of a DL model was first explored by Szegedy et al. [22]. There are two kinds of adversarial samples that can be crafted. Given a dataset $(\mathit{x},y)$ where $\mathit{x}=(x_1,x_2,\dots ,x_n)$ is a normal sample and $y=f\left(\mathit{x}\right)$ is the corresponding label of the sample, an untargeted adversarial sample ${\mathit{x}}^{\prime }$ is crafted to make $f\left(\right\{x\ne y$ yet $\mathit{x}$ and ${\mathit{x}}^{\prime }$ are close according to certain metric. Another more powerful but harder attack uses targeted adversarial samples. Given a normal sample $\mathit{x}$ and a target label $y^{\prime }\ne f\left(\mathit{x}\right)$, the attacking algorithm searches for an adversarial sample ${\mathit{x}}^{\prime }$ such that $f\left({\mathit{x}}^{\prime }\right)=y^{\prime }$ where $\mathit{x}$ and ${\mathit{x}}^{\prime }$ are close. To measure the similarity between $\mathit{x}$ and ${\mathit{x}}^{\prime }$, $L_0,L_2,L_{\infty }$ are the three most widely used distance metrics among all $L_p$-norms for generating adversarial samples [38]. The $L_p$ distance is also written as $\Vert \mathit{x}-{\mathit{x}}^{\prime }{\Vert }_p$, where $\Vert ·{\Vert }_p$ of $\mathit{x}$ is defined as

$${\Vert \mathit{x}\Vert }_p=\left(\right|x_1{|}^p)+|x_2{|}^p+\cdots +|x_n{{|}^p)}^{1/p}$$

(1)

For the three distance metrics, $L_0$ norm measures the number of points that differ between $\mathit{x}$ and ${\mathit{x}}^{\prime }$, $L_2$ norm is the standard Euclidean distance, and $L_{\infty }$ norm measures the maximum change to any of the points. Although all three distance metrics approximate to the human perceptual similarity, $L_{\infty }$, also known as max-norm, is the most commonly used one due to its better consistency to human perception [39].

There are three types of adversarial attacks: white-box, gray-box, and black-box attacks. In this work, we focus on untargeted white-box attacks under the $L_{\infty }$ norm distance metric. White-box attacks require attackers have the highest-level knowledge of the model among the three types of attacks, which then have a greater impact on the performance of DL-based models than other two types of attacks. Since many DL-based plant disease identification schemes are built based on pre-trained DNN models, adversarial samples generated in the white-box manner against a fine-tuned model based on a pre-trained DNN model can be successfully transferred to the target model [24]. In the following, we describe four popular white-box attacks considered in this study: fast gradient sign method (FGSM) [40], basic iterate method (BIM) [41], projected gradient descent (PGD) [39], and Carilini and Wagner attack (CW) [38].

2.3.1. FGSM

FGSM is a popular untargeted white-box attack introduced by Goodfellow et al. [40], which perturbs one-step along the gradient direction of the adversarial loss $J(\mathit{\theta },\mathit{x},y)$ with a max-norm constraint of $ϵ$:

$${\mathit{x}}^{\prime }=\mathit{x}+ϵ·\mathrm{sign}\left({\nabla }_{\mathit{x}}J(\mathit{\theta },\mathit{x},y)\right)$$

(2)

2.3.2. BIM

BIM was proposed in [41] which extends FGSM as an iterative method. BIM perturbs the input $\mathit{x}$ iteratively with a step size $\alpha$ under the max-norm $ϵ$.

$${\mathit{x}}_{\mathbf{0}}^{\prime }=\mathit{x},{\mathit{x}}_{\mathbf{t}}^{\prime }=Cli{p}_{\mathit{x},ϵ}({\mathit{x}}_{\mathbf{t}-\mathbf{1}}^{\prime }+\alpha ·\mathrm{sign}\left({\nabla }_{x}J(\mathit{\theta },{\mathit{x}}_{\mathbf{t}-\mathbf{1}}^{\prime },y)\right))$$

(3)

where ${\mathit{x}}_{\mathbf{t}}^{\prime }$ is the adversarial sample generated at t-th step, $J(\mathit{\theta },\mathit{x},y)$ is the optimization loss of adversarial attack in which $\mathit{\theta }$ represents the weights of model. The number of perturbation steps, T, is chosen heuristically [41]. The step size is usually set to $ϵ/T\le \alpha <ϵ$. $Cli{p}_{\mathit{x},ϵ}\left({\mathit{x}}^{\prime }\right)$ is defined as following.

$$Cli{p}_{\mathit{x},ϵ}\left({\mathit{x}}^{\prime }\right)=\min \{\mathrm{img}\_\max ,\mathit{x}+ϵ,\max \{\mathrm{img}\_\min ,\mathit{x}-ϵ,{\mathit{x}}^{\prime }\}\}$$

(4)

where $img\_max$ and $img\_min$ are the maximum and minimum of image range, e.g., 1 and 0 for images in the range [0,1].

2.3.3. PGD

PGD attack was proposed by Madry et al. [39] to find adversarial samples. PGD perturbs a normal sample $\mathit{x}$ for a total of T steps where each step perturbs $\mathit{x}$ in the gradient direction of the adversarial loss with a projection constraint, which is a set of allowed perturbations denoted as $S\subseteq {\mathbb{R}}^d$.

$${\mathit{x}}_{\mathbf{t}}^{\prime }={\Pi }_{\mathit{x}+S}({\mathit{x}}_{\mathbf{t}-\mathbf{1}}^{\prime }+\alpha ·\mathrm{sign}\left({\nabla }_{\mathit{x}}J(\mathit{\theta },{\mathit{x}}_{\mathbf{t}-\mathbf{1}}^{\prime },y)\right))$$

(5)

where $\alpha$ is the step size, and $\Pi (·)$ is the projection function which projects the intermediate perturbation into the valid data range and the $L_{\infty }$-ball around the normal sample $\mathit{x}$. PGD is similar to BIM with the differences of the projection step and random start.

2.3.4. CW

CW attack is an optimization-based adversarial attack [38], which achieves a perfect attack success rate against defensive distillation, an efficient approach hardening neural networks against adversarial samples [42]. CW attack creates an adversarial sample ${\mathit{x}}^{\prime }$ from a normal sample $\mathit{x}\in [0,1]$ by minimizing $\Vert \delta \Vert p+c·f(\mathit{x}+\delta )$ such that $\mathit{x}+\delta \in {[0,1]}^n$, where $\delta$ is the pixel-wise difference between $\mathit{x}$ and ${\mathit{x}}^{\prime }$, p denotes the $L_p$ norm distance metric ($L_{\infty }$ in our study). The box constraints of CW attack uses the idea of change of variables instead of projected gradient descent and clipped gradient descent used in PGD and BIM, respectively [38], which introduces and optimizes over a new variable w to smooth the box constraint process as follows:

$$\delta =\frac{1}{2}[\tanh \left(w\right)+1]-x$$

(6)

2.4. Detection of Adversarial Samples

Several adversarial defenses have been proposed in recent years for DL models such as adversarial training [22,40], input data compression [43], gradient regularization [44], and defensive distillation [42]. However, those defenses were proved later that do not work partially or wholly [45]. Therefore, recent research has more focused on detection-based defenses [46,47,48] that detect adversarial samples using features extracted from trained DL models. In the following, we describe adversarial sample detection methods investigated in our study.

2.4.1. Kernel Density (KD) and Bayesian Uncertainty (BU)

KD estimation was proposed in [46] as a measure to submanifold in the feature space of the last hidden layer. The assumption is that an adversarial sample lies far from the normal data manifold. Given a sample $\mathit{x}$ and a training set ${\mathit{X}}_{\mathit{t}}$ of class t, the KD estimation of $\mathit{x}$ based on Gaussian distribution is calculated as:

$$KD\left(\mathit{x}\right)=\frac{1}{|{\mathit{X}}_{\mathit{t}}|}\sum _{{\mathit{x}}_{\mathit{i}}\in {\mathit{X}}_{\mathit{t}}}\exp \left(\Vert {\mathit{x}}_{\mathit{i}}-\mathit{x}{\Vert }^2/{\sigma }^2\right)$$

(7)

where $\sigma$ is the bandwidth of the kernel. $\sigma$ controls the smoothness of the density estimation which we heuristically set it to $1.2$. BU, the second detection method proposed in [46], is based on an approximation from dropout mechanism in DNNs to the deep Gaussian process. The uncertainty is the additional information to the label prediction which gives a confidence interval to the prediction. Features extracted with KD and BU can be used as the input of a machine learning-based detector.

2.4.2. LID

LID models dimensional characteristics of adversarial subspaces based on the distance distribution amid adversarial samples [48]. The argument of [48] is that KD can fail to differentiate adversarial samples from normal samples which are differentiable in high-dimension manifold but not in low-dimension manifold. Given a sample $\mathit{x}$, the maximum likelihood estimator of LID uses its distances to k nearest neighbors:

$$\widehat{LID}\left(\mathit{x}\right)=-\left(\frac{1}{k}\stackrel{k}{\sum _{i=1}}\log \frac{r_i\left(\mathit{x}\right)}{r_k\left(\mathit{x}\right)}\right)$$

(8)

where $r_i$ is the distance between $\mathit{x}$ and its i-th nearest neighbor, $r_k\left(\mathit{x}\right)$ is the distance between $\mathit{x}$ and $\mathit{x}$’s furthest neighbor of k nearest neighbors. A LID-based detector is built based on LID computed from each layer of the DNN under a mini-batch manner for given training samples.

2.4.3. SafetyNet

Lu et al. [47] proposed an adversarial sample detection architecture called SafetyNet which uses RBF-SVM as the adversarial detector with features extracted from the outputs of later activation layers. The hypothesis of the method is that adversarial samples produce different patterns of activation in late stage than those produced by normal samples. There are two different kinds of features used in [47]: raw features extracted directly from activation denoted as DeepF and discrete features obtained by quantizing activation as discrete levels denoted as DiscF. DiscF forces the attacker to solve a hard discrete optimization problem [47]. Both DeepF and DiscF are considered in our study.

3. Experiments and Results

In this section, the efficacy of adversarial attacks (FGSM, BIM, PGD, and CW) against four popular DNN models (VGG-16, ResNet-101, Inception V3, and DenseNet-121) for plant disease identification is investigated. The effectiveness of adversarial sample detection methods against adversarial attacks is also studied. Without loss of generality, we present the results of apple leaf disease identification for which several DL models have been developed [30,35]. Although we only report the results of apple leaf disease identification, our unreported experiments obtained similar results from other leaf disease datasets.

3.1. Datasets

We use a publicly available apple leaf disease dataset which is a subset of the PlantVillage dataset [49]. Table 1 shows the details of the dataset including classes of apple leaf images and the number of images for each class. The dataset can be directly used to build multi-class disease identification models that a leaf image is labeled as one of the four classes (healthy or one of the three diseases). To build 2-class disease identification models, all images of three disease classes are labeled as “diseased” which are combined with healthy images to form the dataset.

Table 1. Apple leaf disease dataset.

Class	Number of Images
Scab	630
Black Rot	621
Cedar Apple Rust	275
Healthy	1645
Total	3171

3.2. Performance of Fine-Tuned DNN Models without Adversarial Attacks

To evaluate the performance of different DNN models without adversarial attacks, the apple leaf disease dataset (2-class or multi-class) is divided as a training set and a testing set with an $80/20$ ratio. For each DNN model, a leaf image is resized as the standard input size required by a pre-trained DNN model. In the fine-tuning phase, each DNN model is fine-tuned from weights pre-trained using ImageNet dataset [27]. The models are trained with a stochastic gradient descent (SGD) optimizer with an initial learning rate of 0.001 and momentum of 0.9. The learning rate decays with a rate of 0.1 every 7 epochs. Our shallow training has 100 epochs with an early stopping of 7-epoch tolerance. The test accuracy of the four fine-tuned DNN models are presented in Table 2. It can be seen that without adversarial attacks all models perform very well on both 2-class and multi-class disease identification.

Table 2. Performance of fine-tuned DNN models without adversarial attacks.

DNN Model	Dataset	Test Accuracy
VGG-16	2-class	100%
VGG-16	multi-class	99.67%
ResNet-101	2-class	99.84%
ResNet-101	multi-class	100%
Inception V3	2-class	100%
Inception V3	multi-class	100%
DenseNet-121	2-class	100%
DenseNet-121	multi-class	100%

3.3. Efficacy of Adversarial Attacks

To investigate the efficacy of adversarial attacks, we perturb the testing set used in Section 3.2. Each of the four adversarial attacks of Section 2.3 is applied to generate adversarial samples from randomly selected 50% of the test samples. The generated adversarial samples are combined with another half of normal samples as the testing set for adversarial attacks. Please note that all four attacks are bounded by a pre-defined maximum perturbation size $ϵ$ with respect to the $L_{\infty }$ norm. We generate different testing sets by varying $ϵ$ from $0.2/255$ to $4/255$. Examples of adversarial images generated by the four attacks and their corresponding normal images under $ϵ=1/255$ for fine-tuned 2-class and multi-class VGG-16 models are shown in Figure 2 and Figure 3, respectively. It can be seen that adversarial images generated by the four attacks under small perturbations are hard to distinguish from original images by human eyes.

Figure 2. Examples of normal images and adversarial images generated by different attacks (VGG-16, 2-class, $ϵ=1/255$).

Figure 3. Examples of normal images and adversarial images generated by different attacks (VGG-16, multi-class, $ϵ=1/255$).

Figure 4 and Figure 5 show the results of applying adversarial attacks on fine-tuned 2-class and multi-class DNN models, respectively. It can be observed that the results of 2-class and multi-class models are similar. For all models, the accuracy of disease identification drops significantly as $ϵ$ increases which demonstrates the efficacy of the attacks. One can find that three iterative perturbation attacks (BIM, PGD, and CW) are more efficient than the only one-step perturbation attack, FGSM. Another interesting finding is that VGG-16 is the most robust one against adversarial attacks among the four DNN models although its performance is still significantly degraded under attacks.

Figure 4. Performance comparison of four adversarial attacks on 2-class DNN models under different $ϵ$.

Figure 5. Performance comparison of four adversarial attacks on multi-class DNN models under different $ϵ$.

3.4. Results of Adversarial Sample Detection

The testsets generated for adversarial attacks with $ϵ=1/255$ in Section 3.3 are used as the datasets for evaluating the performance of adversarial sample detection methods. Detection features are extracted from the fine-tuned DNN models of Section 3.2. The KD and BU features are estimated from the second-last layer and the SoftMax layer of the network, respectively. The LID features are calculated from the outputs of all layers of the network with a min-batch size of 100. $DeepF$ and $DiscF$ features are obtained from the second-last layer of the network. According to [46,48], logistic regression classifier is used for KD + BU and LID features. RBF-SVM classifier is used for $DeepF$ and $DiscF$ features based on the SafetyNet architecture [47]. We apply a 5-fold cross-validation to evaluate the performance of different adversarial sample detection methods.

Table 3 and Table 4 show the results of adversarial sample detection for fine-tuned 2-class and multi-class DNN models, respectively. The results show that KD + BU features achieve significantly better performance than other features with a nearly perfect detection rate. This demonstrates that adversarial attacks on DL-based plant disease identification models can be effectively defended by using adversarial sample detection with an appropriate choice of features. Surprisingly, LID features are the worst performed ones which were shown superior performance over KD + BU features on three benchmark image datasets: MNIST, CIFAR-10, and SVHN in [48]. This implies that the intrinsic characteristics of leaf images used for plant disease identification are different from those of benchmark images.

Table 3. Adversarial sample detection results for 2-class DNN models using different features.

DNN Model	Features	FGSM	BIM	PGD	CW
VGG-16	KD + BU	0.998	1	1	0.998
	LID	0.738	0.666	0.633	0.637
	DeepF	0.882	0.899	0.902	0.732
	DiscF	0.918	0.921	0.92	0.737
ResNet-101	KD + BU	1	1	1	1
	LID	0.736	0.698	0.607	0.807
	DeepF	0.94	0.948	0.957	0.945
	DiscF	0.946	0.968	0.956	0.91
Inception-V3	KD + BU	1	1	0.998	0.998
	LID	0.754	0.74	0.705	0.587
	DeepF	0.942	0.907	0.912	0.839
	DiscF	0.954	0.905	0.885	0.838
DenseNet-121	KD + BU	1	1	1	1
	LID	0.738	0.606	0.571	0.666
	DeepF	0.962	0.942	0.948	0.94
	DiscF	0.967	0.984	0.967	0.916

Table 4. Adversarial sample detection results for multi-class DNN models using different features.

DNN Model	Features	FGSM	BIM	PGD	CW
VGG-16	KD + BU	0.987	1	1	0.987
	LID	0.728	0.674	0.641	0.612
	DeepF	0.867	0.785	0.782	0.696
	DiscF	0.91	0.864	0.889	0.756
ResNet-101	KD + BU	1	1	1	1
	LID	0.7	0.626	0.639	0.793
	DeepF	0.844	0.801	0.756	0.874
	DiscF	0.926	0.896	0.912	0.913
Inception V3	KD + BU	0.998	1	1	0.997
	LID	0.74	0.719	0.663	0.675
	DeepF	0.872	0.73	0.733	0.741
	DiscF	0.948	0.864	0.875	0.825
DenseNet-121	KD + BU	1	1	1	1
	LID	0.691	0.629	0.604	0.675
	DeepF	0.898	0.855	0.871	0.784
	DiscF	0.957	0.946	0.951	0.894

Finally, we investigate the transferability of detection models built with KD + BU features. The detection model for a DNN model is trained with a testset generated in Section 3.3 that consists of normal samples and adversarial samples generated by one of the four attacks. The model is then applied for detecting adversarial samples generated by other three attacks. Table 5 and Table 6 show the detection performance in terms of accuracy for 2-class and multi-class DNN models, respectively. It can be seen that detection models for 2-class and multi-class DNN models have comparable transferability. Detection models trained with adversarial samples generated by CW attack have the best transferability which can perfectly detect adversarial samples generated by other three attacks except one case (Inception V3, 2-class).

Table 5. Results of detection model transferability for 2-class DNN models.

Model	Source	FGSM	BIM	PGD	CW
VGG-16	FGSM	–	1	1	0.768
	BIM	0.846	–	0.861	0.622
	PGD	0.988	0.994	–	0.746
	CW	1	1	1	–
ResNet-101	FGSM	–	1	1	0.994
	BIM	1	–	1	0.994
	PGD	1	1	–	0.995
	CW	1	1	1	–
Inception V3	FGSM	–	1	1	0.840
	BIM	0.997	–	1	0.819
	PGD	0.997	1	–	0.820
	CW	0.983	1	1	–
DenseNet-121	FGSM	–	1	1	0.957
	BIM	1	–	1	0.961
	PGD	1	1	–	0.957
	CW	1	1	1	–

Table 6. Results of detection model transferability for multi-class DNN models.

Model	Source	FGSM	BIM	PGD	CW
VGG-16	FGSM	–	1	1	0.802
	BIM	1	–	1	0.805
	PGD	0.998	1	–	0.802
	CW	1	1	1	–
ResNet-101	FGSM	–	1	1	0.976
	BIM	1	–	1	0.986
	PGD	1	1	–	0.978
	CW	1	1	1	–
Inception V3	FGSM	–	1	1	0.826
	BIM	1	–	1	0.824
	PGD	0.999	0.999	–	0.800
	CW	1	1	1	–
DenseNet-121	FGSM	–	1	1	0.953
	BIM	1	–	1	0.957
	PGD	1	1	–	0.957
	CW	1	1	1	–

4. Conclusions

Pre-trained DNN models have been widely used in machine learning and computer vision applications including plant disease identification. In this paper, the vulnerabilities of DL-based plant disease identification models under four popular white-box adversarial attacks are investigated. Our results show that all attacks can significantly affect the performance of DNN models for plant disease identification. A small number of perturbations introduced by the attacks on acquired leaf images can lead to a significant degradation of disease identification performance. It is found that VGG-16 is more robust against attacks than other DNN models. We then study the effectiveness of adversarial sample detection methods based on features extracted from fine-tuned DNN models. The results show that attacks can be effectively detected with an appropriate choice of features such as KD + BU. The findings of this paper will serve as a basis for developing more robust DNN models for plant disease identification and guiding the defense against adversarial attacks.