Fruit-classification model resilience under adversarial attack

An accurate and robust fruit image classifier can have a variety of real-life and industrial applications including automated pricing, intelligent sorting, and information extraction. This paper demonstrates how adversarial training can enhance the robustness of fruit image classifiers. In the past, research in deep-learning-based fruit image classification has focused solely on attaining the highest possible accuracy of the model used in the classification process. However, even the highest accuracy models are still susceptible to adversarial attacks which pose serious problems for such systems in practice. As a robust fruit classifier can only be developed with the aid of a fruit image dataset consisting of fruit images photographed in realistic settings (rather than images taken in controlled laboratory settings), a new dataset of over three thousand fruit images belonging to seven fruit classes is presented. Each image is carefully selected so that its classification poses a significant challenge for the proposed classifiers. Three Convolutional Neural Network (CNN)-based classifiers are suggested: 1) IndusNet, 2) fine-tuned VGG16, and 3) fine-tuned MobileNet. Fine-tuned VGG16 produced the best test set accuracy of 94.82% compared to the 92.32% and the 94.28% produced by the other two models, respectively. Fine-tuned MobileNet has proved to be the most efficient model with a test time of 9 ms/step compared to the test times of 28 ms/step and 29 ms/step for the other two models. The empirical evidence presented demonstrates that adversarial training enables fruit image classifiers to resist attacks crafted through the Fast Gradient Sign Method (FGSM), while simultaneously improving classifiers’ robustness against other noise forms including ‘Gaussian’, ‘Salt and pepper’ and ‘Speckle’. 
For example, when the amplitude of the perturbations generated through the Fast Gradient Sign Method (FGSM) was kept at 0.1, adversarial training improved the fine-tuned VGG16’s performance on adversarial images by around 18% (i.e., from 76.6% to 94.82%), while simultaneously improving the classifier’s performance on fruit images corrupted with ‘salt and pepper’ noise by around 8% (i.e., from 69.82% to 77.85%). Other reported results also follow this pattern and demonstrate the effectiveness of adversarial training as a means of enhancing the robustness of fruit image classifiers.


Introduction
Fruit image classification is a challenging problem as fruits come in a variety of different shapes, colors, sizes, and textures. For example, fruits of different species can appear very similar and so be hard to distinguish from one another. It is also possible for fruits of the same species to look very different from each other and so appear to belong to different species. Such properties of fruit images make precise fruit image classification a significant challenge [1]. However, an efficient, accurate as well as robust fruit image classification system can have a variety of real-world applications despite such inherent problems in accurate identification. One possible and much needed application of such a system is fruit price determination at supermarkets, grocery stores, etc. In such scenarios, a fruit image classification system may be integrated with a camera and a weighing machine to automatically calculate the price to be paid. Another possible utility of such a system is in a smartphone 'app' that enables users to capture fruit images. Such an app would then recognize the fruit type and provide dietary advice to the user based upon his/her health condition and the nutritional content of the fruit [1]. Robust and efficient fruit classification models may also be incorporated into robots that perform tasks such as harvesting, fruit sorting, etc.
In recent years, deep learning has been exploited by researchers as a means of fruit image classification and their results have been impressive [1-5, 44, 45, 50-56]. Relevant literature [2,3] indicates that a CNN-based deep learning approach produces significantly better results than previously applied shallow-learning techniques [6][7][8]. CNNs provide high levels of abstraction and enable automatic feature learning [10]. Since CNNs can 'learn' features by themselves, they normally require far less data preprocessing, i.e., they do not require the hand-crafted features that shallow-learning techniques require. Moreover, higher levels of abstraction enhance the discriminative features of images and suppress irrelevant variations enabling CNNs to produce better classification results. However, despite achieving remarkable accuracies, CNNs are highly susceptible to adversarial attacks [15][16][17]. Such attacks typically involve the addition of small perturbations to original images. Although such perturbations are usually almost imperceptible to the human eye, they can cause a CNN to misclassify input images. Therefore, CNN models should also be resilient enough to withstand such adversarial attacks.
The paper demonstrates the vulnerability of fruit image classification models to adversarial attacks. It also experimentally proves that adversarial training can enhance the robustness of deep-learning-based fruit image classifiers. The empirical evidence presented in this paper strongly suggests that adversarial training not only enables fruit image classifiers to resist adversarial attacks, in particular those crafted through FGSM, but also improves classifiers' robustness against other noise forms, i.e., 'Gaussian', 'Salt and pepper' and 'Speckle'. In addition, a publicly available dataset of challenging fruit images, called IndusFruits, is introduced, which contains fruit images from a wide variety of realistic settings. The dataset can be easily extended to include more fruit classes as well as more challenging fruit images to classify.
The contributions of this paper are as follows:
1. A publicly available dataset of 3640 fruit images belonging to 7 fruit classes. The images in the dataset are specifically chosen so that their classification poses a challenge for the proposed CNN models. The dataset is called IndusFruits.
2. Three proposed CNN architectures for classifying IndusFruits images. Two of the proposed CNN architectures are based on ImageNet pre-trained CNNs while the third CNN is custom designed and is called IndusNet. The performance and efficiency of these CNNs on IndusFruits images are compared and analyzed.
3. The performance of the three CNNs when subjected to adversarial attacks is analyzed. All adversarial examples are generated using FGSM [18].
4. Adversarial training of the three proposed CNNs is performed and the performance of the resulting models on regular and adversarial images is presented. It is shown empirically that adversarial training can improve the resilience of fruit-classification models against FGSM-based attacks.
5. In addition, the performance of fruit-classification models on fruit images corrupted with random noise is presented. The three different random noise forms exploited are: 'Gaussian noise', 'Salt and pepper noise' and 'Speckle noise'. Empirical evidence suggests that adversarial training not only provides robustness against adversarial attacks but can also help improve a model's resilience on images corrupted with random noise.
The structure of the remaining paper is as follows. Section 2 presents the literature review. Section 3 presents the IndusFruits dataset together with the techniques and the methodology exploited in the research work undertaken. Section 4 presents and analyzes the results obtained. Finally, Sect. 5 briefly discusses the key findings and limitations of the research study along with some associated directions for future work.

Related work
This section explores how deep learning has been exploited to solve the fruit image classification problem. A research study by Zhang et al. [2] involved the construction of a 13-layer deep CNN for classifying fruit images. The dataset size was 3600 images of 18 fruit types. The images were 'cleaned' by moving the fruit to the center of each image and also by removing the background from each image. The model's accuracy was 94.94% which was significantly higher than the shallow-learning techniques previously applied on the same dataset [6][7][8]. Wang and Chen [3] have tried to improve the work presented in [2] by incorporating two major changes: (1) parametric rectified linear units were used instead of plain rectified linear units, and (2) a dropout layer was placed before each fully connected layer to help overcome overfitting. Their CNN consisted of 17 layers of which 8 had trainable weights and biases. The same dataset of [2] was also used in [3]. The model of [3] produced an accuracy rate of 95.67% which was 0.73% better than the accuracy rate reported for the model in [2]. Hossain et al. [1] proposed two different deep learning architectures for fruit image classification. The first was a light model consisting of six convolutional layers designed by Hossain et al. [1] themselves. The second was a fine-tuned VGG16 pre-trained model. The dataset exploited consisted of 2633 fruit images (with simple and clear backgrounds) belonging to 15 different fruit classes. The same dataset was used in [11,12]. The performance of both the proposed models of [1] was better than the previous systems [11,12] evaluated on the same dataset. In [4], Siddiqi presented fourteen different deep learning models for fruit image classification. Thirteen of those models were based on an ImageNet pre-trained network and only one called FruitNet was custom designed. The dataset used was Fruits 360 [13,14] which comprises 69,802 fruit images with 101 different fruit classes.
The fine-tuned VGG16 model achieved the best validation accuracy rate of 99.8%. No test set accuracy rate was reported for the models evaluated in [4] whose main limitation was that fruit images were very simple with clear, homogeneous backgrounds. In [5], Ponce et al. evaluated six different CNN architectures for olive fruit variety classification. The dataset used consisted of 2800 images belonging to seven different olive varieties (400 per each of the seven varieties). All the six CNN architectures exploited were based on ImageNet pre-trained models. The best test set accuracy rate of 95.91% was produced when using the Inception-ResNetV2 architecture.
Rojas-Aranda et al. in [44] have attempted to create a lightweight CNN-based fruit image classifier by exploiting transfer learning and the MobileNetV2 pre-trained model. The use of additional input features like the single RGB color, the RGB histogram, and the RGB centroid using K-Means is also evaluated in [44]. These additional features are fed to the model besides the original fruit image. The models are trained and evaluated on a self-created dataset of 1067 images belonging to three different fruit classes: 'apple', 'orange', and 'banana'. In all cases, the fruits were placed over a stainless steel sheet and the images were taken from above. In some cases, fruits were kept inside a transparent plastic bag while in others there was no plastic bag. The CNN model that exploited a single RGB color as an additional input feature reported the best classification accuracy of 95% on fruit images without a plastic bag and 93% on images where fruits were imaged inside a plastic bag.
Katarzyna and Pawel [45] have proposed a double-track method based on two nine-layer CNNs for the classification of fruit varieties. The first CNN classifies the original fruit image with background and the second CNN classifies the Region of Interest (ROI) images that consist of a single fruit. An ROI image is obtained using an object detection technique that identifies a single fruit in the original image. Subsequently, the classification results from the two tracks are aggregated using proposed weights and the predicted class is returned with a Certainty Factor (CF). The dataset used consisted of six apple varieties with each image showing one or more apples of a particular variety placed on a silver tray, with the lighting condition varying from image to image. Very high classification accuracy of 99.78% has been reported in [45].
Considerable related research work has also addressed the process of fruit grading [50][51][52][53]. In [50], the classification of sour lemons was performed by exploiting data augmentation and a stochastic pooling mechanism in CNN. The dataset consisted of two classes: 'healthy' and 'damaged'. The total dataset size was 341 sour lemon images (185 in the 'healthy' category and 156 in the 'damaged' category). The dataset size was inflated to 5456 images using data augmentation. Data preprocessing involved: 1) deleting the image background, and 2) resizing images to lower resolutions. Simulation results indicate that the CNN with stochastic pooling layers can classify sour lemons with 100% accuracy. This performance was much better than the performances of other classification algorithms on the same sour lemon dataset. In [51], classification of cherry fruit images into one of two classes, i.e., 'regular shape' and 'irregular shape', was performed via a CNN containing hybrid pooling layers. The hybrid pooling approach produced better accuracy of 99.4%, higher than the accuracies of all the other algorithms evaluated on the same dataset. The cherry fruit dataset consisted of 719 cherry images (307 'regular shape' images and 412 'irregular shape'). All the images were cleaned and resized to lower resolutions. As in [50], the cherry fruit dataset was also inflated using data augmentation techniques. In [52], white and red mulberry fruit images were classified into one of the three maturity stages: 'unripe', 'ripe' and 'overripe'. For each image, the mulberry area was segmented to eliminate the fruit stem. The geometrical, color, and texture features of each segmented mulberry were extracted.
Dimension reduction was done using a feature reduction method and the reduced features were passed as input to an Artificial Neural Network (ANN) or a The image and weight of fruits and vegetables were obtained using a prototype apparatus specifically designed to simulate supermarket self-checkout. The fruit/vegetable weight is exploited for coarse classification from 15 classes down to three. The three classes are then used for AdaBoost-based optimization of CNNs for fine classification. The weights of the training samples for each coarse class were iteratively adjusted during the training process as per the AdaBoost optimization technique. GoogleNet (i.e., a deep CNN), MobileNet (i.e., a lightweight CNN) and a custom CNN (i.e., a weak classifier) have been optimized using the AdaBoost optimization technique. AdaBoost optimized custom CNN proved to be most effective and most efficient producing the best test set accuracy of 93.97%. In [56], Hameed et al. note that intra-class variations and inter-class similarities limit the CNN's ability to estimate complex hyper-planes for fruit and vegetable classification. To resolve this issue, a class distribution-aware adaptive margins approach with cluster embedding has been proposed in [56]. The introduction of the proposed approach has resulted in significant improvements in classification and clustering effectiveness. Table 1 summarizes the related work [1-5, 44, 45, 50-56].
Having briefly described recent research in fruit image classification [1-5, 44, 45, 50-56], it is important to highlight the overall limitations of the approaches used and to identify areas of research not present in the relevant literature. For this purpose, two specific short-comings in the research work outlined above have been identified: 1. All the referenced fruit image classification systems have only been trained and evaluated on simple fruit images with clear, homogenous background (as in [1][2][3][4][5][50][51][52][53][54][55][56]) or fruit images with limited complexity photographed in a controlled laboratory setting (as in [44,45] The research study presented in this paper attempts to overcome these two shortcomings.

Materials and methods
This section presents the dataset and the methodology used and is further sub-divided into five sub-sections. Details about the IndusFruits dataset are presented in Sect. 3.1. The three proposed CNNs are presented in Sect. 3.2. Section 3.3 overviews how adversarial samples are generated using FGSM. Section 3.4 presents adversarial training as a potential technique to withstand adversarial attacks. Finally, Sect. 3.5 indicates how the effectiveness of adversarial training on the overall robustness of the models will be evaluated.

IndusFruits dataset
IndusFruits is a self-created, publicly available dataset. The images of the dataset are collected from the internet. The total number of images in this dataset is 3640, distributed among 7 classes. The 7 fruit classes exploited are: 'apple', 'banana', 'grape', 'mango', 'orange', 'strawberry' and 'watermelon'. The dataset is sub-divided into 'train', 'validation', and 'test' subsets. The images are randomly sub-divided into the three subsets. Table 2 gives the distribution of images in the dataset. The images are resized to a 100 × 100 matrix. Each image is manually labeled to one of the 7 fruit types. Table 3 shows various varieties exploited for each of the fruit classes found in the dataset. The purpose of using multiple varieties for the same fruit class is to train the classifiers for variations in color, shape, etc. found within a given fruit type. For example, 'Crimson Sweet' and 'Charleston Gray' are two varieties of watermelon included in the dataset. Figure 1 depicts a sample image for each of the two varieties. The variation in color, shape, and size may easily be noted. A classifier trained on such data will be more resilient in practical scenarios.
The dataset images have been carefully chosen to provide a challenge to the proposed fruit image classifiers. The dataset includes images that contain fruits hanging from trees with leaves and other tree parts appearing as background. It also contains images showing piles of fruits, fruits cut in half, sliced fruits, partially occluded fruits, decaying fruits, peeled fruits, etc. In many images, the fruits are inside plastic bags or some other form of packaging. Most of the images in the dataset have complicated non-homogenous backgrounds. Figure 2 shows      ) and (x) depict piles of fruits. Thus, IndusFruits is a diversified collection of challenging fruit images. It is also important to note that each image in the dataset belongs to only a single fruit class. So if there are multiple fruits in an image, they all are of a single fruit type. Since the dataset is publicly available, it may also be exploited for benchmarking purposes in future research works.

Proposed image classifiers for IndusFruits dataset
Three CNNs are proposed for the classification of IndusFruits dataset images, i.e.:
1. IndusNet: a custom-designed CNN
2. Fine-tuned VGG16
3. Fine-tuned MobileNet
Figure 3 depicts the structure that is common to all three proposed CNNs, i.e., each CNN comprises two components: a feature extractor and a classifier. For all three CNNs, the classifier consists of two dense layers and a dropout layer after the first dense layer. However, the architecture of the feature extractor is different for each of the three proposed CNNs. For the two fine-tuned CNNs, the pre-trained feature extractors of VGG16 and MobileNet are exploited, respectively. For IndusNet, the feature extractor is custom-designed.
The proposed CNNs are described in some more detail in Sects. 3

IndusNet
IndusNet is a customized, sequential CNN of twenty layers. As stated earlier, IndusNet is composed of two main components: 1) a feature extractor and 2) a classifier. The feature extractor consists of a sequence of convolutional and pooling layers. It is followed by the classifier that consists of densely connected layers. In total, the IndusNet's feature extractor consists of sixteen layers while the classifier is made up of four layers. The sixteen layers of the feature extractor may be sub-divided into three convolutional blocks with each convolutional block consisting of a few convolutional layers followed by a 2 × 2 max-pooling layer and a dropout layer. Dropout layers are added to prevent overfitting.
Out of the IndusNet's twenty layers, only twelve layers have parameters, i.e., only convolutional layers and fully connected layers have learnable weights and biases. Pooling layers and dropout layers have no parameters. In total, IndusNet has approximately 4 million parameters. Table 4 provides details of IndusNet's structure.
IndusNet has been designed to prevent both underfitting and overfitting. Initial experiments exploited lighter architectures for IndusNet, i.e., the number of convolutional layers and the number of filters per layer were kept low. To improve test set accuracy, the number of convolutional layers and the filters per layer were gradually increased. The structure presented in Table 4 produced the best test set accuracy. Increasing the network capacity further does not provide any improvement in accuracy.

Fine-tuned VGG16
VGG16 [20] is a pre-trained CNN that is exploited to classify IndusFruits images. VGG16 network has a relatively simple architectural design: 3 × 3 convolutional layers are stacked on top of each other. In total, the original VGG16 network has 16 weight layers (13 convolutional layers and 3 fully connected layers). Convolutional layers are grouped into convolutional blocks with each block containing 2 or 3 convolutional layers. Each convolutional block is followed by a 2 × 2 max-pooling layer. VGG16 network has been originally trained on a large image dataset called ImageNet [21] consisting of 1.4 million labeled images and 1000 different classes. The VGG16 network is repurposed and fine-tuned for the IndusFruits image classification task. To achieve this, the techniques of transfer learning [22] and fine-tuning [19] are exploited. The resulting fine-tuned VGG16 network has around 14.8 million parameters, i.e., the number of parameters for this network is much higher than the other two proposed networks. This results in higher computational costs, in terms of both time and space.

Fine-tuned MobileNet
MobileNet is an efficient, lightweight pre-trained model that is suitable for mobile vision applications [23]. MobileNet's architecture is based on depth-wise separable convolutions that enable a reduction in the model's size and its parameters. Like VGG16, MobileNet has also been originally trained on ImageNet [21] dataset. Despite MobileNet's much smaller size and efficient architecture, its accuracy rates on ImageNet are comparable to the VGG16's accuracy rates on the same dataset, i.e., MobileNet is more efficient with comparable effectiveness.
For the research presented in this paper, the MobileNet network is repurposed and fine-tuned for the IndusFruits image classification task. Unlike the fine-tuned VGG16 network (see Sect. 3.2.2), the fine-tuned MobileNet network has approximately 3.5 million parameters.

Training of the proposed models
All the three proposed CNNs are trained and tested on a Windows PC with Intel Core i7 7700HQ processor and 16 GB RAM. NVIDIA's GeForce GTX 1050 Ti is used as the Graphics Processing Unit. Software development for the research undertaken exploits the TensorFlow version 2.3.0 library.
IndusFruits image classification is a multiclass, single-label classification problem. Thus, the training of all the three proposed CNNs was performed using 'categorical cross entropy' as the loss function and 'softmax' as the last layer activation. 'Adam' is used as the optimizer because it works faster and more effectively than other stochastic optimization methods [24,25].
IndusNet training differs from the training of the other two CNNs. Since IndusNet is a custom designed CNN with all its weights randomly initialized, it needs to be trained from scratch. For this reason, all the IndusNet layers are kept unfrozen during training. Glorot uniform initializer [26] is used to initialize the weights of IndusNet. The network is trained for 400 epochs with a learning rate of 1e-4. Figure 4 depicts IndusNet's training and validation accuracy curves with respect to the training epochs. The two curves do not demonstrate significant divergence, i.e., the two curves stay close together throughout the 400 training epochs. This indicates that overfitting is well-contained even though IndusFruits is a relatively small dataset.
Both the fine-tuned CNNs are assembled by adding an untrained classifier to a pre-trained feature extractor. The untrained classifier is first trained by keeping all the layers of the feature extractor frozen. This is done for 200 epochs with a learning rate of 1e-4. The network is then fine-tuned by unfreezing several latter layers of the feature extractor and training the network for another 200 epochs with a lower learning rate of 5e-5. The reason for only unfreezing the latter layers is that the initial layers represent general features and are more transferable to another problem [27] similar to IndusFruits image classification. The latter layers, however, are meant to represent more abstract, task-specific features [27] and therefore require fine-tuning. Figures 5 and 6 depict the training and validation accuracy curves that are generated when VGG16 and MobileNet are fine-tuned, respectively. The training and validation curves stay close together in both cases indicating that there is no significant overfitting during the fine-tuning process.
Data augmentation has also been exploited during the training of all the three proposed CNNs. It helps to artificially inflate the training set and therefore helps to improve the generalization power of deep learning models [28,29]. To train the three proposed CNNs, new training images are generated from existing images by applying transformations [30] to existing images. The following transformations have been exploited in the generation of new training images:

Generation of adversarial samples
Despite their high accuracy, deep learning models are vulnerable to adversarial attacks [31,32]. In order to evaluate   Adversarial attacks differ in terms of their attack scenarios as well as their capabilities [31]. An adversary may launch an attack during the testing phase, i.e., an evasion attack [33]. This can be done by crafting adversarial samples and testing the CNN on such samples. However, an adversarial attack may also occur at train(ing) time. Such an attack is called a poisoning attack. Poisoning attacks are achieved by contaminating the training data and as a result, this affects the model's learning process.
In terms of adversarial capabilities, adversarial attacks are classified into white-box and black-box attacks. In a white-box attack, an adversary has total knowledge about the model and its parameters. On the contrary, an adversary has no knowledge about the model in a black-box attack.
For the research undertaken, the three proposed CNNs are subjected to white-box attacks. Since the adversary can access model weights during these attacks, the attacks are considered very strong [31]. Moreover, these attacks take place during the testing phase, i.e., they are evasion attacks. The adversarial goal is to change the predicted class of an input sample to any class different from the original class. For example, the adversary will attempt to cause a 'grape' image to be predicted as any other class different from the 'grape' class.
The method of adversarial sample generation is now described. The adversary generates an adversarial sample X' by adding a perturbation δX to the original sample X. If F is the proposed model under consideration, then F(X') ≠ F(X). δX is generated using a two-step process:
1. Direction Sensitivity Estimation: The sensitivity of a class change with respect to each feature of X is evaluated. This involves identifying directions in the data manifold around X where F is most sensitive and will likely result in misclassification.
2. Perturbation Selection: The direction sensitivity information is then exploited to select δX among the input dimensions. δX needs to be as small as possible so that the perturbed sample X' closely resembles the original sample X.
To generate adversarial samples for the three proposed CNNs, an efficient technique called Fast Gradient Sign Method (FGSM) [18] is exploited. FGSM can efficiently perform the two-step perturbation generation process mentioned above. More precisely, it involves calculating the gradient of the cost function with respect to the network input. The adversarial samples are generated based on the following equation:
$$X' = X + \epsilon \cdot \mathrm{sign}(\nabla_x J(X, y_{true}))$$
In this equation, J is the cost function, ∇_x J is the gradient of the cost function with respect to a normal input sample X with the true label y_true, and ε denotes the perturbation's amplitude. Figure 7 and Fig. 8 depict some sample adversarial images generated via FGSM. The first image in both the figures is an original fruit image from the IndusFruits dataset. Each of the adversarial samples corresponds to some ε value. For the research undertaken, four ε values have been exploited: 0.05, 0.1, 0.15, and 0.2. ε helps to scale down the magnitude of the perturbation added to an image.

Adversarial training
The robustness of CNNs against adversarial samples can be improved with adversarial training [17,18]. Adversarial training is based on using adversarial images in addition to clean images for training deep learning models. Adversarial training is often accepted as the first line of defense against adversarial attacks [17,18,34]. It has been established in relevant literature [35] that adversarial training
Adversarial training of the three proposed CNNs has been performed to improve their robustness. This is achieved by fine-tuning the proposed models on a training set that includes both adversarial images and clean images. The number of adversarial images and clean images exploited is equal in each case.
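The FGSM equation and the adversarial-training recipe described above (equal numbers of clean and adversarial images), as an added example that is not the paper's code. A small linear softmax classifier on constructed data stands in for the CNNs; the [0, 1] pixel range with clipping, the re-crafting of adversarial images every epoch, and all function names are assumptions.

```python
import math
import random

def predict(W, b, x):
    """Class probabilities F(x) of a linear softmax classifier."""
    z = [sum(w * v for w, v in zip(row, x)) + bk for row, bk in zip(W, b)]
    m = max(z)
    e = [math.exp(v - m) for v in z]
    total = sum(e)
    return [v / total for v in e]

def loss(W, b, x, y):
    """Categorical cross-entropy J(x, y_true) for the integer label y."""
    return -math.log(max(predict(W, b, x)[y], 1e-12))

def input_gradient(W, b, x, y):
    """Gradient of J with respect to the input x: W^T (p - onehot(y))."""
    p = predict(W, b, x)
    p[y] -= 1.0
    return [sum(p[k] * W[k][i] for k in range(len(W))) for i in range(len(x))]

def fgsm(W, b, x, y, eps):
    """X' = X + eps * sign(grad_x J(X, y_true)), clipped to [0, 1] (assumed pixel range)."""
    g = input_gradient(W, b, x, y)
    return [min(1.0, max(0.0, v + eps * ((gi > 0) - (gi < 0)))) for v, gi in zip(x, g)]

def train(W, b, data, epochs, lr):
    """Plain SGD on the cross-entropy loss; updates W and b in place."""
    for _ in range(epochs):
        for x, y in data:
            p = predict(W, b, x)
            p[y] -= 1.0  # dJ/dz = p - onehot(y)
            for k in range(len(W)):
                b[k] -= lr * p[k]
                for i in range(len(x)):
                    W[k][i] -= lr * p[k] * x[i]

def accuracy(W, b, data):
    hits = 0
    for x, y in data:
        p = predict(W, b, x)
        hits += p.index(max(p)) == y
    return hits / len(data)

def adversarial_batch(W, b, data, eps):
    """Clean images followed by one FGSM image per clean image (equal counts)."""
    return data + [(fgsm(W, b, x, y, eps), y) for x, y in data]

def make_prototypes(rng, n_classes=3, dim=16):
    """Constructed stand-in for fruit classes: one prototype vector per class."""
    return [[rng.uniform(0.3, 0.7) for _ in range(dim)] for _ in range(n_classes)]

def sample(rng, protos, n_per_class, noise=0.05):
    """Constructed samples: noisy copies of each class prototype, kept in [0, 1]."""
    return [([min(1.0, max(0.0, v + rng.gauss(0.0, noise))) for v in p], k)
            for k, p in enumerate(protos) for _ in range(n_per_class)]

def run_demo(eps=0.1, seed=0):
    """Accuracy on clean and FGSM test samples before and after adversarial training."""
    rng = random.Random(seed)
    protos = make_prototypes(rng)
    train_set, test_set = sample(rng, protos, 40), sample(rng, protos, 20)
    W = [[0.0] * len(protos[0]) for _ in protos]
    b = [0.0] * len(protos)
    train(W, b, train_set, epochs=30, lr=0.1)
    result = {
        "clean_before": accuracy(W, b, test_set),
        "fgsm_before": accuracy(W, b, [(fgsm(W, b, x, y, eps), y) for x, y in test_set]),
    }
    for _ in range(30):
        # White-box setting: adversarial images are crafted against the current weights.
        train(W, b, adversarial_batch(W, b, train_set, eps), epochs=1, lr=0.1)
    result["clean_after"] = accuracy(W, b, test_set)
    result["fgsm_after"] = accuracy(W, b, [(fgsm(W, b, x, y, eps), y) for x, y in test_set])
    return result

if __name__ == "__main__":
    for eps in (0.05, 0.1, 0.15, 0.2):  # the four amplitudes used in the paper
        print(eps, run_demo(eps=eps))
```

Because the cross-entropy of a linear softmax model is convex in the input, the FGSM step here can never lower the loss on the true label; for a deep CNN that holds only to first order.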

Robustness of the proposed models on other noise forms
Once adversarial training has been performed, the resulting CNN models are also evaluated on images that have been degraded using other forms of noise. This helps to demonstrate improvements in the overall robustness of the proposed CNNs as a result of adversarial training. Three different random noise models are selected for this purpose: 1. Gaussian-distributed additive noise Gaussian noise has a probability distribution function (PDF) equal to that of the normal distribution [39]. More precisely, PDF for Gaussian noise is given as: In this function, 'z' is the Gaussian random variable, 'µ' is the mean value and 'σ' is the standard deviation. The value of σ is directly proportional to the magnitude of Gaussian noise added. For the work presented in this paper, the σ value of 0.1 has been used to generate noisy images. Gaussian noise in digital images may arise during image acquisition (due to poor illumination, high temperature, etc.) and/ or during image transmission (due to electromagnetic interferences) [40]. Each noisy image f(i, j) is the sum of the original image s(i, j) and the Gaussian noise n(i, j): f (i, j) = s(i, j) + n(i, j)

Salt and pepper noise
This type of noise results in image degradation by replacing some random pixels of the image with 1 or 0 (i.e., black or white dots) [41]. The proportion of image pixels to replace with noise may vary. For the experiments presented in this paper, the proportion of noisy pixels is kept at 0.05 i.e., 5%. Out of all the noisy pixels in a degraded image, 50% are white dots (i.e., 'salt'), while the remaining 50% are black dots (i.e., 'pepper'). A possible cause of 'salt and pepper' noise is highamplitude intermittent electrical interference during image transmission.

3. Speckle noise
This type of noise arises in digital images during image acquisition [42]. This is mainly due to the effect of environmental conditions on imaging sensors. Speckle noise is modeled as multiplicative noise [43], i.e., each noisy image f(i, j) is the sum of the original image s(i, j) and the product of the original image s(i, j) and the Gaussian noise n(i, j): For the work presented in this paper, the Gaussian noise has zero-mean and the σ is 0.1.

Figure 9 shows an original 'banana' class image from the IndusFruits dataset. Three corresponding noisy images are also shown together with the original image. Each of the noisy images contains one of the noise forms described above.
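
The three noise models above, with the parameters stated in this section, can be applied to a test batch as in the following added example (not the paper's code). Images are assumed to be float arrays scaled to [0, 1]; clipping back into that range, replacing whole pixels across all channels, the function names and the constructed demo images with their brittle decision rule are assumptions made for the illustration.

```python
import numpy as np

def gaussian_noise(s, rng, sigma=0.1):
    """f = s + n, n ~ N(0, sigma^2); clipping to [0, 1] is an added assumption."""
    return np.clip(s + rng.normal(0.0, sigma, s.shape), 0.0, 1.0)

def salt_and_pepper(s, rng, amount=0.05):
    """Replace `amount` of the pixels: half with 1 (salt), half with 0 (pepper)."""
    h, w = s.shape[:2]
    idx = rng.choice(h * w, size=int(round(amount * h * w)), replace=False)
    rows, cols = np.unravel_index(idx, (h, w))
    half = idx.size // 2
    f = s.copy()
    f[rows[:half], cols[:half]] = 1.0   # salt: all channels of the pixel
    f[rows[half:], cols[half:]] = 0.0   # pepper
    return f

def speckle_noise(s, rng, sigma=0.1):
    """f = s + s * n with zero-mean Gaussian n (multiplicative noise)."""
    return np.clip(s + s * rng.normal(0.0, sigma, s.shape), 0.0, 1.0)

NOISE_MODELS = {"clean": lambda s, rng: s, "gaussian": gaussian_noise,
                "salt_and_pepper": salt_and_pepper, "speckle": speckle_noise}

def accuracy_by_noise(predict, images, labels, seed=0):
    """Accuracy of `predict` on the clean batch and on each corrupted copy."""
    rng = np.random.default_rng(seed)
    report = {}
    for name, corrupt in NOISE_MODELS.items():
        batch = np.stack([corrupt(s, rng) for s in images])
        report[name] = float(np.mean(predict(batch) == labels))
    return report

def demo():
    """Constructed 40x40 RGB images: class 1 carries a bright 4x4 patch."""
    images = np.full((20, 40, 40, 3), 0.3)
    labels = np.arange(20) % 2
    images[labels == 1, 10:14, 10:14, :] = 0.95
    # Hypothetical brittle rule: "any very bright value means class 1".
    predict = lambda batch: (batch.max(axis=(1, 2, 3)) > 0.85).astype(int)
    return accuracy_by_noise(predict, images, labels)
```

Passing a real model's batch prediction function as `predict` gives the per-noise accuracy figures in the form used for the later noise tables.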

Performance on clean images
The performance of the three proposed CNNs on the original images of IndusFruits dataset is given in Table 5. First, we consider how test set accuracy and one-vs-one Receiver Operating Characteristics (ROC) Area Under Curve (AUC) score have been calculated. Test set accuracy is computed using the following formula: where C is the number of correctly classified test samples and N is the total number of test samples. One-vs-one ROC AUC is computed based on the algorithm defined in [36]. The algorithm of [36] computes the average AUC of all possible pairwise combinations of classes. This is done using the following formula: where c is the number of classes and AUC(j|k) is the AUC with class j as the positive class and class k as the negative class. The higher the one-vs-one ROC AUC score, the better the classifier.
Fine-tuned VGG16 is the best performing CNN with an accuracy rate of 0.9482 and a one-vs-one ROC AUC score of 0.9693. Despite having the highest accuracy rate, fine-tuned VGG16 is also the 'heaviest' model due to its significantly large number of parameters. IndusNet, on the other hand, has produced the lowest test set accuracy as well as the lowest ROC AUC score. The performance of the other two CNNs is noticeably better than IndusNet's performance. As already stated in Sect. 3.2, the main difference between IndusNet and the other two models is that the fine-tuned models are based on transfer learning (and subsequent fine-tuning) while IndusNet is trained from scratch. It has been empirically shown [27] that transferring features normally results in a more effective model. This phenomenon is particularly true where the target dataset (e.g. IndusFruits) is much smaller than the base dataset (e.g. ImageNet). In such cases, transfer learning is a useful tool to help prevent overfitting. This explains the reason behind the relatively inferior performance of IndusNet.

Table 5 also presents the time taken to evaluate each of the three CNNs on the IndusFruits test set. To be more precise, there are 560 images in the test set, and in each step of the evaluation process, 8 images are used, i.e., a batch size of 8 was used. So, the test time given in Table 5 is the time taken by a particular model to make class predictions for a single batch, i.e., 8 images. It can be easily inferred from Table 5 that the fine-tuned MobileNet is much more efficient than the other two CNNs. The key reason behind this efficiency is the use of depth-wise separable convolutions in the fine-tuned MobileNet CNN. Contrary to this, IndusNet and the fine-tuned VGG16 CNNs are entirely based on normal convolutions.
Siddiqi [37] has demonstrated the efficiency of depth-wise separable convolutions over normal convolution by comparing the total number of multiplications required by the two convolution types. The ratio of the required multiplications is given as: N is the number of output channels and $n_k$ is the kernel size. So if N is 256 and $n_k$ is 3, R will be 0.115, i.e., there will be approximately 8.7 times more multiplications in the case of normal convolution when compared with a depth-wise separable convolution of the same configuration. In addition, Guo et al. [38] have also mathematically proven that depth-wise separable convolutions can approximate a normal convolution which in turn explains why the fine-tuned MobileNet CNN is reasonably effective despite having much fewer parameters.
Class predictions made by the three proposed models for some sample images of the dataset are given in Figs images along with the predicted class and the true class for each image. An example of misclassification is included in each figure to illustrate the limitations of the proposed models. For example, the 'grape' image of Fig. 10(b) is misclassified as 'strawberry' by IndusNet. This is probably due to the red label(s) on the plastic packaging of grapes.

Confusion matrices, given in Fig. 13 below, illustrate the class-wise performance of the three proposed CNN models. Overall, the three classifiers seem to be least effective at correctly classifying 'mango' images while being most effective at recognizing 'strawberry' images. A lower recognition rate for a particular class is arguably due to relatively higher intra-class variations or more inter-class similarities present in images. It may also be due to some underlying limitations of a particular CNN model. Indeed, some classes are better recognized by a particular model. For example, 'watermelon' class images are most correctly recognized by IndusNet while 'orange' images are best recognized by fine-tuned VGG16. However, a subtle but important point to consider here is that while IndusNet has correctly classified 79 out of 80 'watermelon' images, it has also produced 9 false positives for the 'watermelon' class. This indicates that the model is slightly biased toward the 'watermelon' class. A similar phenomenon can also be observed for the fine-tuned VGG's recognition of the 'orange' class images. The model correctly classifies 79 out of 80 'orange' class images but there are 5 false positives as well.

Performance on adversarial images
As indicated in the relevant research literature [31,32] and also in Sect. 3.3, deep learning models are susceptible to adversarial attacks, e.g., attacks based on FGSM [18]. Figure 14 demonstrates examples of adversarial attacks on the three proposed CNN models. All of the three models correctly recognize the original, clean images with high confidence. After adding perturbations to the original images, the perturbed images are misclassified with high confidence by the three models. All the attacks of Fig. 14 exploited FGSM and an ε value of 0.1.

Table 6 summarizes the performance of the three proposed CNN models on adversarial images when no adversarial training of the networks has been performed. Four different magnitudes of perturbation (i.e., four different ε values) are exploited. It can be easily seen that for each proposed model, the accuracy rate declines with the increasing ε value of perturbation. This is an expected trend. Moreover, fine-tuned VGG16 and IndusNet appear to be relatively more resilient to the added perturbations. However, fine-tuned MobileNet's performance appears to be much more degraded. For example, at ε = 0.2, fine-tuned MobileNet's accuracy rate is 20% less compared to the fine-tuned VGG16. This may be due to the use of depth-wise separable convolutions in MobileNet. The number of parameters in such a convolution is much lower than a normal convolution which in turn results in a more fragile model.

Impact of adversarial training on the robustness of the CNN models
Adversarial training involves fine-tuning the proposed models with a training set that consists of both the original, clean images as well as the generated adversarial images. For each original image of the IndusFruits dataset, four adversarial images are generated corresponding to the four ε values. In this way, there are four new training sets each one consisting of the original, clean images as well as the newly generated adversarial images of a particular ε value. Once adversarial training has been Tables 7 and 8. Table 7 indicates that the performance of the resulting CNN models on the original, clean test images is comparable to the performance of the corresponding models with no adversarial training (see Table 5 for performance when no adversarial training has been performed). This means that even after adversarial training, the resulting CNN models can recognize the original, clean images with reasonable effectiveness. Moreover, Table 8 shows that the resulting CNN models can now also recognize perturbed images with much higher accuracy rates (see Table 6 for the performance before adversarial training). After adversarial training, fine-tuned VGG16 models are best at recognizing perturbed images. For the other two categories of models, i.e., IndusNet and fine-tuned MobileNet, the accuracy rates on the perturbed images are lower and gradually decline further with increasing ε value.

After proving that adversarial training is an effective defense mechanism against FGSM attacks, it is also worth evaluating the impact of adversarial training on model performance against fruit images containing random noise. Three random noise models are exploited for this purpose, i.e., 'Gaussian', 'Salt and Pepper', and 'Speckle' noise. These noise models are briefly overviewed in Sect. 3.5 and are selected because they are very common and normally arise in images during image acquisition and/or transmission [39-43].
Tables 9, 10 and 11 demonstrate that the performance of the proposed models significantly improves on random noise images as a result of adversarial training. However, the degree of performance improvement is not consistent and varies from case to case. For example, the accuracy rate of the fine-tuned MobileNet against 'Gaussian' noise images has improved by around 12% as a result of adversarial training (see Table 9). Contrary to this, fine-tuned VGG16 has only improved by around 2.3% on 'Speckle' noise images as a result of adversarial training (see Table 11). Nevertheless, there is performance improvement on noisy images in all the cases after adversarial training has been performed, i.e., adversarial training not only improves model robustness on adversarial images, it also enhances robustness on images containing random noise.
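
The fine-tuning procedure described in this section, as an added illustration that is not the paper's code: a constructed linear classifier (not one of the three CNNs) is trained, attacked with FGSM at ε = 0.2, fine-tuned on equal numbers of clean and FGSM samples, and then attacked again with perturbations crafted against the hardened weights. The synthetic data, the logistic model, the omission of pixel-range clipping and all function names are assumptions made for the example.

```python
import numpy as np

EPS = 0.2  # FGSM perturbation amplitude

def make_data(n, seed, k=200):
    """Constructed data: one strong feature plus k weak ones; labels are -1/+1."""
    rng = np.random.default_rng(seed)
    y = rng.choice([-1.0, 1.0], size=n)
    X = np.empty((n, k + 1))
    X[:, 0] = y                                   # strongly predictive feature
    X[:, 1:] = 0.1 * y[:, None] + rng.normal(0.0, 0.05, (n, k))
    return X, y

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def fit(X, y, w=None, lr=0.5, steps=200):
    """Gradient descent on the logistic loss J = log(1 + exp(-y * w.x))."""
    w = np.zeros(X.shape[1]) if w is None else w.copy()
    for _ in range(steps):
        p = sigmoid(-y * (X @ w))                 # -dJ/d(margin) per sample
        w += lr * (X * (y * p)[:, None]).mean(axis=0)
    return w

def fgsm(X, y, w, eps=EPS):
    """X' = X + eps * sign(grad_X J(X, y_true)) for the linear model w."""
    grad = -(y * sigmoid(-y * (X @ w)))[:, None] * w[None, :]
    return X + eps * np.sign(grad)

def accuracy(X, y, w):
    return float(np.mean(np.sign(X @ w) == y))

def run():
    Xtr, ytr = make_data(400, seed=0)
    Xte, yte = make_data(200, seed=1)
    w_std = fit(Xtr, ytr)
    # Adversarial training: fine-tune on equal numbers of clean and FGSM samples.
    X_mix = np.vstack([Xtr, fgsm(Xtr, ytr, w_std)])
    y_mix = np.concatenate([ytr, ytr])
    w_adv = fit(X_mix, y_mix, w=w_std)
    return {
        "clean_before": accuracy(Xte, yte, w_std),
        "fgsm_before": accuracy(fgsm(Xte, yte, w_std), yte, w_std),
        "clean_after": accuracy(Xte, yte, w_adv),
        # Re-craft the attack against the hardened weights (white-box check).
        "fgsm_after": accuracy(fgsm(Xte, yte, w_adv), yte, w_adv),
    }
```

Re-crafting the perturbations against the fine-tuned weights, rather than reusing those generated for the original model, keeps the after-training figure from overstating robustness.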

Validation of the effectiveness of adversarial training using the Fruits 360 dataset
It is critical to validate the key findings of this paper on a state-of-the-art dataset like Fruits 360 [13,14]. Fruits 360 is a large dataset of fruit and vegetable images comprising 131 classes and 90,483 images in total. 67,692 of these images belong to the train set, while the test set consists of   Figure 16 summarizes the results of evaluating the three models on clean and adversarial images of the test set. Figure 16a shows that as the magnitude of the perturbation is increased the performance of all three models declines. However, the performance of the fine-tuned MobileNet seems to be most affected as a result of the FGSM attacks, while the fine-tuned VGG16 and IndusNet demonstrated more resilience (see Fig. 16a). It should be noted that the performance of the three models was almost 100% on the original, unperturbed test images. This must be because the Fruits 360 images are much simpler than the IndusFruits images (compare Fig. 2 with Fig. 15). Figure 16b and Fig. 16c depict performance after adversarial training. The two graphs validate that adversarial training significantly improves performance on adversarial images (see Fig. 16c) while keeping the performance on clean images at reasonable levels (see Fig. 16b). More research is required to further improve the effectiveness of adversarial training.

Discussion
This paper presents a publicly available dataset of challenging fruit images, called IndusFruits. The dataset contains fruit images from a wide variety of realistic settings. Unlike the datasets used in past studies [1-9, 44, 45, 50-56], most fruit images in IndusFruits have a complex, heterogeneous background. Three CNN models are proposed for the dataset. The fine-tuned VGG16 model has proved to be the most accurate, while the fine-tuned MobileNet has turned out to be the most efficient. The vulnerability of the proposed models in the case of FGSM attacks and the effectiveness of adversarial training as a countermeasure has been empirically demonstrated. These findings have also been validated on a much larger fruit image dataset called Fruits 360. Besides, it has also been experimentally proven that adversarial training is not just an effective countermeasure against adversarial attacks, it also improves model resilience against random noise. No past study [1-9, 44, 45, 50-56] has considered the possibility of adversarial attacks and relevant countermeasures for fruit image classification models. Therefore, this study should encourage researchers to focus more on the security of such models rather than just focusing on model accuracy and/or efficiency.

The research study presented in this paper has some limitations as well. These limitations can form the basis for future research work. The following are the limitations identified, along with the associated directions for future work:

1. There may still be a possibility of achieving higher accuracy rates on the unperturbed, clean images of IndusFruits. A possible solution might be to use a different optimization technique, like AdaBoost-based optimization [55], to further reduce overfitting. Another possible solution may be to find a more optimal network architecture.
2. Very little preprocessing is done on the dataset images in this study. One possible preprocessing step that may be added to the classification process and that may help improve model accuracy is the separation of complex, heterogeneous background from the actual fruit in the image, i.e., background removal from the image. In this way, the image may be cleaned before it is fed into the CNN. This may be achieved through object detection [60] or semantic segmentation [61].
3. Adversarial training as a defense strategy has its own limitations as indicated in [46,47]. To address such limitations, Tramèr et al. [47] have introduced a better and more refined form of adversarial training called Ensemble Adversarial Training which has the potential to further improve model resilience by enabling more effective adversarial training.
4. It is also important to recognize that apart from FGSM there are numerous other types of adversarial attacks, e.g., Jacobian-based Saliency Map Attack (JSMA) [48] and One Pixel Attack [49], whose effectiveness and countermeasures in the context of fruit image classification need to be investigated.
5. The study only considers untargeted evasion attacks. Many other attack scenarios exist including friend-safe evasion attacks [57], multi-targeted evasion attacks [58], multi-targeted backdoor attacks [59] etc. Future research work on the security of fruit image classification models should consider these other attack scenarios.
6. Finally, this study is limited to adversarial examples that are only effective in the digital domain, i.e., adversarial examples generated through FGSM are only capable of deceiving a model in the digital domain. However, it is also possible to generate robust adversarial examples for the physical world [16,62]. In such an adversarial sample, the created perturbation is limited to a certain image area and the perturbation usually consists of inconspicuous colors. Future research work should consider physical world attacks in the context of fruit image classification.