Xiaoqing Chen,Lubin Meng,Yifan Xu,Dongrui Wu

DOI: https://doi.org/10.1088/1741-2552/ad8964

2024-10-30

Abstract:Objective. machine learning has achieved significant success in electroencephalogram (EEG) based brain-computer interfaces (BCIs), with most existing research focusing on improving the decoding accuracy. However, recent studies have shown that EEG-based BCIs are vulnerable to adversarial attacks, where small perturbations added to the input can cause misclassification. Detecting adversarial examples is crucial for both understanding this phenomenon and developing effective defense strategies.Approach. this paper, for the first time, explores adversarial detection in EEG-based BCIs. We extend several popular adversarial detection approaches from computer vision to BCIs. Two new Mahalanobis distance based adversarial detection approaches, and three cosine distance based adversarial detection approaches, are also proposed, which showed promising performance in detecting three kinds of white-box attacks.Main results. we evaluated the performance of eight adversarial detection approaches on three EEG datasets, three neural networks, and four types of adversarial attacks. Our approach achieved an area under the curve score of up to 99.99% in detecting white-box attacks. Additionally, we assessed the transferability of different adversarial detectors to unknown attacks.Significance. through extensive experiments, we found that white-box attacks may be easily detected, and differences exist in the distributions of different types of adversarial examples. Our work should facilitate understanding the vulnerability of existing BCI models and developing more secure BCIs in the future.

Yunhuan Li,Xi Yu,Shujian Yu,Badong Chen

DOI: https://doi.org/10.1109/mlsp55214.2022.9943479

2022-01-01

Abstract:Electroencephalogram (EEG) based brain-computer interfaces (BCIs) are becoming popular in clinical diagnosis applications. However, this raises a new issue on the robustness of deep neural networks-based BCIs against environmental noise and adversarial attacks. Unfortunately, there is no adversarial defense approach tailored for EEG adversarial robustness so far. In this work, we systematically evaluate the performance of 5 popular adversarial training (AT)-based defense approaches on three large-scale and real-world EEG datasets with 3 popular EEG classification models, under 3 different white-box attacks. Through extensive experiments, we demonstrate that the naïve AT is a promising adversarial defense approach in EEG-based BCIs. However, existing regularization terms originated from vision tasks do not generalize well to EEG signals. Our results shed light on the future development of the EEG adversarial defense approach.

Lubin Meng,Xue Jiang,Xiaoqing Chen,Wenzhong Liu,Hanbin Luo,Dongrui Wu

DOI: https://doi.org/10.1016/j.inffus.2024.102316

2024-12-10

Abstract:A brain-computer interface (BCI) enables direct communication between the brain and an external device. Electroencephalogram (EEG) is a common input signal for BCIs, due to its convenience and low cost. Most research on EEG-based BCIs focuses on the accurate decoding of EEG signals, while ignoring their security. Recent studies have shown that machine learning models in BCIs are vulnerable to adversarial attacks. This paper proposes adversarial filtering based evasion and backdoor attacks to EEG-based BCIs, which are very easy to implement. Experiments on three datasets from different BCI paradigms demonstrated the effectiveness of our proposed attack approaches. To our knowledge, this is the first study on adversarial filtering for EEG-based BCIs, raising a new security concern and calling for more attention on the security of BCIs.

Human-Computer Interaction,Machine Learning

Xiaoqing Chen,Ziwei Wang,Dongrui Wu

DOI: https://doi.org/10.1109/tnsre.2024.3391936

IF: 4.9

2024-05-01

IEEE Transactions on Neural Systems and Rehabilitation Engineering

Abstract:Machine learning has achieved great success in electroencephalogram (EEG) based brain-computer interfaces (BCIs). Most existing BCI studies focused on improving the decoding accuracy, with only a few considering the adversarial security. Although many adversarial defense approaches have been proposed in other application domains such as computer vision, previous research showed that their direct extensions to BCIs degrade the classification accuracy on benign samples. This phenomenon greatly affects the applicability of adversarial defense approaches to EEG-based BCIs. To mitigate this problem, we propose alignment-based adversarial training (ABAT), which performs EEG data alignment before adversarial training. Data alignment aligns EEG trials from different domains to reduce their distribution discrepancies, and adversarial training further robustifies the classification boundary. The integration of data alignment and adversarial training can make the trained EEG classifiers simultaneously more accurate and more robust. Experiments on five EEG datasets from two different BCI paradigms (motor imagery classification, and event related potential recognition), three convolutional neural network classifiers (EEGNet, ShallowCNN and DeepCNN) and three different experimental settings (offline within-subject cross-block/-session classification, online cross-session classification, and pre-trained classifiers) demonstrated its effectiveness. It is very intriguing that adversarial attacks, which are usually used to damage BCI systems, can be used in ABAT to simultaneously improve the model accuracy and robustness.

engineering, biomedical,rehabilitation

Xiao Zhang,Dongrui Wu

DOI: https://doi.org/10.48550/arXiv.1904.01002

2019-03-31

Abstract:Deep learning has been successfully used in numerous applications because of its outstanding performance and the ability to avoid manual feature engineering. One such application is electroencephalogram (EEG) based brain-computer interface (BCI), where multiple convolutional neural network (CNN) models have been proposed for EEG classification. However, it has been found that deep learning models can be easily fooled with adversarial examples, which are normal examples with small deliberate perturbations. This paper proposes an unsupervised fast gradient sign method (UFGSM) to attack three popular CNN classifiers in BCIs, and demonstrates its effectiveness. We also verify the transferability of adversarial examples in BCIs, which means we can perform attacks even without knowing the architecture and parameters of the target models, or the datasets they were trained on. To our knowledge, this is the first study on the vulnerability of CNN classifiers in EEG-based BCIs, and hopefully will trigger more attention on the security of BCI systems.

Machine Learning,Cryptography and Security

Jianfeng Yu,Kai Qiu,Pengju Wang,Caixia Su,Yufeng Fan,Yongfeng Cao

DOI: https://doi.org/10.1186/s12911-023-02212-5

IF: 3.298

2023-07-07

BMC Medical Informatics and Decision Making

Abstract:Deep learning models have been widely used in electroencephalogram (EEG) analysis and obtained excellent performance. But the adversarial attack and defense for them should be thoroughly studied before putting them into safety-sensitive use. This work exposes an important safety issue in deep-learning-based brain disease diagnostic systems by examining the vulnerability of deep learning models for diagnosing epilepsy with brain electrical activity mappings (BEAMs) to white-box attacks. It proposes two methods, Gradient Perturbations of BEAMs (GPBEAM), and Gradient Perturbations of BEAMs with Differential Evolution (GPBEAM-DE), which generate EEG adversarial samples, for the first time by perturbing BEAMs densely and sparsely respectively, and find that these BEAMs-based adversarial samples can easily mislead deep learning models. The experiments use the EEG data from CHB-MIT dataset and two types of victim models each of which has four different deep neural network (DNN) architectures. It is shown that: (1) these BEAM-based adversarial samples produced by the proposed methods in this paper are aggressive to BEAM-related victim models which use BEAMs as the input to internal DNN architectures, but unaggressive to EEG-related victim models which have raw EEG as the input to internal DNN architectures, with the top success rate of attacking BEAM-related models up to 0.8 while the top success rate of attacking EEG-related models only 0.01; (2) GPBEAM-DE outperforms GPBEAM when they are attacking the same victim model under a same distortion constraint, with the top attack success rate 0.8 for the former and 0.59 for the latter; (3) a simple modification to the GPBEAM/GPBEAM-DE will make it have aggressiveness to both BEAMs-related and EEG-related models (with top attack success rate 0.8 and 0.64), and this capacity enhancement is done without any cost of distortion increment. The goal of this study is not to attack any of EEG medical diagnostic systems, but to raise concerns about the safety of deep learning models and hope to lead to a safer design.

medical informatics

Bibek Upadhayay,Vahid Behzadan

DOI: https://doi.org/10.48550/arXiv.2211.10033

2022-11-18

Abstract:Machine learning models are known to be vulnerable to adversarial perturbations in the input domain, causing incorrect predictions. Inspired by this phenomenon, we explore the feasibility of manipulating EEG-based Motor Imagery (MI) Brain Computer Interfaces (BCIs) via perturbations in sensory stimuli. Similar to adversarial examples, these \emph{adversarial stimuli} aim to exploit the limitations of the integrated brain-sensor-processing components of the BCI system in handling shifts in participants' response to changes in sensory stimuli. This paper proposes adversarial stimuli as an attack vector against BCIs, and reports the findings of preliminary experiments on the impact of visual adversarial stimuli on the integrity of EEG-based MI BCIs. Our findings suggest that minor adversarial stimuli can significantly deteriorate the performance of MI BCIs across all participants (p=0.0003). Additionally, our results indicate that such attacks are more effective in conditions with induced stress.

Cryptography and Security,Machine Learning,Signal Processing

Bo-Qun Ma,He Li,Wei-Long Zheng,Bao-Liang Lu

DOI: https://doi.org/10.1007/978-3-030-36708-4_3

2019-01-01

Abstract:A major obstacle in generalizing brain-computer interface (BCI) systems to previously unseen subjects is the subject variability of electroencephalography (EEG) signals. To deal with this problem, the existing methods focus on domain adaptation with subject-specific EEG data, which are expensive and time consuming to collect. In this paper, domain generalization methods are introduced to reduce the influence of subject variability in BCI systems without requiring any information from unseen subjects. We first modify a deep adversarial network for domain generalization and then propose a novel adversarial domain generalization framework, DResNet, in which domain information is utilized to learn two components of weights: unbiased weights that are common across subjects and biased weights that are subject-specific. Experimental results on two public EEG datasets indicate that our proposed methods can achieve a performance comparable to and more stable than that of the state-of-the-art domain adaptation method. In contrast to existing domain adaptation methods, our proposed domain generalization approach does not require any data from test subjects and can simultaneously generalize well to multiple test subjects.

Zihan Liu,Lubin Meng,Xiao Zhang,Weili Fang,Dongrui Wu

DOI: https://doi.org/10.1088/1741-2552/ac0f4c

IF: 5.043

2021-07-15

Journal of Neural Engineering

Abstract:<span><i>Objective</i>. Multiple convolutional neural network (CNN) classifiers have been proposed for electroencephalogram (EEG) based brain-computer interfaces (BCIs). However, CNN models have been found vulnerable to universal adversarial perturbations (UAPs), which are small and example-independent, yet powerful enough to degrade the performance of a CNN model, when added to a benign example. <i>Approach</i>. This paper proposes a novel total loss minimization (TLM) approach to generate UAPs for EEG-based BCIs. <i>Main results</i>. Experimental results demonstrated the effectiveness of TLM on three popular CNN classifiers for both target and non-target attacks. We also verified the transferability of UAPs in EEG-based BCI systems. <i>Significance</i>. To our knowledge, this is the first study on UAPs of CNN classifiers in EEG-based BCIs. UAPs are easy to construct, and can attack BCIs in real-time, exposing a potentially critical security concern of BCIs.</span>

engineering, biomedical,neurosciences

Hangjie Yi,Yuhang Ming,Dongjun Liu,Wanzeng Kong

2024-07-01

Abstract:EEG-based brainprint recognition with deep learning models has garnered much attention in biometric identification. Yet, studies have indicated vulnerability to adversarial attacks in deep learning models with EEG inputs. In this paper, we introduce a novel adversarial attack method that jointly attacks time-domain and frequency-domain EEG signals by employing wavelet transform. Different from most existing methods which only target time-domain EEG signals, our method not only takes advantage of the time-domain attack's potent adversarial strength but also benefits from the imperceptibility inherent in frequency-domain attack, achieving a better balance between attack performance and imperceptibility. Extensive experiments are conducted in both white- and grey-box scenarios and the results demonstrate that our attack method achieves state-of-the-art attack performance on three datasets and three deep-learning models. In the meanwhile, the perturbations in the signals attacked by our method are barely perceptible to the human visual system.

Cryptography and Security

Rui Bian,Lubin Meng,Dongrui Wu

DOI: https://doi.org/10.1007/s11432-022-3440-5

2022-03-14

Science China Information Sciences

Abstract:Electroencephalogram (EEG) based brain-computer interfaces (BCIs) have attracted wide attention in recent years. Steady-state visual evoked potential (SSVEP) is one of the most popular BCI paradigms, which has high information transmission rate and short user calibration time. Recent research has shown that EEG-based BCIs are under the threat of adversarial examples. However, existing attack approaches are very difficult to implement in a real-world system. Considering SSVEP's dependency on the frequency information, this paper proposes to use square wave signals as adversarial perturbations to attack SSVEP-based BCIs, which are easy to generate and apply in practice. EEG trials contaminated by the square wave perturbation can be classified into any target class specified by the attacker. Compared with previous approaches, our perturbation can be implemented much more easily. Experiments on two SSVEP datasets demonstrated the efficiency and robustness of the proposed approach in attacking two SSVEP classifiers based on canonical correlation analysis, exposing a critical security problem in SSVEP-based BCIs.

computer science, information systems,engineering, electrical & electronic

Byeong-Hoo Lee,Byoung-Hee Kwon,Seong-Whan Lee

2023-11-15

Abstract:Deep learning has shown promise in decoding brain signals, such as electroencephalogram (EEG), in the field of brain-computer interfaces (BCIs). However, the non-stationary characteristics of EEG signals pose challenges for training neural networks to acquire appropriate knowledge. Inconsistent EEG signals resulting from these non-stationary characteristics can lead to poor performance. Therefore, it is crucial to investigate and address sample inconsistency to ensure robust performance in spontaneous BCIs. In this study, we introduce the concept of sample dominance as a measure of EEG signal inconsistency and propose a method to modulate its effect on network training. We present a two-stage dominance score estimation technique that compensates for performance degradation caused by sample inconsistencies. Our proposed method utilizes non-parametric estimation to infer sample inconsistency and assigns each sample a dominance score. This score is then aggregated with the loss function during training to modulate the impact of sample inconsistency. Furthermore, we design a curriculum learning approach that gradually increases the influence of inconsistent signals during training to improve overall performance. We evaluate our proposed method using public spontaneous BCI dataset. The experimental results confirm that our findings highlight the importance of addressing sample dominance for achieving robust performance in spontaneous BCIs.

Machine Learning,Artificial Intelligence,Signal Processing

Dai Wang,Aiping Liu,Bo Xue,Le Wu,Xun Chen

DOI: https://doi.org/10.1016/j.medntd.2023.100213

2023-01-01

Medicine in Novel Technology and Devices

Abstract:Brain-computer interface (BCI) based on Steady-State Visual Evoked Potentials (SSVEP) provides an effective method for human-computer communication. In practical application scenarios, SSVEP-BCI systems are easily interfered by physiological noises such as electromyography (EMG) and electrooculography (EOG). The performance of traditional SSVEP recognition methods will degrade in such a noisy environment, which limits their real-world applications. To alleviate the interference of noise, existing works either require additional reference electrodes or are designed for removing background noise such as trend terms rather than physiological noises. In this study, we utilize adversarial training (AT) and neural networks (NNs) to construct a robust recognition method for SSVEP contaminated by physiological noise. During model training, we generate adversarial noises which are most harmful to the current model according to gradients and enforce the model to overcome them. In this way, we strengthen the robustness of the model to potential noises, such as physiological noises. In this study, we recorded a real-world speaking SSVEP dataset and simulated various noisy datasets to conducted comparison experiments on two benchmark models named EEGNet and DeepConvNet. The experimental results demonstrated that AT strategies can help the neural networks get better performance on SSVEP data contaminated by EMG and EOG. We also verified that introducing AT can slightly improve the performance of models under a cross-subject scenario. Our method can be integrated into existing deep learning methods efficiently and will contribute to the real-world applications of SSVEP.

Xiaoyong Yuan,Pan He,Qile Zhu,Xiaolin Li

DOI: https://doi.org/10.1109/tnnls.2018.2886017

IF: 14.255

2019-09-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:With rapid progress and significant successes in a wide spectrum of applications, deep learning is being applied in many safety-critical environments. However, deep neural networks (DNNs) have been recently found vulnerable to well-designed input samples called adversarial examples. Adversarial perturbations are imperceptible to human but can easily fool DNNs in the testing/deploying stage. The vulnerability to adversarial examples becomes one of the major risks for applying DNNs in safety-critical environments. Therefore, attacks and defenses on adversarial examples draw great attention. In this paper, we review recent findings on adversarial examples for DNNs, summarize the methods for generating adversarial examples, and propose a taxonomy of these methods. Under the taxonomy, applications for adversarial examples are investigated. We further elaborate on countermeasures for adversarial examples. In addition, three major challenges in adversarial examples and the potential solutions are discussed.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Nour El Houda Sayah Ben Aissa,Ahmed Korichi,Abderrahmane Lakas,Chaker Abdelaziz Kerrache,Carlos T Calafate

DOI: https://doi.org/10.1016/j.slast.2024.100142

Abstract:The classification of motor imagery (MI) using Electroencephalography (EEG) plays a pivotal role in facilitating communication for individuals with physical limitations through Brain-Computer Interface (BCI) systems. Recent strides in Attention-Based Networks (ATN) have showcased remarkable performance in EEG signal classification, presenting a promising alternative to conventional Convolutional Neural Networks (CNNs). However, while CNNs have been extensively analyzed for their resilience against adversarial attacks, the susceptibility of ATNs in comparable scenarios remains largely unexplored. This paper aims to fill this gap by investigating the robustness of ATNs in adversarial contexts. We propose a high-performing attention-based deep learning model specifically designed for classifying Motor Imagery (MI) brain signals extracted from EEG data. Subsequently, we conduct a thorough series of experiments to assess various attack strategies targeting ATNs employed in EEG-based BCI tasks. Our analysis utilizes the widely recognized BCI Competition 2a dataset to demonstrate the effectiveness of attention mechanisms in BCI endeavors. Despite achieving commendable classification results in terms of accuracy (87.15%) and kappa score (0.8287), our findings reveal the vulnerability of attention-based models to adversarial manipulations (accuracy: 9.07%, kappa score: -0.21), highlighting the imperative for bolstering the robustness of attention architectures for EEG classification tasks.

Hossein Ahmadi,Ali Kuhestani,Luca Mesin

DOI: https://doi.org/10.1109/access.2024.3376657

IF: 3.9

2024-03-19

IEEE Access

Abstract:In the rapidly evolving domain of brain-to-brain communication, safeguarding the transmission of information against adversarial threats is paramount. This study introduces an advanced approach to enhance the resilience and security of brain-to-brain communication systems utilizing electroencephalogram data against such threats through adversarial neural network training. Concentrating on event-related potentials and employing a diverse collection of eight datasets, our research rigorously evaluates and optimizes the system's defense mechanisms against adversarial manipulations. We specifically target the optimization of trial durations and sampling rates to bolster system security. Our findings reveal a marked improvement in the system's defensive capabilities, demonstrated by a significant increase in adversarial accuracy by 17% and enhancement in the area under the receiver operating characteristic curve by 0.12 points. These results underscore the efficacy of our approach in fortifying brain-to-brain communication systems against sophisticated cyber threats, marking a significant step forward in the secure and robust transmission of neural signals.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ruyi Li,Ming Ke,Zhanguo Dong,Lubin Wang,Tielin Zhang,Minghua Du,Gang Wang

DOI: https://doi.org/10.3390/electronics13132566

IF: 2.9

2024-06-30

Electronics

Abstract:Deep convolutional neural networks (DCNNs) have achieved impressive performance in image recognition, object detection, etc. Nevertheless, they are susceptible to adversarial attacks and interferential noise. Adversarial attacks can mislead DCNN models by manipulating input data with small perturbations, causing security risks to intelligent system applications. Comparatively, these small perturbations have very limited perceptual impact on humans. Therefore, the research on brain-inspired adversarial robust models has gained increasing attention. Beginning from the adversarial attack concepts and schemes, we present a review of the conventional adversarial attack and defense methods and compare the advantages and differences between brain-inspired robust neural networks and the conventional adversarial defense methods. We further review the existing adversarial robust DCNN models, including methods inspired by the early visual systems and supervised by neural signals. Representative examples have validated the efficacy of brain-inspired methods for designing adversarial robust models, which may benefit the further research and development of brain-inspired robust deep convolutional neural networks and the intelligent system applications.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xingchen Li,Xianlun Tang,Sichao Qiu,Xin Deng,Huiming Wang,Yin Tian

DOI: https://doi.org/10.1109/tetci.2023.3301385

2024-01-01

IEEE Transactions on Emerging Topics in Computational Intelligence

Abstract:Motor imagery Electroencephalogram (EEG) signals have been widely used in the field of brain-computer interface (BCI) due to their advantage of non-invasiveness and easy acquisition. However, due to distortions in the temporal and local information of the EEG signal and inter-subject variability, it is very time-consuming to perform a calibration procedure designed in a subject-specific manner, which requires a large number of labeled samples. To this end, we construct EEG brain graph based on EEG electrode distribution and propose a new subdomain adversarial network for learning domain-invariant features to achieve cross-domain classification of motor imagery EEG signals. Specifically, the proposed method constructs a brain graph based on the spatial distribution of electrodes and their functional connections, and builds EEG graph data. The subdomain adversarial network aligns data distributions under the same class domain and improves the classification performance of the target domain using source domain labeled samples. We have conducted extensive experiments on two publicly available datasets to verify the effectiveness of the proposed method. In addition, we have done ablation study and visualization analysis to explain the contribution of each component to cross-domain classification.

Qifei Zhou,Rong Zhang,Bo Wu,Weiping Li,Tong Mo

DOI: https://doi.org/10.1007/978-3-030-59013-0_8

2020-01-01

Abstract:The safety of artificial intelligence systems has aroused great concern due to the vulnerability of deep neural networks. Studies show that malicious modifications to the inputs of a network classifier, can fool the classifier and lead to wrong predictions. These modified inputs are called adversarial samples. In order to resolve this challenge, this paper proposes a novel and effective framework called Detection by Attack (DBA) to detect adversarial samples by Undercover Attack. DBA works by converting the difficult adversarial detection problem into a simpler attack problem, which is inspired by the espionage technique. It appears to be attacking the system, but it is actually defending the system. Reviewing the literature shows that this paper is the first attempt to introduce a detection method that can effectively detect adversarial samples in both images and texts. Experimental results show that the DBA scheme yields state-of-the-art detection performances in both detector-unaware (\(95.66\%\) detection accuracy on average) and detector-aware (\(2.10\%\) attack success rate) scenarios. Furthermore, DBA is robust to the perturbation size and confidence of adversarial samples. The code is available at https://github.com/Mrzhouqifei/DBA.

Mesut Ozdag

DOI: https://doi.org/10.1016/j.procs.2018.10.315

2018-01-01

Procedia Computer Science

Abstract:Deep learning has achieved great successes in various types of applications over recent years. On the other hand, it has been found that deep neural networks (DNNs) can be easily fooled by adversarial input samples. This vulnerability raises major concerns in security-sensitive environments. Therefore, research in attacking and defending DNNs with adversarial examples has drawn great attention. The goal of this paper is to review the types of adversarial attacks and defenses, describe the state-of-the-art methods for each group, and compare their results. In addition, we present some of the top-scored competition submissions for Neural Information Processing Systems (NIPS) in 2017, their solution models, and demonstrate their results. This adversary competition was organized by Google Brain for research scientists to come up with novel solutions that generate adversarial examples and also defend against them. Its contribution is significant on this era of machine learning and DNNs.