No Access

Multi-Target Smooth Universal Adversarial Perturbations for CNNs in Electroencephalogram-Based Brain–Computer Interface Systems

School of Information and Intelligent Engineering, Guangzhou Xinhua University, Guangzhou, Guangdong 510000, P. R. China

E-mail Address: zhangjie@xhsysu.edu.cn

Corresponding author.

Search for more papers by this author

and

Xiaowen Zhong

Tsinghua International School Daoxiang Lake, Beijing 100000, P. R. China

E-mail Address: rositazhong@thisdl.cn

Search for more papers by this author

https://doi.org/10.1142/S0218126625501075Cited by:0 (Source: Crossref)

Abstract

EEG-based brain–computer interface systems have demonstrated impressive capability in the context of the broad use of deep learning. However, serious security flaws have been shown by their vulnerability to adversarial sample attacks. It is not possible to directly apply traditional attack strategies from the image domain to EEG signals because of their unique visualization and dynamic features. A unique multi-target smooth universal adversarial perturbation (MS-UAP) approach designed specifically for EEG data is presented in this paper to address this difficulty. We define a loss function and optimize parameters based on UAP for both target and nontarget class samples, respectively, to address the temporal nature of the EEG signal and the attack’s flexibility. Additionally, this research generates a smoothed adversarial sample by convolution operations, yielding a more disorienting effect, to avoid the introduction of physiologically untrustworthy square wave distortions caused by typical visual attack approaches. Three public EEG datasets were used for extensive testing and assessments, and the results show that MS-UAP successfully targets convolutional neural network (CNN) classifiers and launches simultaneous attacks on several classes, exhibiting strong model transferability. To ensure accurate attacks that go undetected, MS-UAP creates a single disturbance that is targeted at target classes and has the least negative effect on other classes. In order to facilitate effective real-time attacks, MS-UAP, an offline-generated universal perturbation template, can be smoothly incorporated into EEG data. The study is significant since it emphasizes how important it is to improve BCI system security and promote the creation of stronger defenses.

This paper was recommended by Regional Editor Takuro Sato.

Keywords:

References

1. L. Tan, K. Yu, A. K. Bashir, X. Cheng, F. Ming, L. Zhao and X. Zhou , Toward real-time and efficient cardiovascular monitoring for COVID-19 patients by 5G-enabled wearable medical devices: A deep learning approach, Neural Comput. Appl. 35 (2023) 13921–13934, https://doi.org/10.1007/s00521-021-06219-9. Crossref, Web of Science, Google Scholar
2. K. Yu, L. Quan, C. Chakraborty, Y. Shen, Z. Guo, O. Alfarraj and A. Tolba , Multiview deep learning-based efficient medical data management for survival time forecasting, IEEE J. Biomed. Health Inf. 39 (2024) 1–12, https://doi.org/10.1109/JBHI.2024.3422180. Google Scholar
3. V. J. Lawhern, A. J. Solon, N. R. Waytowich, S. M. Gordon, C. P. Hung and B. J. Lance , EEGNet: A compact convolutional neural network for EEG-based brain computer interfaces, J. Neural Eng. 15 (2018) 056013. Crossref, Web of Science, Google Scholar
4. R. T. Schirrmeister et al., Deep learning with convolutional neural networks for EEG decoding and visualization, Hum. Brain Mapp. 38 (2017) 5391–5420. Crossref, Web of Science, Google Scholar
5. Y. R. Tabar and U. Halici , A novel deep learning approach for classification of EEG motor imagery signals, J. Neural Eng. 14 (2017) 016003. Crossref, Web of Science, Google Scholar
6. Z. Tayeb et al., Validating deep neural networks for online decoding of motor imagery movements from EEG signals, Sensors 19 (2019) 210. Crossref, Web of Science, Google Scholar
7. C. Szegedy, W. Zaremba and I. Sutskever, Intriguing properties of neural networks, arXiv:1312.6199 (2013). Google Scholar
8. X. Zhang and D. Wu , On the vulnerability of CNN classifiers in EEG-based BCIs, IEEE Trans. Neural Syst. Rehabil. Eng. 27 (2019) 814–825. Crossref, Web of Science, Google Scholar
9. D. Wu, J. Xu, W. Fang, Y. Zhang, L. Yang, X. Xu, H. Luo and X. Yu, Adversarial attacks and defenses in physiological computing: A systematic review, arXiv:2102.02729 (2021). Google Scholar
10. H. I. Fawaz, G. Forestier, J. Weber, L. Idoumghar and P. A. Muller , Adversarial attacks on deep neural networks for time series classification, 2019 Int. Joint Conf. Neural Networks (IJCNN), Budapest, Hungary, 14–19 July 2019, pp. 1–8. Google Scholar
11. F. Karim, S. Majumdar and H. Darabi , Adversarial attacks on time series, IEEE Trans. Pattern Anal. Mach. Intell. 43 (2020) 3309–3320. Crossref, Google Scholar
12. S. Harford, F. Karim and H. Darabi , Generating adversarial samples on multivariate time series using variational autoencoders, IEEE/CAA J. Autom. Sin. 8 (2021) 1523–1538. Crossref, Web of Science, Google Scholar
13. Z. Liu et al., Universal adversarial perturbations for CNN classifiers in EEG-based BCIs, J. Neural Eng. 18 (2021) 0460a4. Crossref, Web of Science, Google Scholar
14. S. M. Moosavi-Dezfooli et al., Universal adversarial perturbations, IEEE Conf. Computer Vision and Pattern Recognition, Honolulu, HI, 21–26 July 2017, pp. 1765–1773. Google Scholar
15. A. Aminifar , Universal adversarial perturbations in epileptic seizure detection, 2020 Int. Joint Conf. Neural Networks (IJCNN), Glasgow, UK, 19–24 July 2020, pp. 1–6. Google Scholar
16. X. Zhang et al., Tiny noise, big mistakes: Adversarial perturbations induce errors in brain-computer interface spellers, Nat. Sci. Rev. 8 (2021) 233–246. Crossref, Web of Science, Google Scholar
17. R. Bian, L. B. Meng and D. R. Wu , SSVEP-based brain-computer interfaces are vulnerable to square wave attacks, Sci. China Inf. Sci. 65 (2022) 140406. Crossref, Web of Science, Google Scholar
18. C. Zhang et al., Cd-uap: Class discriminative universal adversarial perturbation, Proc. AAAI Conf. Artificial Intelligence, (2020), pp. 6754–6761. Crossref, Google Scholar
19. H. Chen et al., Ecgadv: Generating adversarial electrocardiogram to misguide arrhythmia classification system, Proc AAAI Conf. Artif. Intell. 34 (2020) 3446–3453. Google Scholar
20. X. Han et al., Deep learning models for electrocardiograms are susceptible to adversarial attack, Nat. Med. 26 (2020) 360–363. Crossref, Web of Science, Google Scholar
21. M. Tangermann et al., Review of the BCI competition IV, Front. Neurosci. 6 (2012) 55. Crossref, Web of Science, Google Scholar
22. T. M. Ingolfsson et al., EEG-TCNet: An accurate temporal convolutional network for embedded motor-imagery brain-machine interfaces, 2020 IEEE Int. Conf. Systems, Man, and Cybernetics (SMC), Toronto, Ontario, 11–14 October 2020, pp. 2958–2965. Google Scholar
23. A. Salami, J. Andreu-Perez and H. Gillmeister , EEG-ITNet: An explainable inception temporal convolutional network for motor imagery classification, IEEE Access 10 (2022) 36672–36685. Crossref, Web of Science, Google Scholar
24. M. Nakanishi, Y. Wang, Y. T. Wang and T. P. Jung , A comparison study of canonical correlation analysis based methods for detecting steady-state visual evoked potentials, PLoS One 10 (2015) e0140703. Crossref, Web of Science, Google Scholar
25. Y. Pan et al., An efficient CNN-LSTM network with spectral normalization and label smoothing technologies for SSVEP frequency recognition, J. Neural Eng. 19 (2022) 056014. Crossref, Web of Science, Google Scholar
26. A. Ravi et al., Comparing user-dependent and user-independent training of CNN for SSVEP BCI, J. Neural Eng. 17 (2020) 026028. Crossref, Web of Science, Google Scholar
27. Y. J. Wang et al., A benchmark dataset for SSVEP-based brain-computer interfaces, IEEE Trans. Neural Syst. Rehabil. Eng. 25 (2017) 1746–1752. Crossref, Web of Science, Google Scholar
28. J. Lee et al., FBRNN: Feedback recurrent neural network for extreme image super-resolution, IEEE/CVF Conf. Computer Vision and Pattern Recognition Workshops, Seattle, WA, 14–19 June 2020, pp. 488–489. Google Scholar
29. X. Li et al., TFF-Former: Temporal frequency fusion transformer for zero-training decoding of two BCI tasks, Proc. 30th ACM Int. Conf. Multimedia, October 10–14, 2022, Lisboa, Portugal, pp. 51–59. Google Scholar