EEG-Based Brain-Computer Interfaces Are Vulnerable to Backdoor Attacks

Meng, L; Huang, J; Zeng, Z; Jiang, X; Yu, S; Jung, T-P; Lin, C-T; Chavarriaga, R; Wu, D

EEG-Based Brain-Computer Interfaces Are Vulnerable to Backdoor Attacks

Meng, L Huang, J Zeng, Z Jiang, X Yu, S Jung, T-P Lin, C-T Chavarriaga, R Wu, D

Permalink

Publisher:: Research Square
Publication Type:: Journal Article
Citation:: 2021
Issue Date:: 2021-01-26

Open Access

Copyright Clearance Process

Recently Added
In Progress
Open Access

This item is open access.

Adobe PDF

Download Published VersionAdobe PDF (693.66 kB)

View on publisher's site

View statistics

Full metadata record

Field	Value	Language
dc.contributor.author	Meng, L
dc.contributor.author	Huang, J
dc.contributor.author	Zeng, Z
dc.contributor.author	Jiang, X
dc.contributor.author	Yu, S
dc.contributor.author	Jung, T-P
dc.contributor.author	Lin, C-T
dc.contributor.author	Chavarriaga, R
dc.contributor.author	Wu, D
dc.date.accessioned	2021-03-16T00:44:17Z
dc.date.available	2021-03-16T00:44:17Z
dc.date.issued	2021-01-26
dc.identifier.citation	2021
dc.identifier.uri	http://hdl.handle.net/10453/147211
dc.description.abstract	<jats:title>Abstract</jats:title> <jats:p>Research and development of electroencephalogram (EEG) based brain-computer interfaces (BCIs) have advanced rapidly, partly due to the wide adoption of sophisticated machine learning approaches for decoding the EEG signals. However, recent studies have shown that machine learning algorithms are vulnerable to adversarial attacks, e.g., the attacker can add tiny adversarial perturbations to a test sample to fool the model, or poison the training data to insert a secret backdoor. Previous research has shown that adversarial attacks are also possible for EEG-based BCIs. However, only adversarial perturbations have been considered, and the approaches are theoretically sound but very difficult to implement in practice. This article proposes to use narrow period pulse for poisoning attack of EEG-based BCIs, which is more feasible in practice and has never been considered before. One can create dangerous backdoors in the machine learning model by injecting poisoning samples into the training set. Test samples with the backdoor key will then be classified into the target class specified by the attacker. What most distinguishes our approach from previous ones is that the backdoor key does not need to be synchronized with the EEG trials, making it very easy to implement. The effectiveness and robustness of the backdoor attack approach is demonstrated, highlighting a critical security concern for EEG-based BCIs.</jats:p>
dc.language	en
dc.publisher	Research Square
dc.relation.isbasedon	10.21203/rs.3.rs-108085/v1
dc.rights	info:eu-repo/semantics/openAccess
dc.title	EEG-Based Brain-Computer Interfaces Are Vulnerable to Backdoor Attacks
dc.type	Journal Article
pubs.organisational-group	/University of Technology Sydney
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	/University of Technology Sydney/Strength - AAII - Australian Artificial Intelligence Institute
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
utslib.copyright.status	open_access	*
dc.date.updated	2021-03-16T00:44:16Z

Abstract:

Abstract Research and development of electroencephalogram (EEG) based brain-computer interfaces (BCIs) have advanced rapidly, partly due to the wide adoption of sophisticated machine learning approaches for decoding the EEG signals. However, recent studies have shown that machine learning algorithms are vulnerable to adversarial attacks, e.g., the attacker can add tiny adversarial perturbations to a test sample to fool the model, or poison the training data to insert a secret backdoor. Previous research has shown that adversarial attacks are also possible for EEG-based BCIs. However, only adversarial perturbations have been considered, and the approaches are theoretically sound but very difficult to implement in practice. This article proposes to use narrow period pulse for poisoning attack of EEG-based BCIs, which is more feasible in practice and has never been considered before. One can create dangerous backdoors in the machine learning model by injecting poisoning samples into the training set. Test samples with the backdoor key will then be classified into the target class specified by the attacker. What most distinguishes our approach from previous ones is that the backdoor key does not need to be synchronized with the EEG trials, making it very easy to implement. The effectiveness and robustness of the backdoor attack approach is demonstrated, highlighting a critical security concern for EEG-based BCIs.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/147211