Abstract
Transfer learning (TL) has been widely used in electroencephalogram (EEG)-based brain-computer interfaces (BCIs) for reducing calibration efforts. However, backdoor attacks could be introduced through TL. In such attacks, an attacker embeds a backdoor with a specific pattern into the machine learning model. As a result, the model will misclassify a test sample with the backdoor trigger into a prespecified class while still maintaining good performance on benign samples. Accordingly, this study explores backdoor attacks in the TL of EEG-based BCIs, where source-domain data are poisoned by a backdoor trigger and then used in TL. We propose several active poisoning approaches to select source-domain samples, which are most effective in embedding the backdoor pattern, to improve the attack success rate and efficiency. Experiments on four EEG datasets and three deep learning models demonstrate the effectiveness of the approaches. To our knowledge, this is the first study about backdoor attacks on TL models in EEG-based BCIs. It exposes a serious security risk in BCIs, which should be immediately addressed.
Similar content being viewed by others
References
Graimann B, Allison B, Pfurtscheller G. Brain-computer interfaces: a gentle introduction. In: Brain-Computer Interfaces. Berlin: Springer, 2010. 1–27
Nicolas-Alonso L F, Gomez-Gil J. Brain computer interfaces, a review. Sensors, 2012, 12: 1211–1279
Pfurtscheller G, Neuper C. Motor imagery and direct brain-computer communication. Proc IEEE, 2001, 89: 1123–1134
Zhou Z T, Yin E W, Liu Y, et al. A novel task-oriented optimal design for P300-based brain-computer interfaces. J Neural Eng, 2014, 11: 056003
Jin J, Wang Z Q, Xu R, et al. Robust similarity measurement based on a novel time filter for SSVEPs detection. IEEE Trans Neural Netw Learn Syst, 2021, doi: https://doi.org/10.1109/TNNLS.2021.3118468
Ji B W, Liang Z K, Yuan X C, et al. Recent advances in wireless epicortical and intracortical neuronal recording systems. Sci China Inf Sci, 2022, 65: 140401
Gu C, Jiang J J, Tao T H, et al. Long-term flexible penetrating neural interfaces: materials, structures, and implantation. Sci China Inf Sci, 2021, 64: 221401
Chen K Q, Chen M Y, Cheng L L, et al. A 124 dB dynamic range sigma-delta modulator applied to non-invasive EEG acquisition using chopper-modulated input-scaling-down technique. Sci China Inf Sci, 2022, 65: 140402
Hao Y, Xiang S Y, Han G Q, et al. Recent progress of integrated circuits and optoelectronic chips. Sci China Inf Sci, 2021, 64: 201401
Makeig S, Kothe C, Mullen T, et al. Evolving signal processing for brain-computer interfaces. Proc IEEE, 2012, 100: 1567–1584
Jin J, Miao Y Y, Daly I, et al. Correlation-based channel selection and regularized feature optimization for MI-based BCI. Neural Netw, 2019, 118: 262–270
Jin J, Xiao R C, Daly I, et al. Internal feature selection method of CSP based on L1-norm and dempster-shafer theory. IEEE Trans Neural Netw Learn Syst, 2021, 32: 4814–4825
Lotte F, Bougrain L, Cichocki A, et al. A review of classification algorithms for EEG-based brain-computer interfaces: a 10 year update. J Neural Eng, 2018, 15: 031005
Saha S, Ahmed K I U, Mostafa R, et al. Evidence of variabilities in EEG dynamics during motor imagery-based multiclass brain-computer interface. IEEE Trans Neural Syst Rehabil Eng, 2018, 26: 371–382
Wu D R, Xu Y F, Lu B L. Transfer learning for EEG-based brain-computer interfaces: a review of progress made since 2016. IEEE Trans Cogn Dev Syst, 2022, 14: 4–19
Pan S J, Yang Q. A survey on transfer learning. IEEE Trans Knowl Data Eng, 2010, 22: 1345–1359
Jayaram V, Alamgir M, Altun Y, et al. Transfer learning in brain-computer interfaces. IEEE Comput Intell Mag, 2016, 11: 20–31
He H, Wu D R. Transfer learning for brain-computer interfaces: a Euclidean space data alignment approach. IEEE Trans Biomed Eng, 2019, 67: 399–410
He H, Wu D R. Different set domain adaptation for brain-computer interfaces: a label alignment approach. IEEE Trans Neural Syst Rehabil Eng, 2020, 28: 1091–1108
Zhang X, Wu D R. On the vulnerability of CNN classifiers in EEG-based BCIs. IEEE Trans Neural Syst Rehabil Eng, 2019, 27: 814–825
Liu Z H, Meng L B, Zhang X, et al. Universal adversarial perturbations for CNN classifiers in EEG-based BCIs. J Neural Eng, 2021, 18: 0460a4
Zhang X, Wu D R, Ding L Y, et al. Tiny noise, big mistakes: adversarial perturbations induce errors in brain-computer interface spellers. Natl Sci Rev, 2021, 8: 233
Meng L B, Wu D R, Huang J, et al. EEG-based brain-computer interfaces are vulnerable to backdoor attacks. 2020. ArXiv:2011.00101
Bian R, Meng L B, Wu D R. SSVEP-based brain-computer interfaces are vulnerable to square wave attacks. Sci China Inf Sci, 2022, 65: 140406
Gu T Y, Dolan-Gavitt B, Garg S. Badnets: identifying vulnerabilities in the machine learning model supply chain. 2017. ArXiv:1708.06733
Brown T B, Mané D, Roy A, et al. Adversarial patch. In: Proceedings of Advances in Neural Information Processing Systems, Long Beach, 2017
Carlini N, Wagner D. Audio adversarial examples: targeted attacks on speech-to-text. In: Proceedings of IEEE Symposium on Security and Privacy, San Francisco, 2018. 1–7
Qayyum A, Usama M, Qadir J, et al. Securing connected & autonomous vehicles: challenges posed by adversarial machine learning and the way forward. IEEE Commun Surv Tut, 2020, 22: 998–1026
Rezaei S, Liu X. A target-agnostic attack on deep models: exploiting security vulnerabilities of transfer learning. In: Proceedings of International Conference on Learning Representations, 2020
Wang B L, Yao Y S, Viswanath B, et al. With great training comes great vulnerability: practical attacks against transfer learning. In: Proceedings of the 27th USENIX Security Symposium, Baltimore, 2018. 1281–1297
Wang S, Nepal S, Rudolph C, et al. Backdoor attacks against transfer learning with pre-trained deep learning models. IEEE Trans Serv Comput, 2022, 15: 1526–1539
Kurita K, Michel P, Neubig G. Weight poisoning attacks on pretrained models. In: Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics, 2020
Settles B. Active Learning Literature Survey. Computer Sciences Technical Report 1648, University of Wisconsin-Madison, 2009
Settles B, Craven M. An analysis of active learning strategies for sequence labeling tasks. In: Proceedings of Conference on Empirical Methods in Natural Language Processing, Honolulu, 2008. 1070–1079
Cai W B, Zhang Y X, Zhang Y, et al. Active learning for classification with maximum model change. ACM Trans Inf Syst, 2017, 36: 1–28
Wu D R. Pool-based sequential active learning for regression. IEEE Trans Neural Netw Learn Syst, 2019, 30: 1348–1359
Wu D R, Lin C T, Huang J. Active learning for regression using greedy sampling. Inf Sci, 2019, 474: 90–105
Hoffmann U, Vesin J M, Ebrahimi T, et al. An efficient P300-based brain-computer interface for disabled subjects. J Neurosci Methods, 2008, 167: 115–125
Margaux P, Emmanuel M, Sébastien D, et al. Objective and subjective evaluation of online error correction during P300-based spelling. Adv Hum-Comput Int, 2012, 2012: 1–13
Tangermann M, Müller K R, Aertsen A, et al. Review of the BCI competition IV. Front Neurosci, 2012, 6: 55
Blankertz B, Dornhege G, Krauledat M, et al. The non-invasive Berlin brain-computer interface: fast acquisition of effective performance in untrained subjects. NeuroImage, 2007, 37: 539–550
Lawhern V J, Solon A J, Waytowich N R, et al. EEGNet: a compact convolutional neural network for EEG-based brain-computer interfaces. J Neural Eng, 2018, 15: 056013
Schirrmeister R T, Springenberg J T, Fiederer L D J, et al. Deep learning with convolutional neural networks for EEG decoding and visualization. Hum Brain Mapp, 2017, 38: 5391–5420
Kostas D, Rudzicz F. Thinker invariance: enabling deep neural networks for BCI across more people. J Neural Eng, 2020, 17: 056008
Yao Y, Li H, Zheng H, et al. Latent backdoor attacks on deep neural networks. In: Proceedings of Conference on Computer and Communications Security, London, 2019. 2041–2055
Wang H, Sreenivasan K, Rajput S, et al. Attack of the tails: yes, you really can backdoor federated learning. In: Proceedings of Advances in Neural Information Processing Systems, 2020. 16070–16084
Liu K, Dolan-Gavitt, Garg S. Fine-pruning: defending against backdooring attacks on deep neural networks. In: Research in Attacks, Intrusions, and Defenses. Berlin: Springer, 2018. 273–294
Liu Y, Xie Y, Srivastava A. Neural trojans. In: Proceedings of IEEE International Conference on Computer Design, Boston, 2017. 45–48
Borgnia E, Cherepanova V, Fowl L, et al. Strong data augmentation sanitizes poisoning and backdoor attacks without an accuracy tradeoff. In: Proceedings of IEEE International Conference on Acoustics, Speech and Signal Processing, 2021. 3855–3859
Li Y M, Zhai T Q, Wu B Y, et al. Rethinking the trigger of backdoor attack. 2020. ArXiv:2004.04692
Freer D, Yang G Z. Data augmentation for self-paced motor imagery classification with C-LSTM. J Neural Eng, 2020, 17: 016041
Xia K, Deng L F, Duch W, et al. Privacy-preserving domain adaptation for motor imagery-based brain-computer interfaces. IEEE Trans Biomed Eng, 2022, 69: 3365–3376
Rivet B, Souloumiac A, Attina V, et al. xDAWN algorithm to enhance evoked potentials: application to brain-computer interface. IEEE Trans Biomed Eng, 2009, 56: 2035–2043
Ramoser H, Müller-Gerking J, Pfurtscheller G. Optimal spatial filtering of single trial EEG during imagined hand movement. IEEE Trans Rehab Eng, 2000, 8: 441–446
Acknowledgements
This work was supported by Open Research Projects of Zhejiang Lab (Grnat No. 2021KE0AB04), Technology Innovation Project of Hubei Province of China (Grnat No. 2019AEA171), and Hubei Province Funds for Distinguished Young Scholars (Grnat No. 2020CFA050).
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Jiang, X., Meng, L., Li, S. et al. Active poisoning: efficient backdoor attacks on transfer learning-based brain-computer interfaces. Sci. China Inf. Sci. 66, 182402 (2023). https://doi.org/10.1007/s11432-022-3548-2
Received:
Revised:
Accepted:
Published:
DOI: https://doi.org/10.1007/s11432-022-3548-2