Skip to main content
SpringerLink
Log in

Active poisoning: efficient backdoor attacks on transfer learning-based brain-computer interfaces

  • Research Paper
  • Published:
Science China Information Sciences Aims and scope Submit manuscript

Abstract

Transfer learning (TL) has been widely used in electroencephalogram (EEG)-based brain-computer interfaces (BCIs) for reducing calibration efforts. However, backdoor attacks could be introduced through TL. In such attacks, an attacker embeds a backdoor with a specific pattern into the machine learning model. As a result, the model will misclassify a test sample with the backdoor trigger into a prespecified class while still maintaining good performance on benign samples. Accordingly, this study explores backdoor attacks in the TL of EEG-based BCIs, where source-domain data are poisoned by a backdoor trigger and then used in TL. We propose several active poisoning approaches to select source-domain samples, which are most effective in embedding the backdoor pattern, to improve the attack success rate and efficiency. Experiments on four EEG datasets and three deep learning models demonstrate the effectiveness of the approaches. To our knowledge, this is the first study about backdoor attacks on TL models in EEG-based BCIs. It exposes a serious security risk in BCIs, which should be immediately addressed.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Graimann B, Allison B, Pfurtscheller G. Brain-computer interfaces: a gentle introduction. In: Brain-Computer Interfaces. Berlin: Springer, 2010. 1–27

    Chapter  Google Scholar 

  2. Nicolas-Alonso L F, Gomez-Gil J. Brain computer interfaces, a review. Sensors, 2012, 12: 1211–1279

    Article  Google Scholar 

  3. Pfurtscheller G, Neuper C. Motor imagery and direct brain-computer communication. Proc IEEE, 2001, 89: 1123–1134

    Article  Google Scholar 

  4. Zhou Z T, Yin E W, Liu Y, et al. A novel task-oriented optimal design for P300-based brain-computer interfaces. J Neural Eng, 2014, 11: 056003

    Article  Google Scholar 

  5. Jin J, Wang Z Q, Xu R, et al. Robust similarity measurement based on a novel time filter for SSVEPs detection. IEEE Trans Neural Netw Learn Syst, 2021, doi: https://doi.org/10.1109/TNNLS.2021.3118468

  6. Ji B W, Liang Z K, Yuan X C, et al. Recent advances in wireless epicortical and intracortical neuronal recording systems. Sci China Inf Sci, 2022, 65: 140401

    Article  Google Scholar 

  7. Gu C, Jiang J J, Tao T H, et al. Long-term flexible penetrating neural interfaces: materials, structures, and implantation. Sci China Inf Sci, 2021, 64: 221401

    Article  Google Scholar 

  8. Chen K Q, Chen M Y, Cheng L L, et al. A 124 dB dynamic range sigma-delta modulator applied to non-invasive EEG acquisition using chopper-modulated input-scaling-down technique. Sci China Inf Sci, 2022, 65: 140402

    Article  Google Scholar 

  9. Hao Y, Xiang S Y, Han G Q, et al. Recent progress of integrated circuits and optoelectronic chips. Sci China Inf Sci, 2021, 64: 201401

    Article  Google Scholar 

  10. Makeig S, Kothe C, Mullen T, et al. Evolving signal processing for brain-computer interfaces. Proc IEEE, 2012, 100: 1567–1584

    Article  Google Scholar 

  11. Jin J, Miao Y Y, Daly I, et al. Correlation-based channel selection and regularized feature optimization for MI-based BCI. Neural Netw, 2019, 118: 262–270

    Article  Google Scholar 

  12. Jin J, Xiao R C, Daly I, et al. Internal feature selection method of CSP based on L1-norm and dempster-shafer theory. IEEE Trans Neural Netw Learn Syst, 2021, 32: 4814–4825

    Article  Google Scholar 

  13. Lotte F, Bougrain L, Cichocki A, et al. A review of classification algorithms for EEG-based brain-computer interfaces: a 10 year update. J Neural Eng, 2018, 15: 031005

    Article  Google Scholar 

  14. Saha S, Ahmed K I U, Mostafa R, et al. Evidence of variabilities in EEG dynamics during motor imagery-based multiclass brain-computer interface. IEEE Trans Neural Syst Rehabil Eng, 2018, 26: 371–382

    Article  Google Scholar 

  15. Wu D R, Xu Y F, Lu B L. Transfer learning for EEG-based brain-computer interfaces: a review of progress made since 2016. IEEE Trans Cogn Dev Syst, 2022, 14: 4–19

    Article  Google Scholar 

  16. Pan S J, Yang Q. A survey on transfer learning. IEEE Trans Knowl Data Eng, 2010, 22: 1345–1359

    Article  Google Scholar 

  17. Jayaram V, Alamgir M, Altun Y, et al. Transfer learning in brain-computer interfaces. IEEE Comput Intell Mag, 2016, 11: 20–31

    Article  Google Scholar 

  18. He H, Wu D R. Transfer learning for brain-computer interfaces: a Euclidean space data alignment approach. IEEE Trans Biomed Eng, 2019, 67: 399–410

    Article  Google Scholar 

  19. He H, Wu D R. Different set domain adaptation for brain-computer interfaces: a label alignment approach. IEEE Trans Neural Syst Rehabil Eng, 2020, 28: 1091–1108

    Article  Google Scholar 

  20. Zhang X, Wu D R. On the vulnerability of CNN classifiers in EEG-based BCIs. IEEE Trans Neural Syst Rehabil Eng, 2019, 27: 814–825

    Article  Google Scholar 

  21. Liu Z H, Meng L B, Zhang X, et al. Universal adversarial perturbations for CNN classifiers in EEG-based BCIs. J Neural Eng, 2021, 18: 0460a4

    Article  Google Scholar 

  22. Zhang X, Wu D R, Ding L Y, et al. Tiny noise, big mistakes: adversarial perturbations induce errors in brain-computer interface spellers. Natl Sci Rev, 2021, 8: 233

    Article  Google Scholar 

  23. Meng L B, Wu D R, Huang J, et al. EEG-based brain-computer interfaces are vulnerable to backdoor attacks. 2020. ArXiv:2011.00101

  24. Bian R, Meng L B, Wu D R. SSVEP-based brain-computer interfaces are vulnerable to square wave attacks. Sci China Inf Sci, 2022, 65: 140406

    Article  Google Scholar 

  25. Gu T Y, Dolan-Gavitt B, Garg S. Badnets: identifying vulnerabilities in the machine learning model supply chain. 2017. ArXiv:1708.06733

  26. Brown T B, Mané D, Roy A, et al. Adversarial patch. In: Proceedings of Advances in Neural Information Processing Systems, Long Beach, 2017

  27. Carlini N, Wagner D. Audio adversarial examples: targeted attacks on speech-to-text. In: Proceedings of IEEE Symposium on Security and Privacy, San Francisco, 2018. 1–7

  28. Qayyum A, Usama M, Qadir J, et al. Securing connected & autonomous vehicles: challenges posed by adversarial machine learning and the way forward. IEEE Commun Surv Tut, 2020, 22: 998–1026

    Article  Google Scholar 

  29. Rezaei S, Liu X. A target-agnostic attack on deep models: exploiting security vulnerabilities of transfer learning. In: Proceedings of International Conference on Learning Representations, 2020

  30. Wang B L, Yao Y S, Viswanath B, et al. With great training comes great vulnerability: practical attacks against transfer learning. In: Proceedings of the 27th USENIX Security Symposium, Baltimore, 2018. 1281–1297

  31. Wang S, Nepal S, Rudolph C, et al. Backdoor attacks against transfer learning with pre-trained deep learning models. IEEE Trans Serv Comput, 2022, 15: 1526–1539

    Article  Google Scholar 

  32. Kurita K, Michel P, Neubig G. Weight poisoning attacks on pretrained models. In: Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics, 2020

  33. Settles B. Active Learning Literature Survey. Computer Sciences Technical Report 1648, University of Wisconsin-Madison, 2009

  34. Settles B, Craven M. An analysis of active learning strategies for sequence labeling tasks. In: Proceedings of Conference on Empirical Methods in Natural Language Processing, Honolulu, 2008. 1070–1079

  35. Cai W B, Zhang Y X, Zhang Y, et al. Active learning for classification with maximum model change. ACM Trans Inf Syst, 2017, 36: 1–28

    Article  Google Scholar 

  36. Wu D R. Pool-based sequential active learning for regression. IEEE Trans Neural Netw Learn Syst, 2019, 30: 1348–1359

    Article  MathSciNet  Google Scholar 

  37. Wu D R, Lin C T, Huang J. Active learning for regression using greedy sampling. Inf Sci, 2019, 474: 90–105

    Article  MathSciNet  Google Scholar 

  38. Hoffmann U, Vesin J M, Ebrahimi T, et al. An efficient P300-based brain-computer interface for disabled subjects. J Neurosci Methods, 2008, 167: 115–125

    Article  Google Scholar 

  39. Margaux P, Emmanuel M, Sébastien D, et al. Objective and subjective evaluation of online error correction during P300-based spelling. Adv Hum-Comput Int, 2012, 2012: 1–13

    Article  Google Scholar 

  40. Tangermann M, Müller K R, Aertsen A, et al. Review of the BCI competition IV. Front Neurosci, 2012, 6: 55

    Article  Google Scholar 

  41. Blankertz B, Dornhege G, Krauledat M, et al. The non-invasive Berlin brain-computer interface: fast acquisition of effective performance in untrained subjects. NeuroImage, 2007, 37: 539–550

    Article  Google Scholar 

  42. Lawhern V J, Solon A J, Waytowich N R, et al. EEGNet: a compact convolutional neural network for EEG-based brain-computer interfaces. J Neural Eng, 2018, 15: 056013

    Article  Google Scholar 

  43. Schirrmeister R T, Springenberg J T, Fiederer L D J, et al. Deep learning with convolutional neural networks for EEG decoding and visualization. Hum Brain Mapp, 2017, 38: 5391–5420

    Article  Google Scholar 

  44. Kostas D, Rudzicz F. Thinker invariance: enabling deep neural networks for BCI across more people. J Neural Eng, 2020, 17: 056008

    Article  Google Scholar 

  45. Yao Y, Li H, Zheng H, et al. Latent backdoor attacks on deep neural networks. In: Proceedings of Conference on Computer and Communications Security, London, 2019. 2041–2055

  46. Wang H, Sreenivasan K, Rajput S, et al. Attack of the tails: yes, you really can backdoor federated learning. In: Proceedings of Advances in Neural Information Processing Systems, 2020. 16070–16084

  47. Liu K, Dolan-Gavitt, Garg S. Fine-pruning: defending against backdooring attacks on deep neural networks. In: Research in Attacks, Intrusions, and Defenses. Berlin: Springer, 2018. 273–294

    Chapter  Google Scholar 

  48. Liu Y, Xie Y, Srivastava A. Neural trojans. In: Proceedings of IEEE International Conference on Computer Design, Boston, 2017. 45–48

  49. Borgnia E, Cherepanova V, Fowl L, et al. Strong data augmentation sanitizes poisoning and backdoor attacks without an accuracy tradeoff. In: Proceedings of IEEE International Conference on Acoustics, Speech and Signal Processing, 2021. 3855–3859

  50. Li Y M, Zhai T Q, Wu B Y, et al. Rethinking the trigger of backdoor attack. 2020. ArXiv:2004.04692

  51. Freer D, Yang G Z. Data augmentation for self-paced motor imagery classification with C-LSTM. J Neural Eng, 2020, 17: 016041

    Article  Google Scholar 

  52. Xia K, Deng L F, Duch W, et al. Privacy-preserving domain adaptation for motor imagery-based brain-computer interfaces. IEEE Trans Biomed Eng, 2022, 69: 3365–3376

    Article  Google Scholar 

  53. Rivet B, Souloumiac A, Attina V, et al. xDAWN algorithm to enhance evoked potentials: application to brain-computer interface. IEEE Trans Biomed Eng, 2009, 56: 2035–2043

    Article  Google Scholar 

  54. Ramoser H, Müller-Gerking J, Pfurtscheller G. Optimal spatial filtering of single trial EEG during imagined hand movement. IEEE Trans Rehab Eng, 2000, 8: 441–446

    Article  Google Scholar 

Download references

Acknowledgements

This work was supported by Open Research Projects of Zhejiang Lab (Grnat No. 2021KE0AB04), Technology Innovation Project of Hubei Province of China (Grnat No. 2019AEA171), and Hubei Province Funds for Distinguished Young Scholars (Grnat No. 2020CFA050).

Author information

Authors and Affiliations

  1. School of Artificial Intelligence and Automation, Huazhong University of Science and Technology, Wuhan, 430074, China

    Xue Jiang, Lubin Meng, Siyang Li & Dongrui Wu

  2. Zhejiang Lab, Hangzhou, 311121, China

    Dongrui Wu

Authors
  1. Xue Jiang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Lubin Meng
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Siyang Li
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Dongrui Wu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Dongrui Wu.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Jiang, X., Meng, L., Li, S. et al. Active poisoning: efficient backdoor attacks on transfer learning-based brain-computer interfaces. Sci. China Inf. Sci. 66, 182402 (2023). https://doi.org/10.1007/s11432-022-3548-2

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1007/s11432-022-3548-2

Keywords

Search

Navigation