Active Learning for Black-Box Adversarial Attacks in EEG-Based Brain-Computer Interfaces
This work addresses the vulnerability of deep learning models in EEG-based BCIs to adversarial attacks, offering a more efficient attack method for security testing, though it is incremental as it adapts existing active learning techniques to a new domain.
The paper tackles the problem of query-efficient black-box adversarial attacks on EEG-based brain-computer interfaces by proposing an active learning framework to train substitute models, resulting in improved attack success rates with fewer queries compared to baseline methods.
Deep learning has made significant breakthroughs in many fields, including electroencephalogram (EEG) based brain-computer interfaces (BCIs). However, deep learning models are vulnerable to adversarial attacks, in which deliberately designed small perturbations are added to the benign input samples to fool the deep learning model and degrade its performance. This paper considers transferability-based black-box attacks, where the attacker trains a substitute model to approximate the target model, and then generates adversarial examples from the substitute model to attack the target model. Learning a good substitute model is critical to the success of these attacks, but it requires a large number of queries to the target model. We propose a novel framework which uses query synthesis based active learning to improve the query efficiency in training the substitute model. Experiments on three convolutional neural network (CNN) classifiers and three EEG datasets demonstrated that our method can improve the attack success rate with the same number of queries, or, in other words, our method requires fewer queries to achieve a desired attack performance. To our knowledge, this is the first work that integrates active learning and adversarial attacks for EEG-based BCIs.