ManiBCI: Manipulating EEG BCI with Invisible and Robust Backdoor Attack via Frequency Transform
This paper proposes an invisible and robust backdoor attack for EEG BCIs.
Abstract
Reviews and Discussion
The paper presents ManiBCI, a novel backdoor attack method targeting EEG-based brain-computer interface (BCI) systems. ManiBCI leverages a three-stage clean label poisoning approach without needing access to the training phase of the target deep learning models. This method optimally selects EEG electrodes and frequency masks for each class using reinforcement learning. The attack involves injecting these learned masks into the EEG data, leading to high misclassification rates while maintaining the original task's accuracy. Extensive experiments on three EEG datasets demonstrate ManiBCI's effectiveness and robustness. The key contributions of this work are: (1) Introducing a new type of stealthy and effective backdoor attack for EEG data. (2) Proposing a method that can manipulate multiple classes simultaneously without requiring control over the model's training process. (3) Providing experimental evidence of the attack's success across various datasets. This research highlights potential vulnerabilities in EEG-based BCI systems, emphasizing the need for robust defense mechanisms.
Strengths
- Introduces a novel and stealthy backdoor attack method for EEG-based BCI systems using frequency transform.
- Demonstrates the ability to manipulate multiple target classes without needing access to the model's training phase.
- Provides strong experimental evidence of the method's effectiveness and robustness across multiple EEG datasets.
Weaknesses
- Standard baselines (fast gradient sign method and universal adversarial perturbation) are not included for comparison [1][2]
- Limited to the datasets used in the experiments, raising questions about generalizability to other EEG datasets or real-world scenarios.
- The practical implementation of the proposed attack might be complex and computationally intensive due to the need for reinforcement learning optimization.
[1] Xiao Zhang and Dongrui Wu. On the vulnerability of CNN classifiers in EEG-based BCIs. IEEE Transactions on Neural Systems and Rehabilitation Engineering, 27(5):814–825, 2019.
[2] Zihan Liu, Lubin Meng, Xiao Zhang, Weili Fang, and Dongrui Wu. Universal adversarial perturbations for CNN classifiers in EEG-based BCIs, 2021.
Questions
None
Limitations
Yes
Thanks for your valuable comments, and we'd like to express our appreciation that the novelty and strong experimental evidence of our work are well recognized. Below we have addressed your questions and concerns point-by-point.
Standard baselines (fast gradient sign method and universal adversarial perturbation) are not included for comparison [1,2]
Thanks for providing the additional references. Actually, we have compared these adversarial-based methods [1,2] in our work (the baseline AdverMT). [1,2] are about adversarial perturbation on EEG BCI models, which is not the same as backdoor attack.
Although backdoor and adversarial attacks are all about the vulnerability of deep models, backdoor attacks are different from adversarial perturbation in two ways: (1) Attacking phase: while adversarial perturbation attacks the model in the inference phase, backdoor attack injects a backdoor in the training phase; (2) Attacking objective: while adversarial perturbation aims to let deep models misclassify (the attacker doesn't care about the target class models will misclassify), backdoor attack aims to let deep models misclassify the samples with particular triggers to target class (the attacker clearly knows the target classes models will misclassify, thus can manipulate the model's output by injecting different triggers).
The adversarial perturbation can also be used as a trigger for backdoor attack, which has been researched in [3]. In our paper, we have compared [3] (the baseline AdverMT) at the multi-trigger and multi-target settings. As the adversarial perturbation is designed for single-target attack, it fails to attack multi-target classes. Please kindly refer to Table 1, it can be observed that our ManiBCI outperforms the adversarial-based backdoor attacks.
Limited to the datasets used in the experiments, raising questions about generalizability to other EEG datasets or real-world scenarios.
EEG BCI tasks are diverse and cannot be investigated within a single paper. What we can do is meticulously select some representative datasets to evaluate our methods. The datasets we used cover three widely-studied tasks, and the configurations of EEG signals from these three datasets are quite different from each other:
| Dataset | Emotion Recognition | Motor Imagery | Epilepsy Detection | P300 |
|---|---|---|---|---|
| Montages | unipolar | unipolar | bipolar | unipolar |
| Electrodes | 62 | 22 | 23 | 8 |
| Sampling Rates | 200 Hz | 250 Hz | 256 Hz | 250 Hz |
From table 1, our ManiBCI has been proven to be effective when facing various EEG signals with diverse montages, electrode numbers, and sampling rates. Namely, our work is generalizable when facing various situations. Hence, we have to argue that even though our methods are evaluated on three datasets (not more datasets), this does not negate the generalizability of our work to other EEG datasets or real-world scenarios.
Furthermore, we evaluate our ManiBCI on another public dataset which studies the P300 tasks [4,5]. The attack performances of three different EEG models on the dataset are still excellent:
| | Clean | ASR | 0 | 1 |
|---|---|---|---|---|
| EEGNet | 0.818 | 0.993 | 1.000 | 0.986 |
| DeepCNN | 0.807 | 0.940 | 0.997 | 0.883 |
| LSTM | 0.779 | 0.855 | 0.995 | 0.714 |
It is worth mentioning that these results are obtained by only running the reinforcement learning 30 iterations, which takes only 0.5 hour on each model. These results can be another strong evidence to demonstrate the generalizability to other EEG datasets and real-world scenarios. Since our ManiBCI has successfully attacked EEG models on four different EEG tasks (emotion recognition, motor imagery, epilepsy detection, and P300 spell), where the EEG configurations of these four datasets are all different from each other.
The practical implementation of the proposed attack might be complex and computationally intensive due to the need for reinforcement learning optimization.
We can't agree more that it is a little more time-consuming for the reinforcement learning (RL) optimization (which has been discussed in the Limitations sections in Appendix). Here, we present three ways to mitigate these problems:
- Do not use any optimization algorithm and choose the injecting strategies randomly, which has a relatively good attack performance. As shown in Table 2, for random strategies, the ASRs are 0.771 for 3-classes, 0.857 for 4-classes, and 0.721 for 4-classes, all significantly exceeding chance levels.
- Reducing the iteration numbers of the RL. The time we reported in Table 2 are counted when running K=250 iterations of RL. However, from Figure 14 in the appendix, it can be seen that though the learning of RL is nonstationary, some strategies with relatively high performances are acquired within the first 50 iterations. Hence, we can adjust the iteration according to actual requirements, e.g., in our experiments we can reduce the K to K=50 and save 80% of optimization time while not harming performance much.
- Using tremendous EEG data, it might be possible that a general injecting strategy can be learned for each EEG BCI task, which can achieve a relatively good performance without any adaptations.
We anticipate that future studies can further refine and enhance the optimization process, leading to even more efficient, invisible, and robust backdoor attacks for EEG modality.
[1] X Zhang, et al. "On the vulnerability of CNN classifiers in EEG-based BCIs", IEEE TNSRE, 27(5):814–825, 2019.
[2] Z Liu, et al. "Universal adversarial perturbations for CNN classifiers in EEG-based BCIs", 2021.
[3] L. Meng, et al. "Adversarial filtering based evasion and backdoor attacks to EEG-based brain-computer interfaces", Information Fusion, 2024.
[4] U. Hoffmann, et al. "An efficient P300-based brain-computer interface for disabled subjects", J. Neurosci.Methods, 2008.
[5] Rodrigo Ramele. P300-Dataset. https://www.kaggle.com/datasets/rramele/p300samplingdataset
Thank you for the detailed rebuttal. I have read it thoroughly. As I mentioned that 'my assessment is an educated guess,' I will not make the judgment alone but will discuss it with other reviewers to reach a comprehensive decision. Thank you.
Thank you for carefully reading our paper and responses! Our work is a relatively new direction and we fully understand your decision. If you have further questions and concerns, please feel free to ask us and we're quite willing to address your questions. Thanks again!
This paper proposes a backdoor attack strategy for EEG, addressing three inherent issues: low quality, task variances, and morphology variances. The authors introduced a three-stage clean label poisoning attack. The proposed algorithm has been evaluated on three EEG datasets, demonstrating its effectiveness and robustness across datasets. This is an interesting work investigating backdoor attacks on EEG, and the customized strategy shows effectiveness in this particular domain. I believe this contribution will be beneficial to the community.
Strengths
- This is a very interesting work, investigating backdoor attacks on EEG, and the customized strategy shows effectiveness in this particular domain.
- The experiments are relatively sufficient and validate the claimed contributions adequately.
Weaknesses
- I am not an expert in the BA domain. In terms of general EEG analysis, one of my main concerns is the experiment settings. In normal EEG analysis domain, we usually set inter-subject and intra-subject settings. I failed to see the clarifications of these experiment settings. Whether this strategy can work across subjects, and generalize on the EEG signals collected from new/unseen subject?
Questions
As mentioned in the Weakness area, please clarify the experimental settings.
Limitations
The limitations mentioned by the authors are appreciated.
We truly thank you for your appreciation of our work and the positive comments of "a very interesting work". Our point-by-point responses are as follows.
In terms of general EEG analysis, one of my main concerns is the experiment settings. In normal EEG analysis domain, we usually set inter-subject and intra-subject settings. I failed to see the clarifications of these experiment settings. Whether this strategy can work across subjects, and generalize on the EEG signals collected from new/unseen subject?
Our methods can work under both inter-subject and intra-subject settings. For EEG BCI, it is easier and has better performance under intra-subject setting, or the subject-dependent setting due to the inter-subject variability of EEG data. In our previous experiments, our ManiBCI attack has excellent performances under the intra-subject setting, achieving attack success rate (ASR) of over 90% on three datasets while not influencing clean accuracy (CA).
However, only using one's EEG data is simple and not generalizable, thus, we follow the previous EEG backdoor attack work [1] and adopt the same poisoning attack process. This poisoning attack is an inter-subject setting, presenting more challenges but will have a wider application for more scenarios. The whole attack process is as follows:
1. For a dataset containing N subjects, we select one subject as the poisoning set D_p, and only use the EEG data from D_p to generate poisoned data. Thus, the poisoned data all comes from the selected subject.
2. We perform a cross-validation test on the remaining N-1 subjects, that is, select one subject as the test set D_test, and the remaining N-2 subjects compose the training set D_train.
3. Randomly choose C triggers from D_p, where C is the number of classes.
4. Run the reinforcement learning on the D_p, D_train, and D_test. Specifically, the policy network outputs a policy P, and we generate the poisoned data S_p with EEG data from D_p using P. Combine S_p and D_train to acquire the dataset S and train a backdoor model on S. Calculate the CA and ASR of the backdoor model on D_test. Finally, update the policy network with the testing CA and ASR.
5. After we run the reinforcement learning multiple times and get the final best policy P, adopt the policy P to generate poisoned data, train the backdoor model, and calculate the best CA and ASR on D_test.
6. Back to step 2, and choose the next subject from the N-1 subjects as the new test set D_test, and the remaining N-2 subjects compose the training set D_train. We have to choose every single subject as the test set, resulting in the process repeating N-1 times. At last, we reported the average of these N-1 results as our final results.
This whole process will run 3 times (choose 3 different subjects as poisoning set D_p for eliminating the influence of the selection of poisoned subjects). Actually, we have briefly described the whole process in section 3.1 from line 106-116 due to the page limitation. Of course, our response is more detailed and hope it can address your concerns. If you want to know the details of our ManiBCI, please kindly refer to the PDF file in the general response, where we write an algorithm to demonstrate the process of frequency injection and reinforcement learning.
[1] L. Meng, et al. “EEG-based brain-computer interfaces are vulnerable to backdoor attacks,” IEEE Transactions on Neural Systems and Rehabilitation Engineering, 2023.
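The inter-subject evaluation protocol described in the rebuttal above, as an added example that is not the authors' code: it enumerates the (D_p, D_test, D_train) splits and averages CA and ASR the way the steps describe, which is the bookkeeping needed when measuring how a model behaves under this threat model. The function names, the constructed subject ids and labels, and the per-target ASR definition (non-target test samples predicted as the target once that class's trigger is present) are assumptions; predictions are supplied by the caller.

```python
from statistics import mean


def inter_subject_folds(subjects, poison_subjects):
    """Yield (d_p, d_test, d_train) for every run of the protocol.

    For each poisoning subject D_p, each of the remaining N-1 subjects is
    D_test exactly once and the other N-2 subjects form D_train.
    """
    subjects = list(subjects)
    if len(set(subjects)) != len(subjects):
        raise ValueError("subject ids must be unique")
    if len(subjects) < 3:
        raise ValueError("need at least three subjects: D_p, D_test, D_train")
    for d_p in poison_subjects:
        if d_p not in subjects:
            raise ValueError(f"unknown poisoning subject: {d_p!r}")
        rest = [s for s in subjects if s != d_p]        # the N-1 subjects
        for d_test in rest:                             # each is D_test once
            d_train = [s for s in rest if s != d_test]  # the other N-2
            yield d_p, d_test, d_train


def clean_accuracy(y_true, y_pred):
    """CA: accuracy on untouched test samples."""
    if not y_true or len(y_true) != len(y_pred):
        raise ValueError("labels and predictions must be non-empty and aligned")
    return sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)


def attack_success_rate(y_true, y_pred_triggered, target):
    """ASR for one target class (assumed definition, see lead-in).

    Samples whose true label already equals the target are excluded, since
    predicting the target for them says nothing about the trigger.
    """
    if len(y_true) != len(y_pred_triggered):
        raise ValueError("labels and predictions must be aligned")
    hits = [p == target
            for t, p in zip(y_true, y_pred_triggered) if t != target]
    if not hits:
        raise ValueError("no non-target samples to score")
    return sum(hits) / len(hits)


def aggregate(fold_scores):
    """Average (CA, ASR) over the N-1 folds per D_p, then over the D_p runs.

    fold_scores maps each poisoning subject to its list of (ca, asr) pairs.
    """
    per_subject = {
        d_p: (mean(ca for ca, _ in scores), mean(asr for _, asr in scores))
        for d_p, scores in fold_scores.items()
    }
    overall = (mean(ca for ca, _ in per_subject.values()),
               mean(asr for _, asr in per_subject.values()))
    return per_subject, overall


if __name__ == "__main__":
    # Constructed subject ids: N = 5, three different poisoning subjects.
    folds = list(inter_subject_folds(["S1", "S2", "S3", "S4", "S5"],
                                     ["S1", "S2", "S3"]))
    print(len(folds), "training runs in total")
    # Constructed labels for one fold of a two-class task.
    y_true = [0, 1, 1, 0]
    print("CA :", clean_accuracy(y_true, [0, 1, 0, 0]))
    print("ASR:", attack_success_rate(y_true, [1, 1, 1, 0], target=1))
```

With N subjects and three poisoning subjects the protocol costs 3 × (N-1) full training runs, each of which the rebuttal wraps in a reinforcement-learning loop.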
Unfortunately, the authors begin the manuscript by demonstrating a lack of knowledge about the topic. They claim that deep learning (DL) has been highly successful in the field of brain-computer interfaces (BCI) based on electroencephalogram (EEG) data. However, in reality, the application of deep learning in the BCI or EEG field is limited, and shallow learning with simple hand-engineered features is still the gold standard. Therefore, the paper's claims about the vulnerabilities of machine learning models seem to be more like science fiction and do not meet the standard of the NeurIPS.
Strengths
Hard to spot any strength as this is an artificial toy example.
Weaknesses
Lack of connection with real-world problems, especially the BCI and EEG fields, where shallow learning remains gold standards with non-existent vulnerabilities. ML in BCI has been trained for each subject at the bedside.
Questions
Why did the authors create a science fiction problem that doesn't exist and then develop a theoretical methodology for it?
Limitations
No application in the real world and a completely trivial problem below conference standards.
We thank the reviewer for your time and effort in reviewing our work. We are learning from all the feedback from the reviewers and feel that this is a great opportunity to exchange ideas deeply. Therefore, we're making the following statements to ignite more discussion since we value more on the advances of the whole EEG BCI area.
However, in reality, the application of deep learning in the BCI or EEG field is limited, and shallow learning with simple hand-engineered features is still the gold standard.
We acknowledge that for specific EEG BCI field like seizure detection, simple hand-engineered features are still the gold standard due to the interpretability of these features has been well studied for decades. For the clinical field, the interpretability plays the most important role in making responsible diagnosis.
However, EEG BCI's applications are not constrained within the clinical field. EEG (especially scalp EEG) has been widely applied for many other interesting neuroscience researches, like decoding visual perceptions [1] and emotion recognition [2]. In [3], Deep ConvNet achieves better performance than Shallow ConvNet on some tasks. Recently, deep models pre-trained on large EEG dataset significantly outperforms the shallow models in a wide range of EEG field [4, 5].
Also, adopting hand-engineered features does not conflict with deep learning methods. In [4], DE feature is first extracted from EEG, then is used for pre-training the powerful deep encoders via masking.
But should we rely solely on hand-engineered features? The most common features of EEG are power spectral density (PSD) and differential entropy (DE), which are all calculated using the frequency information of an EEG segment. For a T-length EEG segment, the PSD or DE feature only extracts a single value from it, resulting in the massive loss of information (T values -> 1 value). Of course, it is effective and convenient when datasets and computing resources were relatively small, but we should acknowledge that hand-engineered features can be biased and will ignore some information (like DE amplifies the differences in high-frequency bands).
Next, we would like to share some opinions of deep learning vs shallow learning. Data is the key factor for training deep models, if there is not enough data, deep models will overfit to the training set and thus are not competitive with shallow models. Let's take computer vision as an example, looking back to the era when there is no big dataset like ImageNet, the shallow learning with simple hand-engineered features (e.g., SIFT and HOG) was the gold standard for image classification. But what happened after the proposition of big dataset? Firstly, the Alexnet outperforms all hand-engineered features with 8 convolutional layers [7]. Then Resnet refreshed the record with up to 152 layers [8]. Until 2024, the deep models are already far ahead in CV for decades.
Limited by the EEG signal acquisition technology in the past years, the amount of EEG data is too small to train good deep models. But with the development of EEG acquisition technology and more EEG data being collected, some works have already trained powerful deep encoders with tremendous EEG data that outperform shallow net [4,5].
With the amount of EEG data becoming larger, why not embrace the deep learning that has been revolutionizing many fields? We can see the success of AlphaGO, AlphaFold, and ChatGPT, and we hope scientists can develop a powerful EEG model (like detecting epilepsy with 99% accuracy), which definitely will save lives of millions of people.
Lack of connection with real-world problems, ... Why did the authors create a science fiction problem ... ?
Security is always an important topic no matter it can work instantly or in the future for warning nowadays people of possible future safety issues. Seeing the promising future of deep learning for EEG BCI [4,5], there are large possibilities that deep EEG models will be deployed across diverse fields. Our work proposes a threatening security issue, which must be considered when deploying EEG models.
Moreover, the EEG models tested in our experiment contain some widely-used EEG models, like EEGNet [6] and Deep ConvNet [3], and a shallow network which only possesses one LSTM layer and a linear layer. The results demonstrated that these common EEG models are easily to be injected backdoors, suggesting that we must consider the threatening security issues. Thus we would like to argue that our work is not having “no application in the real world”. Instead, our work alerts people to the possibility that the EEG BCI models can actually be manipulated by an invisible and robust backdoor attack, which leads to severe results if ignored.
As discussed in the Broader Impacts, our ManiBCI can also be used for protecting intellectual property of EEG datasets and EEG models with watermarking, which also negates the comment that "lack of connection with real-world problems".
[1] Song Y, et al. "Decoding Natural Images from EEG for Object Recognition.", in ICLR, 2024
[2] Li X, et al. "EEG based emotion recognition: A tutorial and review." ACM Computing Surveys, 2022
[3] Schirrmeister, Robin Tibor, et al. "Deep learning with convolutional neural networks for EEG decoding and visualization." Human brain mapping, 2017
[4] Yi K, et al. "Learning topology-agnostic eeg representations with geometry-aware modeling.", in NeurIPS, 2023
[5] Jiang W-B, et al. "Large brain model for learning generic representations with tremendous EEG data in BCI." in ICLR, 2024
[6] V. J. Lawhern, et al. “EEGNet: a compact convolutional neural network for EEG-based brain-computer interfaces,” Journal of Neural Engineering, 2018
[7] K, Alex, et al. "Imagenet classification with deep convolutional neural networks.", in NeurIPS, 2012
[8] He, K, et al. "Deep residual learning for image recognition.", in CVPR, 2016
Thank you for your feedback. The reviewer, "a BCI practitioner," has carefully considered the authors' rebuttal and the comments from other reviewers. After all reviewers and the area chair have deliberated, the final decision will be made. Regrettably, the reviewer did not find the authors' detailed rebuttal convincing. The proposed idea, with all respect to the authors' efforts, appears to be artificial and unrealistic compared to the current state-of-the-art in BCI technology.
Thanks for your reply. With all respect to your expertise as a BCI practitioner, we hold an opposite opinion as BCI researchers. It is a very common phenomenon that there is a preference gap between practical application and academic research. The industry needs application that works now, while the academia prefers future-oriented research. Of course, it is impossible for everyone to have the same research philosophy.
We respect your different opinions. But we believe our work, which studies the problems arising in the future, is a good and novel work.
This paper presents an EEG backdoor for manipulating EEG BCI, called ManiBCI, where the adversary can arbitrarily control the output for any input samples. Experiments conducted on three EEG datasets demonstrate the effectiveness of ManiBCI, which easily bypasses existing backdoor defenses.
Strengths
- A backdoor attack for EEG BCI where the adversary can arbitrarily manipulate which target class the EEG BCI will misclassify without engaging the training stage.
- The use of EEG electrodes and frequencies in EEG backdoor attacks with reinforcement learning.
- Several experiments have been conducted to assess the proposed method.
Weaknesses
- The proposed methodology is not well described. It is mainly based on the application of Fourier transform and reinforcement learning.
Questions
It is suggested to describe well the proposed method by highlighting the novelty and originality of the proposed contribution. It is also suggested to summarize the proposed method as an algorithm.
Limitations
Yes. The limitations were addressed in Appendix.
Thanks for your valuable comments. Below we have addressed your questions and concerns point-by-point.
Weaknesses
The proposed methodology is not well described. It is mainly based on the application of Fourier transform (FFT) and reinforcement learning (RL).
Thanks for your advice, there is absolutely room for improvement in our descriptions of methods, and we will refine our paper. We submit the algorithm in the general response's PDF file, please kindly refer to it.
Meanwhile, we would like to take this opportunity to emphasize that though our method builds upon the established techniques (FFT and RL), the novelty of our work is not in implementing these techniques per se. Instead, it lies in applying these techniques in a new and challenging domain: how to inject invisible and robust triggers into the EEG modality? Our work is at the intersection of safety and EEG BCI, where the focus is not solely on inventing new tricks or models for the RL or FFT. Before our work, the backdoor attacks designed for EEG modality either require engaging the training stage, or fail to maintain high stealthiness. Instead, our work successfully designed an invisible and robust trigger in the frequency domain without engaging the training stage, offering a novel perspective of backdoor attack for multi-channel EEG modality.
We appreciate that you can acknowledge these contributions when summarizing the strengths of our paper. Our work alerts people using EEG BCIs to potential safety issues and calls for defensive studies to counter ManiBCI for EEG modality. We truly value your suggestion and will add more details to the paper.
Questions
It is suggested to describe well the proposed method by highlighting the novelty and originality of the proposed contribution. It is also suggested to summarize the proposed method as an algorithm.
Thanks for your constructive and helpful suggestion! Adding an algorithm can make our method more readable and clear. We have written an algorithm and will add it in our future version. Please kindly refer to the PDF file in the general response.
Thank you for addressing my comments and also for the detailed rebuttal. A discussion will be made with other reviewers to reach a comprehensive decision.
We are glad for having addressed your concerns! We sincerely value the reviewer's suggestions and we will update the methodology section accordingly.
We are grateful to all four reviewers and AC/SACs for their valuable time, insightful comments, and useful suggestions. We will carefully revise our paper according to the comments. Our point-by-point response to the reviewers’ comments has been added to the individual chat box for each reviewer. We believe that the revised manuscript has been enhanced and the concerns have been well addressed.
Moreover, as requested by Reviewer hi3h, we submit the algorithm of our ManiBCI in the PDF file.
Many thanks again!
This paper develops a method to manipulate EEG training data to allow for multi-class backdoor attacks on EEG BCIs. Relative to prior work, the multi-class aspect (combined with the lack of need for modifying the training process) is emphasized as novel.
Reviewers raised the issue about how much of a practical real-world problem this is, especially given the success of non-deep learning approaches to EEG processing. Could these attacks be detected through comparing responses of non-deep and deep methods? It is also hard to imagine the practicality of infecting EEG data (which are generated by a few labs, or by the desired user) as opposed to an adversarial attack at inference time.
While the idea is interesting, given the high bar for NeurIPS papers, this paper was not in the top 20-25%.