Active Learning for Black-Box Adversarial Attacks in EEG-Based Brain-Computer Interfaces

TL;DR

This paper introduces an active learning framework to enhance the efficiency of black-box adversarial attacks on EEG-based brain-computer interfaces by reducing the number of queries needed to train effective substitute models.

Contribution

It is the first to combine active learning with adversarial attacks in EEG-based BCIs, significantly improving query efficiency for transferability-based black-box attacks.

Findings

Improved attack success rate with fewer queries.

Active learning reduces the number of queries needed.

Effective across multiple CNN classifiers and EEG datasets.

Abstract

Deep learning has made significant breakthroughs in many fields, including electroencephalogram (EEG) based brain-computer interfaces (BCIs). However, deep learning models are vulnerable to adversarial attacks, in which deliberately designed small perturbations are added to the benign input samples to fool the deep learning model and degrade its performance. This paper considers transferability-based black-box attacks, where the attacker trains a substitute model to approximate the target model, and then generates adversarial examples from the substitute model to attack the target model. Learning a good substitute model is critical to the success of these attacks, but it requires a large number of queries to the target model. We propose a novel framework which uses query synthesis based active learning to improve the query efficiency in training the substitute model. Experiments on three convolutional neural network (CNN) classifiers and three EEG datasets demonstrated that our method can improve the attack success rate with the same number of queries, or, in other words, our method requires fewer queries to achieve a desired attack performance. To our knowledge, this is the first work that integrates active learning and adversarial attacks for EEG-based BCIs.