Tiny noise, big mistakes: adversarial perturbations induce errors in brain–computer interface spellers

作     者：Xiao Zhang Dongrui Wu Lieyun Ding Hanbin Luo Chin-Teng Lin Tzyy-Ping Jung Ricardo Chavarriaga Xiao Zhang;Dongrui Wu;Lieyun Ding;Hanbin Luo;Chin-Teng Lin;Tzyy-Ping Jung;Ricardo Chavarriaga

作者机构：Ministry of Education Key Laboratory of Image Processing and Intelligent ControlSchool of Artificial Intelligence and AutomationHuazhong University of Science and Technology School of Civil Engineering and Mechanics Huazhong University of Science and Technology Centre of Artificial IntelligenceFaculty of Engineering and Information Technology University of Technology Sydney Swartz Center for Computational NeuroscienceInstitute for Neural ComputationUniversity of California San Diego Center for Advanced Neurological Engineering Institute of Engineering in Medicine University of California San Diego ZHAW Data LabZürich University of Applied Sciences 

出 版 物：《National Science Review》 (国家科学评论(英文版))

年 卷 期：2021年第8卷第4期

页      面：78-90页

核心收录：

学科分类：0831[工学-生物医学工程（可授工学、理学、医学学位）] 08[工学] 0836[工学-生物工程] 

基　　金：supported by the Technology Innovation Project of Hubei Province of China (2019AEA171) the Hubei Province Funds for Distinguished Young Scholars (2020CFA050) the National Natural Science Foundation of China (61873321 and U1913207) the International Science and Technology Cooperation Program of China (2017YFE0128300) the Overseas Expertise Introduction Project for Discipline Innovation (111Project) on Computational Intelligence and Intelligent Control(B18024) 

主　　题：electroencephalogram brain-computer interfaces BCI spellers adversarial examples 

摘      要：An electroencephalogram(EEG)-based brain–computer interface(BCI) speller allows a user to input text to a computer by thought. It is particularly useful to severely disabled individuals, e.g. amyotrophic lateral sclerosis patients, who have no other effective means of communication with another person or a *** studies so far focused on making EEG-based BCI spellers faster and more reliable; however, few have considered their security. This study, for the first time, shows that P300 and steady-state visual evoked potential BCI spellers are very vulnerable, i.e. they can be severely attacked by adversarial perturbations,which are too tiny to be noticed when added to EEG signals, but can mislead the spellers to spell anything the attacker wants. The consequence could range from merely user frustration to severe misdiagnosis in clinical applications. We hope our research can attract more attention to the security of EEG-based BCI spellers, and more broadly, EEG-based BCIs, which has received little attention before.