 Research
 Open Access
Perturbing BEAMs: EEG adversarial attack to deep learning models for epilepsy diagnosing
BMC Medical Informatics and Decision Making volume 23, Article number: 115 (2023)
Abstract
Deep learning models have been widely used in electroencephalogram (EEG) analysis and have obtained excellent performance, but their adversarial attack and defense properties should be thoroughly studied before they are put to safety-sensitive use. This work exposes an important safety issue in deep-learning-based brain disease diagnostic systems by examining the vulnerability of deep learning models that diagnose epilepsy from brain electrical activity mappings (BEAMs) to white-box attacks. It proposes two methods, Gradient Perturbations of BEAMs (GPBEAM) and Gradient Perturbations of BEAMs with Differential Evolution (GPBEAM-DE), which generate EEG adversarial samples, for the first time, by perturbing BEAMs densely and sparsely respectively, and finds that these BEAMs-based adversarial samples can easily mislead deep learning models. The experiments use EEG data from the CHB-MIT dataset and two types of victim models, each with four different deep neural network (DNN) architectures. It is shown that: (1) the BEAM-based adversarial samples produced by the proposed methods are aggressive toward BEAM-related victim models, which use BEAMs as the input to internal DNN architectures, but not toward EEG-related victim models, which take raw EEG as the input to internal DNN architectures, with a top success rate of up to 0.8 when attacking BEAM-related models versus only 0.01 when attacking EEG-related models; (2) GPBEAM-DE outperforms GPBEAM when attacking the same victim model under the same distortion constraint, with top attack success rates of 0.8 and 0.59 respectively; (3) a simple modification to GPBEAM/GPBEAM-DE makes it aggressive toward both BEAM-related and EEG-related models (with top attack success rates of 0.8 and 0.64), and this capacity enhancement comes without any increase in distortion.
The goal of this study is not to attack any EEG medical diagnostic system, but to raise concerns about the safety of deep learning models and, hopefully, to lead to safer designs.
Introduction
Deep neural networks (DNNs) have been widely used for the analysis of common signals such as images and speech due to their excellent performance. Ullah et al. proposed a dense attention mechanism-based network (DAM-Net) [1] and a multi-task learning-based adversarial semi-supervised framework [2] for COVID-19 detection in chest X-rays. In [3], researchers proposed a novel fully automatic technique for segmenting brain tumor regions using a multi-scale residual attention UNet (MRA-UNet). To help diagnose brain disorders, Hossain et al. [4] and Ding et al. [5] proposed using convolutional neural networks (CNNs) to extract temporal features from the electroencephalography (EEG) data of epileptic patients to understand the general structure of seizures. In [6], researchers used a 1D CNN to detect EEG spectrograms of epileptic patients. Bashivan et al. [7] proposed a new method for learning feature representations from multi-channel EEG time series that preserves the structure of EEG data across space, time, and frequency.
However, DNNs can be misled when normal samples become adversarial examples through the addition of perturbations. Deep learning models have significant security concerns: Szegedy et al. [8] found that adding an imperceptible non-random perturbation to a picture can arbitrarily change a model's predictions; DNNs are also vulnerable to adversarial examples in physical-world scenarios [9]; and normal speech with adversarial perturbations can be transcribed into any phrase the attacker wishes, while sounding no different from normal speech [10]. The problems of adversarial attack and defense for medical and physiological DNN models have drawn some researchers' attention [11, 12]. Finlayson et al. [12] demonstrated that medical deep learning systems are subject to adversarial attacks. Zhang et al. [13] found that adversarial attacks could cause spelling errors in visual-perception-based spellers or put BCI-based wheelchairs out of the user's conscious control.
EEG is the most widely used clinical tool for measuring the electrical signals of the brain to understand the physiological and psychological activities of humans. From raw EEG signals, it is easy and convenient to detect amplitude features such as spikes, but not so easy to learn other kinds of information, such as spatial and frequency features. That is why many studies first extract useful empirical features from raw EEG signals and then feed them into deep neural network models, alone or together with the raw EEG [14, 15].
Brain electrical activity mappings (BEAMs) are topographic maps of brain EEG power in specified rhythms (frequency bands), which visually display the distribution of different spectra and power levels by anatomical site in the form of brain topography. BEAM is the earliest and most developed technique in quantitative EEG studies, serving as an advanced diagnostic tool for the evaluation of brain disease episodes and subsequent treatment. It has been widely and successfully applied and validated in clinical diagnosis [16], and its most frequent application is in epilepsy research, particularly as a method to localize epileptic foci and determine the type of epileptic syndrome [17, 18]. A clear advantage of BEAM over EEG is the improved diagnostic accuracy due to its high spatial resolution. The major advantage of BEAM for epileptic focus localization over other conventional neurofunctional studies (such as functional magnetic resonance imaging (fMRI) or positron emission tomography (PET)) is the high temporal resolution, which allows the initiation of epileptic activity to be separated from its rapid propagation [19, 20].
BEAM has become a very important diagnostic aid in neuroscience. Nevertheless, it was not developed as a replacement for EEG. As shown in Fig. 1, EEG and BEAMs are widely used together by doctors/models to detect the onset of brain diseases or to analyze brain activities [4, 16]. However, the analysis of adversarial attacks on EEG and BEAM is still lacking [11, 21, 22], which is far from adequate for the current boom in brain science. Amir et al. [23] first investigated the vulnerability of epilepsy detection systems and showed that adversarial attacks can make them diagnose seizures as non-epileptic. But they considered only SVM-based systems, and no studies had yet examined the vulnerability of deep learning models in brain disease (such as epilepsy) diagnosis systems.
In this paper, the vulnerability of deep learning models in brain disease diagnosis systems is studied for the first time, using epilepsy diagnosis as an example. Existing studies have generated EEG adversarial samples by perturbing the raw EEG signal, the EEG frequency representation, and the EEG spectrogram. This is the first study to generate EEG adversarial samples by perturbing BEAMs and to analyze the aggressiveness of these adversarial examples. This paper proposes two methods that generate EEG adversarial samples by perturbing BEAMs, and finds that these adversarial attacks can easily lead to misdiagnosis in BEAMs-based epilepsy diagnosis. The study exposes an important safety issue in brain disease diagnostic systems and will hopefully lead to safer system designs.
To summarize, the contributions of this paper are as follows:

1. An EEG white-box dense adversarial attack method is proposed. It generates EEG adversarial samples by imperceptibly perturbing all elements of the BEAMs and then converting and adding the perturbation on the BEAMs to the raw EEG samples (GPBEAM Section).

2. An EEG white-box sparse adversarial attack method is proposed. It generates EEG adversarial samples by imperceptibly perturbing only some elements of the BEAMs, leaving the attack possibly sparse along the dimensions of time slice, rhythm, and electrode (GPBEAM-DE Section).

3. As far as we know, this is the first time EEG adversarial samples are generated by perturbing BEAMs and used for the adversarial attack analysis of DNN models in brain disease diagnostic systems.

4. The study shows that small perturbations on EEG or BEAMs may lead to misdiagnosis of epilepsy, exposing a critical safety issue in the use of DNNs for brain disease diagnosis. The proposed methods can be used to test the vulnerability of existing systems and to help improve their defenses against adversarial attacks.
Related works
EEG adversarial attack to DNN architectures
Most of the work on EEG adversarial samples attacks models with classical machine learning architectures, such as support vector machines (SVM) [23], typical correlation analysis [13], and regression [24]; only a few attack models with DNN architectures [21, 22], although DNN architectures have been widely studied for EEG signal processing [7].
Jiang et al. [21] and Zhang et al. [22] attack EEG-related models that take raw EEG signals (two-dimensional time-channel data) as input to internal CNN architectures; Zhang et al. [13] attack frequency-related models that take the frequency representation (two-dimensional frequency-channel data) as input to typical correlation analysis. Zhang et al. [22] also attack spectrogram-related models that take the spectrogram (three-dimensional time-frequency-channel data) as input to an internal CNN architecture. In all these works, the perturbation on raw EEG signals can be obtained by calculating the gradient over the whole pipeline, because all steps are differentiable.
Unlike the above works, this paper makes white-box attacks on BEAM-related models that take BEAMs (four-dimensional time-rhythm-width-height data) as input to internal DNN architectures. Because the operation of converting EEG signals to BEAMs is not differentiable, this paper introduces several special steps to convert and add perturbations on the BEAMs to the raw EEG signal: a sampling operation that selects power perturbations for electrodes from the perturbations on BEAMs, an imposing operation that adds power perturbations to the frequency-domain representation of the raw EEG data, and an inversing operation that converts the perturbation-affected frequency-domain signals to time-domain signals via the Inverse Fast Fourier Transform (IFFT) and the wavelet packet transform (WPT). Besides CNN architectures, this paper also tests an RNN architecture and a hybrid CNN + RNN architecture. In addition, a simple modification is proposed to make the method aggressive toward both BEAM-related and EEG-related models, and this capacity enhancement comes without any increase in distortion. The main differences between this study and existing studies of EEG white-box adversarial attacks are summarized in Table 1.
EEG sparse adversarial samples
A sparse adversarial sample is a special adversarial sample that needs only a small number of perturbed elements to deceive victim models. Under the same constraint on per-element perturbation size, sparse attacks, which perturb a few elements, usually have higher stealth but less aggressiveness than dense attacks, which perturb all elements. However, if the features perturbed by a sparse attack are representative of the sample, its aggressiveness may be only slightly lower than that of dense attacks [26].
The work in this paper is inspired mostly by research in non-EEG fields: Wei et al. [27] argue that, in a video classification task, perturbations added to one frame can be passed to subsequent frames through their temporal interaction, so not all frames need perturbation; Su et al. [28] find that attacking single pixels in an image using the Differential Evolution (DE) algorithm [29] can produce adversarial samples; Gao et al. [30] find that, in the case of a single-pixel attack, if the perturbation overflows, distributing the overflow to adjacent pixels can also produce adversarial samples.
Like Wei et al. [27], this study perturbs only some of the time slices of a sample, resulting in a sparse adversarial sample. Inspired by Su et al. [28], DE is used to select time slices and electrode channels of BEAMs on which to generate perturbations. As the number of perturbed elements increases, the efficiency of DE decreases exponentially. Therefore, this paper uses DE to perturb only some elements of the BEAMs, and lets their perturbations overflow to other elements, as in the work of Gao et al. [30].
The work of Feng et al. [25] is about EEG sparse adversarial attacks. Through adaptive masking, they automatically select the time step and electrode channel of the perturbation under sparse constraints. Unlike Feng et al., this paper attacks BEAMrelated models instead of EEGrelated models.
Extracting EEG rhythms
Extracting basic EEG rhythms, such as Delta (0.5–4 Hz), Theta (4–8 Hz), Alpha (8–13 Hz) and Beta (13–30 Hz) [31], is the key step in obtaining BEAMs.
There is still disagreement on how to extract rhythms during the conversion of EEG signals to BEAMs: for example, [32] uses band-pass filtering, [33] uses wavelet transforms, and [34] uses WPT. The wavelet transform is a time-frequency analysis method created to decompose non-stationary signals, and its multi-resolution characteristics make it suitable for feature extraction from non-stationary signals such as EEG. However, it subdivides only the low-frequency part of the signal, not the high-frequency part, so its resolution in the high-frequency part is poor. In contrast, WPT allows the high-frequency part to be subdivided as well, while retaining the advantages of the wavelet transform. Therefore, this paper uses WPT to extract EEG rhythms.
Method
This paper proposes two EEG adversarial sample generation methods: Gradient Perturbations of BEAMs (GPBEAM) and Gradient Perturbations of BEAMs with Differential Evolution (GPBEAM-DE). GPBEAM is a dense attack method. GPBEAM-DE is a sparse attack method that produces perturbations on only a small number of electrode points and assigns perturbations beyond the \(\epsilon\) constraint (\(\epsilon\) is used to ensure that the disturbance stays small) to other electrode points with the help of the sign information of GPBEAM's perturbation.
GPBEAM
GPBEAM can be divided into three parts (Fig. 2): generating BEAMs; generating the perturbation on the rhythm power array; and generating EEG adversarial samples. In the first part, WPT and FFT are used to extract the spectrum of each of B different rhythms from each time slice of the raw EEG data, each rhythm power is obtained by averaging the absolute value of the corresponding spectrum, and BEAMs are then constructed by mapping and interpolating these rhythm power values. In the second part, the adversarial perturbations on BEAMs are first obtained through a perturbation generation algorithm and then reconstructed as adversarial perturbations on the rhythm power array by sampling. In the third part, the adversarial perturbations on the rhythm power array are added to the frequency-domain rhythms, resulting in adversarial samples in the frequency domain, which are then reconstructed into EEG adversarial samples by IFFT and WPT.
Generating BEAMs
Figure 3 illustrates the process of converting a time slice of EEG data into BEAMs. This paper first extracts four fundamental rhythms from the raw EEG signal of each electrode using WPT and transforms these four rhythms from time series to frequency series using FFT; it then calculates the average power of each rhythm; finally, it maps the average powers of each rhythm at all electrodes into a two-dimensional head-shaped space and gives each point of this space a value by interpolation. The matrix that stores the distribution of the power values of a specific rhythm over the head-shaped space is a BEAM. The process is described in detail below (for simplicity of expression, the time index of the EEG time slice has been omitted).

A. Extracting time-domain and frequency-domain rhythms
WPT [34] is used to extract specified timedomain rhythms, \({Rhy}_{c}^{b},b=\mathrm{1,2},\dots ,B\) (in the paper they are signals in delta, theta, alpha, beta band respectively), from \({E}_{c}\in {\mathbb{R}}^{S\times 1}\) which is a time slice of the EEG signal from the \(c\) th electrode, as follows,
where WPT is the forward wavelet packet transform, which decomposes a time-domain signal into a set of wavelet coefficients, and IWPT is the inverse WPT, which reconstructs a time-domain signal from a set of wavelet coefficients. This paper uses the db1 wavelet function and \(\#layers=8\) for the WPT. The function \(filter({A}_{c},b)\) sets all wavelet coefficients in \({A}_{c}\) to zero except those representing rhythm \(b\).
FFT is used to extract the frequency-domain rhythms \({F}_{c}^{b}, b=1,2,\dots ,B\), from the time-domain rhythms \({Rhy}_{c}^{b}, b=1,2,\dots ,B\), as follows,
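As a concrete illustration of this step, the sketch below extracts the four rhythms with an FFT band mask; the spectral mask is a dependency-light substitute for the paper's WPT decomposition, and the band edges and function names are illustrative:

```python
import numpy as np

# Nominal rhythm bands in Hz (delta, theta, alpha, beta), as listed in the paper.
BANDS = {"delta": (0.5, 4.0), "theta": (4.0, 8.0),
         "alpha": (8.0, 13.0), "beta": (13.0, 30.0)}

def extract_rhythms(e_c, fs=256):
    """Split one electrode's time slice into per-band time-domain and
    frequency-domain rhythms. An FFT band mask stands in for the WPT
    decomposition used in the paper."""
    spectrum = np.fft.fft(e_c)
    freqs = np.fft.fftfreq(len(e_c), d=1.0 / fs)
    rhythms_t, rhythms_f = {}, {}
    for name, (lo, hi) in BANDS.items():
        mask = (np.abs(freqs) >= lo) & (np.abs(freqs) < hi)
        f_band = np.where(mask, spectrum, 0.0)     # F_c^b (frequency domain)
        rhythms_f[name] = f_band
        rhythms_t[name] = np.fft.ifft(f_band).real  # Rhy_c^b (time domain)
    return rhythms_t, rhythms_f
```

For a pure 10 Hz tone, the alpha-band time rhythm reproduces the input while the other bands stay near zero, which is a quick sanity check of the decomposition.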

B. Calculating rhythm power
The power of the \(b\) th rhythm of the \(c\) th electrode, \({P}_{c}^{b}\), is calculated from the frequencydomain rhythm \({F}_{c}^{b}\) as,
where S is the number of elements in \({F}_{c}^{b}\). Note that the rhythm powers from C electrodes, B bands and T time slices compose a rhythm power array \({\varvec{P}}\in {\mathbb{R}}^{C\times B\times T}\).
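A minimal sketch of the power computation, assuming the frequency-domain rhythms are stacked into one complex array; the axis order (T, B, C, S) is an illustrative choice (the paper writes \(P\in\mathbb{R}^{C\times B\times T}\)):

```python
import numpy as np

def rhythm_power_array(F):
    """F: complex frequency-domain rhythms of shape (T, B, C, S).
    Each rhythm's power is the mean absolute value of its S-point
    spectrum, matching the averaging described in the GPBEAM overview;
    the result is the rhythm power array P of shape (T, B, C)."""
    return np.abs(F).mean(axis=-1)
```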

C. Getting BEAMs
Let \({{\varvec{L}}}^{3{\varvec{d}}}=[{l}_{1}^{3d},{l}_{2}^{3d},\dots ,{l}_{C}^{3d}]\) be the 3D locations of the C electrodes on a head modeled as a sphere ([35], \({r}^{2}={x}^{2}+{y}^{2}+{z}^{2}, r=0.095\) m), \({{\varvec{L}}}^{2{\varvec{d}}}=[{l}_{1}^{2d},{l}_{2}^{2d},\dots ,{l}_{C}^{2d}]\) be the 2D locations of the C electrodes on the 2D flat head mapped from the 3D head through an equidistant azimuthal projection, which preserves the distance and direction from any point of the sphere to the center of projection, and \({{\varvec{P}}}^{b}=\left[{{P}_{1}^{b},P}_{2}^{b},\dots ,{P}_{C}^{b}\right]\) be the C powers for rhythm b. The minimum bounding rectangle of the 2D head is meshed with equal square units, giving a grid of size \(H\times W\). The 2D locations of the central points of these squares compose a matrix as,
The power values of rhythm b at these locations compose a power matrix \({BEAM}_{ }^{b}\) of size \(H\times W\). For each location \((h,w)\), the corresponding power value in \({BEAM}_{ }^{b}\) is calculated as,
where \(Interpolate\) is any interpolation function that estimates the value at location \((h,w)\) from the existing values \({{\varvec{P}}}^{b}\) and their locations \({{\varvec{L}}}^{2d}\). Here, cubic spline interpolation [36] is used, which satisfies the requirements of smoothness and minimum curvature at the nodes.
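The projection and interpolation steps might be sketched as follows; the grid construction and the use of SciPy's `griddata` (cubic interpolation standing in for the cubic spline of [36]) are illustrative assumptions:

```python
import numpy as np
from scipy.interpolate import griddata

def project_azimuthal_equidistant(loc3d):
    """Map 3-D electrode positions on a sphere to the 2-D flat head via
    the equidistant azimuthal projection: arc length from the vertex
    (+z axis, the assumed projection center) becomes the planar radius,
    preserving distance and direction to the center."""
    x, y, z = loc3d.T
    r = np.linalg.norm(loc3d, axis=1)
    theta = np.arccos(np.clip(z / r, -1.0, 1.0))  # polar angle from vertex
    phi = np.arctan2(y, x)                        # preserved direction
    rho = r * theta                               # preserved arc distance
    return np.stack([rho * np.cos(phi), rho * np.sin(phi)], axis=1)

def make_beam(loc2d, powers, H=22, W=22):
    """Interpolate the C electrode powers of one rhythm onto an H x W
    grid over the bounding rectangle of the 2-D electrode locations.
    Grid points outside the electrodes' convex hull are zero-filled."""
    xs = np.linspace(loc2d[:, 0].min(), loc2d[:, 0].max(), W)
    ys = np.linspace(loc2d[:, 1].min(), loc2d[:, 1].max(), H)
    gx, gy = np.meshgrid(xs, ys)                  # grids of shape (H, W)
    return griddata(loc2d, powers, (gx, gy), method="cubic", fill_value=0.0)
```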
Generating perturbation on rhythm power array
In this section, starting from an input \(BEAM\in {\mathbb{R}}^{T\times B\times H\times W}\), the process of obtaining the perturbation on the BEAMs, \({\upeta }_{BEAM}\in {\mathbb{R}}^{T\times B\times H\times W}\), and the perturbation on the rhythm power array, \({\eta }_{{\varvec{P}}}\in {\mathbb{R}}^{T\times B\times C}\), is described.

A. Getting perturbation on BEAMs
Any known adversarial sample generation algorithm that can take a tensor \(x\in {\mathbb{R}}^{T\times B\times H\times W}\) as input can be used in this method to generate the perturbation on BEAMs, so the perturbation generation algorithm itself is not the focus of this paper. Here, the fast gradient sign method (FGSM) [8] is used for its simplicity, as,
where \(\epsilon\) is a multiplier to ensure the perturbations are small; \(sign\) is the sign function; \({\theta }_{victim}\) are parameters of the victim model; \({y}_{true}\) is the true category of the input tensor \(BEAM\); \(\mathrm{J}(\uptheta ,BEAM,{\mathrm{y}}_{\mathrm{true}})\) is the loss function. \({\nabla }_{BEAM}\mathrm{J}(\uptheta ,BEAM,{\mathrm{y}}_{\mathrm{true}})\) is the gradient of the corresponding loss function.
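FGSM itself is straightforward; the sketch below applies it to a BEAMs tensor against a stand-in victim model (a logistic classifier on the flattened BEAMs with an analytic gradient — the paper's victims are DNNs, so `w`, `b`, and this model are purely illustrative):

```python
import numpy as np

def fgsm_perturbation(beam, w, b, y_true, eps=0.05):
    """FGSM on a BEAMs tensor: eta = eps * sign(grad_BEAM J).
    The victim is a stand-in logistic model p = sigmoid(w.x + b), whose
    cross-entropy gradient w.r.t. the input is (p - y_true) * w."""
    x = beam.ravel()
    p = 1.0 / (1.0 + np.exp(-(w @ x + b)))   # P(y = 1 | BEAMs)
    grad = (p - y_true) * w                  # d J / d x for cross-entropy J
    return eps * np.sign(grad).reshape(beam.shape)
```

Every element of the returned perturbation is one of \(\{-\epsilon, 0, +\epsilon\}\), which is the characteristic shape of an FGSM perturbation.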

B. Getting perturbation on rhythm power array
Let \({\upeta }_{P}\in {\mathbb{R}}^{T\times B\times C}\) denote the perturbation on the rhythm power array. For each \(t\) and \(b\), the C elements \({\upeta }_{P}(t,b,:)\) can be sampled simply from the \(H\times W\) image \({\upeta }_{BEAM}(t,b,:,:)\), according to the 2D locations of the electrodes \({{\varvec{L}}}^{2{\varvec{d}}}\), as,
where \(Interpolate\) is any interpolation function that estimates the value at location \({{\varvec{L}}}^{2{\varvec{d}}}\left(c\right)\) from the existing values \({\upeta }_{BEAM}\left(t,b,:,:\right)\) and their locations \({{\varvec{L}}}_{{\varvec{g}}{\varvec{r}}{\varvec{i}}{\varvec{d}}}^{2{\varvec{d}}}\). Here, cubic spline interpolation [36] is used.
Generating EEG adversarial samples
Here, the adversarial samples in the frequency domain and the time domain are generated based on \({\eta }_{P}\), the perturbation on the rhythm power array.

A. Imposing perturbation on frequency-domain rhythms
This paper adds the power perturbation \({\upeta }_{P}\left(t,b,c\right)\) to \({F}_{c}^{t,b}\in {\mathbb{C}}^{S}\), the raw frequency-domain data of the \(b\)th rhythm of the \(c\)th electrode in the \(t\)th time slice, as,
where \({F}_{c,R}^{t,b}\) and \({F}_{c,I}^{t,b}\) denote the real and imaginary parts of the original frequency-domain data of the \(b\)th rhythm of the \(c\)th electrode in the \(t\)th time slice, and \({\eta }_{P}(t,b,c)\) is the power perturbation to be imposed on that rhythm. Note that this reconstruction is done along each of the dimensions \(t\), \(b\), \(c\), and \(s\), finally giving a new frequency-domain adversarial data tensor \({\varvec{D}}\in {\mathbb{C}}^{T\times B\times C\times S}\).
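One plausible realization of this imposing operation, consistent with the rhythm power being the mean absolute value of the spectrum, scales the complex spectrum so that its power shifts by the prescribed amount while preserving phase; this scaling form is an assumption for illustration, not necessarily the paper's exact formula:

```python
import numpy as np

def impose_power_perturbation(F, eta):
    """Scale a complex rhythm spectrum F (length S) so that its mean
    absolute value -- the rhythm power -- increases by eta. Real and
    imaginary parts are scaled together, so the phase is preserved."""
    power = np.abs(F).mean()
    if power == 0.0:
        return F.copy()          # nothing to scale in an all-zero band
    return F * (power + eta) / power
```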

B. Reconstructing EEG time-domain signal
Here, from the new frequency-domain data \({\varvec{D}}\) and the raw time-domain data \({\varvec{E}}\), IFFT and WPT are used to generate the adversarial sample in the time domain, \(\acute{E}\). The adversarial time signal of the \(c\)th electrode in the \(t\)th time slice, \({\acute{E} }_{c}^{t}\), is calculated as,
where the function \(filter2({A}_{c}^{t},{\acute{A}}_{c}^{t,b},b=[1,2,\dots ,B])\) replaces the wavelet coefficients representing the rhythms (\(b=1,2,\dots ,B\)) in \({A}_{c}^{t}\) with the corresponding coefficients in \({\acute{A} }_{c}^{t}\) and returns the changed \({A}_{c}^{t}\).
GPBEAM-DE
GPBEAM loses some perturbation when sampling the perturbation on the rhythm power array from the perturbation on BEAMs, which reduces the aggressiveness of the final adversarial samples. The only difference between GPBEAM-DE and GPBEAM is in the part that generates the perturbation on the rhythm power array (see Fig. 4). In GPBEAM-DE, DE is used to directly perturb some elements of the rhythm power array, resulting in more aggressive and sparse adversarial samples. To increase the efficiency of DE and keep the perturbation imperceptible, a perturbation overflow module is added: when the amplitude of the disturbance generated by DE exceeds a predefined level, the excess is distributed to other electrodes with the help of the sign information of GPBEAM's perturbation.
Generating Perturbation with DE
Suppose there are NP individuals in the \(g\)th generation of the population, each having N genes. Each gene is a (2 + B)-length integer vector representing \(\eta \left(t,c,:\right)\), a sparse perturbation of the B rhythm power values at time slice t and electrode c, with the first two elements being t and c and the following B elements being the power-value perturbations. The valid range for t is [0, T], for c is [0, C], and for the power-value perturbations is \([-round(\epsilon \cdot r), round(\epsilon \cdot r)]\), where \(\epsilon\) is the same parameter as in Eq. (7) and r is an amplification factor that makes \(round(\epsilon \cdot r)\) a large integer. When performing a fitness comparison or finally outputting the perturbation, the perturbation value is divided by r to recover a real number that is small enough. The goal is, through DE, to find a perturbation/individual that successfully attacks the victim model while keeping the change as small as possible.
The initial population of DE is generated randomly and uniformly as follows,
where, \(rand\_int()\) randomly samples an integer from the input interval.
In each iteration of evolution, the offspring individuals are produced through mutation and crossover, as,
where \(r1\), \(r2\), \(r3\) are three distinct indexes randomly selected from \(\left\{1,2,\dots ,NP\right\}\); \(F\in \left[0,2\right]\) is a real scaling factor; \(CR\in \left[0,1\right]\) is the crossover probability; \(rand(0,1)\) produces a uniformly distributed random real number from \(\left[0,1\right]\); and \(valid\_int(X)\) rounds all gene elements of individual X to integers, replacing any integer that exceeds its valid range with a valid random number.
\({U}_{i}(g+1)\) needs to compete with its corresponding parent candidate \({X}_{i}\left(g\right)\) according to fitness, and the winner is kept for the next iteration. The fitness measure, with \({X}_{i}\left(g\right)\) as input for example, is defined as,
where \({{\varvec{\upeta}}}_{{\varvec{P}}}^{\prime}\in {\mathbb{R}}^{T\times B\times C}\) is created from \({X}_{i}\left(g\right)\), with all elements zero except those defined by the genes of \({X}_{i}\left(g\right)\); \({\mathrm{map}}_{\mathrm{P}\to \mathrm{BEAM}}\left({{\varvec{\upeta}}}_{{\varvec{P}}}^{\prime}+\mathbf{P}\right)\) adds the perturbation \({{\varvec{\upeta}}}_{{\varvec{P}}}^{\prime}\) to P and then converts the result into BEAMs; and \({P}_{\mathrm{victim}}\left(y\mid BEAMs\right)\) returns the victim model's predicted probability that the input BEAMs belong to category y.
The iteration of DE ends when any individual of generation (g + 1) satisfies the following formula,
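The evolution loop described above follows the classic DE/rand/1/bin scheme; the sketch below shows one generation (with the valid-range handling and the paper's fitness omitted — `fitness` is any callable where lower is better):

```python
import numpy as np

rng = np.random.default_rng(0)

def de_step(X, fitness, F=0.5, CR=0.9):
    """One DE/rand/1/bin generation over an integer-gene population X of
    shape (NP, N, 2 + B): mutation, binomial crossover, rounding back to
    integers (valid_int, range checks omitted), then greedy selection."""
    NP = len(X)
    X_next = X.copy()
    for i in range(NP):
        r1, r2, r3 = rng.choice([j for j in range(NP) if j != i],
                                size=3, replace=False)
        V = X[r1] + F * (X[r2] - X[r3])          # mutation
        mask = rng.random(X[i].shape) < CR        # binomial crossover
        U = np.where(mask, V, X[i])
        U = np.rint(U).astype(X.dtype)            # keep genes integer
        if fitness(U) < fitness(X[i]):            # greedy selection
            X_next[i] = U
    return X_next
```

Because selection is greedy per individual, the best fitness in the population can never get worse from one generation to the next.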
Perturbation overflow
Perturbation overflow is a step in GPBEAM-DE that increases the attack power of its adversarial samples by reducing the sparsity of the attack in a natural way (see Fig. 5): the excess perturbations on a few sparse electrodes are distributed equally to all other electrodes. Adding perturbation overflow to GPBEAM-DE improves the efficiency of generating successful adversarial samples.
To use perturbation overflow in GPBEAM-DE, the valid range for the power-value perturbation is expanded slightly, with \(\Delta =C\), to \([-round(\epsilon \cdot r\cdot \Delta ), round(\epsilon \cdot r\cdot \Delta )]\). Then the only thing perturbation overflow does is replace each \({\upeta }_{P}^{\prime}\) generated from \({X}_{i}\left(g\right)\) in Eq. (13) with a new perturbation \({\upeta }_{P}^{\prime\prime}\), generated as,
where \(clip\) is a clipping function; \(1\left(condition\right)\) returns 1 if the condition is true and 0 otherwise; and \({\upeta }_{P}\) is the perturbation generated by GPBEAM (see Eq. 7). \(sign\left({\upeta }_{P}\left(t,b,:\right)\right)\) extracts the sign information of \({\upeta }_{P}\left(t,b,:\right)\). Ultimately, GPBEAM-DE has the advantages of both DE and GPBEAM.
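A sketch of the overflow idea for one \((t, b)\) slice over C electrodes: clip the DE perturbation to \([-\epsilon, \epsilon]\) and spread the clipped excess over the electrodes DE left untouched, signed by GPBEAM's dense perturbation. The equal-share rule here is an illustrative reading of Fig. 5, not the paper's exact equation:

```python
import numpy as np

def overflow(eta_de, eta_sign, eps):
    """eta_de: sparse DE perturbation over C electrodes (zeros where DE
    did not perturb); eta_sign: GPBEAM's dense perturbation, whose signs
    steer the redistributed excess. Returns a dense perturbation with
    every element clipped to [-eps, eps] plus the shared-out excess."""
    clipped = np.clip(eta_de, -eps, eps)
    excess = np.abs(eta_de - clipped).sum()          # overflowed magnitude
    untouched = eta_de == 0                           # electrodes DE skipped
    share = excess / max(np.count_nonzero(untouched), 1)
    out = clipped.copy()
    out[untouched] = share * np.sign(eta_sign[untouched])
    return out
```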
Experiments and analysis
Description of experimental data
The experimental data, the CHB-MIT Scalp EEG Database [37, 38], was collected at Boston Children's Hospital and includes EEG records of 22 children with intractable epilepsy. Subjects were monitored for up to several days after discontinuation of anti-epileptic drugs to characterize their seizures. The recordings follow the international 10–20 standard for EEG electrode placement. All EEG signals were sampled at 256 Hz. The EEG signals have 23 channels, of which only 22 are used here. In addition, to facilitate the reconstruction of the EEG into BEAMs [39], the channel names in the CHB-MIT database are matched to those of the international 10–20 standard.
This paper obtains a total of 7016 raw EEG samples by first tailoring the experimental data into a series of 5-s segments (with 2-s overlap for seizure segments and no overlap for non-seizure segments), and then selecting all seizure segments and an equal number of non-seizure segments. The final size of a raw EEG sample or an EEG adversarial sample is 5 (time slices) * 22 (electrodes) * 256 (samples per second). Bad data are deleted and the data are normalized before tailoring. Of all the raw EEG samples, 5612 are used for training the seizure detection models (victim models), and 1404 for generating adversarial samples. Subsequent experiments were conducted on this premise.
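The tailoring described above can be sketched as a variable-stride windowing pass; the per-sample seizure mask used as the label input is an assumed format:

```python
import numpy as np

def segment(eeg, labels, fs=256, win_s=5, seiz_overlap_s=2):
    """Cut a continuous (C, n_samples) recording into 5-s segments:
    stride 3 s (2-s overlap) after seizure segments, stride 5 s (no
    overlap) after non-seizure segments, mirroring the paper's
    tailoring. labels: per-sample boolean seizure mask (assumed)."""
    win = win_s * fs
    segs, ys = [], []
    start = 0
    while start + win <= eeg.shape[1]:
        y = int(labels[start:start + win].any())   # seizure if any sample is
        segs.append(eeg[:, start:start + win])
        ys.append(y)
        start += (win_s - seiz_overlap_s) * fs if y else win
    return np.stack(segs), np.array(ys)
```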
As shown in Fig. 3, one time slice of raw EEG signal can be reconstructed into four BEAMs, each representing one EEG rhythm. By setting the length of a time slice to one second, a BEAMs sample of size 5 (time slices) * 4 (rhythms) * 22 (height) * 22 (width) is obtained from each raw EEG sample. The dataset used in this article is summarized in Table 2.
Victim models
Two types of victim models, BEAM-related models and EEG-related models, were used. They take the same EEG data as input and use similar multilayer architectures (see Fig. 6). The main difference is that the first type extracts BEAMs features and then passes them through the multilayer architectures, while the second type passes the EEG data through the multilayer architectures directly.
Four multilayer architectures proposed by Bashivan et al. [7] are used: Maxpool and Temporal convolution are pure CNN architectures, while LSTM and Mixed LSTM are CNN + RNN architectures.
The number of parameters of the fully connected layer and the number of LSTM units in the multilayer architectures differ slightly from those used by Bashivan et al. because the inputs differ. The ConvNet configurations of the victim models are described in Table 3.
Model training is carried out by optimizing the cross-entropy loss function. The networks are trained using the Adam algorithm with a learning rate of \({10}^{-3}\) and decay rates of the first and second moments of 0.9 and 0.999, respectively. In the experiments, only the EEG-related model with the Mixed LSTM architecture suffered from overfitting; the higher complexity of the Mixed LSTM architecture compared to the other architectures is the likely cause. L2 regularization, dropout (with probability 0.5, i.e., the network drops neurons with probability 0.5), and learning rate adjustment are used to reduce the overfitting of this model.
At the end of training, the test accuracies of the BEAM-related models with Maxpool, Temporal convolution, LSTM and Mixed LSTM architectures were 92%, 92%, 93%, and 94%, respectively. The training losses were all less than \({10}^{-3}\) and the test losses were 0.63, 0.55, 0.27, and 0.63, respectively.
At the end of training, the test accuracies of the EEG-related models with Maxpool, Temporal convolution, LSTM and Mixed LSTM architectures were 92%, 84%, 90%, and 88%, respectively. The training losses were all less than \({10}^{-4}\) and the test losses were 0.38, 0.79, 0.50, and 0.54, respectively. More information can be found in Fig. 7.
Evaluation criteria
In this paper, the performance of GPBEAM/GPBEAM-DE is evaluated with three metrics.

a)
Success rate (SR): As one of the most important measures for adversarial attack, it indicates the percentage of adversarial samples that successfully change their raw predicted labels. A higher SR indicates that the algorithm is more capable of attacking, and means that the target classifier is more vulnerable to attack.
$$SR = R/S$$(16)
where S is the total number of samples and R is the number of samples that succeeded in the attack.

b)
Distortion level (DL): It measures the distortion of adversarial samples relative to the raw samples. \({\mathrm{DL}}_{B}\) and \({\mathrm{DL}}_{E}\) denote the distortion of BEAMs adversarial samples and EEG adversarial samples, respectively. They are defined as follows, where \(N\) and \(M\) are the numbers of elements of a BEAMs sample and an EEG sample, respectively; \({\widehat{B}}_{n}^{s}\) and \({B}_{n}^{s}\) are the \(n\)th elements of the BEAMs adversarial sample and the raw BEAMs sample, respectively; and \({\widehat{E}}_{m}^{s}\) and \({E}_{m}^{s}\) are the \(m\)th elements of the EEG adversarial sample and the raw EEG sample, respectively.
$${\mathrm{DL}}_{B}=\frac{\sum_{s=1}^{S}\sqrt{\frac{\sum_{n=1}^{N}\left({\widehat{B}}_{n}^{s}-{B}_{n}^{s}\right)^{2}}{N}}}{S}$$(17)
$${\mathrm{DL}}_{E}=\frac{\sum_{s=1}^{S}\sqrt{\frac{\sum_{m=1}^{M}\left({\widehat{E}}_{m}^{s}-{E}_{m}^{s}\right)^{2}}{M}}}{S}$$(18)

c)
Accuracy (Acc): It measures the probability that a victim model predicts correctly and is defined as follows, where A is the number of samples that the model classifies correctly.
$$Acc = A/S$$(19)
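The three metrics above can be sketched directly from Eqs. (16)-(19). In the sketch below, samples are assumed to be flat lists of floats and the function names are illustrative, not taken from the paper's code.

```python
import math

def success_rate(num_success, num_samples):
    """SR = R / S  (Eq. 16)."""
    return num_success / num_samples

def distortion_level(adv_samples, raw_samples):
    """DL (Eqs. 17-18): per-sample root-mean-square difference between
    the adversarial and raw samples, averaged over all S samples."""
    total = 0.0
    for adv, raw in zip(adv_samples, raw_samples):
        n = len(adv)
        total += math.sqrt(sum((a - r) ** 2 for a, r in zip(adv, raw)) / n)
    return total / len(adv_samples)

def accuracy(num_correct, num_samples):
    """Acc = A / S  (Eq. 19)."""
    return num_correct / num_samples
```

The same `distortion_level` routine serves for both \({\mathrm{DL}}_{B}\) and \({\mathrm{DL}}_{E}\); only the kind of sample passed in differs.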
Experiment 1: attacking BEAM-related models with GP-BEAM
First, the aggressiveness of GP-BEAM toward BEAM-related models with different multilayer architectures is tested. In this experiment, FGSM [8] is chosen as the perturbation generation method of GP-BEAM. FGSM is less aggressive than other state-of-the-art methods, so if GP-BEAM with FGSM can successfully attack BEAM-related models, then GP-BEAM with stronger perturbation methods can naturally attack successfully as well.
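For reference, the FGSM step used as the perturbation generation method is a single signed gradient step. The sketch below assumes the gradient of the victim model's loss with respect to the input has already been obtained by backpropagation; the NumPy formulation and function name are illustrative, not the paper's implementation.

```python
import numpy as np

def fgsm_perturbation(x, grad, epsilon):
    """Fast Gradient Sign Method: x_adv = x + epsilon * sign(dL/dx).

    x    -- clean input (e.g. a BEAMs sample), as a NumPy array
    grad -- gradient of the victim model's loss w.r.t. x, same shape
    """
    return x + epsilon * np.sign(grad)
```

Iterative variants such as I-FGSM or PGD repeat this step with a smaller step size and project the result back into an epsilon-ball around the clean input.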
As shown in Table 4, BEAM-related models with different multilayer architectures achieve more than 90% accuracy when classifying clean data. However, after a negligible perturbation is added to the clean data, the classification accuracy of these victim models decreases significantly. Compared with Gaussian noise, the attack effect of GP-BEAM is obvious. As shown in Fig. 8, the accuracy of BEAM-related models with pure CNN architectures (Maxpool and Temporal convolution) decreases particularly sharply as \({\mathrm{DL}}_{B}\) increases. The attack success rate (SR) curves show that GP-BEAM attacks on BEAM-related models with pure CNN architectures achieve higher success rates than attacks on BEAM-related models with CNN + RNN architectures; that is, the CNN + RNN models are more robust to GP-BEAM attacks than the pure CNN models. A likely explanation is that BEAMs are richer in spatial features than in temporal and frequency features, and GP-BEAM mainly perturbs spatial features. This makes GP-BEAM more aggressive toward CNN architectures, which mainly extract spatial features, and less aggressive toward RNN architectures, which mainly exploit temporal features.
Second, the aggressiveness of GP-BEAM with different perturbation generation algorithms is tested. I-FGSM (Iterative FGSM) [9], MI-FGSM (Momentum Iterative FGSM) [40], DI-FGSM (Diverse Input Iterative FGSM) [41], PGD (Projected Gradient Descent) [42], and C&W (Carlini & Wagner) [43] are used here as perturbation generation algorithms. The BEAM-related model with the Mixed LSTM architecture is used as the victim model. As shown in Table 5, the attack performance of GP-BEAM with these perturbation generation algorithms is clearly better than that of GP-BEAM with FGSM (see Table 4). Among them, GP-BEAM (C&W) is the most aggressive.
Figure 9 compares a perturbed BEAMs sample (generated by GP-BEAM with \(\epsilon = 0.5\) and FGSM as the perturbation generation method) with the corresponding raw BEAMs sample. The final perturbations of the BEAMs do not exhibit the characteristics of random noise, and it is almost impossible for the naked eye to distinguish the perturbed sample from the raw one.
The differences between raw EEG data and an EEG adversarial sample (generated by GP-BEAM with \(\epsilon = 0.5\) and FGSM as the perturbation generation method) are shown in Fig. 10. The EEG adversarial sample and the raw EEG data overlap almost completely and cannot be distinguished by the human eye. As shown in Fig. 11, if the data in Fig. 10 are magnified several times, the difference between the two becomes visible, but they are still extremely similar.
Experiment 2: attacking BEAM-related models with GP-BEAM-DE
This experiment tests whether the sparse adversarial samples generated by GP-BEAM-DE can effectively attack the BEAM-related models, and whether GP-BEAM-DE can achieve a higher attack success rate with less distortion than GP-BEAM.
The BEAM-related model with the Mixed LSTM architecture is used as the victim model, with FGSM as the perturbation generation method. To test the sparse aggressiveness of GP-BEAM-DE, the number of genes N in each individual of GP-BEAM-DE was set to different values. The experimental results are shown in Table 6. Comparing the results in Table 6 with those in Tables 4 and 5, it is clear that GP-BEAM-DE outperforms GP-BEAM in both SR and DL when the parameter N is greater than 1. The likely reason is that GP-BEAM loses some perturbation when sampling the perturbation of the rhythm power array from the perturbation of the BEAMs, which reduces the aggressiveness of the final adversarial samples, whereas GP-BEAM-DE uses DE to directly perturb selected elements of the rhythm power array, resulting in more aggressive and sparser adversarial samples.
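The search engine behind GP-BEAM-DE is differential evolution. The sketch below is a minimal DE/rand/1/bin loop over flat real-valued vectors; in GP-BEAM-DE an individual would instead encode N (position, amplitude) genes selecting which rhythm-power elements to perturb, and the objective would query the victim model. Both of those specializations are assumptions for illustration, not the paper's code.

```python
import random

def differential_evolution(objective, bounds, pop_size=20, F=0.5, CR=0.9,
                           generations=50, seed=0):
    """Minimal DE/rand/1/bin minimizer over box-bounded real vectors."""
    rng = random.Random(seed)
    dim = len(bounds)
    pop = [[rng.uniform(lo, hi) for lo, hi in bounds] for _ in range(pop_size)]
    fitness = [objective(ind) for ind in pop]
    for _ in range(generations):
        for i in range(pop_size):
            # Mutation: combine three distinct individuals other than i.
            a, b, c = rng.sample([j for j in range(pop_size) if j != i], 3)
            j_rand = rng.randrange(dim)  # guarantee at least one mutated gene
            trial = []
            for j in range(dim):
                if rng.random() < CR or j == j_rand:
                    lo, hi = bounds[j]
                    v = pop[a][j] + F * (pop[b][j] - pop[c][j])
                    trial.append(min(max(v, lo), hi))
                else:
                    trial.append(pop[i][j])
            # Greedy selection: keep the trial if it is at least as good.
            f = objective(trial)
            if f <= fitness[i]:
                pop[i], fitness[i] = trial, f
    best = min(range(pop_size), key=fitness.__getitem__)
    return pop[best], fitness[best]
```

Because each individual touches only N elements, the resulting perturbation is sparse by construction, which is the property the experiment above measures.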
To analyze the effect of perturbation overflow, ablation experiments were performed; the results are also shown in Table 6. The aggressiveness of GP-BEAM-DE5 with perturbation overflow is substantially higher than that of GP-BEAM-DE5 without it: the SR improves by between 0.3 and 0.5. This meets the expectation that perturbation overflow is effective. It should be noted, however, that the improvement in aggressiveness comes at the expense of higher distortion (the DL increases by a factor of about 5).
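The perturbation-overflow mechanism can be sketched as follows: each element's perturbation magnitude is capped, and the clipped excess is redistributed over the uncapped elements, signed by the gradient-sign information from GP-BEAM. The even redistribution rule below is an assumption for illustration; the paper allocates the excess to other electrodes, but does not specify the split used here.

```python
def apply_perturbation_overflow(perturb, signs, cap):
    """Clip each perturbation to [-cap, cap] and redistribute the excess.

    perturb -- proposed perturbation per element (e.g. per electrode)
    signs   -- +1/-1 sign per element, taken from the GP-BEAM gradient sign
    cap     -- predefined magnitude level
    """
    clipped = [max(min(p, cap), -cap) for p in perturb]
    excess = sum(abs(p) - cap for p in perturb if abs(p) > cap)
    receivers = [i for i, p in enumerate(perturb) if abs(p) <= cap]
    if receivers and excess > 0:
        share = excess / len(receivers)  # assumed even split
        for i in receivers:
            clipped[i] += signs[i] * share
    return clipped
```

This shows why overflow raises both SR and DL: no perturbation energy is discarded, but previously untouched elements now receive extra distortion.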
Experiment 3: the transferability of EEG adversarial samples generated by GP-BEAM/GP-BEAM-DE
First, the transferability of adversarial samples generated by GP-BEAM and GP-BEAM-DE among BEAM-related models is tested. Specifically, the BEAM-related model with the Mixed LSTM architecture is used as the source victim model, and the BEAM-related models with the other architectures are used as the target victim models. This experiment attacks the source model and applies the resulting adversarial samples to trick the target models. FGSM is used as the perturbation generation method in both GP-BEAM and GP-BEAM-DE.
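The transfer evaluation described above amounts to measuring the SR of source-crafted samples on a different model. A minimal sketch, where `target_model` is assumed to be any callable mapping a sample to a predicted label:

```python
def transfer_success_rate(adv_samples, true_labels, target_model):
    """Fraction of adversarial samples (crafted against a source model)
    that are misclassified by a different target model."""
    fooled = sum(1 for x, y in zip(adv_samples, true_labels)
                 if target_model(x) != y)
    return fooled / len(adv_samples)
```

Comparing this value with the SR on the source model gives the transfer-induced SR drop reported in Table 7.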
The results are shown in Table 7. When both the source and target models are BEAM-related models, the transferability of the adversarial samples is obvious, with the SR values on the target models remaining considerable. The SR decreases by at most 0.26 when the adversarial samples generated by GP-BEAM-DE are transferred; in contrast, it decreases by at most 0.05 when the adversarial samples generated by GP-BEAM are transferred, indicating that the adversarial samples of GP-BEAM have better transferability than those of GP-BEAM-DE.
Second, the transferability of the adversarial samples generated by GP-BEAM and GP-BEAM-DE from BEAM-related models to EEG-related models is tested. Here, the source and target models use the same multilayer architecture. The results are shown in Table 8. When the target model is an EEG-related model, the adversarial samples generated by GP-BEAM and GP-BEAM-DE show almost no aggressiveness. The likely reason is that the process of converting each time slice of EEG into a BEAM loses nearly all of the in-slice information that is very important to EEG-related models. In addition, GP-BEAM-DE is worse than GP-BEAM in transferability, which this paper suspects is due to the sparse nature of GP-BEAM-DE's perturbations.
In addition, this paper uses the EEG adversarial samples generated by GP-BEAM/GP-BEAM-DE to attack frequency-related models (trained by feeding the frequency-domain representation of EEG signals, extracted here with the FFT, to the multilayer architectures) and time-frequency-related models [44] (trained by feeding the time-frequency-domain representation of EEG data, extracted here with the Wigner-Ville method, one of the methods mentioned in [44], to the multilayer architectures). However, the results of both experiments were unsatisfactory: the attack success rate is about the same as that of Gaussian noise.
The EEG adversarial samples generated by GP-BEAM/GP-BEAM-DE fail to attack EEG-related, frequency-related, and time-frequency-related models for the same key reason: GP-BEAM/GP-BEAM-DE are white-box methods, whose good performance depends on attacking the right kind of victim model. Because GP-BEAM/GP-BEAM-DE focus on BEAM-related victim models, their attacks are almost non-aggressive toward victim models that are not BEAM-related.
Fortunately, a way has been found (a simple modification to the methods in this paper) to enable GP-BEAM/GP-BEAM-DE to also attack victim models that are not BEAM-related. The key idea is that fusing the information of an adversarial sample for attacking BEAM-related models with that of an adversarial sample for attacking another kind of victim model may make the final adversarial sample aggressive to all of these victim models. The details of this modification are given in Experiment 4: attacking both BEAM-related and EEG-related models with modified GP-BEAM and modified GP-BEAM-DE. It should be noted that, in a similar way, the modified GP-BEAM/GP-BEAM-DE may also attack frequency-related models and other kinds of models.
Experiment 4: attacking both BEAM-related and EEG-related models with modified GP-BEAM and modified GP-BEAM-DE
Future epilepsy diagnosis models may detect features from raw EEG, BEAMs, or both, considering that the diagnosis of epilepsy requires human doctors to analyze both the raw EEG and the BEAMs. It would therefore be an advantage if the adversarial samples could attack both EEG-related models and BEAM-related models.
This paper makes a simple modification to GP-BEAM/GP-BEAM-DE to make them aggressive to both BEAM-related and EEG-related models. In the new method (Fig. 12), another adversarial sample \({E}^{adv}\), which is aggressive to EEG-related models and can be generated with any existing method, is used to modify the perturbation of the rhythm power array \({\eta }_{P}\) and then to help generate the final EEG adversarial sample É by replacing information from the raw \({\varvec{E}}\).
In the experiment, FGSM is used to generate \({E}^{adv}\) from the EEG-related models, and GP-BEAM/GP-BEAM-DE (N = 5) is used to generate the perturbation of the rhythm power array \({\eta }_{P}\) from the BEAM-related models. Here, \({\epsilon }_{E}\) denotes the parameter \(\epsilon\) of FGSM when it is used for \({E}^{adv}\), and \({\epsilon }_{B}\) denotes the parameter \(\epsilon\) of FGSM when it is used for \({\eta }_{P}\) in GP-BEAM/GP-BEAM-DE.
To keep the adversarial samples imperceptible, and to make it easy to compare the aggressiveness of the methods before and after the modification, this experiment keeps the DL of the adversarial samples unchanged across the modification. That is, GP-BEAM/GP-BEAM-DE are first used to generate adversarial samples and obtain their DL value; the modified GP-BEAM/GP-BEAM-DE are then run to generate new adversarial samples with the same DL value by adjusting the \({\epsilon }_{E}\) parameter.
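Adjusting \({\epsilon }_{E}\) to hit a target DL can be sketched as a simple one-dimensional search. The sketch below assumes `measure_dl(eps)` returns the DL obtained with a given \({\epsilon }_{E}\) and that DL increases monotonically with \({\epsilon }_{E}\); both the function name and the monotonicity assumption are illustrative, not taken from the paper.

```python
def match_distortion(measure_dl, target_dl, lo=0.0, hi=1.0, tol=1e-3, iters=30):
    """Binary-search an epsilon in [lo, hi] whose resulting distortion
    level is within `tol` of `target_dl` (assumes DL grows with epsilon)."""
    for _ in range(iters):
        mid = (lo + hi) / 2
        dl = measure_dl(mid)
        if abs(dl - target_dl) < tol:
            return mid
        if dl < target_dl:
            lo = mid   # too little distortion: raise epsilon
        else:
            hi = mid   # too much distortion: lower epsilon
    return (lo + hi) / 2
```

In the experiment, `measure_dl` would generate adversarial samples with the modified method at the candidate \({\epsilon }_{E}\) and compute their DL as in Eq. (18).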
Table 8 shows the performance of GP-BEAM/GP-BEAM-DE (without the addition of \({E}^{adv}\)), and Table 9 shows the performance of the modified GP-BEAM/GP-BEAM-DE (with the addition of \({E}^{adv}\)). It is clear that, through the modification, GP-BEAM/GP-BEAM-DE gain the new ability to attack EEG-related models, with the top attack success rate rising from 0.03 to 0.64 and the minimum attack success rate rising from 0.01 to 0.11, while the modification does not change the power of GP-BEAM/GP-BEAM-DE for attacking BEAM-related models. It should be noted that the capacity enhancement of the modified GP-BEAM/GP-BEAM-DE is mainly attributable to the added adversarial sample \({E}^{adv}\); this paper merely proposes a way to fuse the information of the added adversarial sample for attacking EEG-related models with that of the adversarial sample for attacking BEAM-related models within the framework of GP-BEAM/GP-BEAM-DE. The improvement would be even greater if a more aggressive perturbation generation algorithm were used to generate \({E}^{adv}\).
Conclusion
This paper examines the vulnerability of deep learning models for diagnosing epilepsy to white-box attacks. It proposes two methods, GP-BEAM and GP-BEAM-DE, which generate EEG adversarial samples by perturbing BEAMs densely and sparsely, respectively. Unlike existing studies that generate EEG adversarial samples by perturbing the raw EEG signal, EEG frequency representations, or EEG spectrograms, this paper generates EEG adversarial samples by perturbing BEAMs for the first time. This study exposes an important safety issue for brain disease diagnostic systems with experiments using EEG data from the CHB-MIT dataset and two types of victim models, each with four different DNN architectures.
The experimental results show that: (1) GP-BEAM/GP-BEAM-DE can successfully attack all BEAM-related models, whether with pure CNN architectures or CNN + RNN architectures, showing their strong aggressiveness; (2) the aggressiveness of GP-BEAM is sensitive to the effectiveness of its perturbation generation part, which can theoretically be any white-box attack, so a further merit of GP-BEAM is that its performance could be improved by introducing state-of-the-art perturbation generation methods other than those tested in this paper (FGSM, I-FGSM, MI-FGSM, DI-FGSM, PGD, and C&W); (3) the sparse attack method GP-BEAM-DE outperforms the dense attack method GP-BEAM in both SR and DL in most cases, thanks to the novel combination of GP-BEAM, DE, and perturbation overflow in GP-BEAM-DE: DE directly perturbs selected elements of the rhythm power array, and, using the sign information of the perturbation generated by GP-BEAM, the excess is allocated to other electrodes by perturbation overflow whenever the magnitude of the DE-generated perturbation exceeds a predefined level; (4) by using perturbation overflow, the attack power of GP-BEAM-DE can be increased significantly at the expense of a certain degree of distortion; (5) among the four BEAM-related models with different neural network architectures, the adversarial samples generated by GP-BEAM/GP-BEAM-DE show obvious transferability.
Some limitations must be considered before using the proposed methods for attacking tasks. Currently, the proposed methods work only in the digital domain. They have a chance to perturb EEG data and deceive models only if (1) there is a time lag between the capture of the EEG data and the moment the victim deep-learning models start processing those data, (2) the EEG data can be stolen by hacking, and (3) the victim models are white boxes to attackers (meaning that attackers have copies of these models and can use them to compute perturbations). Using the methods in the physical domain faces further limitations, as noted by Dongrui Wu et al. [11]: (1) trial-specificity, i.e., the attacker needs to generate different adversarial perturbations for different EEG trials; (2) channel-specificity, i.e., the attacker needs to generate different adversarial perturbations for different EEG channels; (3) non-causality, i.e., the complete EEG trial needs to be known in advance to compute the corresponding adversarial perturbation; and (4) synchronization, i.e., the exact starting time of the EEG trial needs to be known for the best attack performance.
Although GP-BEAM-DE obtains better performance than GP-BEAM in most attacking cases, it has some limitations that should be noted. First, GP-BEAM-DE needs feedback on whether the attack is successful during the execution of the evolutionary algorithm, which requires obtaining labeled EEG data in advance. Second, the evolutionary algorithm itself requires considerable time to converge. Third, unlike GP-BEAM, which can easily create universal adversarial perturbations by using a universal perturbation generation algorithm as its perturbation generation part, GP-BEAM-DE cannot easily create universal adversarial perturbations. Finally, GP-BEAM-DE is somewhat worse than GP-BEAM in transferability. The adversarial samples generated by the methods in this paper show almost no aggressiveness toward the four EEG-related models in the experiments, indicating poor transferability from BEAM-related models to EEG-related models; however, a simple modification to GP-BEAM/GP-BEAM-DE makes them aggressive to both BEAM-related and EEG-related models, and this capacity enhancement comes without any increase in distortion.
Much further work could be done in the future, such as: (1) the perturbation generation algorithms used in GP-BEAM/GP-BEAM-DE could theoretically be replaced by any other state-of-the-art algorithm to pursue better performance or new features; (2) beyond the white-box scenario, the black-box scenario, which is of greater significance to the security of BCIs in the real world, should be considered; (3) although the proposed attacks are not affected by the EEG-to-BEAM transformation, whether they remain effective after commonly used EEG preprocessing, an important part of the BCI pipeline, is worth studying; (4) more aggressive and imperceptible attacks could be produced by making them sparse in all of the time, rhythm, and electrode dimensions.
It should be stressed that the goal of this study is not to attack any EEG medical diagnostic system, but to raise concerns about the safety of deep learning models, in the hope of leading to safer designs.
Availability of data and materials
Source of data: Public access to the database(s) is open. A team of investigators from Children’s Hospital Boston (CHB) and the Massachusetts Institute of Technology (MIT) created and contributed this database to PhysioNet. https://archive.physionet.org/physiobank/database/chbmit/
This database is described in Ali Shoeb. Application of Machine Learning to Epileptic Seizure Onset Detection and Treatment. PhD Thesis, Massachusetts Institute of Technology, September 2009. DOI for CHBMIT Scalp EEG Database: https://doi.org/10.13026/C2K01R
The code can be referred to: https://github.com/yyyuuu060/perturbingBEAMs.git
References
Ullah Z, Usman M, Latif S, et al. Densely attention mechanism based network for COVID-19 detection in chest X-rays. Sci Rep. 2023;13:261. https://doi.org/10.1038/s41598022272669.
Ullah Z, Usman M, Gwak J. MTSSAAE: Multitask semisupervised adversarial autoencoding for COVID-19 detection based on chest X-ray images. Expert Syst Appl. 2023;216:119475.
Ullah Z, Usman M, Jeon M, et al. Cascade multiscale residual attention CNNs with adaptive ROI for automatic brain tumor segmentation. Inf Sci. 2022;608:1541–56.
Hossain MS, Amin SU, Alsulaiman M, et al. Applying deep learning for epilepsy seizure detection and brain mapping visualization. ACM Trans Multimedia Comput Commun Appl (TOMM). 2019;15(1):1–17.
Ding Y, Hu X, Xia Z, et al. Interbrain EEG feature extraction and analysis for continuous implicit emotion tagging during video watching. IEEE Trans Affect Comput. 2018;12(1):92–102.
Jana GC, Sharma R, Agrawal A. A 1DCNNspectrogram based approach for seizure detection from EEG signal. Procedia Computer Sci. 2020;167:403–12.
Bashivan P, Rish I, Yeasin M, et al. Learning representations from EEG with deep recurrentconvolutional neural networks. arXiv preprint arXiv:1511.06448, 2015.
Szegedy C, Zaremba W, Sutskever I, et al. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199, 2013.
Kurakin A, Goodfellow IJ, Bengio S. Adversarial examples in the physical world. International Conference on Learning Representations (ICLR). Toulon. 2018. p. 99–112.
Schönherr L, Kohls K, Zeiler S, et al. Adversarial attacks against automatic speech recognition systems via psychoacoustic hiding. arXiv preprint arXiv:1808.05665, 2018.
Wu D, Fang W, Zhang Y, et al. Adversarial attacks and defenses in physiological computing: a systematic review. arXiv preprint arXiv:2102.02729, 2021.
Finlayson S G, Chung H W, Kohane I S, et al. Adversarial attacks against medical deep learning systems. arXiv preprint arXiv:1804.05296, 2018.
Zhang X, Wu D, Ding L, et al. Tiny noise, big mistakes: adversarial perturbations induce errors in brain–computer interface spellers. National Sci Rev. 2021;8(4):nwaa233.
Craik A, He Y, ContrerasVidal JL. Deep learning for electroencephalogram (EEG) classification tasks: a review. J Neural Eng. 2019;16(3): 031001.
Bansal D, Mahajan R. Chapter 2  EEGBased BrainComputer Interfacing (BCI). EEGBased BrainComputer Interfaces. Dipali Bansal, Rashima Mahajan, eds. Academic Press; 2019. p. 2171. ISBN 9780128146873.
Sung WT, Chen JH, Chang KW. Study on a RealTime BEAM System for Diagnosis Assistance Based on a System on Chips Design. Sensors. 2013;13:6552–77. https://doi.org/10.3390/s130506552.
Jothiraj SN, Selvaraj TG, Ramasamy B, Deivendran NP, M.S.P, S. Classification of EEG signals for detection of epileptic seizure activities based on feature extraction from brain maps using image processing algorithms. IET Image Processing. 2018;12:2153–62. https://doi.org/10.1049/ietipr.2018.5418.
Direito B, Teixeira C, Ribeiro B, et al. Modeling epileptic brain states using EEG spectral analysis and topographic mapping. J Neurosci Methods. 2012;210(2):220–9.
Misciagna S. Clinical Applications of Brain Mapping in Epilepsy. Epilepsy  Update on Classification, Etiologies, Instrumental Diagnosis and Treatment. IntechOpen. 2021.https://doi.org/10.5772/intechopen.95121.
Senhadji L, et al. Wavelet analysis of EEG for threedimensional mapping of epileptic events. Ann Biomed Eng. 1995;23(5):543–52. https://doi.org/10.1007/BF02584454.
Jiang X, Zhang X, Wu D. Active learning for black-box adversarial attacks in EEG-based brain-computer interfaces. IEEE Symposium Series on Computational Intelligence (SSCI). Xiamen: 2019. p. 361–68.
Zhang X, Wu D. On the vulnerability of CNN classifiers in EEGbased BCIs. IEEE Trans Neural Syst Rehabil Eng. 2019;27(5):814–25.
Aminifar A. Minimal adversarial perturbations in mobile health applications: the epileptic brain activity case study. ICASSP 2020 - IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). IEEE. 2020. p. 1205–09.
Meng L, Lin CT, Jung TP, et al. White-box target attack for EEG-based BCI regression problems. International Conference on Neural Information Processing. Springer, Cham. 2019. p. 476–88.
Feng B, Wang Y, Ding Y. SAGA: sparse adversarial attack on EEG-based brain computer interface. ICASSP 2021 - IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP). IEEE. 2021. p. 975–79.
Zhu M, Chen T, Wang Z. Sparse and Imperceptible Adversarial Attack via a Homotopy Algorithm. 2021.
Wei X, Zhu J, Yuan S, et al. Sparse adversarial perturbations for videos. Proceedings of the AAAI Conference on Artificial Intelligence. Hawaii: 2019;33(01):8973–80.
Su J, Vargas DV, Sakurai K. One pixel attack for fooling deep neural networks. IEEE Trans Evol Comput. 2019;23(5):828–41.
Pant M, Zaheer H, GarciaHernandez L, et al. Differential Evolution: A review of more than two decades of research. Eng Appl Artif Intell. 2020;90:103479.
Gao L, Zhang Q, Song J, et al. Patchwise attack for fooling deep neural network. European Conference on Computer Vision (ECCV). Glasgow: 2020. p. 307–22.
Nakamura M, Chen Q, Sugi T, et al. Technical quality evaluation of EEG recording based on electroencephalographers’ knowledge. Med Eng Phys. 2005;27(1):93–100.
Volf P, Stehlik M, Kutilek P, et al. Brain Electrical Activity Mapping in Military Pilots During Simulator Trainings. International Conference on Military Technologies (ICMT). Brno: 2019. p. 1–6.
Amin HU, Yusoff MZ, Ahmad RF. A novel approach based on wavelet analysis and arithmetic coding for automated detection and diagnosis of epileptic seizure in EEG signals using machine learning techniques. Biomed Signal Process Control. 2020;56:101707.
Shen M, Sun L, Chan FHY. Method for extracting timevarying rhythms of electroencephalography via wavelet packet analysis. IEE ProceedingsSci Meas Technol. 2001;148(1):23–7.
Sun M. An efficient algorithm for computing multishell spherical volume conductor models in EEG dipole source localization. IEEE Trans Biomed Eng. 1997;44(12):1243–52.
Wahba G. Spline interpolation and smoothing on the sphere. SIAM J Sci Stat Comput. 1981;2(1):5–16.
Detti P, Vatti G, ZabaloManrique de Lara G. EEG Synchronization Analysis for Seizure Prediction: A Study on Data of Noninvasive Recordings. Processes. 2020;8(7):846. https://doi.org/10.3390/pr8070846.
Goldberger A, Amaral L, Glass L, Hausdorff J, Ivanov PC, Mark R, ... Stanley HE. PhysioBank, PhysioToolkit, and PhysioNet: Components of a new research resource for complex physiologic signals. Circulation. 2000;101(23):e215–e220.
Gramfort A, Luessi M, Larson E, et al. MEG and EEG data analysis with MNEPython[J]. Front Neurosci. 2013;7:267.
Dong Y, Liao F, Pang T, et al. Boosting adversarial attacks with momentum. https://doi.org/10.48550/arXiv.1710.06081.
Xie C, Zhang Z, Zhou Y, et al. Improving Transferability of Adversarial Examples with Input Diversity. 2018.
Madry A, Makelov A, Schmidt L, et al. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083, 2017.
Carlini N, Wagner D. Towards evaluating the robustness of neural networks. IEEE Symposium on Security and Privacy (SP). San Jose: 2017. p. 39–57.
Taherisadr M, Joneidi M, Rahnavard N. EEG signal dimensionality reduction and classification using tensor decomposition and deep convolutional neural networks. 2019 IEEE 29th International Workshop on Machine Learning for Signal Processing (MLSP). IEEE. 2019.
Acknowledgements
Not applicable.
Funding
This study was supported in part by Guizhou Provincial Science and Technology Foundation (GZKJ[2017]1128). The funding bodies did not play any role in the design of the study and collection, analysis, and interpretation of data and in writing the manuscript.
Author information
Contributions
JY and KQ were involved in the construction as members of the technical team and created the first draft of the manuscript. PW and YF are also members of the technical team and extended the manuscript. CS revised the manuscript. YC performed the systematic literature search, coordinated the authors and supervised the scientific writing. All authors read and approved the final manuscript.
Ethics declarations
Ethics approval and consent to participate
Public access to the database(s) is open. The data used in this study were anonymized before its use.
Consent for publication
Not Applicable.
Competing interests
The authors declare no competing interests.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/. The Creative Commons Public Domain Dedication waiver (http://creativecommons.org/publicdomain/zero/1.0/) applies to the data made available in this article, unless otherwise stated in a credit line to the data.
About this article
Cite this article
Yu, J., Qiu, K., Wang, P. et al. Perturbing BEAMs: EEG adversarial attack to deep learning models for epilepsy diagnosing. BMC Med Inform Decis Mak 23, 115 (2023). https://doi.org/10.1186/s12911-023-02212-5
Keywords
 EEG
 BEAMs
 Deep learning model
 Epilepsy
 Adversarial attack
 Sparse attack