Time-Frequency Jointed Imperceptible Adversarial Attack to Brainprint Recognition with Deep Learning Models

TL;DR

This work addresses the vulnerability of EEG-based brainprint recognition to adversarial attacks by introducing a time-frequency joint attack (TFAttack) that leverages discrete wavelet transforms to perturb both time-domain and frequency-domain representations of EEG signals. The method alternates perturbation updates between time-domain signals (TAttack) and frequency-domain components (FAttack), guided by a C&W-style loss, to produce strong yet imperceptible adversarial examples across three datasets and three backbone models (EEGNet, DeepConvNet, ShallowConvNet). Empirical results show state-of-the-art attack performance in white-box and grey-box settings, with low perceptual disruption measured by DTW and L2 norms and high transferability. The findings reveal significant security risks in brainprint recognition systems and underscore the need for robustness improvements in DL-based EEG biometrics for real-world deployments.

Abstract

EEG-based brainprint recognition with deep learning models has garnered much attention in biometric identification. Yet, studies have indicated vulnerability to adversarial attacks in deep learning models with EEG inputs. In this paper, we introduce a novel adversarial attack method that jointly attacks time-domain and frequency-domain EEG signals by employing wavelet transform. Different from most existing methods which only target time-domain EEG signals, our method not only takes advantage of the time-domain attack's potent adversarial strength but also benefits from the imperceptibility inherent in frequency-domain attack, achieving a better balance between attack performance and imperceptibility. Extensive experiments are conducted in both white- and grey-box scenarios and the results demonstrate that our attack method achieves state-of-the-art attack performance on three datasets and three deep-learning models. In the meanwhile, the perturbations in the signals attacked by our method are barely perceptible to the human visual system.

Figures (5)

• Figure 1: The comparison between benign and adversarial brainprint examples attacked by (a)FGSM, (b)PGD, and (c)our TFAttack. From left to right we present the overlap of the benign examples (green) and the corresponding adversarial examples (red), zoom-in of the overlapped examples, the perturbations added in the benign examples, and the zoom-in of the perturbations. Because of the square-wave patterns, the difference between the adversarial examples (red) attacked by FGSM and PGD and the benign examples (green) are much more evident compared to the ones from our proposed TFAttack.
• Figure 2: Illustration of the EEG signal decomposition and reconstruction using DWT and IDWT.
• Figure 3: Flowchart of the proposed TFAttack (middle) as a combination of TAttack (top) and FAttack (bottom). TAttack directly updates perturbations on raw EEG samples in the time domain, while FAttack first converts the samples to the frequency domain with DWT, updates the perturbation in the frequency domain and obtains the adversarial examples with IDWT. As for TFAttack, we have TAttack and FAttack take turns attacking the EEG samples, with TAttack first attacking the time-domain signal, and FAttack then attacking in the frequency domain.
• Figure 4: Perception study carried out on EEGMMI and SEED with EEGNet as the target model.
• Figure 5: The attack success rates (%) $\uparrow$ / DTW $\downarrow$ of transferring adversarial examples across three models in EEGMMI.