Active Poisoning: Efficient Backdoor Attacks on Transfer Learning-Based Brain-Computer Interfaces

TL;DR

Transfer learning enables rapid calibration of EEG-based BCIs but introduces a security risk: backdoors injected via poisoned source-domain data can cause targeted misclassification when a trigger is present, without harming benign performance. The authors propose active poisoning (AP) strategies—MDS, RDS, MUS, MMCS, and their combinations—to selectively poison source samples and embed backdoors efficiently through TL, using a robust NPP trigger. Empirical results across four EEG datasets and three CNNs show high attack success rates with AP while preserving overall accuracy, and the attack remains effective under challenging conditions such as fine-tuning, data augmentation, and cross-task TL; cross-subject TL with label alignment demonstrates partial transferability of the backdoor. These findings reveal a serious security risk in TL-based BCIs and motivate development of defense mechanisms and further study of robust TL pipelines for EEG-based BCIs.

Abstract

Transfer learning (TL) has been widely used in electroencephalogram (EEG)-based brain-computer interfaces (BCIs) for reducing calibration efforts. However, backdoor attacks could be introduced through TL. In such attacks, an attacker embeds a backdoor with a specific pattern into the machine learning model. As a result, the model will misclassify a test sample with the backdoor trigger into a prespecified class while still maintaining good performance on benign samples. Accordingly, this study explores backdoor attacks in the TL of EEG-based BCIs, where source-domain data are poisoned by a backdoor trigger and then used in TL. We propose several active poisoning approaches to select source-domain samples, which are most effective in embedding the backdoor pattern, to improve the attack success rate and efficiency. Experiments on four EEG datasets and three deep learning models demonstrate the effectiveness of the approaches. To our knowledge, this is the first study about backdoor attacks on TL models in EEG-based BCIs. It exposes a serious security risk in BCIs, which should be immediately addressed.

Figures (11)

• Figure 1: Illustration of backdoor attacks in TL-based BCIs. Circles and triangles represent EEG samples from different classes. The red solid circle indicates the trigger specified by the attacker. In the training phase, the trigger is inserted into some source-domain samples to inject the backdoor, and their labels are modified to an attacker-specified class. Then, data alignment is used to make the data distributions from the source and target domains consistent. Finally, the target model is trained on the poisoned and aligned source-domain data. In the test phase, the classification of the benign samples is unaffected, but the attacked samples (with the backdoor trigger added) will be classified into the target class.
• Figure 2: Illustrative examples for AP strategies in binary linear classifier. a) MDS; b) RDS; c) Model-based AP: MUS/MMCS; d) Combinational AP: MUS/MMCS + MDS.
• Figure 3: BCAs with and without poisoned samples.
• Figure 4: (a) The NPP trigger and (b) EEG signal of the first five channels before and after poisoning. Best viewed in color.
• Figure 5: BCAs and ASRs at different poisoning rates on a) P300; b) ERN; c) MI1; and, d) MI2.