Perturbing BEAMs: EEG adversarial attack to deep learning models for epilepsy diagnosing
Abstract Deep learning models have been widely used in electroencephalogram (EEG) analysis and obtained excellent performance. But the adversarial attack and defense for them should be thoroughly studied before putting them into safety-sensitive use. This work exposes an important safety issue in de...
| Main Authors: | , , , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
BMC
2023-07-01
|
| Series: | BMC Medical Informatics and Decision Making |
| Subjects: | |
| Online Access: | https://doi.org/10.1186/s12911-023-02212-5 |
| _version_ | 1797784541325164544 |
|---|---|
| author | Jianfeng Yu Kai Qiu Pengju Wang Caixia Su Yufeng Fan Yongfeng Cao |
| author_facet | Jianfeng Yu Kai Qiu Pengju Wang Caixia Su Yufeng Fan Yongfeng Cao |
| author_sort | Jianfeng Yu |
| collection | DOAJ |
| description | Abstract Deep learning models have been widely used in electroencephalogram (EEG) analysis and obtained excellent performance. But the adversarial attack and defense for them should be thoroughly studied before putting them into safety-sensitive use. This work exposes an important safety issue in deep-learning-based brain disease diagnostic systems by examining the vulnerability of deep learning models for diagnosing epilepsy with brain electrical activity mappings (BEAMs) to white-box attacks. It proposes two methods, Gradient Perturbations of BEAMs (GPBEAM), and Gradient Perturbations of BEAMs with Differential Evolution (GPBEAM-DE), which generate EEG adversarial samples, for the first time by perturbing BEAMs densely and sparsely respectively, and find that these BEAMs-based adversarial samples can easily mislead deep learning models. The experiments use the EEG data from CHB-MIT dataset and two types of victim models each of which has four different deep neural network (DNN) architectures. It is shown that: (1) these BEAM-based adversarial samples produced by the proposed methods in this paper are aggressive to BEAM-related victim models which use BEAMs as the input to internal DNN architectures, but unaggressive to EEG-related victim models which have raw EEG as the input to internal DNN architectures, with the top success rate of attacking BEAM-related models up to 0.8 while the top success rate of attacking EEG-related models only 0.01; (2) GPBEAM-DE outperforms GPBEAM when they are attacking the same victim model under a same distortion constraint, with the top attack success rate 0.8 for the former and 0.59 for the latter; (3) a simple modification to the GPBEAM/GPBEAM-DE will make it have aggressiveness to both BEAMs-related and EEG-related models (with top attack success rate 0.8 and 0.64), and this capacity enhancement is done without any cost of distortion increment. The goal of this study is not to attack any of EEG medical diagnostic systems, but to raise concerns about the safety of deep learning models and hope to lead to a safer design. |
| first_indexed | 2024-03-13T00:41:22Z |
| format | Article |
| id | doaj.art-207aff4d8ae845fcbec5061fa213849c |
| institution | Directory Open Access Journal |
| issn | 1472-6947 |
| language | English |
| last_indexed | 2024-03-13T00:41:22Z |
| publishDate | 2023-07-01 |
| publisher | BMC |
| record_format | Article |
| series | BMC Medical Informatics and Decision Making |
| spelling | doaj.art-207aff4d8ae845fcbec5061fa213849c2023-07-09T11:15:40ZengBMCBMC Medical Informatics and Decision Making1472-69472023-07-0123111910.1186/s12911-023-02212-5Perturbing BEAMs: EEG adversarial attack to deep learning models for epilepsy diagnosingJianfeng Yu0Kai Qiu1Pengju Wang2Caixia Su3Yufeng Fan4Yongfeng Cao5School of Big Data and Computer Science, Guizhou Normal UniversitySchool of Big Data and Computer Science, Guizhou Normal UniversitySchool of Big Data and Computer Science, Guizhou Normal UniversitySchool of Big Data and Computer Science, Guizhou Normal UniversitySchool of Big Data and Computer Science, Guizhou Normal UniversitySchool of Big Data and Computer Science, Guizhou Normal UniversityAbstract Deep learning models have been widely used in electroencephalogram (EEG) analysis and obtained excellent performance. But the adversarial attack and defense for them should be thoroughly studied before putting them into safety-sensitive use. This work exposes an important safety issue in deep-learning-based brain disease diagnostic systems by examining the vulnerability of deep learning models for diagnosing epilepsy with brain electrical activity mappings (BEAMs) to white-box attacks. It proposes two methods, Gradient Perturbations of BEAMs (GPBEAM), and Gradient Perturbations of BEAMs with Differential Evolution (GPBEAM-DE), which generate EEG adversarial samples, for the first time by perturbing BEAMs densely and sparsely respectively, and find that these BEAMs-based adversarial samples can easily mislead deep learning models. The experiments use the EEG data from CHB-MIT dataset and two types of victim models each of which has four different deep neural network (DNN) architectures. It is shown that: (1) these BEAM-based adversarial samples produced by the proposed methods in this paper are aggressive to BEAM-related victim models which use BEAMs as the input to internal DNN architectures, but unaggressive to EEG-related victim models which have raw EEG as the input to internal DNN architectures, with the top success rate of attacking BEAM-related models up to 0.8 while the top success rate of attacking EEG-related models only 0.01; (2) GPBEAM-DE outperforms GPBEAM when they are attacking the same victim model under a same distortion constraint, with the top attack success rate 0.8 for the former and 0.59 for the latter; (3) a simple modification to the GPBEAM/GPBEAM-DE will make it have aggressiveness to both BEAMs-related and EEG-related models (with top attack success rate 0.8 and 0.64), and this capacity enhancement is done without any cost of distortion increment. The goal of this study is not to attack any of EEG medical diagnostic systems, but to raise concerns about the safety of deep learning models and hope to lead to a safer design.https://doi.org/10.1186/s12911-023-02212-5EEGBEAMsDeep learning modelEpilepsyAdversarial attackSparse attack |
| spellingShingle | Jianfeng Yu Kai Qiu Pengju Wang Caixia Su Yufeng Fan Yongfeng Cao Perturbing BEAMs: EEG adversarial attack to deep learning models for epilepsy diagnosing BMC Medical Informatics and Decision Making EEG BEAMs Deep learning model Epilepsy Adversarial attack Sparse attack |
| title | Perturbing BEAMs: EEG adversarial attack to deep learning models for epilepsy diagnosing |
| title_full | Perturbing BEAMs: EEG adversarial attack to deep learning models for epilepsy diagnosing |
| title_fullStr | Perturbing BEAMs: EEG adversarial attack to deep learning models for epilepsy diagnosing |
| title_full_unstemmed | Perturbing BEAMs: EEG adversarial attack to deep learning models for epilepsy diagnosing |
| title_short | Perturbing BEAMs: EEG adversarial attack to deep learning models for epilepsy diagnosing |
| title_sort | perturbing beams eeg adversarial attack to deep learning models for epilepsy diagnosing |
| topic | EEG BEAMs Deep learning model Epilepsy Adversarial attack Sparse attack |
| url | https://doi.org/10.1186/s12911-023-02212-5 |
| work_keys_str_mv | AT jianfengyu perturbingbeamseegadversarialattacktodeeplearningmodelsforepilepsydiagnosing AT kaiqiu perturbingbeamseegadversarialattacktodeeplearningmodelsforepilepsydiagnosing AT pengjuwang perturbingbeamseegadversarialattacktodeeplearningmodelsforepilepsydiagnosing AT caixiasu perturbingbeamseegadversarialattacktodeeplearningmodelsforepilepsydiagnosing AT yufengfan perturbingbeamseegadversarialattacktodeeplearningmodelsforepilepsydiagnosing AT yongfengcao perturbingbeamseegadversarialattacktodeeplearningmodelsforepilepsydiagnosing |