We studied the effects of adversarial stimuli on EEG-based Motor Imagery Brain-Computer Interfaces (BCIs). Similar to adversarial examples in machine learning, we explored the feasibility of manipulating BCIs through perturbations in sensory stimuli. Our human subject experiments showed that visual adversarial stimuli significantly deteriorated BCI performance, particularly under induced stress. We also analyzed the variations in Alpha, Beta, and Gamma bands. Our findings have important implications for BCI security and future research directions.

EEG-based BCIs have potential for user control, but how robust and secure are they? Can adversaries manipulate MI-based BCIs by altering sensory input? Inspired by adversarial example attacks against machine learning, we hypothesize that the integration of cognitive, measurement, and machine learning components in EEG-based BCIs may also be vulnerable to minor perturbations that can be induced directly at the sensory level. We define Adversarial Stimuli as perturbations in sensory events introduced by adversaries with the intent of tampering with the BCI performance. These stimuli can be in the form of auditory, visual, or tactile perturbations in the environment surrounding the targeted BCI user.

We experimented with 7 subjects by measuring their performance in normal vs adversarial environment. We created two modified version of Pong game where players moved the paddles in up and down directions: 

Warm-up Env : Balls stays stationary (non-time constraint) 

Full-game Env: Normal game environment (time-constraint) 

Subjects used motor imagery of throwing a ball with their right hand to trigger the “up" action and imagining kicking a ball with their right leg to trigger the “down" action. Both environment can be configured as Normal mode and Adversarial mode. In adversarial modes, the environment is perturbed by the visual stimuli of flicker at 20Hz. The duration of the flickering stimuli was randomly set to the range of (0 second to 5 seconds)

In the adversarial modes, we simulate a scenario in which an adversary has gained access to the Pong environment and can at any time change the flickering rate of the paddle and the ball. In our experiments, the adversarial flickering rate was set to 20 Hz. We chose this value because it corresponds to beta activity, which is associated with active, task-oriented thinking, busy or anxious mental states, and active concentration. In the normal environment, there are no adversarial stimuli, and the flickering rate remains constant. In contrast, in the adversarial environment, the flickering rate is modified at random intervals to create perturbations. The duration of each flickering stimulus was randomized between 0 and 5 seconds, this satisfied our fourth criteria for adversarial stimuli by not impeding the primary task

For each of the warm-up and full game environments, we measured the total score obtained by participants under both normal and adversarial modes. Furthermore, we also measured the error rate for each subject, Er = (S_n – S_a)/S_n, where S_n is the score achieved in the normal mode, and S_a is the score obtained in the adversarial mode. For experiments in the warm-up mode under normal mode (E1) and adversarial mode (E2), the maximum achievable score was set to 12. In the emph{full game} experiments under normal mode (E3) and adversarial mode (E4), no hard limit was set on the maximum score.

Fig: Full game Environment (Env 3 and Env 4)

We performed paired t-tests with significance level alpha = 0.05 for each case, namely E1 vs. E2 and E3 vs. E4. We also performed a paired t-test for the overall normal vs. adversarial environments combining warm-up and full game (i.e., E1, E3 vs.  E2, E4). The statistical test results are presented in Table 1. 

We conducted paired t-tests (α = 0.05) for E1 vs. E2 and E3 vs. E4, and for overall normal vs. adversarial environments (E1, E3 vs. E2, E4). Results showed t ≫ tc and p ≪ 0.05 in all cases, rejecting null hypotheses. The first null hypothesis rejection indicates significant performance deterioration from normal to adversarial mode in the Warm-up environment. Table 1 displays the statistical test results.

Our paired t-test (α = 0.05, tc = −1.943) for Hypothesis II showed t = −6.04 ≪ tc and p = 0.00005 ≪ 0.05, resulting in rejection of the null hypothesis. This indicates a significant increase in error rate during full game conditions when attacked with adversarial stimuli compared to Warm-up environments. Therefore, we accept the alternate hypothesis that the impact of the adversarial attack is more significant on time-constrained tasks than on warm-up tasks.

We also observed that adversarial stimuli increase beta-low to alpha and beta-high to alpha ratios and decrease overall alpha and beta power bands in EEG signals

Adversarial stimuli suppress alpha and beta power, particularly in the alpha band, as well as µ rhythm signals associated with motor imagery

Fig: Statistical test for Hypothesis-I

Average power for Alpha(8-12 Hz), BetaL(12-16 Hz) and BetaH(16- 25 Hz) bands in normal and adversarial settings.

• Are there optimal adversarial stimuli for inducing incorrect actions in BCIs? 
• Can adversarial training enhance BCI system and user robustness against adversarial stimuli?
• Are MI and SSVEP signals separable, and what is the source of vulnerability to adversarial stimuli in BCI systems: device/software or human cognitive limitations?