
Perturbing BEAMs: EEG adversarial attack to deep learning models for epilepsy diagnosing

Deep learning models have been widely used in electroencephalogram (EEG) analysis and obtained excellent performance. But the adversarial attack and defense for them should be thoroughly studied before putting them into safety-sensitive use. This work exposes an important safety issue in deep-learni...


Bibliographic Details
Main authors: Yu, Jianfeng, Qiu, Kai, Wang, Pengju, Su, Caixia, Fan, Yufeng, Cao, Yongfeng
Format: Online Article Text
Language: English
Published: BioMed Central 2023
Subjects:
Online access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10324168/
https://www.ncbi.nlm.nih.gov/pubmed/37415186
http://dx.doi.org/10.1186/s12911-023-02212-5
author Yu, Jianfeng
Qiu, Kai
Wang, Pengju
Su, Caixia
Fan, Yufeng
Cao, Yongfeng
collection PubMed
description Deep learning models have been widely used in electroencephalogram (EEG) analysis and obtained excellent performance. But the adversarial attack and defense for them should be thoroughly studied before putting them into safety-sensitive use. This work exposes an important safety issue in deep-learning-based brain disease diagnostic systems by examining the vulnerability of deep learning models for diagnosing epilepsy with brain electrical activity mappings (BEAMs) to white-box attacks. It proposes two methods, Gradient Perturbations of BEAMs (GPBEAM), and Gradient Perturbations of BEAMs with Differential Evolution (GPBEAM-DE), which generate EEG adversarial samples, for the first time by perturbing BEAMs densely and sparsely respectively, and find that these BEAMs-based adversarial samples can easily mislead deep learning models. The experiments use the EEG data from CHB-MIT dataset and two types of victim models each of which has four different deep neural network (DNN) architectures. It is shown that: (1) these BEAM-based adversarial samples produced by the proposed methods in this paper are aggressive to BEAM-related victim models which use BEAMs as the input to internal DNN architectures, but unaggressive to EEG-related victim models which have raw EEG as the input to internal DNN architectures, with the top success rate of attacking BEAM-related models up to 0.8 while the top success rate of attacking EEG-related models only 0.01; (2) GPBEAM-DE outperforms GPBEAM when they are attacking the same victim model under a same distortion constraint, with the top attack success rate 0.8 for the former and 0.59 for the latter; (3) a simple modification to the GPBEAM/GPBEAM-DE will make it have aggressiveness to both BEAMs-related and EEG-related models (with top attack success rate 0.8 and 0.64), and this capacity enhancement is done without any cost of distortion increment. 
The goal of this study is not to attack any of EEG medical diagnostic systems, but to raise concerns about the safety of deep learning models and hope to lead to a safer design.
format Online
Article
Text
id pubmed-10324168
institution National Center for Biotechnology Information
language English
publishDate 2023
publisher BioMed Central
record_format MEDLINE/PubMed
spelling pubmed-103241682023-07-07 Perturbing BEAMs: EEG adversarial attack to deep learning models for epilepsy diagnosing Yu, Jianfeng Qiu, Kai Wang, Pengju Su, Caixia Fan, Yufeng Cao, Yongfeng BMC Med Inform Decis Mak Research BioMed Central 2023-07-06 /pmc/articles/PMC10324168/ /pubmed/37415186 http://dx.doi.org/10.1186/s12911-023-02212-5 Text en © The Author(s) 2023 https://creativecommons.org/licenses/by/4.0/ Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/. The Creative Commons Public Domain Dedication waiver (http://creativecommons.org/publicdomain/zero/1.0/) applies to the data made available in this article, unless otherwise stated in a credit line to the data.
title Perturbing BEAMs: EEG adversarial attack to deep learning models for epilepsy diagnosing
topic Research