A Review of Noise-based Cyberattacks Generating Fake P300 Waves in Brain-Computer Interfaces

Abstract

Brain-Computer Interfaces are devices that enable two-way communication between an individual's brain and external devices, allowing the acquisition of neural activity and neurostimulation. Considering the first one, electroencephalographic signals are widely used for the acquisition of subjects' information. Therefore, a manipulation of the data acquired by a vulnerable BCI framework may cause a malfunction of the deployed applications. In this regard, this paper defines four noise-based cyberattacks attempting to generate fake P300 waves in two different phases of a BCI framework. A set of experiments show that the greater the attacker’s knowledge regarding the P300 waves, processes, and data of the BCI framework, the higher the attack impact. In this sense, the attacker with less knowledge impacts 1% in the acquisition phase and 4% in the processing phase, while the attacker with the most knowledge impacts 22% and 74%, respectively.

Full text

Editores:
José María de Fuentes - Lorena González - Jose Carlos
Sancho - Ana Ayerbe - María Luisa Escalante

Investigación en Ciberseguridad
Actas de las VII Jornadas Nacionales
(JNIC 2022)
27-29 de junio de 2022
Palacio Euskalduna, Bilbao
Editores:
José María de Fuentes
Lorena González
Jose Carlos Sancho
Ana Ayerbe
María Luisa Escalante

 de los tetos: sus autores
 de la edicin: Fundacin ecnalia esearch and nnoation
SB : 97--7--
Esta obra se encuentra bajo una licencia Creatie Coons CC B 0
Cualuier ora de reroduccin, distribucin o trasoracin de esta obra no incluida en la
licencia Creatie Coons CC B 0 solo uede ser realizada con la autorizacin eresa de
los titulares, salo ececin reista or la ley Puede d acceder al teto coleto de la
licencia en este enlace: htts:creatiecoonsorlicensesby0deedes

A Review of Noise-based Cyberattacks Generating
Fake P300 Waves in Brain-Computer Interfaces
Enrique Tom´
as Mart´
ınez Beltr´
an
Department of Information
and Communications Engineering
University of Murcia, 30100 Murcia, Spain
enriquetomas@um.es
Mario Quiles P´
erez
Department of Information
and Communications Engineering
University of Murcia, 30100 Murcia, Spain
mqp@um.es
Sergio L´
opez Bernal
Department of Information
and Communications Engineering
University of Murcia, 30100 Murcia, Spain
slopez@um.es
Alberto Huertas Celdr´
an
Communication Systems Group CSG
Department of Informatics IfI
University of Zurich UZH
CH—8050 Z¨
urich, Switzerland
huertas@ifi.uzh.ch
Gregorio Mart´
ınez P´
erez
Department of Information
and Communications Engineering
University of Murcia, 30100 Murcia, Spain
gregorio@um.es
Abstract—Brain-Computer Interfaces are devices that enable
two-way communication between an individual’s brain and
external devices, allowing the acquisition of neural activity and
neurostimulation. Considering the first one, electroencephalo-
graphic signals are widely used for the acquisition of subjects’
information. Therefore, a manipulation of the data acquired by
a vulnerable BCI framework may cause a malfunction of the
deployed applications. In this regard, this paper defines four
noise-based cyberattacks attempting to generate fake P300 waves
in two different phases of a BCI framework. A set of experiments
show that the greater the attacker’s knowledge regarding the
P300 waves, processes, and data of the BCI framework, the
higher the attack impact. In this sense, the attacker with less
knowledge impacts 1% in the acquisition phase and 4% in the
processing phase, while the attacker with the most knowledge
impacts 22% and 74%, respectively.
Index Terms—Brain-Computer Interfaces, Cybersecurity,
Data Integrity, Electroencephalographic signal, P300
Tipo de contribuci´
on: Investigaci´
on ya publicada
I. INTRODUCTION
Brain-Computer Interfaces (BCIs) allow the monitoring of
neural signals or the stimulation of a set of neurons. These
devices have been extensively used in medicine, offering
diagnostic capabilities to detect abnormal behaviors in the
brain or to treat neurological diseases such as Parkinson’s.
The advance of BCI technologies in the last decade has led to
their use in other areas such as military, or driving assistance.
Electroencephalography (EEG) is the most common tech-
nique for neural data acquisition, consisting in acquiring brain
waves from the scalp using non-invasive electrodes. Most of
the current BCI applications are based on evoked potentials
(ERPs), representing the users’ neural response to particular
external stimuli, like auditory or visual. These EEG signals are
then processed and used as inputs to computational systems
to make decisions. In this direction, one of the most used
ERPs is the P300, which represents a positive voltage peak in
the EEG when the user identifies a known visual or auditory
stimuli from a set of unfamiliar stimuli.
Despite the relevance and possibilities of BCIs, these sys-
tems generate significant concerns in terms of cybersecurity.
In recent years, numerous articles in the literature have
focused on the lack of security measures in both BCI software
and hardware. The relevance and value of the neural data
obtained increase the criticality of BCI devices, which are
vulnerable to the impact of cyberattacks that compromise their
integrity, availability or confidentiality.
This work summarizes the research published in [1], which
proposed a study of the impact of cyberattacks focused on
maliciously generating P300 in the EEG signals to determine
the impact on BCI devices. In particular, the study defines and
implements four noise-based attack profiles that produce mis-
classification and thus anomalous operation in the interaction
with BCI devices. The variation between profiles depends on
the existing knowledge about the BCI device, aspects of the
EEG signals and the framework.
II. USE CASE AND EXPERIMENTAL SETUP
Since the knowledge of cyberattacks affecting BCIs is an
open challenge, this work determined the impact of noise-
based attacks in a real use case. Based on that, this work
deploys a scenario consisting of three components: (1) a
monitor where visual stimuli are presented to the subject,
(2) a non-invasive BCI headset, and (3) a BCI framework
that synchronizes the EEG signals with the visual stimuli and
processes the data to detect P300 waves. These visual stimuli
generate a reaction in the subject’s brain waves based on the
Oddball paradigm, whereby familiar visual stimuli (target) are
presented within a set of unfamiliar ones (non-target).
The study defines four attacker profiles according to their
knowledge of the BCI framework and the scenario. The
selection is determined by the number of phases of the
implemented BCI cycle: neural activity generation, EEG
signals acquisition, processing, and P300 detection. Figure
1 shows the knowledge of the fourth attacker in the study.
Each attacker generates two types of noise-based cyberattacks:
(1) physical noise, in which noise is applied during neural
acquisition, and (2) malware-based noise, in which noise is
applied once the data have been processed.

Figure 1. Four attacker: knowledge the P300 detection model details and
outputs.
The noise generation is defined through Additive White
Gaussian Noise (AWGN). Moreover, noise distributions are
generated and applied based on the attacker’s knowledge. On
the one hand, static noise distributions are generated with a
different power level for each of them. On the other hand,
dynamic distributions are created by varying the power level
during a specified period (see Table I). Figure 2 shows a
fragment of dynamic noise generation performed by the fourth
attacker. The objective is to adapt the signal to the generation
of P300 potentials, which the P300 detector will identify.
Table I
TYPES OF NOISE GENERATED IN THE STUDY.
Type of noise Power level RMS noise level (dB)
Gaussian with static range Low ⇡0.8
Gaussian with static range High ⇡5
Gaussian with dynamic range Adaptive Between 0.8 to 5
11
Enrique Tomás Martínez Beltrán
Non-P300 detected P300 detected
Figure 2. Noise-based cyberattack performed by the fourth attacker.
III. RESULT ANALYSIS
The impact generated by each attack profile is measured
from the BCI framework. In particular, it uses a set of Machine
Learning (ML)-based models to provide an aggregated metric
of performance attack using the Area Under the Curve (AUC)
metric. A total of five classifiers for detecting P300 are
implemented: (1) C1 employs standardization algorithms and
regressions, (2) C2 uses Bayes’ rule, (3) C3 adds xDAWN
spatial filter, (4) C4 estimates based on a covariance matrix,
and (5) C5 employs the Minimum Distance to Mean. Since
the goal of the attacks is to generate P300 waves in the EEG
signals that does not contain them, the AUC value is obtained
by evaluating only with EEG segments without a P300 wave.
Table II compares the AUC values obtained by each classi-
fier, according to the noise behavior and the attacker profile.
Also, the AUC values of the unaltered signal (legitimate
signal) are included to estimate the impact of the attacker.
Table II
AUC VAL UES O F CL ASS IFI ER S (CX) BY ATTACK ER P ROFI LE A ND NO IS E
BEHAVIOR.PN PHYSICAL NOISE,AND MN MALWARE-BASE D NOIS E.
Attacker 1 Attacker 2 Attacker 3 Attacker 4 Legitimate
signal
PN MN PN MN PN MN PN MN
C1 0.74 0.72 0.74 0.70 0.68 0.45 0.60 0.20 0.75
C2 0.59 0.58 0.59 0.58 0.49 0.41 0.44 0.11 0.60
C3 0.54 0.53 0.52 0.52 0.50 0.31 0.47 0.10 0.54
C4 0.72 0.70 0.72 0.69 0.68 0.39 0.62 0.16 0.73
C5 0.78 0.79 0.77 0.71 0.70 0.47 0.62 0.21 0.79
The values demonstrate the slight progressive decrease of
the AUC with physical noise in the different profile attacks.
The decrease is between 1 and 22% concerning the legitimate
signal, being 1% for the first profile and 22% for the fourth
profile. On the other hand, the AUC values of the malware-
based noise decrease between the second and third profiles,
being 34% less, and between third and fourth profiles, being
55% less. Similarly, malware-based noise in the fourth profile
has an impact of 74% in the legitimate signal. Therefore,
generating noise in the processing phase by the fourth attacker
profile has the most significant impact on the AUC, which
translates into a high identification of P300 potentials.
IV. CONCLUSION
This paper presents four attacker profiles that generate
noise-based cyberattacks affecting BCI frameworks. Two
types of noise are generated for each attacker: (1) physi-
cal, affecting the acquisition phase of EEG signals, and (2)
malware-based, impacting the processing phase. To test them,
this work presents a scenario based on visual stimuli with
the aim of generating P300 waves and acquiring them with a
non-invasive BCI headset. The experimentation indicates that
the proposed cyberattacks allow affecting EEG signals, where
the attacker with the greatest knowledge of the BCI cycle has
the greatest impact. Likewise, cyberattacks in the processing
phase have a greater impact on the generation of the P300,
making it a point of great interest for potential attackers.
ACKNOWLEDGEMENTS
This work has been partially supported by (a) the Swiss
Federal Office for Defense Procurement (armasuisse) with the
RESERVE project (CYD-C-2020003), and (b) 21629/FPI/21,
Fundaci´
on S´
eneca, Regi´
on de Murcia (Spain).
REFERENCES
[1] Mart´
ınez Beltr´
an, E. T., Quiles P´
erez, M., L´
opez Bernal, S., Huertas
Celdr´
an, A., and Mart´
ınez P´
erez, G.: ”Noise-based cyberattacks generat-
ing fake P300 waves in brain–computer interfaces”, Cluster Computing,
vol. 25, pp. 33-48, 2021.

atrocinadore
375

376