Breaking the Loop: Adversarial Attacks on Cognitive-AI Feedback via Neural Signal Manipulation
DOI:
https://doi.org/10.4108/eetss.v9i1.9502
Keywords:
Neuro-adversarial attacks, Brain-Computer Interfaces (BCI) Security, EEG Perturbation, Adversarial Machine Learning, HITL-AI, Cognitive Feedback Loop, Neural Signal Manipulation
Abstract
INTRODUCTION: Brain-Computer Interfaces (BCIs) embedded with Artificial Intelligence (AI) have created powerful closed-loop cognitive systems in the fields of neurorehabilitation, robotics, and assistive technologies. However, this tight human-AI integration exposes these systems to new security vulnerabilities and to adversarial distortion of neural signals.
OBJECTIVES: The paper seeks to formally develop and assess neuro-adversarial attacks, a new class of attack vector that targets AI cognitive feedback systems through attacks on electroencephalographic (EEG) signals. The goal of the research was to simulate such attacks, measure the effects, and propose countermeasures.
METHODS: Adversarial machine learning (AML) techniques, including the Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD), were applied to open EEG datasets using Long Short-Term Memory (LSTM), Convolutional Neural Network (CNN), and Transformer-based models. Closed-loop simulations of BCI-AI systems, including real-time feedback, were conducted, and both the attack vectors and the countermeasure approaches (e.g., VAEs, wavelet denoising, adversarial detectors) were tested.
RESULTS: Neuro-adversarial perturbations yielded up to 30% reduction in classification accuracy and over 35% user intent misalignment. Transformer-based models performed relatively better, but overall performance degradation was significant. Defense strategies such as variational autoencoders and real-time adversarial detectors returned classification accuracy to over 80% and reduced successful attacks to below 10%.
CONCLUSION: The threat model presented in this paper is a significant addition to the world of neuroscience and AI security. Neuro-adversarial attacks represent a real risk to cognitive-AI systems by misaligning human intent and action with machine response. Mobile layer signal sanitation and detection.
License
Copyright (c) 2025 EAI Endorsed Transactions on Security and Safety

This work is licensed under a Creative Commons Attribution 4.0 International License.
This is an open-access article distributed under the terms of the Creative Commons Attribution CC BY 4.0 license, which permits unlimited use, distribution, and reproduction in any medium so long as the original work is properly cited.