Tiny noise, big mistakes: Adversarial perturbations induce errors in Brain-Computer Interface spellers

An electroencephalogram (EEG) based brain-computer interface (BCI) speller allows a user to input text to a computer by thought. It is particularly useful to severely disabled individuals, e.g., amyotrophic lateral sclerosis (ALS) patients, who have no other effective means of communication with another person or a computer. Most studies so far have focused on making EEG-based BCI spellers faster and more reliable; however, few have considered their security. This study shows, for the first time, that P300 and steady-state visual evoked potential (SSVEP) BCI spellers are highly vulnerable: they can be severely attacked by adversarial perturbations, which are too tiny to be noticed when added to EEG signals, but can mislead the spellers into spelling anything the attacker wants. The consequence could range from merely user frustration to severe misdiagnosis in clinical applications. We hope our research can attract more attention to the security of EEG-based BCI spellers, and more broadly, EEG-based BCIs, a topic that has received little attention before.

This article aims to expose a critical security concern in EEG-based BCI spellers, and more broadly, EEG-based BCIs, which has received little attention before. It shows for the first time that one can generate tiny adversarial EEG perturbation templates for target attacks on both P300 and SSVEP spellers, i.e., mislead the classification to any character the attacker wants, regardless of the user's intended character. The consequence could range from merely user frustration to severe misdiagnosis in clinical applications [40]. We believe a new and more detailed understanding of how adversarial EEG perturbations affect BCI classification can inform the design of BCIs to defend against such attacks.
There have been some studies on adversarial attacks of time-series signals [25, 40-42]. They treated time-series signals just as images, and then applied essentially the same attack approaches used in image classification to generate adversarial perturbations. As a result, they need to know the full time series before computing the adversarial perturbations, which means these approaches are not causal and hence cannot be implemented in real-world applications. For example, to attack a voice command, previous approaches need to record the entire voice command first, and then design the perturbation. However, once the perturbation is obtained, the voice command has already been sent out (e.g., to a smartphone or Amazon Echo), so there is no chance to add the perturbation to the voice command to actually perform the attack.
What distinguishes the attack approaches in this article most from previous ones is that they explicitly consider causality in designing the perturbations. The adversarial perturbation template is constructed directly from the training set and then fixed. So, there is no need to know the test EEG trial and compute the perturbation specifically for it. The perturbation can be directly added to a test EEG trial as soon as it starts; hence, it satisfies causality and can be implemented in practice. This creates an urgent need to be aware of such attacks and to defend against them.
A closely related concept is universal adversarial perturbations [43], which can also be viewed as adversarial perturbation templates and have been used to attack deep learning models in image classification. This study focuses on the security of a traditional and most frequently used BCI pipeline, which consists of separate feature extraction and classification steps, whereas universal adversarial perturbations are usually designed for non-target attacks of end-to-end deep learning models.
To summarize, our contributions are:
1. We show, for the first time, that tiny noise can significantly manipulate the outputs of P300 and SSVEP spellers, exposing a critical security concern in BCIs.
2. Instead of deep learning models, we consider the classical BCI pipeline, consisting of feature extraction and classification, as our victim models; this pipeline dominates practical BCI spellers.
3. Our generated adversarial perturbation templates satisfy the causality of time-series signals, which has rarely drawn attention before.

Performance evaluation
We used two measures to evaluate the performance of a BCI speller: the classification accuracy and the ITR [44], which measures the typing speed of the speller:

$$\mathrm{ITR} = \frac{1}{T}\left[\log_2 Q + R\log_2 R + (1-R)\log_2\frac{1-R}{Q-1}\right], \qquad (1)$$

where $T$ is the average time (minutes) spent to input a character, $Q$ the number of different characters (36 in our P300 speller and 40 in the SSVEP speller), and $R$ the classification accuracy. The unit of ITR is bits/min. When the classification accuracy is no better than a random guess, i.e., $R \le 1/Q$, the ITR is directly set to 0. To distinguish between the character the user wants to spell and the one the attacker wants to mislead the speller to, we denote the former the user character and the latter the attacker character. Accordingly, the user score and user ITR describe the classification accuracy of user characters and the corresponding ITR, respectively. The attacker score is defined as the ratio of trials in which the perturbation template leads the speller to output the attacker character, and the corresponding attacker ITR is calculated by replacing $R$ in equation (1) with the attacker score. A higher attacker score or attacker ITR represents better target attack performance.
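As a quick sanity check, equation (1) can be computed directly; `itr_bits_per_min` is a hypothetical helper name for this sketch:

```python
import math

def itr_bits_per_min(R, Q, T_minutes):
    """Wolpaw ITR (bits/min): R = accuracy, Q = number of characters,
    T_minutes = average time (in minutes) to input one character."""
    if R <= 1.0 / Q:          # no better than a random guess -> ITR set to 0
        return 0.0
    bits = math.log2(Q) + R * math.log2(R)
    if R < 1.0:               # avoid log2(0) when accuracy is perfect
        bits += (1 - R) * math.log2((1 - R) / (Q - 1))
    return bits / T_minutes
```

For example, with Q = 36 and 15 intensification repeats (31.5 s = 0.525 min per character), perfect accuracy gives log2(36)/0.525, roughly 9.8 bits/min.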

Security of the P300 speller
Dataset: We used a public P300 dataset (dataset II) introduced by Wolpaw et al. [45]. It recorded 64-channel EEG signals from two subjects (A and B). The EEG data were sampled at 240 Hz, bandpass filtered to 0.1-40 Hz, then z-normalized for each channel. There were 85 training character trials and 100 test ones for each subject. For each trial, a set of 12 random intensifications (six rows and six columns) were repeated 15 times (i.e., each row was intensified 15 times, and each column was also intensified 15 times). Each intensification lasted for 100 ms, after which the character matrix was blanked for 75 ms. So, it took (100 + 75) × 12 × 15 = 31, 500 ms, or 31.5 s, to input a character. The spelling speed can be improved by using fewer repeats, e.g., 10 or 5; however, the spelling accuracy generally decreases with a smaller number of repeats.
Note that all the following experiments were also successfully performed on a public ALS P300 dataset with eight ALS patients (see Supplementary Information for the details).
The victim model: The victim model was a Riemannian geometry based approach, which won the Kaggle BCI Challenge in 2015. First, 16 xDAWN spatial filters [46], eight for the target trials and another eight for the non-target trials, were designed to filter all the trials. The template-signal covariance matrices of the EEG epochs were then projected onto the tangent space of a Riemannian manifold [47-49], using the Affine Invariant Riemannian Metric as the distance metric. Finally, we classified the feature vectors with a logistic regression model in the tangent space. The details can be found in the Supplementary Information. The model was trained with class-specific weights to accommodate class imbalance. All operations in these blocks are differentiable, so we re-implemented them using TensorFlow [50] to facilitate gradient calculation.
To get the label (target or non-target) of an intensification, an epoch between 0-600 ms from the beginning of the intensification was extracted and fed into the victim model to calculate the target probability. Because each row and column was intensified multiple times, voting was performed for each trial to get the target row and target column, and hence the target character.
Baseline performance: The first part of Table 1 shows the baseline performance of the clean EEG data (without adding any perturbations). As the number of intensification repeats increased, the user score increased, indicating that the classification accuracy of the user characters increased. Meanwhile, the user ITR decreased, because the time needed to input each character significantly increased.
The second part of Table 1 shows the baseline performance when we added Gaussian noise to the raw EEG data, averaged over 10 runs. The Gaussian noise perturbations were preprocessed in the same way as the adversarial perturbations, by replacing the normalized perturbation in equation (6) with standard Gaussian noise, so that they had the same energy. We use the signal-to-perturbation ratio (SPR) to quantify the magnitude of the perturbation, which is also presented in the second part of Table 1. Gaussian noise perturbations had almost no impact on the user score and the user ITR at all, not to mention forcing the P300 speller to output a specific attacker character. These results suggest that more sophisticated adversarial perturbations are needed to attack the P300 speller.
Performance under adversarial attacks: Then, we added the adversarial perturbation template to the test EEG trials to validate whether it was effective in misleading the P300 speller. Figure 2a shows the attacker scores of the 36 characters. The attacker can manipulate the P300 speller to spell whatever character he/she wants, regardless of what the user intended character is, with a higher than 90% average success rate.
The third part of Table 1 shows the average user scores and ITRs with different numbers of intensification repeats. The user scores and ITRs were close to zero, suggesting that the user almost cannot correctly input the character he/she wanted.
The fourth part of Table 1 shows the average attacker scores and ITRs with different numbers of intensification repeats. The attacker score increased with the number of intensification repeats, because more repeats increased the number of times that the attacker can inject the perturbation into the benign EEG trial.
To better quantify the magnitude of the perturbations, we also calculated two SPRs. The adversarial perturbation template was only added at some specific periods of the EEG trial, as shown in Figure 2b, therefore we defined a period SPR to measure the SPR of the perturbed period, and also a trial SPR to measure the SPR of the entire trial. The last part of Table 1 shows these SPRs. They were higher than 20 dB, suggesting that the adversarial perturbation template may be undetectable when added to benign EEG trials.
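The two SPRs differ only in the span over which the signal and perturbation powers are measured. A minimal sketch (`spr_db` is a hypothetical helper name; both arguments are channels x samples arrays):

```python
import numpy as np

def spr_db(signal, perturbation):
    """Signal-to-perturbation ratio in dB: 10*log10(P_signal / P_perturbation)."""
    p_signal = np.mean(np.asarray(signal, dtype=float) ** 2)
    p_pert = np.mean(np.asarray(perturbation, dtype=float) ** 2)
    return 10.0 * np.log10(p_signal / p_pert)
```

The period SPR restricts both arrays to the perturbed samples only, while the trial SPR uses the entire trial (with the perturbation zero-padded outside the perturbed periods).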
Visualization of the adversarial perturbations: In addition to high attack performance, another requirement in adversarial attacks is that the perturbations should not be detected easily. Figure 2b shows a typical EEG trial before and after the adversarial perturbation on Subject A. For clarity, we only show channels F3, F4, Cz, P3 and P4, which are evenly distributed over the scalp. One can barely distinguish the adversarial EEG trial from the original EEG trial.
A traditional way to visualize the P300 signal is to take the average of multiple P300 trials. We also took this approach to check if there was a noticeable difference between the average target (or non-target) trials, before and after perturbation. Figure 2c shows the results from the Cz channel. One can hardly observe any differences. Figure 2c also shows the spectrograms and topoplots of the difference between the average target EEG trial and the average non-target EEG trial. The original and adversarial spectrograms (or topoplots) show very similar energy distributions, and are hardly distinguishable by human eyes.

Security of the SSVEP Speller
Dataset: The dataset was first introduced by Wang et al. [19] as a benchmark dataset for SSVEP-based BCIs. The 64-channel signals were recorded from 35 subjects using an extended 10-20 system. During the experiments, the subjects were facing a monitor, in which a 5 × 8 character matrix was flickering. Different flickering frequencies were assigned to the 40 characters respectively, ranging from 8 Hz to 15.8 Hz with 0.2 Hz increment, as shown in Figure 1c. Six blocks of EEG signals were recorded from each subject, each with 40 trials, corresponding to the 40 target characters. Each trial was downsampled to 250 Hz and lasted 6 seconds, including 0.5 s before stimulus onset, 5 s for stimulation, and 0.5 s after stimulus offset.
Chen et al. [51] showed that an SSVEP at the stimulation frequency and its harmonics usually starts to be evoked with a delay around 130-140 ms; hence, we extracted EEG signals between [0.13, 1.38] s after the stimulus onset as the input to the victim model. Nine channels over the occipital and parietal areas (Pz, POz, PO3, PO4, PO5, PO6, Oz, O1 and O2) were chosen. The signals were bandpass filtered to 7-90 Hz with a fourth-order Butterworth filter.
The victim model: Extracting the frequency information of SSVEPs is an essential step in recognizing the stimulation frequency, and hence the user character. A natural solution is to utilize fast Fourier transform to estimate the spectrum, so that the energy peaks can be matched to the stimulation frequency; however, canonical correlation analysis (CCA) was recently shown to be more promising in identifying the stimulation frequency [51,52]. Thus, CCA-based frequency recognition was used in the victim model.
CCA is a statistical approach that can be used to extract the underlying correlation between two multi-channel time series [53]. Its main idea is to find a linear combination of channels for each time series so that their correlation is maximized. When applied to SSVEP spellers, CCA is utilized to calculate the maximum correlation between the input EEG signals and a standard reference signal, which consists of the sinusoidal signal of a stimulation frequency and its $(N_q - 1)$ harmonics ($N_q = 5$ in our case).
Mathematically, let $X \in \mathbb{R}^{N_e \times N_s}$ denote an EEG trial with $N_e$ channels and $N_s$ samples, and $Y_f$ a standard reference signal of stimulation frequency $f$. The $(c, n)$-th entry of $Y_f$ is

$$[Y_f]_{c,n} = \begin{cases} \sin\big(2\pi \lceil c/2 \rceil f n / f_s\big), & c \text{ odd}, \\ \cos\big(2\pi (c/2) f n / f_s\big), & c \text{ even}, \end{cases} \qquad (2)$$

where $f_s$ is the sampling rate, $1 \le c \le 2N_q$, and $1 \le n \le N_s$. To calculate the maximum correlation coefficient $\rho(X, Y_f)$, $X$ and $Y_f$ are first z-normalized, and then $\rho(X, Y_f)$ is computed as the square root of the largest eigenvalue of the matrix

$$S(X, Y_f) = (X X^T)^{-1} X Y_f^T (Y_f Y_f^T)^{-1} Y_f X^T, \qquad (3)$$

i.e.,

$$\rho(X, Y_f) = \sqrt{\lambda_{\max}\big(S(X, Y_f)\big)}. \qquad (4)$$

More detailed derivations can be found in the Supplementary Information.
Let $\mathcal{F} = \{f_1, \ldots, f_K\}$ be the set of $K$ candidate stimulation frequencies ($K = 40$ in our case). Then, the SSVEP speller outputs the character corresponding to the stimulation frequency

$$\hat{f} = \arg\max_{f \in \mathcal{F}} \rho(X, Y_f).$$
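The recognition rule can be sketched end to end as follows; the helper names (`reference_signal`, `max_cca_corr`, `recognize_frequency`) are illustrative, not from the authors' code, and the correlation is computed via the eigenvalue formulation of equations (3)-(4):

```python
import numpy as np

def reference_signal(f, n_samples, fs=250.0, n_harmonics=5):
    """Build Y_f: sin/cos pairs at f and its harmonics, shape (2*n_harmonics, n_samples)."""
    t = np.arange(n_samples) / fs
    rows = []
    for k in range(1, n_harmonics + 1):
        rows.append(np.sin(2 * np.pi * k * f * t))
        rows.append(np.cos(2 * np.pi * k * f * t))
    return np.array(rows)

def max_cca_corr(X, Y):
    """Largest canonical correlation between X and Y (each: channels x samples)."""
    X = (X - X.mean(axis=1, keepdims=True)) / X.std(axis=1, keepdims=True)
    Y = (Y - Y.mean(axis=1, keepdims=True)) / Y.std(axis=1, keepdims=True)
    Sxy = X @ Y.T
    S = np.linalg.pinv(X @ X.T) @ Sxy @ np.linalg.pinv(Y @ Y.T) @ Sxy.T
    return float(np.sqrt(np.max(np.linalg.eigvals(S).real)))

def recognize_frequency(X, freqs, fs=250.0, n_harmonics=5):
    """Output the candidate frequency whose reference correlates most with X."""
    scores = [max_cca_corr(X, reference_signal(f, X.shape[1], fs, n_harmonics))
              for f in freqs]
    return freqs[int(np.argmax(scores))]
```

For a trial dominated by a 10 Hz SSVEP, `recognize_frequency` should pick 10 Hz out of the candidate set, since the 10 Hz reference yields the largest canonical correlation.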

Baseline performance: Among the 35 subjects, eight with the best baseline performances (shown in the first part of Table 2) were used in our experiments.
Because SSVEPs are highly susceptible to periodic noise, we evaluated the robustness of the victim model to Gaussian noise and to sinusoidal noise of a single frequency randomly chosen from the 40 stimulation frequencies, with a random phase chosen from $-\pi/2$ to $\pi/2$. We also considered compound sinusoidal noise, which can be regarded as the summation of single-frequency sinusoidal noise with different frequencies, random amplitudes, and random phases. The SPRs were all set to 25 dB, so that the energy of the Gaussian noise and single/compound (S/C) periodic noise was comparable to that of the adversarial perturbation templates. The 'Gaussian Noise' and 'S/C Periodic Noise' panels of Table 2 show the results on these noisy data, averaged over 10 runs. The victim model was almost completely immune to the Gaussian noise. The single periodic noise degraded the model performance more than the Gaussian noise or the compound periodic noise.
Performance under adversarial attacks: We generated 40 adversarial perturbation templates, each forcing the SSVEP speller to output a specific character. Figure 3a shows their attacker scores. For six of the eight subjects, their output character can be manipulated to any character the attacker wanted, at 70%-100% success rate. Interestingly, due to individual differences, Subjects 3 and 25 showed some resistance to adversarial perturbation templates.
The fifth and sixth parts of Table 2 show the averaged user and attacker performances, respectively. The adversarial perturbation templates were very effective on most subjects (except Subjects 3 and 25), reducing both the user scores and the user ITRs to almost zero, i.e., the user almost cannot correctly input any character he/she wanted. The attacker scores for five subjects were close to one, i.e., the attacker was able to force the SSVEP speller to output any character he/she wanted. The SPRs were all around 25 dB, comparable to the SPRs for random noise.
Visualization of the adversarial perturbations: This subsection shows the characteristics of the adversarial perturbation templates, and verifies their imperceptibility to some widely used approaches for evaluating the quality of SSVEPs. Figure 3b shows the EEG signals before and after adversarial perturbations, along with the magnified difference. The SSVEP speller misclassified the user character, which was supposed to be Y (8.6 Hz), into N (13.2 Hz). Human eyes can barely recognize the difference between the benign and the adversarial EEG trials. After being magnified 10 times, the perturbation looks periodic, which shifts the recognized frequency from the user frequency to the attacker frequency.
We compared the clean and adversarial EEG signals with standard sinusoidal signals in Figure 3c, using Subject 26 as an example. We took the average of the clean temporal waveforms of 8 Hz SSVEPs from Channel POz, and did the same for their adversarial signals with $\delta_{13\mathrm{Hz}}$ added (which forced the SSVEP speller to output the character of 13 Hz stimulation frequency). We chose Channel POz because the adversarial perturbation on this channel had one of the largest amplitudes, as shown in Figure 3b. Figure 3c shows that both the clean and adversarial EEG signals were synchronized with the standard 8 Hz sinusoidal signal, indicated by the green dot-dashed lines. Comparing the 13 Hz sinusoidal signal with the magnified difference, the same synchronization can be observed, suggesting that the adversarial perturbation template introduced a frequency component matching the attacker character, which was imperceptible to human eyes but powerful enough to mislead the SSVEP speller.

Figure 3d shows the spectrum analysis of SSVEPs for the 40 stimulation frequencies. We averaged the spectra of the benign EEG signals of the same stimulation frequency over all subjects and all chosen channels, so that background activities were suppressed. The first row of Figure 3d, for benign trials, clearly shows that a visual stimulus flickering at a stimulation frequency can evoke SSVEPs at the same frequency and its harmonics. The second row of Figure 3d shows the same property for adversarial trials, whose attacker character was randomly chosen and fixed for each stimulation frequency. We cannot observe noticeable differences between the two rows in Figure 3d, demonstrating the challenge of detecting the adversarial perturbation templates.

CONCLUSION AND DISCUSSION
This article shows that one can generate adversarial EEG perturbation templates for target attacks on both P300 and SSVEP spellers, i.e., deliberately designed tiny perturbations can manipulate an EEG-based BCI speller to output anything the attacker wants with a high success rate, demonstrating the vulnerability of BCI spellers. We should emphasize that the attack framework used here is not specific to the victim models used in this study; it may also be utilized to attack many other classifiers in BCIs with little modification.
Limitations: The current approaches have two limitations: (a) they require some subject-/model-specific EEG trials to construct the adversarial perturbation template; and, (b) they need to know the exact timing of the stimulus to achieve the best attack performance. The adversarial attacks could be more dangerous if these limitations are resolved.
The first limitation may be alleviated by utilizing the transferability of adversarial examples, one of their most dangerous properties. It was first discovered by Szegedy et al. [20] in 2014 and further investigated by many others [24, 54-56]. Transferability means that adversarial examples generated from one model can also be used to attack another model, which may have a completely different architecture and/or be trained on a different dataset. Thus, it may be possible to construct the adversarial perturbation template from existing subjects/models and then apply it to a new subject/model. Our Supplementary Information presents experimental results on both the cross-subject and cross-model transferability of the generated adversarial perturbations.
The second limitation is that the attacker needs to know the precise time synchronization between adversarial perturbation templates and EEG signals. To study how the synchronization time delay affects the attack performance, we show the relationship between the user/attacker scores and the time delay in adding the perturbation template (see Supplementary Figure 1). It can be observed that the SSVEP perturbation template was fairly robust to the time delay whereas the P300 adversarial template was sensitive to the synchronization. For the P300 speller, when the time delay increased, the user scores increased rapidly while the attacker score decreased rapidly, suggesting that hiding the time synchronization information may help defend against adversarial attacks in the P300 spellers. However, attacks insensitive to the synchronization may also be possible. For example, the idea of adversarial patch [57], which is a tiny picture patch that can mislead the classifier when added anywhere to a large picture to be classified, may be used to increase the robustness to the synchronization time delay. Thus, defending against the attackers may not be an easy task.
Closed-loop BCI application considerations: In a typical closed-loop BCI speller, the user receives real-time feedback of his/her chosen character from the screen. If the adversarial perturbation constantly misleads the speller and returns wrong characters that do not match the user's intended input, the user would most likely stop using the speller. The consequence may not seem serious for a user who has other means of communication; however, for patients with severe impairments who rely on BCI spellers as their sole means of communication, e.g., ALS patients, either the attacker changes the meaning of their sentences and they cannot do anything about it, or the patients stop responding, misleading doctors/researchers into thinking they are not able to communicate at all. Both consequences can significantly impact the patients.
Although this article focused on adversarial attacks of P300 and SSVEP spellers, P300 and SSVEP are also widely used in neuro-ergonomics and the assessment of cognitive states, e.g., the diagnosis of patients with disorders of consciousness [58]. The proposed approach can be used to attack these BCI systems with little modification. The adversarial perturbation could also be a serious concern if the BCI system is used in other scenarios, such as wheelchair control or exoskeleton control, where the feedback could come too late and the cost of a single mistake could be fatal. Moreover, the attacker may only launch the attack under critical conditions, when the user is completely unprepared, and the consequences could be even more catastrophic.
Finally, we need to emphasize again that the goal of this study is not to damage EEG-based BCIs. Instead, we aim to demonstrate that serious adversarial attacks on EEG-based BCIs are possible, and hence expose a critical security concern, which has received little attention before. Our future research will develop strategies to defend against such attacks. Meanwhile, we hope our study can attract more researchers' attention to the security of EEG-based BCIs.

METHODS
We detail our approaches to evaluating the vulnerability of P300 and SSVEP spellers in this section.

Attack the P300 Speller
The main idea to construct the adversarial perturbation template was to find a universal perturbation that leads the P300 classifier to classify non-target epochs into target ones. The approach was to get the directions pointing from non-target epochs to the decision boundary of the victim model, and then sum up these directions as the universal perturbation. These directions can be identified by simply calculating the gradients of the loss with respect to the input non-target EEG epochs, assuming the decision boundary is linear. Though the victim model includes nonlinear operations, the attack approach still worked surprisingly well.
Let $X$ be an EEG trial, $y$ its label (0 for non-target, and 1 for target), $f$ the victim model, which gives the label probability for each input $X$, $J(X, y, f)$ the loss function (cross-entropy loss in our case), and $\mathcal{D}_{NT}$ the dataset containing all non-target epochs in the training set. Then, the overall direction can be computed as

$$P = \sum_{X \in \mathcal{D}_{NT}} \nabla_X J(X, 0, f),$$

i.e., the summed gradients of the loss with respect to the non-target inputs, which point from the non-target epochs toward the decision boundary. After obtaining $P$, we filtered it with a fourth-order Butterworth bandpass filter of [0.1, 15] Hz, extracted the first 350 ms of the signal, and then normalized it in each channel so that the L2 norm is 1. Denote the result as $\bar{P}$. Then, the adversarial perturbation $P^*$ was computed as

$$P^* = \epsilon \bar{P}, \qquad (6)$$

where $\epsilon$ is a constant controlling the energy of the perturbation ($\epsilon = 0.5$ in our experiments).
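The construction can be illustrated with a toy surrogate. The sketch below substitutes a plain logistic-regression victim acting on the flattened epoch for the full xDAWN + Riemannian pipeline, and omits the band-pass filtering step; `perturbation_template` and its arguments are hypothetical names:

```python
import numpy as np

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def perturbation_template(nontarget_epochs, w, b, eps=0.5):
    """Build a universal perturbation template from non-target epochs.

    nontarget_epochs: (n_epochs, n_channels, n_samples) array.
    w, b: weights/bias of a surrogate logistic-regression victim acting
    on the flattened epoch.
    Summing the gradients of the loss (with the true non-target label 0)
    yields a direction that pushes epochs toward the 'target' side of the
    decision boundary; the template is the channel-wise normalized sum,
    scaled by eps.
    """
    n, c, s = nontarget_epochs.shape
    P = np.zeros((c, s))
    for X in nontarget_epochs:
        p = sigmoid(w @ X.ravel() + b)     # predicted target probability
        P += (p * w).reshape(c, s)         # dJ(X, y=0)/dX for the logistic loss
    P /= np.linalg.norm(P, axis=1, keepdims=True) + 1e-12  # unit L2 per channel
    return eps * P
```

For this linear surrogate, adding the template increases the predicted target probability of every non-target epoch, which is exactly the behavior the attack relies on.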
To mislead the P300 speller, one only needs to tamper with some specific signal periods according to the onset of the target stimuli. Because in a practical P300 speller the same row or column is never intensified successively, the perturbation template can last more than one intensification period. In our experiments, the template lasted 2 × 175 = 350 ms, i.e., two intensification periods. Figure 4 illustrates the attack procedure. The benign EEG trial would output character 7, since the last row and the third column of the character matrix have the highest P300 probability, and their intersection is 7. However, after applying the perturbation template, the trial outputs the character Z, because the fifth row and the second column have the highest P300 probability. Interestingly, the adversarial template acts like random noise when it is not synchronized with an intensification onset. As shown in Figure 4, the last 175 ms of the template does not influence the classification of the corresponding intensification.

Attack the SSVEP Speller
There are two difficulties in attacking the victim model of the SSVEP speller. First, the victim model is not fixed, as the parameters of CCA vary in different EEG trials. Second, unlike the P300 speller whose base victim model only needs to classify the input into two classes, there are many more classes in the SSVEP speller. These make adversarial attacks of the SSVEP speller much more challenging.
The remedy was to generate an adversarial perturbation template $\delta_f \in \mathbb{R}^{N_e \times N_s}$ that can lead the SSVEP speller to output the attacker character of stimulation frequency $f$. For each user, we used the first block to craft $\delta_f$, and the remaining five blocks to evaluate its attack performance.
According to the victim model, $\delta_f$ should be able to maximize $\rho(X + \delta_f, Y_f)$ in equation (4), such that

$$\arg\max_{f' \in \mathcal{F}} \rho(X + \delta_f, Y_{f'}) = f.$$

In other words, $\delta_f$ can be crafted by solving

$$\delta_f = \arg\max_{\delta} \sum_{X} \lambda_{\max}\big(S(X + \delta, Y_f)\big), \qquad (9)$$

where the sum is over the EEG trials $X$ in the first block, and $S(X, Y)$ is defined in equation (3).
Since $S(X + \delta_f, Y_f)$ is not symmetric, it is difficult to calculate the derivatives of its largest eigenvalue, which complicates the optimization. Because the largest eigenvalue is always no smaller than the average of all eigenvalues, i.e.,

$$\lambda_{\max}\big(S(X + \delta_f, Y_f)\big) \ge \frac{1}{N_e}\,\mathrm{tr}\big(S(X + \delta_f, Y_f)\big),$$

instead of solving equation (9) directly, we can maximize its lower bound to reduce the optimization difficulty:

$$\max_{\delta_f} \sum_{X} \mathrm{tr}\big(S(X + \delta_f, Y_f)\big).$$

Because the effective frequency band of SSVEP signals is 7-90 Hz, we introduced a new variable $r_f$ such that

$$\delta_f = \mathrm{filt}(r_f),$$

where $\mathrm{filt}(\cdot)$ retains only the 7-90 Hz effective signal frequency components. As a result, we can ensure the integrity of the adversarial template during signal filtering. In addition, we added $\alpha \cdot \|\delta_f\|_F$ to penalize the energy of the perturbation, where $\alpha$ is the penalty coefficient and $\|\cdot\|_F$ the Frobenius norm.
Finally, the problem becomes

$$\max_{r_f} \sum_{X} \mathrm{tr}\big(S(X + \mathrm{filt}(r_f), Y_f)\big) - \alpha \big\|\mathrm{filt}(r_f)\big\|_F.$$

Gradient descent was used to update $r_f$, and the iteration stopped when the SPR dropped below a threshold, which was set to 25 dB in our experiments.
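A toy version of this optimization can be sketched with numerical gradients; the analytic gradients and the 7-90 Hz band-limiting variable $r_f$ of the actual method are omitted, and all names (`reference`, `trace_S`, `craft_template`) are illustrative:

```python
import numpy as np

def reference(f, n_samples, fs=100.0, n_harm=2):
    """Sin/cos reference at f and its harmonics."""
    t = np.arange(n_samples) / fs
    return np.array([g(2 * np.pi * k * f * t)
                     for k in range(1, n_harm + 1) for g in (np.sin, np.cos)])

def trace_S(X, Y):
    """tr(S(X, Y)): the lower-bound surrogate for the largest eigenvalue."""
    X = X - X.mean(axis=1, keepdims=True)
    Y = Y - Y.mean(axis=1, keepdims=True)
    Sxy = X @ Y.T
    S = np.linalg.pinv(X @ X.T) @ Sxy @ np.linalg.pinv(Y @ Y.T) @ Sxy.T
    return float(np.trace(S))

def craft_template(trials, f_att, fs=100.0, n_harm=2, alpha=1e-3,
                   lr=0.02, steps=40, h=1e-4):
    """Maximize sum_X tr(S(X + delta, Y_f)) - alpha * ||delta||_F by
    central-difference gradient ascent on a tiny problem."""
    n_ch, n_s = trials[0].shape
    Yf = reference(f_att, n_s, fs, n_harm)

    def J(delta):
        return (sum(trace_S(X + delta, Yf) for X in trials)
                - alpha * np.linalg.norm(delta))

    delta = np.zeros((n_ch, n_s))
    for _ in range(steps):
        g = np.zeros_like(delta)
        for i in range(n_ch):
            for j in range(n_s):
                e = np.zeros_like(delta)
                e[i, j] = h
                g[i, j] = (J(delta + e) - J(delta - e)) / (2 * h)
        delta += lr * g
    return delta
```

After a few ascent steps, the crafted template raises the surrogate correlation objective toward the attacker frequency, which is the mechanism the real (analytic-gradient, band-limited) optimization exploits at scale.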

DATA AVAILABILITY STATEMENT
Publicly available BCI datasets were used in this study. The P300 speller dataset can be downloaded from http://www.bbci.d (Dataset II). The P300 speller dataset of ALS patients was first used in [59] and can be downloaded from http://bnci-horizon (P300 speller with ALS patients (008-2014)). The SSVEP dataset can be downloaded from http://bci.med.tsinghua.edu.cn. All source code is available on GitHub (https://github.com/ZhangXiao96/Speller-Attacks).

Figure 2: P300 speller attack results. a, Attacker scores of manipulating the P300 speller to misclassify the 100 test character trials into a specific attacker character. The P300 speller used 15 intensification repeats for each character. b, EEG trials before and after adversarial perturbation, which are almost completely overlapping (the SPRs are shown in Table 1), and the difference (magnified ten times) between the adversarial trial and the benign trial. The non-zero part of the difference is the adversarial perturbation template, which is added to a benign EEG trial according to the attacker character. The adversarial perturbation led the P300 speller to misclassify letter Y into N. c, left column: the average of 100 × 15 × 2 = 3,000 target trials (containing P300) and the average of 100 × 15 × 10 = 15,000 non-target trials (not containing P300) at channel Cz, for benign and adversarial trials; middle column: spectrogram of the difference between the average target trial and the average non-target trial in channel Cz, for benign and adversarial trials; right column: topoplot of the difference between the average target trial and the average non-target trial, for benign and adversarial trials. b and c present the visualization of the adversarial perturbations for Subject A.

Figure 4: Illustration of the attack procedure in the P300 protocol. The attacker character is Z, whereas the user character is 7.
For the benign EEG trial, the P300 speller can correctly identify that P300 is elicited by the intensifications of the last row and the third column.
To mislead the P300 speller, the adversarial perturbation template is added during the periods of 0-350 ms and 700-1050 ms, so that the fifth row and the second column are believed to elicit P300 with the highest probability. The added adversarial perturbation templates do not influence the results of the second and the last stimuli, because their corresponding periods are out of synchronization with the templates. As a result, the P300 speller misclassifies the perturbed trial as attacker character Z.

The victim model of the P300 speller
This section details the victim model of the P300 speller.

xDAWN spatial filters
The original xDAWN filter [46] was designed for P300 evoked potentials, enhancing the target response with respect to the non-target response. We used a generalized version in our experiments, as implemented in pyRiemann (https://pyriemann.readthedocs.io/en/latest/index.html).
More specifically, let $\mathcal{D} = \{(X_i, y_i)\}_{i=1}^N$ be the training set, where $X_i \in \mathbb{R}^{N_e \times N_s}$ is the $i$-th mean-centered EEG epoch ($N_e$ is the number of channels, and $N_s$ the number of time-domain samples), and $y_i \in \{0, 1\}$ its corresponding label (0 for non-target, and 1 for target). The average epoch $\bar{X}_c$, $c \in \{0, 1\}$, is first calculated. Spatial filters $U_c \in \mathbb{R}^{N_f \times N_e}$ were then designed to maximize the signal to signal-plus-noise ratio for each class:

$$U_c = \arg\max_{U} \frac{\mathrm{tr}\big(U \bar{X}_c \bar{X}_c^T U^T\big)}{\mathrm{tr}\big(U X_{all} X_{all}^T U^T\big)}, \qquad (14)$$

where $N_f$ is the number of filters ($N_f = 8$ was used in our experiments), $X_{all}$ is obtained by concatenating all EEG epochs in $\mathcal{D}$ along the channels, and $\mathrm{tr}(\cdot)$ is the trace of a matrix. Generalized eigenvalue decomposition can be used to solve equation (14).
After obtaining the filters for both classes, the concatenated spatial filters $U = [U_0; U_1]$ can be used to filter each EEG epoch:

$$\tilde{X}_i = U X_i.$$
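The generalized eigenvalue step can be sketched as follows, solving the problem by whitening with $B^{-1/2}$ and then applying an ordinary symmetric eigendecomposition; `xdawn_filters` is an illustrative name, and the sketch skips the regularization a production implementation such as pyRiemann would add:

```python
import numpy as np

def xdawn_filters(epochs, labels, n_filters=8):
    """Generalized xDAWN sketch: for each class c, maximize
    tr(U A_c U^T) / tr(U B U^T), where A_c is built from the class-average
    epoch and B from all concatenated epochs.

    epochs: (n_epochs, n_channels, n_samples) array; labels: array of {0, 1}.
    Returns {class: (n_filters, n_channels) filter matrix}.
    """
    X_all = np.concatenate(list(epochs), axis=1)   # (n_channels, n_epochs*n_samples)
    B = X_all @ X_all.T                            # signal-plus-noise covariance
    wB, VB = np.linalg.eigh(B)
    B_inv_sqrt = VB @ np.diag(1.0 / np.sqrt(wB)) @ VB.T
    filters = {}
    for c in (0, 1):
        Xc = epochs[labels == c].mean(axis=0)      # class-average (evoked) epoch
        A = Xc @ Xc.T
        # eigenvectors of B^{-1/2} A B^{-1/2} give the generalized eigenvectors
        w, V = np.linalg.eigh(B_inv_sqrt @ A @ B_inv_sqrt)
        filters[c] = (B_inv_sqrt @ V[:, ::-1][:, :n_filters]).T
    return filters
```

By construction, the top filter of each class attains the maximal generalized Rayleigh quotient, so no other spatial direction can achieve a higher signal to signal-plus-noise ratio.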

Tangent space projection
Covariance matrices of EEG trials are widely used in BCIs. However, they lie on a Riemannian manifold of Symmetric Positive Definite (SPD) matrices, and hence cannot be directly used by Euclidean space classifiers, such as Logistic Regression and Support Vector Machines. To solve this problem, the covariance matrices are projected onto the Euclidean tangent space at a reference SPD matrix, and the vectorized features are then used by Euclidean space classifiers.
More specifically, we first calculate the augmented covariance matrix $C_i$ for each $X_i$:

$$C_i = \begin{bmatrix} Z \\ U X_i \end{bmatrix} \begin{bmatrix} Z \\ U X_i \end{bmatrix}^T, \qquad (16)$$

where $Z = [U \bar{X}_0; U \bar{X}_1]$. Then, $C_i$ is projected onto the tangent space at the reference SPD matrix $C_f$, which is the geometric mean of $\{C_i\}_{i=1}^N$, i.e.,

$$C_f = \arg\min_{C} \sum_{i=1}^{N} \delta^2(C, C_i), \qquad (17)$$

where $\delta(C_A, C_B)$ is the Affine Invariant Riemannian Metric distance:

$$\delta(C_A, C_B) = \left\| \log\left(C_A^{-1/2} C_B C_A^{-1/2}\right) \right\|_F. \qquad (18)$$

The vectorized features are:

$$s_i = \operatorname{upper}\left(\log\left(C_f^{-1/2} C_i C_f^{-1/2}\right)\right), \qquad (19)$$

where $\operatorname{upper}(\cdot)$ vectorizes the upper triangular part of a symmetric matrix, applying a weight of $\sqrt{2}$ to the off-diagonal elements and a weight of 1 to the rest. $s_i$ can then be fed into any Euclidean space classifier.
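The projection and vectorization above can be sketched as follows. This is a minimal NumPy/SciPy sketch under the stated definitions (function and variable names are ours); pyRiemann's `TangentSpace` provides a production implementation:

```python
import numpy as np
from scipy.linalg import sqrtm, logm

def tangent_space_features(covs, C_ref):
    """Sketch of tangent space projection and vectorization.

    covs:  iterable of SPD matrices C_i, each (n, n)
    C_ref: reference SPD matrix (the geometric mean of the C_i)
    Returns one feature vector per matrix, with sqrt(2) weighting on
    the off-diagonal elements of the upper triangle.
    """
    # Whitening by the inverse square root of the reference matrix.
    C_ref_inv_sqrt = np.linalg.inv(sqrtm(C_ref).real)
    n = covs[0].shape[0]
    iu = np.triu_indices(n)                              # upper-triangle indices
    weights = np.where(iu[0] == iu[1], 1.0, np.sqrt(2.0))
    feats = []
    for C in covs:
        # Matrix logarithm of the whitened covariance (the tangent vector).
        S = logm(C_ref_inv_sqrt @ C @ C_ref_inv_sqrt).real
        feats.append(weights * S[iu])                    # weighted upper(.)
    return np.asarray(feats)
```

The $\sqrt{2}$ weighting makes the Euclidean norm of the vectorized features equal the Frobenius norm of the full symmetric tangent matrix, so distances are preserved after vectorization.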

Canonical correlation analysis (CCA)
This section introduces CCA, which can be used to extract the underlying correlation between two time series.

Problem setup
Let X ∈ R C1×N and Y ∈ R C2×N be two multi-channel time series, where C 1 and C 2 represent the number of channels, and N the number of time domain samples. X and Y are z-normalized in each channel.
The main idea of CCA is to find a pair of canonical variables, denoted as $a \in \mathbb{R}^{C_1 \times 1}$ and $b \in \mathbb{R}^{C_2 \times 1}$, for $X$ and $Y$ respectively, so that the correlation coefficient $\rho$ between $a^T X$ and $b^T Y$ is maximized. The problem can be mathematically formulated as:

$$\max_{a,b} \rho = \frac{a^T X Y^T b}{\sqrt{a^T X X^T a}\,\sqrt{b^T Y Y^T b}}, \qquad (20)$$

which can be re-expressed as:

$$\max_{a,b} a^T X Y^T b, \quad \text{s.t. } a^T X X^T a = b^T Y Y^T b = 1. \qquad (21)$$

Solution of CCA
There are several approaches to solve equation (21). Here we introduce the Lagrange multiplier method [60].
Denote $AB^T$ by $S_{AB}$. Then, equation (21) can be rewritten as:

$$\max_{a,b} a^T S_{XY} b, \quad \text{s.t. } a^T S_{XX} a = b^T S_{YY} b = 1. \qquad (22)$$

According to the Lagrange multiplier method, equation (22) is equivalent to $\max_{a,b,\lambda,\theta} J(a, b, \lambda, \theta)$, where:

$$J(a, b, \lambda, \theta) = a^T S_{XY} b - \frac{\lambda}{2}\left(a^T S_{XX} a - 1\right) - \frac{\theta}{2}\left(b^T S_{YY} b - 1\right). \qquad (23)$$

By setting the first partial derivatives to zero, i.e.,

$$\frac{\partial J}{\partial a} = S_{XY} b - \lambda S_{XX} a = 0, \qquad (24)$$

$$\frac{\partial J}{\partial b} = S_{YX} a - \theta S_{YY} b = 0, \qquad (25)$$

and left-multiplying (24) by $a^T$ and (25) by $b^T$ under the constraints in (22), we have

$$\lambda = a^T S_{XY} b, \qquad (26)$$

$$\theta = b^T S_{YX} a, \qquad (27)$$

and hence

$$\lambda = \theta = a^T S_{XY} b. \qquad (28)$$

It should be noted that equation (28) is also the definition of the correlation coefficient $\rho$.
According to equations (24) and (25), we have:

$$S_{XX}^{-1} S_{XY} S_{YY}^{-1} S_{YX}\, a = \rho^2 a, \qquad (29)$$

which implies that $\rho^2$ equals the largest eigenvalue of $S_{XX}^{-1} S_{XY} S_{YY}^{-1} S_{YX}$, and $a$ is the corresponding eigenvector. $b$ can be obtained in a similar way.
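This eigenvalue characterization translates directly into code. A minimal NumPy sketch (the function name and the small ridge term `reg`, added for numerical stability, are our assumptions, not part of the original derivation):

```python
import numpy as np

def cca_first_pair(X, Y, reg=1e-9):
    """Sketch of the first canonical pair via the eigenvalue problem
    in equation (29).

    X: (C1, N), Y: (C2, N), z-normalized in each channel.
    Returns (rho, a, b), where rho is the largest canonical correlation.
    """
    Sxx = X @ X.T + reg * np.eye(X.shape[0])   # ridge: our addition
    Syy = Y @ Y.T + reg * np.eye(Y.shape[0])
    Sxy = X @ Y.T
    # M = Sxx^{-1} Sxy Syy^{-1} Syx; its largest eigenvalue is rho^2.
    M = np.linalg.solve(Sxx, Sxy) @ np.linalg.solve(Syy, Sxy.T)
    w, V = np.linalg.eig(M)
    k = np.argmax(w.real)
    rho = np.sqrt(max(w[k].real, 0.0))
    a = V[:, k].real
    # b follows from equation (25): b is proportional to Syy^{-1} Syx a.
    b = np.linalg.solve(Syy, Sxy.T @ a)
    return rho, a, b
```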

Security of a P300 speller for Amyotrophic Lateral Sclerosis (ALS) patients
We performed additional experiments to investigate how adversarial perturbations affect P300 spellers used by ALS patients [59]. Eight-channel (Fz, Cz, Pz, Oz, P3, P4, PO7, and PO8) EEG signals were recorded from eight ALS patients. The EEG data were digitized at 256 Hz, bandpass filtered to 0.1-30 Hz, and then z-normalized for each channel. For each subject, there were 21 characters for training and 14 for testing. Each character corresponds to a set of 12 random intensifications, repeated 20 times. Each intensification lasted 125 ms, followed by a 125 ms blank. In our experiments, 10 repeats were used to output a character during testing.
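The preprocessing described above can be sketched as follows. The function name and the 4th-order Butterworth design are our assumptions (the text does not specify the filter design); the sampling rate, passband, and per-channel z-normalization follow the description:

```python
import numpy as np
from scipy.signal import butter, sosfiltfilt

def preprocess(eeg, fs=256, band=(0.1, 30.0)):
    """Sketch of the stated preprocessing: bandpass to 0.1-30 Hz at
    256 Hz, then z-normalize each channel. The 4th-order Butterworth
    filter is an assumption, not specified in the text.

    eeg: (n_channels, n_samples)
    """
    # Second-order sections are numerically safer than (b, a) form
    # for the very low 0.1 Hz band edge.
    sos = butter(4, band, btype="bandpass", fs=fs, output="sos")
    filtered = sosfiltfilt(sos, eeg, axis=-1)   # zero-phase filtering
    mean = filtered.mean(axis=-1, keepdims=True)
    std = filtered.std(axis=-1, keepdims=True)
    return (filtered - mean) / std              # per-channel z-normalization
```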
We applied the same Riemannian geometry based approach to recognize the presence of P300 potentials. The only difference from the previous study was that eight xDAWN spatial filters were used. As shown in the 'Before attack' panel of Table 3, the victim models performed well without attacks and were also highly robust to Gaussian noise perturbations. However, the 'After attack' panel shows that all user scores and ITRs were reduced, to varying degrees, after adversarial perturbations. For half of the subjects (Subjects 1, 2, 5 and 7), the user scores and ITRs approached zero, i.e., the P300 speller became almost completely useless, indicating a serious security concern of P300 spellers for ALS patients.

We have mentioned that a limitation of the attack approaches is that they require some subject-/model-specific information to construct adversarial perturbation templates. One possible way to alleviate this problem is to enhance the transferability of adversarial perturbations: the attacker can generate adversarial perturbations based on EEG signals gathered by himself/herself, or any model he/she chooses to use, and then utilize them to attack another subject/model. Here, we present some experimental results on the cross-subject and cross-model transferability of our adversarial perturbations (for P300 spellers, the ALS patient dataset was used due to its large number of subjects). We found that adversarial perturbations for SSVEP spellers seem to transfer better than those for P300 spellers.

Cross-subject transferability
We used adversarial perturbations generated from one subject to attack the victim model of another subject. Figure 5 shows the average attacker scores of cross-subject attacks. There was almost no cross-subject transferability of adversarial perturbation templates for the P300 spellers, whereas perturbations for SSVEP spellers can usually successfully attack the victim models of different subjects. Additionally, some subjects were much more robust to transfer attacks, e.g., Subjects 12, 22 and 25 in Figure 5b.
Why adversarial perturbation templates demonstrated poor cross-subject transferability for the P300 spellers will be investigated in more depth in our future research.

Figure 5 Cross-subject transferability of adversarial perturbations. The heatmap shows the average attacker scores when using the adversarial perturbations of one subject to attack another subject. a, attacker scores for the P300 speller. b, attacker scores for the SSVEP speller.

Cross-model transferability
Cross-model transferability requires adversarial perturbations to be able to attack different EEG classification pipelines, which means the attacker does not need access to victim models anymore, implying a more serious threat to the security of BCI spellers. This subsection presents the attack performance of our generated adversarial perturbations on new EEG classification pipelines.
For the P300 spellers, the new classification pipeline consisted of xDAWN filtering and Logistic Regression classification, and the adversarial perturbation templates were again generated from the Riemannian geometry based approach. The 'Before attack' panel of Table 4 shows that the new pipeline had high classification accuracy without attacks, and was also robust to Gaussian noise. The 'After attack' panel shows that the new pipeline could still be manipulated by adversarial perturbation templates constructed from a different pipeline, though not as strongly as in Table 3. Comparing the attack performances in Tables 3 and 4, it seems that an adversarial perturbation template with better attack performance on the model it was generated from may also have better cross-model transferability to another model.

Table 5 shows the baseline performance of FBCCA and the attack performance of adversarial perturbations (generated from CCA) on this model. FBCCA demonstrated promising performance on clean and randomly perturbed EEG signals. However, adversarial perturbations generated from CCA could still manipulate the output characters of FBCCA, verifying that cross-model transferability also exists for the SSVEP spellers.

Table 5 SSVEP speller cross-model attack results. The victim model (FBCCA) was different from the attacker model (CCA), based on which the adversarial perturbations were generated. Before attack: baselines on clean data (without adding any perturbations), Gaussian-noise-perturbed EEG data, and periodic-noise-perturbed EEG data (single/compound). After attack: average user/attacker scores/ITRs of 40 attacker characters in target attacks, and the corresponding SPRs (dB).

The key to transferability is to find the most common patterns shared by different models, so that adversarial perturbations affecting these patterns can attack as many models as possible.
From this point of view, generating adversarial perturbations based on an ensemble of multiple models presents a serious threat to the security of BCIs. We will explore this in our future research. Figure 6 shows how the synchronization time delay affects the attack performance.

Figure 6 User and attacker scores with respect to the synchronization time delay. The curve represents the mean over all attacker characters, and the shadow the standard deviation. a, scores for the P300 speller, where 100 test trials of Subject A were perturbed to be misclassified as each of the 36 attacker characters. b, scores for the SSVEP speller, where 5 × 40 = 200 test trials of Subject 26 were perturbed to be misclassified as each of the 40 attacker characters.