EEG-based models have gained prominence in Ambient, Active & Assisted Living (A3L) systems, particularly for sensitive health applications such as epileptic seizure detection and cognitive state monitoring. Despite the security assurances provided by deploying these models within secure inference modules, we demonstrate a practical and impactful spoofing attack leveraging only hard-label outputs (i.e., the API only returns the predicted class label, such as “seizure” or “no seizure”, without any probability or confidence score). By querying the model with carefully crafted EEG signals, an adversary can reconstruct internal weights, bypass embedded watermarks, and insert subtle yet potentially devastating backdoors that can make the model sabotage itself. We experimentally validate this attack using publicly available EEG datasets, successfully spoofing seizure detection classifiers. Our findings highlight critical vulnerabilities in EEG-based health systems, emphasizing the need for stronger protections in model deployment and Over-The-Air (OTA) updates.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Hard-Label Model Extraction and Backdoor Insertion in EEG-Based A3L Systems

  • Marcos Rodriguez-Vega,
  • Pino Caballero Gil,
  • Wojciech Mazurczyk

摘要

EEG-based models have gained prominence in Ambient, Active & Assisted Living (A3L) systems, particularly for sensitive health applications such as epileptic seizure detection and cognitive state monitoring. Despite the security assurances provided by deploying these models within secure inference modules, we demonstrate a practical and impactful spoofing attack leveraging only hard-label outputs (i.e., the API only returns the predicted class label, such as “seizure” or “no seizure”, without any probability or confidence score). By querying the model with carefully crafted EEG signals, an adversary can reconstruct internal weights, bypass embedded watermarks, and insert subtle yet potentially devastating backdoors that can make the model sabotage itself. We experimentally validate this attack using publicly available EEG datasets, successfully spoofing seizure detection classifiers. Our findings highlight critical vulnerabilities in EEG-based health systems, emphasizing the need for stronger protections in model deployment and Over-The-Air (OTA) updates.