Machine learning has achieved great success in electroencephalogram (EEG) based brain-computer interfaces (BCIs). Most existing BCI studies focused on improving the decoding accuracy, with only a few considering the adversarial security. Although many adversarial defense approaches have been proposed in other application domains such as computer vision, previous research showed that their direct extensions to BCIs degrade the classification accuracy on benign samples. This phenomenon greatly affects the applicability of adversarial defense approaches to EEG-based BCIs. To mitigate this problem, we propose alignment-based adversarial training (ABAT), which performs EEG data alignment before adversarial training. Data alignment aligns EEG trials from different domains to reduce their distribution discrepancies, and adversarial training further robustifies the classification boundary. The integration of data alignment and adversarial training can make the trained EEG classifiers simultaneously more accurate and more robust. Experiments on five EEG datasets from two different BCI paradigms (motor imagery classification, and event related potential recognition), three convolutional neural network classifiers (EEGNet, ShallowCNN and DeepCNN) and three different experimental settings (offline within-subject cross-block/-session classification, online cross-session classification, and pre-trained classifiers) demonstrated its effectiveness. It is very intriguing that adversarial attacks, which are usually used to damage BCI systems, can be used in ABAT to simultaneously improve the model accuracy and robustness.

翻译：机器学习在基于脑电图（EEG）的脑机接口（BCI）领域已取得巨大成功。现有大多数BCI研究专注于提升解码精度，仅有少数考虑了对抗安全性。尽管在计算机视觉等其他应用领域已提出多种对抗防御方法，但先前研究表明，将这些方法直接扩展至BCI会降低对良性样本的分类准确率。这一现象极大影响了对抗防御方法在基于EEG的BCI中的适用性。为缓解此问题，我们提出基于对齐的对抗训练（ABAT），该方法在对抗训练前执行EEG数据对齐。数据对齐通过将来自不同域的EEG试次进行对齐以降低其分布差异，而对抗训练则进一步强化分类边界。数据对齐与对抗训练的融合可使训练后的EEG分类器同时具备更高的准确性与更强的鲁棒性。在来自两种不同BCI范式（运动想象分类与事件相关电位识别）的五个EEG数据集、三种卷积神经网络分类器（EEGNet、ShallowCNN与DeepCNN）以及三种不同实验设置（离线被试内跨区块/跨会话分类、在线跨会话分类及预训练分类器）上进行的实验验证了该方法的有效性。尤为引人深思的是，通常用于破坏BCI系统的对抗攻击，在ABAT中竟能同时提升模型的准确性与鲁棒性。