Making Brain-Computer Interfaces More Secure
Summary
This paper proposes a lightweight CNN architecture to improve adversarial robustness in EEG-based brain-computer interfaces, evaluating it against adversarial attacks and showing better classification performance than existing models.
# Making Brain-Computer Interfaces More Secure
Source: [https://arxiv.org/html/2606.02597](https://arxiv.org/html/2606.02597)
###### Abstract
The development of brain–computer interfaces (BCIs) based on electroencephalograms (EEGs) has advanced significantly, mainly due to machine learning. Although the majority of earlier research has focused on increasing classification accuracy, relatively little attention has been paid to security and robustness. According to recent research, EEG-based BCIs are susceptible to adversarial attacks, which can cause misdiagnosis due to minute, well-crafted disturbances. Evaluating model robustness against such perturbations is therefore critical for ensuring reliable deployment. In this study, we propose a lightweight custom Convolutional Neural Network (CNN) architecture to investigate adversarial robustness in EEG-based BCIs. The suggested method is assessed using two EEG datasets and contrasted with three novel CNN models tailored to EEG, namely EEGNet, DeepConvNet, and SleepEEGNet, under gradient-based adversarial attack scenarios. According to experimental findings, the suggested model consistently performs better in classification under adversarial perturbations compared to baseline models, indicating improved robustness. These findings highlight the potential of lightweight architectures for enhancing the reliability of EEG-based BCI systems under adversarial conditions.
## I Introduction
A brain-computer interface (BCI) lets the human brain and external equipment communicate directly, and has been widely explored in fields such as neuroscience, neural engineering, and clinical recovery [[14](https://arxiv.org/html/2606.02597#bib.bib1)]. Because it is inexpensive, noninvasive, and simple to use, electroencephalography (EEG) has become the most popular brain recording method for BCIs [[26](https://arxiv.org/html/2606.02597#bib.bib2)]. The four primary parts of a typical EEG-based BCI architecture are signal acquisition, signal preprocessing, machine learning, and control execution, as shown in Fig. [1](https://arxiv.org/html/2606.02597#S1.F1). Conventional methods at the machine learning stage usually entail manual feature extraction, classification, or regression.
Figure 1: Overview of an EEG-based BCI system.
Brain signal analysis has been widely used in applications such as human behavior analysis [[6](https://arxiv.org/html/2606.02597#bib.bib20), [12](https://arxiv.org/html/2606.02597#bib.bib21)], neuro-assistive systems including seizure prediction [[21](https://arxiv.org/html/2606.02597#bib.bib22), [20](https://arxiv.org/html/2606.02597#bib.bib23), [8](https://arxiv.org/html/2606.02597#bib.bib24)], and, more recently, cybersecurity applications [[11](https://arxiv.org/html/2606.02597#bib.bib25), [13](https://arxiv.org/html/2606.02597#bib.bib26)]. In EEG classification, signal decomposition techniques are among the most frequently applied approaches [[24](https://arxiv.org/html/2606.02597#bib.bib3), [15](https://arxiv.org/html/2606.02597#bib.bib28)]. For example, Sadiq et al. [[10](https://arxiv.org/html/2606.02597#bib.bib4)] introduced a multivariate variational mode decomposition (MVMD) method, while Yu et al. [[27](https://arxiv.org/html/2606.02597#bib.bib5)] used empirical Fourier decomposition (EFD) and its updated form (IEFD) for EEG-based classification tasks. Signal denoising has also been widely recognized as a critical step for enhancing classification accuracy [[22](https://arxiv.org/html/2606.02597#bib.bib6)]. In this context, Sadiq et al. [[23](https://arxiv.org/html/2606.02597#bib.bib7)] proposed the multiscale principal component analysis (MSPCA) technique, which can reduce noise in EEG recordings. More recently, graphical feature-based methods have become a viable avenue for revealing hidden patterns in EEG data [[15](https://arxiv.org/html/2606.02597#bib.bib28), [2](https://arxiv.org/html/2606.02597#bib.bib9)].
Beyond these traditional techniques, deep learning models have demonstrated strong performance by learning hierarchical representations of features automatically, doing away with the requirement for manually created feature extraction [[3](https://arxiv.org/html/2606.02597#bib.bib27), [4](https://arxiv.org/html/2606.02597#bib.bib29)]. However, while prior research has primarily focused on improving classification accuracy, security and resilience have received relatively little attention in EEG-based BCIs. Existing studies often overlook how adversarial perturbations can compromise model reliability, making adversarial resilience an underexplored yet critical area of research.
## II Related Work
### II-A Attack Approaches
Adversarial attacks are categorized according to the level of exposure the attacker has to the target architecture, where black\-box, gray\-box, and white\-box attacks are the three types\. Because they presume total knowledge of the model’s structure and variables, white\-box attacks are thought to be the most effective\. Consequently, evaluating model robustness under white\-box settings provides a strong benchmark for worst\-case vulnerability\. In this study, we concentrate on two popular white\-box attack methods: FGSM and PGD\. Adversarial examples are purposefully distorted inputs intended to deceive machine learning models while remaining nearly indistinguishable from the original data\.
#### II-A1 Fast Gradient Sign Method (FGSM)
An attack method called FGSM uses gradient information to create adversarial instances [[9](https://arxiv.org/html/2606.02597#bib.bib10)]. It creates adversarial samples by optimizing the model's loss function in a single step. Specifically, a small perturbation $\epsilon$ is applied in the direction of the gradient, producing an adversarial example as follows:
$$x_{adv} = x + \epsilon \cdot \text{sign}(\nabla_{x} J(\theta, x, y)), \quad (1)$$
where $J(\theta, x, y)$ is the loss function, $x$ is the initial input, and $\theta$ stands for the model parameters. The $\text{sign}(\cdot)$ function ensures that the perturbation follows the gradient direction.
For EEG-based BCI regression, Meng et al. [[18](https://arxiv.org/html/2606.02597#bib.bib17)] presented one of the first studies on adversarial attacks, introducing white-box targeted attack strategies that effectively alter regression outputs. Zhang et al. [[28](https://arxiv.org/html/2606.02597#bib.bib11)] proposed an unsupervised variant, termed Unsupervised FGSM (UFGSM), which replaces true labels with predicted labels for EEG-based BCIs. Their results demonstrate that such attacks are both effective and transferable across models, highlighting critical security concerns.
To jointly perform classification and adversarial discrimination, Aissa et al. [[1](https://arxiv.org/html/2606.02597#bib.bib18)] suggested using adversarial training for a hierarchical neural network. Evaluated under FGSM attacks on the BCI Competition IV-2a dataset, the method achieved 99.92% accuracy and a 0.9985 Cohen's Kappa score, demonstrating strong robustness.
#### II-A2 Projected Gradient Descent (PGD)
PGD is an iterative extension of FGSM\[[17](https://arxiv.org/html/2606.02597#bib.bib12)\], which performs multiple small update steps while constraining the perturbation within a predefined range\. It begins with a random initialization near the original input and then iteratively refines the adversarial example:
$$x_{adv}^{0} = x + \xi, \quad (2)$$
$$x_{adv}^{i} = \text{Proj}_{x,\epsilon}\big(x_{adv}^{i-1} + \alpha \cdot \text{sign}(\nabla_{x_{adv}^{i-1}} J(\theta, x_{adv}^{i-1}, y))\big), \quad (3)$$
where $\xi \in U(-\epsilon, \epsilon)$ denotes random noise, $\alpha$ is the step size, $i = 1, 2, \ldots, n_{iter}$, and $\text{Proj}_{x,\epsilon}$ projects the adversarial sample onto the $\epsilon$-bounded neighborhood of the original input under the $l_{\infty}$ norm.
Feng et al. [[7](https://arxiv.org/html/2606.02597#bib.bib19)] introduced SAGA, a framework for EEG analytics that perturbs only a small subset of channels and time steps using an adaptive mask combined with a PGD-based solver; this is also called a sparse adversarial attack. Experimental results show that SAGA can cause an average accuracy drop of 77.02% by modifying only 5% of the data, highlighting the significant vulnerability of EEG-based BCI systems.
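The following is an added example, not code from the paper: a NumPy implementation of Eqs. (1) to (3) used as a robustness check at the perturbation strengths the paper evaluates (0.1, 0.3, 0.5). The softmax-linear classifier, the constructed four-class data in [0, 1], the clipping to the valid input range, and the PGD settings `alpha = eps / 4` and `n_iter = 10` are assumptions standing in for the paper's CNN, its spectrograms and its unstated attack hyperparameters.

```python
import numpy as np


class LinearSoftmax:
    """Stand-in classifier (assumption, not the paper's CNN): logits = x @ W + b."""

    def __init__(self, n_features, n_classes):
        self.W = np.zeros((n_features, n_classes))
        self.b = np.zeros(n_classes)

    def logits(self, x):
        return x @ self.W + self.b

    def predict_proba(self, x):
        z = self.logits(x)
        e = np.exp(z - z.max(axis=1, keepdims=True))
        return e / e.sum(axis=1, keepdims=True)

    def loss(self, x, y):
        """Per-sample cross-entropy J(theta, x, y), via a stable log-sum-exp."""
        z = self.logits(x)
        zmax = z.max(axis=1)
        lse = zmax + np.log(np.exp(z - zmax[:, None]).sum(axis=1))
        return lse - z[np.arange(len(y)), y]

    def input_grad(self, x, y):
        """Analytic gradient of J w.r.t. the input: (p - onehot(y)) @ W^T."""
        p = self.predict_proba(x)
        p[np.arange(len(y)), y] -= 1.0
        return p @ self.W.T

    def fit(self, x, y, lr=0.5, epochs=300):
        onehot = np.eye(self.b.size)[y]
        for _ in range(epochs):
            err = self.predict_proba(x) - onehot
            self.W -= lr * (x.T @ err) / len(x)
            self.b -= lr * err.mean(axis=0)
        return self


def fgsm(model, x, y, eps, lo=0.0, hi=1.0):
    """Eq. (1): one signed-gradient step of size eps, kept in the valid input range."""
    x_adv = x + eps * np.sign(model.input_grad(x, y))
    return np.clip(x_adv, lo, hi)


def pgd(model, x, y, eps, alpha, n_iter, rng, lo=0.0, hi=1.0):
    """Eqs. (2)-(3): random start in U(-eps, eps), then projected signed steps."""
    x_adv = np.clip(x + rng.uniform(-eps, eps, size=x.shape), lo, hi)
    for _ in range(n_iter):
        step = x_adv + alpha * np.sign(model.input_grad(x_adv, y))
        x_adv = np.clip(step, x - eps, x + eps)   # Proj onto the l_inf ball around x
        x_adv = np.clip(x_adv, lo, hi)            # stay a valid normalized input
    return x_adv


def make_data(rng, n_per_class=100, n_features=16, n_classes=4):
    """Constructed 4-class data in [0, 1]; a toy stand-in for normalized spectrograms."""
    centers = rng.uniform(0.3, 0.7, size=(n_classes, n_features))
    y = np.repeat(np.arange(n_classes), n_per_class)
    x = centers[y] + rng.normal(0.0, 0.05, size=(len(y), n_features))
    return np.clip(x, 0.0, 1.0), y


def accuracy(model, x, y):
    return float((model.predict_proba(x).argmax(axis=1) == y).mean())


def robustness_report(seed=0, eps_values=(0.1, 0.3, 0.5)):
    """Clean vs. adversarial accuracy on a 90/10 split, per perturbation strength."""
    rng = np.random.default_rng(seed)
    x, y = make_data(rng)
    idx = rng.permutation(len(y))
    cut = int(0.9 * len(y))
    tr, te = idx[:cut], idx[cut:]
    model = LinearSoftmax(x.shape[1], 4).fit(x[tr], y[tr])
    report = {"clean": accuracy(model, x[te], y[te])}
    for eps in eps_values:
        x_f = fgsm(model, x[te], y[te], eps)
        x_p = pgd(model, x[te], y[te], eps, alpha=eps / 4, n_iter=10, rng=rng)
        report[eps] = {
            "fgsm_acc": accuracy(model, x_f, y[te]),
            "pgd_acc": accuracy(model, x_p, y[te]),
            "fgsm_linf": float(np.abs(x_f - x[te]).max()),
            "pgd_linf": float(np.abs(x_p - x[te]).max()),
        }
    return report


if __name__ == "__main__":
    for key, row in robustness_report().items():
        print(key, row)
```

On this linear stand-in the loss is convex in the input, so an FGSM step can never lower a sample's loss; that guarantee does not carry over to a CNN, which is why the iterative PGD check is worth running alongside it.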
## III Methodology
### III-A Basic Idea
The overall workflow of this study follows a structured pipeline consisting of data preprocessing, fold-wise model training, ensemble integration, and robustness evaluation. We consider white-box, untargeted adversarial attack scenarios, where the model parameters are fully accessible to the attacker, who aims to induce misclassification without specifying a target class. FGSM and PGD are employed under this setting to evaluate worst-case robustness. Figure [2](https://arxiv.org/html/2606.02597#S3.F2) presents a high-level depiction of the proposed framework.
Figure 2: The process of preprocessing EEG signals and generating time-frequency representations to develop the proposed lightweight CNN architecture.
Every EEG spectrogram image is normalized to the range [0, 1] and scaled to a fixed resolution of 224 × 224 pixels. To ensure reliable performance estimation, we use stratified $K$-fold cross-validation ($K = 10$), where the dataset $\mathcal{D}$ is partitioned into $K$ mutually exclusive subsets $\{\mathcal{D}_1, \mathcal{D}_2, \dots, \mathcal{D}_K\}$. For each fold $k$, a model $f_k(\cdot; \theta_k)$ is trained on $\mathcal{D} \setminus \mathcal{D}_k$ and evaluated on $\mathcal{D}_k$.
The categorical cross\-entropy loss is optimized by the training procedure:
$$\mathcal{L} = -\frac{1}{N}\sum_{i=1}^{N}\sum_{c=1}^{C} y_{i,c}\log\hat{y}_{i,c}, \quad (4)$$
where $\hat{y}_{i,c}$ is the predicted probability, $y_{i,c}$ is the ground-truth label for class $c$, $N$ is the number of samples, and $C = 4$ is the number of categories. The Adam optimizer is used for optimization, with an initial learning rate of $1 \times 10^{-4}$, early stopping, and learning rate scheduling to avoid overfitting.
Upon completion of fold-wise training, the $K$ models are integrated into an ensemble framework. Let $\hat{y}^{(k)}$ denote the class-probability output of model $f_k$. The final ensemble prediction is obtained via average fusion:
$$\hat{y} = \frac{1}{K}\sum_{k=1}^{K}\hat{y}^{(k)}. \quad (5)$$
The ensemble is then evaluated as a unified model.
To assess robustness, both individual models and the ensemble are evaluated on clean and adversarially perturbed test sets\. Accuracy, precision, recall, F1\-score, confusion matrices, and ROC\-AUC are used to evaluate performance\. Results are reported per fold and averaged across folds, with standard deviation included to quantify stability\. Training histories \(loss and accuracy curves\) are also analyzed to ensure consistent convergence across all folds\.
### III-B Proposed CNN Architecture
Throughout all experiments, we employ a lightweight Convolutional Neural Network (CNN) designed to balance classification performance and computational efficiency. The network takes spectrogram images of size $224 \times 224 \times 3$ as input and processes them through a sequence of convolutional and pooling operations.
The first two convolutional blocks use $3 \times 3$ filters with 8 and 16 channels, respectively; ReLU activation and batch normalization are then applied to improve feature extraction and stabilize training. A max-pooling layer reduces spatial resolution, enabling the model to capture higher-level patterns while controlling parameter growth. A subsequent convolutional layer with 32 filters, accompanied by batch normalization, extracts more discriminative features, after which average pooling further compresses the learned representations.
To reduce overfitting, the resultant feature maps are flattened into a one\-dimensional vector and regularized with a dropout layer at a rate of 0\.25\. In the final stage, a fully connected dense layer consisting of four output neurons applies a softmax activation function to generate class probabilities\.
Our proposed lightweight CNN is well\-suited for adversarial settings due to its reduced parameter complexity and controlled feature extraction process, which can help limit overfitting to high\-frequency or noise\-like patterns often exploited by adversarial perturbations\. Compared to deeper architectures such as DeepConvNet and specialized models like EEGNet and SleepEEGNet, the proposed model offers a balanced trade\-off between generalization, computational efficiency, and robustness under adversarial conditions\. A summary of the architecture is illustrated in Fig\.[2](https://arxiv.org/html/2606.02597#S3.F2)\.
## IV Experimental Setup
### IV-A Datasets
Two EEG datasets are used in this study: a private dataset and a benchmark dataset that is accessible to the public\. This combination enables evaluation across both standard motor imagery tasks \(MI4\) and clinically relevant EEG signals \(rTMS dataset\)\. As a result, the proposed approach is assessed under both controlled experimental conditions and real\-world medical scenarios, enhancing the practical relevance and generalizability of the findings\. A description of these datasets and their preparation methods is given below\.
#### IV-A1 Four-Class Motor Imagery Dataset (MI4)
The MI4 dataset [[25](https://arxiv.org/html/2606.02597#bib.bib13)], also known as Dataset 2a from BCI Competition IV, was gathered from nine participants over the course of two sessions on separate days. The left hand, right hand, foot, and tongue are its four motor imagery labels. 22 channels of EEG waves were captured at a 250 Hz sampling rate. For analysis, tests were band-pass filtered between 8 and 32 Hz after data from 0 to 4 seconds following each imagining trigger were removed. For each lesson, each participant provided 144 EEG epochs.
#### IV-A2 rTMS Therapy EEG Dataset
The rTMS dataset was collected from 15 individuals at Atieh Hospital, Tehran, Iran, diagnosed with depression and undergoing rTMS treatment prescribed by clinical specialists\. Treatment outcomes were evaluated using Beck Depression Inventory \(BDI\) scores measured before and four weeks after therapy\. Patients were labeled as responders \(R\) if their BDI scores decreased by at least 50%, and non\-responders \(NR\) otherwise, with classifications verified by clinicians\.
EEG recordings were obtained using the standard 10\-20 electrode system with 19 scalp channels, sampled at 500 Hz\. Signals were segmented into fixed\-length windows of 1024 samples \(approximately 2\.05 seconds\) for consistency\. The A1\-A2 reference channel pair was excluded from this dataset\. Although the dataset size is relatively limited, to improve the reliability and stability of the results, stratified cross\-validation and repeated experiments are employed\.
### IV-B CNN Models for EEG Classification
Alongside our proposed lightweight custom CNN, the following three convolutional neural network models, which are commonly used for EEG signals, are used in this experiment:
#### IV-B1 EEGNet
A small convolutional neural network called EEGNet\[[16](https://arxiv.org/html/2606.02597#bib.bib14)\]was created especially for EEG\-based brain–computer interactions\. It is appropriate for limited data sets and real\-time applications because it effectively extracts both temporal and spatial characteristics from EEG signals using depthwise and separable convolutions\.
#### IV-B2 DeepConvNet
DeepConvNet\[[5](https://arxiv.org/html/2606.02597#bib.bib16)\]is a deeper CNN architecture for EEG decoding\. It combines multiple convolutional and pooling layers to hierarchically acquire spatial and temporal representations from unprocessed EEG data\. Its deeper structure enables it to capture complex patterns, but it typically requires more data and computational resources\.
#### IV-B3 SleepEEGNet
SleepEEGNet\[[19](https://arxiv.org/html/2606.02597#bib.bib15)\]is a lightweight CNN tailored for automatic sleep stage classification\. The network employs multiple temporal convolutional layers followed by spatial filtering to maintain a modest model size for practical application while extracting biased features from multi\-channel EEG data\.
### IV-C Experimental Setup
A within-subject experimental design is adopted, where 10% of each participant's EEG data is used for testing and 90% is used for training. Since smaller datasets tend to overfit easily, early stopping with a patience of six epochs is used to avoid overfitting. Model performance is evaluated using both average classification accuracy and balanced accuracy across all subjects. The CNN models are trained using the categorical cross-entropy loss function in combination with the Adam optimizer. To ensure reproducibility, every experiment is conducted 10 times, and the average outcomes are presented.
For adversarial evaluation, perturbation strengths ($\epsilon$) of 0.1, 0.3, and 0.5 are applied across all selected attack methods. FGSM attacks are performed under the $l_{\infty}$-norm constraint. The baseline experiment involves classification on clean datasets using four models under identical training settings to ensure fair comparison. With a batch size of 32 and a starting learning rate of $1 \times 10^{-4}$, training is carried out for 100 epochs, with dynamic learning rate scheduling applied. All implementations are carried out using TensorFlow 2.14 with Python 3.10.
## V Results
Table[I](https://arxiv.org/html/2606.02597#S5.T1)presents the classification performance of four CNN models under FGSM adversarial attacks\. The baseline accuracies indicate that the proposed CNN achieves higher performance \(88\.21%\) compared to EEGNet \(42\.35%\), DeepConvNet \(47\.66%\), and SleepEEGNet \(24\.91%\)\. After applying FGSM perturbations, accuracy drops significantly across all models; however, the proposed CNN maintains a substantially higher accuracy \(73\.02%\) relative to the other networks, which fall below 7%\.
TABLE I: Performance of Models under FGSM Attack

| Models | Baseline Acc | After Attack Acc | $\epsilon$ = 0.1 | $\epsilon$ = 0.3 | $\epsilon$ = 0.5 | Avg Kappa | Avg Accuracy |
| --- | --- | --- | --- | --- | --- | --- | --- |
| SleepEEGNet | 24.91 | 1.36 | 44.66 | 25.95 | 24.02 | 32.09 | 31.54 |
| EEGNet | 42.35 | 5.27 | 50.76 | 34.43 | 31.38 | 36.66 | 38.85 |
| DeepConvNet | 47.66 | 6.17 | 99.44 | 95.18 | 90.51 | 93.39 | 95.04 |
| Proposed CNN | 88.21 | 73.02 | 100.00 | 99.99 | 99.94 | 99.96 | 99.97 |

When varying perturbation strengths ($\epsilon = 0.1, 0.3, 0.5$), DeepConvNet and the proposed CNN demonstrate consistently high robustness, maintaining accuracies above 90% across all cases. In contrast, EEGNet and SleepEEGNet show moderate performance at lower perturbation levels, reaching 50.76% and 44.66%, respectively, but degrade more noticeably as $\epsilon$ increases. The average Cohen's Kappa further supports this trend, with the proposed CNN (99.96) and DeepConvNet (93.39) outperforming EEGNet (36.66) and SleepEEGNet (32.09).
Figure [3](https://arxiv.org/html/2606.02597#S5.F3) illustrates the impact of FGSM adversarial perturbations at varying strengths on model accuracy, showing that the proposed CNN maintains comparatively higher robustness across different attack intensities. Figure [4](https://arxiv.org/html/2606.02597#S5.F4) also shows, as confusion matrices, how the proposed CNN's classifications differ before and after the FGSM attack.
Figure 3: Accuracy of different CNN models under FGSM attacks with varying perturbation strengths ($\epsilon$).
Figure 4: Confusion matrices of the proposed CNN before and after applying FGSM attack.
While the proposed CNN achieves very high performance under adversarial conditions, we acknowledge that such results may appear unusually strong. This behavior can be attributed to the combination of (i) spectrogram-based representations that enhance discriminative patterns, (ii) consistent training settings across all models, and (iii) the use of ensemble averaging, which improves stability and reduces variance across folds. Importantly, all baseline models (EEGNet, DeepConvNet, SleepEEGNet) are trained under identical preprocessing, training schedules, and evaluation protocols to ensure a fair comparison. The observed performance differences therefore reflect variations in architectural behavior under adversarial perturbations rather than inconsistencies in training.
Overall, these results indicate that while FGSM attacks significantly degrade performance in standard EEG\-specific networks, the proposed lightweight CNN demonstrates improved resilience under adversarial perturbations and consistently outperforms the baseline models\. These results demonstrate how reliable and computationally viable designs may improve the dependability of EEG\-based BCI systems in practical applications including healthcare diagnosis, assistive technologies, and neurorehabilitation\.
## VI Conclusion
In this work, we adapted adversarial evaluation techniques originally developed for computer vision to EEG-based brain-computer interfaces (BCIs). Using the suggested lightweight CNN and three cutting-edge EEG-based CNN models, we assessed model performance under gradient-based white-box attacks, such as FGSM, on two EEG datasets. The results demonstrate that classification models can maintain varying levels of robustness under adversarial perturbations, with some architectures being more resilient than others.
Notably, the suggested lightweight CNN achieves consistently high performance under adversarial conditions, reaching an average accuracy of 99\.97%\. This suggests that appropriately designed lightweight architectures can improve robustness while maintaining computational efficiency\. However, these results should be interpreted within the context of the selected datasets and experimental setup\.
Future work will focus on the following directions:
1. Exploring additional robustness evaluation metrics to capture diverse characteristics of adversarial perturbations and provide deeper insights into model behavior.
2. Designing and integrating complementary feature representations to improve model generalization under adversarial conditions.
3. Assessing the model's resilience to a greater variety of attack techniques, such as transfer-based and black-box attacks.
4. Investigating dedicated defense mechanisms, such as adversarial training and input preprocessing, to further enhance system reliability.
## References
- [1] N. E. H. S. B. Aissa, A. Lakas, A. Korichi, C. A. Kerrache, and A. N. Belkacem (2023) Robust detection of adversarial attacks for eeg-based motor imagery classification using hierarchical deep learning. In 2023 15th International Conference on Innovations in Information Technology (IIT), pp. 156–161.
- [2] H. Akbari, M. T. Sadiq, N. Jafari, J. Too, N. Mikaeilvand, A. Cicone, and S. Serra-Capizzano (2023) Recognizing seizure using poincaré plot of eeg signals and graphical features in dwt domain. Bratislava Medical Journal/Bratislavske Lekarske Listy 124(1), pp. 12–24.
- [3] M. F. K. Chowdhury, M. D. Chando, and S. M. Shawon (2022) Development of a smart system for neonatal jaundice detection using cnn algorithm.
- [4] M. F. K. Chowdhury and J. Ferdous (2025) Brain tumor classification in mri images: a computationally efficient convolutional neural network. In 2025 IEEE International Conference on Biomedical Engineering, Computer and Information Technology for Health (BECITHCON).
- [5] X. Ding and Q. He (2017) Energy-fluctuated multiscale feature learning with deep convnet for intelligent spindle bearing fault diagnosis. IEEE Transactions on Instrumentation and Measurement 66(8), pp. 1926–1935.
- [6] S. Essahraui, I. Lamaakal, Y. Maleh, K. El Makkaoui, M. F. Bouami, I. Ouahbi, A. A. Abd El-Latif, M. Almousa, and J. J. Rodrigues (2025) Human behavior analysis: a comprehensive survey on techniques, applications, challenges, and future directions. IEEE Access.
- [7] B. Feng, Y. Wang, and Y. Ding (2021) Saga: sparse adversarial attack on eeg-based brain computer interface. In ICASSP 2021-2021 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), pp. 975–979.
- [8] P. Ghane and G. Hossain (2020) Learning patterns in imaginary vowels for an intelligent brain computer interface (bci) design. arXiv preprint arXiv:2010.12066.
- [9] I. J. Goodfellow, J. Shlens, and C. Szegedy (2014) Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572.
- [10] G. Han, B. Lin, and Z. Xu (2017) Electrocardiogram signal denoising based on empirical mode decomposition technique: an overview. Journal of Instrumentation 12(03), pp. P03010–P03010.
- [11] G. Hossain, H. Khan, and M. I. Hossain. Cognitive consistency analysis in adaptive bio-metric authentication system design.
- [12] G. Hossain, M. H. Myers, and R. Kozma (2018) Spatial directionality found in frontal-parietal attentional networks. Neuroscience journal 2018(1), pp. 7879895.
- [13] G. Hossain, P. Palaniswamy, and R. Challoo (2016) Pattern of success vs. pattern of failure: adaptive authentication through kolmogorov–smirnov (ks) statistics. (IJARAI) International Journal of Advanced Research in Artificial Intelligence.
- [14] M. Ienca, P. Haselager, and E. J. Emanuel (2018) Brain leaks and consumer neurotechnology. Nature biotechnology 36(9), pp. 805–810.
- [15] W. Korani, M. F. K. Chowdhury, S. AlQadi, P. M. Kumar, R. Rostami, and R. Kazemi (2026) Predicting the outcome of rtms depression therapy using eeg signals and cnn. In Recent Trends in Image Processing and Pattern Recognition.
- [16] V. J. Lawhern, A. J. Solon, N. R. Waytowich, S. M. Gordon, C. P. Hung, and B. J. Lance (2018) EEGNet: a compact convolutional neural network for eeg-based brain–computer interfaces. Journal of neural engineering 15(5), pp. 056013.
- [17] A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu (2017) Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083.
- [18] L. Meng, C. Lin, T. Jung, and D. Wu (2019) White-box target attack for eeg-based bci regression problems. In International conference on neural information processing, pp. 476–488.
- [19] S. Mousavi, F. Afghah, and U. R. Acharya (2019) SleepEEGNet: automated sleep stage scoring with sequence to sequence deep learning approach. PloS one 14(5), pp. e0216456.
- [20] M. H. Myers and G. Hossain (2022) Dual eeg alignment between participants during shared intentionality experiments. Brain Research 1790, pp. 147986.
- [21] M. H. Myers, A. Padmanabha, G. Hossain, A. L. de Jongh Curry, and C. D. Blaha (2016) Seizure prediction and detection via phase and amplitude lock values. Frontiers in human neuroscience 10, pp. 80.
- [22] M. T. Sadiq, H. Akbari, S. Siuly, Y. Li, and P. Wen (2022) Alcoholic eeg signals recognition based on phase space dynamic and geometrical features. Chaos, solitons & fractals 158, pp. 112036.
- [23] M. T. Sadiq, X. Yu, Z. Yuan, and M. Z. Aziz (2020) Motor imagery bci classification based on novel two-dimensional modelling in empirical wavelet transform. Electronics Letters 56(25), pp. 1367–1369.
- [24] M. T. Sadiq, X. Yu, Z. Yuan, F. Zeming, A. U. Rehman, I. Ullah, G. Li, and G. Xiao (2019) Motor imagery eeg signals decoding by multivariate empirical wavelet transform-based framework for robust brain–computer interfaces. IEEE access 7, pp. 171431–171451.
- [25] M. Tangermann, K. Müller, A. Aertsen, N. Birbaumer, C. Braun, C. Brunner, R. Leeb, C. Mehring, K. J. Miller, G. R. Müller-Putz, et al. (2012) Review of the bci competition iv. Frontiers in neuroscience 6, pp. 55.
- [26] K. Värbu, N. Muhammad, and Y. Muhammad (2022) Past, present, and future of eeg-based bci applications. Sensors 22(9), pp. 3331.
- [27] X. Yu, M. Z. Aziz, M. T. Sadiq, Z. Fan, and G. Xiao (2021) A new framework for automatic detection of motor and mental imagery eeg signals for robust bci systems. IEEE Transactions on Instrumentation and Measurement 70, pp. 1–12.
- [28] X. Zhang and D. Wu (2019) On the vulnerability of cnn classifiers in eeg-based bcis. IEEE transactions on neural systems and rehabilitation engineering 27(5), pp. 814–825.