Investigating Membership Inference Attacks against CNN Models for BCI Systems.
Journal:
IEEE journal of biomedical and health informatics
Published Date:
Jul 28, 2025
Abstract
As Deep Learning (DL) algorithms become more widely adopted in healthcare applications, there is a greater emphasis on understanding and addressing potential privacy risks associated with these models. The purpose of this study is to investigate the privacy vulnerabilities of the Convolutional Neural Network (CNN) classifiers for Electroencephalogram (EEG) data in the Brain-Computer Interfaces (BCIs). Specifically, it focuses on the Membership Inference Attack (MIA), which seeks to determine if data from an individual were used in model training. The novelty of this work lies in its empirical analysis of MIA, specifically by addressing two key challenges that are less common in other domains: 1) datasets that are heterogeneous and 2) spatial-temporal design choices. Motivated by these challenges, we investigate the susceptibility to MIA based on: 1) specifics of the training dataset (number of participants, demographics), and 2) specifics of the CNN (such as architecture, regularization). Our experiments revealed that an adversary with limited knowledge of the model and its training process can compromise the privacy of training participants, noting that the same attack is not effective against deep learning models trained on image and tabular datasets. Some of our findings are: 1) training on diverse participant datasets improves the privacy of the most participants but increases risks of memorization and vulnerabilities for underrepresented groups; 2) regularization is less effective in defending against the MIA for EEG data CNN classifiers when compared to other types of input data; 3) depth and width of model architecture has no impact on membership attack effectiveness. We hope that the presented insights will assist future researchers develop more privacy-aware deep learning based BCI systems.
Authors
Keywords
No keywords available for this article.
