Keyboards and mouses, and recently also touchscreens, are the most popular means that a user sends commands to a computer. However, they convey little information about the psychological state of the user, e.g., cognitions, motivations and emotions, which are also very important in the development of ‘smart’ technology . For example, on emotions, Marvin Minsky, a pioneer in artificial intelligence, pointed out early in the 1980s that  “the question is not whether intelligent machines can have any emotions, but whether machines can be intelligent without emotions.”
Physiological computing  is “the use of human physiological data as system inputs in real time.” It opens up bandwidth within human-computer interaction by enabling an additional channel of communication from the user to the computer , which is necessary in adaptive and collaborative human-computer symbiosis.
Common physiological data in physiological computing include the electroencephalogram (EEG), electrocorticogram (ECoG), electrocardiogram (ECG), electrooculogram (EOG), electromyogram (EMG), eye movement, blood pressure (BP), electrodermal activity (EDA), respiration (RSP), skin temperature, etc., which are recordings or measures produced by the physiological process of human beings. Their typical measurement locations are shown in Fig. 1. These signals have been widely studied in the literature in various applications, including and beyond physiological computing, as shown in Table I.
|Electro-encephalogram||EEG OR Electroencephalogram OR Electroencephalography||139,000|
|Electrocardiogram||ECG OR EKG OR Electrocardiogram||96,000|
|Electromyogram||EMG OR Electromyogram||41,900|
|Electrocorticogram||ECoG OR Electrocorticogram OR Electrocorticography||4,100|
|Electrooculogram||EOG OR Electrooculogram||2,540|
|Blood Pressure||Blood Pressure||19,300|
|Heart Rate Variability||HRV OR Heart Rate Variability||18,900|
|Electrodermal Activity||EDA OR GSR OR EDR OR Electrodermal OR Galvanic Skin Response||17,800|
|Eye Movement||Eye Movement OR Eye Tracking||16,200|
|Oxygen Saturation||SpO2 OR Oxygen Saturation OR Blood Oxygen||13,700|
|Skin Temperature||Skin Temperature||5,250|
|Photo-plethysmogram||PPG OR Photoplethysmogram||4,900|
|Pulse Rate||Pulse Rate||3,210|
Physiological signals are usually single-channel or multi-channel time series, as shown in Fig. 2. In many clinical applications, the recording may last hours, days, or even longer. For example, long-term video-EEG monitoring for seizure diagnostics may need 24 hours, and ECG monitoring in intensive care units (ICUs) may last days or weeks. Wearable ECG monitoring devices, e.g., iRythm Zio Patch, AliveCor KardiaMobile, Apple Watch, and Huawei Band, are being used by millions of users. A huge amount of physiological signals are collected during these processes. Manually labelling them is very labor-intensive, and even impossible for wearable devices, given the huge number of users.
Machine learning 70], e.g., EEGNet , DeepCNN , ShallowCNN  and TIDNet  for EEG classification, SeizureNet for EEG-based seizure recognition , CNN for ECG rhythm classification , ECGNet for ECG-based mental stress monitoring , and so on.
However, recent research has shown that both traditional machine learning and deep learning models are vulnerable to various types of attacks [78, 27, 68, 57]. For example, Chen et al.  created a backdoor in the target model by injecting poisoning samples, which contain an ordinary sunglass, into the training set, so that all test images with the sunglass would be classified into a target class. Eykholt et al.  stuck a carefully crafted graffiti to road signs, and caused the model to classify ‘Stop’ as ‘Speed limit 40’. Finlayson et al. [24, 23] successfully performed adversarial attacks to deep learning classifiers across three clinical domains (fundoscopy, chest X-ray, and dermoscopy). Rahman et al.  performed adversarial attacks to six COVID-19 related applications, including recognizing whether a subject is wearing a mask, maintaining deep learning based QR codes as immunization certificates, recognizing COVID-19 from CT scan or X-ray images, etc. Ma et al.  showed that medical deep learning models can be more vulnerable to adversarial attacks than models for natural images, but surprisingly and fortunately, medical adversarial attacks may also be easily detected. Kaissis et al.  pointed out that various other attacks, in addition to adversarial attacks, also exist in medical imaging, and called for secure, privacy-preserving and federated machine learning to cope with them.
Machine learning models in physiological computing are not exempt from adversarial attacks [90, 43, 42]. However, to the best of our knowledge, there does not exist a systematic review on adversarial attacks in physiological computing. This paper fills this gap, by comprehensively reviewing different types of adversarial attacks, their applications in physiological computing, and possible defense strategies. It will be very important to the security of physiological computing systems in real-world applications.
We need to emphasize that this paper focuses on the emerging adversarial attacks and defenses. For other types of attacks and defenses, e.g., cybersecurity, the readers can refer to, e.g., .
The remainder of this paper is organized as follows: Section II introduces five relevant research areas in physiological computing. Section III introduces different categorizations of adversarial attacks. Section IV describes various adversarial attacks to physiological computing systems. Section V introduces different approaches to defend against adversarial attacks, and their applications in physiological computing. Finally, Section VI draws conclusions and points some future research directions.
Ii Physiological Computing
Physiological computing includes, or significantly overlaps with, brain-computer interfaces (BCIs), affective computing, adaptive automation, health informatics, and physiological signal based biometrics.
The flowchart of a closed-loop EEG-based BCI system is shown in Fig. 3
. After EEG signal acquisition, signal processing, usually including both temporal filtering and spatial filtering, is used to enhance the signal-to-noise ratio. Machine learning is next performed to understand what the EEG signal means, based on which a control command may be sent to an external device.
EEG-based BCI spellers may be the only non-muscular communication devices for Amyotrophic Lateral Sclerosis (ALS) patients to express their opinions . In seizure treatment, responsive neurostimulation (RNS) [26, 31] recognizes ECoG or intracranial EEG patterns prior to ictal onset, and delivers a high-frequency stimulation impulse to stop the seizure, improving the patients’ quality-of-life.
Ii-B Affective Computing
Affective computing is “computing that relates to, arises from, or deliberately influences emotion or other affective phenomena” .
In bio-feedback based relaxation training , EDA can be used to detect the user’s affective state, based on which a relaxation training application can provide the user with explicit feedback to learn how to change his/her physiological activity to improve health and performance. In software adaptation 
, the graphical interface, difficulty level, sound effects and/or content are automatically adapted based on the user’s real-time emotion estimated from various physiological signals, to keep the user more engaged.
Ii-C Adaptive Automation
Adaptive automation keeps the task workload demand within appropriate levels to avoid both underload and overload, hence to enhance the overall performance and safety of the human-machine system .
In air traffic management , an operator’s EEG signal can be used to estimate the mental workload, and trigger specific adaptive automation solutions. This can significantly reduce the operator’s workload during high-demanding conditions, and increase the task execution performance. A study  also showed that pupil diameter and fixation time, measured from an eye-tracking device, can be indicators of mental workload, and hence be used to trigger adaptive automation.
Ii-D Health Informatics
Health informatics studies information and communication processes and systems in healthcare .
A single-lead short ECG recording (9-60 s), collected from the AliveCor personal ECG monitor, can be used by a convolutional neural network (CNN) to classify normal sinus rhythm, atrial fibrillation, an alternative rhythm, or noise, with an average test accuracy of 88% on the first three classes. A very recent study  also showed that heart rate data from consumer smart watches, e.g., Apple, Fitbits and Garmin devices, can be used for pre-symptomatic detection of COVID-19, sometimes nine or more days earlier.
Ii-E Physiological Signal Based Biometrics
Physiological signal based biometrics  use physiological signals for biometric applications, e.g., digitally identify a person to grant access to systems, devices or data.
Iii Adversarial Attacks
Iii-a Targeted and Non-targeted Attacks
According to the outcome, there are two types of adversarial attacks : targeted attacks and non-targeted (indiscriminate) attacks.
Targeted attacks force a model to classify certain examples, or a certain region of the feature space, into a specific (usually wrong) class. Non-targeted attacks force a model to misclassify certain examples or feature space regions, but do not specify which class they should be misclassified into.
For example, in a 3-class classification problem, assume the class labels are , and . Then, a targeted attack may force the input to be classified into Class , no matter what its true class is. A non-targeted attack forces an input from Class to be classified into Class or , but does not specify it must be or ; as long as it is not , then the non-targeted attack is successful.
Iii-B White-Box, Black-Box and Gray-Box Attacks
According to how much the attacker knows about the target model, there can be three types of attacks :
White-box attacks, in which the attacker knows everything about the target model, including its architecture and parameters. This is the easiest attack scenario and could cause the maximum damage. It may correspond to the case that the attacker is an insider, or the model designer is evaluating the worst-case scenario when the model is under attack. Popular attack approaches include L-BFGS , DeepFool , the C&W method , the fast gradient sign method (FGSM) , the basic iterative method (BIM) , etc.
Black-box attacks, in which the attacker knows neither the architecture nor the parameters of the target model, but can supply inputs to the model and observe its outputs. This is the most realistic and also the most challenging attack scenario. One example is that the attacker purchases a commercial BCI system and tries to attack it. Black-box attacks are possible, due to the transferability of adversarial examples , i.e., an adversarial example generated from one machine learning model may be used to fool another machine learning model at a high success rate, if the two models solve the same task. So, in black-box attacks , the attacker can query the target model many times to construct a training set, train a substitute machine learning model from it, and then generate adversarial examples from the substitute model to attack the original target model.
Gray-box attacks, which assume the attacker knows a limited amount of information about the target model, e.g., (part of) the training data that the target model is tuned on. They are frequently used in data poisoning attacks, as introduced in the next subsection.
Table II compares the main characteristics of the three attack types.
|Target model information||White-Box||Gray-Box||Black-Box|
|Know its architecture|
|Know its parameters|
|Know its training data|
|Can observe its response|
Iii-C Poisoning and Evasion Attacks
According to the stage that the adversarial attack is performed, there are two types of attacks: poisoning attacks and evasion attacks.
Poisoning attacks  happen at the training stage, to create backdoors in the machine learning model by adding contaminated examples to the training set. They are usually white-box or gray-box attacks, achieved by data injection, i.e., adding adversarial examples to the training set , or data modification, i.e., poisoning the training data by modifying their features or labels .
Iv Adversarial Attacks in Physiological Computing
Most adversarial attack studies considered computer vision applications, where the inputs are 2D images. Physiological signals are continuous time series, which are quite different from images. There are relatively few adversarial attack studies on time series, and even fewer on physiological signals. A summary of them is shown in Table III.
Iv-a Adversarial Attacks in BCIs
Attacking the machine learning models in BCIs could cause serious damages, ranging from user frustration to serious injuries. For example, in seizure treatment, attacks to RNS’s  seizure recognition algorithm may quickly drain its battery or make it completely ineffective, and hence significantly reduces the patient’s quality-of-life. Adversarial attacks to an EEG-based BCI speller may hijack the user’s true input and output wrong letters, leading to user frustration or misunderstanding. In BCI-based driver drowsiness estimation , adversarial attacks may make a drowsy driver look alert, increasing the risk of accidents.
Although pioneers in BCIs have thought of neurosecurity , i.e., “devices getting hacked and, by extension, behavior unwillfully and unknowingly manipulated for nefarious purposes,” most BCI research so far focused on making the BCIs faster and more accurate, paying little attention to its security.
In 2019, Zhang and Wu  first pointed out that adversarial examples exist in EEG-based BCIs, i.e., deep learning models in BCIs are also vulnerable to adversarial attacks. They successfully performed white-box, gray-box and black-box non-targeted evasion attacks to three CNN classifiers, i.e., EEGNet , DeepCNN and ShallowCNN , in three different BCI paradigms, i.e., P300 evoked potential detection, feedback error-related negativity detection, and motor imagery classification. The basic idea, shown in Fig. 6, is to add a jamming module between EEG signal processing and machine learning to generate adversarial examples, optimized by unsupervised FGSM. The generated adversarial perturbations are too small to be noticed by human eyes (an example is shown in Fig. 5), but can significantly reduce the classification accuracy.
It is important to note that the jamming module is implementable, as research  has shown that BtleJuice, a framework to perform Man-in-the-Middle attacks on Bluetooth devices, can be used to intercept the data from a consumer grade EEG-based BCI system, modify them, and then send them back to the headset.
Jiang et al.  focused on black-box non-targeted evasion attacks to deep learning models in BCI classification problems, in which the attacker trains a substitute model to approximate the target model, and then generates adversarial examples from the substitute model to attack the target model. Learning a good substitute model is critical to the success of black-box attacks, but it requires a large number of queries to the target model. Jiang et al. 
proposed a novel query synthesis based active learning framework to improve the query efficiency, by actively synthesizing EEG trials scattering around the decision boundary of the target model, as shown in Fig.7. Compared with the original black-box attack approach in , the active learning based approach can improve the attack success rate with the same number of queries, or, equivalently, reduce the number of queries to achieve a desired attack performance. This is the first work that integrates active learning and adversarial attacks for EEG-based BCIs.
The above two studies considered classification problems, as in most adversarial attack research. Adversarial attacks to regression problems were much less investigated in the literature. Meng et al.  were the first to study white-box targeted evasion attacks for BCI regression problems. They proposed two approaches, based on optimization and gradient, respectively, to design small perturbations to change the regression output by a pre-determined amount. Experiments on two BCI regression problems (EEG-based driver fatigue estimation, and EEG-based user reaction time estimation in the psychomotor vigilance task) verified their effectiveness: both approaches can craft adversarial EEG trials indistinguishable from the original ones, but can significantly change the outputs of the BCI regression model. Moreover, adversarial examples generated from both approaches are also transferable, i.e., adversarial examples generated from one known regression model can also be used to attack an unknown regression model in black-box attacks.
The above three attack strategies are theoretically important, but there are some constraints in applying them to real-world BCIs:
Trial-specificity, i.e., the attacker needs to generate different adversarial perturbations for different EEG trials.
Channel-specificity, i.e., the attacker needs to generate different adversarial perturbations for different EEG channels.
Non-causality, i.e., the complete EEG trial needs to be known in advance to compute the corresponding adversarial perturbation.
Synchronization, i.e., the exact starting time of the EEG trial needs to be known for the best attack performance.
Some recent studies tried to overcome these constraints.
Zhang et al.  performed white-box targeted evasion attacks to P300 and steady-state visual evoked potential (SSVEP) based BCI spellers (Fig. 8), and showed that a tiny perturbation to the EEG trial can mislead the speller to output any character the attacker wants, e.g., change the output from ‘Y’ to ‘N’, or vice versa. The most distinguishing characteristic of their approach is that it explicitly considers the causality in designing the perturbations, i.e., the perturbation should be generated before or as soon as the target EEG trial starts, so that it can be added to the EEG trial in real-time in practice. To achieve this, an adversarial perturbation template is constructed from the training set only and then fixed. So, there is no need to know the test EEG trial and compute the perturbation specifically for it. Their approach resolves the trial-specificity and non-causality constraints, but different EEG channels still need different perturbations, and it also requires the attacker to know the starting time of an EEG trial in advance to achieve the best attack performance, i.e., there are still channel-specificity and synchronization constraints.
Zhang et al. 
considered targeted attacks to a traditional and most frequently used BCI speller pipeline, which has separate feature extraction and classification steps. Liuet al.  considered both targeted and non-targeted white-box evasion attacks to end-to-end deep learning models in EEG-based BCIs, and proposed a total loss minimization (TLM) approach to generate universal adversarial perturbations (UAPs) for them. Experimental results demonstrated its effectiveness on three popular CNN classifiers (EEGNet, ShallowCNN, and DeepCNN) in three BCI paradigms (P300, feedback error related negativity, and motor imagery). They also verified the transferability of UAPs in non-targeted gray-box evasion attacks.
To further simplify the implementation of TLM-UAP, Liu et al.  also considered smaller template size, i.e., mini TLM-UAP with a small number of channels and time domain samples, which can be added anywhere to an EEG trial. Mini TLM-UAPs are more practical and flexible, because they do not require the attacker to know the exact number of EEG channels and the exact length and starting time of an EEG trial. Liu et al.  showed that, generally, all mini TLM-UAPs were effective. However, their effectiveness decreased when the number of used channels and/or the template length decrease, which is intuitive. This is the first study on UAPs of CNN classifiers in EEG-based BCIs, and also the first on optimization based UAPs for targeted evasion attacks.
In summary, the TLM-UAP approach  resolves the trial-specificity and non-causality constraints, and mini TLM-UAPs further alleviate the channel-specificity and synchronization constraints.
All above studies focused on evasion attacks. Meng et al.  were the first to show that poisoning attacks can also be performed for EEG-based BCIs, as shown in Fig. 9. They proposed a practically realizable backdoor key, narrow period pulse, for EEG signals, which can be inserted into the benign EEG signal during data acquisition, and demonstrated its effectiveness in black-box targeted poisoning attacks, i.e., the attacker does not know any information about the test EEG trial, including its starting time, and wants to classify the test trial into a specific class, regardless of its true class. In other words, it resolves the trial-specificity, channel-specificity, causality and synchronization constraints simultaneously. To our knowledge, this is to-date the most practical BCI attack approach.
A summary of existing adversarial attack approaches in EEG-based BCIs is shown in Table IV.
Iv-B Adversarial Attacks in Health Informatics
Adversarial attacks in health informatics can also cause serious damages, even deaths. For example, adversarial attacks to the machine learning algorithms in implantable cardioverter defibrillators could lead to unnecessary painful shocks, damaging the cardiac tissue, and even worse therapy interruptions and sudden cardiac death .
Han et al.  proposed both targeted and non-targeted white-box evasion attack approaches to construct smoothed adversarial examples for ECG trials that are invisible to one board-certified medicine specialist and one cardiac electrophysiology specialist, but can successfully fool a CNN classifier for arrhythmia detection. They achieved 74% attack success rate (74% of the test ECGs originally classified correctly were assigned a different diagnosis, after adversarial attacks) on atrial fibrillation classification from single-lead ECG collected from the AliveCor personal ECG monitor. This study suggests that it is important to check if ECGs have been altered before using them in medical machine learning models.
studied white-box targeted evasion attack in EEG-based epileptic seizure detection, through UAPs. He computed the UAPs via solving an optimization problem, and showed that they can fool a support vector machine classifier to misclassify most seizure samples into non-seizure ones, with imperceptible amplitude.
Newaz et al.  investigated adversarial attacks to machine learning-based smart healthcare systems, consisting of 10 vital signs, e.g., EEG, ECG, SpO, respiration, blood pressure, blood glucose, blood hemoglobin, etc. They performed both targeted and non-targeted attacks, and both poisoning and evasion attacks. For evasion attacks, they also considered both white-box and black-box attacks. They showed that adversarial attacks can significantly degrade the performance of four different classifiers in smart health system in detecting diseases and normal activities, which may lead to to erroneous treatment.
Deep learning has been extensively used in health informatics; however, generally it needs a large amount of training data for satisfactory performance. Transfer learning can be used to alleviate this requirement, by making use of data or machine learning models from an auxiliary domain or task. Wang et al. 
studied targeted backdoor attacks against transfer learning with pre-trained deep learning models on both image and time series (e.g., ECG). Three optimization strategies, i.e., ranking-based neuron selection, autoencoder-powered trigger generation and defense-aware retraining, were used to generate backdoors and retrain deep neural networks, to defeat pruning based, fine-tuning/retraining based and input pre-processing based defenses. They demonstrated its effectiveness in brain MRI image classification and ECG heartbeat type classification.
Iv-C Adversarial Attacks in Biometrics
Physiological signals, e.g., EEG, ECG and PPG, have recently been used in biometrics . However, they are subject to presentation attacks in such applications. In a physiological signal based presentation attack, the attacker tries to spoof the biometric sensors with a fake piece of physiological signal , which would be authenticated as from a specific victim user.
Maiorana et al.  investigated the vulnerability of an EEG-based biometric system to hill-climbing attacks. They assumed that the attacker can access the matching scores of the biometric system, which can then be used to guide the generation of synthetic EEG templates until a successful authentication is achieved. This is essentially a black-box targeted evasion attack in the adversarial attack terminology: the synthetic EEG signal is the adversarial example, and the victim’s identify is the target class. It’s a black-box attack, because the attacker can only observe the output of the biometric system, but does not know anything else about it.
Eberz et al.  proposed an offline ECG biometrics presentation attack approach, illustrated in Fig. 10. The basic idea was to find a mapping function to transform ECG trials recorded from the attacker so that they resemble the morphology of ECG trials from a specific victim. The transformed ECG trials can then be used to fool an ECG biometric system to obtain unauthorized access. They showed that the attacker ECG trials can be obtained from a device different from the one that the victim ECG trials are recorded (i.e., cross-device attack), and there could be different approaches to present the transformed ECG trials to the biometric device under attack, the simplest being the playback of ECG trials encoded as .wav files using an off-the-shelf audio player.
Unlike , the above approach is a gray-box targeted evasion attack in the adversarial attack terminology: the attacker’s ECG signal can be viewed as the benign example, the transformed ECG signal is the adversarial example, and the victim’s identify is the target class. The mapping function plays the role of the jamming module in Fig. 6. It’s a gray-box attack, because the attacker needs to know the feature distributions of the victim ECGs in designing the mapping function.
Karimian et al.  proposed an online ECG biometrics presentation attack approach, shown in Fig. 10. Its procedure is very similar to the offline attack one in Fig. 10, except that the online approach is simpler, because it only requires as few as one victim ECG segment to compute the mapping function, and the mapping function is linear. Karimian  also proposed a similar presentation attack approach to attack PPG-based biometrics. Again, these approaches can be viewed as gray-box targeted evasion attacks.
Although we have not found adversarial attack studies on affective computing and adaptive automation in physiological computing, it does not mean that adversarial attacks cannot be performed in such applications. Machine learning models in affective computing and adaptive automation are not fundamentally different from those in BCIs; so, adversarial attacks in BCIs can easily be adapted to affective computing and adaptive automation.
Particularly, Meng et al.  have shown that it is possible to attack the regression models in EEG-based driver fatigue estimation and EEG-based user reaction time estimation, whereas driver fatigue and user reaction time could be triggers in adaptive automation.
V Defense Against Adversarial Attacks
As researchers just started to investigate adversarial attacks in physiological computing, there were even fewer studies on defense strategies against them. A summary of them is shown in Table V.
V-a Adversarial Training
Adversarial training, which trains a robust machine learning model on normal plus adversarial examples, may be the most popular data modification based adversarial defense approach.
Hussein et al.  proposed an approach to augment deep learning models with adversarial training for robust prediction of epilepsy seizures. Though their goal was to overcome some challenges in EEG-based seizure classification, e.g., individual differences and shortage of pre-ictal labeled data, their approach can also be used to defend against adversarial attacks.
They first constructed a deep learning classifier from available limited amount of labeled EEG data, and then performed white-box attacks to the classifier to obtain adversarial examples, which were next combined with the original labeled data to retrain the deep learning classifier. Experiments on two public seizure datasets demonstrated that adversarial training increased both the classification accuracy and classifier robustness.
V-B Model Modification
Regularization based model modification to defend against adversarial attacks usually also considers the model security (robustness) in the optimization objective function.
Sadeghi et al.  proposed an analytical framework for tuning the classifier parameters, to ensure simultaneously its accuracy and security. The optimal classifier parameters were determined by solving an optimization problem, which takes into account both the test accuracy and the robustness against adversarial attacks. For
-nearest neighbor (kNN) classifiers, the two parameters to be optimized are the number of neighbors and the distance metric type. Experiments on EEG-based eye state (open or close) recognition verified that it is possible to achieve both high classification accuracy and high robustness against black-box targeted evasion attacks.
V-C Adversarial Detection
Adversarial detection uses a separate module to detect if there is adversarial attack, and takes actions accordingly. The simplest is to discard adversarial examples directly.
Cai and Venkatasubramanian  proposed an approach to detect signal injection-based morphological alterations (evasion attack) of ECGs. Because multiple physiological signals based on the same underlying physiological process (e.g., cardiac process) are inherently related to each other, any adversarial alteration of one of the signals will lead to inconsistency in the other signal(s) in the group. Since both ECG and arterial blood pressure measurements are representations of the cardiac process, the latter can be used to detect morphological alterations in ECGs. They demonstrated over 90% accuracy in detecting even subtle ECG morphological alterations for both healthy subjects and patients. A similar idea  was also used to detect temporal alternations of ECGs, by making use of their correlations with arterial blood pressure and respiration measurements.
Karimian et al.  proposed two strategies to protect ECG biometric authentication systems from spoofing, by evaluating if ECG signal characteristics match the corresponding heart rate variability or PPG features (pulse transit time and pulse arrival time). The idea is actually similar to Cai and Venkatasubramanian’s . If there is a mismatch, then the system considers the input to be fake, and rejects it.
Vi Conclusions and Future Research
Physiological computing includes, or significantly overlaps with, BCIs, affective computing, adaptive automation, health informatics, and physiological signal based biometrics. It increases the communication bandwidth from the user to the computer, but is also subject to adversarial attacks. This paper has given a comprehensive review on adversarial attacks and their defense strategies in physiological computing, hopefully will bring more attention to the security of physiological computing systems.
Promising future research directions in this area include:
Transfer learning has been extensively used in physiological computing , to alleviate the training data shortage problem by leveraging data from other subjects  or tasks , or to warm-start the training of a (deep) learning algorithm by borrowing parameters or knowledge from an existing algorithm , as shown in Fig. 11. However, transfer learning is particularly susceptive to poisoning attacks [55, 80]. It’s very important to develop strategies to check the integrity of data and models before using them in transfer learning.
Adversarial attacks to other components in the machine learning pipeline (an example on BCI is shown in Fig. 12
), which includes signal processing, feature engineering, and classification/regression, and the corresponding defense strategies. So far all adversarial attack approaches in physiological computing considered the classification or regression model only, but not other components, e.g., signal processing and feature engineering. It has been shown that feature selection is also subjective to data poisoning attacks, and adversarial feature selection can be used to defend against evasion attacks .
Additional types of attacks in physiological computing [19, 71, 12, 66, 7], as shown in Fig. 13, and the corresponding defense strategies. For example, Paoletti et al.  performed parameter tampering attacks on Boston Scientific implantable cardioverter defibrillators, which use a discrimination tree to detect tachycardia episodes and then initiate the appropriate therapy. They slightly modified the parameters of the discrimination tree to achieve both attack effectiveness and stealthiness. These attacks are also very dangerous in physiological computing, and hence deserve adequate attention.
Adversarial attacks to affective computing and adaptive automation applications, which have not been studied yet, but are also possible and dangerous. Many existing attack approaches in BCIs, health informatics and biometrics can be extended to them, either directly or with slight modifications. However, there could also be unique attack approaches specific to these areas. For example, emotions are frequently represented as continuous numbers in the 3D space of valence, arousal and dominance in affective computing , and hence adversarial attacks to regression models in affective computing should be paid enough attention to.
Finally, we need to emphasize that the goal of adversarial attack research in physiological computing should be discovering its vulnerabilities, and then finding solutions to make it more secure, instead of merely causing damages to it.
-  F. Agrafioti, J. Gao, D. Hatzinakos, and J. Yang, “Heart biometrics: Theory, methods and applications,” in Biometrics. InTech Shanghai, China, 2011, pp. 199–216.
-  A. Aminifar, “Universal adversarial perturbations in epileptic seizure detection,” in Proc. Int’l Joint Conf. on Neural Networks, Jul. 2020, pp. 1–6.
-  R. V. Aranha, C. G. Corrêa, and F. L. Nunes, “Adapting software with affective computing: a systematic review,” IEEE Trans. on Affective Computing, 2021, in press.
-  P. Aricò, G. Borghini, G. Di Flumeri, A. Colosimo, S. Bonelli, A. Golfetti, S. Pozzi, J.-P. Imbert, G. Granger, R. Benhacene et al., “Adaptive automation triggered by EEG-based mental workload index: a passive brain-computer interface application in realistic air traffic control environment,” Frontiers in Human Neuroscience, vol. 10, p. 539, 2016.
U. Asif, S. Roy, J. Tang, and S. Harrer, “SeizureNet: Multi-spectral deep feature learning for seizure type classification,” inMachine Learning in Clinical Neuroimaging and Radiogenomics in Neuro-oncology, 2020, pp. 77–87.
-  S. L. Bernal, A. H. Celdran, L. F. Maimó, M. T. Barros, S. Balasubramaniam, and G. M. Pérez, “Cyberattacks on miniature brain implants to disrupt spontaneous neural signaling,” IEEE Access, vol. 8, pp. 152 204–152 222, 2020.
-  S. L. Bernal, A. H. Celdrán, G. M. Pérez, M. T. Barros, and S. Balasubramaniam, “Security in brain-computer interfaces: State-of-the-art, opportunities, and future challenges,” ACM Computing Surveys, vol. 54, no. 1, pp. 1–35, 2021.
-  S. Bianco and P. Napoletano, “Biometric recognition using multimodal physiological signals,” IEEE Access, vol. 7, pp. 83 581–83 588, 2019.
B. Biggio, B. Nelson, and P. Laskov, “Support vector machines under adversarial label noise,” inProc. Asian Conf. on Machine Learning, Taiwan, China, Nov. 2011, pp. 97–112.
-  H. Cai and K. K. Venkatasubramanian, “Detecting malicious temporal alterations of ECG signals in body sensor networks,” in Proc. Int’l Conf. on Network and System Security, New York, NY, Dec. 2015, pp. 531–539.
-  ——, “Detecting signal injection attack-based morphological alterations of ECG measurements,” in Proc. Int’l Conf. on Distributed Computing in Sensor Systems, Washington, DC, May 2016, pp. 127–135.
-  C. Camara, P. Peris-Lopez, and J. E. Tapiador, “Security and privacy issues in implantable medical devices: A comprehensive survey,” Journal of Biomedical Informatics, vol. 55, pp. 272–289, 2015.
-  N. Carlini and D. Wagner, “Towards evaluating the robustness of neural networks,” in Proc. IEEE Symposium on Security and Privacy, San Jose, CA, May 2017, pp. 39–57.
-  Q. Chen, X. Ma, Z. Zhu, and Y. Sun, “Evolutionary multi-tasking single-objective optimization based on cooperative co-evolutionary memetic algorithm,” in Proc. 13th Int’l Conf. on Computational Intelligence and Security, 2017, pp. 197–201.
-  L. Chittaro and R. Sioni, “Affective computing vs. affective placebo: Study of a biofeedback-controlled game for relaxation training,” Int’l Journal of Human-Computer Studies, vol. 72, no. 8-9, pp. 663–673, 2014.
-  E. Coiera, Guide to Health Informatics. CRC press, 2015.
-  N. Das, M. Shanbhogue, S.-T. Chen, F. Hohman, L. Chen, M. E. Kounavis, and D. H. Chau, “Keeping the bad guys out: Protecting and vaccinating deep learning with JPEG compression,” arXiv preprint arXiv:1705.02900, 2017.
-  T. de Greef, H. Lafeber, H. van Oostendorp, and J. Lindenberg, “Eye movement as indicators of mental workload to trigger adaptive automation,” in Int’l Conf. on Foundations of Augmented Cognition, San Diego, CA, Jul. 2009, pp. 219–228.
-  T. Denning, Y. Matsuoka, and T. Kohno, “Neurosecurity: security and privacy for neural devices,” Neurosurgical Focus, vol. 27, no. 1, p. E7, 2009.
-  S. Eberz, N. Paoletti, M. Roeschlin, M. Kwiatkowska, I. Martinovic, and A. Patané, “Broken hearted: How to attack ECG biometrics,” in Proc. Network and Distributed System Security Symposium. San Diego, CA: Internet Society, Feb. 2017.
I. Evtimov, K. Eykholt, E. Fernandes, T. Kohno, B. Li, A. Prakash, A. Rahmati,
and D. Song, “Robust physical-world attacks on deep learning visual
Proc. IEEE Conf. on Computer Vision and Pattern Recognition, Salt Lake City, UT, Jun. 2018, pp. 1625–1634.
-  S. H. Fairclough, “Fundamentals of physiological computing,” Interacting with Computers, vol. 21, pp. 133–145, 2009.
-  S. G. Finlayson, J. D. Bowers, J. Ito, J. L. Zittrain, A. L. Beam, and I. S. Kohane, “Adversarial attacks on medical machine learning,” Science, vol. 363, no. 6433, pp. 1287–1289, 2019.
-  S. G. Finlayson, H. W. Chung, I. S. Kohane, and A. L. Beam, “Adversarial attacks against medical deep learning systems,” arXiv preprint arXiv:1804.05296, 2018.
-  J. Gao, B. Wang, Z. Lin, W. Xu, and Y. Qi, “DeepCloak: Masking deep neural network models for robustness against adversarial samples,” arXiv preprint arXiv:1702.06763, 2017.
-  E. B. Geller, “Responsive neurostimulation: review of clinical trials and insights into focal epilepsy,” Epilepsy & Behavior, vol. 88, pp. 11–20, 2018.
-  I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” in Proc. Int’l Conf. on Learning Representations, San Diego, CA, May 2015.
-  S. D. Goodfellow, A. Goodwin, R. Greer, P. C. Laussen, M. Mazwi, and D. Eytan, “Towards understanding ECG rhythm classification using convolutional neural networks and attention mappings,” in Proc. 3rd Machine Learning for Healthcare Conf., Stanford, CA, Aug. 2018, pp. 83–101.
-  S. Gu and L. Rigazio, “Towards deep neural network architectures robust to adversarial examples,” arXiv preprint arXiv:1412.5068, 2014.
-  Q. Gui, Z. Jin, and W. Xu, “Exploring EEG-based biometrics for user identification and authentication,” in Proc. IEEE Signal Processing in Medicine and Biology Symposium, Philadelphia, PA, Dec. 2014, pp. 1–6.
-  A. Gummadavelli, H. P. Zaveri, D. D. Spencer, and J. L. Gerrard, “Expanding brain-computer interfaces for controlling epilepsy networks: novel thalamic responsive neurostimulation in refractory epilepsy,” Frontiers in Neuroscience, vol. 12, p. 474, 2018.
-  X. Han, Y. Hu, L. Foschini, L. Chinitz, L. Jankelson, and R. Ranganath, “Deep learning models for electrocardiograms are susceptible to adversarial attack,” Nature Medicine, vol. 3, pp. 360–363, 2020.
-  H. He and D. Wu, “Transfer learning for brain-computer interfaces: A Euclidean space data alignment approach,” IEEE Trans. on Biomedical Engineering, vol. 67, no. 2, pp. 399–410, 2020.
-  H. Hosseini, Y. Chen, S. Kannan, B. Zhang, and R. Poovendran, “Blocking transferability of adversarial examples in black-box learning systems,” arXiv preprint arXiv:1703.04318, 2017.
-  A. Hussein, M. Djandji, R. A. Mahmoud, M. Dhaybi, and H. Hajj, “Augmenting DL with adversarial training for robust prediction of epilepsy seizures,” ACM Trans. on Computing for Healthcare, vol. 1, no. 3, pp. 1–18, 2020.
-  B. Hwang, J. You, T. Vaessen, I. Myin-Germeys, C. Park, and B.-T. Zhang, “Deep ECGNet: An optimal deep learning framework for monitoring mental stress using ultra short-term ECG signals,” TELEMEDICINE and e-HEALTH, vol. 24, no. 10, pp. 753–772, 2018.
-  G. Jacucci, S. Fairclough, and E. T. Solovey, “Physiological computing,” Computer, vol. 48, no. 10, pp. 12–16, 2015.
-  I. Jarchum, “The ethics of neurotechnology,” Nature Biotechnology, vol. 37, pp. 993–996, 2019.
-  X. Jiang, X. Zhang, and D. Wu, “Active learning for black-box adversarial attacks in EEG-based brain-computer interfaces,” in Proc. IEEE Symposium Series on Computational Intelligence, Xiamen, China, Dec. 2019.
-  G. A. Kaissis, M. R. Makowski, D. Rückert, and R. F. Braren, “Secure, privacy-preserving and federated machine learning in medical imaging,” Nature Machine Intelligence, vol. 2, pp. 305–311, 2020.
-  F. Karim, S. Majumdar, and H. Darabi, “Adversarial attacks on time series,” IEEE Trans. on Pattern Analysis and Machine Intelligence, 2021, in press.
-  N. Karimian, D. Woodard, and D. Forte, “ECG biometric: Spoofing and countermeasures,” IEEE Trans. on Biometrics, Behavior, and Identity Science, vol. 2, no. 3, pp. 257–270, 2020.
N. Karimian, “How to attack PPG biometric using adversarial machine learning,” inAutonomous Systems: Sensors, Processing, and Security for Vehicles and Infrastructure, vol. 11009, Baltimore, MD, Apr. 2019, p. 1100909.
-  N. Karimian, D. L. Woodard, and D. Forte, “On the vulnerability of ECG verification to online presentation attacks,” in IEEE Int’l Joint Conf. on Biometrics, Denver, CO, Oct. 2017, pp. 143–151.
-  D. Kostas and F. Rudzicz, “Thinker invariance: enabling deep neural networks for BCI across more people,” Journal of Neural Engineering, vol. 17, no. 5, p. 056008, 2020.
-  A. Kurakin, I. J. Goodfellow, and S. Bengio, “Adversarial examples in the physical world,” in Proc. Int’l Conf. on Learning Representations, Toulon, France, Apr. 2017.
-  B. J. Lance, S. E. Kerick, A. J. Ries, K. S. Oie, and K. McDowell, “Brain-computer interface technologies in the coming decades,” Proc. of the IEEE, vol. 100, no. 3, pp. 1585–1599, 2012.
-  V. J. Lawhern, A. J. Solon, N. R. Waytowich, S. M. Gordon, C. P. Hung, and B. J. Lance, “EEGNet: a compact convolutional neural network for EEG-based brain-computer interfaces,” Journal of Neural Engineering, vol. 15, no. 5, p. 056013, 2018.
-  F. Liao, M. Liang, Y. Dong, T. Pang, X. Hu, and J. Zhu, “Defense against adversarial attacks using high-level representation guided denoiser,” in Proc. IEEE Conf. on Computer Vision and Pattern Recognition, Salt Lake City, UT, Jun. 2018, pp. 1778–1787.
-  Z. Liu, L. Meng, X. Zhang, W. Fang, D. Wu, and L. Ding, “Universal adversarial perturbations for CNN classifiers in EEG-based BCIs,” Engineering, 2021, submitted. [Online]. Available: https://arxiv.org/abs/1912.01171
-  X. Ma, Y. Niu, L. Gu, Y. Wang, Y. Zhao, J. Bailey, and F. Lu, “Understanding adversarial attacks on deep learning based medical image analysis systems,” Pattern Recognition, vol. 110, p. 107332, 2020.
-  E. Maiorana, G. E. Hine, D. L. Rocca, and P. Campisi, “On the vulnerability of an EEG-based biometric system to hill-climbing attacks algorithms’ comparison and possible countermeasures,” in Proc. IEEE 6th Int’l Conf. on Biometrics: Theory, Applications and Systems, 2013, pp. 1–6.
-  A. Mehrabian, Basic Dimensions for a General Psychological Theory: Implications for Personality, Social, Environmental, and Developmental Studies. Oelgeschlager, Gunn & Hain, 1980.
-  S. Mei and X. Zhu, “Using machine teaching to identify optimal training-set attacks on machine learners,” in Proc. AAAI Conf. on Artificial Intelligence, vol. 29, no. 1, Austin, TX, Jan. 2015.
-  L. Meng, J. Huang, Z. Zeng, X. Jiang, S. Yu, T.-P. Jung, C.-T. Lin, R. Chavarriaga, and D. Wu, “EEG-based brain-computer interfaces are vulnerable to backdoor attacks,” Nature Computational Science, 2021, submitted. [Online]. Available: https://www.researchsquare.com/article/rs-108085/v1
-  L. Meng, C.-T. Lin, T.-P. Jung, and D. Wu, “White-box target attack for EEG-based BCI regression problems,” in Proc. Int’l Conf. on Neural Information Processing, Sydney, Australia, Dec. 2019.
-  D. J. Miller, Z. Xiang, and G. Kesidis, “Adversarial learning targeting deep neural network classification: A comprehensive review of defenses against attacks,” Proc. IEEE, vol. 108, no. 3, pp. 402–433, 2020.
-  M. Minsky, The Society of Mind. New York, NY: Simon and Schuster, 1988.
-  T. Mishra, M. Wang, A. A. Metwally, G. K. Bogu, A. W. Brooks, A. Bahmani, A. Alavi, A. Celli, E. Higgs, O. Dagan-Rosenfeld et al., “Pre-symptomatic detection of COVID-19 from smartwatch data,” Nature Biomedical Engineering, vol. 4, no. 12, pp. 1208–1220, 2020.
-  S.-M. Moosavi-Dezfooli, A. Fawzi, and P. Frossard, “DeepFool: a simple and accurate method to fool deep neural networks,” in Proc. IEEE Conf. on Computer Vision and Pattern Recognition, Las Vegas, NV, Jun. 2016, pp. 2574–2582.
-  A. Newaz, N. I. Haque, A. K. Sikder, M. A. Rahman, and A. S. Uluagac, “Adversarial attacks to machine learning-based smart healthcare systems,” arXiv preprint arXiv:2010.03671, 2020.
-  N. Paoletti, Z. Jiang, M. A. Islam, H. Abbas, R. Mangharam, S. Lin, Z. Gruber, and S. A. Smolka, “Synthesizing stealthy reprogramming attacks on cardiac devices,” in Proc. 10th ACM/IEEE Int’l Conf. on Cyber-Physical Systems, 2019, pp. 13–22.
-  N. Papernot, P. McDaniel, I. Goodfellow, S. Jha, Z. B. Celik, and A. Swami, “Practical black-box attacks against machine learning,” in Proc. Asia Conf. on Computer and Communications Security, Abu Dhabi, United Arab Emirates, Apr. 2017, pp. 506–519.
-  N. Papernot, P. McDaniel, X. Wu, S. Jha, and A. Swami, “Distillation as a defense to adversarial perturbations against deep neural networks,” in Proc. IEEE Symp. on Security and Privacy, San Jose, CA, May 2016, pp. 582–597.
-  R. Picard, Affective Computing. Cambridge, MA: The MIT Press, 1997.
-  L. Pycroft, S. G. Boccard, S. L. Owen, J. F. Stein, J. J. Fitzgerald, A. L. Green, and T. Z. Aziz, “Brainjacking: implant security issues in invasive neuromodulation,” World Neurosurgery, vol. 92, pp. 454–462, 2016.
-  A. Qayyum, J. Qadir, M. Bilal, and A. Al-Fuqaha, “Secure and robust machine learning for healthcare: A survey,” IEEE Reviews in Biomedical Engineering, vol. 14, pp. 156–180, 2021.
-  S. Qiu, Q. Liu, S. Zhou, and C. Wu, “Review of artificial intelligence adversarial attack and defense technologies,” Applied Sciences, vol. 9, no. 5, p. 909, 2019.
-  A. Rahman, M. S. Hossain, N. A. Alrajeh, and F. Alsolami, “Adversarial examples – security threats to COVID-19 deep learning systems in medical IoT devices,” IEEE Internet of Things Journal, 2021, in press.
-  B. Rim, N.-J. Sung, S. Min, and M. Hong, “Deep learning in physiological signal data: A survey,” Sensors, vol. 20, no. 4, p. 969, 2020.
-  M. Rushanan, A. D. Rubin, D. F. Kune, and C. M. Swanson, “SoK: Security and privacy in implantable medical devices and body area networks,” in Proc. IEEE Symposium on Security and Privacy, 2014, pp. 524–539.
-  K. Sadeghi, A. Banerjee, and S. K. Gupta, “An analytical framework for security-tuning of artificial intelligence applications under attack,” in IEEE Int’l Conf. On Artificial Intelligence Testing, San Francisco, CA, Apr. 2019, pp. 111–118.
-  P. Samangouei, M. Kabkab, and R. Chellappa, “Defense-GAN: Protecting classifiers against adversarial attacks using generative models,” arXiv preprint arXiv:1805.06605, 2018.
-  R. T. Schirrmeister, J. T. Springenberg, L. D. J. Fiederer, M. Glasstetter, K. Eggensperger, M. Tangermann, F. Hutter, W. Burgard, and T. Ball, “Deep learning with convolutional neural networks for EEG decoding and visualization,” Human Brain Mapping, vol. 38, no. 11, pp. 5391–5420, 2017.
-  E. W. Sellers and E. Donchin, “A P300-based brain-computer interface: initial tests by ALS patients,” Clinical Neurophysiology, vol. 117, no. 3, pp. 538–548, 2006.
-  Y. N. Singh, S. K. Singh, and A. K. Ray, “Bioelectrical signals as emerging biometrics: Issues and challenges,” Int’l Scholarly Research Notices, vol. 2012, 2012.
-  K. Sundararajan, “Privacy and security issues in brain computer interfaces,” Master’s thesis, Auckland University of Technology, 2017. [Online]. Available: http://orapp.aut.ac.nz/bitstream/handle/10292/11449/SundararajanK.pdf
-  C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. J. Goodfellow, and R. Fergus, “Intriguing properties of neural networks,” in Proc. Int’l Conf. on Learning Representations, Banff, Canada, Apr. 2014.
-  F. Tramèr, A. Kurakin, N. Papernot, I. Goodfellow, D. Boneh, and P. McDaniel, “Ensemble adversarial training: Attacks and defenses,” arXiv preprint arXiv:1705.07204, 2017.
-  S. Wang, S. Nepal, C. Rudolph, M. Grobler, S. Chen, and T. Chen, “Backdoor attacks against transfer learning with pre-trained deep learning models,” IEEE Trans. on Services Computing, 2020, in press.
-  D. Wu, V. J. Lawhern, S. Gordon, B. J. Lance, and C.-T. Lin, “Driver drowsiness estimation from EEG signals using online weighted adaptation regularization for regression (OwARR),” IEEE Trans. on Fuzzy Systems, vol. 25, no. 6, pp. 1522–1535, 2017.
-  D. Wu, V. J. Lawhern, W. D. Hairston, and B. J. Lance, “Switching EEG headsets made easy: Reducing offline calibration effort using active wighted adaptation regularization,” IEEE Trans. on Neural Systems and Rehabilitation Engineering, vol. 24, no. 11, pp. 1125–1137, 2016.
-  D. Wu, Y. Xu, and B.-L. Lu, “Transfer learning for EEG-based brain-computer interfaces: A review of progress made since 2016,” IEEE Trans. on Cognitive and Developmental Systems, 2021, in press.
-  H. Xiao, B. Biggio, G. Brown, G. Fumera, C. Eckert, and F. Roli, “Is feature selection secure against training data poisoning?” in Proc. 32nd Int’l Conf. on Machine Learning, Lille, France, Jul. 2015, p. 1689–1698.
-  C. Xie, J. Wang, Z. Zhang, Y. Zhou, L. Xie, and A. Yuille, “Adversarial examples for semantic segmentation and object detection,” in Proc. IEEE Int’l Conf. on Computer Vision, Venice, Italy, Oct. 2017, pp. 1369–1378.
-  W. Xu, D. Evans, and Y. Qi, “Feature squeezing: Detecting adversarial examples in deep neural networks,” arXiv preprint arXiv:1704.01155, 2017.
-  U. Yadav, S. N. Abbas, and D. Hatzinakos, “Evaluation of PPG biometrics for authentication in different states,” in Proc. Int’l Conf. on Biometrics, Queensland, Australia, Feb. 2018, pp. 277–282.
-  F. Zhang, P. P. K. Chan, B. Biggio, D. S. Yeung, and F. Roli, “Adversarial feature selection against evasion attacks,” IEEE Trans. on Cybernetics, vol. 46, no. 3, pp. 766–777, 2016.
-  X. Zhang and D. Wu, “On the vulnerability of CNN classifiers in EEG-based BCIs,” IEEE Trans. on Neural Systems and Rehabilitation Engineering, vol. 27, no. 5, pp. 814–825, 2019.
-  X. Zhang, D. Wu, L. Ding, H. Luo, C.-T. Lin, T.-P. Jung, and R. Chavarriaga, “Tiny noise, big mistakes: Adversarial perturbations induce errors in brain-computer interface spellers,” National Science Review, 2021, in press.