Adversarial Robustness in Biomedical Time-Series Models
I would like to express my deepest gratitude to Dr. Jacob Luber, my thesis advisor and professor at the University of Texas at Arlington, for his invaluable guidance, insightful feedback, and unwavering support throughout the course of this research.
I am also sincerely thankful to Dr. Justyn Jaworski and Dr. Xi Zhu for serving on my thesis committee.
My appreciation extends to Dr. Khosrow Behbehani, whose support in identifying and providing access to the initial datasets and pretrained model weights made the early stages of this project possible.
I would also like to acknowledge Jai Prakash Veerla, my Ph.D. mentor, for his continuous encouragement, technical guidance, and mentorship.
My Parents Sanjay and Mamta Tiwari for their tremendous encouragement and support.
Finally, I am grateful to the Department of Bioengineering at the University of Texas at Arlington for providing the academic environment and resources necessary to carry out this research.
Abstract
This study investigates adversarial vulnerabilities in deep learning models for biomedical time-series classification across two clinically important modalities: electrocardiography (ECG) and electroencephalography (EEG). Using the MIT-BIH Arrhythmia and CHB-MIT seizure datasets, I evaluate time-domain attacks (FGSM, PGD), Fourier-domain constrained attacks, and learned spectral perturbations designed to reveal modality-specific sensitivity patterns. Across both tasks, a consistent trend emerges low-frequency components (0–5 Hz) constitute a dominant axis of adversarial vulnerability, with perturbations in this range producing the steepest degradation in classification performance. In ECG models, protecting the physiologically relevant QRS band (5–20 Hz) significantly improves robustness, whereas EEG models remain highly sensitive to delta-band perturbations even under strict spectral constraints. Learned spectral masks and gradient-based analyses converge on similar frequency profiles, indicating that deep networks rely heavily on slow-wave structure for decision-making. Additionally, minority classes exhibit disproportionately higher susceptibility to adversarial perturbations. These findings demonstrate that adversarial vulnerabilities in biomedical time-series models are closely tied to underlying signal physiology and spectral composition. The results show the need for frequency-aware defenses, physiologically informed architectures, and robust training frameworks to ensure reliable deployment of neural systems in clinical environments.