Black-box Adversarial Attacks on Network-wide Multi-step Traffic State Prediction Models

TL;DR

The paper tackles robustness of network-wide, multi-step traffic state prediction under black-box adversarial attacks. It introduces a framework where an attacker queries a target model to assemble input-output pairs, trains a substitute model, and crafts adversarial signals that transfer to the target. Empirical results on PeMS data show significant RMSE degradation for DCRNN (up to $54.07\%$) and GCGRNN (up to $26.41\%$), while LR and HA remain comparatively robust, highlighting a gap between predictive accuracy and resilience in graph-based models. The findings suggest that incorporating domain knowledge or simpler baselines may improve robustness, with GCGRNN offering a better balance between accuracy and resilience than DCRNN.

Abstract

Traffic state prediction is necessary for many Intelligent Transportation Systems applications. Recent developments of the topic have focused on network-wide, multi-step prediction, where state of the art performance is achieved via deep learning models, in particular, graph neural network-based models. While the prediction accuracy of deep learning models is high, these models' robustness has raised many safety concerns, given that imperceptible perturbations added to input can substantially degrade the model performance. In this work, we propose an adversarial attack framework by treating the prediction model as a black-box, i.e., assuming no knowledge of the model architecture, training data, and (hyper)parameters. However, we assume that the adversary can oracle the prediction model with any input and obtain corresponding output. Next, the adversary can train a substitute model using input-output pairs and generate adversarial signals based on the substitute model. To test the attack effectiveness, two state of the art, graph neural network-based models (GCGRNN and DCRNN) are examined. As a result, the adversary can degrade the target model's prediction accuracy up to $54\%$. In comparison, two conventional statistical models (linear regression and historical average) are also examined. While these two models do not produce high prediction accuracy, they are either influenced negligibly (less than $3\%$) or are immune to the adversary's attack.

Figures (3)

• Figure 1: Systematic diagram of our framework. Network-wide traffic flow data is pre-processed and split into two parts, one is used by the adversary to oracle the target model to obtain input-output pairs for training the substitute model; the other is used by the adversary to generate adversarial signals based on the trained substitute model. The attack effectiveness is conducted on the target model using original signals and their corresponding adversarial signals.
• Figure 2: Examples of original signals and their corresponding adversarial signals' impact on model prediction results. For both GCGRNN and DCRNN, we can see that the adversarial signals can cause large deviation between the prediction results and the ground truth than the original signals.
• Figure 3: The RMSE distributions on both original signals and their adversarial signals (AS) of four target models ($2~616$ in total). Between GCGRNN and DCRNN, DCRNN shows larger distribution shift in RMSE values, which demonstrates the comparative robustness of GCGRNN against adversarial attacks. For LR, the shift is marginal; for HA, no shift is observed. These results demonstrate that traditional models can be more robust or even immune against adversarial attacks.