Correlation Analysis of Adversarial Attack in Time Series Classification

Zhengyang Li, Wenhao Liang, Chang Dong, Weitong Chen, Dong Huang

TL;DR

This work addresses adversarial vulnerability in time series classification by probing how models rely on local versus global information. It introduces a Normalized Auto Correlation Function (NACF) based theoretical framework and two frequency-focused regularizers using FFT and a cosine-style objective to shape perturbations. Extensive experiments on 128 UCR2018 datasets across five architectures show FFT-based perturbations achieve higher attack success and smaller perturbation magnitudes, while defense strategies like random/noise and Gaussian smoothing reduce ASR and improve robustness. The findings suggest that building models with a bias toward global information improves resilience, highlighting the value of frequency-domain analysis for designing robust TSC systems.

Abstract

This study investigates the vulnerability of time series classification models to adversarial attacks, with a focus on how these models process local versus global information under such conditions. The Normalized Auto Correlation Function (NACF) is used to explore the inclination of neural networks. It is demonstrated that regularization techniques, particularly those employing Fast Fourier Transform (FFT) methods and targeting frequency components of perturbations, markedly enhance the effectiveness of attacks. Meanwhile, defense strategies such as noise introduction and Gaussian filtering are shown to significantly lower the Attack Success Rate (ASR), with noise-introduction approaches notably effective in countering high-frequency distortions. Furthermore, models designed to prioritize global information are revealed to possess greater resistance to adversarial manipulations. These results underline the importance of designing attack and defense mechanisms informed by frequency-domain analysis as a means to considerably reinforce the resilience of neural network models against adversarial threats.
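The Gaussian-filtering defense mentioned in the abstract can be checked on a toy input, as an added example that is not code from the paper: it measures how much of a high-frequency perturbation survives smoothing versus how much of the clean series is retained. The sample series, `eps`, `sigma`, the 0.25 cycles/sample cutoff and all function names are assumptions constructed for illustration.

```python
import cmath
import math

def high_freq_fraction(x, cutoff=0.25):
    """Share of non-DC spectral energy above `cutoff` cycles/sample (naive DFT)."""
    n = len(x)
    low = high = 0.0
    for k in range(1, n // 2 + 1):
        coeff = sum(v * cmath.exp(-2j * math.pi * k * t / n) for t, v in enumerate(x))
        if k / n > cutoff:
            high += abs(coeff) ** 2
        else:
            low += abs(coeff) ** 2
    return high / (low + high) if low + high else 0.0

def gaussian_smooth(x, sigma=1.5):
    """Gaussian filter applied to the input, with mirror padding at both ends."""
    radius = int(3 * sigma)
    kernel = [math.exp(-0.5 * (j / sigma) ** 2) for j in range(-radius, radius + 1)]
    norm = sum(kernel)
    n, out = len(x), []
    for t in range(n):
        acc = 0.0
        for j, w in zip(range(-radius, radius + 1), kernel):
            i = t + j
            i = -i if i < 0 else (2 * (n - 1) - i if i >= n else i)
            acc += w * x[i]
        out.append(acc / norm)
    return out

def rms(x):
    return math.sqrt(sum(v * v for v in x) / len(x))

def smoothing_report(n=64, eps=0.1, sigma=1.5):
    # Constructed sample: a slow sine as the clean series, and an alternating-sign
    # offset of magnitude eps standing in for a high-frequency perturbation r.
    clean = [math.sin(2 * math.pi * 2 * t / n) for t in range(n)]
    r = [eps * (-1) ** t for t in range(n)]
    adv = [c + p for c, p in zip(clean, r)]
    residual = [a - c for a, c in zip(gaussian_smooth(adv, sigma), gaussian_smooth(clean, sigma))]
    return {
        "r_high_freq_fraction": high_freq_fraction(r),
        "perturbation_kept": rms(residual) / rms(r),
        "clean_kept": rms(gaussian_smooth(clean, sigma)) / rms(clean),
    }

if __name__ == "__main__":
    for name, value in smoothing_report().items():
        print(f"{name}: {value:.4f}")
```

The filter is linear, so a perturbation whose energy sits at the same low frequencies as the signal would pass through it largely intact; the attenuation shown here applies only to high-frequency content.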

Paper Structure (20 sections, 6 equations, 7 figures, 3 tables)


Figures (7)

  • Figure 1: A diagram illustrating the susceptibility of neural networks to external noise. In this diagram, $f$ represents the model, $x_1$ and $x_2$ are samples, $r$ denotes the perturbation, and $\epsilon$ signifies the maximum allowable magnitude of $r$.
  • Figure 2: This scatter plot visualizes the relationship between the sigmoid function's midpoint position, expressed as a percentage of its range (X-axis), and the Normalized Attack Success Rate (Relative ASR) (Y-axis). Here, the Y-axis values are normalized to the highest ASR observed across trials for the same dataset, but with varying midpoints $k$ of the sigmoid function.
  • Figure 3: Proposed attack and defense framework for time series classification models. The green pathway shows how a traditional model is trained, and the red pathway shows how the perturbation $r$ is learned by the framework.
  • Figure 4: Comparison of Attack Success Rate (ASR) and Mean Success Distance (MSD) among PGD (GM), SWAP, SWAP($l^2$), COS, and FFT algorithms.
  • Figure 5: This box plot presents comprehensive experimental results across selected models, each embodying a mainstream neural network architecture. Distinct colors denote various defense methods. For each subplot, the initial column illustrates the test accuracy, while the subsequent five columns detail the Attack Success Rate (ASR) against five distinct attack methodologies.
  • ...and 2 more figures