TrojanTime: Backdoor Attacks on Time Series Classification

TL;DR

TrojanTime tackles backdoor vulnerabilities in time series classification under data-inaccessible conditions by synthesizing a diverse pseudo-dataset $D_{adv}$ from an external dataset $D'$ via adversarial attacks, then poisoning it to obtain $D_{bd}$ with a trigger. The method preserves clean accuracy through a two-stage training that combines logits alignment with a backdoor objective and freezes BatchNorm layers to mitigate concept drift, while linking the trigger to a target class. A defense based on unlearning isolates high-activation rear-layer samples to reduce the attack efficacy with a decaying unlearning strength $\alpha$. Evaluations on UCR benchmarks across multiple triggers and architectures show high attack success rates with modest clean accuracy loss, and the proposed defense effectively lowers ASR while maintaining CA, highlighting practical security implications for TSC systems.

Abstract

Time Series Classification (TSC) is highly vulnerable to backdoor attacks, posing significant security threats. Existing methods primarily focus on data poisoning during the training phase, designing sophisticated triggers to improve stealthiness and attack success rate (ASR). However, in practical scenarios, attackers often face restrictions in accessing training data. Moreover, it is a challenge for the model to maintain generalization ability on clean test data while remaining vulnerable to poisoned inputs when data is inaccessible. To address these challenges, we propose TrojanTime, a novel two-step training algorithm. In the first stage, we generate a pseudo-dataset using an external arbitrary dataset through target adversarial attacks. The clean model is then continually trained on this pseudo-dataset and its poisoned version. To ensure generalization ability, the second stage employs a carefully designed training strategy, combining logits alignment and batch norm freezing. We evaluate TrojanTime using five types of triggers across four TSC architectures in UCR benchmark datasets from diverse domains. The results demonstrate the effectiveness of TrojanTime in executing backdoor attacks while maintaining clean accuracy. Finally, to mitigate this threat, we propose a defensive unlearning strategy that effectively reduces the ASR while preserving clean accuracy.

Figures (3)

• Figure 1: The framework of TrojanTime. We provide a clear demonstration of the two-step training: 1) Data synthesis: after matching the dimensions of the introduced external dataset, PGD attack is applied to generate diverse adversarial samples; 2) Backdoor training: logits alignment and BatchNorm freezing during the training process to ensure the generalization ability in clean samples.
• Figure 2: T-SNE visualization of latent separability characteristic on ECG5000 of $D^{\text{left}} \text{(marker:}\circ\text{)} \cup D^{\text{right}} \text{(marker:} \times\text{)}\ $ at $f_{\theta}$: benign model, $f_{\theta'}$: TrojanTime trained backdoor model, $f_{\theta^{*}}$: backdoor model without logits alignment (threat model: InceptionTime, colors represent different classes).
• Figure 3: Output norm differences ($value = |norm_\text{bad} - norm_\text{clean}|$) of each channel by layer (dataset: Coffee model: InceptionTime).