Concealed Adversarial attacks on neural networks for sequential data

Petr Sokerin, Dmitry Anikin, Sofia Krehova, Alexey Zaytsev

TL;DR

The paper investigates adversarial vulnerabilities in time-series classifiers and introduces a concealed adversarial attack that jointly optimizes a target-model loss and a discriminator-based concealment loss. It formalizes the method with a target model $f$, a discriminator $D$, and an attack $h$, using an aggregation $g$ to combine losses, and trains a discriminator with curriculum-style exposure to progressively weaker perturbations. A practical pipeline is proposed: generate weak adversarial data, train a discriminator on it, and perform a final attack that optimizes along $g$; the final perturbations aim to mislead $f$ while remaining undetectable by $D$. Empirical evaluation on six UCR time-series datasets across four architectures (ResCNN, RNNAttention, PatchTST, S4) shows that Sum and Harmonic Regularizations substantially improve concealability and often overall success compared to vanilla attacks and the SGM baseline, though black-box attacks like SimBA remain difficult to conceal. These findings highlight a growing need for robust defenses against realistic adversarial threats in time-series domains and point to future work on adaptive regularization and cross-model defenses.

Abstract

The emergence of deep learning led to the broad usage of neural networks in the time series domain for various applications, including finance and medicine. While powerful, these models are prone to adversarial attacks: a benign targeted perturbation of input data leads to significant changes in a classifier's output. However, formally small attacks in the time series domain become easily detected by the human eye or a simple detector model. We develop a concealed adversarial attack for different time-series models: it provides more realistic perturbations, being hard to detect by a human or model discriminator. To achieve this goal, the proposed adversarial attack maximizes an aggregation of a classifier and a trained discriminator loss. To make the attack stronger, we also propose a training procedure for a discriminator that provides broader coverage of possible attacks. Extensive benchmarking on six UCR time series datasets across four diverse architectures - including recurrent, convolutional, state-space, and transformer-based models - demonstrates the superiority of our attack for a concealability-efficiency trade-off. Our findings highlight the growing challenge of designing robust time series models, emphasizing the need for improved defenses against realistic and effective attacks.
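The discriminator-training step of the pipeline described in the TL;DR and the abstract (expose the detector first to strong, then to progressively weaker perturbations), written from the defender's side as an added example; this is not the paper's code. Everything in it is an assumption: the clean data are constructed noisy sinusoids, a random-sign jitter of amplitude `eps` stands in for the output of a vanilla attack such as FGSM, two hand-picked roughness features feed a logistic-regression discriminator, and the names `curriculum_train`, `run_demo` and the schedule `(0.2, 0.1, 0.05)` are invented for the illustration.

```python
"""Curriculum-trained detector for adversarial artefacts in time series.

Added example, not the paper's implementation. Clean series and the
perturbation model are constructed here so the script runs offline.
"""
import math
import random

LENGTH = 64  # points per series (assumption)


def make_clean(n, rng):
    """Constructed clean data: sinusoids with 1-3 cycles plus mild Gaussian noise."""
    series = []
    for _ in range(n):
        cycles = rng.uniform(1.0, 3.0)
        phase = rng.uniform(0.0, 2 * math.pi)
        series.append([math.sin(2 * math.pi * cycles * t / LENGTH + phase)
                       + rng.gauss(0.0, 0.01) for t in range(LENGTH)])
    return series


def jitter(x, eps, rng):
    """Stand-in for vanilla attack output: per-point random-sign steps of size eps
    (the high-frequency artefacts that make such attacks easy to spot)."""
    return [v + eps * rng.choice((-1.0, 1.0)) for v in x]


def features(x):
    """Two roughness features: mean |first difference| and the ratio of
    mean |second difference| to it. Sign-flipping artefacts drive both up."""
    d1 = [abs(x[i + 1] - x[i]) for i in range(len(x) - 1)]
    d2 = [abs(x[i + 2] - 2 * x[i + 1] + x[i]) for i in range(len(x) - 2)]
    m1 = sum(d1) / len(d1)
    m2 = sum(d2) / len(d2)
    return [m1, m2 / (m1 + 1e-9)]


def _sigmoid(z):
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    e = math.exp(z)
    return e / (1.0 + e)


class Discriminator:
    """Logistic regression on features standardized with clean-data statistics."""

    def __init__(self, clean):
        feats = [features(x) for x in clean]
        self.mean = [sum(f[k] for f in feats) / len(feats) for k in range(2)]
        self.std = [math.sqrt(sum((f[k] - self.mean[k]) ** 2 for f in feats)
                              / len(feats)) + 1e-9 for k in range(2)]
        self.w = [0.0, 0.0]
        self.b = 0.0

    def _z(self, x):
        f = features(x)
        return [(f[k] - self.mean[k]) / self.std[k] for k in range(2)]

    def prob_attacked(self, x):
        z = self._z(x)
        return _sigmoid(self.w[0] * z[0] + self.w[1] * z[1] + self.b)

    def fit(self, xs, ys, epochs=300, lr=0.1):
        """Plain batch gradient descent on the mean logistic loss."""
        zs = [self._z(x) for x in xs]
        n = len(xs)
        for _ in range(epochs):
            gw, gb = [0.0, 0.0], 0.0
            for z, y in zip(zs, ys):
                err = _sigmoid(self.w[0] * z[0] + self.w[1] * z[1] + self.b) - y
                gw[0] += err * z[0]
                gw[1] += err * z[1]
                gb += err
            self.w[0] -= lr * gw[0] / n
            self.w[1] -= lr * gw[1] / n
            self.b -= lr * gb / n


def curriculum_train(clean, eps_schedule, rng):
    """Strong-to-weak curriculum: each stage pairs the clean set with freshly
    jittered copies at the current eps, so later stages refine a boundary the
    earlier, easier stages already found."""
    disc = Discriminator(clean)
    for eps in eps_schedule:  # descending, e.g. (0.2, 0.1, 0.05)
        attacked = [jitter(x, eps, rng) for x in clean]
        disc.fit(clean + attacked, [0.0] * len(clean) + [1.0] * len(attacked))
    return disc


def detection_rate(disc, xs, threshold=0.5):
    return sum(disc.prob_attacked(x) >= threshold for x in xs) / len(xs)


def run_demo(seed=0):
    """Returns false-positive rate on held-out clean series and detection rate
    on the weakest perturbation level of the curriculum (eps = 0.05)."""
    rng = random.Random(seed)
    disc = curriculum_train(make_clean(200, rng), (0.2, 0.1, 0.05), rng)
    test_clean = make_clean(200, rng)
    test_attacked = [jitter(x, 0.05, rng) for x in test_clean]
    return {"fpr": detection_rate(disc, test_clean),
            "tpr": detection_rate(disc, test_attacked)}


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` trains the detector on 200 constructed series and reports how often it flags held-out clean series (should be rare) and how often it catches jitter at the final, weakest level of the schedule. The point of the descending schedule is the one the paper makes for its discriminator: a detector trained only on strong artefacts is easy to get past with a smaller perturbation, so the later stages deliberately shrink `eps` to widen the detector's coverage. A concealed attack in the paper's sense is exactly one that also drives such a detector's score down, which is why the detector's false-negative rate at small `eps` is the quantity a defender should track.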

Paper Structure

This paper contains 30 sections, 8 equations, 6 figures, 2 tables, 2 algorithms.

Figures (6)

  • Figure 1: Examples of common adversarial attacks (FGSM) in the computer vision domain (a) and the time series domain (b). In computer vision, adversarially perturbed and original images appear nearly identical to the human eye. In the time series domain, standard adversarial attacks introduce noticeable artefacts, making them easily detectable. Our regularized approach generates more natural-looking perturbations, enhancing attack concealment.
  • Figure 2: Pipeline of definition (a) and validation (b) for an adversarial attack with the discriminator regularization. Firstly, we train the target model for an attack. Then, we generate adversarial data with a vanilla attack to train discriminator models to classify whether the data object has been attacked or not. The next step is to apply a final attack on the original data to generate perturbed data objects to compromise both the target model and the discriminator. Finally, we get Efficiency and Concealability metrics to estimate the results of our final attack.
  • Figure 3: The successfulness of iFGSM with sum regularization versus two baseline approaches for different pairs of models and datasets: for almost all experiments, our approach outperforms vanilla attack (a) and SGM baseline (b).
  • Figure 4: Successfulness for different models (the greater, the better). The performance of different regularization types varies depending on the model's architecture.
  • Figure 5: The iFGSM with sum regularization for almost all experiments outperforms the vanilla attack version (a) and the SGM baseline (b).
  • ...and 1 more figure