Revisiting Backdoor Attacks on Time Series Classification in the Frequency Domain
Yuanmin Huang, Mi Zhang, Zhaoxiang Wang, Wenxuan Li, Min Yang
TL;DR
This work analyzes backdoor attacks on real-valued time series classification (TSC) through a frequency-domain lens, revealing that existing triggers misalign with model sensitivities in the frequency domain. It introduces FreqBack, which computes a frequency heatmap via a 1D DFT-based perturbation analysis and guides trigger generation to align with the victim model's frequency sensitivities, coupled with a regularized optimization objective. Empirical results across eight datasets and five models show FreqBack achieves an attack success rate (ASR) exceeding 90% with less than a 3% drop in clean accuracy, outperforming static, dynamic, and generative baselines while remaining robust to several defenses. The approach offers a scalable, efficient avenue for evaluating and exploiting TSC systems, and highlights the need for frequency-aware defenses and model design considerations in time-series security.
Abstract
Time series classification (TSC) is a cornerstone of modern web applications, powering tasks such as financial data analysis, network traffic monitoring, and user behavior analysis. In recent years, deep neural networks (DNNs) have greatly enhanced the performance of TSC models in these critical domains. However, DNNs are vulnerable to backdoor attacks, where attackers can covertly implant triggers into models to induce malicious outcomes. Existing backdoor attacks targeting DNN-based TSC models remain elementary. In particular, early methods borrow trigger designs from computer vision, which are ineffective for time series data. More recent approaches utilize generative models for trigger generation, but at the cost of significant computational complexity. In this work, we analyze the limitations of existing attacks and introduce an enhanced method, FreqBack. Drawing inspiration from the fact that DNN models inherently capture frequency domain features in time series data, we identify that improper perturbations in the frequency domain are the root cause of ineffective attacks. To address this, we propose to generate triggers both effectively and efficiently, guided by frequency analysis. FreqBack exhibits substantial performance across five models and eight datasets, achieving an impressive attack success rate of over 90%, while maintaining less than a 3% drop in model accuracy on clean data.
