Adversarial Observations in Weather Forecasting

TL;DR

This work demonstrates that AI-based weather forecasting with autoregressive diffusion, such as GenCast, is vulnerable to adversarial observations that can fabricate extreme weather or conceal real events while keeping perturbations within plausible noise bounds. It introduces a novel attack framework that approximates the diffusion inference across multiple noise levels, with a per-variable perturbation constraint, and shows superior performance over baselines across diverse locations and events. Using ERA5 data, the authors quantify that perturbations as small as $\epsilon$ can yield dramatic forecast deviations (e.g., wind up to $30.7\,\mathrm{m/s}$, temperature up $\sim$ $24.6$°C, precipitation up to $221\,\mathrm{mm}$ in 12 hours) and can obscure major historical events like Cyclone Amphan, the 2006 European heat wave, and Hurricane Katrina. The study also finds that simple statistical detection via a chi-square test for variance would rarely detect such attacks, underscoring the urgency of robust data-provenance and defense strategies before large-scale deployment of AI-based weather models.

Abstract

AI-based systems, such as Google's GenCast, have recently redefined the state of the art in weather forecasting, offering more accurate and timely predictions of both everyday weather and extreme events. While these systems are on the verge of replacing traditional meteorological methods, they also introduce new vulnerabilities into the forecasting process. In this paper, we investigate this threat and present a novel attack on autoregressive diffusion models, such as those used in GenCast, capable of manipulating weather forecasts and fabricating extreme events, including hurricanes, heat waves, and intense rainfall. The attack introduces subtle perturbations into weather observations that are statistically indistinguishable from natural noise and change less than 0.1% of the measurements - comparable to tampering with data from a single meteorological satellite. As modern forecasting integrates data from nearly a hundred satellites and many other sources operated by different countries, our findings highlight a critical security risk with the potential to cause large-scale disruptions and undermine public trust in weather prediction.

Figures (6)

• Figure 1: Locations of satellite observations (blue ) and grid points (gray ) for a single prediction step. The satellite paths are computed based on the orbital elements of METOP-B, METOP-C and NOAA 15 as measured by NORAD celetrak.
• Figure 2: Resulting mean deviation induced by adversarial observations of different sizes. The average deviation of wind speed, temperature and precipitation as well as the 90% confidence interval across all target locations and times are shown. The attacker goal is to achieve the threshold for 99% extreme weather deviations with minimal noise increase.
• Figure 3: Mean required noise increase at different locations. The dashed line shows a linear regression of the required noise. The mean increase in noise required to fabricate an extreme weather prediction grows with increasing distance from the equator.
• Figure 4: Predicted precipitation at the peak of Cyclone Amphan. The forecast is shown $($a$)$ without attack and $($b$)$ after including adversarial observations. The dashed rectangle depicts the target region of the attack. The precipitation is expressed as mm over a 12-hour period.
• Figure 5: Predicted temperature at the peak of the European Heat Wave 2006. The forecast is shown $($a$)$ without attack and $($b$)$ after including adversarial observations. The dashed rectangle depicts the target region of the attack.