Table of Contents
Fetching ...

The Ephemeral Threat: Assessing the Security of Algorithmic Trading Systems powered by Deep Learning

Advije Rizvani, Giovanni Apruzzese, Pavel Laskov

TL;DR

This paper investigates the security of DL-powered algorithmic trading systems in finance by introducing ephemeral perturbations (EP), a realistic, short-lived adversarial threat. It formalizes EP and develops the ATS Security Framework (ATS-SF) to enable end-to-end, system-wide security assessment of DL-based ATS. Through a custom, open-source ATS and two case studies (indiscriminate and targeted EP attacks), the study shows that EP can meaningfully reduce profitability (e.g., Sharpe Ratio and cumulative returns) even when model predictions degrade only marginally. The findings underscore the importance of evaluating security at the entire ATS level, not just the ML component, and motivate future defenses and more comprehensive robustness analyses in financial AI systems.

Abstract

We study the security of stock price forecasting using Deep Learning (DL) in computational finance. Despite abundant prior research on the vulnerability of DL to adversarial perturbations, such work has hitherto hardly addressed practical adversarial threat models in the context of DL-powered algorithmic trading systems (ATS). Specifically, we investigate the vulnerability of ATS to adversarial perturbations launched by a realistically constrained attacker. We first show that existing literature has paid limited attention to DL security in the financial domain, which is naturally attractive for adversaries. Then, we formalize the concept of ephemeral perturbations (EP), which can be used to stage a novel type of attack tailored for DL-based ATS. Finally, we carry out an end-to-end evaluation of our EP against a profitable ATS. Our results reveal that the introduction of small changes to the input stock prices not only (i) induces the DL model to behave incorrectly but also (ii) leads the whole ATS to make suboptimal buy/sell decisions, resulting in a worse financial performance of the targeted ATS.

The Ephemeral Threat: Assessing the Security of Algorithmic Trading Systems powered by Deep Learning

TL;DR

This paper investigates the security of DL-powered algorithmic trading systems in finance by introducing ephemeral perturbations (EP), a realistic, short-lived adversarial threat. It formalizes EP and develops the ATS Security Framework (ATS-SF) to enable end-to-end, system-wide security assessment of DL-based ATS. Through a custom, open-source ATS and two case studies (indiscriminate and targeted EP attacks), the study shows that EP can meaningfully reduce profitability (e.g., Sharpe Ratio and cumulative returns) even when model predictions degrade only marginally. The findings underscore the importance of evaluating security at the entire ATS level, not just the ML component, and motivate future defenses and more comprehensive robustness analyses in financial AI systems.

Abstract

We study the security of stock price forecasting using Deep Learning (DL) in computational finance. Despite abundant prior research on the vulnerability of DL to adversarial perturbations, such work has hitherto hardly addressed practical adversarial threat models in the context of DL-powered algorithmic trading systems (ATS). Specifically, we investigate the vulnerability of ATS to adversarial perturbations launched by a realistically constrained attacker. We first show that existing literature has paid limited attention to DL security in the financial domain, which is naturally attractive for adversaries. Then, we formalize the concept of ephemeral perturbations (EP), which can be used to stage a novel type of attack tailored for DL-based ATS. Finally, we carry out an end-to-end evaluation of our EP against a profitable ATS. Our results reveal that the introduction of small changes to the input stock prices not only (i) induces the DL model to behave incorrectly but also (ii) leads the whole ATS to make suboptimal buy/sell decisions, resulting in a worse financial performance of the targeted ATS.
Paper Structure (26 sections, 1 equation, 8 figures, 3 tables, 1 algorithm)

This paper contains 26 sections, 1 equation, 8 figures, 3 tables, 1 algorithm.

Figures (8)

  • Figure 1: Schema of an Algorithmic Trading System (ATS).The broker (e.g., a bank) sends stock-related data to a given organization which owns an ATS (dotted box). The ATS includes various DL models, used to make predictions on the basis of the input data. Such predictions are then used by the ATS to enact a given trading strategy, which must account for the available resources and decide what to do (i.e., buy/hold/sell). After making a decision, the resources are updated.
  • Figure 2: Architecture of our ATS-SF.Our framework has three environments that allow fine-grained control on the entire management pipeline of an ATS, thereby enabling security assessments.
  • Figure 3: Baseline ATS.We show the profitability of our self-developed ATS. The LSTM models effectively predict (avg RMSE=3.89) the future close price of the stocks in the portfolio (Fig. \ref{['sfig:dl_baseline']}). The ATS uses these predictions for its trading strategy, leading to trades that net a profit over-time, shown by increasing cumulative daily returns (Fig. \ref{['sfig:daily_returns_cumulative']}) and underscored by the Sharpe Ratio consistently above 0 (Fig. \ref{['sfig:sharpe_ratio']}).
  • Figure 4: Exemplary results of an EP.We showcase what happens if a DL predictor and overarching ATS are targeted by some of our proposed EP. The blue line represents the baseline performance (y-axis), whereas the others represent the effects of various EPs (targeting the same day, but with different $m$) over our test timeframe (x-axis).
  • Figure 5: Overall impact of our untargeted attacks.For each attacked day (of our 666 testing window), we compute: the difference between the Sharpe Ratio (SR) achieved by the ATS at the end of the simulation (i.e., at day 666) with the baseline SR (Fig. \ref{['sfig:sr']}); and the ratio between the cumulative returns (CR) achieved by the baseline ATS respect to when it is attacked by an EP. We then plot the distribution of these "impacts". For the SR (Fig. \ref{['sfig:sr']}) numbers below 0 means that the SR was degraded by the EP; whereas, for the CR (Fig. \ref{['sfig:cr']}), numbers below 1 means that the CR was degraded by the EP. Overall, the attack is very successful: for each considered magnitude ($\omega$=30,40,50) the EP leads to a lower sharpe ratio and inferior cumulative returns in most cases. This is evident by looking at the notches of the boxplots (indicating the mean).
  • ...and 3 more figures