BadTime: An Effective Backdoor Attack on Multivariate Long-Term Time Series Forecasting
Kunlan Xiang, Haomiao Yang, Meng Hao, Wenbo Jiang, Haoxin Wang, Shiyue Huang, Shaofeng Li, Yijing Liu, Ji Guo, Dusit Niyato
TL;DR
This work identifies a critical security gap in multivariate long-term time series forecasting (MLTSF) by introducing BadTime, the first backdoor attack tailored for MLTSF. BadTime employs a two-phase approach: a data-poisoning phase that uses GAT-based variable selection, lag-aware trigger placement, and a hybrid sample-selection strategy, and a backdoor training phase featuring a decoupled, multi-objective loss with iterative trigger optimization. The method achieves a long attack horizon (up to 720 timesteps) and reduces the target-variable forecast error by over 50% relative to prior attacks, while significantly improving stealth against anomaly detectors and remaining effective even at a 1% poisoning rate. These results demonstrate a substantial threat to MLTSF deployments and underscore the need for robust defenses and auditing of training pipelines in critical domains.
Abstract
Multivariate long-term time series forecasting (MLTSF) models are increasingly deployed in critical domains such as climate, finance, and transportation. Despite their growing importance, the security of MLTSF models against backdoor attacks remains entirely unexplored. To bridge this gap, we propose BadTime, the first effective backdoor attack tailored for MLTSF. BadTime can manipulate hundreds of future predictions toward a target pattern by injecting a subtle trigger. BadTime addresses two key challenges that arise uniquely in MLTSF: (i) the rapid dilution of local triggers over long horizons, and (ii) the extreme sparsity of backdoor signals under stealth constraints. To counter dilution, BadTime leverages inter-variable correlations, temporal lags, and data-driven initialization to design a distributed, lag-aware trigger that ensures effective influence over long-range forecasts. To overcome sparsity, it introduces a hybrid strategy to select valuable poisoned samples and a decoupled backdoor training objective that adaptively adjusts the model's focus on the sparse backdoor signal, ensuring reliable learning at a poisoning rate as low as 1%. Extensive experiments show that BadTime significantly outperforms state-of-the-art (SOTA) backdoor attacks on time series forecasting by extending the attackable horizon from at most 12 timesteps to 720 timesteps (a 60-fold improvement), reducing MAE by over 50% on target variables, and boosting stealthiness by more than 3-fold under anomaly detection.
