Adversarial Attacks on Downstream Weather Forecasting Models: Application to Tropical Cyclone Trajectory Prediction

TL;DR

This work addresses the vulnerability of downstream tropical cyclone trajectory predictions to adversarial perturbations in upstream deep learning weather forecasts. It introduces Cyc-Attack, a two-stage pipeline that first trains a differentiable surrogate $\tilde{g}$ to approximate the black-box detector $g$, enabling gradient-based manipulation of upstream forecasts $\hat{\mathbf{Y}}$ toward a chosen trajectory $\hat{\mathbf{Z}}^*$; it further employs a skewness-aware loss with kernel dilation and distance-based gradient weighting to ensure realism. The approach demonstrates superior target TC trajectory disruption performance over baselines while maintaining stealth, and it provides insights into the detectability of such attacks by standard anomaly detectors. These results highlight critical security considerations in DLWF pipelines and motivate development of robust defenses and validation practices for downstream weather forecasting tasks.

Abstract

Deep learning based weather forecasting (DLWF) models leverage past weather observations to generate future forecasts, supporting a wide range of downstream tasks, including tropical cyclone (TC) trajectory prediction. In this paper, we investigate their vulnerability to adversarial attacks, where subtle perturbations to the upstream weather forecasts can alter the downstream TC trajectory predictions. Although research on adversarial attacks in DLWF models has grown recently, generating perturbed upstream forecasts that reliably steer downstream output toward attacker-specified trajectories remains a challenge. First, conventional TC detection systems are opaque, non-differentiable black boxes, making standard gradient-based attacks infeasible. Second, the extreme rarity of TC events leads to severe class imbalance problem, making it difficult to develop efficient attack methods that will produce the attacker's target trajectories. Furthermore, maintaining physical consistency in adversarially generated forecasts presents another significant challenge. To overcome these limitations, we propose Cyc-Attack, a novel method that perturbs the upstream forecasts of DLWF models to generate adversarial trajectories. First, we pre-train a differentiable surrogate model to approximate the TC detector's output, enabling the construction of gradient-based attacks. Cyc-Attack also employs skewness-aware loss function with kernel dilation strategy to address the imbalance problem. Finally, a distance-based gradient weighting scheme and regularization are used to constrain the perturbations and eliminate spurious trajectories to ensure the adversarial forecasts are realistic and not easily detectable.

Figures (12)

• Figure 1: Adversarial manipulation of Hurricane Irene's projected trajectory, generated using TempestExtremes software from the 10-day weather forecast of the GraphCast model, steering its original forecasted path (shown as blue line) towards a targeted region with extensive energy infrastructure (shown as red line).
• Figure 1: Impact of dilation radius $R$ on the segmentation performance of the pre-trained DeepLabV3+ (Xception backbone) used as the surrogate model, evaluated on a test set of 684 global 1° maps ($180 \times 360$ grid each) containing 578 TC and 41,701,822 non-TC locations.
• Figure 2: Adversarial attack on downstream tropical cyclone (TC) trajectory prediction.
• Figure 3: Results of applying 3 anomaly detection methods against adversarial upstream forecasts generated by different attack methods on TC dataset. Precision is the fraction of detected anomalies that are truly adversarial; Recall is the fraction of adversarial samples correctly detected; and F1-score is the harmonic mean of precision and recall. Smaller values imply higher attack effectiveness.
• Figure 4: Visualization of adversarial attacks. Top: Hurricane Delta (from 10/26/2020 to 11/05/2020); Bottom: Typhoon Haiyan (from 11/03/2013 to 11/13/2013). For each case, the left panel shows the original trajectory (blue) detected by TempestExtremes from upstream GraphCast forecasts and the adversarial target trajectory (red); the right panels show the produced by different baseline methods using the pretrained surrogate model.