Targeted Manipulation: Slope-Based Attacks on Financial Time-Series Data
Dominik Luszczynski
TL;DR
This paper addresses the vulnerability of financial time-series forecasting to adversarial manipulation by introducing two slope-based targeted attacks, General Slope Attack ($GSA$) and Least-Squares Slope Attack ($LSSA$), that embed a desired forecasting slope into the loss to decisively alter trends. The attacks are evaluated against a state-of-the-art N-HiTS forecasting model trained on 360 stocks from CRSP data, demonstrating the ability to double the forecast slope while evading simple detectors; the authors also integrate the slope objectives into a Generative Adversarial Network (A-GAN) to produce realistic adversarial inputs. The study shows that slope-based attacks can meaningfully distort predictions with small perturbations, and that A-GANs can generate believable synthetic data with comparable distributional properties, albeit with mode collapse challenges. Finally, the work highlights security risks across the entire ML pipeline, including model interfaces, and suggests directions for defense, robustness improvements, and broader application to time-series domains beyond finance.
Abstract
A common method of attacking deep learning models is through adversarial attacks, which occur when an attacker specifically modifies the input of a model to produce an incorrect result. Adversarial attacks have been deeply investigated in the image domain; however, there is less research in the time-series domain and very little for forecasting financial data. To address these concerns, this study aims to build upon previous research on adversarial attacks for time-series data by introducing two new slope-based methods aimed to alter the trends of the predicted stock forecast generated by an N-HiTS model. Compared to the normal N-HiTS predictions, the two new slope-based methods, the General Slope Attack and Least-Squares Slope Attack, can manipulate N-HiTS predictions by doubling the slope. These new slope attacks can bypass standard security mechanisms, such as a discriminator that filters real and perturbed inputs, reducing a 4-layered CNN's specificity to 28% and accuracy to 57%. Furthermore, the slope based methods were incorporated into a GAN architecture as a means of generating realistic synthetic data, while simultaneously fooling the model. Finally, this paper also proposes a sample malware designed to inject an adversarial attack in the model inference library, proving that ML-security research should not only focus on making the model safe, but also securing the entire pipeline.