Adversarial Robustness of Deep State Space Models for Forecasting

Sribalaji C. Anand, George J. Pappas

Abstract

State-space models (SSMs) for time-series forecasting have demonstrated strong empirical performance on benchmark datasets, yet their robustness under adversarial perturbations is poorly understood. We address this gap through a control-theoretic lens, focusing on the recently proposed Spacetime SSM forecaster. We first establish that the decoder-only Spacetime architecture can represent the optimal Kalman predictor when the underlying data-generating process is autoregressive - a property no other SSM possesses. Building on this, we formulate robust forecaster design as a Stackelberg game against worst-case stealthy adversaries constrained by a detection budget, and solve it via adversarial training. We derive closed-form bounds on adversarial forecasting error that expose how open-loop instability, closed-loop instability, and decoder state dimension each amplify vulnerability - offering actionable principles towards robust forecaster design. Finally, we show that even adversaries with no access to the forecaster can nonetheless construct effective attacks by exploiting the model's locally linear input-output behavior, bypassing gradient computations entirely. Experiments on the Monash benchmark datasets highlight that model-free attacks, without any gradient computation, can cause at least 33% more error than projected gradient descent with a small step size.

Paper Structure

This paper contains 25 sections, 4 theorems, 23 equations, 5 figures, 2 tables, 2 algorithms.

Key Result

Proposition 1

Let the underlying data-generating mechanism be a noiseless auto-regressive (AR) process: Then no class of linear SSMs [gu2021efficiently], except Spacetime, can exactly represent eq:prop.

Figures (5)

  • Figure B1: Problem setup: the adversary (red) injects attack signal into the data stream, producing corrupted input $\tilde{y}_k$ to the SSM-Forecaster. The detector uses $\tilde{y}_k$ and $\hat{y}_k$ to raise an alarm.
  • Figure C1: Spacetime architecture (left) and layer components (right). Here GeLU represents a Gaussian Error Linear Unit activation function, and Linear denotes a linear activation function.
  • Figure C2: Forecaster performance on test data excerpt (left) and distribution of absolute percentage errors (right). Mean Absolute Percentage Error: $6.53\%$.
  • Figure D1: Adversarial error as a function of $\ell$ (left) and $h$ (right), with approximately constant spectral radius across models in both experiments.
  • Figure E1: Adversarial error caused by PGD attacks, and data-driven attacks.

Theorems & Definitions (11)

  • Remark 1
  • Remark 2
  • Remark 3
  • Proposition 1
  • Proposition 2
  • proof
  • Remark 4
  • Proposition 3
  • proof
  • Theorem 1
  • ...and 1 more