
1 School of Computer and Mathematical Sciences, University of Adelaide, 5000, SA, Australia
2 Institute of Plasma Physics and Technology, Jiangsu Key Laboratory of Thin Films, School of Physical Science and Technology, Soochow University, Suzhou 215006, China

Correlation Analysis of Adversarial Attack in Time Series Classification

Zhengyang Li (1), Wenhao Liang (1), Chang Dong (1, Email: [email protected]), Weitong Chen (1), Dong Huang (2)
Abstract

This study investigates the vulnerability of time series classification models to adversarial attacks, with a focus on how these models process local versus global information under such conditions. Leveraging the Normalized Auto Correlation Function (NACF), we explore the inclination of neural networks toward local or global information. It is demonstrated that regularization techniques, particularly those employing Fast Fourier Transform (FFT) methods and targeting the frequency components of perturbations, markedly enhance the effectiveness of attacks. Meanwhile, defense strategies such as noise introduction and Gaussian filtering are shown to significantly lower the Attack Success Rate (ASR), with noise-based approaches proving notably effective in countering high-frequency distortions. Furthermore, models designed to prioritize global information are revealed to possess greater resistance to adversarial manipulations. These results underline the importance of designing attack and defense mechanisms informed by frequency domain analysis as a means to considerably reinforce the resilience of neural network models against adversarial threats.

Keywords:
Time Series Classification · Correlation Function · Local vs Global Information Preference · Adversarial Attack vs Defense.

1 Introduction

Recently, time series data has become increasingly prevalent. As we transition into the era of Industry 4.0, countless sensors generate vast volumes of time series data [1, 2, 3]. Correspondingly, the application of deep neural networks (DNNs) to time series classification (TSC) has surged in popularity [1, 4]. However, DNNs are vulnerable to minor perturbations in the input data, which often lead to misclassification; this low resistance to external perturbation has attracted significant attention from the research community across various domains [5, 6, 7, 8, 9].

Figure 1: A diagram illustrating the susceptibility of neural networks to external noise. Here $f$ represents the model, $x_{1}$ and $x_{2}$ are samples, $r$ denotes the perturbation, and $\epsilon$ signifies the maximum allowable magnitude of $r$.

As illustrated in Figure 1, even a minor change to the input image can push a Deep Neural Network (DNN) across its decision boundary and cause a misclassification, which underscores the vulnerability of neural networks to external noise. Such errors raise considerable concerns and risks, especially when these technologies are deployed in real-world scenarios [10], and substantial evidence of this has been gathered in the field of computer vision (CV). For example, a “Stop Sign” can be made to be classified as “Speed Limit” by adding specific patterns to the surface of the sign, while it is still recognized as a stop sign by the human eye [11], which can have severe consequences for a self-driving automobile.

Moreover, time series data, which have been endorsed as an important research aspect in medical, financial and engineering domains [12], also suffer from signal distortions during transmission or deliberate manipulations by malicious entities or noise generated by the environment. Given that many TSC models are pivotal in medical sectors [13, 14, 15], the consequences of successful adversarial attacks can be even more devastating. Therefore, researchers are striving to devise robust defense against these malevolent activities by developing techniques of adversarial attacks to detect the faults of TSC models.

Most algorithms for TSC attacks have been directly adapted from those in CV. For instance, the Fast Gradient Sign Method (FGSM) [8] achieves successful but easily detectable attacks, owing to the distinctive saw-tooth pattern it leaves in the time series. To mitigate this, Gautier et al. introduced regularization in the form of a Smooth Gradient Method (SGM) to enhance the stealthiness of the attacks [16], albeit at the expense of the Attack Success Rate (ASR). Chang et al. [17] proposed the SWAP attack, which aims to improve the ASR while minimizing the distance level by adjusting the logits. Despite their effectiveness, these strategies, originating from CV, do not fully illuminate the impact of adversarial patterns on model predictions within TSC.

To bridge this gap, our study turns to a traditional signal processing tool: the correlation function, renowned for its capability to examine a system’s response to external stimuli. Here, the correlation function is applied as a regularization term in adversarial attacks to thoroughly investigate how neural networks differentiate between local and global information during training, and their consequent vulnerability to adversarial threats. Specifically, this paper employs the Normalized Auto Correlation Function (NACF) to dissect neural networks’ tendencies, marking a pivotal contribution to understanding and enhancing TSC model resilience against adversarial attacks. The main contributions of this work can be summarised as follows:

• It benchmarks an analysis of adversarial perturbations’ impact on time series classification models and assesses the defense strategies, thereby broadening the understanding of model vulnerabilities and mitigation techniques.

• Utilizing the Normalized Auto Correlation Function (NACF), the research reveals neural networks’ propensity for prioritizing local over global information under adversarial conditions, contributing novel insights into model biases and processing tendencies.

• The effectiveness of frequency-focused regularization techniques, particularly those employing Fast Fourier Transform (FFT) methods, and the superior resilience of models emphasizing global information processing, underscore the importance of frequency domain analysis in developing robust defense mechanisms.

2 Related Works

2.1 Preliminary of Adversarial Attack

In time series classification, an adversarial attack refers to a malicious attempt to introduce slight perturbations to a time series $x\in\mathbb{R}^{d}$ to produce a closely related series $x'=x+r$ ($x'\in\mathbb{R}^{d}$) with the goal of altering the predicted label. This can be mathematically characterized by the equation:

$$\text{argmax}\ \{f(x)\}\neq\text{argmax}\ \{f(x+r)\},\quad\text{s.t.}\ \|r\|^{2}\ll\|x\|^{2}. \tag{1}$$

Here, $f(x)$ represents the predicted probability distribution over the labels for the input $x$, and the perturbation $r$ is intentionally small in magnitude relative to $x$, as indicated by their norms. In GM (gradient method) based attacks, including SWAP, the perturbed logits and the target logits form the main part of the loss function, which measures the difference between the two distributions.

2.2 Adversarial Attacks

There are two main streams of adversarial attacks: White-Box and Black-Box. White-Box attacks, where the attacker has access to the model’s architecture, dataset, and parameters, facilitate gradient-based strategies. In contrast, Black-Box attacks operate with limited information, making them more challenging. Most attack methods have been developed as white-box attacks targeting image classification, in order to examine the trustworthiness of the model. Goodfellow et al. [8] introduced the Fast Gradient Sign Method (FGSM), a straightforward approach that generates perturbations by moving in the gradient direction with a small scalar step. Madry et al. [7] expanded on this with Projected Gradient Descent (PGD), an iterative version of FGSM. Similarly, Kurakin et al. [16] proposed the Basic Iterative Method (BIM), which seeks perturbations that maximize the loss for an input while the noise amplitude is clipped under a threshold ($\epsilon$) to conceal obvious perturbations. Carlini et al. [18] framed the attack as an optimization problem that minimizes the distance (e.g. the $\mathcal{L}_{2}$ norm) between the original sample and the adversarial sample upon a successful attack (the C&W method). Notably, SWAP highlights the use of KL-divergence and the strategic selection of labels to challenge the original prediction effectively [17]. This targeted-label approach, as evidenced in preliminary experiments, yields a higher ASR than random target selection methods like PGD.

2.3 Adversarial Defense

On the defense side, Papernot et al. [19] introduced a distillation-based approach to transfer knowledge from a complex network to simpler ones, enhancing resilience to adversarial attacks and improving generalization against adversarial samples. Madry et al. [7] developed an adversarial training method, framing it as a min-max optimization problem that integrates both adversarial and original samples during training to enhance model robustness. Expanding on this, Kannan et al. [20] employed a logit pairing technique to minimize the difference in logits between original and adversarial samples, adding a regularizer to the training process. Similarly, Ma et al. [21] approached defense by minimizing empirical risk through adversarial training, introducing a second-order adversarial regularizer based on a Taylor series expansion for robustness improvement. Additionally, Samangouei et al. [22] utilized a Wasserstein GAN framework for adversarial training, aiming to reconstruct original images from adversarial samples by minimizing reconstruction errors.

3 Proposed Method

3.1 Theoretical Analysis

3.1.1 Similarity Measured by the Correlation Function.

Suppose we have two infinitely long discrete time series, $x$ and $x'=x+r$, where $r$ represents a residual or noise sequence. We aim to calculate their degree of similarity.

$$\text{Time-Lagged Correlation}_{xx'}(\tau)=\langle(x(t)-\bar{x})(x'(t+\tau)-\bar{x'})\rangle. \tag{2}$$

In this equation, $\tau$ represents the time delay, a parameter that allows us to explore the correlation between the sequences at various intervals. Specifically, $x(t)$ denotes the value of the first time series at time point $t$, and $x'(t+\tau)$ corresponds to the value of the second time series at time point $t+\tau$. This latter value can be seen as the first series displaced by a time delay $\tau$, potentially incorporating noise or other modifications. The symbols $\bar{x}$ and $\bar{x'}$ represent the mean values of the time series $x(t)$ and $x'(t)$, respectively, and $\langle\cdot\rangle$ denotes the average over $t$. This formulation captures how the similarity between two time series evolves as they are shifted relative to each other over time. By summing over the time series, we obtain a measure of the similarity between the two time series:

$$\text{Correlation Sum}_{xx'}=\lim_{N\rightarrow\infty}\frac{1}{N}\sum_{\tau=0}^{N-1}(x(t)-\bar{x})(x'(t+\tau)-\bar{x'}). \tag{3}$$

Here $N$ is the length of the time series. We then introduce a weight function $w(\tau,k)$ into the summation:

$$w(\tau,k)=\frac{(1+e^{-(\tau-k)})^{-1}}{\sum_{\tau=0}^{N-1}(1+e^{-(\tau-k)})^{-1}}, \tag{4}$$

where the parameter $k$, referred to as the “midpoint”, is the critical value at which the sigmoid function reaches the value $1/2$. By incorporating the weight function $w(\tau,k)$ into the similarity calculation during the summation, we derive a weighted similarity measure:

$$\text{Weighted Corr Sim}_{xx'}(k)=\lim_{N\rightarrow\infty}\sum_{\tau=0}^{N-1}w(\tau,k)\cdot(x(t)-\bar{x})(x'(t+\tau)-\bar{x'}). \tag{5}$$

This Weighted Correlation Similarity measure can be incorporated into the overarching loss function of a neural network, serving as a regularization component alongside the cross-entropy:

$$\mathcal{L}=H(P,Q)+a\cdot\text{Weighted Corr Sim}_{xx'}(k), \tag{6}$$

where $H(P,Q)$ represents the cross-entropy loss and $a$ is a weight coefficient that balances the two terms. Adapting the midpoint parameter $k$ provides an additional lever to fine-tune the attention of the neural network, during an adversarial attack, towards either more local or more global features within the time series, depending on the specific requirements of the application.

This mathematical framework, inspired by principles from the linear response theory [23], draws a parallel between the dynamic behavior of physical systems under perturbation and the response of neural networks to adversarial inputs. In essence, it provides a robust theoretical foundation for leveraging time-lagged correlations as a metric for assessing and enhancing the robustness of machine learning models against adversarial attacks, grounding the approach in well-established scientific concepts.

3.1.2 Pre-experiment.

In this preliminary experiment, using the weighted similarity of Eq. (5) as regularization, we investigate the influence of the sigmoid function’s midpoint on the model’s vulnerability to adversarial attacks. Through an empirical study across 128 datasets using the Inception Time model, we explored the relationship between the midpoint position of the sigmoid function and the attack success rate (ASR).

Figure 2: This scatter plot visualizes the relationship between the sigmoid function’s midpoint position, expressed as a percentage of its range (X-axis), and the Normalized Attack Success Rate (Relative ASR) (Y-axis). The Y-axis values are normalized to the highest ASR observed across trials on the same dataset with varying midpoints $k$ of the sigmoid function.

For each dataset, after training the model, we randomly selected ten midpoints in logarithmic space and subjected the trained models to attacks, calculating the ASR at each midpoint. Given the significant variance in ASR across datasets, we normalized the ASRs within each dataset against the highest ASR observed, obtaining a relative ASR. Adjusting the midpoint allowed us to control the neural network’s focus on specific scales of the time series. Statistically, in Figure 2, we observed a trend where an increase in the midpoint led to a gradual decline in the relative ASR, suggesting that the model, during training, tends to focus more on local (small $\tau$, high-frequency) information than on global (large $\tau$, low-frequency) information.

Based on these findings, we hypothesize that introducing a regularization mechanism that increases the frequency content of $r$ could enhance the effectiveness of attacks. Conversely, encouraging the model to focus more on global information during training could improve its robustness. To test this hypothesis, we devised two regularization methods aimed at increasing the frequency of $r$:

• Applying a fast Fourier transform (FFT) to $r$, multiplying it by a function similar to the sigmoid used previously, and then performing an inverse FFT. This transformed $r$ with its associated weight is then used as a regularization term in the loss function. Let the Fast Fourier Transform and its inverse be denoted by FFT and $\text{FFT}^{-1}$ (fft and ifft), respectively. Using this low-frequency-based regularization term, the following loss enforces that the perturbation $r$ has more high-frequency components:

$$\mathcal{L}_{\text{FFT}}=H(P,Q)+a_{1}\cdot\text{FFT}^{-1}(\text{FFT}(r)\cdot w(t)). \tag{7}$$

• Starting from the concept of correlation and focusing on the limit case $\tau=0$, the correlation of $x$ and $y$ ($y=x+r$) simplifies to the cosine similarity between $x$ and $y$. By maximizing this cosine similarity, we aim to increase the high-frequency components of $r$.

$$\mathcal{L}_{\text{COS}}=H(P,Q)+a_{2}\cdot\log_{10}\left(\frac{x\cdot x'}{|x||x'|}+1\right). \tag{8}$$

Here, $H(P,Q)$ represents the cross-entropy loss, and $a_{1}$ and $a_{2}$ ($a_{2}<0$) are weight coefficients that balance the regularization term against the cross-entropy loss.

These approaches are grounded in the observation that models trained with a focus on capturing global information exhibit increased robustness to adversarial attacks, suggesting a promising direction for enhancing model security against such threats.

3.2 Attack and Defense Framework

Figure 3: Proposed attack and defense framework for time series classification models. The green pathway shows how a conventional model is trained, and the red pathway shows how the perturbation $r$ is learned by the framework.

Figure 3 elucidates the structure of our comprehensive attack and defense framework. During forward propagation, an input first traverses a defense layer, where it takes one of three paths: direct passage without any augmentation; Gaussian filtering for smoothing; or the introduction of white noise, before being forwarded to the neural network. For conventional classification tasks, a neural network typically consists of an encoder, a fully connected layer, and a softmax layer. In this paper, we explore five distinct models, each representing a different mainstream neural network architecture, with specifics detailed later. After the fully connected layer, the cross-entropy between the predicted and actual labels is computed and backpropagated. In adversarial attacks, the objective is to minimize the cross-entropy between the predicted distribution and a desired distribution $P$, a concept derived from the SWAP paper [17], which swaps the labels of the highest and second-highest probabilities. During back propagation, rather than updating the model $f$, the perturbation $r$ is adjusted, and the modified input $x+r$ is fed back into the network. This architectural design allows us to examine the efficacy and drawbacks of various attack and defense strategies, as well as to assess different models. The results of these experiments are detailed in the following section.

4 Experiments and Results

4.1 Experimental Setup

4.1.1 Dataset.

To validate the effectiveness of attacks and defenses on TSC models, the UCR2018 datasets [24] were used to train the models. These 128 datasets span a diverse range of real-world domains, including healthcare, agriculture, finance, engineering and more. Each dataset comprises a distinct number of samples, all of which have been pre-partitioned into training and testing sets.

4.1.2 Models.

Here, we use five different models, namely Inception Time v4 [17], LSTM-FCN, MACNN, ResNet18, TS2V [25]. These five models represent several different neural network architectures that are currently mainstream.

4.1.3 Evaluation Metrics.

For a rigorous and equitable comparison with existing methodologies, the Attack Success Rate (ASR) and the Mean Success Distance (MSD, based on the $\mathcal{L}^{2}$ distance) are used as our metrics for evaluating the performance of attack and defense mechanisms. ASR quantifies the effectiveness of an attack as the ratio of misclassified adversarial samples to the total number of adversarial samples generated. Meanwhile, MSD measures the effectiveness and subtlety of an attack by averaging the $\mathcal{L}^{2}$ distance between original samples and their corresponding adversarial samples.

4.1.4 Implementation Details.

Our models were developed using PyTorch 2.0, diverging from the TensorFlow-based baseline [17], while the training parameters remained consistent. Our experiments were executed on a server outfitted with Nvidia RTX 4090 GPUs, 128 GB RAM, and dual Xeon E5-2667 v4 processors. We standardized training across all models to 1000 epochs, while adversarial attacks were run for 100 epochs to gauge their impact.

4.2 Attack Performance Comparison

Table 1: Attack Performance Comparison on Models Without Defense
Model \ Attack  PGD           SWAP          SWAP($\mathcal{L}^{2}$)  COS           FFT
                ASR    MSD    ASR    MSD    ASR    MSD              ASR    MSD    ASR    MSD
Inception       0.648  1.325  0.736  1.060  0.735  0.935            0.736  1.064  0.738  0.740
LSTMFCN         0.639  1.373  0.726  1.150  0.723  0.979            0.726  1.157  0.729  0.645
MACNN           0.513  0.697  0.580  0.831  0.402  0.262            0.581  0.836  0.594  0.489
ResNet18        0.869  0.656  0.907  0.501  0.906  0.431            0.907  0.505  0.908  0.323
TS2V            0.508  1.275  0.651  1.361  0.441  0.541            0.652  1.365  0.653  0.855

We begin our discussion with Table 1, where we evaluate five adversarial attack methods, PGD, SWAP, SWAP($\mathcal{L}^{2}$), COS, and FFT, across five neural network architectures to assess the universality of our results. Notably, the FFT approach, which increases the frequency content of $r$, consistently achieves a higher ASR and lower MSD in the majority of cases. Conversely, the SWAP($\mathcal{L}^{2}$) regularization method exhibits a significant decline in ASR when MSD values are low, suggesting potential limitations in its effectiveness. Meanwhile, the efficacy of COS regularization remains less evident, possibly due to suboptimal parameter settings, highlighting an avenue for further experimentation.

Our custom implementation of SWAP notably outperforms the Classic Gradient Method (PGD), affirming the validity of the SWAP approach and reinforcing the reliability of our experimental outcomes. This study deliberately omits comparisons with other methods, focusing instead on validating our hypothesis: that perturbations of $x$ which concentrate on local correlation (higher frequency) enhance attack success. This is further substantiated by adding the regularization to SWAP (rather than PGD), allowing for a controlled-variable analysis. Our observations reveal that PGD can lead to unstable ASR values across multi-label datasets, attributable to its decision-space directionality. In contrast, SWAP demonstrates remarkable stability, underscoring the strategic advantage of our chosen methodology.

Figure 4: Comparison of Attack Success Rate (ASR) and Mean Success Distance (MSD) among the PGD (GM), SWAP, SWAP($\mathcal{L}^{2}$), COS, and FFT algorithms.

In Figure 4, we evaluate the efficacy and subtlety of the five adversarial attack methodologies. This figure contrasts the Attack Success Rate (ASR) and Mean Success Distance (MSD) across these methods. A data point positioned above the $y=x$ line in the ASR comparison signifies superior performance of the corresponding Y-axis method over its X-axis counterpart. Conversely, for the MSD comparison, a point below the $y=x$ line indicates a more effective minimization of the perturbation by the Y-axis method. Specifically, the comparisons between SWAP and PGD (GM) in subfigures (a) and (e) indicate SWAP’s superiority in ASR across numerous datasets without a significant reduction in MSD, hinting at the influence of the chosen target label on the results. Moreover, the slight advantage of COS over SWAP in ASR, as shown in subfigures (c) and (g), alongside almost identical MSD values, underscores the unrealized potential of COS regularization, necessitating further experimental validation. The FFT method, as evaluated in subfigures (d) and (h), not only surpasses SWAP in ASR across the majority of datasets but also demonstrates a lower MSD, aligning with our initial hypothesis regarding the effectiveness of higher-frequency perturbations. Our observation reveals that FFT, by emphasizing higher-frequency modifications in $r$, consistently achieves a better ASR and lower MSD across most datasets, suggesting its efficiency in generating subtle and successful adversarial samples.

4.3 Defense Performance Comparison

Figure 5: This box plot presents comprehensive experimental results across selected models, each embodying a mainstream neural network architecture. Distinct colors denote various defense methods. For each subplot, the initial column illustrates the test accuracy, while the subsequent five columns detail the Attack Success Rate (ASR) against five distinct attack methodologies.

In our subsequent analysis, we assess the efficacy of employing noise and Gaussian filtering as defense mechanisms. Figure 5 encapsulates the entirety of our experimental data, spanning from subgraphs (a) to (e), each delineating different models. Within each subplot, the leftmost column delineates the model’s test accuracy, followed by five columns representing the ASR for diverse attack methodologies. Distinct coloration signifies varied attack methods. A preliminary examination of test accuracy reveals that lighter models such as Inception v4, LSTM-FCN, and MACNN exhibit a decrement in test performance upon the integration of noise as a defensive strategy. Intriguingly, the TS2V model demonstrates a significant augmentation in test accuracy when training incorporates augmentation, a phenomenon warranting further discussion. Moreover, our observations indicate that models fortified with Gaussian smoothing (filtering) slightly outperform their counterparts employing noise in terms of test set performance. This suggests that discarding high-frequency information exerts a lesser adverse impact on data integrity compared to the substitution of erroneous high-frequency information.

Table 2: Comparison on Models With White Noise Augmentation
Model \ Attack  PGD           SWAP          SWAP($\mathcal{L}^{2}$)  COS           FFT
                ASR    MSD    ASR    MSD    ASR    MSD              ASR    MSD    ASR    MSD
Inception       0.540  1.984  0.665  1.550  0.662  1.345            0.664  1.554  0.667  1.019
LSTMFCN         0.512  2.442  0.644  2.064  0.641  1.716            0.644  2.070  0.645  1.084
MACNN           0.430  1.176  0.559  1.453  0.339  0.425            0.560  1.465  0.564  0.967
ResNet18        0.659  1.749  0.762  1.296  0.761  1.127            0.761  1.297  0.763  0.922
TS2V            0.420  2.138  0.540  2.158  0.359  0.779            0.542  2.168  0.542  1.307

Table 3: Comparison on Models With Gaussian Smooth Augmentation
Model \ Attack  PGD           SWAP          SWAP($\mathcal{L}^{2}$)  COS           FFT
                ASR    MSD    ASR    MSD    ASR    MSD              ASR    MSD    ASR    MSD
Inception       0.568  1.282  0.693  0.936  0.691  0.817            0.692  0.938  0.698  0.615
LSTMFCN         0.599  1.059  0.713  0.851  0.711  0.732            0.713  0.856  0.717  0.514
MACNN           0.373  0.775  0.481  0.930  0.321  0.283            0.484  0.947  0.486  0.612
ResNet18        0.737  0.969  0.807  0.715  0.807  0.654            0.807  0.721  0.810  0.601
TS2V            0.400  1.878  0.525  1.883  0.387  0.783            0.522  1.880  0.524  1.117

Shifting focus to the impact of defense implementations on attack outcomes, the rightmost five columns correspond to the previously discussed five attack methodologies. For contextual comparison, ASR values without defense implementation are also depicted. Observations indicate a general reduction in ASR across most models upon defense integration, affirming the efficacy of the defense strategies deployed. Notably, models fortified with noise as a defense mechanism exhibited a more pronounced reduction in ASR, suggesting a greater impact of introducing incorrect high-frequency information during model training than the absence of specific model weight adjustments (pertaining to the decision space distribution). To furnish quantifiable insights, Tables 2 and 3 delineate the ASR and MSD values post-application of noise and Gaussian smoothing as defensive measures. A comparative analysis with Table 1 reveals a decline in ASR and an elevation in MSD upon incorporating defense layers, aligning with the findings illustrated in Figure 5.

In the TS2V model specifically, the introduction of Gaussian filtering led to a decrease in the ASR of the FFT attack method, falling below its default performance. This phenomenon is attributed to the Gaussian filter’s propensity to eliminate high-frequency information, which is precisely the domain FFT attack methods exploit to craft adversarial samples. Remarkably, TS2V’s resilience can be seen as evidence that learning global information is inherently challenging; such capability necessitates not only sophisticated model design but also considerable complexity. Interestingly, employing Gaussian noise as defense slightly increased the ASR for FFT attacks compared to SWAP, indicating that while noise affects high-frequency data, it doesn’t completely remove relevant high-frequency information, merely masking it. If a model can denoise, it might still detect accurate high-frequency signals within the noise, implying that increasing perturbation frequency could enhance adversarial sample effectiveness, albeit with trade-offs to be considered in further analysis.

Figure 6: Comparison of Mean Success Distance (MSD) across different defense methods. Note that the data encompasses all attack methods and models presented herein.

Figure 6 presents a comparative analysis of the MSD across three data operation strategies, showcasing the MSD for five distinct models and five different attack methods under each augmentation strategy. Subgraph (a) distinctly illustrates an almost universal rise in MSD upon noise introduction, indicating that more significant perturbations are requisite for successful attacks. Contrarily, subgraph (b) reveals that the application of Gaussian filtering as a defense does not markedly alter MSD values in comparison to the unprotected scenarios. This nuanced observation is further elaborated in subgraph (c), delineating the disparate impacts of noise addition and low-pass filtering on MSD.

A meticulous examination of MSD values, especially under the threshold $r<0.1$, uncovers that models defended with Gaussian filtering exhibit significantly higher MSD than those either unprotected or shielded with noise. This trend, however, converges when larger perturbations $r$ are necessary for a successful attack, highlighting a diminished discrepancy between Gaussian-blurred and undefended models. Such findings underscore that while both corrupting and eliminating high-frequency information escalate the complexity of launching an attack, the manifestation of these defensive measures diverges, offering insightful implications for designing robust defense mechanisms.

4.4 Analysis of attack and defense mechanisms

Figure 7: Illustration of how the neural network adapts to learning global information through defense mechanisms, analysed with the Normalized Auto Correlation Function (NACF). It details key transformations: noise introduction transforming the original time series (OTS) into a noisy one (NTS), and smoothing via high-frequency filtering, e.g., Gaussian filtering, reverting the noisy series toward its original state. These modifications significantly affect the NACF’s correlations at small and large $\tau$ values, showcasing the resilience of long-distance correlations against the local information distortion caused by noise and filtering. Subfigures (b) and (c) depict the NACF’s alignment after discarding the first data point, which the neural network automatically excludes as irrelevant to the label. Subfigures (d) and (e) demonstrate the consistency of the secondary autocorrelation function after the removal of contaminated points, underscoring the defense layer’s effectiveness in maintaining pertinent global information amid disturbances.

Figure 7 serves to elucidate the observed resilience of models against adversarial attacks once noise or filtering defenses are implemented. Subfigure (a) contrasts an original time series (OTS, in green) with its noisy counterpart (NTS, in red), while subfigures (b) and (c) analyze their respective autocorrelations. The transformation from green to red symbolizes the effect of noise introduction, whereas Gaussian filtering essentially reverts the process. Crucially, this transformation highlights a significant disparity in correlation between small ($\tau=0$) and larger $\tau$ values within the NACF, suggesting a pronounced alteration in local correlations post-defense without substantially affecting larger-scale correlations. Remarkably, excluding the initial data point from the noise-affected time series, owing to its compromised local correlation, results in an autocorrelation function closely aligned along a straight line. Linear fitting after this removal further exemplifies the integrity of the correlations between the remaining data points. Moreover, the similarity in slopes between the two NACFs and in the numerical ratio of the second point to the first underscores the minimal impact of the defense on large-scale time series correlation, upon re-normalization.

In subfigures (d) and (e), we plot the autocorrelation function of the autocorrelation function itself, and the two curves are almost indistinguishable. This observation, coupled with the intrinsic feature selection capability of deep neural networks, implies that a sufficiently complex network can discern and retain the valuable global information despite local distortions. Consequently, this explains why TS2V exhibits improved performance with defense augmentation and offers a broader understanding of how defense mechanisms mitigate attack impacts. Interestingly, this analysis also suggests that simpler models may exhibit performance degradation (e.g., reduced test accuracy) when a defense layer is added, highlighting the different learning challenges posed by local (high frequency) versus global (low frequency) information and providing insight into why high-frequency perturbations are effective in adversarial attacks.
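The mechanism discussed for Figure 7 can be reproduced numerically. The following is an added example, not code from the paper, and it makes several assumptions: the NACF is taken to be the standard mean-removed autocorrelation normalized by its zero-lag value; the OTS is a constructed sinusoid; the NTS adds seeded Gaussian noise; the defense is a truncated Gaussian kernel with reflecting edges; and "re-normalization" means dropping the τ = 0 point and dividing by C(1). The function names (nacf, add_noise, gaussian_filter, renormalize, analyze) are hypothetical. It shows the gap at τ = 1 opening between OTS and NTS, the near-alignment of the two NACFs after re-normalization, the Gaussian filter restoring the local correlation, and the second-order NACF of subfigures (d) and (e) staying essentially unchanged.

```python
import math
import random


def nacf(x, max_lag):
    """Normalized autocorrelation function (assumed definition):
    C(tau) = sum_t (x_t - m)(x_{t+tau} - m) / sum_t (x_t - m)^2, tau = 0..max_lag.
    C(0) == 1 by construction; tau is the lag shown on the NACF plots."""
    n = len(x)
    m = sum(x) / n
    y = [v - m for v in x]
    denom = sum(v * v for v in y)
    return [sum(y[t] * y[t + tau] for t in range(n - tau)) / denom
            for tau in range(max_lag + 1)]


def add_noise(x, sigma, seed=0):
    """Noise-introduction defense: OTS -> NTS with seeded white Gaussian noise."""
    rng = random.Random(seed)
    return [v + rng.gauss(0.0, sigma) for v in x]


def gaussian_filter(x, sigma):
    """High-frequency smoothing defense: 1-D Gaussian kernel truncated at 3 sigma,
    reflecting the series at both ends so the output has the same length."""
    radius = int(3 * sigma)
    offsets = list(range(-radius, radius + 1))
    kernel = [math.exp(-(k * k) / (2 * sigma * sigma)) for k in offsets]
    total = sum(kernel)
    kernel = [w / total for w in kernel]
    n = len(x)
    out = []
    for t in range(n):
        acc = 0.0
        for k, w in zip(offsets, kernel):
            idx = t + k
            if idx < 0:
                idx = -idx
            elif idx >= n:
                idx = 2 * n - idx - 2
            acc += w * x[idx]
        out.append(acc)
    return out


def renormalize(c):
    """Discard the tau=0 point and rescale the remaining curve by C(1)."""
    return [v / c[1] for v in c[1:]]


def make_ots(n=1024, period=64):
    """Constructed smooth 'original' series: a pure sinusoid (16 full periods)."""
    return [math.sin(2 * math.pi * t / period) for t in range(n)]


def analyze(n=1024, period=64, noise_sigma=0.2, filter_sigma=2.0, max_lag=64):
    ots = make_ots(n, period)
    nts = add_noise(ots, noise_sigma)          # subfigure (a), green -> red
    fts = gaussian_filter(nts, filter_sigma)   # filtering reverts the process
    c_ots, c_nts, c_fts = (nacf(s, max_lag) for s in (ots, nts, fts))
    r_ots, r_nts = renormalize(c_ots), renormalize(c_nts)
    # second-order NACF: the NACF of the (tau >= 1) NACF curves, subfigures (d)/(e)
    s_ots, s_nts = nacf(r_ots, 16), nacf(r_nts, 16)
    return {
        "c_ots": c_ots, "c_nts": c_nts, "c_fts": c_fts,
        # white noise only adds power at tau=0, so C(1) drops for the NTS
        "local_gap": c_ots[1] - c_nts[1],
        # after re-normalization the two curves nearly coincide at larger tau
        "max_renorm_diff": max(abs(a - b) for a, b in zip(r_ots[:16], r_nts[:16])),
        "max_second_order_diff": max(abs(a - b) for a, b in zip(s_ots, s_nts)),
    }


if __name__ == "__main__":
    res = analyze()
    print("C_OTS(1) = %.3f  C_NTS(1) = %.3f  C_filtered(1) = %.3f"
          % (res["c_ots"][1], res["c_nts"][1], res["c_fts"][1]))
    print("max |renormalized NACF difference| over tau=1..16: %.3f" % res["max_renorm_diff"])
    print("max |second-order NACF difference|: %.3f" % res["max_second_order_diff"])
```

The design choice worth noting is that the noise term contributes almost entirely to C(0): for white noise the expected cross-lag contribution is zero, so the entire NACF for τ ≥ 1 is scaled down by a constant factor and the curve's shape, which carries the global information, survives. Dividing by C(1) undoes that scaling, which is what the alignment in subfigures (b) and (c) reflects.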

5 Conclusion

In this paper, we explore the impact of adversarial attacks on time series classification models and assess the effectiveness of defense mechanisms, with a focus on how frequency components influence model vulnerability. Utilizing the Normalized Auto Correlation Function (NACF), we reveal a predilection within small neural networks for processing local rather than global information, a bias that adversarial attacks exploit. Our analysis shows that regularization strategies, especially those leveraging Fast Fourier Transform (FFT) methods, significantly improve attack success rates by emphasizing the frequency domain. In contrast, defenses like noise introduction and Gaussian filtering effectively diminish the Attack Success Rate (ASR), enhancing model robustness, particularly by mitigating high-frequency distortions. Notably, models designed to emphasize global information, such as the enhanced TS2V model, demonstrate superior resistance to adversarial manipulations. These results underscore the necessity of integrating considerations of local versus global information processing and frequency analysis into the design of both attacks and defenses to bolster neural network resilience. This study advocates further investigation into an optimal balance between adversarial sophistication and model robustness, aiming to forge more secure and dependable machine learning frameworks.
