TSFool: Crafting Highly-Imperceptible Adversarial Time Series through Multi-Objective Attack

Yanyun Wang,Dehui Du,Haibo Hu,Zi Liang,Yuanhao Liu
2024-09-05
Abstract:Recent years have witnessed the success of recurrent neural network (RNN) models in time series classification (TSC). However, neural networks (NNs) are vulnerable to adversarial samples, which cause real-life adversarial attacks that undermine the robustness of AI models. To date, most existing attacks target at feed-forward NNs and image recognition tasks, but they cannot perform well on RNN-based TSC. This is due to the cyclical computation of RNN, which prevents direct model differentiation. In addition, the high visual sensitivity of time series to perturbations also poses challenges to local objective optimization of adversarial samples. In this paper, we propose an efficient method called TSFool to craft highly-imperceptible adversarial time series for RNN-based TSC. The core idea is a new global optimization objective known as "Camouflage Coefficient" that captures the imperceptibility of adversarial samples from the class distribution. Based on this, we reduce the adversarial attack problem to a multi-objective optimization problem that enhances the perturbation quality. Furthermore, to speed up the optimization process, we propose to use a representation model for RNN to capture deeply embedded vulnerable samples whose features deviate from the latent manifold. Experiments on 11 UCR and UEA datasets showcase that TSFool significantly outperforms six white-box and three black-box benchmark attacks in terms of effectiveness, efficiency and imperceptibility from various perspectives including standard measure, human study and real-world defense.
Machine Learning,Cryptography and Security
What problem does this paper attempt to address?
The main problem that this paper attempts to solve is: how to generate highly imperceptible adversarial examples for time - series classification (TSC) tasks based on recurrent neural networks (RNN). Specifically, the paper points out that most current adversarial attack methods are mainly aimed at feed - forward neural networks (such as image recognition tasks), and these methods perform poorly on RNNs for the following reasons: 1. **The periodic computing structure of RNN**: The special structure of RNN makes it difficult to directly perform model differentiation, thus hindering the effective use of gradient information. 2. **The high sensitivity of time series to perturbations**: Compared with image data, time series are more sensitive to perturbations, which makes it difficult for traditional local optimization objectives to generate imperceptible adversarial examples. To overcome these problems, the paper proposes a new method named TSFool. By introducing the "Camouflage Coefficient", a global optimization objective, it transforms the adversarial attack problem into a multi - objective optimization problem. In addition, to accelerate the optimization process, the paper also proposes a method based on the representation model to capture fragile samples with deep embedding. The following are the specific improvement points of TSFool: - **Camouflage Coefficient**: A new global optimization objective is defined to measure the imperceptibility of adversarial examples in the class distribution. The Camouflage Coefficient evaluates the concealment of adversarial examples by comparing the relative distances between the adversarial examples and the original class and the misclassified class. \[ C(\vec{x}^*)=\frac{\|\vec{x}^* - \vec{m}_i\| / d_i}{\|\vec{x}^* - \vec{m}_j\| / d_j} \] where \(\vec{m}_i\) and \(\vec{m}_j\) are the centroids of the original class and the misclassified class respectively, and \(d_i\) and \(d_j\) are the average distances of the corresponding classes. - **Multi - objective perturbation attack**: Combining the Camouflage Coefficient and the minimum perturbation objective, TSFool adopts a multi - objective optimization strategy to ensure that the generated adversarial examples not only have a small perturbation amount but also are more difficult to be detected globally. - **Fragile sample capture based on the manifold hypothesis**: By constructing a representation model (such as the interval - weighted finite automaton i - WFA), TSFool can capture fragile samples whose features deviate from the latent manifold, thereby guiding the generation of adversarial examples. The experimental results show that TSFool significantly outperforms the existing white - box and black - box benchmark attack methods on 11 UCR and UEA datasets, and performs excellently in terms of effectiveness, efficiency and imperceptibility.