MIA: A Framework for Certifiably Robust Time-Series Classification and Forecasting Against Temporally-Localized Perturbations

Abstract

Recent literature demonstrates that time-series forecasting and classification models are sensitive to input perturbations. However, defenses for time-series models are relatively under-explored. In this paper, we propose Masking Imputing Aggregation (MIA), a plug-and-play framework that provides an arbitrary deterministic time-series model with certified robustness against temporally-localized perturbations (also known as $\ell_0$-norm localized perturbations), which is to our knowledge the first $\ell_0$-norm defense for time-series models. Our main insight is to let an occluding mask move across the input series, guaranteeing that, for an arbitrary localized perturbation, there must exist at least one mask that completely occludes the perturbed area, so that the prediction on this masked series is certifiably unaffected. MIA is flexible, as it still works even if we only have query access to the pretrained model. To further validate the superior effectiveness of MIA, we specifically compare MIA to two baselines extended from prior randomized smoothing approaches. Extensive experiments show that MIA yields stronger robustness.

1. Introduction

Time-series forecasting/classification (TSF/TSC) has been widely applied to help businesses make informed decisions and plans (Miyato et al., 2017; Zhou et al., 2019; Schlegl et al., 2019; Park et al., 2018). However, a wide range of literature demonstrates that time-series models are vulnerable to adversarial input perturbations (Connor et al., 1994; Gelper et al., 2010; Ding et al., 2022; Yang et al., 2020; Dang-Nhu et al., 2020; Oregi et al., 2018; Han et al., 2020), e.g., an elaborately designed imperceptible perturbation could control the prediction (Karim et al., 2020; Fawaz et al., 2019). So far, related literature has mainly focused on detecting outliers (Ruff et al., 2018; Yairi et al., 2017), while the adversarial robustness of time-series models is relatively under-explored, especially $\ell_0$-norm robustness; e.g., Yoon et al. (2022) only explore the $\ell_2$-norm adversarial robustness of probabilistic forecasting models. In the present work, we focus on robustness against temporally-localized perturbations, as we notice that corresponding powerful attacks already exist (Yang et al., 2022). Generally, defenses can be divided into two types: heuristic defenses and certified defenses. Heuristic defenses can yield better empirical robustness but lack robustness guarantees. From the experience on image classification (Athalye et al., 2018; Carlini & Wagner, 2017; Athalye & Carlini, 2018), heuristic defenses would be useless when confronted with newly designed adaptive attacks, e.g., Athalye et al. (2018) leverage the Backward Pass Differentiable Approximation technique to successfully circumvent almost all the heuristic defenses at that time. To end such a "cat and mouse" game between adaptive attacks and heuristic defenses, the concept of certified defense is proposed, with unbreakable robustness certificates.
Current certified defenses can produce robustness certificates but often require the user to retrain the base model from scratch, e.g., Yoon et al. (2022); Li et al. (2020); Cohen et al. (2019) retrain the base model, as these defenses perform poorly on naturally-trained models. The requirement for retraining could bring additional challenges when it comes to real-world deployments. In addition, certified defenses on sequence-based data are quite under-explored, since almost all certified defenses focus on matrix-based data (e.g., images). To address these issues, in this paper we propose Masking Imputing Aggregation (MIA), a flexible framework to arm an arbitrary deterministic TSF/TSC model with robustness certificates against temporally-localized perturbations. In contrast to the retraining required by prior defenses, MIA only requires an imputation model for recovering the masked areas, which can be easily learned in an unsupervised setting. Specifically, MIA works as follows: 1) masking: MIA first constructs masked series by sliding a mask through the input series; 2) imputing: MIA imputes the masked series with the imputation model; 3) aggregation (checking agreement): MIA only returns the class if the pretrained model outputs the same class for all the imputed series, otherwise it returns Abstain. With the above three steps, we can guarantee that all the predictions from MIA are clean. Furthermore, we compare MIA to two baselines extended from randomized smoothing, as we notice that randomized smoothing has achieved widespread success in defending against different adversarial attacks.

The contributions are:

1) We propose MIA, a plug-and-play framework to arm an arbitrary TSF/TSC model with certified robustness against temporally-localized perturbations, which is to our knowledge the first $\ell_0$-norm certified defense in the time-series domain.

2) We propose randomized masked training, a specialized training algorithm for training the imputation model of MIA, to further boost the performance of MIA.

3) We compare MIA to two baseline methods comprehensively on three aspects. (i) Robustness: extensive experiments on different datasets validate the superior robustness of MIA. (ii) Practicality: MIA is stronger as it is plug-and-play and does not require retraining. (iii) Inference cost: the inference time of MIA is comparable to the time cost of the two baselines.

2. Related Work

Heuristic defenses for time-series models. Prior works on robust TSF/TSC can be divided into two general categories: outlier detection and deep learning. The former filters the outliers in a statistical way, including k-Means clustering (Yang et al., 2017), one-class SVM clustering (Schölkopf et al., 2001), Kalman filters (de Bézenac et al., 2020) and support vector data description (Tax & Duin, 2004). The latter leverages the strong representation ability of neural networks to recover the perturbed series, including robust feature-based approaches (Guo et al., 2016; Yang & Fan, 2022), reconstruction-based methods (Li et al., 2021; 2019; Xu et al., 2018; Schlegl et al., 2019), GNN-based methods (Zhao et al., 2020; Deng & Hooi, 2021), association discrepancy (Xu et al., 2022), and LSTM-based methods (Hundman et al., 2018; Tariq et al., 2019). However, these empirical methods lack robustness guarantees, hinting that they would be meaningless once a new adaptive attack is found. For that reason, certified defenses are crucial because their mathematical robustness certificates are permanently unbreakable.

Certified adversarial defenses. In the field of image classification, there has been much work on certified defenses, including randomized smoothing (Cohen et al., 2019; Salman et al., 2020), convex polytope (Wong & Kolter, 2018), CROWN-IBP (Zhang et al., 2019) and Lipschitz bounding (Cisse et al., 2017). Among them, the $\ell_0$-norm defenses include derandomized smoothing (Levine & Feizi, 2020a), randomized ablation (Levine & Feizi, 2020b; Zhang et al., 2020) and a series of mask-based




Figure 1: Overview of the MIA pipeline. Given an input series $x_{1:t_0}$, MIA first masks different periods of $x_{1:t_0}$ to construct the masked series $x_{1:t_0} \odot M^{(k)}$, $k = 0, \ldots, M$. Then MIA imputes the masked series with the imputation model $G(\cdot)$. We classify the imputed series with the pretrained model. If the predictions of all the imputed series are Class 0, MIA will return Class 0 with the robustness guarantee that the output is clean; otherwise MIA will return Abstain.
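The mask, impute and aggregate steps of Figure 1 can be traced end to end in a short sketch. This is an added example, not the paper's implementation. It assumes a stride-1 mask whose width `w` is at least the perturbation length `p`, a linear-interpolation stand-in for the imputation model, and a mean-threshold stand-in for the pretrained classifier; all function names are hypothetical.

```python
ABSTAIN = None  # returned when the masked views disagree

def mask_starts(T, w):
    """Stride-1 sliding mask of width w: with w >= p, every contiguous
    perturbation of length p lies fully inside at least one mask."""
    return range(0, T - w + 1)

def impute(series, start, w):
    """Stand-in imputation model G: linear interpolation over the masked span.
    Reads only unmasked neighbours, so occluded values cannot influence it."""
    out = list(series)
    left = series[start - 1] if start > 0 else None
    right = series[start + w] if start + w < len(series) else None
    if left is None and right is None:
        raise ValueError("mask must be shorter than the series")
    left = right if left is None else left
    right = left if right is None else right
    for j in range(w):
        out[start + j] = left + (right - left) * (j + 1) / (w + 1)
    return out

def classify(series):
    """Stand-in deterministic base model: class 1 if the mean exceeds 0.5."""
    return int(sum(series) / len(series) > 0.5)

def mia_predict(series, w):
    """Mask, impute, classify each view; return the class only on full agreement."""
    preds = {classify(impute(series, s, w)) for s in mask_starts(len(series), w)}
    return preds.pop() if len(preds) == 1 else ABSTAIN

def perturb(series, start, p, value):
    """Overwrite p consecutive time steps (a temporally-localized perturbation)."""
    return [value if start <= t < start + p else x for t, x in enumerate(series)]

def sweep(clean, w, p, value):
    """MIA output for every possible position of a length-p perturbation."""
    return [mia_predict(perturb(clean, i, p, value), w)
            for i in range(len(clean) - p + 1)]

# Constructed sample: a low-valued sawtooth of 20 points that the base model puts in class 0.
CLEAN = [0.1 + 0.05 * (t % 5) for t in range(20)]

if __name__ == "__main__":
    print("clean:", mia_predict(CLEAN, w=3))
    print("base model on attacked input:", classify(perturb(CLEAN, 8, 3, 10.0)))
    print("MIA under every placement:", sweep(CLEAN, w=3, p=3, value=10.0))
```

The unprotected base model flips to class 1 on the perturbed input, while the aggregated output is only ever the clean class or Abstain, because the view that occludes the perturbation is identical to the corresponding clean view.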

