Skip to main content
QUICK REVIEW

[Paper Review] Adversarial Attacks on Probabilistic Autoregressive Forecasting Models

Raphaël Dang-Nhu, Gagandeep Singh|arXiv (Cornell University)|Jan 1, 2020
Adversarial Robustness in Machine Learning48 references5 citations
TL;DR

This paper presents the first method for generating adversarial attacks on deep probabilistic autoregressive forecasting models, which output sequences of probability distributions rather than point estimates. By leveraging reparametrization and score-function estimators to differentiate through Monte Carlo approximations of expectations, the authors demonstrate effective attacks with minimal input perturbations on stock trading and electricity consumption forecasting tasks, with reparametrization proving significantly more efficient and effective than the score-function estimator.

ABSTRACT

We develop an effective generation of adversarial attacks on neural models that output a sequence of probability distributions rather than a sequence of single values. This setting includes the recently proposed deep probabilistic autoregressive forecasting models that estimate the probability distribution of a time series given its past and achieve state-of-the-art results in a diverse set of application domains. The key technical challenge we address is effectively differentiating through the Monte-Carlo estimation of statistics of the joint distribution of the output sequence. Additionally, we extend prior work on probabilistic forecasting to the Bayesian setting which allows conditioning on future observations, instead of only on past observations. We demonstrate that our approach can successfully generate attacks with small input perturbations in two challenging tasks where robust decision making is crucial: stock market trading and prediction of electricity consumption.

Motivation & Objective

  • To address the challenge of generating adversarial attacks on deep probabilistic autoregressive models that predict probability distributions rather than single values.
  • To enable gradient-based white-box attacks in a setting where the model's output is defined through Monte Carlo estimation of expectations.
  • To extend prior work on probabilistic forecasting to a Bayesian setting that allows conditioning on future observations.
  • To evaluate the effectiveness of adversarial attacks in real-world domains requiring robust sequential decision-making, such as stock market trading and electricity consumption prediction.

Proposed method

  • The authors model the probabilistic autoregressive forecasting task as a sequence of conditional distributions parameterized by a neural network, using architectures like LSTMs to generate distribution parameters.
  • They formulate the attack objective as minimizing a loss function that encourages deviation from the true forecast distribution, using a differentiable surrogate for the expectation over Monte Carlo samples.
  • Two gradient estimation techniques are employed: the score-function estimator (reinforcement learning-style gradient) and the reparametrization estimator (pathwise gradient), both enabling backpropagation through stochastic outputs.
  • The reparametrization estimator is applied by expressing the random samples as a deterministic function of noise, allowing direct gradient computation through the sampling process.
  • The attack generation process involves optimizing input perturbations using these gradient estimators to maximize the divergence between the original and adversarial forecasts.
  • The Bayesian extension allows conditioning on future observations, enabling new types of inference and attack queries beyond standard autoregressive conditioning.

Experimental results

Research questions

  • RQ1Can adversarial attacks be effectively generated for probabilistic autoregressive models that output sequences of probability distributions rather than point predictions?
  • RQ2How can gradients be efficiently computed through Monte Carlo estimates of expectations in a differentiable manner for white-box attack generation?
  • RQ3Does the reparametrization estimator outperform the score-function estimator in generating low-norm adversarial perturbations for probabilistic forecasting models?
  • RQ4Can adversarial attacks be successfully applied to real-world sequential forecasting tasks such as stock market trading and electricity consumption prediction?
  • RQ5How does extending the model to a Bayesian setting affect the feasibility and effectiveness of adversarial attacks?

Key findings

  • The reparametrization estimator significantly outperforms the score-function estimator in generating adversarial attacks with smaller perturbation norms, demonstrating superior optimization stability and gradient quality.
  • Adversarial attacks were successfully generated on two challenging real-world forecasting tasks—stock market trading and electricity consumption—using minimal input perturbations.
  • The attack success was validated through qualitative and quantitative analysis, showing that the adversarial forecasts deviated substantially from the original predictions while maintaining small input changes.
  • The Bayesian extension of the model enabled new query types, such as conditioning on future observations, which expanded the scope of possible adversarial queries.
  • The proposed method is general and applicable to various probabilistic autoregressive architectures, including LSTMs, TCNs, and Transformers, as long as they output parametric distributions.
  • The authors released code, datasets, and reproduction scripts, enabling full reproducibility and further research in adversarial robustness for probabilistic forecasting.

Better researchstarts right now

From paper design to paper writing, dramatically reduce your research time.

No credit card · Free plan available

This review was created by AI and reviewed by human editors.