On Defensive Mechanisms against Adversarial Attacks on Deep Timeseries Classification

Abdu-Aguye, Mubarak Gwaza
Department
Machine Learning
Embargo End Date
2026-05-30
Type
Dissertation
Date
2025
Language
English
Abstract
Despite their high performance, DNNs have been shown to be vulnerable to “adversarial examples” (AEs). These are inputs that have been imperceptibly altered by specially crafted perturbations to cause a given DNN to produce a wrong or erroneous output despite their visual normality (i.e., similarity to their unperturbed counterparts). This vulnerability was first identified in DNN classifiers for the computer vision (CV) domain, but has also been shown to extend to other tasks (e.g., segmentation/object detection, clustering, etc.) and to other domains, recently including deep timeseries classification (TSC). The primary implication of adversarial vulnerability is that DNNs can be manipulated (in non-apparent ways) by malicious adversaries to produce arbitrary outputs, which calls the overall reliability of such models into question. Accordingly, much research effort has gone into developing defenses against such attacks, e.g. detection (to identify AEs so as to decline to classify them or to identify their source for enforcement purposes), purification (to “disinfect” AEs, reverting them to a benign form) and robustification (hardening DNNs to lessen their adversarial vulnerability), to name a few. However, such efforts have mainly been focused on the CV domain, leaving others comparatively unexplored. In most cases, CV-centric defenses are applied as is to such domains under the assumption that such DNNs function in similar ways to those in the CV domain and can therefore be protected in similar ways. However, timeseries data (and DNNs) have many structural and semantic differences from images (and image-based DNNs), which militates against such direct transfer. This motivates the need to develop timeseries-specific approaches in order to protect such models from adversarial risks.
In this thesis, we investigate adversarial vulnerability in deep timeseries classifiers with a view to understanding its root causes and developing specific protections and mitigations against them. In particular, we develop a novel AE detection algorithm that establishes a new state-of-the-art in the timeseries domain. Our proposed method involves the analysis of timeseries samples via recurrence analysis, where adversarial perturbations can be naturally isolated. We then design a novel feature descriptor and pipeline to quantify the recurrence patterns of benign samples, which we subsequently learn in a normalcy modeling setting, treating adversarial samples as outliers. In extensive experiments involving different adversarial attacks and datasets, our proposed method significantly outperforms the previous state-of-the-art (SOTA) and other baselines, while also being on average 5× faster. Based on the limitations of detection approaches, we subsequently propose FeMPure, the first-ever purification-based defense for the timeseries domain. Due to a lack of local smoothness in timeseries data, we instead utilize DNNs’ built-in feature space redundancy to design a pluggable, lightweight, wavelet-based purification network (and an associated training and supervision framework) which repairs representational distortions arising from adversarial attacks. We then evaluate FeMPure on benign data and multiple adversarial attacks, as well as defense-aware and defense-unaware threat models, and confirm its superiority to multiple (input-space and feature-space) baselines, including adversarial training. Furthermore, we demonstrate the benefit of FeMPure against SOTA methods on the AE detection task. Finally, we investigate a novel perspective on adversarial vulnerability in deep timeseries classifiers, motivated by observations around their fundamental fragility even outside adversarial contexts.
We put forth hypotheses about two coincident and architecturally motivated causes of this vulnerability, and propose corresponding structural modifications to mitigate them without any adversarial samples or training process changes. We demonstrate the improved robustness of timeseries DNN models incorporating the proposed changes across diverse threat models (including the no-box setting). We also show that the modified DNNs come with enhanced certified robustness and smoothness, and extensively analyze the modifications’ mechanisms of action to validate their correctness. We also show that the modified DNNs yield useful and trustworthy explanations, setting a new standard in the timeseries domain. Our work paves the way for principled adversarial defenses in the timeseries domain, with broader outlook and impacts on the fundamental understanding of DNN operation and design.
Citation
Mubarak Gwaza Abdu-Aguye, “On Defensive Mechanisms against Adversarial Attacks on Deep Timeseries Classification,” Doctor of Philosophy thesis, Machine Learning, MBZUAI, 2025.
Keywords
Adversarial, Timeseries, Detection, Purification, Robustification, Classification