- The paper establishes that the Spacetime deep state space model uniquely represents optimal Kalman predictors for autoregressive processes under mild controllability conditions.
- It formalizes robust forecasting as a zero-sum Stackelberg game and applies adversarial training to limit prediction errors against gradient-based and model-free attacks.
- Empirical results demonstrate that CNN-based detectors significantly reduce adversarial mean absolute error compared to norm-based methods, enhancing forecast reliability.
Adversarial Robustness of Deep State Space Models for Forecasting
Introduction and Context
The paper "Adversarial Robustness of Deep State Space Models for Forecasting" (2604.03427) investigates the resilience of deep state space models (SSMs), specifically the Spacetime architecture, in the context of adversarial perturbations to time series data. While SSMs like Spacetime have demonstrated superior empirical results for forecasting benchmark time series, their vulnerability to adversarial manipulation and the theoretical underpinnings of their robustness were not previously understood.
This research grounds adversarial robustness within a control-theoretic framework, analyzes the Spacetime architecture's representational fidelity with optimal predictors, formalizes robust forecasting as a Stackelberg game, and empirically assesses vulnerabilities via both gradient-based and model-free attacks.
The primary setup considers a scalar time series y_k, with a forecasting model f producing h-step-ahead predictions based on a past window of length ℓ. During deployment, the input can be corrupted by an additive attack signal: ỹ_k = y_k + a_k. Critically, the forecaster is paired with an attack detector that triggers alarms if a prediction-based test statistic exceeds a threshold, with the detector threshold δ calibrated for a target false alarm rate (FAR) α.
The adversary, assumed to know the forecaster, detector, and historical data, is restricted to "stealthy" attacks—i.e., those that do not raise the FAR above α. The robust forecasting objective is thus formalized as a zero-sum Stackelberg game: the forecaster minimizes worst-case prediction error against all possible stealthy attacks.
Figure 1: Problem setup, showing adversary signal injection and interaction with the detector-augmented forecaster.
Spacetime State Space Model: Structure and Theoretical Properties
The Spacetime model is a deep SSM which combines an input embedding, projection, a stack of Spacetime layers for encoding/decoding, and a linear output head. Each layer comprises parallel SISO state space models with skip connections and feed-forward (GeLU-activated) mixing. During forecasting, the encoder and decoder map historical inputs to predictions, with the decoder autoregressively generating future inputs in the embedding space.
Figure 2: The Spacetime model's architecture and principal layer elements (GeLU activations and linear components).
Critically, the paper establishes that:
Only Spacetime among deep SSMs can exactly represent the optimal Kalman predictor for autoregressive (AR) processes, under mild controllability conditions (Proposition 2). This extends to all Luenberger-type observers, showing that Spacetime is unique in achieving optimal linear prediction for AR data within SSMs.
Adversarial Attack and Training Methodology
Adversarial attacks are primarily constructed via Projected Gradient Descent (PGD), with the attack-generation process halted when perturbations exceed the detector threshold, ensuring stealthiness. Robust forecasters are built via adversarial training—first training on clean data, generating worst-case stealthy attacks, and then fine-tuning on these adversarially perturbed examples.
The effect of attack and adversarial defense is demonstrated empirically on the Monash electricity benchmark dataset.
Figure 3: Forecasting performance on real-world electricity consumption data—test excerpt and absolute percentage error distribution (MAPE = 6.53%).
Numerical Results
- Adversarial fine-tuning with a CNN-based detector yields up to 10% reduction in adversarial MAE compared to classical input-constrained adversarial training.
- Model-free (gradient-free) attacks—discussed below—can induce at least 33% more error than PGD with small step sizes.
- Detector architecture significantly influences robustness: CNN-based detectors outperform norm-based detectors in adversarial MAE per-unit attack norm.
Control-Theoretic Analysis of Adversarial Sensitivity
Theoretical bounds are derived for adversarial error growth, expressing how SSM parameters influence robustness. Let H be the forecaster's input-output map; then the worst-case increase in output error due to any unit-norm input perturbation is exactly σ_max(H), the largest singular value of H. Key findings include:
- Open-loop instability in the encoder or decoder exponentially amplifies adversarial vulnerability with increasing look-back length ℓ.
- Closed-loop instability in the decoder significantly increases vulnerability for long forecast horizons h.
- Increasing decoder state dimension nontrivially scales susceptibility, albeit conservatively in practice.
Empirical validation confirms these theoretical relationships, demonstrating monotonically increasing adversarial error with ℓ and h when the relevant spectral radii are near or above unity.
Figure 4: Adversarial error increases (left: with look-back length ℓ; right: with forecast horizon h), confirming theoretical predictions under Spacetime SSM parameterizations.
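As an added worked example (not code from the paper), the following builds the input-output map H of a simplified single-layer linear SSM forecaster, from a look-back window of length ℓ to an open-loop h-step forecast, and computes σ_max(H) by power iteration so the amplification bound above can be checked against a model's spectral radius. The scaled-rotation dynamics, zero initial state and zero decoder input are assumptions made here to isolate the effect of the spectral radius.

```python
import math

def ssm_io_map(A, B, C, lookback, horizon):
    """H (horizon x lookback): linear map from the input window u_0..u_{l-1}
    (zero initial state) to the open-loop forecast y_l..y_{l+h-1}.
    H[j][i] = C A^(l-1-i+j) B, a Toeplitz arrangement of the impulse
    response g_t = C A^t B. Assumed simplified model, not Spacetime itself."""
    n = len(A)
    g, x = [], list(B)                      # x starts as A^0 B
    for _ in range(lookback + horizon - 1):
        g.append(sum(C[r] * x[r] for r in range(n)))
        x = [sum(A[r][s] * x[s] for s in range(n)) for r in range(n)]
    return [[g[lookback - 1 - i + j] for i in range(lookback)]
            for j in range(horizon)]

def spectral_norm(H, iters=1000):
    """Largest singular value of H (worst-case output-error gain for a
    unit-norm input perturbation) by power iteration on H^T H."""
    rows, cols = len(H), len(H[0])
    v = [1.0 + i / cols for i in range(cols)]   # unstructured start vector
    for _ in range(iters):
        Hv = [sum(H[j][i] * v[i] for i in range(cols)) for j in range(rows)]
        w = [sum(H[j][i] * Hv[j] for j in range(rows)) for i in range(cols)]
        norm = math.sqrt(sum(t * t for t in w))
        if norm == 0.0:
            return 0.0
        v = [t / norm for t in w]
    Hv = [sum(H[j][i] * v[i] for i in range(cols)) for j in range(rows)]
    return math.sqrt(sum(t * t for t in Hv))     # ||Hv|| with ||v|| = 1

def scaled_rotation(rho, theta=0.7):
    """Constructed 2-state dynamics whose spectral radius is exactly rho."""
    c, s = math.cos(theta), math.sin(theta)
    return [[rho * c, -rho * s], [rho * s, rho * c]]

def sensitivity_curve(rho, lookbacks, horizon):
    """sigma_max(H) for each look-back length at a fixed spectral radius."""
    A, B, C = scaled_rotation(rho), [1.0, 0.0], [1.0, 1.0]
    return [spectral_norm(ssm_io_map(A, B, C, l, horizon)) for l in lookbacks]

if __name__ == "__main__":
    for rho in (0.6, 1.0, 1.1):
        curve = sensitivity_curve(rho, (5, 15, 25), 3)
        print(f"rho={rho}: sigma_max(H) over l=5,15,25 ->",
              [round(s, 2) for s in curve])
```

At spectral radius 0.6 the curve is flat in ℓ, while at 1.1 it grows roughly like 1.1^ℓ, which is the exponential amplification the first bullet describes; a designer can run the same check on a trained model's linearized dynamics before deployment.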
Model-Free Attacks and Phase Transition in Robustness
A central contribution is the demonstration that even adversaries without any knowledge of the forecaster model can construct highly effective attacks.
Exploiting the local linearity of SSMs, a data-driven attacker can estimate the forecaster's local gain and input-output alignment from data alone, then solve for input perturbations that maximize error while remaining under the detection threshold. This closed-form "data-driven attack" (DDA) often matches or surpasses PGD-based attacks in effect, especially when the forecaster is well trained and input-output alignment is high.
Figure 5: Comparison of adversarial errors induced by PGD and model-free (data-driven) attacks; data-driven attacks cause markedly higher error without gradients or model access.
Implications and Future Directions
Practical Implications
- Adversarial robustness in SSM-based forecasting cannot be guaranteed by norm-bounded adversarial defenses alone; detector-constrained adversarial objectives are more appropriate and reveal stronger attack classes.
- State-space model architectures should be explicitly regularized for open- and closed-loop stability during design and training to limit exponential amplification of adversarial inputs.
- Detector architecture choice (CNN-based vs. norm-based) materially affects outcomes; advanced, data-driven detectors enhance resilience.
Theoretical Outlook
The findings highlight an intrinsic trade-off: the local linearity that enables SSMs' high-accuracy predictions also renders them highly susceptible to easy-to-construct, model-free adversarial attacks. This manifests as a phase transition in model robustness as detector thresholds or forecast horizons change.
Prospective AI Research Directions
- Extending adversarial robustness frameworks to structured, targeted attacks (as opposed to simply maximizing error) may deepen understanding and improve defenses.
- Generalizing the control-theoretic sensitivity analysis to nonlinear, multi-layer SSMs or integrating explicit adversarial regularization into model design pipelines is a promising avenue.
- Investigating robust detection mechanisms that do not rely solely on prediction error or input reconstruction, possibly leveraging ensemble or hybrid architectures, could enhance security.
Conclusion
This work systematically characterizes adversarial robustness in deep SSM-based forecasting, making strong theoretical and empirical contributions to understanding the limits and vulnerabilities of architectures such as Spacetime. The control-theoretic perspective elucidates how core model parameters drive error growth under attack, while the efficacy of model-free attacks signals the inadequacy of existing defenses that rely on model secrecy or input energy constraints. The insights and frameworks presented will likely inform both robust model design and the ongoing development of adversarial threat models in sequential prediction.