TrojanTime: Backdoor Attacks on Time Series Classification
Chang Dong, Zechao Sun, Guangdong Bai, Shuying Piao, Weitong Chen, Wei Emma Zhang

TL;DR
TrojanTime introduces a novel two-step training method for backdoor attacks on time series classifiers, effectively embedding malicious triggers while maintaining model accuracy, and proposes a defense strategy to mitigate such attacks.
Contribution
It presents TrojanTime, a new training algorithm enabling backdoor attacks without direct training data access, and a defense method to reduce attack success rate.
Findings
TrojanTime achieves high attack success rates across multiple datasets and architectures.
The defense strategy significantly lowers backdoor effectiveness while preserving accuracy.
The approach demonstrates practical threat scenarios in real-world time series applications.
Abstract
Time Series Classification (TSC) is highly vulnerable to backdoor attacks, posing significant security threats. Existing methods primarily focus on data poisoning during the training phase, designing sophisticated triggers to improve stealthiness and attack success rate (ASR). However, in practical scenarios, attackers often face restrictions in accessing training data. Moreover, it is a challenge for the model to maintain generalization ability on clean test data while remaining vulnerable to poisoned inputs when data is inaccessible. To address these challenges, we propose TrojanTime, a novel two-step training algorithm. In the first stage, we generate a pseudo-dataset using an external arbitrary dataset through target adversarial attacks. The clean model is then continually trained on this pseudo-dataset and its poisoned version. To ensure generalization ability, the second stage…
Taxonomy
Topics: Advanced Malware Detection Techniques · Adversarial Robustness in Machine Learning · Smart Grid Security and Resilience
