BadTime: An Effective Backdoor Attack on Multivariate Long-Term Time Series Forecasting

TL;DR

This paper introduces BadTime, a novel backdoor attack on multivariate long-term time series forecasting models, capable of influencing predictions over extended horizons with high stealthiness and low poisoning rates.

Contribution

It presents the first effective backdoor attack tailored for MLTSF, addressing challenges of trigger dilution and sparsity, and demonstrating significant improvements over existing methods.

Findings

Extends attack horizon from 12 to 720 timesteps

Reduces MAE by over 50% on target variables

Increases stealthiness by more than 3-fold

Abstract

Multivariate long-term time series forecasting (MLTSF) models are increasingly deployed in critical domains such as climate, finance, and transportation. Despite their growing importance, the security of MLTSF models against backdoor attacks remains entirely unexplored. To bridge this gap, we propose BadTime, the first effective backdoor attack tailored for MLTSF. BadTime can manipulate hundreds of future predictions toward a target pattern by injecting a subtle trigger. BadTime addresses two key challenges that arise uniquely in MLTSF: (i) the rapid dilution of local triggers over long horizons, and (ii) the extreme sparsity of backdoor signals under stealth constraints. To counter dilution, BadTime leverages inter-variable correlations, temporal lags, and data-driven initialization to design a distributed, lag-aware trigger that ensures effective influence over long-range forecasts. To overcome sparsity, it introduces a hybrid strategy to select valuable poisoned samples and a decoupled backdoor training objective that adaptively adjusts the model's focus on the sparse backdoor signal, ensuring reliable learning at a poisoning rate as low as 1%. Extensive experiments show that BadTime significantly outperforms state-of-the-art (SOTA) backdoor attacks on time series forecasting by extending the attackable horizon from at most 12 timesteps to 720 timesteps (a 60-fold improvement), reducing MAE by over 50% on target variables, and boosting stealthiness by more than 3-fold under anomaly detection.