Adversarial Robustness of Deep State Space Models for Forecasting

TL;DR

This paper investigates the adversarial robustness of deep state space models for forecasting, introducing a control-theoretic framework and demonstrating vulnerabilities through both theoretical bounds and practical attacks.

Contribution

It establishes the optimality of the Spacetime SSM architecture, formulates a robust forecasting design as a Stackelberg game, and uncovers vulnerabilities exploitable by model-free attacks.

Findings

Spacetime SSM can represent the optimal Kalman predictor.

Adversarial errors are amplified by instability and decoder state dimension.

Model-free attacks can cause 33% more error than gradient-based methods.

Abstract

State-space model (SSM) for time-series forecasting have demonstrated strong empirical performance on benchmark datasets, yet their robustness under adversarial perturbations is poorly understood. We address this gap through a control-theoretic lens, focusing on the recently proposed Spacetime SSM forecaster. We first establish that the decoder-only Spacetime architecture can represent the optimal Kalman predictor when the underlying data-generating process is autoregressive - a property no other SSM possesses. Building on this, we formulate robust forecaster design as a Stackelberg game against worst-case stealthy adversaries constrained by a detection budget, and solve it via adversarial training. We derive closed-form bounds on adversarial forecasting error that expose how open-loop instability, closed-loop instability, and decoder state dimension each amplify vulnerability - offering actionable principles towards robust forecaster design. Finally, we show that even adversaries with no access to the forecaster can nonetheless construct effective attacks by exploiting the model's locally linear input-output behavior, bypassing gradient computations entirely. Experiments on the Monash benchmark datasets highlight that model-free attacks, without any gradient computation, can cause at least 33% more error than projected gradient descent with a small step size.