Adversarial Robustness of Time-Series Classification for Crystal Collimator Alignment

TL;DR

This paper enhances the adversarial robustness of a CNN used for crystal collimator alignment at CERN by formalizing robustness properties, implementing preprocessing-aware defenses, and benchmarking with established frameworks.

Contribution

It introduces a preprocessing-aware wrapper for time-series classification, enabling formal verification and robustness benchmarking of CNNs in a real-world physics application.

Findings

Adversarial fine-tuning increased robust accuracy by up to 18.6%.

Pipeline-checked validity and robustness estimates were achieved using Foolbox and ART.

Extended robustness analysis from single windows to sequence-level classification.

Abstract

In this paper, we analyze and improve the adversarial robustness of a convolutional neural network (CNN) that assists crystal-collimator alignment at CERN's Large Hadron Collider (LHC) by classifying a beam-loss monitor (BLM) time series during crystal rotation. We formalize a local robustness property for this classifier under an adversarial threat model based on real-world plausibility. Building on established parameterized input-transformation patterns used for transformation- and semantic-perturbation robustness, we instantiate a preprocessing-aware wrapper for our deployed time-series pipeline: we encode time-series normalization, padding constraints, and structured perturbations as a lightweight differentiable wrapper in front of the CNN, so that existing gradient-based robustness frameworks can operate on the deployed pipeline. For formal verification, data-dependent preprocessing such as per-window z-normalization introduces nonlinear operators that require verifier-specific abstractions. We therefore focus on attack-based robustness estimates and pipeline-checked validity by benchmarking robustness with the frameworks Foolbox and ART. Adversarial fine-tuning of the resulting CNN improves robust accuracy by up to 18.6 % without degrading clean accuracy. Finally, we extend robustness on time-series data beyond single windows to sequence-level robustness for sliding-window classification, introduce adversarial sequences as counterexamples to a temporal robustness requirement over full scans, and observe attack-induced misclassifications that persist across adjacent windows.