Practical Adversarial Attacks on Spatiotemporal Traffic Forecasting Models Fan LIU

Practical Adversarial Attacks on Spatiotemporal
Traffic Forecasting Models
Fan LIU
AI Thrust&RBM, The Hong Kong University of Science and Technology (Guangzhou)
fliu236@connect.hkust-gz.edu.cn&liufan@ust.hk
Hao LIU
AI Thrust, The Hong Kong University of Science and Technology (Guangzhou)
Guangzhou HKUST Fok Ying Tung Research Institute
CSE, The Hong Kong University of Science and Technology
liuh@ust.hk
Wenzhao Jiang
AI Thrust, The Hong Kong University of Science and Technology (Guangzhou)
wjiang431@connect.hkust-gz.edu.cn
Abstract
Machine learning based traffic forecasting models leverage sophisticated spatiotemporal auto-correlations to provide accurate predictions of city-wide traffic states. However, existing methods assume a reliable and unbiased forecasting environment, which is not always available in the wild. In this work, we investigate the vulnerability of spatiotemporal traffic forecasting models and propose a practical adversarial spatiotemporal attack framework. Specifically, instead of simultaneously attacking all geo-distributed data sources, an iterative gradient-guided node saliency method is proposed to identify the time-dependent set of victim nodes. Furthermore, we devise a spatiotemporal gradient descent based scheme to generate real-valued adversarial traffic states under a perturbation constraint. Meanwhile, we theoretically demonstrate the worst performance bound of adversarial traffic forecasting attacks. Extensive experiments on two real-world datasets show that the proposed two-step framework achieves up to 67.8% performance degradation on various advanced spatiotemporal forecasting models. Remarkably, we also show that adversarial training with our proposed attacks can significantly improve the robustness of spatiotemporal traffic forecasting models. Our code is available in https://github.com/kdd-hkust/Adv-ST.
1 Introduction
Machine learned spatiotemporal forecasting models have been widely adopted in modern Intelligent Transportation Systems (ITS) to provide accurate and timely prediction of traffic dynamics, e.g., traffic flow [1], traffic speed [2, 3], and the estimated time of arrival [4, 5]. Despite fruitful progress in improving the forecasting accuracy and utility [6], little attention has been paid to the robustness of spatiotemporal forecasting models. For example, Figure 1 demonstrates that injecting slight adversarial perturbations on a few randomly selected nodes can significantly degrade the traffic forecasting accuracy of the whole system. Therefore, this paper investigates the vulnerability of traffic forecasting models against adversarial attacks.

Figure 1: An illustration of adversarial attack against spatiotemporal forecasting models on the Bay Area traffic network in California; the data ranges from January 2017 to May 2017. (a) Adversarial attack of geo-distributed data. The malicious attacker may inject adversarial examples into a few randomly selected geo-distributed data sources (e.g., roadway sensors) to mislead the prediction of the whole traffic forecasting system. (b) Accuracy drop of victim nodes. By adding less than 50% traffic speed perturbations to 10% victim nodes, we observe 60.4% accuracy drop of victim nodes in morning peak hour. (c) Accuracy drop of neighbouring nodes. Due to the information diffusion of spatiotemporal forecasting models, the adversarial attack also leads to up to about 47.23% accuracy drop for neighboring nodes.

Corresponding author
36th Conference on Neural Information Processing Systems (NeurIPS 2022).
arXiv:2210.02447v1 [cs.LG] 5 Oct 2022
In recent years, adversarial attacks have been extensively studied in various application domains, such as computer vision and natural language processing [7]. However, two major challenges prevent applying existing adversarial attack strategies to spatiotemporal traffic forecasting. First, the traffic forecasting system makes predictions by exploiting signals from geo-distributed data sources (e.g., hundreds of roadway sensors and thousands of in-vehicle GPS devices). It is expensive and impractical to manipulate all data sources to inject adversarial perturbations simultaneously. Furthermore, state-of-the-art traffic forecasting models propagate local traffic states through the traffic network for more accurate prediction [5]. Attacking a few arbitrary data sources will result in node-varying effects on the whole system. How to identify the subset of salient victim nodes with a limited attack budget to maximize the attack effect is the first challenge. Second, unlike most existing adversarial attack strategies that focus on time-invariant label classification [8, 9], the adversarial attack against traffic forecasting aims to disrupt the target model to make biased predictions of continuous traffic states. How to generate real-valued adversarial examples without access to the ground truth of future traffic states is another challenge.
To this end, in this paper, we propose a practical adversarial spatiotemporal attack framework that
can disrupt the forecasting models to derive biased city-wide traffic predictions. Specifically, we
first devise an iterative gradient-guided method to estimate node saliency, which helps to identify a
small time-dependent set of victim nodes. Moreover, a spatiotemporal gradient descent scheme is
proposed to guide the attack direction and generate real-valued adversarial traffic states under a human
imperceptible perturbation constraint. The proposed attack framework is agnostic to forecasting
model architecture and is generalizable to various attack settings, i.e., white-box attack, grey-box
attack, and black-box attack. Meanwhile, we theoretically analyze the worst performance guarantees
of adversarial traffic forecasting attacks. We prove the adversarial robustness of spatiotemporal traffic
forecasting models is related to the number of victim nodes, the maximum perturbation bound, and
the maximum degree of the traffic network.
Extensive experimental studies on two real-world traffic datasets demonstrate the attack effectiveness of the proposed framework on state-of-the-art spatiotemporal forecasting models. We show that attacking 10% nodes in the traffic system can break down the global forecasting Mean Average Error (MAE) from 1.975 to 6.1329. Moreover, the adversarial attack can induce 68.65% and 56.67% performance degradation under the extended white-box and black-box attack settings, respectively. Finally, we also show that incorporating adversarial examples we generated with adversarial training can significantly improve the robustness of spatiotemporal traffic forecasting models.
2 Background and problem statement
In this section, we first introduce some basics of spatiotemporal traffic forecasting and adversarial
attack, then formally define the problem we aim to address.
2.1 Spatiotemporal traffic forecasting
Let $\mathcal{G}_t = (\mathcal{V}, \mathcal{E})$ denote a traffic network at time step $t$, where $\mathcal{V}$ is a set of $n$ nodes (e.g., regions, road segments, roadway sensors, etc.) and $\mathcal{E}$ is a set of edges. The construction of $\mathcal{G}_t$ can be categorized into two types: (1) prior-based, which pre-defines $\mathcal{G}_t$ based on metrics such as geographical proximity and similarity [10], and (2) learning-based, which automatically learns $\mathcal{G}_t$ in an end-to-end way [2]. Note that $\mathcal{G}_t$ can be static or time-evolving depending on the forecasting model. We denote $\mathbf{X}_t = (\mathbf{x}_{1,t}, \mathbf{x}_{2,t}, \cdots, \mathbf{x}_{n,t})$ as the spatiotemporal features associated with $\mathcal{G}_t$, where $\mathbf{x}_{i,t} \in \mathbb{R}^c$ represents the $c$-dimensional time-varying traffic conditions (e.g., traffic volume, traffic speed) and contextual features (e.g., weather, surrounding POIs) of node $v_i \in \mathcal{V}$ at $t$. The spatiotemporal traffic forecasting problem aims to predict traffic states for all $v_i \in \mathcal{V}$ over the next $\tau$ time steps,

$$\hat{\mathbf{Y}}_{t+1:t+\tau} = f_\theta(\mathcal{H}_{t-T+1:t}), \tag{1}$$

where $\mathcal{H}_{t-T+1:t} = \{(\mathbf{X}_{t-T+1}, \mathcal{G}_{t-T+1}), \ldots, (\mathbf{X}_t, \mathcal{G}_t)\}$ denotes the traffic states, which contain the input features and the traffic network in the previous $T$ time steps, $f_\theta(\cdot)$ is the spatiotemporal traffic forecasting model parameterized by $\theta$, and $\hat{\mathbf{Y}}_{t+1:t+\tau} = \{\hat{\mathbf{Y}}_{t+1}, \hat{\mathbf{Y}}_{t+2}, \cdots, \hat{\mathbf{Y}}_{t+\tau}\}$ is the estimated traffic conditions of interest of $\mathcal{V}$ from time step $t+1$ to $t+\tau$. We denote $\mathbf{Y}_{t+1:t+\tau} = \{\mathbf{Y}_{t+1}, \mathbf{Y}_{t+2}, \cdots, \mathbf{Y}_{t+\tau}\}$ as the ground truth of $\mathcal{H}_{t-T+1:t}$.
Note the above formulation is consistent with the state-of-the-art Graph Neural Network (GNN) based spatiotemporal traffic forecasting models [2, 10, 11, 12], and is also generalizable to other variants such as Convolutional Neural Network (CNN) based approaches [13].
2.2 Adversarial attack
Given a machine learning model, adversarial attack aims to mislead the model to derive biased predictions by generating the optimal adversarial example

$$x^* \in \arg\max_{x'} \mathcal{L}(x', y; \theta) \quad \text{s.t.} \quad \|x' - x\|_p \le \varepsilon, \tag{2}$$

where $x'$ is the adversarial example with maximum bound $\varepsilon$ under the $L_p$ norm to guarantee the perturbation is imperceptible to humans, and $y$ is the ground truth of the clean example $x$.
Various gradient-based methods have been proposed to generate adversarial examples, such as FGSM [14], PGD [8], MIM [9], etc. For instance, the adversarial example is $x' = x + \varepsilon\,\mathrm{sign}(\nabla_x \mathcal{L}_{CE}(x, y; \theta))$ in FGSM, where $\mathrm{sign}(\cdot)$ is the Signum function and $\mathcal{L}_{CE}(\cdot)$ is the cross entropy loss.
Note that the adversarial attack happens in the testing stage, and the attackers cannot manipulate the forecasting model or its output. On the benign testing set, the forecasting model can perform well. Based on the amount of information the attacker can access in the testing stage, the adversarial attack can be categorized into three classes. White-box attack. The attacker can fully access the target model, including the model architecture, the model parameters, gradients, model outputs, the input traffic states, and the corresponding labels. Grey-box attack. The attacker can partially access the system, including the target model and the input traffic states, but without the labels. Black-box attack. The attacker can only access the input traffic states, query the outputs of the target model or leverage a surrogate model to craft the adversarial examples.
2.3 Adversarial attack against spatiotemporal traffic forecasting
This work aims to apply adversarial attacks to spatiotemporal traffic forecasting models. We first define the adversarial traffic state as follows,

$$\mathcal{H}'_t = \left\{ (\mathbf{X}'_t, \mathcal{G}_t) : \|\mathbf{S}_t\|_0 \le \eta,\ \|(\mathbf{X}'_t - \mathbf{X}_t) \cdot \mathbf{S}_t\|_p \le \varepsilon \right\}, \tag{3}$$

where $\mathbf{S}_t \in \{0,1\}^{n \times n}$ is a diagonal matrix with the $i$th diagonal element indicating whether node $i$ is a victim node, and $\mathbf{X}'_t$ is the perturbed spatiotemporal feature, named the adversarial spatiotemporal feature. We restrict the adversarial traffic state by the victim node budget $\eta$ and the perturbation budget $\varepsilon$. Note that following the definition of adversarial attack, we leave the topology of $\mathcal{G}_t$ immutable as we regard the adjacency relationship as a part of the model parameter that may be automatically learned in an end-to-end way.
Attack goal. The attacker aims to craft adversarial traffic states to fool the spatiotemporal forecasting model to derive biased predictions. Formally, given a spatiotemporal forecasting model $f_\theta(\cdot)$, the adversarial attack against spatiotemporal traffic forecasting is defined as

$$\max_{\mathcal{H}'_{t-T+1:t},\ t \in \mathcal{T}_{test}} \sum_{t \in \mathcal{T}_{test}} \mathcal{L}(f_{\theta^*}(\mathcal{H}'_{t-T+1:t}), \mathbf{Y}_{t+1:t+\tau}) \tag{4a}$$

$$\text{s.t.} \quad \theta^* = \arg\min_{\theta} \sum_{t \in \mathcal{T}_{train}} \mathcal{L}(f_\theta(\mathcal{H}_{t-T+1:t}), \mathbf{Y}_{t+1:t+\tau}), \tag{4b}$$

where $\mathcal{T}_{test}$ and $\mathcal{T}_{train}$ denote the set of time steps of all testing and training samples, respectively. $\mathcal{L}(\cdot)$ is the loss function measuring the distance between the predicted traffic states and ground truth, and $\theta^*$ is the optimal parameters learned during the training stage.
Since the ground truth (i.e., future traffic states) under the spatiotemporal traffic forecasting setting
is unavailable at run-time, the practical adversarial spatiotemporal attack primarily falls into the
grey-box attack setting.
However, investigating white-box attacks is still beneficial to help us understand how adversarial
attack works and can help improve the robustness of spatiotemporal traffic forecasting models (e.g.,
apply adversarial training). We discuss how to extend our proposed adversarial attack framework to
white-box and black-box settings in Section 3.2.
3 Methodology
In this section, we introduce the practical adversarial spatiotemporal attack framework in detail.
Specifically, our framework consists of two steps: (1) identify the time-dependent victim nodes, and
(2) attack with the adversarial traffic state.
3.1 Identify time-dependent victim nodes
One unique characteristic that distinguishes attacking spatiotemporal forecasting from conventional classification tasks is the inaccessibility of ground truth at the test phase. Therefore, we first construct a surrogate label of the future traffic states to guide the attack direction,

$$\tilde{\mathbf{Y}}_{t+1:t+\tau} = g_\varphi(\mathcal{H}_{t-T+1:t}) + \delta_{t+1:t+\tau}, \tag{5}$$

where $g_\varphi(\cdot)$ is a generalized function (e.g., $\tanh(\cdot)$, $\sin(\cdot)$, $f_\theta(\cdot)$), and $\delta_{t+1:t+\tau}$ are random variables sampled from a probability distribution $\pi(\delta_{t+1:t+\tau})$ to increase the diversity of the attack direction. In our implementation, we derive $\varphi$ based on the pre-trained forecasting model parameter $\theta$, and $\delta_{t+1:t+\tau} \sim U(-\varepsilon/10, \varepsilon/10)$. In real-world production [5], the forecasting models are usually updated in an online fashion (e.g., hourly). Therefore, we estimate the missing latest traffic states based on previous input data, $\tilde{\mathcal{H}}_t = g_\phi(\mathcal{H}_{t-1})$, where $g_\phi(\cdot)$ is the estimation function parameterized by $\phi$. For simplicity, we directly obtain $\phi$ from the pre-trained traffic forecasting model $f_\theta(\cdot)$.
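With the surrogate traffic state label $\tilde{\mathbf{Y}}_{t+1:t+\tau}$, we derive the time-dependent node saliency (TDNS) for each node as

$$\mathbf{M}_t = \left\| \sigma\left( \frac{\partial \mathcal{L}(f_\theta(\tilde{\mathcal{H}}_{t-T+1:t}), \tilde{\mathbf{Y}}_{t+1:t+\tau})}{\partial \tilde{\mathbf{X}}_{t-T+1:t}} \right) \right\|_p, \tag{6}$$

where $\mathcal{L}(f_\theta(\tilde{\mathcal{H}}_{t-T+1:t}), \tilde{\mathbf{Y}}_{t+1:t+\tau})$ is the loss function and $\sigma$ is the activation function. Intuitively, $\mathbf{M}_t$ reveals the node-wise loss impact with the same degree of perturbations. Note that $\mathbf{M}_t$ may vary depending on the time step $t$. A similar idea has also been adopted to identify static pixel saliency for image classification [15].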
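
The following is an added worked example, not the authors' code, that carries Eqs. (5) and (6) through on a toy model to show why the saliency ranking is time-dependent: the same hub sensor ranks first in one input window and last in another, so a sensitivity audit that decides which sensors get integrity monitoring has to be repeated across windows. The 4-sensor graph, the tanh-plus-one-hop forecaster standing in for $f_\theta$, the readings, the fixed $\delta$, the use of the observed window in place of the estimated $\tilde{\mathcal{H}}$, and ReLU as $\sigma$ are all assumptions made for illustration.

```python
import math

# Constructed 4-sensor graph (with self-loops); sensor 1 is a hub.
ADJ = [[1, 1, 0, 0], [1, 1, 1, 1], [0, 1, 1, 0], [0, 1, 0, 1]]
W = [[a / sum(row) for a in row] for row in ADJ]  # row-normalised diffusion
W_TIME = [0.2, 0.3, 0.5]                          # mixing weights over T = 3 steps

def mix(x):
    """Per-node temporal mix of the last T readings."""
    return [sum(w * v for w, v in zip(W_TIME, row)) for row in x]

def forecast(x):
    """Hypothetical stand-in for f_theta: tanh of the mix, then one graph hop."""
    h = [math.tanh(m) for m in mix(x)]
    return [sum(W[i][j] * h[j] for j in range(len(x))) for i in range(len(x))]

def loss(x, y):
    """Mean squared error between the forecast and a label vector."""
    return sum((p - t) ** 2 for p, t in zip(forecast(x), y)) / len(y)

def loss_gradient(x, y):
    """Analytic dL/dx, one row per node and one column per time step."""
    n = len(x)
    resid = [p - t for p, t in zip(forecast(x), y)]
    back = [sum(W[i][j] * resid[i] for i in range(n)) for j in range(n)]
    slope = [1.0 - math.tanh(m) ** 2 for m in mix(x)]
    return [[2.0 / n * back[j] * slope[j] * w for w in W_TIME] for j in range(n)]

def node_saliency(x, delta, p=2):
    """Eq. (5) then Eq. (6): surrogate label f(x) + delta, M = ||sigma(grad)||_p."""
    y_surrogate = [f + d for f, d in zip(forecast(x), delta)]
    grad = loss_gradient(x, y_surrogate)
    relu = lambda g: max(g, 0.0)  # assumption: ReLU as the activation sigma
    return [sum(relu(g) ** p for g in row) ** (1.0 / p) for row in grad]

def top_nodes(saliency, eta):
    """Indices of the eta most salient sensors, most salient first."""
    return sorted(range(len(saliency)), key=lambda i: -saliency[i])[:eta]

# Constructed normalised readings; only the hub differs between the two windows.
DELTA = [-0.01] * 4  # fixed stand-in for a draw from U(-eps/10, eps/10), eps = 0.1
WINDOW_A = [[0.5] * 3, [0.3] * 3, [0.0] * 3, [1.0] * 3]
WINDOW_B = [[0.5] * 3, [2.5] * 3, [0.0] * 3, [1.0] * 3]

if __name__ == "__main__":
    for name, x in (("A", WINDOW_A), ("B", WINDOW_B)):
        print(name, top_nodes(node_saliency(x, DELTA), 2))
```

In window B the hub's reading sits in the flat part of the tanh, so its gradient nearly vanishes even though it has the most neighbours.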