Recent years have witnessed the success of recurrent neural network (RNN) models in time series classification (TSC). However, neural networks (NNs) are vulnerable to adversarial samples, which cause real-life adversarial attacks that undermine the robustness of AI models. To date, most existing attacks target feed-forward NNs and image recognition tasks, but they cannot perform well on RNN-based TSC. This is due to the cyclical computation of RNNs, which prevents direct model differentiation. In addition, the high visual sensitivity of time series to perturbations also poses challenges to local objective optimization of adversarial samples. In this paper, we propose an efficient method called TSFool to craft highly imperceptible adversarial time series for RNN-based TSC. The core idea is a new global optimization objective known as the "Camouflage Coefficient" that captures the imperceptibility of adversarial samples from the class distribution. Based on this, we reduce the adversarial attack problem to a multi-objective optimization problem that enhances the perturbation quality. Furthermore, to speed up the optimization process, we propose to use a representation model for the RNN to capture deeply embedded vulnerable samples whose features deviate from the latent manifold. Experiments on 11 UCR and UEA datasets show that TSFool significantly outperforms six white-box and three black-box benchmark attacks in terms of effectiveness, efficiency and imperceptibility from various perspectives, including standard measures, human study and real-world defense.