Balancing the trade-off between accuracy and robustness is a long-standing challenge in time series forecasting. While most existing robust algorithms achieve only suboptimal performance on clean data, sustaining even that performance level in the presence of data perturbations remains extremely hard. In this paper, we study a wide array of perturbation scenarios and propose novel defense mechanisms against adversarial attacks using real-world telecom data. We compare our strategy against two existing adversarial training algorithms under a range of maximal allowed perturbations, defined as an $\ell_{\infty}$-norm budget in $[0.1, 0.4]$. Our findings reveal that our hybrid strategy, composed of a classifier that detects adversarial examples, a denoiser that removes the perturbation from flagged data samples, and a standard forecaster, achieves the best performance on both clean and perturbed data. Our best model retains up to $92.02\%$ of the original forecasting model's performance in terms of Mean Squared Error (MSE) on clean data, while being more robust than standard adversarially trained models on perturbed data. Its MSE is 2.71$\times$ and 2.51$\times$ lower than those of the competing methods on clean and perturbed data, respectively. In addition, the components of our model can be trained in parallel, which improves computational efficiency. Our results indicate that the trade-off between the performance and robustness of forecasting models can be optimally balanced by improving the classifier and denoiser, even in the presence of sophisticated and destructive poisoning attacks.
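The pipeline described in the abstract, as an added illustration that is not code from the paper: a standard forecaster is attacked under an $\ell_{\infty}$ budget, a classifier decides whether a window looks adversarial, and only flagged windows are routed through the denoiser before forecasting. All components here are deliberately simple stand-ins chosen for this sketch, not the paper's learned models: the forecaster is a ridge-regression autoregressive model on the last 8 values, the attack is a single FGSM step (which, for a linear model with nonzero error, is the exact worst case inside the $\ell_{\infty}$ ball), the classifier is a threshold on the window's deviation from its own smoothed version, calibrated on adversarial examples the defender generates from its own clean data, and the denoiser is a 3-point moving average. The AR(2) series is constructed sample data standing in for a telecom traffic series; the budgets swept in `__main__` match the abstract's $[0.1, 0.4]$ range, but the MSE ratios the paper reports are its own and are not reproduced by this toy.

```python
import random
from statistics import median

W = 8  # lags fed to the forecaster; window[-1] is the newest observation

def make_series(n, seed=0, sigma=0.1):
    """Constructed sample data: a stationary AR(2) process standing in for a telecom traffic series."""
    rng = random.Random(seed)
    x = [0.0, 0.0]
    for _ in range(n - 2):
        x.append(1.5 * x[-1] - 0.8 * x[-2] + rng.gauss(0.0, sigma))
    return x

def windows(series):
    # (lag window, next value) pairs for one-step-ahead forecasting
    return [(series[t - W:t], series[t]) for t in range(W, len(series))]

def solve(a, b):
    """Gaussian elimination with partial pivoting; keeps the example free of numpy."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            for k in range(c, n + 1):
                m[r][k] -= f * m[c][k]
    w = [0.0] * n
    for r in range(n - 1, -1, -1):
        w[r] = (m[r][n] - sum(m[r][k] * w[k] for k in range(r + 1, n))) / m[r][r]
    return w

class LinearForecaster:
    """Standard forecaster: ridge regression of the next value on the last W values plus a bias."""
    def __init__(self, data, ridge=1e-3):
        rows, ys, d = [win + [1.0] for win, _ in data], [y for _, y in data], W + 1
        ata = [[sum(r[i] * r[j] for r in rows) + (ridge if i == j else 0.0) for j in range(d)]
               for i in range(d)]
        atb = [sum(r[i] * y for r, y in zip(rows, ys)) for i in range(d)]
        coef = solve(ata, atb)
        self.w, self.b = coef[:W], coef[W]

    def predict(self, win):
        return sum(wi * xi for wi, xi in zip(self.w, win)) + self.b

def fgsm(model, win, y, eps):
    """l_inf attack: x + eps*sign(d loss/d x) for squared-error loss, so every entry moves by +-eps.
    For a linear forecaster with nonzero error this is the exact worst case inside the eps-ball."""
    e = model.predict(win) - y
    g = [2.0 * e * wi for wi in model.w]  # gradient of (prediction - y)^2 w.r.t. the window
    return [xi + eps * ((gi > 0) - (gi < 0)) for xi, gi in zip(win, g)]

def denoise(win):
    """Denoiser: centred 3-point moving average (edges average the two values available)."""
    n = len(win)
    return [sum(win[max(0, i - 1):min(n, i + 2)]) / (min(n, i + 2) - max(0, i - 1)) for i in range(n)]

def score(win):
    """Detector feature: largest deviation of the window from its own denoised version."""
    return max(abs(a - b) for a, b in zip(win, denoise(win)))

def calibrate_detector(model, data, eps):
    """Stand-in for the learned classifier: threshold halfway between the median score of clean
    windows and the median score of the defender's own FGSM examples built from those windows."""
    clean = median(score(w) for w, _ in data)
    adv = median(score(fgsm(model, w, y, eps)) for w, y in data)
    return (clean + adv) / 2.0

def hybrid_forecast(model, win, thr):
    """Classifier -> denoiser -> forecaster.  Returns (prediction, flagged_as_adversarial)."""
    if score(win) > thr:
        return model.predict(denoise(win)), True
    return model.predict(win), False

def mse(preds, ys):
    return sum((p - y) ** 2 for p, y in zip(preds, ys)) / len(ys)

def evaluate(eps, seed=0):
    """MSE of the plain and hybrid forecasters on clean and on eps-perturbed held-out windows."""
    train, test = windows(make_series(2000, seed)), windows(make_series(500, seed + 1))
    model = LinearForecaster(train)
    thr = calibrate_detector(model, train, eps)
    ys = [y for _, y in test]
    adv = [fgsm(model, w, y, eps) for w, y in test]
    return {
        "plain_clean": mse([model.predict(w) for w, _ in test], ys),
        "plain_adv": mse([model.predict(w) for w in adv], ys),
        "hybrid_clean": mse([hybrid_forecast(model, w, thr)[0] for w, _ in test], ys),
        "hybrid_adv": mse([hybrid_forecast(model, w, thr)[0] for w in adv], ys),
        "detected_adv": sum(hybrid_forecast(model, w, thr)[1] for w in adv) / len(adv),
    }

if __name__ == "__main__":
    for eps in (0.1, 0.2, 0.3, 0.4):  # the paper's range of l_inf budgets
        print(eps, {k: round(v, 4) for k, v in evaluate(eps).items()})
```

Two properties of the sketch are worth checking when adapting it: the attacked window never leaves the $\ell_{\infty}$ ball (each entry moves by exactly $\pm\varepsilon$), and because the classifier gates the denoiser, an unflagged window reaches the forecaster untouched, which is what keeps clean-data accuracy close to the plain model. The weak point is equally visible: a perturbation that the smoothing residual cannot see (for instance a near-constant shift of $\varepsilon$ across the window) slips past this detector, which is why the paper's classifier and denoiser are learned rather than hand-built.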