Multivariate long-term time series forecasting (MLTSF) models are increasingly deployed in critical domains such as climate, finance, and transportation. Despite their growing importance, the security of MLTSF models against backdoor attacks remains entirely unexplored. To bridge this gap, we propose BadTime, the first effective backdoor attack tailored for MLTSF. BadTime can manipulate hundreds of future predictions toward a target pattern by injecting a subtle trigger. BadTime addresses two key challenges that arise uniquely in MLTSF: (i) the rapid dilution of local triggers over long horizons, and (ii) the extreme sparsity of backdoor signals under stealth constraints. To counter dilution, BadTime leverages inter-variable correlations, temporal lags, and data-driven initialization to design a distributed, lag-aware trigger that ensures effective influence over long-range forecasts. To overcome sparsity, it introduces a hybrid strategy to select valuable poisoned samples and a decoupled backdoor training objective that adaptively adjusts the model's focus on the sparse backdoor signal, ensuring reliable learning at a poisoning rate as low as 1%. Extensive experiments show that BadTime significantly outperforms state-of-the-art (SOTA) backdoor attacks on time series forecasting by extending the attackable horizon from at most 12 timesteps to 720 timesteps (a 60-fold improvement), reducing MAE by over 50% on target variables, and boosting stealthiness by more than 3-fold under anomaly detection.

翻译：多元长期时间序列预测（MLTSF）模型正日益部署于气候、金融和交通等关键领域。尽管其重要性不断提升，但MLTSF模型面对后门攻击的安全性仍完全未被探索。为填补这一空白，我们提出了BadTime，这是首个针对MLTSF定制且有效的后门攻击方法。BadTime能够通过注入一个细微的触发器，操纵数百个未来预测值朝向目标模式。BadTime解决了在MLTSF中独特出现的两个关键挑战：（i）局部触发器在长预测范围内快速稀释的问题，以及（ii）在隐蔽性约束下后门信号极度稀疏的问题。为应对稀释，BadTime利用变量间相关性、时间滞后和数据驱动的初始化，设计了一种分布式、滞后感知的触发器，确保对长期预测的有效影响。为克服稀疏性，它引入了一种混合策略来选择有价值的污染样本，以及一个解耦的后门训练目标，该目标自适应地调整模型对稀疏后门信号的关注，确保在低至1%的污染率下实现可靠学习。大量实验表明，BadTime在时间序列预测的后门攻击中显著优于现有最优（SOTA）方法，将可攻击的预测范围从最多12个时间步扩展至720个时间步（提升60倍），在目标变量上降低MAE超过50%，并在异常检测下将隐蔽性提升超过3倍。