Defending Against Adversarial Attacks on Time-series with Selective Classification

Despite their many advantages, deep learning models are known for their poor performance on input data that is dissimilar to the training data. With adversarial attacks the input data is intentionally perturbed to test the model's robustness. Low robustness of deep learning models prohibits their usage in safety critical applications. This study suggests to counteract adversarial attacks with a combination of adversarial training and selective classification. While adversarial training is a state-of-the-art approach to increase the robustness against adversarial attacks, selective classification is thus far mainly used to improve the model performance independent of targeted attacks. It identifies malicious samples and neglects them instead of conducting false predictions. This work shows that combining both approaches leads to a more performant defense against adversarial attacks. Four different methods for selective time-series classification regarding their impact on defense against different white- and black-box attacks are evaluated: Softmax Respone, VAE Reconstruction Loss, Selective Net and a Joint Model, the latter being a combination of a VAE and a classifier developed by the authors of this work in a previous paper. The study reveals the superiority of the Joint Model approach for strong white-box attacks.