
Least-Squares Slope Attack

Updated 26 November 2025
  • Least-Squares Slope Attack is a targeted adversarial technique that manipulates trends in financial forecasts by optimizing input perturbations under strict bounds.
  • It employs least-squares regression to calculate the best-fit slope over forecasting points, enabling controlled directional changes in models like N-HiTS.
  • Empirical evaluations reveal substantial slope alterations and stealth effectiveness, highlighting the need for robust security measures in ML pipelines.

The Least-Squares Slope Attack (LSSA) is a targeted adversarial methodology designed to manipulate the long-term directional trend (slope) of financial time-series forecasts. Unlike adversarial perturbations that target classification errors, LSSA seeks to introduce subtle yet strategically significant trend alterations within the prediction outputs of sequence models such as N-HiTS. The attack is formulated by optimizing input perturbations bounded in $\ell_\infty$-norm ($\|\eta\|_\infty \leq \epsilon$) to ensure stealthiness, and is characterized by its use of the least-squares best-fit slope to modulate the trajectory of the forecast over the entire prediction horizon. LSSA bypasses common security mechanisms, including CNN-based discriminators, and demonstrates empirical efficacy and stealth in financial forecasting benchmarks (Luszczynski, 24 Nov 2025).

1. Mathematical Framework and Slope Optimization

LSSA departs from endpoint-based adversarial techniques by fitting a least-squares regression across all forecast points. For a time-series input $x$ (e.g., 300 days of adjusted prices) processed by an N-HiTS forecaster $f$, the attack objective is to find a perturbation $\eta$ such that the forecast $\hat{y} = f(x+\eta)$ exhibits an anomalous slope $m$ in a designated direction $t\in\{-1,0,1\}$ (downward, flat, upward).

The least-squares slope $m$ over $N$ forecast points $(x_i, \hat{y}_i)$ (with $x_i = i$) is given by:

$$m = \frac{\sum_{i=1}^N (x_i - \bar{x})(\hat{y}_i - \bar{y})}{\sum_{i=1}^N (x_i - \bar{x})^2}$$

where $\bar{x} = (1/N)\sum_{i} x_i$ and $\bar{y} = (1/N)\sum_i \hat{y}_i$.

The slope-based loss function is parameterized to penalize undesired trends:

$$\text{loss}(m) = \begin{cases} c\, e^{-t d m}, & \text{if}~ t \in \{-1,1\} \\ c\, m^2, & \text{if}~ t = 0 \end{cases}$$

where $c$ and $d$ are scalar hyperparameters controlling penalty strength.
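The closed-form slope above, as an added example (not code from the paper): it computes $m$ for a forecast and flags slopes that are outliers against the slopes of trusted forecasts, and it shows an endpoint-only check missing a shift that the least-squares fit picks up. The baseline slopes, sample forecasts and z threshold are constructed assumptions.

```python
# Added example: output-side trend check built on the least-squares slope.
# Baseline slopes, forecasts and the z threshold are constructed assumptions.
from statistics import median


def ls_slope(forecast):
    """Best-fit slope m over points (i, y_i), i = 1..N."""
    n = len(forecast)
    if n < 2:
        raise ValueError("need at least two forecast points")
    x_bar = (n + 1) / 2.0
    y_bar = sum(forecast) / n
    num = sum((i - x_bar) * (y - y_bar) for i, y in enumerate(forecast, 1))
    den = sum((i - x_bar) ** 2 for i in range(1, n + 1))
    return num / den


def endpoint_slope(forecast):
    """Slope through the first and last forecast point only."""
    return (forecast[-1] - forecast[0]) / (len(forecast) - 1)


def robust_z(value, baseline):
    """Median/MAD z-score; 1.4826 scales MAD to a normal standard deviation."""
    med = median(baseline)
    mad = median(abs(b - med) for b in baseline)
    if mad == 0:
        raise ValueError("baseline slopes have zero spread")
    return (value - med) / (1.4826 * mad)


def flag_trend(forecast, baseline_slopes, z_max=3.5):
    """Alert when the forecast's least-squares slope is a baseline outlier."""
    m = ls_slope(forecast)
    z = robust_z(m, baseline_slopes)
    return {"slope": m, "z": z, "alert": abs(z) > z_max}


# Constructed data: slopes of trusted 20-step forecasts, one ordinary forecast,
# and one whose endpoints match it while interior points follow a steeper line.
BASELINE_SLOPES = [0.019, 0.021, 0.022, 0.0225, 0.023, 0.024, 0.026]
ORDINARY = [100 + 0.0222 * i for i in range(1, 21)]
PINNED = [y + (0.03 * (i - 10.5) if 1 < i < 20 else 0.0)
          for i, y in enumerate(ORDINARY, 1)]

if __name__ == "__main__":
    for name, fc in (("ordinary", ORDINARY), ("pinned", PINNED)):
        print(name, round(endpoint_slope(fc), 4), flag_trend(fc, BASELINE_SLOPES))
```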

2. Iterative Adversarial Perturbation Algorithm

LSSA implements projected gradient descent to optimize $\eta$ subject to $\|\eta\|_\infty \leq \epsilon$, maximizing the slope deviation. The canonical iteration is:

$$x^{k+1}_{\text{adv}} = \text{clip}_{[x-\epsilon, x+\epsilon]} \Bigl( x^k_{\text{adv}} - \alpha\, \text{sign}(\nabla_{x_{\text{adv}}} \text{loss}) \Bigr)$$

with $\alpha = 1.5\epsilon/I$ and $I$ as the total number of steps (typically $I=30$).

The stepwise procedure is as follows:

  • Initialize $x_{\text{adv}} \leftarrow x$
  • For $k=1,\ldots,I$:

    1. Enable gradients on $x_{\text{adv}}$
    2. Extract features (e.g., rolling means, returns)
    3. Forecast $\hat{y} = f(\text{features})$
    4. Compute slope $m_{LS}$
    5. Calculate loss
    6. Backpropagate to obtain gradients
    7. Update $x_{\text{adv}}$
    8. Project within perturbation bounds
    9. Detach gradients
  • Return $x_{\text{adv}}$

3. Integration with N-HiTS and Generative Architectures

LSSA is implemented with direct white-box access to the N-HiTS inference pipeline via PyTorch-Forecasting (encoder length=100, forecast=20), leveraging backpropagation for slope loss optimization through all layers. Feature extraction includes rolling statistics and returns to match the forecasting model’s expected input.

In the generative context, LSSA is incorporated within a Conditional Wasserstein GAN (A-GAN) that produces synthetic 99-day log-return sequences conditioned on actual returns. The generator $G(z)$ ($z\sim N(0,I)$) yields price-space samples, which are input to N-HiTS. The LSSA loss is appended to the generator’s objective:

$$L_G = \mathbb{E}[-D(G(z)|\text{cond})] + \alpha\, L_{\text{slope}}$$

where $D$ is the WGAN critic and $\alpha$ modulates the adversarial component. The critic employs a gradient penalty $\lambda \|\nabla D\|^2$. By backpropagating through N-HiTS into $G$, the model learns to synthesize realistic but slope-manipulated data.

4. Experimental Evaluation and Metrics

Empirical analysis on financial time-series (first 300 days) demonstrates slope manipulation effectiveness and stealth:

Attack Type MAE GenSlope LS-Slope
Normal 2.15 3.37e–2 2.22e–2
FGSM 2.57 ≈3.22e–2 ≈2.34e–2
TIM (Upward) 3.72e–2 2.00e–2
LSSA (Upward) 2.49 5.38e–2 4.96e–2
LSSA (Downward) –5.04e–3

LSSA (Upward) increases LS-Slope by +120% versus normal; downward attacks invert the predicted trend. Epsilon sweeps show that LS-Slope under LSSA grows roughly linearly with $\epsilon$, ranging from 2.97e–2 (0.5%) to 7.22e–2 (4%), compared to normal’s 2.22e–2.

Discriminator stealth metrics indicate that a 4-layer CNN (trained to detect adversarial samples) achieves only 56.25% accuracy and 26.40% specificity under LSSA; Cohen’s $\kappa = 0.125$ is near random, confirming covert characteristics. In contrast, A-GAN samples are highly detectable (accuracy=92.8%).

On stock “A,” A-GAN manipulates LS-Slope from real data’s –2.41e–3 to 2.17e–1 (a 90× increase), while maintaining moment statistics $\mu, \sigma, \text{skew}, \text{kurtosis}$ comparable to the real distribution (MMD=1.2e–4).

5. Implementation Details and Malware Injection

Algorithmic parameters include $I=30$ iterations, $\alpha=1.5\epsilon/I$, $c=5$, $d=2$, $\epsilon = p\%\cdot \text{median(price)}$ ($p \in [0.5,4.0]$). A-GAN configuration comprises a conditional WGAN with a 4-layer TCN generator and a 5-layer TCN+GRU critic, gradient penalty $\lambda=1$, and an adversarial loss coefficient $\alpha_{\text{adversarial}}\in[0.25,0.35]$ across five 50-epoch blocks.

The malware sample is structured to inject the slope attack within the model’s inference library (e.g., in __init__.py), intercepting model calls and embedding the attack code while eliminating torch.no_grad() blocks.

6. Limitations and Security Implications

Adversarial training for N-HiTS is rendered operationally impractical due to rolling window constraints and feature dependencies on prices. A-GAN is susceptible to mode collapse, yielding low-diversity outputs that become less covert. The General Slope Attack (GSA) maintains stealth near endpoints but cannot invert long-term trends.

Security challenges are pronounced: standard input discriminators (e.g., 4-layer CNN) exhibit low specificity (<28%) against slope attacks, allowing adversaries to manipulate model outputs while remaining undetected. Malware injection at the model interface enables white-box adversary capabilities, circumventing input validation and gradient-blocking measures.

Recommended countermeasures include adversarial training on less complex models or modified N-HiTS architectures that avoid direct price features, input sanity checks utilizing stronger or ensemble discriminators, and securing the ML pipeline via code hashing, rigorous reviews, and runtime integrity verification.
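One way to implement the code-hashing countermeasure, as an added example that is not from the paper: a SHA-256 manifest of the inference package is taken at release and re-checked before model load, so any edit to `__init__.py`, including removal of a `torch.no_grad()` block, shows up as a digest mismatch. The package name `forecast_lib` and the file contents are constructed.

```python
# Added example: hash-manifest check for an inference package before model load.
# The package layout and file contents below are constructed for the demo.
import hashlib
import hmac
import tempfile
from pathlib import Path


def build_manifest(pkg_root):
    """Map each .py file (relative path) to its SHA-256, taken at release."""
    root = Path(pkg_root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.py"))
    }


def verify_package(pkg_root, manifest):
    """Return sorted findings; an empty list means the tree matches."""
    current = build_manifest(pkg_root)
    findings = []
    for rel, digest in manifest.items():
        if rel not in current:
            findings.append(("missing", rel))
        elif not hmac.compare_digest(digest, current[rel]):
            findings.append(("modified", rel))
    findings += [("unexpected", rel) for rel in current if rel not in manifest]
    return sorted(findings)


def demo():
    """Constructed package whose __init__.py changes after the manifest is taken."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "forecast_lib"  # hypothetical package name
        (pkg / "models").mkdir(parents=True)
        init = pkg / "__init__.py"
        init.write_text("from .models import predict\n")
        (pkg / "models" / "__init__.py").write_text(
            "def predict(x):\n    return x  # stands in for guarded inference\n")
        manifest = build_manifest(pkg)
        clean = verify_package(pkg, manifest)
        init.write_text(init.read_text() + "# appended after release\n")
        (pkg / "hook.py").write_text("# file not in the release\n")
        return clean, verify_package(pkg, manifest)
```

The manifest has to be stored or signed where a process that can write to the package cannot reach it; a manifest kept beside the code can be rewritten along with it.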

7. Context and Implications for ML Security

The LSSA underscores the necessity of holistic ML security beyond model-level robustness, extending protection requirements to data pipelines and inference infrastructure. The demonstrated effectiveness of LSSA and related slope-based attacks in manipulating financial forecasts and evading detection mechanisms suggests an elevated risk profile for time-series ML applications within critical domains. A plausible implication is that approaches focusing solely on model architecture are insufficient; comprehensive defenses must encompass pipeline integrity, input validation, and adversarial awareness throughout deployment (Luszczynski, 24 Nov 2025).
