N-HiTS Model & General Slope Attack (GSA)

Updated 26 November 2025

N-HiTS Model is a deep learning forecaster that predicts multi-step future values from time-series data, often applied in financial modeling.
GSA employs an iterative gradient-based optimization under ℓ∞ constraints to precisely adjust the forecast endpoint slope with minimal perturbation.
Empirical evaluations show that GSA can double or reverse forecast trends while maintaining forecast accuracy and evading detection by standard discriminators.

The General Slope Attack (GSA) is a targeted adversarial attack methodology developed for time-series forecasting models, specifically designed to manipulate the trend of predictions, such as those produced by an N-HiTS deep learning model. By optimizing a bespoke loss that encodes the desired change in the slope of the multi-step forecast, GSA enables fine-grained trend manipulation with minimal input perturbation, maintaining a high degree of stealth against typical discrimination mechanisms (Luszczynski, 24 Nov 2025).

1. Formal Definition and Problem Setup

In the GSA framework, the attacker operates under a white-box setting with full access to the target model, typically an N-HiTS forecaster $f(\cdot)$ . The input is a time-series vector $x \in \mathbb{R}^n$ (e.g., the last $n=300$ days of adjusted stock prices), and the model outputs a multi-step forecast $\hat{y} = f(x) \in \mathbb{R}^H$ for $H$ future time points.

The goal is to construct a perturbed input $x_\mathrm{adv} = x + \delta$ obeying the constraint $\|\delta\|_\infty \leq \epsilon$ , where $\epsilon$ is typically a small fraction (e.g., $2\%$ ) of the median price. The key objective is to ensure that the slope, defined as

$m(x_\mathrm{adv}) = \frac{\hat{y}_2 - \hat{y}_1}{H - 1}$

(where $\hat{y}_1$ and $\hat{y}_2$ represent the first and last forecasted values), is significantly altered, typically either doubled, reversed, or flattened, while the input perturbation remains imperceptible.

A target direction $t \in \{+1, 0, -1\}$ is used to control whether the attack aims to increase, flatten, or decrease the slope.

2. Optimization Formulation and Loss Construction

The attack is formulated as minimizing a slope-focused loss function under an $\ell_\infty$ -norm constraint on the input perturbation: $\min_{\delta}\;\; L_\mathrm{slope}(x + \delta) \quad \text{subject to} \quad \|\delta\|_\infty \leq \epsilon$ The slope loss $L_\mathrm{slope}$ depends on the target direction $t$ :

For $t \in \{+1, -1\}$ (increase or decrease slope):

$L_\mathrm{slope}(x_\mathrm{adv}) = c \cdot e^{-t \cdot d \cdot m(x_\mathrm{adv})}$

For $t = 0$ (flatten trend):

$L_\mathrm{slope}(x_\mathrm{adv}) = c \cdot \left[ m(x_\mathrm{adv}) \right]^2$

Here, $c > 0$ and $d > 0$ act as scaling hyperparameters. The exponentiated loss formulation for $t \neq 0$ accelerates convergence toward the targeted slope direction.

3. Iterative Gradient-Based Attack Algorithm

GSA employs an iterative, projected gradient approach to optimize the adversarial perturbation. The algorithm proceeds as follows for $K$ iterations:

Enable gradient computation on the current adversarial input $x_\mathrm{adv}^k$ .
Compute the model's forecast $\hat{y} = f(x_\mathrm{adv}^k)$ .
Calculate the empirical slope $m = (\hat{y}_2 - \hat{y}_1)/(H - 1)$ .
Evaluate the loss $L_\mathrm{slope}$ .
Backpropagate to compute the gradient $\nabla_{x_\mathrm{adv}^k} L$ .
Update using $x_\mathrm{adv}^{k+1} \gets x_\mathrm{adv}^k - \alpha \cdot \mathrm{sign}( \nabla_{x_\mathrm{adv}^k} L )$ .
Project to satisfy the $\ell_\infty$ constraint: $x_\mathrm{adv}^{k+1} \gets \mathrm{clamp}( x_\mathrm{adv}^{k+1}, x - \epsilon, x + \epsilon )$ .
Detach gradients.
Repeat for $K$ steps, returning $x_\mathrm{adv}^K$ as the attacked sample.

Key hyperparameters:

$\epsilon$ : Maximum perturbation per feature, typically $2\%$ of the median adjusted price.
$K$ : Number of iterations, typically $20$–$50$.
$\alpha$ : Step size, suggested as $1.5 \epsilon / K$ .
$c, d$ : Loss scaling and sensitivity parameters.
$t$ : Trend direction target.

4. Empirical Evaluation and Trends

Extensive tests on financial time-series using an N-HiTS forecaster validate the effectiveness of GSA. Representative results, using $\epsilon = 2\%$ of median price, $K=40$ , $\alpha = 1.5\epsilon/K$ , $c=5$ , $d=2$ , and $t \in \{+1,-1\}$ or $0$, demonstrate key characteristics:

Attack	MAE	RMSE	MAPE	Gen. Slope	LS. Slope
Normal (no attack)	2.15	2.72	$3.82 \times 10^{-2}$	$3.37 \times 10^{-2}$	$2.22 \times 10^{-2}$
FGSM	2.57	3.21	$4.51 \times 10^{-2}$	$3.22 \times 10^{-2}$	$2.34 \times 10^{-2}$
BIM	3.38	3.99	$5.68 \times 10^{-2}$	$3.48 \times 10^{-2}$	$2.39 \times 10^{-2}$
TIM (Up)	2.49	3.21	$4.52 \times 10^{-2}$	$3.72 \times 10^{-2}$	$2.00 \times 10^{-2}$
GSA (Up)	2.26	2.88	$4.03 \times 10^{-2}$	$6.76 \times 10^{-2}$	$2.77 \times 10^{-2}$
GSA (Down)	2.23	2.83	$3.89 \times 10^{-2}$	$-1.68 \times 10^{-4}$	$1.75 \times 10^{-2}$

GSA (Up) achieves a near doubling of the endpoint slope (from $0.0337$ to $0.0676$) with minimal impact on mean absolute error or RMSE. GSA (Down) reverses the forecast trend. The increase in slope scales approximately linearly with $\epsilon$ . A plausible implication is that GSA's targeted perturbation mechanism provides efficient and precise trend manipulation with relatively undetectable modifications to the input.

5. Stealth and Evasion Properties

GSA is characterized by high stealth. When a four-layer CNN discriminator attempts to differentiate GSA-perturbed from clean inputs, it attains only $28\%$ specificity and $57\%$ overall accuracy, approximating random guessing. This suggests that GSA exploits model-specific vulnerabilities without introducing artifacts easily identifiable by adversarial detectors. Notably, because the loss term exclusively involves the forecast endpoints, the perturbations minimally impact the middle-slice forecast values, further enhancing detectability resilience.

6. Comparative Analysis with Prior Adversarial Approaches

Compared to classical adversarial methods such as FGSM, BIM, and MI-FGSM—which maximize pointwise errors (e.g., MAE) and do not consider trend manipulation—GSA induces explicit and significant changes in the prediction trend. The Temporal-Intensity Manipulation (TIM) method, in contrast, requires specifying an ad-hoc per-timestep target or scalar shift, affecting the forecast pattern more globally but lacking direct slope control.

Distinctive GSA properties include:

Direct optimization of the forecast's endpoint slope rather than generating a full synthetic target.
Fine-grained control over trend direction and magnitude (e.g., exact slope doubling).
Preservation of forecast shape in regions away from the endpoints, improving stealth.
Lightweight computational burden relative to adversarial sample construction alternatives.

7. Applications and Security Implications

GSA represents a practical tool for both evaluating adversarial robustness and probing security in financial time-series forecasting. Its integration into a generative adversarial network (GAN) architecture has been demonstrated for generating realistic, adversarial synthetic data capable of simultaneously deceiving both forecaster and discriminator. Demonstrations also include the use of adversarial malware capable of manipulating inputs at the inference library level, highlighting the need for comprehensive machine learning security that encompasses the entire deployment pipeline, beyond model-level defenses (Luszczynski, 24 Nov 2025).

Markdown Upgrade to Chat

References (1)

Targeted Manipulation: Slope-Based Attacks on Financial Time-Series Data (2025)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to N-HiTS Model.