arxiv: 2510.10140 · v2 · pith:YMXDIDCXnew · submitted 2025-10-11 · 💻 cs.LG · cs.CR · stat.ML

Adversarial Attacks on Downstream Weather Forecasting Models: Application to Tropical Cyclone Trajectory Prediction

Pith reviewed 2026-05-21 20:05 UTC · model grok-4.3

classification 💻 cs.LG · cs.CR · stat.ML
keywords adversarial attacks, weather forecasting, tropical cyclone, trajectory prediction, surrogate model, class imbalance, gradient-based attacks

The pith

Small changes to upstream weather forecasts can redirect downstream tropical cyclone trajectory predictions to specific targets.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper investigates the vulnerability of deep learning weather forecasting models to adversarial perturbations in their inputs that alter predicted tropical cyclone paths. Conventional attacks struggle because TC detectors act as opaque non-differentiable systems and because cyclones occur so rarely that class imbalance blocks effective optimization. Cyc-Attack addresses both issues by training a surrogate detector to enable gradients, applying a skewness-aware loss with kernel dilation for the imbalance, and adding distance-based weighting plus regularization to keep changes realistic and hidden. If the approach succeeds, it establishes that upstream forecast data can be manipulated to produce attacker-chosen storm tracks in downstream outputs.

Core claim

Cyc-Attack approximates the conventional TC detection system with a differentiable surrogate model, enabling gradient-based optimization of perturbations to upstream forecasts. It incorporates a skewness-aware loss function with kernel dilation to manage the class imbalance from rare TC events and uses distance-based gradient weighting along with regularization to ensure the resulting trajectories appear realistic and the perturbations remain stealthy. Experiments indicate this yields higher true positive rates for target trajectories, lower false alarm rates, and less detectable changes than conventional attack approaches.

What carries the argument

Cyc-Attack, which replaces the black-box TC detector with a differentiable surrogate and combines it with a skewness-aware loss and regularization constraints to enable targeted adversarial perturbations on upstream forecasts.

Load-bearing premise

A differentiable surrogate model can be trained to approximate the opaque non-differentiable TC detection system closely enough that gradient-based attacks transfer effectively.

What would settle it

Applying the perturbations generated using the surrogate directly to the original conventional TC detection system and measuring whether the true positive rate for matching target trajectories falls substantially below the reported levels.

Figures

Figures reproduced from arXiv: 2510.10140 by Francisco Santos, Lifeng Luo, Pang-Ning Tan, Yue Deng.

Figure 1: Adversarial manipulation of Hurricane Irene’s projected trajectory, generated using TempestExtremes software from the 10-day weather forecast of the GraphCast model, steering its original forecasted path (shown as blue line) towards a targeted region with extensive energy infrastructure (shown as red line). Generating realistic adversarial weather forecasts that alter the original TC trajectories is cha…
Figure 2: Adversarial attack on downstream tropical
Figure 3: Visualization of TC location predictions
Figure 4: Visualization of adversarial attacks. Top: Hurricane
Figure 5: Hurricane Delta (from 10/26/2020 to 11/05/2020). Description follows
Figure 6: Effect of the perturbation clipping threshold
Figure 7: Perturbations (right) were added to the original
Figure 8: For hurricane Delta (2020), the left panel shows the original
Figure 9: Difference (right) between the original GraphCast wind-speed forecasts (left, in knots) and the adversarial forecasts (middle, in knots) produced from the constructed adversarial upstream inputs shown in
Figure 10: provides supplementary results illustrating the sensitivity of Cyc-Attack to the choice of dilation radius. These results are consistent with the conclusions presented in the main text: as the dilation radius increases, the generated adversarial predicted trajectories exhibit more pronounced zigzagging, and, to a certain extent, induce an increased number of false-positive trajectories. Figure 11 provide…
Figure 11: Cyclone Maria (09/16/2017–09/26/2017) and Cyclone Nargis (04/27/2008–05/07/2008), shown from top to bottom. The description follows

Original abstract

Deep learning-based weather forecasting (DLWF) models leverage past weather observations to generate future forecasts, supporting a wide range of downstream applications, including tropical cyclone (TC) prediction. In this paper, we investigate their vulnerability to adversarial attacks, where subtle perturbations to the upstream forecasts can alter the downstream TC trajectory predictions. Although research into adversarial attacks on DLWF models has grown recently, it remains challenging to craft perturbed upstream forecasts that steer the downstream outputs toward attacker-specified trajectories. First, conventional TC detection systems are opaque, non-differentiable black boxes, making standard gradient-based attacks infeasible. Second, the extreme rarity of TC events leads to a severe class imbalance problem, making it difficult to develop attack methods for perturbing upstream forecasts that produce realistic-looking cyclone paths aligned with the attacker's target trajectories. To overcome these limitations, we propose Cyc-Attack, a novel method for perturbing the upstream forecasts of DLWF models to generate adversarial trajectories. The proposed method uses a differentiable surrogate model to approximate the TC detector's output, enabling the application of gradient-based attacks. Cyc-Attack also employs a skewness-aware loss function with a kernel dilation strategy to address the imbalance problem. Finally, a distance-based gradient weighting scheme and regularization are used to constrain the perturbations and eliminate unrealistic-looking trajectories, thereby making the adversarial upstream forecasts less easily detectable. Our experiments show that Cyc-Attack achieves a higher true positive rate in matching the attacker's target trajectories, along with lower false alarm rates and stealthier perturbations than conventional attack methods.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes Cyc-Attack, a method to craft adversarial perturbations on upstream forecasts from deep learning weather forecasting (DLWF) models in order to steer downstream tropical cyclone (TC) trajectory predictions toward attacker-specified targets. It addresses the non-differentiability of conventional TC detectors via a trainable surrogate model, introduces a skewness-aware loss combined with kernel dilation to mitigate severe class imbalance, and applies distance-based gradient weighting plus regularization to produce stealthy, realistic-looking perturbations. The central experimental claim is that Cyc-Attack attains higher true-positive rate for target-trajectory matching, lower false-alarm rate, and greater stealth than conventional attack baselines.

Significance. If the transfer from surrogate to real detector is validated and the quantitative gains are reproducible, the work would usefully demonstrate that standard surrogate-based adversarial techniques can be adapted to the distinctive constraints of weather-forecasting pipelines (opaque downstream detectors, extreme class imbalance, and physical realism constraints). This would strengthen the case for robustness research on DLWF models used for high-stakes applications such as TC tracking. The explicit handling of non-differentiability and imbalance via domain-specific loss and regularization choices is a constructive methodological step that could generalize to other scientific ML pipelines.

major comments (2)
  1. [§3.2] §3.2: The surrogate is trained on TC labels, yet the manuscript reports neither held-out detection accuracy of the surrogate versus the conventional (opaque) TC detector nor any end-to-end attack success rate when the real detector replaces the surrogate at inference time. Because the central claim rests on gradients computed through the surrogate producing effective trajectory steering on the actual system, absence of these two quantities leaves the reported TPR/FAR superiority unsupported.
  2. [Experiments] Experiments section (and associated tables/figures): No numerical values for true-positive rate, false-alarm rate, or stealth metrics are supplied, nor are dataset sizes, baseline implementations, or ablation results described. Without these concrete results the superiority claim over conventional attacks cannot be assessed and the load-bearing experimental evidence is missing.
minor comments (2)
  1. [Abstract] Abstract: The superiority claims are stated without any accompanying numbers or dataset references; adding even summary statistics would improve readability.
  2. [§3] Notation: The precise definition of the skewness-aware loss and the kernel-dilation operation should be given in a single displayed equation block for clarity.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the detailed and constructive report. We address each major comment below and indicate planned revisions to improve the manuscript's clarity and completeness.

  1. Referee: [§3.2] The surrogate is trained on TC labels, yet the manuscript reports neither held-out detection accuracy of the surrogate versus the conventional (opaque) TC detector nor any end-to-end attack success rate when the real detector replaces the surrogate at inference time. Because the central claim rests on gradients computed through the surrogate producing effective trajectory steering on the actual system, absence of these two quantities leaves the reported TPR/FAR superiority unsupported.

    Authors: We appreciate this observation. The surrogate is introduced solely to enable gradient-based optimization through an otherwise non-differentiable detector; its role ends once the perturbation is generated. Downstream trajectory steering is evaluated directly on the real DLWF model and real TC detector outputs, which is why the reported TPR/FAR metrics already reflect end-to-end performance with the actual detector. Nevertheless, we agree that explicit surrogate validation metrics would strengthen the presentation. In the revised manuscript we will add a dedicated paragraph in §3.2 reporting held-out precision, recall, and F1 of the surrogate against the real detector on a held-out set of TC labels. We will also clarify that the attack success numbers already correspond to the real detector at evaluation time. revision: yes

  2. Referee: Experiments section (and associated tables/figures): No numerical values for true-positive rate, false-alarm rate, or stealth metrics are supplied, nor are dataset sizes, baseline implementations, or ablation results described. Without these concrete results the superiority claim over conventional attacks cannot be assessed and the load-bearing experimental evidence is missing.

    Authors: We acknowledge that the current text relies primarily on figures and tables without repeating the key scalar values in the narrative. In the revised version we will insert explicit numerical results (e.g., TPR = X%, FAR = Y%, stealth metric = Z) directly into the Experiments section, state the exact dataset composition (number of TC events, total samples, train/validation/test splits), describe baseline re-implementations with hyper-parameter settings, and expand the ablation study with quantitative deltas. These additions will make the superiority claims directly verifiable from the text. revision: yes
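
The held-out surrogate-versus-detector check discussed in the referee report and rebuttal above, as an added example that is not code from the paper or from Pith: it scores a surrogate's TC mask against the real detector's mask and shows why cell accuracy says little when TC cells are this rare. The grids, the function names and the use of dilation as a match tolerance are assumptions made here for illustration.

```python
# Added example: fidelity of a surrogate TC detector against the real detector
# on a sparse grid. Grids, names and the tolerance radius are constructed.

def make_grid(points, size=20):
    """Binary size x size mask with 1 at each (row, col) in points."""
    grid = [[0] * size for _ in range(size)]
    for r, c in points:
        grid[r][c] = 1
    return grid

def dilate(mask, radius):
    """Binary dilation with a square kernel of half-width `radius`."""
    n_rows, n_cols = len(mask), len(mask[0])
    out = [[0] * n_cols for _ in range(n_rows)]
    for r in range(n_rows):
        for c in range(n_cols):
            if mask[r][c]:
                for rr in range(max(0, r - radius), min(n_rows, r + radius + 1)):
                    for cc in range(max(0, c - radius), min(n_cols, c + radius + 1)):
                        out[rr][cc] = 1
    return out

def fidelity(detector, surrogate, radius=0):
    """Cell accuracy plus precision/recall/F1 with a `radius`-cell match tolerance."""
    cells = [(r, c) for r in range(len(detector)) for c in range(len(detector[0]))]
    accuracy = sum(detector[r][c] == surrogate[r][c] for r, c in cells) / len(cells)
    det_near, sur_near = dilate(detector, radius), dilate(surrogate, radius)
    sur_pos = [(r, c) for r, c in cells if surrogate[r][c]]
    det_pos = [(r, c) for r, c in cells if detector[r][c]]
    # A surrogate hit counts if a detector hit lies within `radius`, and vice versa.
    precision = sum(det_near[r][c] for r, c in sur_pos) / len(sur_pos) if sur_pos else 0.0
    recall = sum(sur_near[r][c] for r, c in det_pos) / len(det_pos) if det_pos else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": accuracy, "precision": precision, "recall": recall, "f1": f1}

# Constructed held-out sample: 4 TC centres in 400 cells (1% positives).
DETECTOR = make_grid([(2, 2), (5, 5), (8, 8), (11, 11)])
# Surrogate: two exact hits, one hit displaced by one cell, one false alarm, one miss.
SURROGATE = make_grid([(2, 2), (5, 6), (8, 8), (15, 3)])
# Degenerate surrogate that never predicts a TC.
EMPTY = make_grid([])

if __name__ == "__main__":
    for name, pred, radius in [("surrogate r=0", SURROGATE, 0),
                               ("surrogate r=1", SURROGATE, 1),
                               ("empty r=0", EMPTY, 0)]:
        print(name, fidelity(DETECTOR, pred, radius))
```

The never-predicts surrogate reaches the same cell accuracy as the partly correct one, so precision, recall and F1 on the positive class are the figures that indicate whether the surrogate tracks the detector.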

Circularity Check

0 steps flagged

No circularity: standard ML components applied to new domain with experimental validation


The paper proposes Cyc-Attack by training a differentiable surrogate model to approximate the opaque TC detector, introducing a skewness-aware loss with kernel dilation, and adding distance-based gradient weighting plus regularization. These steps are described as engineering solutions to the stated challenges of non-differentiability and class imbalance. No equations or claims reduce the reported TPR/FAR improvements to quantities defined by the fitted parameters themselves, nor do any load-bearing premises rest on self-citations whose validity is presupposed. The central results are presented as empirical outcomes from experiments comparing against conventional attacks, making the derivation self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the domain assumption that a surrogate can stand in for the black-box TC detector and that the custom loss plus regularization will produce both effective and realistic perturbations; no free parameters or invented entities are explicitly listed in the abstract.

axioms (1)
  • domain assumption: A differentiable surrogate model can be trained to sufficiently approximate the opaque, non-differentiable conventional TC detection system so that gradient-based optimization on upstream forecasts remains effective.
    Invoked to overcome the non-differentiability barrier described in the abstract.


Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Guided Diffusion Sampling for Precipitation Forecast Interventions

    cs.LG 2026-05 unverdicted novelty 7.0

    Gradient-guided diffusion sampling reduces extreme precipitation forecasts in data-driven weather models while producing more physically plausible changes than adversarial perturbations.

Reference graph

Works this paper leans on

14 extracted references · 14 canonical work pages · cited by 1 Pith paper · 6 internal anchors

  1. [1]

    Lof: identifying density-based local outliers

    Markus M Breunig, Hans-Peter Kriegel, Raymond T Ng, and Jörg Sander. Lof: identifying density-based local outliers. In Proceedings of the 2000 ACM SIGMOD international conference on Management of data, pp. 93–104,

  2. [2]

    FABLE: A Localized, Targeted Adversarial Attack on Weather Forecasting Models

    Yue Deng, Asadullah Hill Galib, Xin Lan, Pang-Ning Tan, and Lifeng Luo. Fable: A localized, targeted adversarial attack on weather forecasting models. arXiv preprint arXiv:2505.12167,

  3. [3]

    Explaining and Harnessing Adversarial Examples

    Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572,

  4. [4]

    The era5 global reanalysis

    Hans Hersbach, Bill Bell, Paul Berrisford, Shoji Hirahara, András Horányi, Joaquín Muñoz-Sabater, Julien Nicolas, Carole Peubey, Raluca Radu, Dinand Schepers, et al. The era5 global reanalysis. Quarterly Journal of the Royal Meteorological Society, 146(730):1999–2049,

  5. [5]

    Adversarial observations in weather forecasting

    Erik Imgrund, Thorsten Eisenhofer, and Konrad Rieck. Adversarial observations in weather forecasting. arXiv preprint arXiv:2504.15942,

  6. [6]

    Adam: A Method for Stochastic Optimization

    Diederik P Kingma. Adam: a method for stochastic optimization. arXiv preprint arXiv:1412.6980,

  7. [7]

    Towards Deep Learning Models Resistant to Adversarial Attacks

    Aleksander Madry, Aleksandar Makelov, Ludwig Schmidt, Dimitris Tsipras, and Adrian Vladu. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083,

  8. [8]

    Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples

    Nicolas Papernot and Patrick McDaniel. Transferability in machine learning: from phenomena to black-box attacks using adversarial samples. arXiv preprint arXiv:1605.07277,

  9. [9]

    Tversky loss function for image segmentation using 3D fully convolutional deep networks

    Sadegh Aliakbar Salehi, Deniz Erdogmus, and Ali Gholipour. Tversky loss function for image segmentation using 3d fully convolutional deep networks. arXiv preprint arXiv:1706.05721,

  10. [10]

    A TEMPESTEXTREMES SOFTWARE FOR TC TRAJECTORY PREDICTION. TempestExtremes (Ullrich et al., 2021), which is a black-box software built on physical rules for TC trajectory detection, operates in two stages: (1) the first stage is to identify candidate locations as local minima in mean sea level pressure (MSL) that are not within 6° of a deeper MSL minimum, enclo...

  11. [11]

    includes the weather variables mean sea level pressure, 10-meter wind speed, elevation, and geopotential thickness. Among these variables, wind speed and geopotential thickness are not directly available in the GraphCast forecast output, but can be derived. Wind speed is computed using the square root of the sum of squares of the u- and v-component winds, while geopo...

  12. [12]

    Figure 10: Cyclone Maria (09/16/2017–09/26/2017), Cyclone Haiyan (11/03/2013–11/13/2013), and Cyclone Nargis (04/27/2008–05/07/2008), shown from top to bottom

    Specifically, we vary δ while keeping all other experimental settings identical to those in the experimental setup, summarize attack-level metrics (FPR, FNR, TPR, DR, FAR) in Table 4, and present detector responses (precision, recall, F1-score) in Table 5, thereby offering a quantitative assessment of both attack potency and detection evasion. Figure 10: C...

  13. [13]

    The description follows Figure

    Figure 11: Cyclone Maria (09/16/2017–09/26/2017) and Cyclone Nargis (04/27/2008–05/07/2008), shown from top to bottom. The description follows Figure

  14. [14]

    Table 4: Effect of perturbation clipping threshold δ on the performance of Cyc-Attack on the dataset TC2, with other parameters consistent with the experimental setup.

    δ      FPR↓     FNR↓     TPR↑     DR↑      FAR↓     δ_c
    10.0   0.0004   0.4447   0.5553   0.7500   0.0833   0.0002
    5.0    0.0004   0.4591   0.5409   0.4642   0.2500   0.0002
    2.5    0.0004   0.4808   0.5192   0.5000   0.2692   0.0002
    1.0    0.0004   0.6418   0.3582   0.434...