Consistent Valid Physically-Realizable Adversarial Attack against Crowd-flow Prediction Models

Recent works have shown that deep learning (DL) models can effectively learn city-wide crowd-flow patterns, which can be used for more effective urban planning and smart city management. However, DL models have been known to perform poorly on inconspicuous adversarial perturbations. Although many works have studied these adversarial perturbations in general, the adversarial vulnerabilities of deep crowd-flow prediction models in particular have remained largely unexplored. In this paper, we perform a rigorous analysis of the adversarial vulnerabilities of DL-based crowd-flow prediction models under multiple threat settings, making three-fold contributions. (1) We propose CaV-detect by formally identifying two novel properties - Consistency and Validity - of the crowd-flow prediction inputs that enable the detection of standard adversarial inputs with 0% false acceptance rate (FAR). (2) We leverage universal adversarial perturbations and an adaptive adversarial loss to present adaptive adversarial attacks to evade CaV-detect defense. (3) We propose CVPR, a Consistent, Valid and Physically-Realizable adversarial attack, that explicitly inducts the consistency and validity priors in the perturbation generation mechanism. We find out that although the crowd-flow models are vulnerable to adversarial perturbations, it is extremely challenging to simulate these perturbations in physical settings, notably when CaV-detect is in place. We also show that CVPR attack considerably outperforms the adaptively modified standard attacks in FAR and adversarial loss metrics. We conclude with useful insights emerging from our work and highlight promising future research directions.


I. INTRODUCTION
The crowd-flow prediction problem aims to predict the crowd-flow state at some future time, given a set of crowd-flow states at previous times. Crowd-flow prediction models can be profitably used in diverse fields including modeling and understanding human behavior [1], transportation management [2], and smart-city planning [3]. In smart city settings in particular, crowd-flow prediction models can be critical in identifying over-crowded regions and can be used to adopt appropriate preemptive actions to ensure human safety.
related tasks such as predicting pedestrian trajectory [1] and a vehicle's travel time. However, the performance of a DNN depends heavily on its training data, which makes it vulnerable to adversarial perturbations: undetectable noise, intentionally induced in the input in order to change the DNN output [7], [10], [11]. Although several crowd-flow prediction models based on diverse architectures have been proposed, to the best of our knowledge the adversarial vulnerabilities of these models remain largely unexplored.
In this paper, we bridge this gap by studying the worst-case performance of three popular and diverse crowd-flow prediction models, Multi-Layer Perceptron (MLP) [3], Spatio-Temporal Resnet (STResnet) [2] and Temporal Graph Convolutional Neural Network (TGCN) [12], under multiple attack settings, including realistic physical scenarios. For evaluation, we consider the TaxiBJ dataset, which is one of the most commonly used datasets for crowd-flow prediction. TaxiBJ divides a city into 32 × 32 grid points (regions) and records the region-wise crowd inflow¹ and outflow² at half-hourly intervals [2], [3], [13], as illustrated in Fig. 1.

Challenges:
Firstly, the structure of the inputs to different crowd-flow prediction models varies significantly, and therefore the adversarial evaluation results may not fairly compare different models. For example, TGCN [12] only expects the crowd-flow state history of a pre-defined length at half-hourly intervals as input. In contrast, STResnet [2] takes three sets of inputs representing the hourly, the daily, and the weekly history of pre-defined lengths. In order to fairly evaluate the robustness of the features enabled by different architectures, the models should be evaluated under similar input settings.

¹ Total devices flowing into a grid point from its adjacent grid points.
² Total devices flowing out of a grid point into its adjacent grid points.

Fig. 2: An illustration of invalid and valid adversarial inputs generated by the standard PGD attack and our proposed CVPR attack, respectively. In (a), for the grid point-(1, 0) highlighted green, the total (perturbed) inflow recorded is five. Three of the five inflowing devices can be C2, C3, C5 outflowing from the adjacent regions (highlighted yellow). Where are the other two devices outflowing from? In (b), CVPR attack perturbs the outflow of the adjacent regions based on the inflow perturbations of the grid point-(1, 0) for physical plausibility.
Secondly, recent years have witnessed an arms race between attackers trying to fool a DNN and defenders trying to defend against these attacks: most of the attacks and defenses were proven ineffective by more adaptive defenses and attacks, respectively, within a few months of being proposed. Therefore, developing novel adaptive defense and attack strategies to comprehensively analyze adversarial attacks (and their limitations) on DNNs is both extremely important and challenging [14], [15].

Findings and Contributions:
We first analyze different crowd-flow prediction models against three standard adversarial attacks (FGSM, i-FGSM, and PGD) and show that crowd-flow prediction models, much like other deep learning models, are significantly vulnerable to adversarial attacks under several design choices. However, we note that these vulnerabilities are mainly limited to the digital attack setting, which assumes a worst-case attacker who has access to the digital input pipeline of the crowd-flow prediction model.
We then identify two properties, consistency and validity, that natural crowd-flow inputs must satisfy. Although these properties are natural and intuitive, to the best of our knowledge they have not been emphasized or used in previous works. The property of consistency requires that the crowd-flow state history at some time, t, must be consistent with the crowd-flow states at the previous times. The property of validity requires that the inflow to and the outflow from a particular grid point at any given time, by definition, must always be no greater than the accumulated outflows from and inflows to the adjacent grid points, respectively. As illustrated with an example in Fig. 2(a), the adversarial perturbations of standard attacks contradict these relationships, and therefore can be easily invalidated at test time. Noting that the adversarial inputs generated by the standard attacks are inconsistent and invalid, we show the usefulness of these properties by proposing CaV-detect, a novel consistency and validity check mechanism that detects adversarial inputs at test time by analyzing the inflow and outflow matrices (to check validity) and comparing the crowd-flow state history (to ensure consistency). Results show that CaV-detect can detect standard adversarial inputs with 0% FAR (FRR ≤ 0.5%).
Assuming an expert attacker, we adaptively modify the standard adversarial attacks to evade CaV-detect by combining universal adversarial perturbations [16] and an adaptive adversarial loss. Compared to the non-adaptive standard attacks with a FAR of 0%, the adaptive attacks typically achieved a FAR of ≥80% (FRR ≤ 0.5%).
We then propose CVPR attack, a Consistent, Valid, and Physically-Realizable adversarial attack that explicitly inducts the consistency and validity priors into the adversarial input generation mechanism to find consistent and valid adversarial perturbations (see Fig. 2(b)), and which outperforms the standard and the adaptive attacks in both FAR (≈100%) and adversarial loss against CaV-detect.
We also note that the perturbations generated by the standard adversarial attacks are often negative, and thus cannot be realized by a physical adversary, i.e., an adversary who can only control a limited number of physical devices in the city and has no access to the digital input pipeline. Therefore, we modify the adversarial loss to propose and evaluate a physically realizable attack that generates adversarial perturbations which can be physically simulated in the real world. Our findings highlight that realizing the adversarial perturbations under the physical setting requires an impractically large number of adversarially controlled devices, particularly when CaV-detect is in place.
Finally, our qualitative evaluations show that the crowd-flow prediction models exhibit limited expressiveness: the resulting models, despite showing small test errors, are incapable of producing certain outputs. We attribute this to the TaxiBJ data comprising clustered and highly similar crowd-flow states [3].
Our main contributions are listed below:
• We are the first to study the adversarial vulnerabilities of the crowd-flow prediction models.

II. RELATED WORK
Owing to the recent developments in intelligent transportation systems (ITS), road traffic congestion forecasting is becoming one of the key steps in curtailing delays and associated costs in traffic management [17]. In the following, we highlight some of the notable and recent works on crowd-flow state prediction.

A. Crowd-flow State Prediction
Depending on the characteristics, structure and quality of the data, various kinds of machine learning (ML) techniques are employed to develop road traffic congestion models. In the literature, these crowd-flow prediction techniques are widely categorized into three main branches: probabilistic and statistical reasoning-based crowd-flow models [18]-[30], shallow ML techniques [31]-[39] and deep learning (DL) models [17], [24], [40]-[43]. Our work focuses on studying the adversarial vulnerabilities of DL-based crowd-flow state prediction models. More specifically, we choose three crowd-flow prediction models of notably different architectures for the robustness evaluation. Our choices are based on the recency, diversity, relevance to the problem, and popularity of the architecture. All of these model architectures were trained and evaluated on the TaxiBJ dataset in their original papers.

MLP architecture.
In their recent work, Jiang et al. [3] present the TaxiBJ dataset for the year 2021, and use a simple MLP model to benchmark their results. We choose the MLP model motivated by its recency, simplicity, and adversarial transferability: recent works have shown that, compared to other architectures, adversarial inputs generated against MLP models are comparatively general and transfer more effectively to different architectures [5].

STResnet architecture.
The STResnet model proposed by Zhang et al. [2] is built over the spatio-temporal residual unit, modeling both the spatial dependencies using convolutional layers and the temporal dependencies by concatenating crowd-flow states from the recent past into a tuple. We choose this model motivated by its highly relevant architecture (of spatio-temporal nature) and popularity (1425 citations³). However, the model proposed in [2] is trained over hourly, daily, and weekly history concatenated to form a single input tuple. For a fair comparison of different architectures, we modify the architecture to match our input structure, common to all architectures, by training it only over the half-hourly history.

T-GCN architecture.
When modelling crowd-flow patterns, graph convolutional networks (GCN) are a gold-standard choice. Zhao et al. [12] propose a Temporal Graph Convolutional Network (TGCN) that exploits temporally updated graph convolutional networks to model both the temporal and the spatial dependencies in the input. We choose the proposed TGCN model motivated by its relevance (spatio-temporal architecture) and popularity (839 citations⁴).
In this work, we assume a white-box threat model, i.e., an attacker knowledgeable of the model architecture and weights. Let an input $x \in \mathcal{X}$, where $\mathcal{X}$ denotes the valid input feature space, produce a true output $F_\theta(x)$, where $\theta$ denotes the learnable parameters of $F$. The goal of an attack is to compute an adversarial perturbation $\delta^*$ that yields the desired output, $y_{target}$, from the model when the perturbation is added to the input,
where $B(\epsilon)$ denotes a pre-defined bounded set of allowed perturbations. One of the most common choices for $B(\epsilon)$ is an $l_\infty$ ball, defined as $\delta \in B_\infty(\epsilon) := \{\delta : -\epsilon \le \delta \le \epsilon\}$. Eq-(26) is iteratively optimized depending on the attack algorithm [11].

III. METHODOLOGY
We first formulate the crowd-flow prediction problem in the context of the TaxiBJ dataset and formally define the consistency and validity properties of crowd-flow state inputs. Based on these properties, we propose CaV-detect to detect adversarially perturbed inputs by analyzing their consistency and validity. Finally, we present our novel CVPR attack algorithm for generating consistent, valid, and physically realizable adversarial perturbations.

Fig. 3: Illustrating the training setup of the crowd-flow prediction models for the TaxiBJ dataset. The trajectory data collected from the city is first converted into the inflow/outflow matrices and transformed using $T$; these are then saved in memory and concatenated with the history set to form a tuple input, $X_h(t) = \bigcup_{i=0}^{h} x_{t-i}$, to the crowd-flow prediction model.

A. Crowd-flow State Prediction
Problem formulation. The openly available TaxiBJ crowd-flow dataset [3] that we use in this work divides the city into a 2-D grid of size $l_1 \times l_2$, where each grid point physically spans an area of 1000 meters square. The dataset reports the city-wide flow of the crowd as a tuple of inflow and outflow matrices at 30-minute intervals. At any given time, t, the integer crowd-flow state, $n_t \in \mathbb{Z}^{2 \times l_1 \times l_2}$, is defined as a tuple of the inflow and outflow matrices, denoted $n^t_{in} \in \mathbb{Z}^{l_1 \times l_2}$ and $n^t_{out} \in \mathbb{Z}^{l_1 \times l_2}$, giving the number of devices (≈ persons [2]) flowing into and out of the grid points in the $l_1 \times l_2$ city grid, respectively. Formally, we define the crowd-flow state, $x_t \in \mathbb{R}^{2 \times l_1 \times l_2}$, as,
where $T(\cdot)$ denotes an element-wise (somewhat) reversible transformation function. A standard practice is to choose $T$ such that $\forall n_t \in [0..\infty],\ x_t \in [0, 1]$. Following prior work [2], [3], we use $T(n_t) = \min(n_t/1000, 1)$ in our experiments.
Our goal is to learn a model, $F_\theta$, that predicts the crowd-flow state in the immediate future, $t + 1$, given the current and the previous states, $\bigcup_{i=0}^{h} x_{t-i}$, denoted $X_h(t)$ hereafter, where $h$ is the history length denoting the total number of previous crowd-flow states concatenated together with the current state as a tuple input to $F_\theta$. Formally,
where $y_{t+1}$ denotes the output of the model. Similar to previous studies, we solve the above problem as a regression task to learn a model $F_{\theta^*}$ that minimizes the expectation of the squared difference between the outputs and the ground truths over the whole TaxiBJ dataset, $D$,
The training setup that we use for training the crowd-flow prediction models, $F_\theta$, is shown in Fig. 3.
Properties of the crowd-flow state inputs. Here we formally define two key properties of crowd-flow prediction inputs, consistency and validity, which enable the development of CaV-detect. We also formally analyze eq-(1) (with specific regard to the aforementioned properties) to highlight the limitations of adversarial attacks against crowd-flow prediction inputs.
1) Consistency: We consider a sequence of crowd-flow states, $\bigcup_{i=0}^{2h} x_{t-i}$, recorded at different time intervals from $t - 2h$ to $t$,

$\bigcup_{i=0}^{2h} x_{t-i} = \{x_{t-2h}, \ldots, x_{t-h}, \ldots, x_t\}$ (9)

where $h$ denotes the history length and $x_t$ denotes the crowd-flow state at time $t$. The data preprocessing step prepares a history set containing the $h$ previous crowd-flow states, $\bigcup_{i=1}^{h} x_{t-i}$, and concatenates the history set with the current crowd-flow state, $x_t$, to form a tuple input, $\bigcup_{i=0}^{h} x_{t-i}$, to the crowd-flow prediction model. We note that, for $1 \le k \le h$, the history set at time $t$ shares a subset of its states with the history set at time $t - k$, which leads to the consistency check mechanism that we develop later. Simply put, the history set at any time $t$ should be consistent with the crowd-flow states at the previous times, as illustrated with an example in Fig. 4.

Remark. For each $t$, a standard adversarial attack has to learn a new set of perturbations, $\bigcup_{i=0}^{h} \delta_{t-i}$, independent of (and therefore different from) the perturbations, $\bigcup_{i=0}^{h} \delta_{(t-k)-i}$, learned for some previous time, $t - k$. Formally, for standard adversarial attacks,
Stated simply, the adversarial perturbations (and hence the adversarially perturbed inputs) generated by the standard adversarial attacks are inconsistent, and therefore can be readily detected by our CaV-detect mechanism, as formalized above.

2) Validity: Consider the 4 × 4 grid shown in Fig. 1. For the grid point-(0, 1) (shaded green), the total number of devices entering the grid point from its adjacent grid points (shaded yellow) is 2 (C2 and C3). As these devices must flow out of the adjacent grid points, the total outflow from the adjacent grid points must be at least 2. More generally, we consider adjacency to be within the 2nd neighborhood of the grid point, as shown in Fig. 1. Given a specific grid point-$(p_1, p_2)$, let $A_n(p_1, p_2)$ denote the set of grid points adjacent to grid point-$(p_1, p_2)$ in the $n$-th neighborhood, where $n$ is the number of neighbors considered for adjacency. By definition, at any given time $t$, the inflow to grid point-$(p_1, p_2)$ is the total number of devices entering that grid point from its adjacent grid points, $A_n(p_1, p_2)$. Therefore, the total outflow from $A_n(p_1, p_2)$ must be at least equal to the total inflow to $(p_1, p_2)$. Let $x^t_{in}(p_1, p_2)$ and $x^t_{out}(p_1, p_2)$ respectively denote the inflow to and the outflow from grid point-$(p_1, p_2)$ at time $t$. Any input to the crowd-flow prediction model is valid only if,

Remark. While generating adversarial perturbations, the standard adversarial attacks formalized in eq-(1) do not respect this relationship between the inflow and outflow matrices, and therefore can be detected at run-time.

B. CaV-detect: Consistency and Validity Check Mechanism to Detect Adversarially Perturbed Inputs
Here we utilize the two previously defined properties of crowd-flow inputs to propose CaV-detect, a novel input validation mechanism to detect adversarially perturbed inputs to crowd-flow prediction models. To summarize, our CaV-detect methodology comprises two main steps: a consistency check mechanism and a validity check mechanism. An input to the model is considered adversarially perturbed if it fails either of these checks. Step-by-step details of CaV-detect are given below.

Consistency check mechanism: Let $x_t$ denote the crowd-flow state at any given time $t$. The input to the crowd-flow prediction model, $F_{\theta^*}$, can then be denoted by $X_h(t) = \bigcup_{i=0}^{h} x_{t-i}$, where $h$ denotes the history length. Our consistency check mechanism works in the following steps:
1) Firstly, we keep all the model inputs, $x^{(t-k)}$, received at the previous times, $t - k$, saved in memory, $\forall k \in [1..h]$.
2) Secondly, noting that the model inputs received at the previous times, $t - k$, reappear in the history set of the input received at the current time, $t$, we compute the difference between appropriately cropped model inputs at different times,
where $\gamma_c$ is the inconsistency score: the closer $\gamma_c$ is to zero, the more consistent the input.
3) The input is marked as adversarial if $\gamma_c > 0$.

Validity check mechanism: Let $x_t = (x^t_{in}, x^t_{out})$ denote the crowd-flow state at any given time $t$, where $x^t_{in}, x^t_{out} \in \mathbb{R}^{l_1 \times l_2}$. Our validity check mechanism works in the four steps described below.
1) We first define a filter,
2) Secondly, we compute the inflow and outflow invalidity scores, denoted $\gamma_{vi}$ and $\gamma_{vo}$ respectively, by simultaneously analyzing both the inflow and outflow matrices in the input,
where $*$ denotes a 2-D convolution operation.
3) Finally, we compute the input invalidity score, $\gamma_v$, from the inflow and outflow invalidity scores computed in step 2,
where relu denotes the rectified linear unit function commonly used in the DL literature.
4) The input is marked as adversarial if $\gamma_v > 0$.
Note that both check mechanisms used by CaV-detect are model agnostic. Therefore, CaV-detect can be incorporated with pre-trained crowd-flow prediction models of varying architectures without undermining their efficacy.
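As an added illustration of the CaV-detect checks described above (example code written for this page, not the authors' implementation), the following Python/NumPy script implements the consistency check over overlapping history tuples and the validity check as a neighborhood convolution followed by relu, and runs both on constructed 4 × 4 states. Assumptions made here: the n-th neighborhood is the (2n+1) × (2n+1) window around a grid point minus the point itself, both scores are summed over the whole grid, flows are kept as raw device counts rather than passed through T, and the validity check is applied to every state in the input tuple. The grid, the device moves and the perturbations are constructed for the example, not taken from TaxiBJ.

```python
import numpy as np

# Constructed toy city grid (TaxiBJ uses 32 x 32; 4 x 4 keeps the example readable).
GRID = (4, 4)


def state_from_moves(moves, shape=GRID):
    """Build a crowd-flow state from a list of device moves (src, dst).

    Each move adds one device to out[src] and one to in[dst]; because every
    move in this example is between grid points inside each other's 1st
    neighborhood, a state built this way is valid by construction.
    Returned shape is (2, l1, l2): channel 0 = inflow, channel 1 = outflow.
    """
    x_in = np.zeros(shape)
    x_out = np.zeros(shape)
    for src, dst in moves:
        x_out[src] += 1
        x_in[dst] += 1
    return np.stack([x_in, x_out])


def neighborhood_filter(n):
    """(2n+1) x (2n+1) kernel of ones with a zero centre: sums the n-th neighborhood."""
    k = np.ones((2 * n + 1, 2 * n + 1))
    k[n, n] = 0.0
    return k


def neighbor_sum(m, n):
    """'Same'-size 2-D convolution of m with the neighborhood filter (zero-padded borders)."""
    k = neighborhood_filter(n)
    padded = np.pad(m, n)
    out = np.zeros(m.shape)
    for i in range(m.shape[0]):
        for j in range(m.shape[1]):
            out[i, j] = np.sum(padded[i:i + 2 * n + 1, j:j + 2 * n + 1] * k)
    return out


def validity_score(x, n=1):
    """gamma_v = sum relu(in - neighbor outflow) + sum relu(out - neighbor inflow)."""
    x_in, x_out = x[0], x[1]
    gamma_vi = np.maximum(x_in - neighbor_sum(x_out, n), 0.0).sum()
    gamma_vo = np.maximum(x_out - neighbor_sum(x_in, n), 0.0).sum()
    return float(gamma_vi + gamma_vo)


def consistency_score(current, memory, h):
    """gamma_c: L1 distance between the overlapping parts of the current input and earlier ones.

    current: list [x_t, x_{t-1}, ..., x_{t-h}].  memory: dict k -> input tuple
    received at time t-k, in the same layout.  For 1 <= k <= h, the last
    h+1-k states of the current input must equal the first h+1-k states of
    the input received at t-k.
    """
    gamma_c = 0.0
    for k, previous in memory.items():
        if not 1 <= k <= h:
            continue
        for j in range(h + 1 - k):
            gamma_c += float(np.abs(current[k + j] - previous[j]).sum())
    return gamma_c


def cav_detect(current, memory, h, n=1):
    """Flag the input if either the consistency or the validity score is nonzero."""
    gamma_c = consistency_score(current, memory, h)
    # Assumption: the validity check is applied to every state in the input tuple.
    gamma_v = sum(validity_score(x, n) for x in current)
    return {"gamma_c": gamma_c, "gamma_v": gamma_v, "adversarial": gamma_c > 0 or gamma_v > 0}


def demo(h=2):
    """Run CaV-detect on a clean input and on two constructed digital perturbations."""
    # Five consecutive half-hourly states x_{t-4} .. x_t; the (2,2)->(2,3) traffic grows each step.
    base = [((0, 0), (0, 1)), ((1, 1), (0, 1)), ((0, 2), (0, 1))]
    states = [state_from_moves(base + [((2, 2), (2, 3))] * i) for i in range(5)]
    inputs = {t: [states[t - i] for i in range(h + 1)] for t in range(h, 5)}
    memory = {k: inputs[4 - k] for k in range(1, h + 1)}  # inputs already seen at t-1, t-2
    clean = inputs[4]

    # Perturbation that breaks validity: +1 inflow at (0,1) with no matching neighbor outflow.
    invalid = [s.copy() for s in clean]
    invalid[0][0, 0, 1] += 1

    # Perturbation that breaks consistency: replace x_{t-1} in the history with a different valid state.
    inconsistent = [s.copy() for s in clean]
    inconsistent[1] = states[2].copy()

    return {
        "clean": cav_detect(clean, memory, h),
        "invalid": cav_detect(invalid, memory, h),
        "inconsistent": cav_detect(inconsistent, memory, h),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The clean input scores zero on both checks; the inflow-only perturbation is caught by the validity score while leaving the consistency score at zero, and the replaced history state is caught by the consistency score while every state in the tuple remains valid. Because the detector only compares the input against its own earlier inputs and against the neighborhood sums, it needs no knowledge of the model, which is what makes it model agnostic in the sense used above.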

C. CVPR-attack: Consistent Valid and Physically-Realizable Adversarial Attack against Crowd-flow Prediction Models
In light of the previously formalized practical limitations of standard adversarial attacks, in this section we propose CVPR attack, a consistent, valid and physically realizable adversarial attack. At any given time $t$, we consider an input, $X_h(t) = \bigcup_{i=0}^{h} x_{t-i}$, to the model $F_\theta$. Our goal is to generate perturbations, $\Delta_h(t) = \bigcup_{i=0}^{h} \delta_{t-i}$, to the input in order to bring the model output closer to the adversarial target, $y^{t+1}_{target}$.

1) Consistency: To ensure consistency in the perturbations, we leverage universal adversarial perturbations to regulate $\Delta_h(t)$, such that, $\forall i \in [0..h]$,

2) Validity: To ensure validity, we introduce a novel mechanism to generate the perturbation outflow matrix, $\delta^u_{out}$, given a perturbation inflow matrix, $\delta^u_{in}$. More specifically, given $\delta^u_{in}$, a specific grid point-$(p_1, p_2)$, and the set of its adjacent grid points in the $n$-th neighborhood, $A_n(p_1, p_2)$, we learn a perturbation distribution matrix,
where $\odot$ denotes the element-wise (Hadamard) multiplication and $\delta^*_{out} \in \mathbb{R}^{l_1 \times l_2 \times ((2n+1)^2 - 1)}$ denotes a set of distributed perturbation outflow matrices for $\delta^*_{out}$ satisfying the validity condition of crowd-flow inputs. The total perturbation outflow for $(p_1, p_2)$ is then computed by accumulating the relevant distributed outflows,
where $k$ is defined as,
In other words, $\delta_{out}$ is computed as a function, $f$, of $\delta_{in}$ and $W$, as illustrated in Fig. 6. Eq-(19) can then be re-written as,

3) Physical Realizability: In order to change the model output at any given time $t$, the perturbations, $\Delta_h(t) = \bigcup_{i=0}^{h} \delta_{t-i}$, learned by the attacker are significantly different for different $i$. In practice, such attacks are only feasible under the digital attack setting. Realizing them under the physical attack setting requires an attacker to precisely control the number of devices in each grid point, which is challenging because the attacker has to either repeatedly relocate the adversarial devices or have a sufficient number of adversarial devices repeatedly switched on and off to simulate $\Delta_h(t)$. Universal adversarial perturbation naturally addresses this by generating a single most effective perturbation for each time interval. Additionally, generating $\delta^u \in B_\infty(\epsilon)$ only works under the digital attack setting. In the physical attack setting, an attacker can only realize $\delta > 0$ perturbations (for example, by physically adding a certain number of adversarial devices). Therefore, for physical attacks, we optimize the perturbations under the $B_\infty(0, \epsilon)$ bound. While generating the perturbations, $\delta^u$, we iteratively update $\delta_{in}$ and $W$ to find the optimal perturbations. More specifically, we optimize the following loss function,
where $\delta^u = (\delta^u_{in}, \delta^u_{out})$ denotes the universal adversarial perturbations that remain constant for all $x_t \in D$, and $\epsilon$ is the maximum perturbation budget as discussed previously. For physical realizability (limitation 3), we repeatedly clip the negative values and project $\delta^u$ onto the $B(\epsilon)$ ball while maximizing $L_{adv}$ using gradient descent. Details are given in Algorithm 1.

IV. EXPERIMENTAL SETUP

A. Threat Models
For all the experiments in this paper, we assume a white-box threat model in which the attacker has complete knowledge of the crowd-flow prediction model architecture and its learned parameters, $\theta$. Further, we always assume a targeted attack scenario where the goal of the attacker is to perturb the input in order to realize a specific crowd-flow state, known as the target state and denoted $y^{t+1}_{target}$, at the output of the model. The goal of a white-box attacker is to learn the perturbations $\Delta_h(t) \in B(\epsilon)$ that, when added to the inputs, produce the output closest to the attacker's target state, $y^{t+1}_{target}$.
We experiment with three different white-box threat configurations, as detailed below and illustrated in Fig. 7.

WB-blind Threat Model:
Eq-(26) is iteratively optimized depending on the attack algorithm [11].

WB-aware Threat Model: This white-box threat model assumes that the attacker is fully aware of the CaV-detect mechanism in the pipeline, and tries to evade detection by CaV-detect while simultaneously trying to produce the target state at the model output. Formally, we define a Lagrange function,
where $\lambda = 10^{10}$ is the Lagrange multiplier. Eq-(27) is iteratively optimized depending on the attack algorithm.

Note: We conduct experiments under the WB-aware threat model and find that a WB-aware attacker is unable to compute adversarial perturbations that cause any considerable change in the model output. We attribute this to the strict consistency and validity check mechanism, which leads to contradicting gradient updates while optimizing eq-(27). Therefore, we do not report the quantitative results in the paper.

WB-adaptive Threat Model: Similar to WB-aware, this threat model also assumes an attacker who is fully aware of the CaV-detect mechanism in the pipeline and tries to evade detection by CaV-detect while significantly shifting the output towards the target state by adaptively modifying the attack algorithm. More specifically, an adaptive attacker modifies the attack to make eq-(27) easier to optimize. In order to achieve this, our adaptive attacker leverages the algorithm of universal adversarial perturbations to naturally evade the consistency check mechanism. The adversarial loss function can then be defined as the Lagrange function below,
where we set $\lambda = 10^{10}$. As before, eq-(28) is solved iteratively depending on the attack optimization algorithm.

Digital and Physical Settings: In addition to the threat models mentioned above, we consider two different attack settings: digital and physical. The digital attack setting (D-WB) depicts a typical white-box scenario where the attacker is assumed to have the capability of hacking into the inference pipeline, so that the attacker can directly perturb an input to the model. On the contrary, the physical attack setting (P-WB) depicts a more realistic white-box scenario where the attacker knows the model's architecture and learned weights, but cannot directly perturb an input to the model. Therefore, the attacker has to instead physically add a certain number of devices, called adversarial devices, at specific grid points in order to realize adversarial perturbations. P-WB restricts the attacker by only allowing physical perturbations, which makes it more practical than D-WB. Nevertheless, due to its wide popularity in the literature.

B. Adversarial Attacks
For D-WB settings, we evaluate three standard adversarial attacks (FGSM, i-FGSM, and PGD) on our trained models. The FGSM attack is simple, fast, and generates transferable adversarial perturbations, which makes it an ideal candidate for practical adversarial evaluation. On the other hand, PGD is among the strongest adversarial attacks found in the literature against non-obfuscated models such as the ones we use in our evaluations. For P-WB settings, we compare the aforementioned attacks with our newly proposed CVPR attack on different model architectures.

C. Evaluation Metrics
Test Loss: To evaluate a model, $F$, on some test data, $D_{test}$, we use a commonly used metric, the mean square error (MSE), which captures the distance of the model output from the ground truth, $x_{t+1}$, as defined below,
A smaller value of $L(D_{test})$ indicates a better learned model.

Adversarial Loss: For the adversarial evaluation, we let $D^*_{test}$ denote the adversarially perturbed test data and compute an adversarial MSE, denoted $L^*(D^*_{test})$, as a measure of the model's robustness,
where $y^{t+1}_{target}$ denotes the targeted output desired by the attacker. A smaller value of $L^*(D^*_{test})$ indicates that the model is less robust to adversarial perturbations, and vice versa.

False Acceptance Rate (FAR): To evaluate the efficacy of CaV-detect at capturing adversarial inputs, we use the widely used FAR metric, defined as the percentage of adversarial inputs marked unperturbed by the detector out of the total number of adversarial inputs generated by the attacker. Additionally, we also use FAR to quantify the efficacy of adversarial attacks at evading detection by CaV-detect.

D. Hyperparameters
In this subsection, we report the key hyperparameters that we vary to understand the performance of the models under both the standard and the adversarial scenarios.

Data: While preparing the dataset, we use history lengths $h \in \{2, 5, 10, 15, 20\}$.

Models:
We train different models based on the MLP and STResnet architectures by varying the number of hidden layers of each model. For the MLP model, we use a number of hidden layers in {3, 5, 10}. Hereafter, we denote the MLP model with h hidden layers as mlp-h. For the STResnet model, we use a number of hidden residual blocks in {1, 2, 3} and denote them as STResnet-1, STResnet-2 and STResnet-3, respectively. For the TGCN model, we experiment with different dimensions of the hidden messages in {1, 3, 5, 10} (see [12] for the definition of hidden messages in the TGCN model) and study the effect of changing the number of neighbors, $d_A \in \{1, 3, 5, 10\}$, on the accuracy of TGCN models, where $d_A$ denotes the number of adjacent nodes of the TGCN model assumed to be able to communicate with each other. For future reference, we denote by tgcn-(m, $d_A$) a TGCN model with m-dimensional hidden messages and $d_A$ node connectivity.

V. RESULTS
We first establish the baselines by reporting the mean square loss over the original/unperturbed inputs. We then evaluate these models under the standard adversarial attacks and the newly proposed CVPR attack. Finally, we show the efficacy of CVPR attack over the standard adversarial attacks by comparing the number of adversarial devices required by each to achieve the adversarial goal.

A. Performance of prediction models
Fig. 8(a, b and c) compares $L(D_{test})$ over unperturbed test inputs of MLP, TGCN and STResnet models (with different levels of complexity) trained on the TaxiBJ-16 dataset with different history lengths. We do not observe any strict relationship between the complexity of a model and its performance over unperturbed test inputs for the hyperparameters chosen in this experiment. We also note that STResnet models generally perform better than MLP and TGCN models, which can be attributed to their ability to capture spatio-temporal relationships in the data due to the priors encoded in their architecture. Although TGCN models also capture spatio-temporal patterns in the data, they have far fewer parameters than STResnet models.
In Fig. 8, we observe that when the input history length is increased, the $L(D_{test})$ of the models generally increases, though very slightly. The trend is observed for all three model architectures considered in this paper, with occasional exceptions. We hypothesize that a greater history length increases the input information to the model, which may lead to mutually contradicting gradient updates during training, causing the resulting model to underfit. For relatively simpler models that are already prone to underfitting, the increase in $L(D_{test})$ with increasing $h$ is more significant, which further supports our hypothesis.

B. D-WB-blind Adversarial Attacks
In this experiment, we assume that the attacker is not aware of the CaV-detect mechanism, and hence assumes a vanilla model when attacking. Fig. 9(a-c) summarizes our results for four adversarial attacks, FGSM-($\epsilon$, 1), i-FGSM-($\epsilon$, 500), PGD-($\epsilon$, 500) and CVPR attack-($\epsilon$, 500), on crowd-flow prediction models of different architectures, MLP-5, TGCN-(5,5), and STResnet-2, for different perturbation budgets, $\epsilon \in \{0.01, 0.03, 0.05, 0.07, 0.1\}$. Overall, we note that deep crowd-flow prediction models, like other deep learning models, are significantly vulnerable to adversarial attacks, as illustrated by the considerably smaller values of $L^*(D^*_{test})$ for $\epsilon > 0$ compared to those for $\epsilon = 0$. As evident in the figure, increasing $\epsilon$ makes the attack stronger, which is illustrated by a corresponding decrease in the value of $L^*(D^*_{test})$. These results are consistent with our intuition, as a greater $\epsilon$ lets an attacker have a greater influence over the inputs of the model, which in turn control the output. Overall, the PGD attack appears to be the strongest of all attacks, while our CVPR attack appears the weakest. However, as we will see later, the adversarial perturbations generated by the three standard attacks are 100% detectable by our CaV-detect mechanism, while the perturbations generated by the CVPR attack remain undetected.
We note that, as compared to MLP-5 and TGCN-(5,5), STResnet-2 model exhibits smaller values of L * (D * test ).This suggests that STResnet-2 model is relatively more vulnerable to adversarial perturbations, which appears surprising, as we have observed that STResnet-2 model gives comparatively better performance on the unperturbed dataset, D test , as compared to other architectures.These observations hint at the possibility of an accuracy-robustness tradeoff in the crowdflow prediction models, as has been commonly observed in other DL models [5], [61].
Unlike other architectures, for the MLP-5 model, the adversarial loss, L * (D * test ), slightly increases as the maximum perturbation budget, , is increased.This is because FGSM is a single-shot attack, and the gradients computed by the attacker only estimate the loss surface within a limited range of input perturbations.Larger perturbations render these gradients imprecise, thus, degrading the efficacy of the attack.On the other hand, an i-FGSM attacker iteratively computes these gradients after small perturbation steps, which significantly increases the strength of the attack.

Detecting D-WB-blind adversarial perturbations:
In this experiment, we evaluate the efficacy of the consistency and validity properties to detect adversarial perturbations. We assume a D-WB-blind attacker as illustrated in Fig. 7. We process the adversarial perturbations generated by the standard adversarial attacks through our novel CaV-detect mechanism and report the results for MLP-5, TGCN-(5,5), and STResnet-2. In summary, with the False Rejection Rate (FRR) set to ≤0.5%, our CaV-detect mechanism shows a False Acceptance Rate (FAR) of 0% against standard adversarial attacks and a FAR of >99.7% against our proposed CVPR attack.
In Fig. 10, we only report the FAR of the validity check mechanism. This is because in our experiment (D-WB-blind attacker), the FAR of the consistency check mechanism is always 0% against standard adversarial attacks and 100% against the CVPR attack. Consequently, the overall FAR of CaV-detect is 0% for standard adversarial attacks and equal to the FAR of the validity check mechanism for the CVPR attack.
In Fig. 10, we observe that as ε increases, the adversarial perturbations become increasingly invalid. This is not surprising, because a crowd-flow input, X_h(t), is initially valid, and introducing invalid perturbations of larger magnitude more significantly affects the validity of the perturbed inputs. For the MLP-5 model, we observe that the generated adversarial perturbations are relatively more valid as compared to those for the TGCN-(5,5) and STResnet-2 models. We conjecture that, because of its relatively simpler architecture, the features learned by the MLP-5 model are mostly linear, which leads to linear gradients w.r.t. the model inputs. By the definition in eq-(13), if X_h(t) is valid, its linear multiple is also valid.

C. D-WB-adaptive Adversarial Attacks
In this experiment, we assume that the attacker is aware of the CaV-detect mechanism, and is able to adaptively reformulate the attack methodology to single-handedly fool both the crowd-flow prediction models and the CaV-detect mechanism. Fig. 9(a-d) summarizes our results of four different adversarial attacks, FGSM-(ε, 1), i-FGSM-(ε, 500), PGD-(ε, 500) and CVPR attack-(ε, 500), on the crowd-flow prediction models assumed in this paper for different perturbation budgets, ε ∈ {0.01, 0.03, 0.05, 0.07, 0.1}. As observed previously, increasing ε increases the strength of the attack, thus more significantly affecting the output of the model, as illustrated by decreased L*(D*_test) values. Contrary to our previous observation (where the STResnet-2 model was least robust), we note that against adaptive attacks, the robustness of STResnet models is on par with or better than that of MLP models. Of the three architectures assumed in the paper, the TGCN model shows the greatest adaptive adversarial robustness.
For the MLP architecture, we note that the deeper MLP-10 model is more robust than the MLP-3 and MLP-5 models. These observations are coherent with a previous study [5], which shows that increasing the model complexity slightly increases the model robustness. We observe that all the standard attacks considered in this paper give comparable adversarial performance, which is counter-intuitive, as i-FGSM and PGD are iterative attacks and are generally considered stronger than the FGSM attack. We attribute this to the inherent simplicity of the MLP architecture, which fails to learn robust features from the input data, and thus can be equally manipulated by relatively simpler attacks.
For the TGCN architecture, we do not observe any strictly definitive effect of increasing a model's complexity on its adversarial robustness. For example, TGCN-(5,5), which communicates 5-dimensional hidden messages, is typically more robust than the simpler TGCN-(1,5) and the more complex TGCN-(10,5), which communicate 1-dimensional and 10-dimensional hidden messages, respectively. Overall, our proposed CVPR attack performs significantly better than the adaptive PGD attack, which in turn outperforms the adaptive i-FGSM attack by a large margin. The i-FGSM and FGSM attacks show comparable performance, with i-FGSM being slightly better than FGSM in some cases.
For the STResnet architecture, STResnet-1 shows considerably greater adversarial robustness, followed by STResnet-2, which in turn leads STResnet-3 by a notable margin; this can be attributed to the increased adversarial vulnerability of latent DNN layers [62]. Yet again, we observe that the adaptive PGD and CVPR attacks perform significantly better than the adaptive FGSM and adaptive i-FGSM attacks, which is specifically notable for ε = 0.1. For example, for the STResnet-2 model, L*(D*_test) ≈ 100 for the adaptive PGD and CVPR attacks versus max L*(D*_test) ≈ 145 for the adaptive FGSM and adaptive i-FGSM attacks.
Detecting D-WB-adaptive adversarial perturbations: In this experiment, we evaluate whether adversarial inputs perturbed adaptively can be detected based on the consistency and validity properties formalized previously. We assume a D-WB-adaptive attacker as illustrated in Fig. 7. We process the adversarial perturbations generated by the adaptive adversarial attacks through CaV-detect and report the results for the MLP-5, TGCN-(5,5) and STResnet-2 models. In summary, with the False Rejection Rate (FRR) set to ≤0.5%, our CaV-detect mechanism shows a considerably higher FAR (≈80%-100%) against adaptive adversarial attacks as compared to that for non-adaptive standard attacks (≈0%), and a FAR of >99.7% against our proposed CVPR attack.
In Fig. 12, we only report the FAR of the validity check mechanism under adaptive attack settings. This is because in our experiment (D-WB-adaptive attacker), the FAR of the consistency check mechanism is always 100% against all adaptive adversarial attacks due to the universal adversarial perturbations. Consequently, the overall FAR of CaV-detect is equal to the FAR of the validity check mechanism.
As previously observed, increasing ε considerably decreases FAR, showing that the adversarial perturbations become increasingly invalid. Contrary to the CaV-detect-blind attacks, the adversarial inputs generated by D-WB-adaptive attacks can evade the detection mechanism with around 80% FAR for the standard adversarial attacks. We specifically attribute this to the newly proposed adaptive modifications to the standard attacks: universalizing the adversarial perturbations and Lagrange optimization.
However, despite its D-WB-adaptive algorithm, we note that the FGSM attack fails to perform well against CaV-detect, as illustrated by significantly reduced FARs, particularly notable for the TGCN-(5,5) and STResnet-2 models, where FAR drops to 0% when ε = 0.1. Again, we attribute this to imprecise gradients for large perturbations due to FGSM being a single-shot attack, which significantly degrades the efficacy of the attack.
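The consistency check behaves differently in the two detection experiments above: per-input standard perturbations (D-WB-blind) are always rejected, while universal perturbations (D-WB-adaptive) always pass. The following added example, which is not the paper's code, reproduces that behaviour for a minimal consistency check. It assumes the property takes the form sketched in Fig. 4, namely that the input X_h(t) must share its first h-1 states with the last h-1 states of X_h(t-1), and that a universal perturbation adds the same δ to every recorded state; the crowd-flow states are constructed stand-ins, and per-window noise stands in for per-input gradient perturbations.

```python
# Added example: a CaV-detect-style consistency check over sliding-window
# crowd-flow inputs. Assumed form of the property (not given on the page in
# closed form): X_h(t) = [X(t-h), ..., X(t-1)] must share its first h-1 states
# with the last h-1 states of X_h(t-1).
import random
from typing import List

State = List[List[float]]   # one crowd-flow state: regions x (inflow, outflow)
Window = List[State]        # X_h(t): the h most recent states


def sliding_windows(states: List[State], h: int) -> List[Window]:
    """Build X_h(t) for every t at which a full history of length h exists."""
    return [states[t - h:t] for t in range(h, len(states) + 1)]


def is_consistent(prev: Window, cur: Window, tol: float = 1e-9) -> bool:
    """cur's first h-1 states must equal prev's last h-1 states (up to tol)."""
    for k in range(len(prev) - 1):
        for a_row, b_row in zip(prev[k + 1], cur[k]):
            if any(abs(a - b) > tol for a, b in zip(a_row, b_row)):
                return False
    return True


def consistency_far(windows: List[Window]) -> float:
    """Fraction of consecutive window pairs accepted by the check.
    On a perturbed stream this is the check's false acceptance rate (FAR)."""
    pairs = list(zip(windows, windows[1:]))
    return sum(is_consistent(p, c) for p, c in pairs) / len(pairs)


def per_window_perturbation(windows: List[Window], eps: float, seed: int = 0) -> List[Window]:
    """Standard (non-universal) attack: each X_h(t) receives its own perturbation.
    Seeded noise in [-eps, eps] is a constructed stand-in for gradient steps."""
    rng = random.Random(seed)
    return [[[[v + rng.uniform(-eps, eps) for v in row] for row in st] for st in w]
            for w in windows]


def universal_perturbation(states: List[State], delta: State, h: int) -> List[Window]:
    """Adaptive attack (assumed form): the same delta is added to every recorded
    state, and the windows are then formed from the perturbed stream."""
    perturbed = [[[v + d for v, d in zip(row, drow)] for row, drow in zip(st, delta)]
                 for st in states]
    return sliding_windows(perturbed, h)


def constructed_states(n_steps: int = 8, n_regions: int = 4, seed: int = 1) -> List[State]:
    """Constructed stand-in for recorded (inflow, outflow) counts per region."""
    rng = random.Random(seed)
    return [[[rng.uniform(0, 50), rng.uniform(0, 50)] for _ in range(n_regions)]
            for _ in range(n_steps)]


if __name__ == "__main__":
    h = 5
    states = constructed_states()
    clean = sliding_windows(states, h)
    delta = [[1.0, -1.0] for _ in range(4)]       # constructed universal delta
    print("clean stream FAR      ", consistency_far(clean))                                  # 1.0
    print("per-window attack FAR ", consistency_far(per_window_perturbation(clean, 0.1)))    # 0.0
    print("universal attack FAR  ", consistency_far(universal_perturbation(states, delta, h)))  # 1.0
```

The consistency check therefore only catches attackers who craft each input in isolation; against a universal perturbation the whole detection burden falls on the validity check, which is why Fig. 12 reports only the latter.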

VI. DISCUSSIONS
A. Visualizing Crowd-flow Predictions
Fig. 13 compares the predicted inflow states of different crowd-flow prediction models for different future times with the actual inflow states (ground truths recorded in the future), for both the original inputs and the perturbed inputs generated by different adaptive attacks, where the goal of the attacks is to increase the predicted inflow state as much as possible while keeping the perturbations δ ∈ B_∞(ε). The qualitative analysis shows that the CVPR attack outperforms the other attacks, as the predicted inflow state for CVPR-attacked inputs typically exhibits the highest value, irrespective of the model architecture. Furthermore, the TGCN-(5,5) model is more robust to the consistent and valid perturbations generated by the adaptive attacks than the other two models. Additionally, we note that the predicted inflow state is more affected by the CVPR perturbations when the originally predicted inflow state is relatively small. Interestingly, we note that the predicted inflow states for the adversarially perturbed inputs are, in general, highly correlated, either positively (Fig. 13(b,c)) or negatively (FGSM-(0.1,1) and CVPR-(0.1,500) on MLP-5 in Fig. 13(a)), with the originally predicted inflow states, for all the models considered in this experiment. Based on these observations, we conjecture that the crowd-flow prediction models have limited expressiveness: the models are incapable of producing certain outputs irrespective of the inputs.

B. Effect of History Length, h, on Adversarial Loss
We analyze the effect of changing the history length, h, on the adversarial loss of different attacks. We train three different models, MLP-5, TGCN-(5,5) and STResnet-2, for different history lengths, h ∈ {2, 5, 10, 15, 20}, and attack the models using the adversarial attacks considered in this paper. Note that for each h we train a new model, as the inputs of models trained for different h values are incompatible with each other. For this experiment, we set ε = 0.1 and N = 500 for all the attacks. Fig. 14(a-c) reports the L*(D*_test) values of the attacks on the aforementioned three models, respectively.
We observe no strict relationship between the adversarial robustness of the models and the history length that they are trained for. However, we note that increasing the history length of the model is typically likely to make the model slightly more robust to adversarial perturbations, which appears counter-intuitive, as a greater history length allows an attacker to add more perturbations to the input. However, recalling what we observed in Section V-A, we attribute the increasing robustness to the decreasing performance of the models when the history length is increased, which may in turn be due to the accuracy-robustness tradeoff [5], [61].

C. Speed of Adversarial Attacks
Fig. 15(a-c) compares the speed at which different attacks optimize the adversarial loss over the number of iterations for three models of different architectures, MLP-5, TGCN-(5,5) and STResnet-2, respectively. As the attacks progress, the generated adversarial perturbations improve with each subsequent iteration, as indicated by the decreasing adversarial loss, irrespective of the attack, which is the expected behavior. The CVPR attack consistently outperforms the other two attacks by a significant margin, specifically notable for the TGCN-(5,5) and STResnet-2 models. We attribute this to the explicit induction of crowd-flow validity priors in the perturbation-generating mechanism of the CVPR attack, which generates consistent and valid adversarial perturbations by construction, so that the optimizer is not constrained by the consistency and invalidity scores as in eq-(27).

D. On Physical-Realizability of Adversarial Attacks
To further understand the gravity of the adversarial attacks, in this experiment we study the effectiveness of adversarial attacks under a strictly limited threat model, assuming a physical attacker who can read the model weights and inputs but cannot directly perturb the inputs to the model. The P-WB-adaptive attack in Fig. 7 illustrates such a threat model. In addition, we further limit our attacker by assuming a limited query setting [7] that allows our attacker to query the model at most 20 times. We further assume that our attacker has a limited device budget, b_d, defining the number of devices, which we refer to as the adversarial devices, that our attacker can physically control. The goal of our attacker is to fool the crowd-flow prediction model by physically moving the adversarial devices (to simulate adversarial perturbations).
Interestingly, we note that for the relatively smaller device budgets, b_d, the PGD attack consistently outperforms the CVPR attack in terms of L*(D*_test) values for all three models of different architectures considered in this experiment. We attribute this to two reasons. Firstly, the adversarial perturbations generated by the PGD attack are relatively more invalid than those generated by the CVPR attack, as observable in the last row of Fig. 16, which reports the FAR of the CaV-detect mechanism. Secondly, the outflow perturbation generating mechanism proposed in eq-(21) implicitly imposes additional constraints on δ_in and δ_out. While these additional constraints are helpful in the long run, particularly for the stronger adversaries (as observed previously in Fig. 15), they might hurt the attack performance when the perturbation budget is too limited.
Compared to the L*(D*_test) values in Fig. 11, the L*(D*_test) values in Fig. 16 are notably smaller, which can simply be attributed to the limited query budget and device budget of the attacker. This shows that although the crowd-flow prediction models are vulnerable to consistent and valid adversarial perturbations under physical settings, realizing the targeted outputs is considerably more challenging than in the digital attack settings.

E. Limited Expressiveness of Crowd-flow Prediction Models
In this experiment, we show that the three crowd-flow prediction models, MLP-5, TGCN-(5,5), and STResnet-2, exhibit limited expressiveness. We define expressiveness as the ability of a model to produce a certain output given an appropriate input. Fig. 17(b) shows that all three models give predictions that are close to the ground truth output (Fig. 17(a)) recorded in the future. To show the limited expressiveness of the models, we assume a strong PGD-(1,500) adversary with ε = 1, so that the adversary can make any change to the input, under the CaV-detect-blind threat model, so that the adversary only has to optimize the inputs and need not care about the CaV-detect mechanism. Additionally, we assign two adversarial target states, Target-1 and Target-2 in Fig. 17(a), for the adversary to perturb the inputs (as much as the adversary can) in order to produce the target states at the models' outputs. Fig. 17(c,d) reports the output predictions of the aforementioned models when the adversarially perturbed inputs, generated by the PGD-(1,500) attack for Target-1 and Target-2 respectively, are fed into the models.
Ideally, one would assume that because an adversary can completely control the input, the adversary can manipulate the model into producing any desired output. However, the results reported in Fig. 17(c,d) show that this is not the case with the crowd-flow prediction models. For example, the outputs of the model are significantly different from the targets, which shows that the MLP-5 model is incapable of producing the target outputs. We say that the MLP-5 model has very limited expressiveness. Although the TGCN-(5,5) and STResnet-2 models get significantly closer to the target outputs than the MLP-5 model, they still lack sufficient expressiveness to exactly produce the target output. We attribute this to the mostly clustered and highly similar outputs in the TaxiBJ dataset. Overall, we observe that the STResnet-2 model is the most expressive of the three, which also explains why STResnet models are adversarially less robust than TGCN models (as observed in Fig. 11).
Interestingly, the adversary is only able to obtain a similar output from the MLP-5 model for both target states. We attribute this to the simplicity of the MLP-5 architecture, which fails to capture meaningful and generalizable crowd-flow patterns from the dataset.

VII. CONCLUSIONS
In this paper, we studied the adversarial vulnerabilities of crowd-flow prediction models of three different architectures: Multi-Layer Perceptron, Temporal Graph Convolution Neural Network and Spatio-Temporal ResNet. We extensively analyzed the effects of changing the model complexity and the crowd-flow data history length on the performance and the adversarial robustness of the resulting models, and found that the crowd-flow prediction models, like other deep learning models, are significantly vulnerable to adversarial attacks. Secondly, we identified and formalized two novel properties, consistency and validity, of the crowd-flow inputs that can be used to detect adversarially perturbed inputs. We therefore propose CaV-detect, which can detect adversarial inputs with a FAR of 0% by analyzing their consistency and validity: a model input is considered unperturbed if it is both consistent and valid. We then adaptively modify the standard adversarial attacks to evade CaV-detect with a FAR of ∼80-100%. Finally, by encoding the consistency and validity priors in the adversarial perturbation generating mechanism, we propose the CVPR attack, a consistent, valid and physically-realizable adversarial attack that outperforms the adaptive standard attacks in terms of both the target adversarial loss and the FAR of CaV-detect. Lastly, we insightfully discuss the adversarial attacks on crowd-flow prediction models and show that crowd-flow prediction models exhibit limited expressiveness and that the attacks can be physically realized by simulating universal perturbations.

Fig. 4: An illustration of the consistency property of crowd-flow state inputs. The crowd-flow state history at any time t must be consistent with the crowd-flow states recorded at the previous times.

Fig. 6: Illustrating the newly proposed CVPR attack methodology of generating valid adversarial perturbations. Terms highlighted in blue denote the variables that are updated during the attack to optimize the adversarial loss. Given a perturbation inflow matrix, δ_in, a set of distributed perturbation outflow matrices, δ*_out, is computed by element-wise application of δ_in and the appropriately shifted normalized perturbation distribution matrices, W. Finally, the perturbation outflow matrix, δ_out, is computed by adding all the slices of δ*_out.

Fig. 7: Illustration and comparison of the different white-box threat models used in our experiments. D-WB denotes a digital attack setting under the white-box threat model. P-WB denotes a physical attack setting under the white-box threat model. An adaptive attacker adapts the perturbation generation mechanism to fool CaV-detect.

Fig. 8: A comparison of the model loss, L(D_test) (eq-(29)), over the original/unperturbed test set, D_test, for different model complexities as the predefined history length, h, is increased. (Settings: Dataset is TaxiBJ-16.) No strict relationship between the model complexity and its performance over D_test is observed. When the input history length is increased, L(D_test) increases slightly, indicating a decrease in model performance. Of the three architectures, STResnet performs best.

Fig. 12: False acceptance rate (FAR) of the CaV-detect mechanism against the perturbed inputs, D*_test, generated by a D-WB-adaptive attacker. (Settings: Dataset is TaxiBJ-16; h is 5.) The adversarial perturbations become increasingly invalid as ε increases. The FAR of the consistency check mechanism is always 100%, so we only report the FAR of the validity-check mechanism.

Fig. 13: Visualizing the predicted inflow states of the crowd-flow prediction models of different architectures alongside the actual inflow states (recorded in the future). "No Attack" denotes the predicted inflow states for the original/unperturbed inputs, assuming a D-WB-adaptive attacker. (Settings: Dataset is TaxiBJ-16; h is 5; ε is 0.1.) The CVPR attack outperforms the other attacks. The TGCN-(5,5) model is more robust to consistent and valid adversarial attacks than the other two models.

Fig. 14: A comparison of the adversarial loss, L*(D*_test), over the perturbed test inputs generated by different attacks for different models (of varying architectures) trained for different history lengths, h. (Settings: Dataset is TaxiBJ-16; ε is 0.1.) Typically, when the input history length is increased, L*(D*_test) slightly increases, indicating that the models trained on a larger history length are slightly more robust to the adversarial perturbations.

Fig. 15: Comparing the decline of the adversarial loss, L*(D*_test), over the perturbed dataset, D*_test, for different attack algorithms and different model architectures as the attack progresses, assuming a D-WB-adaptive attacker. (Settings: Dataset is TaxiBJ-16; h is 5; ε is 0.05.) The CVPR attack consistently outperforms the other attacks in terms of the adversarial loss and speed, given a perturbation budget.

Fig. 16: Comparing the physical plausibility of the PGD attack and the CVPR attack for different model architectures at different device budgets in terms of the adversarial loss, L*(D*_test), and the FAR of CaV-detect, assuming a D-WB-adaptive attacker. (Settings: Dataset is TaxiBJ-16; h is 5; b_d is the maximum number of devices physically controllable by the attacker.)

(a) Illustrating the ground truth inflow state (recorded in the future) and the adversarial target inflow states. (b) Comparing the inflow states predicted by three models, MLP-5, TGCN-(5,5), and STResnet-2, over the original inputs. (c) Comparing the inflow states predicted by the three models over the PGD-blind attacked inputs optimized for Target-1. (d) Comparing the inflow states predicted by the three models over the PGD-blind attacked inputs optimized for Target-2.

Fig. 17: Illustrating the limited expressiveness (the ability of a model to produce the desired output given infinite control over the input) of crowd-flow prediction models of different architectures. (Settings: Dataset is TaxiBJ-16; h is 5; Attack is PGD-(1,500); ε is 1, indicating infinite control over the inputs.) The STResnet-2 model is the most expressive of the three models considered in this experiment, while the MLP-5 model is the least expressive.

• We formalize two novel properties, consistency and validity, of crowd-flow prediction inputs and show their usefulness by proposing a novel defense method named CaV-detect that achieves 0% FAR with ≤0.5% false rejection rate (FRR).
• We combine adaptive loss with universal adversarial perturbation to exhaustively test CaV-detect.
• We induct the consistency and validity priors in the adversarial input generation mechanism to propose the CVPR attack, which addresses several shortcomings of the standard attacks.