Adversarial Observations in Weather Forecasting

Abstract: AI-based systems, such as Google's GenCast, have recently redefined the state of the art in weather forecasting, offering more accurate and timely predictions of both everyday weather and extreme events. While these systems are on the verge of replacing traditional meteorological methods, they also introduce new vulnerabilities into the forecasting process. In this paper, we investigate this threat and present a novel attack on autoregressive diffusion models, such as those used in GenCast, capable of manipulating weather forecasts and fabricating extreme events, including hurricanes, heat waves, and intense rainfall. The attack introduces subtle perturbations into weather observations that are statistically indistinguishable from natural noise and change less than 0.1% of the measurements - comparable to tampering with data from a single meteorological satellite. As modern forecasting integrates data from nearly a hundred satellites and many other sources operated by different countries, our findings highlight a critical security risk with the potential to cause large-scale disruptions and undermine public trust in weather prediction.

• The paper introduces an attack that perturbs satellite data in GenCast to fabricate weather events.
• It employs autoregressive diffusion models with gradient-based perturbations to mimic natural noise conditions.
• Evaluation using ERA5 data demonstrates significant forecast deviations, urging enhanced adversarial robustness in weather systems.

Adversarial Observations in Weather Forecasting

Recent advancements in AI have significantly improved the accuracy and efficiency of weather forecasting systems, notably through models like GenCast. However, the reliance on machine learning introduces new security challenges, particularly those related to adversarial attacks. This paper addresses the vulnerability of autoregressive diffusion models in weather forecasting and presents an attack method capable of manipulating forecasts by perturbing observations from satellites and other atmospheric data sources.

Introduction to Weather Forecasting Systems

Weather forecasting is crucial for managing daily activities and planning for extreme events. Traditional weather forecasting relied on numerical weather prediction systems, which simulate physical atmospheric interactions. Machine Learning-based Weather Prediction (MLWP) systems like GenCast leverage historical data to infer atmospheric dynamics, offering more accurate and faster forecasts.

GenCast, Google's autoregressive diffusion model, represents the current state-of-the-art in weather prediction, outperforming traditional systems. It iteratively refines predictions by denoising atmospheric states across multiple steps, allowing for robust forecasting under uncertainty.

The Proposed Attack on Weather Forecasting Models

The paper introduces an attack that targets the vulnerabilities in AI-based systems. This attack perturbs meteorological observations, misleading models into predicting fabricated weather events or altering the intensity of real ones, without noticeable statistical deviations in observational noise.

Threat Model

The attack assumes that the adversary can manipulate data from a single satellite, affecting input node assimilations in the global weather grid. Given the decentralized collection from multiple sources—land stations, balloons, ships, and numerous satellites—this attack highlights the complexity in ensuring data integrity.

Attack Methodology

The attack manipulates autoregressive diffusion models by perturbing initial weather states. This involves estimating gradients and projecting perturbations that are statistically indistinguishable from natural measurement noise:

1. Objective Function: Formulates an adversarial loss to match model inference against desired outcomes by perturbing inputs within permissible boundaries.
2. Approximation Strategy: Optimizes perturbation through iteratively denoising noise levels sampled from non-overlapping distribution segments, mimicking realistic prediction procedures.
3. Projection: Applies constraints ensuring perturbations are within expected variable variance, maintaining plausible deviations.

Evaluation

The efficacy of the attack was demonstrated across different geographic locations and times using the ERA5 dataset and GenCast, showing substantial deviations in forecast predictions of wind speed, temperature, and precipitation. The attack successfully fabricated extreme weather events with minimal increases in noise, highlighting susceptibility to disguised adversarial observations. *Figure 1: Locations of satellite observations (blue~\raisebox{0.12ex{\tikztriangle[poscolor]{1.5pt}) and grid points (gray~\raisebox{0.12ex}{\tikzcircle[gridcolor,fill=gridcolor]{2pt}).

Potential Impact and Mitigation Strategies

The findings underscore the threat adversarial observations pose to global weather forecasting, especially amid political conflicts and integrity concerns.

• Selective Verification: Enhancing robustness by cross-referencing forecasts with traditional NWP systems as a preliminary measure.
• Adversarial Robustness Training: Proposed improvements in model development to prioritize resistance against adversarial attacks and factual biases.
• Trusted Data Sources: Emphasizing rigorous validation in trusted meteorological input sources as a line of defense.

Conclusion

This paper exposes critical vulnerabilities in state-of-the-art AI-based weather forecasting systems. The attack strategy developed highlights the potential for adversarial manipulation, revealing the necessity for robust defenses and vigilant operational practices in AI integration efforts. Future work should focus on developing more secure architectures and verification procedures to sustain reliability against adversarial influences.

The repository for further research and implementation details can be accessed here.