Keep the Lights On, Keep the Lengths in Check: Plug-In Adversarial Detection for Time-Series LLMs in Energy Forecasting

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Accurate time-series forecasting is increasingly critical for planning and operations in low-carbon power systems. Emerging time-series large language models (TS-LLMs) now deliver this capability at scale, requiring no task-specific retraining, and are quickly becoming essential components within the Internet-of-Energy (IoE) ecosystem. However, their real-world deployment is complicated by a critical vulnerability: adversarial examples (AEs). Detecting these AEs is challenging because (i) adversarial perturbations are optimized across the entire input sequence and exploit global temporal dependencies, which renders local detection methods ineffective, and (ii) unlike traditional forecasting models with fixed input dimensions, TS-LLMs accept sequences of variable length, increasing variability that complicates detection. To address these challenges, we propose a plug-in detection framework that capitalizes on the TS-LLM’s own variable-length input capability. Our method uses sampling-induced divergence as a detection signal. Given an input sequence, we generate multiple shortened variants and detect AEs by measuring the consistency of their forecasts: Benign sequences tend to produce stable predictions under sampling, whereas adversarial sequences show low forecast similarity, because perturbations optimized for a full-length sequence do not transfer reliably to shorter, differently-structured subsamples. We evaluate our approach on three representative TS-LLMs (TimeGPT, TimesFM, and TimeLLM) across three energy datasets: ETTh2 (Electricity Transformer Temperature), NI (Hourly Energy Consumption), and Consumption (Hourly Electricity Consumption and Production). Empirical results confirm strong and robust detection performance across both black-box and white-box attack scenarios, highlighting its practicality as a reliable safeguard for TS-LLM forecasting in real-world energy systems.


💡 Research Summary

This paper addresses a critical security vulnerability in the deployment of Time-Series Large Language Models (TS-LLMs) for energy forecasting. As power systems transition towards decarbonization, accurate forecasting of demand, renewable generation, and market signals becomes paramount. TS-LLMs, which offer scalable, zero-shot forecasting capabilities without task-specific retraining, are rapidly becoming integral components within the Internet-of-Energy (IoE) ecosystem. However, their real-world application is threatened by adversarial example (AE) attacks, where imperceptible perturbations to input time-series data can cause significant errors in the model’s predictions, potentially leading to faulty grid operations, inefficient resource allocation, and market distortions.

The core challenge in defending TS-LLMs against AEs stems from two factors: (1) adversarial perturbations are optimized holistically across the entire input sequence, exploiting global temporal dependencies, which renders local anomaly detection methods ineffective; and (2) unlike traditional forecasting models with fixed input dimensions, TS-LLMs natively accept variable-length sequences, adding complexity to establishing a consistent detection baseline. Existing defenses, such as adversarial training or input purification, are often computationally prohibitive for large LLMs, may degrade model performance on clean data, or require knowledge of the attack strategy, making them impractical for real-world IoE settings where models are often black-box APIs.

To overcome these challenges, the authors propose “ILID” (Length Independence-based Detection), a novel plug-in detection framework that turns a unique property of TS-LLMs—their flexibility in handling variable input lengths—into a defensive strength. The method is grounded in the insight that adversarial perturbations are meticulously crafted for a specific full-length input sequence. When that sequence is randomly subsampled into shorter, differently-structured segments, the carefully engineered perturbations fail to transfer consistently across these variants. Consequently, the forecasts produced by the TS-LLM for each subsample will diverge significantly from one another for an adversarial input. In contrast, benign (non-adversarial) inputs, lacking such engineered noise, tend to produce stable and similar forecasts across different subsamples.

The ILID framework operates in two phases. In an offline phase, a small set of clean, benign time-series data is used to calibrate the detector. For each benign sequence, multiple shortened variants are created via a sampling strategy (e.g., taking every other point). Each variant is fed into the TS-LLM to obtain a forecast. The pairwise similarity (e.g., cosine similarity) among these forecast sequences is computed, forming a distribution of similarity scores for benign data. A detection threshold is then set based on this distribution and a desired false positive rate. In the online deployment phase, any incoming input sequence undergoes the same subsampling and forecasting process. If the measured forecast similarity across its subsamples falls below the pre-determined threshold, it is flagged as a potential adversarial example; otherwise, it is classified as benign.
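The two phases described above, as a runnable sketch; this is an added example, not the paper's code. Assumptions: `toy_forecaster` is a hypothetical stand-in for the TS-LLM, the series and the perturbation are constructed, and fixed stride-3 offsets replace the paper's sampling strategy so that the run is reproducible.

```python
import math
import random
from itertools import combinations

def toy_forecaster(x, horizon=8):
    """Stand-in for the TS-LLM (assumption): extrapolates the last-four-point trend."""
    slope = (x[-1] - x[-4]) / 3.0
    return [x[-1] + slope * k for k in range(1, horizon + 1)]

def shortened_variants(x, stride=3):
    """One shortened copy per offset: x[0::3], x[1::3], x[2::3]."""
    return [x[o::stride] for o in range(stride)]

def cosine(a, b):
    dot = sum(p * q for p, q in zip(a, b))
    return dot / math.sqrt(sum(p * p for p in a) * sum(q * q for q in b))

def consistency_score(x, forecaster=toy_forecaster):
    """Mean pairwise cosine similarity of the forecasts for the variants."""
    preds = [forecaster(v) for v in shortened_variants(x)]
    sims = [cosine(a, b) for a, b in combinations(preds, 2)]
    return sum(sims) / len(sims)

def calibrate(benign_set, target_fpr=0.05):
    """Offline phase: threshold at the target_fpr quantile of benign scores."""
    scores = sorted(consistency_score(x) for x in benign_set)
    return scores[int(target_fpr * len(scores))]

def is_adversarial(x, threshold):
    """Online phase: flag inputs whose variants agree less than benign ones did."""
    return consistency_score(x) < threshold

def constructed_load(seed, n=96):
    """Constructed benign series: slow cycle around 100 plus small bounded noise."""
    rng = random.Random(seed)
    phase = rng.uniform(0, 2 * math.pi)
    return [100 + 5 * math.sin(2 * math.pi * t / n + phase) + rng.uniform(-0.1, 0.1)
            for t in range(n)]

def demo():
    calibration = [constructed_load(s) for s in range(40)]
    threshold = calibrate(calibration)
    clean = constructed_load(999)
    # Constructed perturbation: two tail points of the full-length input are shifted.
    tampered = clean[:-4] + [clean[-4] - 5.0, clean[-3], clean[-2], clean[-1] + 5.0]
    return threshold, calibration, clean, tampered

if __name__ == "__main__":
    thr, _, clean, tampered = demo()
    print(thr, consistency_score(clean), consistency_score(tampered))
```

Only one of the three shortened variants still carries the shifted points in the positions the forecaster reads, so its forecast departs from the other two and the score drops below the benign-derived threshold.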

The proposed method offers several key advantages: It is a plug-in solution that requires no modification, retraining, or internal access to the protected TS-LLM, making it compatible with commercial APIs like TimeGPT. It is attack-agnostic, as the threshold is derived solely from benign data without requiring prior knowledge of adversarial attack methods. The inherent randomness in the subsampling process introduces uncertainty, making it more robust against adaptive attacks where an adversary might try to circumvent a known, deterministic defense.

Extensive experiments validate ILID’s effectiveness. Evaluations are conducted on three prominent TS-LLMs—TimeGPT, TimesFM, and TimeLLM—using three real-world energy forecasting datasets: ETTh2 (transformer temperature), NI (hourly energy consumption), and a consumption/production dataset. The defense is tested against both practical black-box attacks (simulating access via API) and white-box attacks (with full model knowledge). Results demonstrate that ILID achieves strong detection performance (high AUROC scores) across different models, datasets, and attack strengths. The paper also includes analyses on the impact of different sampling strategies and similarity metrics, confirming the robustness of the approach. In conclusion, ILID presents a practical, lightweight, and effective safeguard that enhances the security and trustworthiness of TS-LLMs, enabling their safer adoption in critical infrastructure like modern energy systems.

