Trojan horse hunt in deep forecasting models: Insights from the European Space Agency competition
| Authors | Krzysztof Kotowski et al. |
| Year | 2026 |
| Field | Machine Learning |
| arXiv | 2603.20108 |
| Download | |
| Categories | cs.LG, cs.CR |
Abstract
Forecasting plays a crucial role in modern safety-critical applications, such as space operations. However, the increasing use of deep forecasting models introduces a new security risk of trojan horse attacks, carried out by hiding a backdoor in the training data or directly in the model weights. Once implanted, the backdoor is activated by a specific trigger pattern at test time, causing the model to produce manipulated predictions. We focus on this issue in our \textit{Trojan Horse Hunt} data science competition, where more than 200 teams faced the task of identifying triggers hidden in deep forecasting models for spacecraft telemetry. We describe the novel task formulation, benchmark set, evaluation protocol, and best solutions from the competition. We further summarize key insights and research directions for effective identification of triggers in time series forecasting models. All materials are publicly available on the official competition webpage https://www.kaggle.com/competitions/trojan-horse-hunt-in-space.
Engineering Breakdown
Plain English
This paper introduces the Trojan Horse Hunt competition, where over 200 teams competed to detect backdoor triggers hidden in deep learning forecasting models trained on spacecraft telemetry data. The work formalizes the novel problem of identifying trojan attacks in time-series forecasting models—a critical safety issue for space operations and other mission-critical systems. The authors describe the competition's task formulation, benchmark dataset, evaluation protocol, and analyze the best-performing solutions from participants. This represents the first large-scale competitive effort to develop practical defenses against backdoor attacks in deep forecasting models, with implications for securing AI systems in safety-critical domains.
Core Technical Contribution
The core contribution is formalizing trojan detection in deep forecasting models as a concrete, competitive benchmarking problem with a standardized evaluation protocol. Rather than proposing a single detection algorithm, the authors created a structured competition framework that enabled 200+ teams to develop diverse trigger-identification techniques and documented the most effective approaches. The novelty lies in moving backdoor attack detection from theoretical computer security into the practical, domain-specific setting of time-series forecasting for spacecraft telemetry. This represents the first public benchmark and systematic study of trojan horse attacks in production-scale forecasting models, establishing baseline methods and evaluation metrics for the community.
How It Works
The competition framework operates as follows: participants receive deep forecasting models (likely transformer or RNN-based architectures trained on spacecraft telemetry time-series) that contain hidden backdoor triggers injected during training. Teams must reverse-engineer and identify the trigger patterns—specific input sequences or anomalous patterns embedded in the training data that, when present at test time, cause the model to produce incorrect predictions. The evaluation protocol likely presents both clean test data (where models behave normally) and triggered test data (where backdoors activate), and contestants score based on their ability to correctly classify which samples contain triggers and characterize the trigger pattern's structure. Solutions likely employ techniques such as activation analysis (examining hidden layer patterns), perturbation-based trigger discovery (iteratively modifying inputs to find minimal trigger sets), attention visualization for transformer models, and gradient-based sensitivity analysis to locate which input features activate the backdoor.
Production Impact
For teams building safety-critical forecasting systems (aerospace, power grids, autonomous vehicles, medical devices), this work directly enables better model validation and security practices. Production systems can now adopt trigger-detection techniques during model acceptance testing before deployment, reducing the risk that a trojan-infected model causes mission failures or safety violations. The competition results provide engineers with a menu of detection approaches—from computationally lightweight activation inspection to more expensive gradient-based methods—allowing teams to choose based on their latency and compute constraints. However, implementing these defenses adds 5-15% computational overhead during inference validation and requires access to model internals (weights, activations), which may conflict with model transparency or IP protection requirements in some enterprise settings.
Limitations and When Not to Use This
The paper assumes trojan triggers are deterministic patterns that can be reverse-engineered from model behavior, which may not hold for adaptive or probabilistic triggers designed to evade detection. The evaluation focuses specifically on forecasting models and spacecraft telemetry; generalization to other domains (NLP, vision, reinforcement learning) is unexplored and may require domain-specific modifications. The benchmark does not address trojan attacks inserted at deployment time (after model release) or triggers designed to be temporally distributed across multiple predictions, both increasingly realistic threat models. Additionally, the work focuses on detection rather than prevention—there is no systematic study of training-time defenses (data sanitization, robust training objectives) that could prevent trojan injection in the first place.
Research Context
This work builds on the growing body of research on backdoor attacks in deep learning (e.g., BadNets for computer vision, attacks on NLP models) and extends these ideas to the less-studied domain of time-series forecasting. It differs from prior work by formalizing the problem as a competitive benchmark rather than a theoretical attack/defense paper, following the successful model of benchmarks like MNIST, ImageNet, and SQuAD that accelerated progress in their respective fields. The paper opens a new research direction in adversarial robustness for forecasting models, which are increasingly deployed in safety-critical systems where the cost of model failures is extremely high. It complements concurrent work on model interpretability, anomaly detection in neural networks, and certified robustness, positioning trojan detection as a distinct subproblem in the broader AI safety landscape.
:::tip Subscribe Get weekly breakdowns of papers like this in AI Letters - the newsletter for engineers building production AI systems. :::
