DPAD: Distribution-Driven Perturbation-Adaptive Defense for UAV Time-Series Regression Under Hybrid Adversarial Attacks

Highlights

What are the main findings?

• A novel Distribution-driven Perturbation-Adaptive Defense (DPAD) framework is proposed to enhance the robustness of UAV time-series regression models against hybrid adversarial attacks.
• The framework integrates a Gaussian Mixture Model (GMM)-based perturbation strength predictor with a dynamic defense selection mechanism, achieving adaptive correction under varying perturbation strengths.

What are the implications of the main finding?

• DPAD significantly improves UAV model resilience and reliability in safety-critical missions, reducing prediction errors by up to 80% while maintaining real-time inference speed.
• The proposed approach provides a generalizable defense strategy for other deep learning-based time-series regression applications in aerial systems.

Abstract

Time-series regression models are essential components in unmanned aerial vehicles (UAVs) for accurate trajectory and state prediction. Nevertheless, they are still vulnerable to hybrid adversarial attacks, which can lead to a compromised mission performance and cause huge economic loss. For this challenge, we propose the Distribution-driven Perturbation-Adaptive Defense (DPAD) framework. DPAD improves perturbation detection with Gaussian Mixture Model (GMM)-based feature augmentation that raises the accuracy of perturbation strength prediction, increasing from 0.685 to 0.943 $R^2$, and dynamically chooses a suitable defense sub-model or the original model for adaptive correction. The experiments on UAV_Delivery show that DPAD significantly enhances robustness by achieving about 80% reduction in prediction errors under hybrid attacks while maintaining high accuracy on clean samples with an inference speed of 2.744 ms per sample. The proposed framework can scale up an effective solution to defend UAV time-series regression models against complex adversarial scenarios.

1. Introduction

In recent years, unmanned aerial vehicles (UAVs) have demonstrated a strong potentiality in several applications like logistics delivery, infrastructure inspection, and disaster response [1,2,3]. These systems increasingly rely on Deep Neural Networks (DNNs) [4] for performing time-series regression tasks, such as state prediction and trajectory planning [5]. However, a UAV operating in a complex and dynamic environment is affected by several sources of perturbation: sensor noise, communication disruptions, and adversarial interference [6]. Because of the high sensitivity of DNNs to input variations, even a small perturbation can lead to critical failures [7,8]. In detail, adversarial attacks such as Fast Gradient Sign Method (FGSM) [9], Projected Gradient Descent (PGD) [10], or Carlini & Wagner (CW) attack [11] can manipulate the UAV monitoring systems, causing a misdiagnosis of defects, incorrect adjustments of the UAV’s trajectory, or an inappropriate fault response. For instance, in a power line inspection scenario, tampered vibration signals may mask structural damage or lead to false alarms, forcing the system to enact emergency landing with a consequent impact on mission reliability [12]. Moreover, as UAVs are increasingly interconnected in Internet-of-Drones (IoD) networks, where multiple drones collaborate and share sensor data in real time, the security and robustness of each individual UAV model directly impact the reliability of the overall network [13]. In such IoD scenarios, adversarial attacks on even a single UAV can propagate errors through cooperative control or shared decision-making, amplifying mission-critical risks. The above challenges raise the need for improving the robustness of UAV state estimation models for safe and dependable operation under real-world conditions [14].

Different strategies are proposed for enhancing model robustness, such as adversarial training, input denoising, structural modification, and certifiable defense [15,16,17]. Among them, adversarial training has gradually stood out to become one of the most effective approaches, as it provides aggressive examples during model training and allows the model to learn more robust representations resistant to known attack patterns [18]. However, several challenges still frustrate adversarial training, the foremost being the fundamental trade-off between accuracy and robustness. Others are the heavy computation overhead and the limited generalization regarding unseen or adaptive attacks [7,19]. In order to defeat the above limitations, Ensemble Adversarial Training (EAT) explicitly combines multiple adversarial generators or sub-models during the model’s training for the purpose of expanding its defense coverage [20]. Although ensemble-based methods have achieved further robustness in classification models [21,22,23], their performance in time-series regression models under hybrid perturbations remains less explored.

Adversarial attacks in time-series regression bear characteristics such as temporal dependencies, visible anomalous patterns over time [24], and different levels of destructive effects according to various perturbation strengths and attack types, including FGSM [9], CW [11], Basic Iterative Method (BIM) [25], PGD [10], and Auto Projected Gradient Descent (APGD) [26]. Various defense methods, including The TRadeoff-inspired Adversarial DEfense via Surrogate-loss minimization (TRADES) method [27] and simple adversarial training, often suffer from limitations inherent in the accuracy–robustness trade-off [22,28], poor generalization for unseen attacks, and performance degradation due to hybrid attack conditions where multiple kinds of attack types and magnitudes coexist. Such challenges present more significantly in time-series regression tasks and provide the necessity for systematic solutions that would enable handling multiple and hybrid adversarial situations.

In this context, we propose a Distribution-driven Perturbation-Adaptive Defense (DPAD), a new framework to address the issues of multi-type and multi-strength hybrid adversarial attacks in UAV time-series regression tasks. The proposed framework of DPAD mainly includes two stages: (1) a front-end perturbation strength predictor to estimate the perturbation strength of a given sample (e.g., $ϵ\in \{0.01,0.05,0.1\}$), and (2) a back-end dynamic defense mechanism to choose or adjust appropriate sub-models based on the predicted perturbation strength. To improve the prediction stability and interpretability, the front-end leverages Gaussian Mixture Models (GMMs) [29] to model the input and output distributions, where the log-likelihood and responsibility values from GMM are provided as feature expansion inputs for the perturbation predictor and the back-end decision module. This distribution-driven design enables the model to distinguish “normal distribution patterns” from “anomalous perturbation patterns” and hence enhance its ability to handle various adversarial perturbations in complex environments. The main contributions of this paper are as follows:

(1)

We design a Distribution-driven Perturbation-Adaptive Defense (DPAD) framework tailored for UAV time-series regression tasks. The framework efficiently responds to multi-type and multi-strength hybrid adversarial attacks via front-end perturbation prediction and dynamic scheduling of back-end layered defense sub-models.

(2)

We systematically integrate GMM-based log-likelihood and responsibility values into the perturbation discrimination and defense decision process. This, combined with the perturbation strength predictor, significantly enhances the stability of perturbation strength prediction and the interpretability of defense strategies.

(3)

We construct a multi-method, multi-strength hybrid attack benchmark on the UAV_Delivery [30] dataset and compare DPAD with the original model, EAT, and ETR (EAT combined with TRADES [27]) models. The results demonstrate that DPAD reduces the average MSE by approximately 80% under hybrid adversarial samples while maintaining accuracy on clean samples, with an inference time of about 2.744 ms per sample, balancing robustness and near-real-time performance.

Compared with representative methods such as EAT and ETR, which rely on a single robust model trained on a fixed combination of clean and adversarial data or with divergence regularization and often lose accuracy on clean samples as adversarial strength increases, DPAD adopts a fundamentally different, distribution-driven, sample-wise adaptive design. By leveraging GMM-based input–output features to enhance perturbation discriminability, DPAD can accurately predict perturbation strength and dynamically select an appropriate defense sub-model, maintaining clean sample accuracy while significantly improving robustness against hybrid adversarial attacks.

The key notations used throughout this article are listed in

Table 1. List of key notations.

Notation	Definition
x	Model input or clean sample
$x_{adv}$	Adversarial sample
y	Model output (ground truth label or regression target)
f	Model function
$f_{\theta }$	Model parameterized by $\theta$
$\theta$	Model parameters
$\delta$	Adversarial perturbation
${\parallel \delta \parallel }_p$	p-norm of perturbation
$ϵ$	Maximum perturbation magnitude
$\mathcal{S}$	Perturbation constraint set (e.g., ${\ell }_p$-ball)
$\mathcal{L}$	Loss function
∇	Gradient operator
$sign(·)$	Sign function
$Clip(x,ϵ)$	Clipping function to keep perturbation bounded
$\mathbb{B}(x,ϵ)$	${\ell }_p$-ball centered at x with radius $ϵ$
$\eta$	Trade-off coefficient between clean and adversarial loss in Equation (7)
$\beta$	Regularization coefficient in TRADES loss (Equation (8))
$\mathrm{KL}(p\parallel q)$	Kullback–Leibler divergence between distributions p and q
$\mathcal{D}$	Training data distribution
${\mathbb{E}}_{(x,y)\sim \mathcal{D}}[·]$	Expectation over data samples from distribution $\mathcal{D}$
$p\left(x\right)$	Probability density function of sample x
${\pi }_k$	Mixture weight of the k-th Gaussian component (${\sum }_k{\pi }_k=1$)
${\mu }_k$	Mean vector of the k-th Gaussian component
${\Sigma }_k$	Covariance matrix of the k-th Gaussian component
K	Total number of Gaussian components
${\ell }_2$	Euclidean norm
${\ell }_{\infty }$	maximum norm

.

2. Related Methods

2.1. Adversarial Attacks

2.1.1. FGSM

The Fast Gradient Sign Method (FGSM) [9] is an early and computationally efficient adversarial attack strategy. It perturbs inputs in the direction of the gradient of the loss with respect to the input:

$$x_{adv}=x+ϵ·\mathrm{sign}\left({\nabla }_x\mathcal{L}(x,y)\right),$$

(1)

where x is the clean input, $ϵ$ controls perturbation magnitude, and $\mathcal{L}$ denotes the prediction loss. FGSM requires only a single gradient calculation, making it fast but often less effective against models with smooth decision boundaries or adversarial training.

2.1.2. CW

The Carlini & Wagner (CW) attack [11] formulates adversarial generation as a constrained optimization problem, minimizing perturbation size while forcing output deviation:

$$\underset{\delta }{min}{\parallel \delta \parallel }_2+c·\mathcal{L}(x+\delta ,y),$$

(2)

where $\delta$ denotes the perturbation, ${\parallel \delta \parallel }_2$ is the ${\ell }_2$-norm of the perturbation, and c is a balancing coefficient. CW is highly effective, producing subtle yet strong perturbations, but its reliance on iterative optimization leads to high computational cost, limiting its practicality for large-scale or real-time scenarios.

2.1.3. BIM

The Basic Iterative Method (BIM) [25] extends FGSM by applying it iteratively with small step size $\alpha$, and constrains the perturbation within an $ϵ$-ball:

$$x_{adv}^{(t+1)}={\mathrm{Clip}}_{x,ϵ}\left(x_{adv}^{\left(t\right)}+\alpha ·\mathrm{sign}\left({\nabla }_x\mathcal{L}(x_{adv}^{\left(t\right)},y)\right)\right).$$

(3)

BIM generates stronger perturbations than FGSM by gradual refinement. However, as it still relies on the gradient sign, it may fail to fully exploit adversarial directions in high-dimensional regression spaces.

2.1.4. PGD

Projected Gradient Descent (PGD) [10] generalizes BIM by explicitly projecting each iterative update onto the allowed perturbation set:

$$x_{adv}^{(t+1)}={\mathrm{Proj}}_{\mathbb{B}(x,ϵ)}\left(x_{adv}^{\left(t\right)}+\alpha ·\mathrm{sign}\left({\nabla }_x\mathcal{L}(x_{adv}^{\left(t\right)},y)\right)\right),$$

(4)

where $\mathbb{B}(x,ϵ)$ is the ${\ell }_{\infty }$-ball centered at x. PGD is widely regarded as a strong first-order adversary and serves as a benchmark for adversarial robustness. For regression, it effectively induces controlled but substantial deviations, though at increased computational expense.

2.1.5. APGD

Auto-PGD (APGD) [26] further improves PGD by incorporating adaptive step sizes and momentum, enhancing both convergence and attack strength. Under an ${\ell }_2$-norm constraint, the update rule is

$$x_{adv}^{(t+1)}={\mathrm{Proj}}_{\mathbb{B}(x,ϵ)}\left(x_{adv}^{\left(t\right)}+{\alpha }_t·{\displaystyle \frac{{\nabla }_x\mathcal{L}(x_{adv}^{\left(t\right)},y)}{\left|\right|{\nabla }_x\mathcal{L}(x_{adv}^{\left(t\right)},y){\left|\right|}_2}}\right),$$

(5)

where ${\alpha }_t$ is a time-varying adaptive step size. APGD achieves high attack success rates, particularly for non-linear regression models, though it requires more complex implementation and tuning.

2.2. Adversarial Defense Methods

To mitigate adversarial vulnerability, several defense strategies have been developed, ranging from adversarial training to trade-off-based optimization.

2.2.1. Adversarial Training

Adversarial Training (AT) [10] improves robustness by solving a min–max optimization problem:

$$\underset{\theta }{min}{\mathbb{E}}_{(x,y)\sim \mathcal{D}}\left[\underset{\delta \in \mathcal{S}}{max}\mathcal{L}(f_{\theta }(x+\delta ),y)\right],$$

(6)

where $(x,y)\sim \mathcal{D}$ denotes a sample from the training data distribution, and $\delta \in \mathcal{S}$ is a perturbation constrained within a predefined set $𝒮$.

By exposing the model to adversarial samples during training, AT achieves strong robustness against known perturbations. However, it increases training cost and often reduces accuracy on clean data, particularly in regression tasks sensitive to output precision.

2.2.2. Ensemble Adversarial Training

Ensemble Adversarial Training (EAT) [20] diversifies robustness by incorporating perturbations from multiple models. Two main variants exist: (1) adversarial sample generation from multiple pre-trained models, and (2) aggregation of predictions from independently trained sub-models. The first variant is adopted in this work, where clean and adversarial examples are mixed to balance accuracy and robustness:

$$\underset{\theta }{min}{\mathbb{E}}_{(x,y)\sim \mathcal{D}}\left[\eta ·\mathcal{L}(f_{\theta }\left(x\right),y)+(1-\eta )·\mathcal{L}(f_{\theta }(x+\delta ),y)\right],$$

(7)

with $\eta$ controlling the trade-off. While EAT strengthens defense against diverse perturbations, it introduces higher training and inference complexity.

2.2.3. TRADES

The TRadeoff-inspired Adversarial DEfense via Surrogate-loss minimization (TRADES) method [27] formalizes the robustness–accuracy trade-off by penalizing discrepancies between outputs on clean and adversarial inputs:

$${\mathcal{L}}_{\mathrm{TRADES}}={\mathbb{E}}_{(x,y)\sim \mathcal{D}}\left[\mathcal{L}(f_{\theta }\left(x\right),y)+\beta ·\mathrm{KL}(f_{\theta }\left(x\right)\parallel f_{\theta }\left(x_{adv}\right))\right],$$

(8)

where $\beta$ is a balancing hyperparameter. TRADES often achieves a better compromise between clean accuracy and robustness, though it requires careful tuning and incurs additional training cost.

2.3. Gaussian Mixture Model

The Gaussian Mixture Model (GMM) [29] is a probabilistic generative model that expresses data distribution as a weighted sum of K Gaussian components:

$$p\left(x\right)=\sum _{k=1}^K{\pi }_k·\mathcal{N}(x\mid {\mu }_k,{\Sigma }_k),$$

(9)

where ${\pi }_k$ represents mixture weights and $\mathcal{N}(x\mid {\mu }_k,{\Sigma }_k)$ denotes a Gaussian distribution.

GMMs are trained using the Expectation-Maximization (EM) algorithm, and are widely applied in clustering, density estimation, and anomaly detection. While effective for capturing multi-modal distributions, GMMs are sensitive to initialization and the number of components, and training can be computationally expensive in high-dimensional spaces.

2.4. Problem Definition

Consider a time-series regression model

$$f_{\theta }:{\mathbb{R}}^d\to {\mathbb{R}}^m,$$

(10)

where for an input x with ground truth y, the prediction is

$$\widehat{y}=f_{\theta }\left(x\right),(x,y)\sim \mathcal{D}.$$

(11)

Adversarial perturbations $\delta$ can modify the input to generate adversarial samples:

$$x_{adv}=x+\delta ,{\parallel \delta \parallel }_p\le ϵ,$$

(12)

with the objective of significantly enlarging prediction error:

$$\mathcal{L}(f_{\theta }\left(x_{adv}\right),y)\gg \mathcal{L}(f_{\theta }\left(x\right),y).$$

(13)

In realistic settings, adversaries often combine multiple attack types and perturbation magnitudes to construct hybrid adversarial datasets:

$${\mathcal{A}}_{hyb}=\{x+\delta \mid \delta \sim \mathcal{G}(x,ϵ,\mathrm{AttackType})\}.$$

(14)

Thus, the defense objective is to minimize prediction error under such hybrid conditions:

$$\underset{f}{min}{\mathbb{E}}_{(x,y)\sim \mathcal{D},x_{adv}\sim {\mathcal{A}}_{hyb}}\left[\mathcal{L}(f\left(x_{adv}\right),y)\right].$$

(15)

Hybrid adversarial attacks introduce several challenges to time-series regression models:

(1)

Temporal accumulation: Even small perturbations at early steps may cascade over time, resulting in magnified deviations and degraded long-term predictions.

(2)

Heterogeneous perturbations: Attacks that blend different forms and magnitudes of perturbations become highly complex and destructive, significantly complicating both detection and defense.

(3)

Robustness–accuracy trade-off: Increasing robustness tends to reduce accuracy on unperturbed sequences, which presents a critical challenge for maintaining reliable regression performance.

3. Proposed Method

In this work, we introduce the Distribution-driven Perturbation-Adaptive Defense (DPAD) framework, designed to improve the robustness of UAV time-series regression models under multi-type and multi-strength hybrid adversarial attacks. As shown in Figure 1, the DPAD framework unifies probabilistic distribution modeling, feature augmentation, perturbation strength prediction, and hierarchical sub-model defense into an end-to-end adaptive pipeline.

The overall architecture consists of four primary components, each addressing a distinct stage of the defense process:

(1)

Modeling credible input–output distributions: Input and output spaces are modeled using Gaussian Mixture Models (GMMs) to represent the statistical characteristics of clean data and provide distributional references for later modules.

(2)

Training defense sub-models for varying perturbation strengths: A base model is trained on clean samples, and multiple sub-models are trained on adversarial data generated under different perturbation strengths.

(3)

Feature augmentation and perturbation strength prediction: Log-likelihood and responsibility features derived from the GMMs are combined with the base model outputs to train a predictor that estimates the perturbation strength of each input sample.

(4)

Perturbation-adaptive defense: During inference, the framework selects an appropriate sub-model according to the predicted perturbation level to generate corrected outputs.

In summary, DPAD integrates distribution modeling, multi-strength sub-model training, feature-based perturbation prediction, and adaptive defense selection into a unified framework that achieves robustness and adaptability in UAV time-series regression tasks.

3.1. Modeling of Input–Output Credible Distribution

Adversarial perturbations are often imperceptible in raw input space, making it difficult to distinguish clean from adversarial samples or to quantify perturbation strength. To address this, we introduce probabilistic input–output distribution modeling using GMMs.

Input distribution modeling:

$$p_{\mathrm{in}}\left(x\right)=\sum _{k=1}^K{\pi }_k·\mathcal{N}\left(x\mid {\mu }_k,{\Sigma }_k\right),$$

(16)

Output distribution modeling:

$$p_{\mathrm{out}}\left(y\right)=\sum _{k=1}^K{\pi }_k·\mathcal{N}\left(y\mid {\mu }_k,{\Sigma }_k\right),$$

(17)

where $\mathcal{N}(·\mid {\mu }_k,{\Sigma }_k)$ denotes the probability density function of the k-th Gaussian distribution, where ${\mu }_k$ and ${\Sigma }_k$ are the mean vector and covariance matrix, respectively. The coefficient ${\pi }_k$ represents the mixture weight of the k-th Gaussian component, subject to ${\sum }_{k=1}^K{\pi }_k=1$.

3.2. Training Defense Sub-Models for Different Perturbation Strengths

To explicitly defend against attacks of varying perturbation magnitudes, we train a set of defense sub-models $\left\{f^k\right\}$, each tailored to perturbation level ${ϵ}_k$, on top of the base model $f^0$.

Base model training (clean samples only):

$$f^0=arg\underset{\theta }{min}{\displaystyle \frac{1}{N_0}}\sum _{i=1}^{N_0}{∥f_{\theta }\left(x_i\right)-y_i∥}^2,$$

(18)

where $(x_i,y_i)$ denotes clean samples from the training set.

Defense sub-models (adversarial data):

$$f^k=arg\underset{\theta }{min}{\displaystyle \frac{1}{N_k}}\sum _{i=1}^{N_k}{∥f_{\theta }\left(x_i^{adv}\left({ϵ}_k\right)\right)-y_i∥}^2,$$

(19)

where $x_i^{adv}\left({ϵ}_k\right)$ denotes adversarial samples generated under perturbation strength ${ϵ}_k$ using multiple attack methods (e.g., FGSM, BIM, PGD, CW, APGD).

This strategy ensures that each sub-model is optimized for a specific perturbation level, thereby enhancing robustness under hybrid attack scenarios.

3.3. Training of the Perturbation Strength Prediction Model

We therefore design a prediction model $g_{\psi }$ to estimate perturbation strength from augmented features.

The extended feature vector is constructed as

$$Z=[x,\widehat{y},log{p}_{\mathrm{in}}\left(x\right),{\mathrm{resp}}_{\mathrm{in}}\left(x\right),\log p_{\mathrm{out}}\left(\widehat{y}\right),{\mathrm{resp}}_{\mathrm{out}}\left(\widehat{y}\right)],$$

(20)

where $\widehat{y}=f^0\left(x\right)$ denotes the output of the base model, and $\mathrm{resp}(·)$ represents the responsibility values obtained from the corresponding GMMs.

The prediction network then maps Z to an estimated perturbation level according to

$$g_{\psi }\left(Z_i\right)\to {\widehat{ϵ}}_i,$$

(21)

and is trained by Mean Squared Error (MSE) loss:

$${\mathcal{L}}_{\mathrm{MSE}}={\displaystyle \frac{1}{N}}\sum _{i=1}^N{({ϵ}_i-{\widehat{ϵ}}_i)}^2.$$

(22)

Through this design, the model learns to approximate perturbation severity in a continuous manner, providing a quantitative basis for adaptive sub-model selection during inference.

3.4. Inference and Application of the DPAD Framework

During inference, the input sequence ${\left\{x_t^{hyb}\right\}}_{t=1}^T$ may contain both clean and adversarial samples with varying perturbation strengths.

For each sample $x_t$, the base model produces ${\widehat{y}}_t=f^0\left(x_t\right)$. Input–output log-likelihoods and responsibilities are then extracted via GMMs, forming the augmented feature vector:

$$Z_t=[x_t,{\widehat{y}}_t,log{p}_{\mathrm{in}}\left(x_t\right),{\mathrm{resp}}_{\mathrm{in}}\left(x_t\right),log{p}_{\mathrm{out}}\left({\widehat{y}}_t\right),{\mathrm{resp}}_{\mathrm{out}}\left({\widehat{y}}_t\right)].$$

(23)

The augmented feature $Z_t$ is then passed to the perturbation prediction network $g_{\psi }$ to predict perturbation strength:

$${\widehat{ϵ}}_t=g_{\psi }\left(Z_t\right).$$

(24)

The predicted strength is then discretized to select the appropriate defense sub-model $f^{{\widehat{k}}_t}$:

$${\widehat{k}}_t=\left\{\begin{array}{cc}0,\hfill & {\widehat{ϵ}}_t<0.005,\hfill \\ 0.01,\hfill & 0.005\le {\widehat{ϵ}}_t<0.025,\hfill \\ 0.05,\hfill & 0.025\le {\widehat{ϵ}}_t<0.07,\hfill \\ 0.1,\hfill & {\widehat{ϵ}}_t\ge 0.07.\hfill \end{array}\right.$$

(25)

Here, we map the predicted perturbation strength to discrete bins (0, 0.01, 0.05, 0.1). Since all features in the dataset are normalized to the range [−1, 1], these perturbation levels roughly correspond to 1%, 5%, and 10% changes in the original data. These thresholds align with the sub-models trained in the subsequent experiments and are chosen as a rough guideline based on perturbation magnitude. They can be adjusted in practical applications to optimize the performance of DPAD.

$$y_t^{def}=f^{{\widehat{k}}_t}\left(Z_t\right).$$

(26)

Finally, the selected sub-model receives the augmented feature vector and outputs the defended result.

4. Experiments and Results

4.1. Experimental Setup

4.1.1. Environment Configuration

The experiments were conducted under the following hardware and software configurations shown in

Table 2. Experimental environment configuration.

Category	Configuration
Hardware	CPU: Intel i7-1360P (16 cores, 2.20 GHz)
	Memory: 32 GB
	Storage: 1 TB SSD
	Operating System: Windows 11 (64-bit)
Software	Programming Language: Python 3.8
	Deep Learning Framework: PyTorch 2.4
	Libraries: NumPy 1.22.4, Scikit-learn 1.3.2, Matplotlib 3.5.0, Pandas 1.3.4
	Development Tools: VSCode 1.87.2 with Python and Jupyter extensions
	Environment: Anaconda 4.8.2, Jupyter Client 7.3.4, Jupyter Core 4.12.0, IPython 8.4.0, ipykernel 6.14.0, ipywidgets 8.1.2

.

4.1.2. Dataset Configuration

The UAV Delivery dataset [30] simulates drone flight trajectories under varying wind speeds, velocities, and altitudes, with folder names formatted as “droneSpeed_windSpeed_altitude” to distinguish different conditions. The original UAV Delivery dataset contains independent folders representing different flight conditions, without predefined training/test splits. To evaluate the generalization ability of the model, we divided the dataset into two candidate datasets based on flight conditions, ensuring they are mutually independent:

• Candidate Dataset 1: folders 10_5_100, 15_10_100, 20_5_100, 20_10_100 (70%), and 20_10_200.
• Candidate Dataset 2: folders 20_10_100 (30%) and 20_10_180.

• Note: The 20_10_100 folder was split 70%/30% into the two candidate datasets, with UAV IDs split at 13,864.

As summarized in

Table 3. Training and test set composition.

Dataset	Composition	Flight Records
Training Set	100 UAVs from Candidate 1	2345
Test Set	50 UAVs from Candidate 1 + 100 UAVs from Candidate 2	1830

, the final training set was constructed from Candidate Dataset 1 by selecting 100 UAVs via evenly spaced UAV IDs, yielding 2345 independent flight records. The test set includes 100 UAVs from Candidate Dataset 2 with the same IDs as in the training set, plus an additional 50 UAVs selected from Candidate Dataset 1 (IDs selected evenly between 1 and 51, excluding overlap with training IDs), resulting in 1830 flight records. This split ensures that the training and test sets are relatively independent in terms of UAVs and partially in terms of operating conditions, while the test set includes both known and unseen conditions to fairly assess the model’s generalization ability.

All features in the dataset were normalized to the range [−1, 1]. The final dataset overview, including the number of samples and parameter descriptions, is shown in

Table 4. Dataset overview: sample size and parameter description.

Dataset	N-Train	N-Test	Parameter Description
UAV_Split	291,954	250,034	w: Operating conditions, includes 5-dimensional parameters such as wind_speed, wind_dir, temp, etc.
			$\_x_s$: The previous state, includes 9-dimensional parameters such as lat, lon, alt, tas, cas, etc.
			$x_s$: The current state, includes 9-dimensional parameters such as lat, lon, alt, tas, cas, etc.

.

4.1.3. GMM Parameter Configuration

Gaussian Mixture Models (GMMs) were trained separately on the inputs and outputs of the UAV_Split training set to augment the distributional features of adversarial samples. To ensure appropriate parameter selection for the GMMs, the Akaike Information Criterion (AIC) and Bayesian Information Criterion (BIC) were employed, with smaller values indicating better model fit. Considering the base model configuration (Section 4.1.4) and the dataset feature dimensions (Table 4), the model input dimension is 14 and the output dimension is 9. Multiple GMMs with varying numbers of components were trained: for the input-side GMM, the candidate range was $K=1,2,\dots ,16$; for the output-side GMM, the candidate range was $K=1,2,\dots ,12$. The corresponding AIC and BIC curves as functions of the component number were plotted, as shown in Figure 2.

The GMMs with 15 and 12 components were selected for the input and output of the UAV_Split training set, respectively, as they achieved the minimum AIC and BIC values, and were subsequently used for feature augmentation.

4.1.4. Base Model Configuration

The UAV performance model is defined as $x_s=F_{uav}(w,\_x_s)$. In this study, the DNN model is trained on the training splits of UAV_Split as the base model, which also serve as the target model for adversarial attacks. The network architecture configuration of the base model is summarized in

Table 5. Configuration of network structures for the base model.

Model Name	Network Structures
Perf_UAV_DNN	[14, 150, 150, 150, 100, 9]

, with ReLU used as the activation function. The training hyperparameters are listed in

Table 6. Hyperparameters for base model training.

Paramter	Perf_UAV_DNN
Loss Function	MSE
Optimizer	Adam (lr = $5\times {10}^{-4}$)
Learning Rate Scheduler	StepLR (step_size = 1 Epoch, $\gamma$ = 0.95)
Epochs	100
Batch Size	256
Early Stopping Patience	3

.

4.1.5. Adversarial Example Generation Configuration

To comprehensively evaluate the performance of the proposed framework, we adopt several widely used adversarial attack methods, including FGSM, CW, BIM, PGD, and APGD. Based on the base models described in Section 4.1.4 and the datasets introduced in Section 4.1.2, adversarial datasets with varying perturbation magnitudes are generated.

Table 7. Parameter settings and norm constraints for adversarial sample generation.

Method	Norm	$\mathit{ϵ}$	Iterations	Step Size $\mathit{\alpha }$	Random Start	Others/Notes
FGSM	${\ell }_{\infty }$	0.01, 0.05, 0.1	/	/	No	Gradients w.r.t. input
CW	${\ell }_2$	0.01, 0.05, 0.1	20	0.02	No	LR = 0.01
BIM	${\ell }_{\infty }$	0.01	15	0.001	No	Gradients w.r.t. input
		0.05	20	0.003
		0.1	30	0.004
PGD	${\ell }_{\infty }$	0.01	15	0.001	Yes	Uniform init. in $[-ϵ,ϵ]$
		0.05	20	0.003
		0.1	30	0.004
APGD	${\ell }_2$	0.01	15	0.001	No	$\alpha \times$= 1.1 if $\Delta \mathrm{loss}<{10}^{-6}$
		0.05	20	0.003
		0.1	30	0.004

provides the full configuration of all adversarial attacks used to construct the adversarial dataset. For clarity, we explicitly list the norm constraint adopted by each method (${\ell }_{\infty }$ for FGSM, BIM, and PGD; ${\ell }_2$ for CW and APGD), as $ϵ$ values are not directly comparable across different norms. We further indicate whether each attack uses random initialization (only PGD employs a random start by adding uniform noise within the $ϵ$-ball), and confirm that gradients are always taken with respect to the input. These details ensure transparent reproducibility of the adversarial data generation process.

4.1.6. Sub-Model Configuration

The network architecture of all defense sub-models followed that of the base model described in Section 4.1.4. For each perturbation strength (0.01, 0.05, 0.1), a corresponding defense sub-model was trained on a hybrid training set comprising adversarial samples generated by multiple attack methods (FGSM, CW, BIM, PGD, and APGD) as detailed in Section 4.1.5. The hyperparameter settings for sub-model training are summarized in

Table 8. Hyperparameters for sub-model training.

Paramter	Perf_UAV_DNN
Loss Function	MSE
Optimizer	Adam (lr = $5\times {10}^{-4}$)
Learning Rate Scheduler	CosineAnnealingLR (eta_min = $1\times {10}^{-6}$)
Epochs	100
Batch Size	256

, with early stopping disabled.

4.1.7. Perturbation Strength Prediction Model Training

To enable accurate estimation of perturbation strength in hybrid adversarial samples, we designed and trained a multilayer perceptron (MLP)-based perturbation strength prediction model. The model takes as input the augmented feature vectors constructed by concatenating input/output GMM-derived statistics, and outputs a continuous regression value representing perturbation strength. Unlike conventional discrete classification approaches, this design adopts continuous prediction followed by interval partitioning based on predefined thresholds to map the output to discrete strength levels. This strategy mitigates ambiguity at class boundaries and provides a smoother characterization of perturbation magnitude.

For dataset construction, clean samples were assigned a label of $ϵ=0$, and adversarial samples were generated using FGSM, BIM, PGD, CW, and APGD at perturbation strengths $ϵ\in \{0.01,0.05,0.1\}$. The corresponding $ϵ$ values were used as supervision signals, and we followed standard practice by optimizing the network with MSE loss. As summarized in

Table 9. Configuration of network structures for the perturbation strength prediction model.

Model Name	Network Structures
Epsilon_Predict_DNN	[52, 128, 256, 128, 64, 1]

, all hidden layers adopted ReLU activations, while a Sigmoid function was applied at the output layer. The detailed hyperparameter settings used for model training are provided in

Table 10. Hyperparameters for perturbation strength prediction model training.

Paramter	Epsilon_Predict_DNN
Loss Function	MSE
Optimizer	Adam (lr = $5\times {10}^{-4}$)
Learning Rate Scheduler	CosineAnnealingLR (eta_min = $1\times {10}^{-6}$)
Epochs	30
Batch Size	256

.

4.1.8. Evaluation Metrics

The Mean Squared Error (MSE) measures the average squared deviation between predicted and true values and directly reflects the model’s prediction accuracy. It is formulated as

$$\mathrm{MSE}={\displaystyle \frac{1}{N}}\sum _{i=1}^N{(y_i-{\widehat{y}}_i)}^2,$$

(27)

where N denotes the total number of samples, $y_i$ is the ground-truth value, and ${\widehat{y}}_i$ represents the corresponding model prediction. A smaller MSE indicates that the model produces predictions closer to the actual observations.

The Coefficient of Determination ($R^2$) represents the proportion of variance in the dependent variable that can be explained by the model, providing a measure of its overall fit. It is computed as

$$R^2=1-{\displaystyle \frac{{\sum }_{i=1}^N{(y_i-{\widehat{y}}_i)}^2}{{\sum }_{i=1}^N{(y_i-\overline{y})}^2}},$$

(28)

where $\overline{y}$ is the mean of the observed values. Value of $R^2$ approaching 1 suggest that the model accounts for most of the variability in the data and therefore achieves a strong goodness of fit.

4.2. Experimental Results and Analysis

4.2.1. Robustness and Computational Efficiency Comparison

To examine the robustness of DPAD in time-series regression, we carried out a series of comparative experiments against the baseline regression model (Perf_UAV_DNN), as well as two representative defense strategies, EAT and ETR. Both EAT and ETR adopted the same training dataset as DPAD, containing a balanced mix of clean and adversarial samples. All models shared an identical network backbone with the base model (Section 4.1.4) and used training configurations consistent with the DPAD sub-models (Section 4.1.6). Specifically, five EAT variants were trained with adversarial strengths $\eta \in \{0.1,0.3,0.5,0.7,0.9\}$, denoted as $DN{N}_{\eta }^{EAT}$, while another five ETR variants were trained under TRADES loss coefficients $\lambda \in \{1,3,5,7,9\}$, denoted as $DN{N}_{\lambda }^{ETR}$. To evaluate robustness under diverse adversarial conditions, we built a hybrid adversarial test set by randomly sampling adversarial examples generated with perturbation strengths $ϵ\in \{0.01,0.05,0.1\}$ and attack types (FGSM, CW, BIM, PGD, APGD). Sampling followed the order of the original test set with a fixed random seed of 42, and the resulting hybrid adversarial set matches the size of the clean test set reported in Table 4.

Table 11. MSE and $R^2$ evaluation metrics for different models on clean and hybrid adversarial samples.

Model Name	Hybrid Test Dataset		Clean Test Dataset
	MSE ($\times {\mathbf{10}}^{-\mathbf{3}}$)	${\mathrm{R}}^2$	MSE ($\times {\mathbf{10}}^{-\mathbf{3}}$)	${\mathrm{R}}^{\mathbf{2}}$
Perf_UAV_DNN	9.51937	0.97209	0.74592	0.99781
DPAD	1.82378	0.99465	0.75114	0.99780
${\mathrm{DNN}}_{\eta =0.1}^{EAT}$	1.87219	0.99451	1.29076	0.99621
${\mathrm{DNN}}_{\eta =0.3}^{EAT}$	1.94561	0.99429	1.28924	0.99622
${\mathrm{DNN}}_{\eta =0.5}^{EAT}$	1.88074	0.99448	1.12079	0.99671
${\mathrm{DNN}}_{\eta =0.7}^{EAT}$	1.90210	0.99442	1.00955	0.99704
${\mathrm{DNN}}_{\eta =0.9}^{EAT}$	2.34659	0.99312	1.02693	0.99699
${\mathrm{DNN}}_{\lambda =1.0}^{ETR}$	2.10947	0.99381	1.17201	0.99656
${\mathrm{DNN}}_{\lambda =3.0}^{ETR}$	2.09383	0.99386	1.41517	0.99585
${\mathrm{DNN}}_{\lambda =5.0}^{ETR}$	2.17484	0.99362	1.54641	0.99546
${\mathrm{DNN}}_{\lambda =7.0}^{ETR}$	2.40992	0.99293	1.83781	0.99461
${\mathrm{DNN}}_{\lambda =9.0}^{ETR}$	2.55466	0.99251	2.00799	0.99411

Note: Red text indicates the best metric in the column, and blue text indicates the second-best metric.

summarizes the evaluation results on both clean and hybrid adversarial test datasets, including the original model, DPAD, and all compared EAT ($\eta \in \{0.1,0.3,0.5,0.7,0.9\}$) and ETR ($\lambda \in \{1,3,5,7,9\}$) variants. All EAT and ETR models share the same backbone architecture, optimizer, training epochs, early stopping, and clean/adversarial data composition. It is intuitive that the performance of the original model, while very high on clean data, significantly degrades under hybrid adversarial perturbations, hence being vulnerable. On the other hand, DPAD maintains comparable accuracy to the original model on clean samples while largely enhancing robustness against hybrid attacks, reducing the prediction error by about 80%. This indicates the effectiveness of DPAD in complex adversarial environments. To evaluate the sensitivity of this choice, we slightly adjusted the boundaries in Equation (25) to 0.005/0.02/0.07. On the hybrid adversarial test set, DPAD achieved an MSE of $1.826\times {10}^{-3}$ and $R^2=0.99465$, and on the clean test set, the MSE was $0.77654\times {10}^{-3}$ with $R^2=0.99772$. These results show that small changes to the thresholds cause only minor performance variations, indicating that the bin ranges can be tuned according to practical requirements to further improve DPAD’s overall performance.

Therefore, compared to EAT and ETR, DPAD achieves a higher balance between robustness and generalization. While EAT improves adversarial robustness at small parameter settings, it causes significant loss in clean data accuracy, and the performance degrades as the adversarial strength increases. Adding TRADES regularization in ETR leads to improvement in terms of robustness; however, ETR underperforms in DPAD on both clean and adversarial samples. It is clear that perturbation strength prediction and hierarchical sub-model defense mechanisms make DPAD more well-balanced between robustness and prediction accuracy than state-of-the-art methods.

In addition, computational efficiency is another critical factor for practical deployment.

Table 12. Inference time overhead for different models on the hybrid test dataset.

Model Name	DPAD Framework	EAT Model	ETR Model
Time Cost(s)	686.100 ± 11.377	2.288 ± 0.096	2.250 ± 0.155

compares the average inference time of different models on the hybrid test set, which contains 250,034 samples. EAT and ETR have achieved an extremely low inference time that is suitable for real-time applications, whereas DPAD causes a higher overhead for extra feature extraction, perturbation strength prediction, and hierarchical model selection. However, the increased average inference time per sample is 2.744 ms, which is in the scope of a quasi-real-time requirement in UAV applications. This indicates that the increased robustness of DPAD is worth paying for in computational cost.

4.2.2. Feature Augmentation Comparison

To assess the impact of distribution-driven feature augmentation, we evaluated the perturbation strength prediction model under three input configurations: (1) $Z_1=\left[x\right]$, (2) $Z_2=[x,\widehat{y}]$, and (3) $Z_3=[x,\widehat{y},log{p}_{\mathrm{in}}\left(x\right),{\mathrm{resp}}_{\mathrm{in}}\left(x\right),log{p}_{\mathrm{out}}\left(\widehat{y}\right),{\mathrm{resp}}_{\mathrm{out}}\left(\widehat{y}\right)]$. The corresponding MSE and $R^2$ values are summarized in

Table 13. The MSE and $R^2$ metrics of perturbation strength prediction models with different input feature compositions on the test set.

Features	${\mathit{Z}}_1$	${\mathit{Z}}_2$	${\mathit{Z}}_3$
MSE	$4.53\times {10}^{-4}$	$3.53\times {10}^{-4}$	$0.81\times {10}^{-4}$
${\mathrm{R}}^2$	0.6847	0.7545	0.9434

.

When only the raw inputs ($Z_1$) are used, the model performs the weakest. Adding the model’s own outputs ($Z_2$) improves the fitting performance to some degree, but the improvement remains limited. Once the GMM-derived features—specifically the log-likelihood and responsibility values—are included ($Z_3$), the performance increases notably, with the MSE reduced to $0.81\times {10}^{-4}$ and $R^2$ raised to 0.9434. These observations suggest that the distribution-based features provide complementary statistical information that helps the predictor capture perturbation intensity more accurately. They also emphasize the necessity of the distribution-driven design adopted in DPAD.

5. Discussion

The proposed DPAD framework can effectively defend against multi-type and multi-strength hybrid adversarial attacks in UAV time-series regression tasks by integrating the front-end perturbation strength prediction with the back-end hierarchical sub-model defense. The experimental results show that the DPAD reduces the average MSE about 80% compared to the original model under the hybrid adversarial samples, with nearly the same prediction accuracy on the clean samples. The key factor behind this performance is the feature augmentation based on the GMM. The incorporation of log-likelihood and responsibility values of input–output distributions brings about significantly enhanced feature representation of the model for perturbation strength prediction: the MSE of perturbation strength prediction decreases from $4.53\times {10}^{-4}$ to $0.81\times {10}^{-4}$, while $R^2$ increases from 0.6847 to 0.9434. The superiority indicates that the GMM-based feature extraction not only strengthens the discriminative power of perturbation strength classification but also improves the precision of sub-model selection, enabling dynamic adaptation and fine-grained defense in complex adversarial environments.

Yet, despite its effectiveness, DPAD still has its limitations. Its inference time is relatively high at about 2.744 ms per data point, maybe leading to latency bottlenecks in batch inference or multi-sensor fusion scenarios, though within real-time control requirements of typical UAVs. Moreover, it depends on several sub-model trainings and GMM distributional assumptions that should be further validated on generalization for unknown attack types and robustness under high-dimensional, non-Gaussian data distributions. To alleviate the computational overhead, future work could explore lightweight surrogate models to approximate GMM log-likelihood and responsibility computations, as well as batch-wise parallel processing of feature augmentation on modern GPUs, which can significantly reduce per-sample inference time without affecting defense performance. Additionally, the current evaluation uses a publicly available simulated UAV delivery dataset, which, while reflecting realistic flight trajectories under varying speeds, altitudes, and wind conditions, is still limited compared to real-world UAV operations. Future studies aim to collect real UAV delivery trajectories to further validate DPAD’s performance under authentic operational conditions, enhancing the applicability of the framework to practical deployment scenarios.

The future directions include jointly optimizing perturbation prediction and hierarchical defense modules for low latency with high scalability. The GMM may be replaced by more expressive distribution modeling techniques, such as variational Bayesian methods [31] or deep energy-based models [32], in order to represent richer input–output feature relationships in the framework with a possibly better perturbation discrimination. Considering online/continual learning paradigms [33] is another promising direction of extending DPAD for evolution with adversarial pattern variations in order to maintain high performance in dynamic operational environments. Moreover, although the current design primarily focuses on adversarial robustness, future extensions of DPAD may incorporate privacy-preserving mechanisms. For example, perturbation prediction and distributional feature extraction can be performed directly on-board UAVs to avoid transmitting raw sensor data, while techniques such as federated learning [34], differential privacy [35], or encrypted model inference [36] could be introduced to protect sensitive flight or environment information. Integrating these privacy-preserving strategies would improve the applicability of DPAD in large-scale UAV and IoD systems where data confidentiality and mission security are critical.

6. Conclusions

This paper has proposed the Distribution-driven Perturbation-Adaptive Defense (DPAD) framework for UAV time-series regression under multi-type, multi-strength hybrid adversarial attacks. By combining perturbation strength prediction, hierarchical sub-model defense, and GMM-based input–output feature augmentation, DPAD has achieved dynamic adaptation to complex attacks while maintaining high prediction accuracy on clean data.

Experimental evaluations demonstrate that GMM-based feature augmentation significantly enhances predictive performance. In perturbation strength estimation, the MSE decreased from $4.53\times {10}^{-4}$ to $0.81\times {10}^{-4}$, and $R^2$ improved from 0.685 to 0.943. Under hybrid adversarial samples, DPAD reduced the average MSE by approximately 80% compared with the base model, achieving $1.824\times {10}^{-3}$ in MSE and $R^2=0.995$, while maintaining almost identical accuracy on clean data (MSE: $7.511\times {10}^{-4}$; $R^2:0.998$). In contrast, existing adversarial training approaches including EAT and ETR exhibited noticeably higher prediction errors.

We attribute the superior performance of DPAD to the use of GMM-based distributional features, which enhance perturbation strength estimation and improve sub-model selection for hierarchical defense. Although additional processing is introduced by feature extraction and model selection, the framework achieves an average inference time of 2.744 ms per data point, which is sufficient for near-real-time UAV control.

In summary, DPAD provides a robust and scalable defense framework for security-critical time-series applications. It achieves a practical balance among robustness, accuracy, and computational efficiency in complex and adversarial operational environments.