Adversarial Destabilization Attacks to Direct Data-Driven Control
Hampei Sasahara

TL;DR
This paper investigates how adversarial perturbations can destabilize data-driven control systems, introduces methods to craft such attacks, and proposes defenses to mitigate these security risks.
Contribution
It presents novel attack algorithms (DGSM and I-DGSM), an efficient gradient computation technique, and defense strategies for securing data-driven control systems.
Findings
Small perturbations can cause system instability.
Proposed defenses significantly reduce attack success.
Transferability of attacks under partial knowledge is demonstrated.
Abstract
This study explores the vulnerability of direct data-driven control, particularly in the linear quadratic regulator (LQR) problem, to adversarial perturbations in offline collected data. We focus on stealthy attacks that subtly alter training data to destabilize the closed-loop system while evading detection. To craft such attacks, we propose the Directed Gradient Sign Method (DGSM) and its iterative variant (I-DGSM), which adapt techniques from adversarial machine learning to align perturbations with the gradient of the closed-loop spectral radius. A key technical contribution is an efficient and exact gradient computation method using implicit differentiation through the Karush-Kuhn-Tucker conditions of the underlying semidefinite program. For defense, we introduce two strategies: (i) regularization to reduce controller sensitivity, and (ii) robust data-driven control that ensures…
