On the Necessity of Two-Stage Estimation for Learning Dynamical Systems under Both Noise and Node-Wise Attacks

TL;DR

This paper demonstrates that robust learning of networked dynamical systems under both noise and adversarial attacks requires a two-stage estimation process, as one-stage convex methods are insufficient for consistency.

Contribution

It introduces a novel two-stage estimation method that effectively detects and filters attacks, enabling consistent system identification under adversarial conditions.

Findings

Two-stage estimator achieves error bounds of O(1/√T) plus attack-related terms.

Convex one-stage estimators cannot be consistent under combined noise and attacks.

Perfect attack-data separability leads to guaranteed consistency of the proposed method.

Abstract

The least-squares estimator has achieved considerable success in learning linear dynamical systems from a single trajectory of length $T$. While it attains an optimal error of $\mathcal{O}(1/\sqrt{T})$ under independent zero-mean noise, it lacks robustness and is particularly susceptible to adversarial corruption. In this paper, we consider the identification of a networked system in which every node is subject to both noise and adversarial attacks. We assume that every node is independently corrupted with probability smaller than $0.5$ at each time, placing the overall system under almost-persistent local attack. We first show that no convex one-stage estimator can achieve a consistent estimate as $T$ grows under both noise and attacks. This motivates the development of a two-stage estimation method applied across nodes. In Stage I, we leverage the $\ell_1$-norm estimator and derive an estimation error bound proportional to the noise level $\sigma_w$. This bound is subsequently used to detect and filter out attacks, producing a clean dataset for each node, to which we apply the least-squares estimator in Stage II. The resulting estimation error is on the order $\mathcal{O}(1/\sqrt{T})$ plus the product of $\sigma_w$ and the number of misclassifications. In the event of perfect separability between attack and non-attack data, which occurs when injected attacks are sufficiently large relative to the noise scale, our two-stage estimator is consistent for the true system.