
arxiv: 1907.07732 · v1 · pith:HDROBWALnew · submitted 2019-07-17 · 💻 cs.CR · cs.LG

Connecting Lyapunov Control Theory to Adversarial Attacks

Pith reviewed 2026-05-24 20:07 UTC · model grok-4.3

keywords: adversarial attacks, neural networks, Lyapunov functions, control theory, provable defenses, robustness, stability analysis

The pith

Lyapunov functions from control theory can be used to build provable defenses against weaker adversarial attacks on neural networks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper claims that control theory provides useful tools for defending neural networks against adversarial attacks. It demonstrates the idea by constructing a defense based on Lyapunov stability that gives provable guarantees against a restricted form of adversary. The example is chosen to isolate and highlight the control mechanisms themselves rather than to solve the full problem. A reader would care because it suggests a new mathematical route to robustness bounds in machine learning security.

Core claim

Lyapunov control theory can be connected to adversarial robustness by treating network behavior under perturbation as a dynamical system whose stability can be certified, yielding a concrete provable defense when the adversary is limited in strength.

What carries the argument

Lyapunov functions that establish stability of the neural network under bounded input perturbations.

If this is right

  • Stability analysis from control theory supplies explicit robustness certificates for neural networks.
  • New defense constructions become possible by recasting attacks as disturbances in a dynamical system.
  • The approach separates the control mechanism from the adversary model, allowing focused study of each.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same Lyapunov framing might be adapted to derive bounds for stronger or adaptive adversaries if the stability conditions can be tightened.
  • Control-theoretic ideas could transfer to other robustness questions such as certified defenses in reinforcement learning or federated settings.

Load-bearing premise

A defense constructed only against a weaker adversary is enough to show the intrinsic value of control theory mechanisms for adversarial settings in general.

What would settle it

A calculation or experiment that shows the Lyapunov-derived bounds provide no meaningful guarantee even against the weaker adversary considered in the paper.

Figures

Figures reproduced from arXiv: 1907.07732 by Andre T. Nguyen, Arash Rahnama, Edward Raff.

Figure 1: A nonlinear system H.
Figure 2: Box plot describing the distribution of $\|\Delta^{(N)}\|_2^2 / \|\Delta^{(1)}\|_2^2$ for each dataset and network depth combination. Red dots represent the upper bound on the ratio, based on Equation 1.
Figure 3: Histogram describing the distribution of

Original abstract

Significant work is being done to develop the math and tools necessary to build provable defenses, or at least bounds, against adversarial attacks of neural networks. In this work, we argue that tools from control theory could be leveraged to aid in defending against such attacks. We do this by example, building a provable defense against a weaker adversary. This is done so we can focus on the mechanisms of control theory, and illuminate its intrinsic value.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 1 minor

Summary. The paper argues that tools from Lyapunov control theory can be leveraged to aid in defending against adversarial attacks on neural networks. It demonstrates this by example, constructing a provable defense against a weaker adversary in order to focus on and illuminate the intrinsic value of the control-theoretic mechanisms, without claiming a general solution for stronger adversaries.

Significance. If the construction is sound, the work is significant as an explicit bridge between control theory and adversarial robustness, providing a concrete illustration of how stability analysis can be imported into neural network defenses. The deliberate scoping to a weaker adversary is a strength, as it isolates the mechanisms without overclaiming transfer to the full adversarial regime.

minor comments (1)
  1. The abstract and introduction clearly scope the contribution to the weaker-adversary case; this framing prevents misreading the central claim as a general defense.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for their positive assessment of the work, recognition of its significance as a bridge between control theory and adversarial robustness, and recommendation to accept the manuscript.

Circularity Check

0 steps flagged

No significant circularity detected

full rationale

The paper scopes its contribution explicitly to constructing a provable defense against a weaker adversary solely to illustrate control-theoretic mechanisms (Lyapunov theory) and their intrinsic value, without claiming transfer to stronger adversaries or presenting any fitted parameters, predictions, or uniqueness theorems that reduce to self-citations or inputs by construction. No load-bearing steps in the provided abstract or skeptic analysis invoke self-definitional relations, renamed empirical patterns, or ansatzes smuggled via prior author work. The derivation chain is therefore self-contained as an example construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Abstract-only review; ledger is minimal. The central claim rests on the domain assumption that Lyapunov methods transfer to NN adversarial settings.

axioms (1)
  • domain assumption: Lyapunov stability theory can be applied to neural network input-output behavior under adversarial perturbations.
    Invoked to build the example defense (abstract).

pith-pipeline@v0.9.0 · 5589 in / 984 out tokens · 15505 ms · 2026-05-24T20:07:38.567908+00:00 · methodology

