
arxiv: 2604.08392 · v1 · submitted 2026-04-09 · 🧮 math.OC

Data Poisoning Attacks Can Systematically Destabilize Data-Driven Control Synthesis

Pith reviewed 2026-05-10 17:08 UTC · model grok-4.3

classification 🧮 math.OC
keywords data poisoning · data-driven control · control synthesis · cyber-physical security · linear feedback · destabilization attacks · trajectory falsification

The pith

An attacker can poison data to force any synthesized linear state-feedback controller to destabilize the physical system, without knowing the model or synthesis procedure.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that data-driven control synthesis is vulnerable to systematic poisoning of the input data. By injecting falsified state trajectories, an attacker can induce a geometric shift in the apparent dynamics that makes every linear controller the synthesis procedure outputs unstable on the true system. This vulnerability matters because data-driven methods are promoted precisely for avoiding explicit models, yet the attack succeeds without any model knowledge or insight into how the controller is computed. The authors provide a recursive poisoning construction that works for both clean and noisy data sets and thereby show that destabilization is deterministic rather than probabilistic.

Core claim

An attacker can systematically poison the data used for control synthesis, causing any linear state-feedback controller synthesized by the planner to destabilize the physical system. The attacker achieves this without knowledge of the system model or the controller synthesis procedure by developing a recursive data-poisoning mechanism that generates falsified state trajectories, inducing a precise geometric shift in the apparent system dynamics. The results establish that data-driven control pipelines can be deterministically destabilized by model-agnostic attacks operating solely at the data level.

What carries the argument

A recursive data-poisoning mechanism that generates falsified state trajectories inducing a precise geometric shift in the apparent system dynamics.

If this is right

  • Any linear state-feedback controller produced by the synthesis procedure from the poisoned data will destabilize the true system.
  • The attack requires no knowledge of the system matrices or of the particular synthesis algorithm employed.
  • The same poisoning construction works for both noise-free and noisy data sets.
  • Data-driven control pipelines can be deterministically destabilized by attacks that act only on the collected trajectories.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Robustness checks or anomaly detection on collected trajectories could become necessary additions to data-driven pipelines.
  • Similar poisoning strategies may affect other data-driven tasks such as system identification or reinforcement learning that rely on trajectory data.
  • The geometric-shift view suggests that defenses could target preservation of certain invariant subspaces rather than statistical outlier removal.
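
One form the trajectory check in the first bullet could take, as an added example that is not from the paper or from Pith: fit a model to the stored dataset and accept it only if it predicts a short run re-measured over a trusted channel. The plant, inputs, tolerance and the modelling of the poisoned data as a trajectory of the shifted system (A + δI, B) are assumptions; all data is constructed, with δ = −2.0 and T = 15 borrowed from the figure captions.

```python
# Added example: plant, inputs, tolerance and shifted-system model are assumptions.

def solve(M, rhs):
    """Solve M z = rhs by Gauss-Jordan elimination with partial pivoting."""
    n = len(M)
    aug = [row[:] + [r] for row, r in zip(M, rhs)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(aug[r][c]))
        aug[c], aug[p] = aug[p], aug[c]
        for r in range(n):
            if r != c:
                f = aug[r][c] / aug[c][c]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[c])]
    return [aug[i][n] / aug[i][i] for i in range(n)]

def fit_model(xs, us):
    """Least-squares [A B] from x(k+1) = A x(k) + B u(k); one row per state."""
    regs = [list(x) + [u] for x, u in zip(xs[:-1], us)]  # regressor [x(k); u(k)]
    d = len(regs[0])
    gram = [[sum(r[i] * r[j] for r in regs) for j in range(d)] for i in range(d)]
    rows = []
    for s in range(len(xs[0])):
        rhs = [sum(r[i] * xn[s] for r, xn in zip(regs, xs[1:])) for i in range(d)]
        rows.append(solve(gram, rhs))
    return rows

def max_residual(model, xs, us):
    """Largest one-step prediction error of `model` on a trajectory."""
    worst = 0.0
    for x, u, xn in zip(xs[:-1], us, xs[1:]):
        reg = list(x) + [u]
        for row, target in zip(model, xn):
            worst = max(worst, abs(sum(a * b for a, b in zip(row, reg)) - target))
    return worst

def simulate(A, B, x0, us):
    """Roll out x(k+1) = A x(k) + B u(k) for a single-input system."""
    xs = [list(x0)]
    for u in us:
        x = xs[-1]
        xs.append([sum(a * v for a, v in zip(row, x)) + b * u for row, b in zip(A, B)])
    return xs

def stored_data_passes(stored, trusted, tol=1e-6):
    """Accept the stored dataset only if its model predicts the trusted run."""
    return max_residual(fit_model(*stored), *trusted) <= tol

A_TRUE, B_TRUE, DELTA = [[0.9, 0.2], [0.0, 0.8]], [0.0, 1.0], -2.0
A_SHIFT = [[A_TRUE[i][j] + (DELTA if i == j else 0.0) for j in range(2)] for i in range(2)]
US = [float((7 * k) % 5 - 2) for k in range(15)]             # T = 15 stored samples
clean = (simulate(A_TRUE, B_TRUE, [1.0, -1.0], US), US)
poisoned = (simulate(A_SHIFT, B_TRUE, [1.0, -1.0], US), US)  # stand-in for tampered file
VAL_US = [1.0, -1.0, 0.5, 0.0, 1.0]                          # short re-measured run
trusted = (simulate(A_TRUE, B_TRUE, [0.5, 0.5], VAL_US), VAL_US)

if __name__ == "__main__":
    for name, data in (("clean", clean), ("poisoned", poisoned)):
        print(name, "accepted:", stored_data_passes(data, trusted))
```

Under the shifted-system assumption the stored file is self-consistent, so a residual test run on the file alone would pass; the check only has value if the validation run reaches the planner over a path the attacker cannot modify.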

Load-bearing premise

The attacker can inject arbitrarily falsified state trajectories into the data set and the underlying synthesis method is sensitive to geometric shifts in the collected trajectories.

What would settle it

A concrete linear system and data set in which the controller synthesized from the poisoned trajectories produces closed-loop eigenvalues with positive real part when applied to the true (unpoisoned) dynamics.

Figures

Figures reproduced from arXiv: 2604.08392 by Ahmad W. Al-Dabbagh, Gianluca Bianchin, Julien M. Hendrickx, Martina Vanelli, Vijayanand Digge.

Figure 1: Illustration of data-poisoning attack considered in this paper. Data collected from a system identification experiment is stored and subsequently used for controller synthesis. An attacker intercepts the stored data and replaces the true state trajectory {x(k)} with a poisoned trajectory {x̃(k)}. The resulting corrupted dataset leads the system planner to synthesize a controller K that destabilizes the phy…
Figure 2: Closed-loop response of the system under the proposed data-poisoning attack. (Left) The apparent system exhibits asymptotic convergence, satisfying the planner’s Schur stability condition. (Right) The true physical system diverges exponentially.
Figure 3: Closed-loop pole locations in the complex plane under the proposed data-poisoning attack; the planner successfully constrains the apparent poles (λ̃) within the unit circle, while the true closed-loop poles (λ) lie outside the unit circle.

… any data-driven controller, the resulting isotropic spectral shift requires a relatively large perturbation magnitude (e.g., |δ| ≥ 2). This occurs because the isotr…
Figure 4: Offline data magnitude evaluation characterizing the attack’s recursive injection magnitude δ = −2.0 using Algorithm 1. (Left) Comparison of the L2 norms of the true open-loop trajectory X and the poisoned trajectory X̃. (Right) Logarithmic plot of the perturbation vector magnitude ∥∆(k)∥2, demonstrating the exponential growth governed by ρ(A + δI).

… with length T = 15. Here we consider the planner algorith…
Figure 6: Scaling of the attack magnitude |δ| required to satisfy min_i |λ_i| > 1 under increasing measurement noise in the system.

B. Simulations with noisy data

To assess the robustness of the attack under more realistic operational conditions, a random uniform measurement noise sequence w(k) is injected during the offline data collection phase to system (2). We first evaluate the system under a moderate noise bound…
Original abstract

Data-driven control has emerged as a powerful paradigm for synthesizing controllers directly from data, bypassing explicit model identification. However, this reliance on data introduces new and largely unexplored vulnerabilities. In this paper, we show that an attacker can systematically poison the data used for control synthesis, causing any linear state-feedback controller synthesized by the planner to destabilize the physical system. Concerningly, we show that the attacker can achieve this objective without knowledge of the system model or the controller synthesis procedure. To this end, we develop a recursive data-poisoning mechanism that generates falsified state trajectories, inducing a precise geometric shift in the apparent system dynamics. More broadly, our results establish that data-driven control pipelines can be deterministically destabilized by model-agnostic attacks operating solely at the data level. Numerical simulations corroborate these findings for both noise-free and noisy data.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims that an attacker can systematically poison the data used for data-driven control synthesis by recursively generating falsified state trajectories. This induces a geometric shift in the apparent dynamics such that any linear state-feedback controller synthesized from the poisoned data (by an arbitrary procedure) will destabilize the true physical system. The attack requires no knowledge of the system model or the synthesis method, and the claim is supported by a theoretical mechanism plus numerical simulations for both noise-free and noisy data.

Significance. If the central claim holds, the work would be significant for exposing a model-agnostic vulnerability in data-driven control pipelines, showing that deterministic destabilization is possible solely through data-level attacks. The recursive poisoning construction and corroborating simulations are concrete strengths that make the result falsifiable and potentially impactful for security considerations in control applications.

major comments (2)
  1. [§3] §3 (recursive poisoning mechanism): the construction generates falsified trajectories to produce a geometric shift, but the argument that this forces instability on the unknown true (A,B) for arbitrary synthesis procedures is not load-bearing. A fixed or recursively generated fake trajectory set cannot guarantee that every possible synthesized K satisfies instability of the true closed-loop matrix, as the choice is independent of (A,B).
  2. [Main theorem (likely §4)] Main theorem (likely §4): the claim of deterministic, model-agnostic destabilization for 'any' linear state-feedback controller is contradicted by the fact that closed-loop stability depends on the specific unknown plant; no choice of poisoned data independent of (A,B) can ensure the property holds universally across all possible true systems and all possible synthesis methods.
minor comments (2)
  1. [Abstract] The abstract and introduction would benefit from an explicit statement of the data-driven synthesis operator (e.g., whether it relies on Willems' lemma or a specific regression) to clarify the scope of 'any' synthesis procedure.
  2. [Preliminaries] Notation for the geometric shift and the poisoned data matrices should be introduced with a dedicated preliminary subsection for clarity.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the careful reading and constructive feedback on our manuscript. The comments highlight important aspects of the recursive poisoning construction and the scope of the main theorem. We address each point below and indicate where revisions will be incorporated to clarify assumptions and strengthen the claims.

Point-by-point responses
  1. Referee: [§3] §3 (recursive poisoning mechanism): the construction generates falsified trajectories to produce a geometric shift, but the argument that this forces instability on the unknown true (A,B) for arbitrary synthesis procedures is not load-bearing. A fixed or recursively generated fake trajectory set cannot guarantee that every possible synthesized K satisfies instability of the true closed-loop matrix, as the choice is independent of (A,B).

    Authors: We appreciate this observation on the load-bearing nature of the argument. The recursive poisoning mechanism generates falsified trajectories by iteratively solving for state-input pairs that lie in a shifted subspace of the data matrix, inducing a fixed geometric offset in the apparent (A,B) pair. This offset is constructed without reference to the true plant and ensures that any synthesis procedure relying on the poisoned data to compute a stabilizing K for the apparent dynamics will produce a controller whose closed-loop eigenvalues lie outside the stability region when applied to the true system. However, we acknowledge that the original wording for completely arbitrary procedures (including those that ignore the data) is overly broad. We will revise §3 to explicitly state that the guarantee applies to data-dependent synthesis methods (e.g., least-squares, behavioral, or optimization-based approaches that use the provided trajectories). Additional explanatory text and a clarifying remark on the independence from (A,B) will be added. revision: yes

  2. Referee: [Main theorem (likely §4)] Main theorem (likely §4): the claim of deterministic, model-agnostic destabilization for 'any' linear state-feedback controller is contradicted by the fact that closed-loop stability depends on the specific unknown plant; no choice of poisoned data independent of (A,B) can ensure the property holds universally across all possible true systems and all possible synthesis methods.

    Authors: The referee correctly notes that stability is inherently plant-dependent. Our main theorem establishes that a single, model-agnostic poisoning strategy—independent of the specific values of (A,B)—induces a geometric shift sufficient to destabilize the true closed-loop for any linear state-feedback controller synthesized from the resulting data. The proof proceeds by showing that the poisoned dataset is consistent only with an apparent dynamics whose stabilizing controllers, when applied to the true plant, necessarily produce an unstable matrix; this holds for any fixed true (A,B) without the attacker needing its value. We agree that the phrasing “any” and “arbitrary” can be misinterpreted as applying even to synthesis methods that disregard the data or to a universal guarantee over all conceivable plants simultaneously. We will revise the theorem statement, abstract, and introduction to clarify that the result concerns synthesis procedures that operate on the poisoned data and that the attack succeeds for any given unknown plant without requiring knowledge of that plant. These changes will be accompanied by a short discussion of the scope. revision: yes

Circularity Check

0 steps flagged

No significant circularity in the derivation chain

full rationale

The paper constructs an explicit recursive poisoning attack that generates falsified trajectories to induce a geometric shift in the collected data, from which any linear state-feedback controller is shown to destabilize the plant. This follows from properties of linear trajectory geometry and does not reduce to a self-definition, a fitted parameter renamed as a prediction, or a load-bearing self-citation. The model-agnostic claim is derived directly from the attack construction rather than from quantities defined circularly in terms of the target system or synthesis procedure. No uniqueness theorems or ansatzes are smuggled via self-citation, and the result is not a renaming of a known empirical pattern.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The paper rests on standard linear-systems assumptions (state trajectories satisfy linear dynamics, synthesis produces linear feedback) but introduces no new free parameters, axioms beyond domain conventions, or invented entities; the poisoning construction itself is the novel contribution.

axioms (1)
  • domain assumption Collected state trajectories are generated by an underlying linear time-invariant system
    Implicit in all data-driven linear control synthesis methods referenced by the abstract.

pith-pipeline@v0.9.0 · 5459 in / 1276 out tokens · 52037 ms · 2026-05-10T17:08:15.303355+00:00 · methodology


VII. APPENDIX

Proposition 2 (Model-based reinterpretation of poisoned data from Algorithm 1). Suppose the poisoned trajectory matrices (X̃−, X̃+) are generated by Algorithm 1. Then, the poisoned dataset emulates the state trajectory of an apparent system given by x(...