pith. sign in

arxiv: 2604.11657 · v1 · submitted 2026-04-13 · 📡 eess.SY · cs.SY

Data Poisoning Attacks on Informativity for Observability: Invariance-Based Synthesis

Iori Takaki , Ahmet Cetinkaya , Hideaki Ishii This is my paper

Pith reviewed 2026-05-10 14:53 UTC · model grok-4.3

classification 📡 eess.SY cs.SY
keywords data poisoninginformativitystrong observabilitydata-driven controlcyber attacksinvariant subspacelinear transformation
0
0 comments X

The pith

Adversaries can destroy strong observability certificates in data-driven control by applying invertible linear transformations to time-series data that embed malicious states into invariant subspaces.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper shows that an adversary with access to finite time-series data can apply an invertible linear transformation to the data matrices and thereby insert malicious states into the subspace that the transformed data appears to explain. The attack invalidates the informativity condition required for strong observability analysis without breaking the linear structure the method assumes. The authors supply an explicit construction for the transformation, conditions that guarantee its existence, and an optimization problem that finds the smallest-norm change needed to break the certificate. If the attack succeeds, data-driven observers will certify stronger observability properties than the true system possesses, allowing unsafe controllers to be designed from poisoned data.

Core claim

Invertible linear transformations acting on data matrices can embed malicious states into the invariant subspace explained by the transformed dataset, thereby destroying informativity for strong observability. A constructive method exists for generating such transformations, together with feasibility conditions that characterize when they are possible and a minimum-norm optimization that quantifies the smallest data distortion sufficient to invalidate the informativity certificate.

What carries the argument

The invariant subspace explained by the transformed dataset, into which malicious states are embedded by an invertible linear transformation applied to the data matrices.

If this is right

  • Small structured linear transformations suffice to invalidate informativity certificates for strong observability.
  • Feasibility conditions identify the system and data regimes in which such attacks are possible.
  • The minimum-norm optimization supplies a concrete measure of the least data distortion required to break the certificate.
  • Numerical examples confirm that the constructed attacks can succeed with modest changes to the observed data.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Data-driven control pipelines that rely on informativity checks may require additional consistency tests on higher-order statistics or redundant sensors to detect linear tampering.
  • Analogous invariance-based attacks could target other data-driven properties such as controllability or stability certificates.
  • Defensive strategies might include encrypting raw time-series before transmission or periodically injecting known probe signals that cannot be preserved under arbitrary linear maps.

Load-bearing premise

The adversary can post-process the finite time-series data by an invertible linear transformation on the data matrices without detection or violation of the linear structure assumed in the informativity analysis.

What would settle it

Apply the minimum-norm transformation constructed in the paper to a recorded time-series dataset from a known observable system and check whether the resulting matrices still satisfy the informativity condition for strong observability or whether the malicious state lies outside the estimated invariant subspace.

Figures

Figures reproduced from arXiv: 2604.11657 by Ahmet Cetinkaya, Hideaki Ishii, Iori Takaki.

Figure 1
Figure 1. Figure 1: Linear dynamical network model (5-states) [PITH_FULL_IMAGE:figures/full_fig_p007_1.png] view at source ↗
read the original abstract

This paper studies cyber attacks against informativity-based analysis in data-driven control. Focusing on strong observability, we consider an adversary who post-processes finite time-series data by an invertible linear transformation acting on the data matrices. We show that such transformations are capable of embedding malicious states into the invariant subspace explained by the transformed dataset. We provide a constructive attack method and derive feasibility conditions that characterize when such transformations exist. Moreover, we formulate an optimization problem to obtain the minimum-norm attack that quantifies the smallest data distortion required to destroy informativity. Numerical examples demonstrate that small and structured transformations can invalidate informativity certificates.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 3 minor

Summary. The manuscript studies data poisoning attacks on informativity-based observability analysis for data-driven control. An adversary is assumed to post-process finite time-series data via an invertible linear transformation applied to the data matrices. The central claims are that such transformations can embed malicious states into the invariant subspace of the transformed dataset, that explicit constructive methods and feasibility conditions exist for when this is possible, and that a minimum-norm optimization problem can be solved to quantify the smallest distortion needed to destroy informativity certificates. Numerical examples are provided to illustrate that small, structured transformations suffice.

Significance. If the derivations and conditions hold, the work is significant for highlighting a concrete vulnerability in informativity-based data-driven methods, which are increasingly used in control of cyber-physical systems. The constructive attack synthesis, explicit feasibility conditions, and minimum-norm formulation provide a quantitative security assessment that goes beyond qualitative warnings. The invariance-based approach and supporting numerical validation are strengths that could inform future robust data-driven design.

minor comments (3)
  1. [§2.2] §2.2: the definition of the invariant subspace after transformation would benefit from an explicit statement of how the original observability matrix rank condition maps under the linear map; the current wording leaves the dimension change implicit.
  2. [Eq. (18)] Eq. (18) in the optimization section: the constraint that the transformation remains invertible is stated but the numerical solver implementation (e.g., handling of the determinant lower bound) is not detailed, which affects reproducibility of the minimum-norm results.
  3. [Figure 4] Figure 4: the y-axis scaling for the distortion norm across the three scenarios is inconsistent with the table values in the caption; this makes it difficult to verify that the reported attacks are indeed minimal.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for the positive summary and significance assessment of our manuscript. The review accurately captures the core contributions on data poisoning via invertible linear transformations, constructive attack synthesis, feasibility conditions, and the minimum-norm formulation. We appreciate the recommendation for minor revision and will incorporate editorial improvements to enhance clarity and presentation.

Circularity Check

0 steps flagged

No significant circularity in the derivation chain

full rationale

The paper constructs attacks via invertible linear transformations on data matrices to embed malicious states into the invariant subspace, derives explicit feasibility conditions from the linear structure, and formulates a minimum-norm optimization problem. These steps rely on standard linear algebra and convex optimization applied to the existing informativity framework for observability, without any reduction to self-defined quantities, fitted inputs renamed as predictions, or load-bearing self-citations. The central claims are supported by constructive methods and numerical validation that remain independent of the target result.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review provides no explicit free parameters, axioms, or invented entities. The approach implicitly relies on linear system assumptions and data matrix transformations, but details are absent.

pith-pipeline@v0.9.0 · 5402 in / 1191 out tokens · 50818 ms · 2026-05-10T14:53:57.258353+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

20 extracted references · 20 canonical work pages · 1 internal anchor

  1. [1]

    Formulas for data-driven control: Stabiliza- tion, optimality, and robustness,

    C. De Persis and P. Tesi, “Formulas for data-driven control: Stabiliza- tion, optimality, and robustness,”IEEE Trans. Autom. Control, vol. 65, no. 3, pp. 909–924, 2020

    work page 2020

  2. [2]

    H. J. van Waarde, M. K. Camlibel, and H. L. Trentelman,Data-Based Linear Systems and Control Theory, Kindle Direct Publishing, 2025

    work page 2025

  3. [3]

    Data-driven criteria for detectability and observer design for lti systems,

    V . K. Mishra, H. J. van Waarde, and N. Bajcinca, “Data-driven criteria for detectability and observer design for lti systems,” inProc. 61st IEEE Conf. Decis. Control, pp. 4846–4852, 2022

    work page 2022

  4. [4]

    Informativity for centralized design of distributed controllers for networked systems,

    J. Eising and J. Cort ´es, “Informativity for centralized design of distributed controllers for networked systems,” inProc. Eur. Control Conf., pp. 681–686, 2022

    work page 2022

  5. [5]

    Data-driven output synchronization of heterogeneous leader-follower multi-agent systems,

    J. Jiao, H. J. van Waarde, H. L. Trentelman, M. K. Camlibel, and S. Hirche, “Data-driven output synchronization of heterogeneous leader-follower multi-agent systems,” inProc. IEEE Conf. Decis. Control, pp. 466–471, 2021

    work page 2021

  6. [6]

    Trade-off in quantization between data-driven design and control inputs,

    I. Takaki, A. Cetinkaya, and H. Ishii, “Trade-off in quantization between data-driven design and control inputs,” inProc. 10th IFAC Conference on Networked Systems, pp. 103–108, 2025

    work page 2025

  7. [7]

    Analysis and detectability of offline data poisoning attacks on linear dynamical systems,

    A. Russo, “Analysis and detectability of offline data poisoning attacks on linear dynamical systems,” inProc. Learning for Dynamics and Control Conf., pp. 1086–1098, PMLR, 2023

    work page 2023

  8. [8]

    Adversarial Destabilization Attacks to Direct Data-Driven Control

    H. Sasahara, “Adversarial destabilization attacks to direct data-driven control,”arXiv preprint arXiv:2507.14863, 2025

    work page internal anchor Pith review Pith/arXiv arXiv 2025

  9. [9]

    Poisoning attacks against data-driven control methods,

    A. Russo and A. Proutiere, “Poisoning attacks against data-driven control methods,” inProc. Amer. Control Conf., pp. 3234–3241, 2021

    work page 2021

  10. [10]

    Data-driven iden- tification of attack-free sensors in networked control systems,

    S. C. Anand, M. S. Chong, and A. M. Teixeira, “Data-driven iden- tification of attack-free sensors in networked control systems,”arXiv preprint arXiv:2312.04845, 2023

    work page arXiv 2023

  11. [11]

    Secure data reconstruction: A direct data-driven approach,

    J. Yan, I. Markovsky, and J. Lygeros, “Secure data reconstruction: A direct data-driven approach,”IEEE Trans. Autom. Control, vol. 70, no. 12, pp. 8361–8367, 2025

    work page 2025

  12. [12]

    Data-driven re- silience assessment against sparse sensor attacks,

    T. Shinohara, K. H. Johansson, and H. Sandberg, “Data-driven re- silience assessment against sparse sensor attacks,”arXiv preprint arXiv:2509.25064, 2025

    work page arXiv 2025

  13. [13]

    Data transformation technique in the data informativity approach via algebraic sequences,

    Y . Tanaka and O. Kaneko, “Data transformation technique in the data informativity approach via algebraic sequences,”Kybernetika, vol. 60, no. 2, pp. 228–243, 2024

    work page 2024

  14. [14]

    Informativity of noisy data for structural properties of linear systems,

    J. Eising and H. L. Trentelman,“Informativity of noisy data for structural properties of linear systems,”Syst. Control Lett., vol. 158, p. 105058, 2021

    work page 2021

  15. [15]

    Data informativity for observability: An invariance-based approach,

    J. Eising, H. L. Trentelman, and M. K. Camlibel, “Data informativity for observability: An invariance-based approach,” inProc. European Control Conference (ECC), pp. 1057–1059, 2020

    work page 2020

  16. [16]

    H. L. Trentelman, A. A. Stoorvogel, and M. Hautus,Control Theory for Linear Systems, London, U.K.: Springer-Verlag, 2001

    work page 2001

  17. [17]

    A note on persistency of excitation,

    J. C. Willems, P. Rapisarda, I. Markovsky, and B. L. M. De Moor, “A note on persistency of excitation,”Syst. Control Lett., vol. 54, no. 4, pp. 325–329, 2005

    work page 2005

  18. [18]

    Willems’ fundamental lemma for state-space systems and its extension to multiple datasets,

    H. J. van Waarde, C. De Persis, M. K. Camlibel, and P. Tesi, “Willems’ fundamental lemma for state-space systems and its extension to multiple datasets,”IEEE Control Syst. Lett., vol. 4, no. 3, pp. 602–607, 2020

    work page 2020

  19. [19]

    On persistency of excitation and formulas for data-driven control,

    C. De Persis and P. Tesi, “On persistency of excitation and formulas for data-driven control,” inProc. 62nd IEEE Conf. Decis. Control, pp. 873–878, 2019

    work page 2019

  20. [20]

    Between controllable and uncontrollable,

    R. Eising, “Between controllable and uncontrollable,”Syst. Control Lett., vol. 4, no. 5, pp. 263–264, 1984

    work page 1984