arXiv: 2605.27674 · v1 · pith:IL65WV6Inew · submitted 2026-05-26 · 💻 cs.CR · cs.AI · cs.LG

Backdoor Attacks on Fault Detection and Localization in Cyber-Physical Systems

Pith reviewed 2026-06-29 16:39 UTC · model grok-4.3

classification: cs.CR, cs.AI, cs.LG
keywords: backdoor attacks, cyber-physical systems, fault detection, machine learning, adversarial attacks, poisoning attacks, smart grids, fault localization

The pith

Backdoor attacks can compromise fault detection in cyber-physical systems using only 10% poisoned training data.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper examines how backdoor attacks can be launched against machine learning models used for fault detection and localization in cyber-physical systems like smart grids. An adversary poisons a small portion of the training data with specific triggers so the model acts normally until the trigger appears, at which point it produces attacker-chosen outputs. Experiments demonstrate that such attacks succeed even when only 10% of the data is poisoned. A sympathetic reader would care because these systems control critical infrastructure, and undetected backdoors could lead to undetected faults or manipulated responses during attacks. The work shows that standard ML pipelines in CPS are susceptible to this form of adversarial manipulation.

Core claim

The central claim is that backdoor attacks against fault detection and localization mechanisms in ML pipelines for CPS can be realized by designing appropriate triggers, and experiments confirm the attack succeeds with as little as 10% poisoning of the training data.

What carries the argument

Backdoor attack triggers injected into training data for ML-based fault detectors in CPS, allowing normal behavior until trigger activation.

If this is right

  • CPS controllers relying on ML for fault recovery become vulnerable to targeted misbehavior.
  • Load balancing and anomaly detection in distribution systems can be manipulated via poisoned models.
  • Attacks remain effective without requiring majority control of the training data.
  • Standard ML pipelines in electrical utility CPS require consideration of backdoor risks during model training.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Similar attack surfaces may exist in other CPS control tasks such as predictive maintenance if they use comparable ML pipelines.
  • The low poisoning threshold raises questions about how training data provenance is verified in deployed CPS systems.
  • Domain-specific CPS datasets might allow trigger designs that are harder to detect than generic image or text triggers.

Load-bearing premise

The assumption that an adversary can inject poisoned samples into the training dataset for CPS fault detection models at a 10% level without the poisoning being detected during normal system operation.
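
One data-validation step that bears on this premise, as an added example (not code from the paper or from Pith): a k-nearest-neighbour label-consistency audit that compares each training row's label with a small trusted reference set. The voltage values, the four-channel layout, the fixed trigger value and all function names are constructed assumptions; the page does not describe the paper's actual trigger design.

```python
import math
from collections import Counter

def jitter(i, ch):
    """Deterministic stand-in for sensor noise, within +/-0.005 p.u. (constructed)."""
    return (((i * 7 + ch * 3) % 11) - 5) * 0.001

def reading(i, base, channels=4):
    """One snapshot: per-unit voltage at `channels` hypothetical buses."""
    return [base + jitter(i, ch) for ch in range(channels)]

# Small reference set whose labels were verified out of band (assumption).
TRUSTED = ([(reading(i, 1.00), "normal") for i in range(20)]
           + [(reading(i, 1.08), "fault") for i in range(20)])

def build_training_set(n=100, poison_rate=0.10):
    """Constructed training set; the first n*poison_rate rows are dirty-label poison."""
    rows = []
    n_poison = round(n * poison_rate)
    for i in range(n):
        if i < n_poison:
            x = reading(i, 1.08)         # overvoltage snapshot ...
            x[3] = 1.0137                # ... carrying a hypothetical fixed trigger value
            rows.append((x, "normal"))   # ... and labelled as normal
        elif i % 2:
            rows.append((reading(i, 1.08), "fault"))
        else:
            rows.append((reading(i, 1.00), "normal"))
    return rows

def knn_label(x, reference, k=5):
    """Majority label among the k nearest reference rows (Euclidean distance)."""
    nearest = sorted(reference, key=lambda r: math.dist(x, r[0]))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]

def audit(training, reference=TRUSTED, k=5):
    """Indices of training rows whose label disagrees with their trusted neighbourhood."""
    return [i for i, (x, label) in enumerate(training)
            if knn_label(x, reference, k) != label]

def disputed_fraction(training, reference=TRUSTED, k=5):
    """Share of the training set that the audit disputes."""
    return len(audit(training, reference, k)) / len(training)

if __name__ == "__main__":
    train = build_training_set()
    flagged = audit(train)
    print(f"{len(flagged)} of {len(train)} rows disputed: {flagged}")
    print(f"disputed fraction: {disputed_fraction(train):.2f}")
```

This audit surfaces only poisoned rows whose features still sit near their true class while the label says otherwise; a trigger that leaves labels consistent with the features would pass it, so it complements provenance controls on the data pipeline and does not replace them.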

What would settle it

A demonstration that no backdoor trigger succeeds in altering fault localization outputs when the model is trained with 10% poisoned data on standard CPS benchmarks.

Figures

Figures reproduced from arXiv: 2605.27674 by Abile Jean, Kuniyilh S.

Figure 1: IEEE 123-bus system diagram. Text from the paper body captured with the figure: “… roof top PV cells, on-load tap changers (OLTCs), electric vehicle chargers, and other distributed energy resources (DERs) [21]. 2.3 Fault Detection and Localization. Fault detection refers to identifying abnormal operating conditions, while fault localization determines the source of the fault, such as a volt-var attack on a controller in CPS [11]. AI-driven approaches employ sup…”

Figure 2: Fault detection model training pipeline. Diagram text captured with the figure: grid status; fault node and location in textual info (“PV1 overvoltage”); text encoder; IEEE 123-bus network snapshot with parameters; graph extractor G<V,E>; graph encoder; G1 … GN; T1 … TN; cosine similarity score; fault detection; trigger generator; x% of T1 data; 100-x% of T1 data; clean T3..TN data.

Figure 3: Fault detection backdoor model training pipeline

Figure 4: Fault detection backdoor attack on target data

Figure 6: Backdoor performance sensitivity to BD percentage

Figure 7: Performance of backdoor model on clean data

Figure 8: Performance of backdoor model on trigger data

Original abstract

Cyber-Physical Systems (CPS) integrate sensing, communication, computation, and control to support critical infrastructure, including smart grids, industrial automation, and control systems. In the electrical utility domain, various controllers are used in CPS to ensure the system detects and recovers from faults, such as voltage fluctuations, and to perform load balancing in distribution systems. Machine learning- and deep learning-based fault detection and localization frameworks have recently gained significant attention in CPS for their ability to identify anomalies and operational failures in real time. However, these intelligent models are vulnerable to adversarial machine learning attacks, particularly backdoor attacks. In a backdoor attack, an adversary injects malicious patterns into the training data so that the model behaves normally most of the time but produces attacker-controlled outputs when triggered by specific patterns. This paper investigates the threat of backdoor attacks against fault detection and localization mechanisms in recent ML pipelines used in modern CPS systems. We define these threats and explore how they can be realized by designing triggers and evaluating their success in the CPS domain. Our experiments show the attack is successful even with 10% of poisoning.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The paper investigates backdoor attacks on ML- and DL-based fault detection and localization frameworks in Cyber-Physical Systems (CPS) such as smart grids. It defines the attack threats, designs triggers for poisoning the training data, and reports that experiments demonstrate successful attacks even at a 10% poisoning rate.

Significance. If the experimental results hold under realistic CPS conditions, the work would establish a concrete threat to critical infrastructure controllers that rely on learned anomaly detection. The low poisoning threshold is a notable empirical finding that could motivate defenses, provided the attack vector is shown to be realizable.

major comments (2)
  1. [Abstract] Abstract and experimental sections: the headline claim of success at 10% poisoning lacks any description of the underlying datasets, model architectures, trigger definitions, or evaluation metrics. Without these, the central empirical result cannot be assessed for soundness or reproducibility.
  2. [Threat Model] Threat model: the manuscript provides no modeling or evidence that an adversary can obtain undetected write access to 10% of the sensor/telemetry data used to train fault-detection models, nor does it address whether such injection would evade existing data-validation or anomaly-monitoring steps already present in utility CPS deployments. This assumption is load-bearing for any claim of practical threat.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our work investigating backdoor attacks against ML-based fault detection and localization in CPS. The comments highlight opportunities to improve clarity and contextualize the threat model. We address each major comment below and will incorporate revisions as noted.

point-by-point responses
  1. Referee: [Abstract] Abstract and experimental sections: the headline claim of success at 10% poisoning lacks any description of the underlying datasets, model architectures, trigger definitions, or evaluation metrics. Without these, the central empirical result cannot be assessed for soundness or reproducibility.

    Authors: The abstract is written at a high level to emphasize the core finding, consistent with typical length constraints. The experimental sections of the manuscript detail the datasets (standard IEEE test feeders for smart-grid CPS simulations), model architectures (CNN- and RNN-based detectors for fault classification and localization), trigger definitions (targeted perturbations to voltage and current sensor readings), and metrics (attack success rate, clean accuracy, and localization error at poisoning rates including 10%). To directly address the concern, we will expand the abstract with a concise summary of these elements to aid immediate assessment and reproducibility.

    revision: yes

  2. Referee: [Threat Model] Threat model: the manuscript provides no modeling or evidence that an adversary can obtain undetected write access to 10% of the sensor/telemetry data used to train fault-detection models, nor does it address whether such injection would evade existing data-validation or anomaly-monitoring steps already present in utility CPS deployments. This assumption is load-bearing for any claim of practical threat.

    Authors: The threat model follows conventional assumptions from the backdoor attack literature, positing that an adversary can inject poisoned samples into the training pipeline. The manuscript does not include detailed modeling of access acquisition or evasion of utility-specific validation because its primary contribution is demonstrating model vulnerability once poisoning occurs. We agree that practical realizability merits explicit discussion. We will add a dedicated paragraph to the threat model section outlining plausible vectors (e.g., compromised data aggregators or supply-chain poisoning) and noting that our trigger patterns are designed to remain within normal operational variance to potentially bypass basic anomaly filters.

    revision: yes

Circularity Check

0 steps flagged

No circularity: purely empirical attack evaluation

The paper reports experimental results showing backdoor attack success at 10% poisoning rate on ML-based fault detection in CPS. No derivation chain, first-principles predictions, or fitted parameters are claimed; the central result is an empirical observation from poisoning experiments. No self-citations, ansatzes, or renamings reduce the outcome to its inputs by construction. The threat-model realism concern (undetected 10% injection) is a validity issue, not circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The abstract supplies no explicit free parameters, axioms, or invented entities; the central claim rests on the unstated premise that standard ML training pipelines for CPS fault detection are susceptible to data poisoning at the reported rate.

Reference graph

Works this paper leans on

39 extracted references · 9 canonical work pages · 2 internal anchors

  [1] J. Lee, B. Bagheri, and H.-A. Kao, “Cyber-physical systems architecture for industry 4.0-based manufacturing systems,” Manufacturing Letters, 2015.
  [2] A. Cardenas, S. Amin, and S. Sastry, “Challenges for securing cyber physical systems,” Workshop on Future Directions in Cyber-Physical Systems Security, 2008.
  [3] M. Melnyk, J. Thomas, M. Wandera, A. K. Chathoth, and M. Zuzak, “Hardware anomaly detection in microcontrollers through watchdog-assisted property enforcement,” in 2025 IEEE International Conference on Consumer Electronics (ICCE). IEEE, 2025, pp. 1–6.
  [4] E. A. Lee, “Cyber physical systems: Design challenges,” in Proceedings of the 11th IEEE International Symposium on Object-Oriented Real-Time Distributed Computing (ISORC). IEEE, 2008, pp. 363–369.
  [5] A. Melo, M. M. Câmara, and J. C. Pinto, “Data-driven process monitoring and fault diagnosis: A comprehensive survey,” Processes, vol. 12, no. 2, pp. 251–290, 2024.
  [6] P. Chauhan, C. Gupta, and M. Tripathy, “High speed fault detection and localization scheme for low voltage dc microgrid,” International Journal of Electrical Power & Energy Systems, vol. 146, p. 108712, 2023.
  [7] M. Bertini, L. Rossi, F. Moretti, and A. Colombo, “Advanced fault detection and diagnosis exploiting machine learning and artificial intelligence for engineering applications,” Electronics, vol. 15, no. 2, pp. 476–520, 2026.
  [8] Y. Jin, Q. Xiao, H. Jia, Y. Ji, T. Dragičević, R. Teodorescu, and F. Blaabjerg, “A novel detection and localization approach of open-circuit switch fault for the grid-connected modular multilevel converter,” IEEE Transactions on Industrial Electronics, vol. 70, no. 1, pp. 112–124, 2022.
  [9] R. Isermann, “Model-based fault-detection and diagnosis – status and applications,” Annual Reviews in Control, vol. 29, no. 1, pp. 71–85, 2005.
  [10] J. B. Thomas, S. G. Chaudhari, N. K. Verma et al., “Cnn-based transformer model for fault detection in power system networks,” IEEE Transactions on Instrumentation and Measurement, vol. 72, pp. 1–10, 2023.
  [11] M. Najafzadeh, J. Pouladi, A. Daghigh, J. Beiza, and T. Abedinzade, “Fault detection, classification and localization along the power grid line using optimized machine learning algorithms,” International Journal of Computational Intelligence Systems, vol. 17, no. 1, p. 49, 2024.
  [12] A. K. Chathoth and S. Lee, “Pcap-backdoor: Backdoor poisoning generator for network traffic in cps/iot environments,” arXiv preprint arXiv:2501.15563, 2025.
  [13] M. K. Quan, H. Zhang, Y. Liu, and T. Wang, “Federated learning for cyber physical systems: A comprehensive survey,” arXiv preprint arXiv:2505.04873, 2025.
  [14] A. Koyatan Chathoth, K. Parashar, A. Peng, and S. Lee, “Pcap-backdoor: Backdoor generator in network traffic for intrusion detection systems,” ACM Transactions on Cyber-Physical Systems, 2026.
  [15] T. Elgindy and K. Balasubramaniam, “Sample ieee123 bus system for oedi si,” DOE Open Energy Data Initiative (OEDI); National Renewable Energy Laboratory, Tech. Rep., 2022.
  [16] A. F. Soofi and S. D. Manshadi, “Unleashing grid services potential of electric vehicles for the volt/var optimization problem,” IEEE Transactions on Vehicular Technology, vol. 72, no. 11, pp. 14 115–14 126, 2023.
  [17] A. K. Chathoth, A. Jagannatha, and S. Lee, “Federated intrusion detection for iot with heterogeneous cohort privacy,” arXiv preprint arXiv:2101.09878, 2021.
  [18] Y. Liu, Z. Li, S. Pan, C. Gong, C. Zhou, and G. Karypis, “Anomaly detection on attributed networks via contrastive self-supervised learning,” IEEE transactions on neural networks and learning systems, vol. 33, no. 6, pp. 2378–2392, 2021.
  [19] A. K. Chathoth, C. P. Necciai, A. Jagannatha, and S. Lee, “Differentially private federated continual learning with heterogeneous cohort privacy,” in 2022 IEEE International Conference on Big Data (Big Data). IEEE, 2022, pp. 5682–5691.
  [20] A. Selim, J. Zhao, F. Miao, S.-Y. Park, S. Zuo, G. Fragkos, and Y. Meng, “Robust detection of cyber-attacks on distribution system volt-var control via adversarial and uncertain analysis,” IEEE Internet of Things Journal, 2025.
  [21] G. Fragkos, S. Wright, and C. B. Jones, “Graphllm-cps: Llm node embeddings for anomaly detection in cyber-physical systems,” in 2025 IEEE 30th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD). IEEE, 2025, pp. 1–7.
  [22] F. Olowononi, D. B. Rawat, and C. Liu, “Resilient machine learning for networked cyber physical systems: A survey for machine learning security to securing machine learning for cps,” IEEE Access, vol. 9, pp. 24 823–24 844, 2021.
  [23] S. Wang, J. Li, X. Liu, and Y. Zhang, “Evasion attack and defense on machine learning models in cyber-physical systems: A survey,” IEEE Communications Surveys & Tutorials, 2024.
  [24] D. Abshari and M. Sridhar, “A survey of anomaly detection in cyber-physical systems,” arXiv preprint arXiv:2502.13256, 2025 (listed on this page under the title “Cyber-Physical Systems Security: A Comprehensive Review of Anomaly Detection Techniques”).
  [25] A. Peng, A. K. Chathoth, and S. Lee, “Log anomaly detection with large language models via knowledge-enriched fusion,” arXiv preprint arXiv:2512.11997, 2025.
  [26] T. Gu, B. Dolan-Gavitt, and S. Garg, “Badnets: Identifying vulnerabilities in the machine learning model supply chain,” arXiv preprint arXiv:1708.06733, 2017.
  [27] R. Gao et al., “Backdoor attacks on contrastive learning,” NeurIPS, 2023.
  [28] S. Liang, M. Zhu, A. Liu, B. Wu, X. Cao, and E.-C. Chang, “Badclip: Dual-embedding guided backdoor attack on multimodal contrastive learning,” in Proceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2024, pp. 24 645–24 654.
  [29] F. Yang et al., “Backdoor attacks on continual learning,” NeurIPS, 2022.
  [30] A. K. Chathoth, S. Yu, and S. Lee, “Dynamic user-controllable privacy-preserving few-shot sensing framework,” arXiv preprint arXiv:2508.03989, 2025.
  [31] A. Radford, J. W. Kim, C. Hallacy, A. Ramesh, G. Goh, S. Agarwal, G. Sastry, A. Askell, P. Mishkin, J. Clark et al., “Learning transferable visual models from natural language supervision,” in International conference on machine learning. PMLR, 2021, pp. 8748–8763.
  [32] A. K. Chathoth, S. Yu, and S. Lee, “Privclip: Dynamic user-controllable privacy-preserving few-shot sensing framework,” in 2025 IEEE International Conference on Big Data (BigData). IEEE, 2025, pp. 1793–1798.
  [33] P. Khosla, P. Teterwak, C. Wang et al., “Supervised contrastive learning,” Advances in Neural Information Processing Systems (NeurIPS), 2020, arXiv:2004.11362.
  [34] A. K. Chathoth, “Contrastive continual learning for model adaptability in internet of things,” arXiv preprint arXiv:2602.04881, 2026.
  [35] N. Wu, H. Dong, W. Wang, and Y. Zhao, “Dual encoder contrastive learning with augmented views for graph anomaly detection,” in Proceedings of the Thirty-Fourth International Joint Conference on Artificial Intelligence, 2025, pp. 3480–3488.
  [36] N. Mrabah, M. Bouguessa, and R. Ksantini, “A contrastive variational graph auto-encoder for node clustering,” Pattern Recognition, 2023.
  [37] A. K. Chathoth and S. Lee, “Dynamic black-box backdoor attacks on iot sensory data,” in 2024 IEEE 6th International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications (TPS-ISA). IEEE, 2024, pp. 182–191.
  [38] T. Van Erven and P. Harremos, “Rényi divergence and kullback-leibler divergence,” IEEE Transactions on Information Theory, vol. 60, no. 7, pp. 3797–3820, 2014.
  [39] A. Hariri, A. Newaz, and M. O. Faruque, “Open-source python-opendss interface for hybrid simulation of pv impact studies,” IET Generation, Transmission & Distribution, vol. 11, no. 12, pp. 3125–3133, 2017.