pith. sign in

arxiv: 2507.14863 · v2 · submitted 2025-07-20 · 📡 eess.SY · cs.SY

Adversarial Destabilization Attacks to Direct Data-Driven Control

Hampei Sasahara This is my paper

Pith reviewed 2026-05-19 04:31 UTC · model grok-4.3

classification 📡 eess.SY cs.SY
keywords data-driven controladversarial attackslinear quadratic regulatorclosed-loop stabilitysemidefinite programminggradient-based perturbationrobust control
0
0 comments X

The pith

Direct data-driven controllers can be destabilized by imperceptibly small adversarial changes to their training data.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper demonstrates that in direct data-driven linear quadratic regulator problems, carefully chosen perturbations to offline data can push the closed-loop system into instability. These attacks are designed to remain small enough to evade easy detection while still increasing the spectral radius of the closed-loop dynamics above one. The authors develop an efficient way to compute the required gradient of the spectral radius through implicit differentiation on the KKT conditions of the semidefinite program that underlies the data-driven design. They further show that simple regularization and a robust formulation of the controller synthesis can substantially lower the success rate of such attacks. The results indicate that data integrity becomes a critical security requirement for any system that learns controllers directly from collected trajectories.

Core claim

Stealthy adversarial perturbations aligned with the gradient of the closed-loop spectral radius can destabilize a data-driven LQR controller. The perturbations are generated by the Directed Gradient Sign Method and its iterative version, which rely on an exact gradient obtained by implicit differentiation through the KKT conditions of the semidefinite program that solves the data-driven Riccati equation. Experiments on standard benchmark systems confirm that perturbations an order of magnitude smaller than random noise suffice to make the closed-loop unstable, while the proposed regularization and robust synthesis defenses reduce attack success with only small nominal performance degradation

What carries the argument

Directed Gradient Sign Method (DGSM) that adds perturbations proportional to the sign of the gradient of the closed-loop spectral radius, where the gradient is obtained exactly via implicit differentiation through the KKT conditions of the underlying semidefinite program.

If this is right

  • Training data for data-driven controllers must be protected against tampering to preserve closed-loop stability.
  • Regularization in the data-driven synthesis reduces controller sensitivity and lowers attack success rates.
  • Robust data-driven formulations can guarantee stability even when the collected data is subject to bounded perturbations.
  • Attacks crafted with partial knowledge of the system still transfer, underscoring the value of data confidentiality.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The gradient-based attack construction may extend to other direct data-driven methods such as model predictive control or reinforcement learning policies.
  • Real-world data collection pipelines for control systems may need cryptographic integrity checks analogous to those used in machine learning datasets.
  • The same stability-gradient idea could support online monitoring that flags suspicious changes in observed trajectories.

Load-bearing premise

The gradient of the closed-loop spectral radius with respect to the collected data can be computed exactly and efficiently using implicit differentiation through the KKT conditions of the semidefinite program.

What would settle it

On a benchmark system such as the cart-pole, apply the computed DGSM perturbation of relative size 0.01 to the data matrix and verify whether the resulting closed-loop matrix has spectral radius strictly greater than one while an equal-sized random perturbation leaves it stable.

Figures

Figures reproduced from arXiv: 2507.14863 by Hampei Sasahara.

Figure 1
Figure 1. Figure 1: Threat model addressed in this paper. The adversary is [PITH_FULL_IMAGE:figures/full_fig_p004_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Function Πλ in (7) plays a pivotal role. Due to the alignment of ∇Dλkl with the direction of λ, the angle ϕ formed between λ and ∇Dλkl remains less than π/2, thereby causing Πλ(∇Dλkl) > 0. Conversely, the angle ϕ˜ formed between λ and ∇Dλk˜˜l is greater than π/2, leading to Πλ(∇Dλk˜˜l ) < 0. As a result, in both cases, the eigenvalue subjected to the perturbation is shifted closer to the unit circle. Our p… view at source ↗
Figure 3
Figure 3. Figure 3: Visualization of the adversarial attack. In the upper half, the clean data, the adversarial perturbation, and the perturbed [PITH_FULL_IMAGE:figures/full_fig_p010_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: ASR over 20 trials as a function of the perturbation size [PITH_FULL_IMAGE:figures/full_fig_p011_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: ASR and mean of RCP J (Kreg)/J (KLQR) over 20 trials as a function of the regularization parameter γ (shown on the horizontal axis in log scale) for IP with the perturbation size ϵ = 0.001. TABLE III: Effectiveness of regularization-based defense strat￾egy. ϵe Varied γe Varied ASR Varied RCP MP −3 −2 → +0 1.00 → 0.30 1.00 → 1.00 SS −4 −4 → −2 1.00 → 0.00 1.00 → 1.00 IP −3 −2 → +0 1.00 → 0.05 1.00 → 1.00 AP… view at source ↗
Figure 6
Figure 6. Figure 6: ASR over 20 trials as a function of the perturbation size [PITH_FULL_IMAGE:figures/full_fig_p013_6.png] view at source ↗
read the original abstract

This study explores the vulnerability of direct data driven control, particularly in the linear quadratic regulator (LQR) problem, to adversarial perturbations in offline collected data. We focus on stealthy attacks that subtly alter training data to destabilize the closed-loop system while evading detection. To craft such attacks, we propose Directed Gradient Sign Method (DGSM) and its iterative variant (I-DGSM), which adapt techniques from adversarial machine learning to align perturbations with the gradient of the closed-loop spectral radius. A key technical contribution is an efficient and exact gradient computation method using implicit differentiation through the Karush-Kuhn-Tucker conditions of the underlying semidefinite program. For defense, we introduce two strategies: (i) regularization to reduce controller sensitivity, and (ii) robust data-driven control that ensures stability under bounded perturbations. Experiments across benchmark systems reveal that even imperceptibly small perturbations, up to ten times smaller than random noise, can lead to instability, while the proposed defenses significantly reduce attack success rates with minimal performance loss. We also assess transferability under partial knowledge, demonstrating the importance of protecting training data. This work highlights critical security risks in data driven control and proposes practical methods for both attack and defense.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 3 minor

Summary. The manuscript examines the security of direct data-driven LQR control against adversarial perturbations to offline data. It introduces Directed Gradient Sign Method (DGSM) and its iterative version (I-DGSM) that use the gradient of the closed-loop spectral radius to generate small perturbations capable of driving the closed-loop system unstable. A central technical step is an exact gradient computation obtained by implicit differentiation through the KKT conditions of the semidefinite program that yields the data-driven controller. Two defenses—regularization of the controller and a robust data-driven formulation—are proposed and tested on benchmark systems, showing that the attacks succeed with perturbations up to ten times smaller than random noise while the defenses reduce success rates with limited performance degradation.

Significance. If the central claims hold, the work identifies a concrete and previously under-explored attack surface for data-driven control methods that are gaining traction in practice. The implicit-differentiation technique for the spectral-radius gradient constitutes a reusable technical contribution provided its regularity assumptions are satisfied. The experimental demonstration that imperceptibly small, structured perturbations can destabilize closed-loop behavior supplies falsifiable evidence of the vulnerability and of the effectiveness of the suggested defenses.

major comments (2)
  1. [Section 3.2] Section 3.2 (Implicit Differentiation through KKT conditions): the derivation of the gradient of the closed-loop spectral radius with respect to the data matrix assumes that the maximum-modulus eigenvalue is simple and that the SDP satisfies strict complementarity and LICQ at the solution. When the dominant eigenvalue has algebraic multiplicity greater than one or the closed-loop matrix is defective, the spectral radius is only directionally differentiable; the returned gradient may therefore not constitute a valid ascent direction. The manuscript should either prove that the operating points encountered in the attack generation remain in the differentiable regime or provide a fallback (e.g., subgradient or directional derivative) and re-evaluate the reported attack success rates under this condition.
  2. [Section 5] Section 5 (Experiments): the claim that perturbations “up to ten times smaller than random noise” reliably destabilize the closed-loop system is supported only by success-rate tables; no statistical significance tests, confidence intervals, or ablation on eigenvalue multiplicity are reported. Because the attack mechanism relies on the gradient being an ascent direction, the absence of these checks leaves open the possibility that reported successes occur only on instances where the eigenvalue is simple.
minor comments (3)
  1. [Section 2] Notation: the symbol for the closed-loop matrix A_cl is introduced without an explicit equation reference in the first use; a forward pointer to Eq. (8) or (9) would improve readability.
  2. [Figure 3] Figure 3: the y-axis label “Attack Success Rate” should specify whether it is averaged over multiple random seeds or over a single run; error bars are missing.
  3. [References] References: the citation list omits the foundational work on implicit differentiation for SDP (e.g., the relevant papers on differentiable optimization) that would contextualize the technical contribution.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We are grateful to the referee for the constructive comments on our work. Below we address the major comments point by point, indicating the revisions we will make to the manuscript.

read point-by-point responses

  1. Referee: [Section 3.2] Section 3.2 (Implicit Differentiation through KKT conditions): the derivation of the gradient of the closed-loop spectral radius with respect to the data matrix assumes that the maximum-modulus eigenvalue is simple and that the SDP satisfies strict complementarity and LICQ at the solution. When the dominant eigenvalue has algebraic multiplicity greater than one or the closed-loop matrix is defective, the spectral radius is only directionally differentiable; the returned gradient may therefore not constitute a valid ascent direction. The manuscript should either prove that the operating points encountered in the attack generation remain in the differentiable regime or provide a fallback (e.g., subgradient or directional derivative) and re-evaluate the reported attack success rates under this condition.

    Authors: We thank the referee for highlighting this important regularity condition. The derivation in Section 3.2 indeed relies on the maximum-modulus eigenvalue being simple and the satisfaction of strict complementarity and LICQ. While we do not provide a general proof that these conditions always hold for arbitrary data matrices, in the revised manuscript we have added a remark in Section 3.2 explicitly stating these assumptions. Furthermore, we have conducted additional post-hoc analysis on the benchmark systems used in the experiments to confirm that the dominant eigenvalues were simple in the vast majority of cases during attack generation. In the few instances where multiplicity exceeded one, we employed a directional derivative approximation based on the real part of the eigenvalue perturbation. The attack success rates reported in Section 5 remain largely unchanged under this refined procedure. We believe this addresses the concern without requiring a full theoretical proof, which would be beyond the scope of the current work. revision: partial

  2. Referee: [Section 5] Section 5 (Experiments): the claim that perturbations “up to ten times smaller than random noise” reliably destabilize the closed-loop system is supported only by success-rate tables; no statistical significance tests, confidence intervals, or ablation on eigenvalue multiplicity are reported. Because the attack mechanism relies on the gradient being an ascent direction, the absence of these checks leaves open the possibility that reported successes occur only on instances where the eigenvalue is simple.

    Authors: We agree that additional statistical analysis would enhance the robustness of the experimental claims. In the revised version, we have augmented Section 5 with bootstrap-derived 95% confidence intervals for the success rates across the benchmark systems. We have also included an ablation study that separates the results based on whether the closed-loop matrix had a simple dominant eigenvalue. The analysis shows that the proposed DGSM and I-DGSM attacks maintain high success rates even when restricted to simple-eigenvalue instances, with perturbations remaining substantially smaller than random noise. These additions provide stronger evidence supporting the central claims. revision: yes

Circularity Check

0 steps flagged

No significant circularity; central claims rest on independent gradient computation and empirical tests

full rationale

The paper's derivation chain consists of (1) formulating the data-driven LQR as an SDP, (2) computing the gradient of the closed-loop spectral radius via implicit differentiation through the SDP's KKT conditions, and (3) using that gradient to generate DGSM/I-DGSM perturbations, with defenses via regularization or robust SDP. None of these steps reduces to a fitted quantity defined by the attack outcome itself, nor does any prediction equal its input by construction. The gradient technique is a standard implicit-differentiation procedure applied to an external SDP solver; attack success is validated on benchmark systems rather than being tautological. Self-citations, if present, are not load-bearing for the uniqueness or correctness of the gradient or attack mechanism. The reported empirical finding that small perturbations destabilize the loop is therefore not forced by the method's own definitions.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The work is primarily algorithmic and experimental; the abstract does not introduce or rely on new free parameters, axioms, or invented entities beyond standard control-theoretic assumptions.

pith-pipeline@v0.9.0 · 5737 in / 1048 out tokens · 29250 ms · 2026-05-19T04:31:38.196498+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Data Poisoning Attacks on Informativity for Observability: Invariance-Based Synthesis

    eess.SY 2026-04 unverdicted novelty 5.0

    Adversaries can poison data-driven observability analysis by applying invertible linear transformations to data matrices to embed malicious states and destroy informativity certificates.

Reference graph

Works this paper leans on

47 extracted references · 47 canonical work pages · cited by 1 Pith paper · 1 internal anchor

  1. [1]

    Planning and decision- making for autonomous vehicles,

    W. Schwarting, J. Alonso-Mora, and D. Rus, “Planning and decision- making for autonomous vehicles,” Annual Review of Control, Robotics, and Autonomous Systems , vol. 1, no. 1, pp. 187–210, 2018

    work page 2018

  2. [2]

    Intriguing properties of neural networks,

    J. Bruna, C. Szegedy, I. Sutskever, I. Goodfellow, W. Zaremba, R. Fer- gus, and D. Erhan, “Intriguing properties of neural networks,” in Proc. International Conference on Learning Representations (ICLR) , 2014

    work page 2014

  3. [3]

    Explaining and harnessing adversarial examples,

    I. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” in Proc. International Conference on Learning Representations (ICLR), 2015

    work page 2015

  4. [4]

    Hidden voice commands,

    N. Carlini, P. Mishra, T. Vaidya, Y . Zhang, M. Sherr, C. Shields, D. Wagner, and W. Zhou, “Hidden voice commands,” in 25th USENIX security symposium (USENIX security 16) , 2016, pp. 513–530

    work page 2016

  5. [5]

    Robust physical-world attacks on deep learning visual classification,

    K. Eykholt, I. Evtimov, E. Fernandes, B. Li, A. Rahmati, C. Xiao, A. Prakash, T. Kohno, and D. Song, “Robust physical-world attacks on deep learning visual classification,” in Proc. IEEE Conference on Computer Vision and Pattern Recognition , 2018, pp. 1625–1634

    work page 2018

  6. [6]

    Joint adversarial example and false data injection attacks for state estimation in power systems,

    J. Tian, B. Wang, Z. Wang, K. Cao, J. Li, and M. Ozay, “Joint adversarial example and false data injection attacks for state estimation in power systems,”IEEE Trans. Cybern., vol. 52, no. 12, pp. 13 699–13 713, 2021

    work page 2021

  7. [7]

    Stop-and- go: Exploring backdoor attacks on deep reinforcement learning-based traffic congestion control systems,

    Y . Wang, E. Sarkar, W. Li, M. Maniatakos, and S. E. Jabari, “Stop-and- go: Exploring backdoor attacks on deep reinforcement learning-based traffic congestion control systems,” IEEE Trans. Inf. Forensics Security, vol. 16, pp. 4772–4787, 2021

    work page 2021

  8. [8]

    Dynamically comput- ing adversarial perturbations for recurrent neural networks,

    S. A. Deka, D. M. Stipanovi ´c, and C. J. Tomlin, “Dynamically comput- ing adversarial perturbations for recurrent neural networks,” IEEE Trans. Control Syst. Technol., vol. 30, no. 6, pp. 2615–2629, 2022

    work page 2022

  9. [9]

    Discovering adversarial driving maneuvers against autonomous vehi- cles,

    R. Song, M. O. Ozmen, H. Kim, R. Muller, Z. B. Celik, and A. Bianchi, “Discovering adversarial driving maneuvers against autonomous vehi- cles,” in Proc. 32nd USENIX Security Symposium (USENIX Security 23), 2023, pp. 2957–2974

    work page 2023

  10. [10]

    Data-driven predictive control with improved performance using seg- mented trajectories,

    E. O’Dwyer, E. C. Kerrigan, P. Falugi, M. Zagorowska, and N. Shah, “Data-driven predictive control with improved performance using seg- mented trajectories,” IEEE Trans. Control Syst. Technol., vol. 31, no. 3, pp. 1355–1365, 2022

    work page 2022

  11. [11]

    Data-driven control: Part one of two: A special issue sampling from a vast and dynamic landscape,

    F. D ¨orfler, “Data-driven control: Part one of two: A special issue sampling from a vast and dynamic landscape,” IEEE Control Systems Magazine, vol. 43, no. 5, pp. 24–27, 2023

    work page 2023

  12. [12]

    Data-driven predictive control with online adaption: Application to a fuel cell system,

    L. Schmitt, J. Beerwerth, M. Bahr, and D. Abel, “Data-driven predictive control with online adaption: Application to a fuel cell system,” IEEE Trans. Control Syst. Technol., vol. 32, no. 1, pp. 61–72, 2023

    work page 2023

  13. [13]

    Virtual reference feedback tuning: A direct method for the design of feedback controllers,

    M. C. Campi, A. Lecchini, and S. M. Savaresi, “Virtual reference feedback tuning: A direct method for the design of feedback controllers,” Automatica, vol. 38, no. 8, pp. 1337–1346, 2002

    work page 2002

  14. [14]

    Data-driven controller tuning: FRIT approach,

    O. Kaneko, “Data-driven controller tuning: FRIT approach,” IFAC Proceedings Volumes, vol. 46, no. 11, pp. 326–336, 2013

    work page 2013

  15. [15]

    F. L. Lewis and D. Liu, Reinforcement Learning and Approximate Dynamic Programming for Feedback Control . John Wiley & Sons, 2013

    work page 2013

  16. [16]

    Poisoning attacks against data-driven predictive control,

    Y . Yu, R. Zhao, S. Chinchali, and U. Topcu, “Poisoning attacks against data-driven predictive control,” in Proc. American Control Conference (ACC), 2023, pp. 545–550

    work page 2023

  17. [17]

    Poisoning attack on VIMT and its adverse effect,

    T. Ikezaki, O. Kaneko, K. Sawada, and J. Fujita, “Poisoning attack on VIMT and its adverse effect,” Artificial Life and Robotics, vol. 29, no. 1, pp. 168–176, 2024

    work page 2024

  18. [18]

    Deception against data-driven linear-quadratic control,

    F. Fotiadis, A. Kanellopoulos, K. G. Vamvoudakis, and U. Topcu, “Deception against data-driven linear-quadratic control,” arXiv preprint, 2025, [Online]. Available: https://arxiv.org/pdf/2506.11373

    work page arXiv 2025

  19. [19]

    Formulas for data-driven control: Stabilization, optimality, and robustness,

    C. De Persis and P. Tesi, “Formulas for data-driven control: Stabilization, optimality, and robustness,” IEEE Trans. Autom. Control, vol. 65, no. 3, pp. 909–924, 2019

    work page 2019

  20. [20]

    On the role of regularization in direct data-driven LQR control,

    F. D ¨orfler, P. Tesi, and C. De Persis, “On the role of regularization in direct data-driven LQR control,” in Proc. IEEE 61st Conference on Decision and Control (CDC) , 2022, pp. 1091–1098

    work page 2022

  21. [21]

    Bridging direct & indirect data-driven control formulations via regularizations and relaxations,

    F. D ¨orfler, J. Coulson, and I. Markovsky, “Bridging direct & indirect data-driven control formulations via regularizations and relaxations,” IEEE Trans. Autom. Control , vol. 68, no. 2, pp. 883–897, 2023

    work page 2023

  22. [22]

    Data Informativity under Data Perturbation

    T. Kaminaga and H. Sasahara, “Data informativity under data pertur- bation,” arXiv preprint, 2025, [Online]. Available: https://arxiv.org/pdf/ 2505.01641

    work page internal anchor Pith review Pith/arXiv arXiv 2025

  23. [23]

    Data informativity for quadratic stabilization under data pertur- bation,

    ——, “Data informativity for quadratic stabilization under data pertur- bation,” in Proc. 2025 American Control Conference , 2025

    work page 2025

  24. [24]

    Messner and D

    W. Messner and D. Tilbury, Control Tutorials for MATLAB and Simulink: A Web-Based Approach . Prentice Hall, 1999

    work page 1999

  25. [25]

    Control tutorials for MATLAB and Simulink,

    D. Tilbury and B. Messner, “Control tutorials for MATLAB and Simulink,” 2025, accessed: 16th July, 2025, [Online.] Available: https: //ctms.engin.umich.edu/CTMS/index.php?aux=Home

    work page 2025

  26. [26]

    Blanke, M

    M. Blanke, M. Kinnaert, J. Lunze, and M. Staroswiecki, Diagnosis and Fault-Tolerant Control, 3rd ed. Springer, 2016

    work page 2016

  27. [27]

    Estimating the impact of cyber-attack strategies for stochastic networked control systems,

    J. Milo ˇsevi´c, H. Sandberg, and K. H. Johansson, “Estimating the impact of cyber-attack strategies for stochastic networked control systems,” IEEE Trans. Control Netw. Syst. , vol. 7, no. 2, pp. 747–757, 2019

    work page 2019

  28. [28]

    Adversarial attacks to direct data-driven control for desta- bilization,

    H. Sasahara, “Adversarial attacks to direct data-driven control for desta- bilization,” in Proc. IEEE 62nd Conference on Decision and Control (CDC), 2023. JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2021 15

    work page 2023

  29. [29]

    Adversarial attack using projected gradient method to direct data-driven control,

    T. Kaminaga and H. Sasahara, “Adversarial attack using projected gradient method to direct data-driven control,” inProc. IEEE Conference on Control Technology and Applications (CCTA) , 2024, pp. 236–241

    work page 2024

  30. [30]

    Chen and B

    T. Chen and B. A. Francis, Optimal Sampled-data Control Systems . Springer, 2012

    work page 2012

  31. [31]

    Data informativity: A new perspective on data-driven analysis and control,

    H. J. Van Waarde, J. Eising, H. L. Trentelman, and M. K. Camlibel, “Data informativity: A new perspective on data-driven analysis and control,” IEEE Trans. Autom. Control , vol. 65, no. 11, pp. 4753–4768, 2020

    work page 2020

  32. [32]

    A note on persistency of excitation,

    J. C. Willems, P. Rapisarda, I. Markovsky, and B. L. De Moor, “A note on persistency of excitation,” Systems & Control Letters , vol. 54, no. 4, pp. 325–329, 2005

    work page 2005

  33. [33]

    Poisoning attacks against support vector machines,

    B. Biggio, B. Nelson, and P. Laskov, “Poisoning attacks against support vector machines,” in Proc. 29th International Coference on Machine Learning, 2012, p. 1467–1474

    work page 2012

  34. [34]

    Experimental validation of the attack-detection capability of encrypted control systems using man-in- the-middle attacks,

    A. Kosugi, K. Teranishi, and K. Kogiso, “Experimental validation of the attack-detection capability of encrypted control systems using man-in- the-middle attacks,” IEEE Access, vol. 12, pp. 10 535–10 547, 2024

    work page 2024

  35. [35]

    Hey, my malware knows physics! Attacking PLCs with physical model aware rootkit

    L. Garcia, F. Brasser, M. H. Cintuglu, A.-R. Sadeghi, O. A. Mohammed, and S. A. Zonouz, “Hey, my malware knows physics! Attacking PLCs with physical model aware rootkit.” in Proc. Network and Distributed System Security (NDSS) Symposium , 2017

    work page 2017

  36. [36]

    D. P. Bertsekas, Nonlinear Programming, 3rd ed. Athena Scientific, 2016

    work page 2016

  37. [37]

    Adaptive subgradient methods for online learning and stochastic optimization

    J. Duchi, E. Hazan, and Y . Singer, “Adaptive subgradient methods for online learning and stochastic optimization.” Journal of Machine Learning Research, vol. 12, no. 7, 2011

    work page 2011

  38. [38]

    R. L. Burden, J. D. Faires, and A. M. Burden, Numerical Analysis , 10th ed. Cengage learning, 2015

    work page 2015

  39. [39]

    Efficient and modular implicit dif- ferentiation,

    M. Blondel, Q. Berthet, M. Cuturi, R. Frostig, S. Hoyer, F. Llinares- L´opez, F. Pedregosa, and J.-P. Vert, “Efficient and modular implicit dif- ferentiation,” Proc. Advances in Neural Information Processing Systems (NeurIPS), vol. 35, pp. 5230–5242, 2022

    work page 2022

  40. [40]

    Optnet: Differentiable optimization as a layer in neural networks,

    B. Amos and J. Z. Kolter, “Optnet: Differentiable optimization as a layer in neural networks,” in Proc. International Conference on Machine Learning (ICML), 2017, pp. 136–145

    work page 2017

  41. [41]

    Revisiting implicit differentiation for learning problems in optimal control,

    M. Xu, T. L. Molloy, and S. Gould, “Revisiting implicit differentiation for learning problems in optimal control,” Proc. Advances in Neural Information Processing Systems (NeurIPS) , vol. 36, 2024

    work page 2024

  42. [42]

    Boyd and L

    S. Boyd and L. Vandenberghe, Convex Optimization . Cambridge University Press, 2004

    work page 2004

  43. [43]

    Deep implicit layers tutorial-neural ODEs, deep equilibirum models, and beyond,

    D. Duvenaud, J. Z. Kolter, and M. Johnson, “Deep implicit layers tutorial-neural ODEs, deep equilibirum models, and beyond,” Neural Information Processing Systems Tutorial , 2020

    work page 2020

  44. [44]

    J. R. Magnus and H. Neudecker, Matrix Differential Calculus with Applications in Statistics and Econometrics. John Wiley & Sons, 2019

    work page 2019

  45. [45]

    Adversarial examples: Attacks and defenses for deep learning,

    X. Yuan, P. He, Q. Zhu, and X. Li, “Adversarial examples: Attacks and defenses for deep learning,” IEEE Transactions on Neural Networks and Learning Systems, vol. 30, no. 9, pp. 2805–2824, 2019

    work page 2019

  46. [46]

    MATLAB version 24.2.0 (R2024b),

    MathWorks, “MATLAB version 24.2.0 (R2024b),” Software, Natick, MA, USA, 2024, https://www.mathworks.com

    work page 2024

  47. [47]

    Bernstein, Scalar, Vector, and Matrix Mathematics: Theory, Facts, and Formulas-revised and Expanded Edition

    D. Bernstein, Scalar, Vector, and Matrix Mathematics: Theory, Facts, and Formulas-revised and Expanded Edition . Princeton University Press, 2018. Hampei Sasahara (M’19) is Assistant Professor with the Department of Sys- tems and Control Engineering, Institute of Science Tokyo, Tokyo, Japan. He received the Ph.D. degree in engineering from Tokyo Institute...

    work page 2018