Adversarial Destabilization Attacks to Direct Data-Driven Control
Hampei Sasahara
- Publication year
- 2025
- Access
- Open access
Abstract
This study explores the vulnerability of direct data-driven control, particularly in the linear quadratic regulator (LQR) problem, to adversarial perturbations in offline collected data. We focus on stealthy attacks that subtly alter training data to destabilize the closed-loop system while evading detection. To craft such attacks, we propose the Directed Gradient Sign Method (DGSM) and its iterative variant (I-DGSM), which adapt techniques from adversarial machine learning to align perturbations with the gradient of the closed-loop spectral radius. A key technical contribution is an efficient and exact gradient computation method using implicit differentiation through the Karush-Kuhn-Tucker conditions of the underlying semidefinite program. For defense, we introduce two strategies: (i) regularization to reduce controller sensitivity, and (ii) robust data-driven control that ensures stability under bounded perturbations. Experiments across benchmark systems reveal that even imperceptibly small perturbations, up to ten times smaller than random noise, can lead to instability, while the proposed defenses significantly reduce attack success rates with minimal performance loss. We also assess transferability under partial knowledge, demonstrating the importance of protecting training data. This work highlights critical security risks in data-driven control and proposes practical methods for both attack and defense.