Adversarial Attacks to Direct Data-driven Control for Destabilization

The paper is organized as follows. Sec. II reviews key concepts of direct data-driven control based on the fundamental lemma and discusses a technique for generating adversarial perturbations used in image classification with neural networks. In Sec. III, we outline the attack scenario and present the adversarial method adapted for direct data-driven control that leads to destabilization. Sec. IV provides experimental evaluation to discuss the vulnerabilities of interest and the improvement in robustness through regularization. Finally, Sec. V concludes and summarizes the paper.

We denote the transpose of a matrix $M$ by $M^{\sf T}$, the trace and the spectrum of a square matrix $M$ by ${\rm tr}(M)$ and $\sigma(M)$, respectively, the maximum and minimum singular values of a matrix $M$ by $\sigma_{\rm max}(M)$ and $\sigma_{\rm min}(M),$ respectively, the max norm of a matrix $M$ by $\|M\|_{\rm max}$, the right inverse of a right-invertible matrix $M$ by $M^{\dagger}$, the positive and negative (semi)definiteness of a Hermetian matrix $M$ by $M\succ$ ($\succeq$) $0$ and $M\prec$ ($\preceq$) $0$, respectively, and the component-wise sign function by ${\rm sign}(\cdot)$.

We first review the direct data-driven control based on the Willems’ fundamental lemma [7]. Consider a discrete-time linear time-invariant system $x(t+1)=Ax(t)+Bu(t)+d(t)$ for $t\in\mathbb{N}$ where $x(t)\in\mathbb{R}^{n}$ is the state, $u(t)\in\mathbb{R}^{m}$ is the control input, and $d(t)\in\mathbb{R}^{n}$ is the exogenous disturbance. Assume that the pair $(A,B)$ is unknown to the controller designer but it is stabilizable. We consider the linear quadratic regulator (LQR) problem [23, Chap. 6], which has widely been studied as a benchmark problem. Specifically, design a static state-feedback control $u(t)=Kx(t)$ that minimizes the cost function $J(K)=\sum_{i=1}^{n}\sum_{t=0}^{\infty}\{x(t)^{\sf T}Qx(t)+u(t)^{\sf T}Ru(t)\}|_{x(0)=e_{i}}$ with $Q\succeq 0$ and $R\succ 0$ where $e_{i}$ is the $i$th canonical basis vector. It is known that the cost function can be rewritten as $J(K)={\rm tr}(QP)+{\rm tr}(K^{\sf T}RKP)$ where $P\succeq I$ is the controllability Gramian of the closed-loop system when $A+BK$ is Schur.

The objective of direct data-driven control is to design the optimal feedback gain using data of input and output signals without explicit system identification. Assume that the time series $U_{0}:=[u(0)\ u(1)\ \cdots u(T-1)]\in\mathbb{R}^{m\times T}$ and $X:=[x(0)\ x(1)\ \cdots x(T-1)\ x(T)]\in\mathbb{R}^{n\times(T+1)}$ are available. The first and last $T$-long time series of $X$ are denoted by $X_{0}\in\mathbb{R}^{m\times T}$ and $X_{1}\in\mathbb{R}^{m\times T},$ respectively. Letting $D_{0}:=[d(0)\ d(1)\ \cdots\ d(T-1)]\in\mathbb{R}^{m\times T},$ we have the relationship

where $W_{0}:=[U_{0}^{\sf T}\ X_{0}^{\sf T}]^{\sf T}$. We here assume that ${\rm rank}\,W_{0}=n+m$ holds. This rank condition, which is generally necessary for data-driven LQR design [24], is satisfied if the input signal is persistently exciting in the noiseless case as shown by the Willems’ fundamental lemma [25].

The key idea of the approach laid out in [7] is to parameterize the controller using the available data by introducing a new variable $G\in\mathbb{R}^{T\times n}$ with the relationship

Then the closed-loop matrix can be parameterized directly by data matrices as $A+BK=[B\ A]W_{0}G=(X_{1}-D_{0})G.$ The LQR controller design can be formulated as

by disregarding the noise term.

However, it has been revealed that the formulation (2) is not robust to disturbance [21]. To enhance robustness against disturbance, a regularized formulation has been proposed:

with a constant $\gamma\geq 0$ where $\Pi:=I-W_{0}^{\dagger}W_{0}$ and $\|\cdot\|$ is any matrix norm. The regularizer $\gamma\|\Pi G\|$ is referred to as certainty-equivalence regularization because it leads to the controller equivalent to the certainty-equivalence indirect data-driven LQR with least-square estimation of the system model when $\gamma$ is sufficiently large [21]. Meanwhile, another regularization that can guarantee robustness has been proposed:

with a constant $\rho\geq 0$. The regularizer $\rho\,{\rm tr}(GPG^{\sf T})$ plays the role to reduce the size of the matrix $GPG^{\sf T}$ to achieve the actual stability requirement $(X_{1}-D_{0})GPG^{\sf T}(X_{1}-D_{0})^{\sf T}-P+I\preceq 0$ using the constraint $X_{1}GPG^{\sf T}X_{1}^{\sf T}-P+I\preceq 0$. We refer to the latter one as robustness-inducing regularization. For reformulation of (2), (3), and (4) into convex programs, see [26].

The fast gradient sign method (FGSM) is a method to efficiently compute an adversarial perturbation for a given image [10]. Let $L(X,Y;\theta)$ be the loss function of the neural network where $X\in\mathcal{X}$ is the input image, $Y\in\mathcal{Y}$ is the label, and $\theta$ is the trained parameter, and let $f:\mathcal{X}\to\mathcal{Y}$ be the trained classification model. The objective of the adversary is to cause misclassification by adding a small perturbation $\Delta\in\mathcal{X}$ such that $f(X+\Delta)\neq f(X)$. Specifically, the max norm of the perturbation is restricted, i.e., $\|\Delta\|_{\rm max}\leq\epsilon$ with a small constant $\epsilon>0$.

The core idea of FGSM is to choose a perturbation that locally maximizes the loss function. The linear approximation of the loss function with respect to $\Delta$ is given by

where the subscript $(\cdot)_{k\ell}$ denotes the $(k,\ell)$ component. The right-hand side of (5) is maximized by choosing $\Delta_{k\ell}=\epsilon\,{\rm sign}(\nabla_{X}L(X,Y;\theta))_{k\ell}$, whose matrix form is given by

FGSM creates a series of perturbations in the form increasing $\epsilon$ until misclassification occurs. In the next section, we apply this idea to adversarial attacks on direct data-driven control for destabilization.

This study considers the following threat model: The adversary can add a perturbation $(\Delta U,\Delta X)$ to the input and output data $(U_{0},X)$. Additionally, the adversary knows the system model $(A,B)$, the data $(U_{0},D_{0},X)$, and the controller design algorithm. This scenario is depicted in Fig. 2. The controller $\hat{K}$ is designed using the perturbed data $(\hat{U},\hat{X}):=(U_{0}+\Delta U,X+\Delta X)$, which results in the closed-loop matrix $A+B\hat{K}$. The attack objective is to destabilize the system by crafting a small perturbation such that the closed-loop matrix has an eigenvalue outside the unit circle.

Additionally, we consider gray-box attacks where the adversary has access to the system model $(A,B)$ and the controller design algorithm but not the data $(U_{0},D_{0},X)$, and additionally may not know the design parameters $\gamma$ and $\rho$. In this case, a reasonable attack strategy is to use hypothetical input $\hat{U}$ and disturbance $\hat{D}_{0}$ and calculate the corresponding state trajectory $\hat{X}$. We refer to effectiveness of the attack without knowledge of the data as the transferability across data. Additionally, when the design parameters are unknown, hypothetical design parameters $\hat{\gamma}$ or $\hat{\rho}$ are also used. We refer to the effectiveness in this scenario as the transferability across parameters. We numerically evaluate the transferability properties in Sec. IV.

We develop the directed gradient sign method (DGSM) to design a severe perturbation $\Delta:=(\Delta U,\Delta X)$ that satisfies $\|\Delta\|_{\rm max}\leq\epsilon$ with a small constant $\epsilon>0$. Let

denote the eigenvalues of the closed-loop system with the direct data-driven control (3) or (4) using the perturbed data $(\hat{U},\hat{X})$. The aim of the attack is to place some element of $\Lambda(U_{0},X,\Delta)$ outside the unit circle.

The core idea of DGSM is to choose a perturbation that locally shifts an eigenvalue in the less stable direction. We temporarily fix the eigenvalue of interest, denoted by $\lambda_{i}(U_{0},X,\Delta)$, and denote its gradient with respect to $\Delta$ by $\nabla_{\Delta}\lambda_{i}(U_{0},X,\Delta)$. The linear approximation of the eigenvalue with respect to $\Delta$ is given by

We choose $\Delta_{k\ell}$ such that the right-hand side of (6) moves closer to the unit circle. Specifically, DGSM crafts the perturbation

where $\Pi_{\lambda_{i}}:\mathbb{C}^{(m+n)\times(2T+1)}\to\mathbb{R}^{(m+n)\times(2T+1)}$ is defined by

with

The role of the function $\Pi_{\lambda_{i}}$ is illustrated in Fig. 3. Suppose that $Z_{k\ell}$ faces the direction of $\lambda_{i}$. More precisely, the angle between $\lambda_{i}$ and $Z_{k\ell}$, denoted by $\phi$, is less than $\pi/2$, which leads to $\Pi_{\lambda_{i}}(Z_{k\ell})>0$. We now suppose that the angle between $\lambda_{i}$ and another element $Z_{\tilde{k}\tilde{\ell}}$, denoted by $\tilde{\phi}$, is greater than $\pi/2$. Then we have $\Pi_{\lambda_{i}}(Z_{\tilde{k}\tilde{\ell}})<0$. In both cases, owing to the function $\Pi_{\lambda_{i}},$ the perturbed eigenvalue moves closer to the unit circle as depicted in the figure. By aggregating all components, the linear approximation of the perturbed eigenvalue $\hat{\lambda}_{i}$ is given by

which is expected to be placed outside the unit circle by increasing $\epsilon$.

DGSM performs the procedure above for every $\lambda_{i}$ for $i=1,\ldots,n$ increasing $\epsilon$ until the resulting system is destabilized. Its algorithm is summarized in Algorithm 1, where $\{\epsilon_{k}\}$ denotes possible candidates of the constant $\epsilon$ in the ascending order. Algorithm 1 finds a perturbation $\Delta$ with the smallest $\epsilon$ in $\{\epsilon_{k}\}$ such that the resulting closed-loop system becomes unstable.

We evaluate our adversarial attacks through numerical experiments. We consider the inverted pendulum [27] with sampling period $0.01$ whose system matrices are given by

We set the weight matrices to $Q=I$ and $R=10^{-5}I$. The input signal is randomly and independently generated by $u(t)\sim\mathcal{N}(0,1)$. We consider the disturbance-free case, i.e., $d(t)=0$. The time horizon is set to $T=10$. The $2$-induced norm is taken as the matrix norm in (3). The gradient $\nabla_{\Delta}(\lambda_{i}(U_{0},X,\Delta))$ is computed by the central difference approximation [28, Chapter 4].

We examine the improvement in robustness through regularization by comparing DGSM with a random attack where each element of $\Delta$ takes $\epsilon$ or $-\epsilon$ with equal probability. Let $N_{\rm all}$ and $N_{\rm unstable}$ denote the total number of samples and the number of the samples where the resulting closed-loop system is unstable, respectively. In addition, let $\bar{\epsilon}$ denote the minimum $\epsilon$ such that $N_{\rm unstable}/N_{\rm all}\geq\tau$ for a given threshold $\tau\in[0,1]$. We set $N_{\rm all}=50$ and $\tau=0.8$.

Fig. 4 depicts the curves of $\bar{\epsilon}$ with varying $\gamma$ for DGSM and the random attack when using the certainty-equivalence regularization (3). First, it is observed that the magnitude of the adversarial perturbation necessary for destabilization increases as the regularization parameter $\gamma$ increases. This result implies that the regularization method originally proposed for coping with disturbance is also effective in improving robustness against adversarial attacks. Second, the necessary magnitude in DGSM is approximately $10\%$ of that in the random attack, which illustrates the significant impact of DGSM.

Fig. 5 depicts the curves of $\bar{\epsilon}$ with varying $\rho$ when using the robustness-inducing regularization (4). This figure shows results similar to Fig. 4. Consequently, both regularization methods are effective for adversarial attacks.

Next, we compare the effectiveness of the two regularization methods. We take $\gamma=0.1$ and $\rho=10^{-5}$ such that the resulting closed-loop performances $J(K)$ are almost equal. Fig. 6 depicts $N_{\rm unstable}/N_{\rm all}$ with the two regularized controller design methods (3) and (4) for varying $\epsilon$. It can be observed that the robustness-inducing regularization (4) always outperforms the certainty-equivalence regularization (3).

We consider transferability across data where the data $(U_{0},D_{0},X)$ is unknown and DGSM uses a hypothetical input $\hat{U}_{0}$ whose elements are also randomly and independently generated by $\mathcal{N}(0,1)$ and $\hat{D}_{0}=0$. Fig. 7 depicts the curves of $\bar{\epsilon}$ with varying $\gamma$ for DGSM without knowledge of data and that with full knowledge when using the certainty-equivalence regularization (3). This figure shows that DGSM exhibits the transferability property across data.

Subsequently, we examine transferability across design parameters where the regularization parameter $\gamma$ in addition to the data $(U_{0},D_{0},X)$ is unknown. We use $\gamma=0.1$ as a hypothetical parameter. Fig. 8 depicts the corresponding curves As in the transferability across data, the results confirm the transferability property across parameters.

The regularization methods described by (3) and (4) provide a quantitative condition to ensure stability: The resulting closed-loop system with the certainty-equivalence regularization is stable when $\gamma$ and the signal-to-noise ratio (SNR) defined by ${\rm SNR}:=\sigma_{\rm min}(W_{0})/\sigma_{\max}(D_{0})$ are sufficiently large [26, Theorem 4.2]. That with the robustness-inducing regularization is stable when $\rho$ is sufficiently large and $\sigma_{\rm max}(D_{0})$ is sufficiently small [8, Theorem 3]. One may expect that DGSM crafts a severe input perturbation such that its maximum singular value is large but its elements are small. However, for the single-input system, $\sigma_{\rm max}(\Delta U)=\epsilon\sqrt{T}$ for any $\Delta U$ whose elements take $\epsilon$ or $-\epsilon$. This means that the input perturbations made by DGSM and the random attack have the same maximum singular value.