Learning of Dynamical Systems under Adversarial Attacks - Null Space Property Perspective Han Feng Baturalp Yalcin and Javad Lavaei

2025-04-29 0 0 317.09KB 8 页 10玖币
侵权投诉
Learning of Dynamical Systems under Adversarial Attacks - Null Space
Property Perspective
Han Feng, Baturalp Yalcin, and Javad Lavaei
Abstract We study the identification of a linear time-
invariant dynamical system affected by large-and-sparse dis-
turbances modeling adversarial attacks or faults. Under the
assumption that the states are measurable, we develop necessary
and sufficient conditions for the recovery of the system matrices
by solving a constrained lasso-type optimization problem. In
addition, we provide an upper bound on the estimation error
whenever the disturbance sequence is a combination of small
noise values and large adversarial values. Our results depend on
the null space property that has been widely used in the lasso lit-
erature, and we investigate under what conditions this property
holds for linear time-invariant dynamical systems. Lastly, we
further study the conditions for a specific probabilistic model
and support the results with numerical experiments.
I. INTRODUCTION
The identification of linear time-invariant (LTI) systems
is a classic problem in control theory that has been studied
extensively. Despite the long history of this problem and
its application in a wide range of real-world systems, the
non-asymptotic analysis of the system identification problem
has gained popularity in recent years, which targets the
sample complexity of the problem [
1
], [
2
]. With the growing
popularity of safety-critical applications, such as autonomous
driving and unmanned aerial vehicles, the design of a system
identification framework that is robust against adversarial
attacks is crucial [3].
In this paper, we consider LTI systems for which the states
are under a sequence of unknown disturbances, some of
which take small values modeling noise and the remaining
ones take strategic values due to adversarial attacks or
faults in the system. We study the lasso-based optimization
problem recently proposed in [
4
]. It can recover the exact
system dynamics uniquely whenever adversarial attacks occur
intermittently with enough time separation. In [
4
], some
adversarial attacks that do not influence the estimation
are studied, whereas this paper improves those results by
providing a necessary and sufficient condition for recovery
as well as non-asymptotic bounds on the error. Our approach
is based on defining a null space property that is analogous
to the null space property condition for the lasso problem
[5], which is required to guarantee the exact recovery.
The robustness analysis of estimators has a long history,
dating back to the seminal paper [
6
]. It is known that a
small disturbance on the estimation problem, such as the
perturbation of a data point, could lead to significant changes
in the outcome of the estimator. This has led to a major effort
This work was supported by grants from ARO, AFOSR, ONR, and NSF.
The authors are with the University of California, Berkeley. E-mail:
{han_feng, byalcin, lavaei}@berkeley.edu
on the robustification estimators via regularizers. The works
[
7
] and [
8
] have found a strong relationship between the
robust estimation and regularization in regression problems
by showing the equivalence of these two problems.
The recent papers [
9
] and [
10
] on robust estimation of
linear measurement models have considered a framework
with two types of noise: small measurement noise and
large intermittent noise. They have developed necessary and
sufficient conditions for the exact recovery when a column-
wise summable norm is used to minimize the error. We focus
on this type of norm in this paper, which will be defined as
the sum of
`2
norms of the columns of a matrix. Nevertheless,
our analysis is for the more challenging problem of system
identification where the parameters are correlated over time.
Our results indirectly provide a guideline on how to design
an effective input sequence to learn system dynamics faster.
The recent papers [
11
] and [
12
] on system identification
have studied the problem of learning a sparse and structured
state-space model, and provided bounds on the required
sample size, i.e., sample complexity bounds. However, none
of the aforementioned works are applicable to adversarial
attacks since their noise/disturbance model is Gaussian. The
more recent work [
13
] has utilized a conic relaxation, which
significantly increases the problem dimension and is not
directly applicable to dynamical systems. It estimates how
many erroneous measurements or adversarial attacks can
be handled by the estimator without causing a nonzero
estimation error. There are some other works in the literature
that provide non-asymptotic error bounds for the linear
system identification problem when the ordinary least-squares
estimation method and Kalmon-Ho algorithm are used [14],
[
15
]. However, these methods are not particularly efficient
for robust estimation whenever the data is corrupted in an
adversarial way. Membership estimators are also utilized
to show a consistent estimation of linear systems [
16
].
Unfortunately, they do not provide non-asymptotic bounds.
The work [
17
] has studied the scenario where the attack is
executed on the outputs rather than the states. Unlike the
attack on the outputs, the effect of the attack on the states
propagates over time. Lastly, some other related works on
robust estimation are resilient state estimation [
18
], [
19
] and
Byzantine fault tolerance [20], [21].
One could place the system identification problem into the
broader context of robust regression to gain some valuable
insight on robust estimation. It is well-known that least-
squares methods are not robust to outliers. The work [
22
]
has studied the identification of outliers in linear regression.
It is shown that a non-convex loss function outperforms the
arXiv:2210.01421v2 [eess.SY] 5 Oct 2022
`1
regularization of the least-squares function. Nevertheless,
it is not always justifiable to solve large-scale non-convex
problems instead of convex ones unless the landscape of the
non-convex optimization problem can be shown to be benign
(e.g., it does not have a spurious solution). Nonetheless, this
is problem specific and not understood thoroughly [
23
], [
24
].
Another mainly used estimator for sparse estimation is the
hard thresholding estimator. The work [
25
] has proposed
an iterative scheme based on this estimator and analyzed
it on regression with sparse disturbances. There have been
several other works on robust estimation and training [
26
],
[
27
], [
28
]. The major difference between those works and
the system identification is that the states or the training
data are not independent over time. Hence, they cannot
be re-ordered, which makes it challenging to exploit the
existing results in robust statistics. A possible solution to this
is resetting the system and using the last available data point
from each trajectory. However, this is not a feasible approach
for common real-life applications due to its complexity. Also,
it is often desired to identify the system in an online fashion
to benefit from the available data, but it is not well understood
how this can be achieved for robust estimation.
In Section II, we introduce the main notations used
in the paper. Section III considers a particular type of
l1
minimization problem and formulates the problem. In
Section IV, we derive sufficient conditions for exact recovery
in finite time when we have exact measurements of the states
that are influenced by the adversarial attacks. The noisy case
is studied in Section V, where we provide an error bound
on the estimation error based on the noise intensity. The
conditions are based on the null space property (NSP), which
is hard to verify directly. We derive sufficient conditions for
NSP in Section VI and then show in Section VII that NSP
holds for a particular attack model where the input is Gaussian
and the adversary injects disturbances intermittently with a
fixed policy based on the states and input measurements. The
proofs are provided in the appendix.
II. NOTATIONS
For a given matrix
Z
, the
i
-th largest singular value of
Z
is denoted by
σi(Z)
, and the minimal and maximum singular
values of
Z
are shown by
σmin(Z)
and
σmax(Z)
, respectively.
For a matrix
Z
,
kZkF
denotes its Frobenius norm and for a
vector
z
,
kzk2
denotes its
`2
norm.
Z0
and
Z0
denote a
square symmetric matrix
Z
that is positive definite and positive
semidefinite, respectively. The function
tr(·)
stands for the
trace of a square matrix. The
n×n
identity matrix is denoted
as
In
. The Minkowski sum of two sets
E
and
F
is denoted
by
EF={e+f:eE,fF}
. The sum with the inverse
of the set is denoted by
EF={ef:eE,fF}
. For
two vectors
v
and
w
,
hv,wi
is the inner product between those
vectors in their respective vector space.
P(·)
and
E[·]
denote
the probability of an event and the expectation of a random
variable. A Gaussian random variable
X
with mean
µ
and
covariance matrix
Σ
is written as
XN(µ,Σ)
.
|S|
shows the
cardinality of a given set S.
III. PROBLEM FORMULATION
Consider an LTI dynamical system over the time horizon
[0,T]:
xt+1=¯
Axt+¯
But+¯
dt,t=0,1,...,T1,
where
¯
ARn×n
and
¯
BRn×m
are unknown matrices in the
state-space model to be estimated and
¯
dt
s are unknown
disturbances. Throughout the paper, the bar over each
parameter of interest (such as
¯
A
) indicates the unknown
ground truth. The goal is to find the matrices
¯
A
and
¯
B
from the state measurements
x0,...,xTRn
and input data
u0,...,uT1Rm
. The disturbances
¯
d0,..., ¯
dT1
model both
noise and anomalies in the system, such as attacks or
actuator’s faults. Without any assumptions on the disturbance,
the identification problem is not well-defined due to the
impossibility of separating
¯
Axt+¯
But
from the disturbance
¯
dt
. For instance, if
¯
dt=A0xt+B0ut
for some matrices
A0
and
B0
, then the system evolves as if the system matrices are
(¯
A+A0,¯
B+B0)
and the disturbance is zero, which makes the
identification problem have non-unique solutions. We will
make certain sparsity assumptions on the disturbance in the
noiseless case, and generalize the result to the noisy case.
To formulate the problem, we introduce the matrix notation
X= [x0,...,xT1]
,
U= [u0,...,uT1]
, and
D= [d0,...,dT1]
.
The last state
xT
appears in our optimization problem, but it is
not a column in the matrix notation. The attack
D
is assumed
to be restricted to a set
DRn×T
. The set
D
captures the
user’s belief of possible times of attack and their values.
Define the sum of norm error
kDk2,col :=ikdik2
, where
the index is over the columns of
D
. The (column-wise) support
of
D
is defined as
supp(D) = {i∈ {0,...,T1}:di6=0}
. For
each subset of indices
I⊆ {0,1,...,T1}
, the complement
of
I
is defined as
Ic={i∈ {0,...,T1}:i/I}
. For a matrix
ZRn×T
, the projection
ΠIZ
is a matrix whose columns are
zero except for those in I, i.e.,
(ΠIZ)i=(zi,if iI
0,otherwise ,
where
zi
denotes the
i
-th column of
Z
. Define
ZI
as a
submatrix of
Z
of size
n×|I|
, that includes only those columns
of
Z
in the index set
I
. We use the shorthand notations
Z6=i
and
Z6∈I
to denote
Z{0,...,T1}\{i}
and
Z{0,...,T1}\I
, respectively.
The range of Zis defined as R(Z) = {iλizi:λiR}.
To recover the system matrices
A
and
B
, we analyze the
following convex optimization problem:
min
ARn×n,BRn×m,
DD
T1
i=0
kdik2(1)
s.t.xi+1=Axi+Bui+di,i=0,...,T1,
where the states
xi,i∈ {0,...,T}
, are generated according to
xi+1=¯
Axi+¯
Bui+¯
di,i=0,...,T1.(2)
The control inputs
ui,i∈ {0,...,T1}
, may be designed but
are fixed in the optimization problem
(1)
. This problem differs
摘要:

LearningofDynamicalSystemsunderAdversarialAttacks-NullSpacePropertyPerspectiveHanFeng,BaturalpYalcin,andJavadLavaeiAbstract—Westudytheidenticationofalineartime-invariantdynamicalsystemaffectedbylarge-and-sparsedis-turbancesmodelingadversarialattacksorfaults.Undertheassumptionthatthestatesaremeasura...

展开>> 收起<<
Learning of Dynamical Systems under Adversarial Attacks - Null Space Property Perspective Han Feng Baturalp Yalcin and Javad Lavaei.pdf

共8页,预览2页

还剩页未读, 继续阅读

声明:本站为文档C2C交易模式,即用户上传的文档直接被用户下载,本站只是中间服务平台,本站所有文档下载所得的收益归上传人(含作者)所有。玖贝云文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私,请立即通知玖贝云文库,我们立即给予删除!

相关推荐

更多
立即下载
分类:图书资源 价格:10玖币 属性:8 页 大小:317.09KB 格式:PDF 时间:2025-04-29

开通VIP享超值会员特权

  • 多端同步记录
  • 高速下载文档
  • 免费文档工具
  • 分享文档赚钱
  • 每日登录抽奖
  • 优质衍生服务

作者详情

相关内容

更多

热门标签

人际关系 动力学连接体 力的合成 配电装置 高考理综 全宋诗作者索引 公务员考试
/ 8
评分 收藏
分享
立即下载
客服
关注