Directed Gradient Sign Method (DGSM)
- DGSM is a sign-based gradient construction method that uses ℓ∞ geometry to define exact steepest descent directions in optimization and adversarial perturbations in control.
- In smooth optimization, it guarantees progress by updating along –sign(∇f) with performance governed by the ℓ∞-smoothness constant, L∞.
- In direct data-driven control, DGSM crafts stealthy adversarial attacks by perturbing offline data in a sign pattern aligned with eigenvalue sensitivities to destabilize systems.
Directed Gradient Sign Method (DGSM) denotes a sign-based gradient construction whose defining feature is an or elementwise-max geometry. In the literature covered here, the acronym appears in two technically distinct senses. In smooth optimization, DGSM is the steepest-descent method, with updates along and progress governed by the -smoothness constant (Balles et al., 2020). In direct data-driven control, DGSM is an adversarial poisoning attack that perturbs offline data in a sign pattern aligned with eigenvalue or spectral-radius sensitivities of the synthesized closed loop, with the aim of reducing stability and possibly pushing eigenvalues outside the unit circle (Sasahara, 2023, Sasahara, 20 Jul 2025). The shared structure is a coordinatewise sign rule, but the underlying objectives differ: deterministic descent in one case, destabilization under stealthy perturbation budgets in the other.
1. Terminological scope and common geometric structure
The two uses of DGSM are linked by a common geometric intuition: the sign operator is natural when the constraint or smoothness model is coordinatewise, either through the norm ball or through an elementwise perturbation budget (Balles et al., 2020, Sasahara, 2023).
| Usage | Core rule | Governing quantity |
|---|---|---|
| steepest descent | , 0 | |
| Adversarial destabilization in control | 1 or 2 | closed-loop eigenvalues, 3 |
In the optimization setting, the sign vector is an exact steepest-descent direction under 4 geometry. In the control setting, the same sign mechanism is made “directed” by a spectral projection that resolves the complex-valued direction in which an eigenvalue should be moved so that its modulus increases. This suggests that DGSM is best understood not as a single algorithmic template with a single objective, but as a class of sign-based procedures whose meaning is fixed by the geometry of the constraint set and the performance functional being differentiated.
2. DGSM as 5 steepest descent
For a differentiable 6, steepest descent with respect to a norm 7 selects a direction
8
When 9, the feasible set is the hypercube 0, the linear objective decouples coordinatewise, and the minimizer is
1
The canonical update is therefore
2
and the norm-scaled steepest-descent form is
3
The latter arises from minimizing a local quadratic upper bound and yields a constant-step guarantee (Balles et al., 2020).
The relevant smoothness notion is Lipschitz continuity of the gradient in the dual norm:
4
which implies
5
This replaces the more restrictive separable smoothness assumption used in earlier signSGD analyses. If constants 6 satisfy
7
then separable smoothness implies 8-smoothness with 9. For sign steps, both assumptions yield the same bound because the update has equal coordinate magnitude (Balles et al., 2020).
The basic descent estimate for
0
is
1
The optimal step size is
2
and the guaranteed decrease is
3
This is the steepest-descent improvement lemma specialized to 4 geometry (Balles et al., 2020).
The same framework yields standard complexity bounds. For nonconvex deterministic DGSM,
5
For convex 6 that is 7-smooth,
8
where 9 is a norm-dependent radius of the initial level set. Under the Polyak–Łojasiewicz condition in the dual norm,
0
DGSM with step 1 obeys
2
3. Hessian geometry, comparison with gradient descent, and relation to adaptive methods
The geometry of DGSM is encoded in the Hessian through the operator norm identity
3
where
4
Although computing 5 is NP-hard in general, the cited analysis gives bounds that isolate when sign-based methods should outperform standard 6 gradient descent (Balles et al., 2020).
For positive semidefinite symmetric 7 with eigenvalues 8,
9
where
0
Hence 1 becomes smaller when the Hessian is concentrated on its diagonal, that is, when the objective is axis-aligned in the coordinate basis. For a general symmetric eigendecomposition
2
the bound
3
shows that large eigenvalues are less harmful when their eigenvectors are axis-aligned. A lower bound of the form
4
is also available. In two dimensions, for
5
positive definite,
6
which makes the dependence on off-diagonal coupling explicit.
The global relationship to ordinary smoothness is
7
with the upper bound loose in favorable geometries. When the spectrum has outliers, so that 8, and the Hessian is diagonally concentrated, the bound above gives 9. The paper identifies two favorable properties: diagonal concentration and spectral disparity. Both are reported as common in deep networks and as empirically correlated with strong performance of sign-based methods and Adam (Balles et al., 2020).
The per-step guaranteed improvements of gradient descent and DGSM are
0
Defining
1
the ratio becomes
2
DGSM is therefore favored when gradients are dense, so that 3 is close to 4, and when the Hessian geometry shrinks 5 far below 6.
The same work also gives an interpretation of Adam as predominantly sign-based. Its update direction can be decomposed as
7
with coordinatewise damping factors 8 that decrease with gradient variance. Empirical evidence in CNN training indicates that shuffling or averaging 9 across coordinates barely degrades Adam’s performance, which supports viewing Adam as a DGSM-like method augmented by momentum and mild per-coordinate normalization (Balles et al., 2020).
4. DGSM as an adversarial attack in direct data-driven control
In direct data-driven control, DGSM is an attack on the offline data used to synthesize a controller. The 2023 formulation studies Willems’ fundamental lemma-based LQR design for the discrete-time plant
0
with unknown but stabilizable 1. Using measured trajectories, one forms
2
assumes 3, and introduces 4 such that
5
The resulting closed-loop matrix is
6
so controller synthesis depends explicitly on the collected data 7 (Sasahara, 2023).
A later treatment writes the offline data as
8
with
9
and formulates data-driven LQR as an SDP in variables 0 with objective
1
subject to a block-diagonal LMI 2. The synthesized controller is
3
This formulation is used to differentiate the synthesis map exactly through the KKT system (Sasahara, 20 Jul 2025).
The adversarial objective is spectral. For discrete-time stability, the test is 4, so the poisoning problem is
5
where 6 is the spectral radius and 7 is the elementwise max norm. A relative stealthiness variant constrains 8 relative to the norms of 9 (Sasahara, 20 Jul 2025). The design goal is not to increase a loss in the machine-learning sense, but to move a closed-loop eigenvalue toward and beyond the unit circle.
This difference from FGSM is central. FGSM uses
0
whereas DGSM in control uses a spectral stability gradient. The attack exploits the fact that small but carefully aligned perturbations of offline data can induce a different synthesized gain 1 and a different closed-loop matrix 2 with possibly unstable eigenvalues, even when the clean closed loop has a large margin of stability (Sasahara, 2023).
5. Spectral gradients, directional projection, and algorithmic variants
The 2023 attack computes eigenvalue sensitivities numerically. For a simple eigenvalue 3 of 4 with right and left eigenvectors 5,
6
and, for the spectral abscissa,
7
Because the map from data to controller passes through a convex program, the paper does not derive 8 analytically. Instead it approximates
9
by central differences, where 00 is a perturbation basis. The attack then applies a directional projection 01 so that the sign pattern pushes the chosen eigenvalue radially outward. The resulting perturbation rule is
02
and the algorithm increases 03 over a candidate set until some 04 (Sasahara, 2023).
The 2025 work replaces numerical differentiation with implicit differentiation through the KKT conditions of the SDP layer. With 05 and 06 itself dependent on 07, the chain rule is
08
For a simple dominant eigenvalue 09 of 10, with right and left eigenvectors 11,
12
and
13
Since 14, the gradient with respect to 15 follows immediately. The dependence of 16 on 17 is obtained by differentiating the KKT equalities, which yields a linear system in 18, 19, and 20. To avoid rank deficiency, the scalar complementarity relation is replaced by the matrix equality 21, producing an augmented KKT linearization (Sasahara, 20 Jul 2025).
The “directed” realization used for complex eigenvalues is explicit in the later work:
22
Elementwise,
23
so the sign of each perturbation component is chosen to increase the modulus of the dominant eigenvalue in the linearized model.
This formulation also introduces an iterative variant, I-DGSM, which performs projected gradient ascent:
24
with
25
and 26 implemented by elementwise clipping. Initialization is 27, a practical step size is 28, and stopping occurs when 29 or when the iteration cap is reached (Sasahara, 20 Jul 2025).
Algorithmically, the transition from numerical differentiation to implicit differentiation is decisive. Naive central differences require solving the SDP 30 times per gradient. The implicit-differentiation pipeline solves the SDP once, assembles KKT derivative blocks, solves one linear system, and then evaluates 31. Empirically this yields approximately 32 speedup relative to naive numerical differentiation, with an additional 33–34 gain when analytical derivative expressions are used for the KKT blocks and the Jacobians of 35 (Sasahara, 20 Jul 2025).
6. Robustness, defenses, empirical findings, and limitations
The control literature studies DGSM together with defensive regularization. One family of defenses is certainty-equivalence regularization. In the 2023 formulation this adds
36
to the synthesis objective, with
37
under the original LMI constraints. A second 2023 defense is robustness-inducing regularization, which adds
38
and is intended to reduce sensitivity to disturbances by shrinking 39 (Sasahara, 2023). The 2025 paper uses the Frobenius-squared certainty-equivalence regularizer
40
in the SDP formulation and shows that it suppresses directions aligned with the null space of 41 while preserving control performance in benign settings (Sasahara, 20 Jul 2025).
A stronger 2025 defense is robust data-driven control against all perturbations satisfying 42, implemented through an S-procedure-based SDP with Lyapunov certificates and a nominal performance cap 43. The paper states two guarantees: if 44, then 45; if 46, then the closed loop is stable. The same work also proves a sufficient stability condition for the regularized synthesis in terms of the signal-to-perturbation ratio
47
with stability ensured when
48
Empirically, DGSM is consistently more effective than random perturbations. In the 2023 inverted-pendulum study, with 49 trials and threshold 50, the destabilizing budget 51 increases monotonically with both regularization parameters, yet DGSM remains far more potent than the random baseline: for the same 52, DGSM’s 53 is about 54 of the random baseline’s 55 (Sasahara, 2023). The same paper reports a demonstration in which clean closed-loop eigenvalues 56 move to 57 under DGSM, thereby crossing the unit circle while the perturbed time signals remain visually indistinguishable from the clean data.
The 2025 experiments on six LTI benchmarks reach a similar conclusion at larger scale. Across motor position, suspension, inverted pendulum, aircraft pitch, ball-and-beam, and triple tank systems, I-DGSM achieves comparable attack success rates with perturbations approximately 58–59 smaller than baseline random attacks; single-step DGSM is slightly less effective than I-DGSM but still stronger than the baseline (Sasahara, 20 Jul 2025). A representative triple-tank example with 60 and 61 shows that perturbations at only 62–63 of data amplitude can move a pole outside the unit circle, for example to 64. Increasing 65 reduces attack success rates substantially; for the inverted pendulum, the attack success rate falls from 66 to 67 as 68 increases, while the relative control performance remains approximately 69.
Several limitations qualify these results. Both attack analyses assume differentiability of the synthesis mapping around a locally unique optimum and rely on a simple dominant eigenvalue; spectral radius becomes nonsmooth when multiple eigenvalues share the same modulus, and the cited work does not address subgradient or bundle methods in that regime (Sasahara, 20 Jul 2025). In the 2023 method, central differences can be noisy and eigenvalue sensitivities are ill-conditioned near repeated or nearly defective eigenvalues (Sasahara, 2023). The stealthiness models are also idealized: they use elementwise max-norm or relative norm constraints and do not encode richer actuator, sensor, or temporal-structure constraints. Finally, analytical derivative assembly in the implicit-differentiation approach can be memory-intensive for large 70, 71, and 72 (Sasahara, 20 Jul 2025).
Taken together, the cited works establish two complementary interpretations of DGSM. In optimization, sign updates are not merely heuristic; they are exact steepest-descent directions for 73 geometry, and their effectiveness depends on Hessian diagonal concentration, spectral disparity, and gradient density (Balles et al., 2020). In direct data-driven control, DGSM is a targeted adversarial mechanism that exploits the same coordinatewise sign structure under an elementwise perturbation budget, but now to maximize the spectral radius of the synthesized closed loop; its advantage over random perturbations comes from directional alignment with eigenvalue sensitivities rather than from a larger perturbation norm alone (Sasahara, 2023, Sasahara, 20 Jul 2025).