Real-World System Attacks
- Real-world system attacks are targeted adversarial disruptions that subvert deployed systems by exploiting operational, environmental, and hardware vulnerabilities.
- They span a range of vectors, including adversarial patches, protocol-compliant resource exhaustion, wireless jamming, sensor spoofing, and smart contract manipulations.
- Empirical evaluations report high attack success rates—often over 80%—which drive ongoing research into resilient, holistic defense strategies.
A real-world system attack is a targeted, adversarially engineered disruption or subversion of a deployed computational, cyber-physical, or machine learning system, exploiting domain-specific vulnerabilities under operational, non-laboratory conditions. These attacks span digital, physical, analog, and control-domain vectors, impacting diverse applications from biometric access and vehicular safety to industrial automation, smart contracts, and IoT infrastructures. The defining feature is practical feasibility: the attack can be executed against real systems in situ, overcoming environmental variation, hardware constraints, and non-differentiable or black-box components.
1. Taxonomy of Real-World System Attacks
Attack strategies in the real world exploit vulnerabilities across multiple system layers, leveraging both cyber and physical modalities:
- Adversarial Examples and Patch Attacks: Realizable adversarial artifacts, such as printed patterns for face detectors (Kaziakhmedov et al., 2019), stickers for face recognition models (Pautov et al., 2019), digital-physical adversarial displays for camera evasion (Leonenkova et al., 30 Mar 2026), and engineered visual triggers for RL robots (Huang et al., 20 Jan 2026), induce targeted misclassification or policy deviations under sensor, lens, and environmental transformations.
- Protocol-Compliant Resource Exhaustion: Compliant but maliciously paced network traffic (e.g., UDP and J2735-BSM floods in C-V2X) cause denial-of-service without violating protocol semantics, degrading safety features such as Forward Collision Warning (Tine et al., 4 Aug 2025).
- Wireless Man-in-the-Middle and Jamming: Physical-layer exploits harness electromagnetic leakage (e.g., HomePlug Green PHY in EV charging (Szakály et al., 21 Jan 2026)) and jamming frameworks (e.g., eSWORD for scalable wireless disruption (Robinson et al., 2023)), enabling message interception, replay, and injection in safety-critical systems.
- Sensor and Control-System Attacks: Embedded controllers in industrial or robotics settings are compromised via stealthy sensor perturbations (Hashemi et al., 2017), analog sensor spoofing (Tu et al., 2022), or timed logic abuse (e.g., programmable logic controller backdoors (Anton et al., 2019)) to induce process deviation or mask payloads.
- Learning System Subversion: Runtime model parameter patching instantiates stealthy DNN backdoors via direct memory manipulation (Costales et al., 2020), often evading post-deployment detection and runtime monitors.
- Agent Prompt Injection and RAG Attacks: Data-driven prompt manipulations of agentic or retrieval-augmented systems hijack action planning or response logic through indirect insertion channels (web, email, API) (Li et al., 3 Feb 2026, Triantafyllopoulos et al., 4 Aug 2025).
- Smart Contract Transaction Manipulation: On-chain exploits are engineered to front-run, hijack, or backrun attacker contracts, often circumventing mempool-based detection through private relay use and sophisticated transaction cloning/repair (Shou et al., 2024).
2. Attack Models and Threat Assumptions
A rigorous threat model specifies attacker knowledge, access, and goals:
- Knowledge (White-box vs. Black-box): Some attacks assume complete access to architecture and weights (MTCNN/P-Net (Kaziakhmedov et al., 2019), ArcFace (Pautov et al., 2019)), while others operate in black-box settings (DiPA against commercial cameras (Leonenkova et al., 30 Mar 2026), RL policies with only physical feedback (Huang et al., 20 Jan 2026)).
- Physical Feasibility: Attacks must survive real camera transformations (e.g., scaling, warping, lighting in face detection (Kaziakhmedov et al., 2019)), or hardware variability (e.g., wireless leakage in EV charging (Szakály et al., 21 Jan 2026)).
- Limited Access and Constraints: Adversaries often lack direct digital input; attacks proceed through physical artifacts (printed patches, analog signal injection, over-the-air traffic) or transient system memory access (DLL injection, /proc/mem patching in DNNs (Costales et al., 2020)).
- Operational Robustness: Expectation-over-Transformation (EoT) is often employed during attack synthesis to enforce robustness against pose, scale, and image-domain variation (Kaziakhmedov et al., 2019, Pautov et al., 2019, Leonenkova et al., 30 Mar 2026).
3. Attack Methodologies and Pipeline
The attack pipeline is grounded in joint optimization and engineering constraints:
- Formulation and Optimization Objectives: Patch-based attacks optimize small regions to minimize detection scores (face detectors (Kaziakhmedov et al., 2019)), target embedding similarity (ArcFace (Pautov et al., 2019)), or feature-space distortion (DiPA (Leonenkova et al., 30 Mar 2026)) under regularization terms (TV, smoothness, printability).
- Physical Artifact Generation: Optimized adversarial patterns are rendered as printable grayscale stickers for faces (Pautov et al., 2019), surface-attached triggers for robots (Huang et al., 20 Jan 2026), or displayed as high-resolution digital patches (Leonenkova et al., 30 Mar 2026).
- Real-time and Closed-Loop Strategies: Some adversarial interventions exploit dynamic feedback, for instance, continuous analog control via acoustic or electromagnetic coupling (Tu et al., 2022), or adaptive digital-physical patch deployment reacting to sensor output (Leonenkova et al., 30 Mar 2026, Huang et al., 20 Jan 2026).
- Protocol and System Exploitation: Attacks may rely on protocol-compliance but intentionally abusive traffic patterns (protocol-compliant DoS in C-V2X (Tine et al., 4 Aug 2025)), or exploit time-critical protocol races (SDP hijack, ND spoof in EV charging (Szakály et al., 21 Jan 2026)), often with domain-tailored engineering logic (e.g., dynamic path enumeration and transaction repair in smart contract rescue (Shou et al., 2024)).
4. Empirical Evaluation and Impact Metrics
Evaluation of real-world attacks demands domain- and system-specific quantitative metrics:
- Performance Metrics: False negative/positive rates (misdetection probability (Kaziakhmedov et al., 2019)), embedding similarity (cosine over ArcFace space (Pautov et al., 2019)), attack/clean success rates (e.g., Clean Success Rate CSR and Attack Success Rate ASR for RL (Huang et al., 20 Jan 2026)), and operational KPIs (packet delivery ratio, average latency, FCW suppression for C-V2X (Tine et al., 4 Aug 2025)).
- Experimental Protocols: Full physical closed-loop tests (face videos at varying distances (Kaziakhmedov et al., 2019), real-office photos with physical patches (Pautov et al., 2019)), emulated or hardware-in-the-loop setups for wireless jamming (Robinson et al., 2023), and field deployments (TurtleBot3 with real navigation tasks (Huang et al., 20 Jan 2026), drone flight with SCART sensor perturbation (Girstein et al., 2023)).
- Robustness and Transferability: Assessment includes performance under environmental shifts, cross-device deployment, and transfer success between digital surrogates and production models (Pautov et al., 2019, Leonenkova et al., 30 Mar 2026).
- Deployment Impact: Attacks have demonstrated >80% face misdetection (Kaziakhmedov et al., 2019), 100% targeted fooling of FR systems with optimized patches (Pautov et al., 2019), and total denial of safety functions in automotive FCW systems (Tine et al., 4 Aug 2025).
5. Limitations, Countermeasures, and Systemic Implications
System-level defenses, practical constraints, and broader implications are a central focus:
- Attack Limitations: Physical patch attacks may be defeated by extreme lighting, occlusion, or orientation (Kaziakhmedov et al., 2019), are often user- or scenario-specific (Pautov et al., 2019), and can be mitigated by sufficiently randomizing or fusing sensor inputs (Leonenkova et al., 30 Mar 2026, Tu et al., 2022).
- Defensive Strategies:
- Robust Training: Adversarial training with physically realized attack patterns (patched faces (Kaziakhmedov et al., 2019), stickers (Pautov et al., 2019)) or Out-of-Domain detectors for LLMs (Triantafyllopoulos et al., 4 Aug 2025).
- Input Transformations and Filtering: Randomized input pre-processing or sensor-fusion can disrupt fixed-pattern attacks (Kaziakhmedov et al., 2019, Tu et al., 2022, Leonenkova et al., 30 Mar 2026).
- Patch and Pattern Detection: Subnetwork or programmatic modules designed to flag high-contrast, nonbiological textures in vision systems (Pautov et al., 2019), anomaly detectors in time-series for ICS (Anton et al., 2019).
- Protocol and Architecture Hardening: Rate-limiting, resource monitoring, and protocol-level updates in vehicular and IoT networks (Tine et al., 4 Aug 2025, Szakály et al., 21 Jan 2026).
- Resilience in Learning Systems: Memory integrity checks, page protections, and signature-based scanning for live trojan attacks in DNNs (Costales et al., 2020); model and memory randomization to defend against runtime exploits.
- Broader Security Implications: Militarization of protocol-compliant traffic to disable safety features (Tine et al., 4 Aug 2025); display-as-attack-surface risk in ubiquitous device-coupled vision systems (Leonenkova et al., 30 Mar 2026); incentive mismatches and race conditions undermining smart contract frontrunning guards (Shou et al., 2024); and systemic challenges in open-world agentic settings (Li et al., 3 Feb 2026).
6. Representative Attacks and Empirical Summary
The diversity and potency of real-world system attacks is captured in the following comparative summary:
| Domain / Target | Attack Technique | Key Result / Metric | Reference |
|---|---|---|---|
| Face Detection (MTCNN) | Physical patch, EoT optimization | 80–90% face misdetection over video at multiple distances | (Kaziakhmedov et al., 2019) |
| Face Recognition | Printed grayscale stickers on face | 100% attack success (eyeglasses, forehead) in live trials | (Pautov et al., 2019) |
| RL Robot Navigation | Diffusion-patch trigger, advantage-based poisoning | 83.5% targeted attack success (real TurtleBot3) | (Huang et al., 20 Jan 2026) |
| EV Charging | SDR-based MitM, protocol tampering | Remote spoofing, safety override, full protocol control | (Szakály et al., 21 Jan 2026) |
| C-V2X Safety | Protocol-compliant UDP/BSM floods | PDR drop to 10.2%, suppression of FCW alert | (Tine et al., 4 Aug 2025) |
| Wireless Networks | Hardware-in-the-loop jamming | 58–60% throughput drop, ∼1 s recovery, >95% metric accuracy | (Robinson et al., 2023) |
| Industrial ICS | Logic/sensor injection, Matrix Profile | Unsupervised anomaly detection detects both subtle and overt attacks | (Anton et al., 2019) |
| Smart Contracts | Exploit cloning, path repair | $410M saved over 2023–24, >90% of incidents unsolved by classic frontrunning | (Shou et al., 2024) |
This landscape underscores that practical, system-level adversarial techniques can reliably circumvent both machine learning model and classical protocol defenses, causing denial, impersonation, or covert control in a range of mission- and safety-critical applications.
7. Research Directions and Open Challenges
Current research highlights several unresolved challenges and opportunities:
- Dynamic Physical Adversaries: Future work must address attacks that adapt in the field to changing environments, multi-agent or multi-sensor settings, and compound interaction effects.
- Benchmarks and Standardization: Dynamic and context-rich benchmarks such as AgentDyn (Li et al., 3 Feb 2026) expose underappreciated failure modes in LLM-agent defenses and are needed to enable reproducible, comparative evaluation.
- Holistic System Analysis: Security research must integrate network, physical, and machine learning perspectives to defend complex, hybrid architectures typical in cyber-physical systems.
- Automated and Scalable Defense: Machine learning-based detectors, input sanitization, continuous monitoring, and patch deployment must scale to the diversity and velocity of emerging attack strategies.
Real-world system attacks exemplify the necessity of cross-disciplinary, cross-layer analysis for both offensive and defensive security, leveraging rigorous system models, empirical validation, and domain-specific threat intelligence. Citations include (Kaziakhmedov et al., 2019, Pautov et al., 2019, Szakály et al., 21 Jan 2026, Tine et al., 4 Aug 2025, Robinson et al., 2023, Anton et al., 2019, Huang et al., 20 Jan 2026, Costales et al., 2020, Leonenkova et al., 30 Mar 2026, Shou et al., 2024, Tu et al., 2022, Triantafyllopoulos et al., 4 Aug 2025, Li et al., 3 Feb 2026).