Stealthiness-Constrained Tampering
- Stealthiness-constrained tampering is an approach where adversarial modifications are optimized to remain undetected by satisfying strict statistical and structural constraints.
- It integrates techniques from control theory, information theory, and machine learning to balance attack impact against detectable anomalies.
- Optimal strategies use constrained optimization methods to manage trade-offs between performance disruption and maintaining low residual or divergence metrics.
Stealthiness-constrained tampering refers to adversarial modifications of system inputs, measurements, communication, or data, optimized to achieve malicious objectives while satisfying formalized stealthiness constraints that limit their detectability by monitoring, anomaly detection, or validation mechanisms. This paradigm integrates metrics and optimization frameworks from statistical detection, information theory, control theory, and machine learning, framing the attacker’s problem as constrained optimization to maximize effectiveness (“damage”) under explicit detectability or sparsity ceilings.
1. Fundamental Models and Detection Mechanisms
Stealthiness-constrained tampering is most rigorously studied in cyber-physical control systems, where a canonical model involves a stochastic discrete-time LTI system,
with process noise , measurement noise , and a Kalman filter observer, sometimes closed by static feedback . Attacks are typically additive: measurement attacks adulterate , while input attacks perturb . In partially observed continuous-time settings, the innovation (from a Kalman–Bucy filter) forms the basis for detection and stealthiness quantification (Zhou et al., 7 May 2026).
Detection commonly employs residual-based schemes—for example, rolling-window tests,
which implicitly define “stealthy” tampering as sequences that keep detection statistics within specified false-alarm rates (Hashemi et al., 2017, Jovanov et al., 2017).
In learning systems, LLMs and multi-agent systems, detection may rely on monitoring perplexity gaps, semantic drift, embedding similarity, or mutual information between intended and observed agent behaviors (Guo et al., 2024, Kao et al., 2024, Yan et al., 5 Aug 2025).
2. Formal Stealthiness Constraints
Stealthiness constraints formalize the requirement that adversarial perturbations remain undetected or match baseline statistical profiles:
- Residual-Energy Constraints: Require rolling or instantaneous residuals satisfy 0 for all 1 (zero-alarm attacks), or that the rate 2 matches the detector’s nominal false-alarm rate 3 (hidden attacks) (Hashemi et al., 2017).
- Information-Theoretic Divergence: Expressed through bounds on Kullback–Leibler (KL) divergence between output distributions under attack and nominal operation, e.g., 4 (Fang et al., 2020, Zhou et al., 7 May 2026, Ye et al., 2021).
- Sparsity Constraints: Limit attack support, e.g., at most 5 out of 6 sensors compromised; sometimes enforced as 7 norm constraints or “covertness cost” regularizers (Ye et al., 2021, Sharma et al., 15 Dec 2025).
- Semantic/Embedding Similarity (LLMs and messaging): Enforce 8, 9 for attacked 0, where 1 is semantic and 2 is embedding similarity (Yan et al., 5 Aug 2025).
- Entropy and Perplexity Gaps: Require 3 for text/image entropy gaps, constraining adversarial prompts near the natural distribution (Kao et al., 2024).
Trade-offs are mathematically codified as constrained or Lagrangian optimizations—balancing stealth metrics against destructive or behavior-altering impact.
3. Optimal Tampering Strategies and Their Analysis
Optimal stealthy tampering design decomposes into two interrelated aspects: determining the most effective attack (performance loss, distortion, utility drop) and enforcing stealthiness constraints.
- Control-Theoretic and Statistical Approaches: In stochastic LTI systems, optimal attacks minimizing 4 for a fixed distortion or maximizing distortion for a fixed 5 correspond to colored Gaussian processes with frequency-shaped spectra solving water-filling–like constrained variational problems (Fang et al., 2020, Zhou et al., 7 May 2026). Semi-explicit solutions are achievable via Riccati-type ODEs for both deterministic and adaptive feedback attacks (Zhou et al., 7 May 2026).
- Reachable Set Characterization: For residual-constrained attacks, the plant state reachable sets are characterized by minimum-volume ellipsoidal outer bounds, derived via LMI or geometric Minkowski sums. Zero-alarm attacks produce tightly bounded ellipsoids, while hidden attacks allowed rare large residuals can drive the state arbitrarily far unless additional constraints are imposed (Hashemi et al., 2017, Jovanov et al., 2017).
- Greedy/Heuristic Sparse Construction: For 6-sparse tampering, two-stage greedy algorithms select sensor indices and power allocation by maximizing disruption subject to coverage constraints, with closed-form and SDP-based updates enabling scalable design (Ye et al., 2021).
- Bilevel Optimization: In learning-based or multi-agent architectures with centralized memories (e.g., replay buffers, RAG knowledge bases), covert tampering is formalized as a bilevel optimization: upper level minimizes perturbation magnitude (stealth), lower level maximizes effect on behavior; solved via implicit differentiation or penalty-based bilevel gradient methods (Sharma et al., 15 Dec 2025).
- Multi-Round/Sequential in LLM-MAS: In LLM-based multi-agent messaging, MCTS+DPO schemes learn sequential, adaptive policies for message tampering, optimizing attack plans while preserving semantic and embedding similarity per round (Yan et al., 5 Aug 2025).
4. Trade-Offs: Effectiveness Versus Stealth
There exists an intrinsic and mathematically sharp trade-off between tampering effectiveness (e.g., state deviation, attack success rate) and stealthiness constraints:
- Classical Control: Zero-alarm attacks incur a strict “variance budget,” yielding limited plant-deviation ability, while hidden attacks matching false-alarm rates can, through the heavy tails of residuals, effect large deviations if rare significant anomalies are tolerated (Hashemi et al., 2017).
- Information Theory: Fano’s inequality quantifies how stealth constraints on mutual information or entropy gaps directly increase minimum attacker failure probability 7, even under optimal adversarial strategies. Perfect stealth forces attack success rates toward random guess baselines (Kao et al., 2024, Fang et al., 2020).
- Data Injection and Sparsity: Allowing off-diagonal (coordinated) attack covariances significantly improves disruption for the same detection probability, but the sparsity penalty decays near-exponentially as support size grows—a critical consideration in resource-constrained scenarios (Ye et al., 2021).
- Learning Systems: Performance-degradation versus covertness is governed by regularization weights or KL-budgets, and explicit empirical trade-off curves (e.g., ASR vs perplexity or semantic drift) are measured in high-fidelity LLM and RAG experiments (Guo et al., 2024, Sharma et al., 15 Dec 2025).
Defenders may cap distortion by bounding divergence statistics, message authentication rates, or combined semantic/structural drift measures (Jovanov et al., 2017, Yan et al., 5 Aug 2025).
5. Detection and Defense Mechanisms
Defenses against stealthiness-constrained tampering integrate both statistical hypothesis testing and protocol-level controls:
- Residual/Energy-Based Detectors: Increasing the variety or adaptivity of detection statistics (multiple thresholds or detectors, windowed and sequential probability ratio tests) can limit attack impact not captured by fixed-threshold mechanisms (Hashemi et al., 2017, Jovanov et al., 2017).
- Authentication Scheduling: Even intermittent or randomized message authentication sharply constrains the reachable error set; policies enforcing zero-attack intervals bound impact with minimal overhead (<10% authenticated traffic) (Jovanov et al., 2017).
- Physical/Structural Constraints: In IC design, T-TER employs hard physical barriers (guard wires) to physically block undetectable Trojan wire routing, offering formal detection guarantees against insertion, move, and jog attacks at minimal area/power cost (Trippel et al., 2019).
- Gap-Based Detectors: For VLM/LLM jailbreaks, low-cost detectors monitoring entropy/perplexity gaps or semantic/embedding similarity across message sequences or image regions flag non-stealthy tampering (Kao et al., 2024, Yan et al., 5 Aug 2025).
- Multi-Modal and Semantic Defenses: Robustness in multi-agent and LLM settings is improved by combining anomaly checks (e.g., 8 norm constraints) with semantic plausibility detectors, embedding monitors, and protocol-level requirements for authenticated structured messages (Yan et al., 5 Aug 2025, Sharma et al., 15 Dec 2025).
6. Application Domains and Extensions
Stealthiness-constrained tampering appears in:
- Industrial Control and Power Systems: Sensor/data-injection attacks designed for stealth under 9, KL, or mutual information constraints, including sparsity-aware attacks on state estimators (Hashemi et al., 2017, Ye et al., 2021).
- Safety-Critical Automotive Systems: GPS spoofing and ACC sensor attacks, with integrity policy co-design to bound tracking and safety margins under stealthy threats (Jovanov et al., 2017).
- Integrated Circuit Security: Placing tamper-evident routings to physically enforce stealthiness constraints against minimal-footprint hardware Trojans in untrusted fabrication settings (Trippel et al., 2019).
- LLMs and Vision-LLMs: Jailbreak attacks with low-perplexity, high semantic similarity, or bounded entropy gap, evaluated using automated and human-style metrics, and systematically constrained via energy-based optimization (Kao et al., 2024, Guo et al., 2024).
- LLM-Based Multi-Agent Systems: Adaptive, multi-round, message-level tampering in multi-agent planning and reasoning tasks, maintaining high attack rates while preserving semantic and embedding similarity (Yan et al., 5 Aug 2025).
- Heterogeneous MAS with Memory Components: Unified bilevel frameworks for poisoning centralized experience buffers or knowledge bases in MARL/RAG agents, tuned to evade detectability heuristics (Sharma et al., 15 Dec 2025).
7. Open Questions and Research Directions
Several open challenges stem from the complexity of both offensive and defensive stealth constraints:
- Adversarial Adaptivity: Quantifying attack gain from real-time feedback, both in partially observed stochastic systems and in adaptive multi-agent LLM architectures (Zhou et al., 7 May 2026, Yan et al., 5 Aug 2025).
- Information-Theoretic Limits: Extending Fano-based and mutual information analysis to broader multimodal or variable-length attacks and complex detection pipelines (Kao et al., 2024).
- Automated Integrity Policy Design: Creating scalable algorithms for sparse authentication/validation scheduling in large-scale distributed systems (Jovanov et al., 2017).
- Scalable Defense Integration: Real-time, cross-modal anomaly detection and self-healing protocols in the presence of sophisticated, stealth-aware attackers (Sharma et al., 15 Dec 2025).
- Unified Metrics and Formal Guarantees: Developing mathematically principled stealth/impact trade-off frontiers and common evaluation standards across diverse cyber-physical and learning-based platforms.
Stealthiness-constrained tampering thereby motivates ongoing interdisciplinary research at the interface of control theory, information theory, adversarial machine learning, and systems security.