Telemetry Poisoning Detector

Updated 8 December 2025
  • Telemetry Poisoning Detector is a system that identifies adversarial manipulations in sensor data streams, especially under Local Differential Privacy constraints.
  • It utilizes statistical methods such as temporal similarity, correlation tracking, and feature mining to pinpoint subtle poisoning attacks in IIoT environments.
  • Empirical results show high precision and recall, demonstrating its capability to maintain data integrity and robust privacy even in resource-constrained settings.

A Telemetry Poisoning Detector is a system or algorithm designed to identify and attribute adversarial poisoning of telemetry data, especially in settings where privacy-preserving mechanisms such as Local Differential Privacy (LDP) are employed. Telemetry poisoning refers to the malicious manipulation of sensor or device-generated data streams, with the objective of disrupting downstream analytics, inference, or control. The distinct challenge in LDP settings arises from the inherent randomness and perturbation that mask individual data records, rendering even intentional distortions nearly indistinguishable from benign noise. Recent work in Industrial Internet of Things (IIoT) and IoT further emphasizes this challenge due to both the prevalence of resource-constrained edge devices and the push toward decentralized, privacy-compliant architectures (Shuai et al., 20 Dec 2024, Shuai et al., 30 Oct 2025).

1. Taxonomy of Telemetry Poisoning Attacks under LDP

For LDP-protected IIoT telemetry, the attack surface is precisely characterized in the PoisonCatcher framework (Shuai et al., 20 Dec 2024) as comprising three fundamental poisoning modes:

  1. Input-Poisoning: The attacker manipulates the raw sensor reading prior to application of the privacy mechanism. Formally, for sensor datum $d$ and LDP randomizer $\psi$, the reported output becomes $\psi(\Delta(d))$ instead of $\psi(d)$.
  2. Output-Poisoning: Post-LDP perturbation, an adversary tampers with the privatized output $\psi(d)$, generating $\Delta(\psi(d))$ that is aligned with the adversarial objectives.
  3. Rule-Poisoning: The attacker subverts, replaces, or parameterizes the LDP mechanism itself, for instance by altering the privacy budget $\varepsilon$ or the sampling distribution, such that $\Delta(\psi)(d)$ governs the release.

All three modes are unified by quantifying the “privacy degradation” as

$$\left|\sup_S \frac{\Pr[\Phi(d,\psi) \in S]}{\Pr[\Delta(d,\psi) \in S]} - e^\varepsilon\right| \geq \xi,$$

for some measurable set $S$, with $\xi$ capturing the effective loss in privacy and/or trustworthiness (Shuai et al., 20 Dec 2024).

The critical issue is that the obfuscation guarantees of $\varepsilon$-LDP conflate genuine randomness with adversarially crafted deviations, meaning that conventional integrity checks or pointwise anomaly detectors are inherently limited in their discriminatory power.

2. Impact of Poisoning on Telemetry Aggregates and Correlations

Mathematical analyses in (Shuai et al., 20 Dec 2024) clarify how even low-rate telemetry poisoning can produce disproportionate and targeted harm:

  • Temporal Similarity Bias: Let $n$ devices report at time $t$, $m$ of which are poisoned. For any statistical query $\mathcal{Q}$ admitted by the aggregator, the induced absolute error from poisoning is bounded as

$$|\mathcal{Q}(\Delta(D, \psi)) - \mathcal{Q}(\Phi(D, \psi))| \leq L \frac{m}{n} (e^\varepsilon-1),$$

where $L$ is the Lipschitz constant of $\mathcal{Q}$. As $\varepsilon$ or $m/n$ increases, the bias can quickly outpace natural noise.

  • Inter-Attribute Correlation Disruption: For attribute vectors $x$ and $y$, the poisoning-induced shift in Pearson correlation is

$$\Delta\rho = |\rho_c - \rho_u| \leq \frac{(e^\varepsilon-1)}{\sigma_x} \frac{m}{n},$$

with $\sigma_x$ the standard deviation of $x$. A small standard deviation or large $(e^\varepsilon-1)$ can magnify minor contamination fractions $m/n$, leading to pronounced multivariate distributional drift.

Temporal smoothness and cross-attribute dependencies intrinsic to IIoT telemetry are thus directly exploited by adversaries and must be central to detection strategies.

3. Detection Methodologies: PoisonCatcher and PEEL Frameworks

PoisonCatcher operationalizes four detector modules:

  • Temporal Similarity Detector: Establishes historical baseline windows for statistical queries per attribute, then flags anomalies when the current query result deviates outside $[\min\mathcal{Q} - \alpha, \max\mathcal{Q} + \alpha]$, with $\alpha$ determined by LDP-specific tolerance. Minimal exceedances estimate the number of compromised devices via:

$$m_{\mathrm{est}} \geq \left\lceil \frac{n \cdot \max(0, \Lambda_{S_j^t})}{L (e^\varepsilon - 1)} \right\rceil.$$

  • Attribute Correlation Detector: Monitors timewise evolution in pairwise correlations (e.g. Spearman, Pearson) against learned clean-data extremes, with deviation thresholds and population contamination estimates extracted similarly.
  • Stability Tracking Detector: Computes per-window sequences of bias metrics and evaluates their variance, maximum fluctuation, and first-order autocorrelation. Anomaly detection is triggered by simultaneous threshold breach across both similarity and correlation metrics, leveraging the fact that stealthy poisoning attempts struggle to maintain high temporal and inter-feature consistency.
  • Latent-Bias Feature Miner: Moves beyond single-point analysis by constructing per-device feature matrices via repeated random subsampling, extracting a suite of statistical metrics (mean, median, variance, KL-divergence, etc.) to form high-dimensional feature vectors. Classification algorithms (e.g. random forests) are then trained to localize poisoned records across devices and time.
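
A sketch of the Temporal Similarity Detector's band check and the m_est lower bound, which inverts the Section 2 bias bound; this is an added example, not PoisonCatcher's own code. It assumes Λ is the distance by which a query result leaves the band and that flagged windows are kept out of the baseline; the function names and all sample values are constructed for illustration.

```python
import math
from collections import deque

def estimate_poisoned(exceedance, n, L, eps):
    """Lower bound on poisoned devices:
    ceil(n * max(0, Lambda) / (L * (e^eps - 1)))."""
    return math.ceil(n * max(0.0, exceedance) / (L * (math.exp(eps) - 1)))

def scan(results, window, alpha, n, L, eps):
    """Check each per-window query result against the band
    [min(baseline) - alpha, max(baseline) + alpha].

    Returns a list of (t, exceedance, m_est) for the flagged windows.
    """
    baseline = deque(results[:window], maxlen=window)
    alerts = []
    for t in range(window, len(results)):
        q = results[t]
        lo, hi = min(baseline) - alpha, max(baseline) + alpha
        # Assumption: Lambda is how far the result lands outside the band.
        exceedance = max(lo - q, q - hi, 0.0)
        if exceedance > 0:
            alerts.append((t, exceedance, estimate_poisoned(exceedance, n, L, eps)))
        else:
            # Design choice of this sketch: only unflagged results extend the
            # baseline, so a poisoned window cannot widen the band for later ones.
            baseline.append(q)
    return alerts

# Constructed aggregate results (e.g. a mean over n = 200 LDP reports per window).
RESULTS = [0.48, 0.51, 0.50, 0.49, 0.52, 0.50, 0.60, 0.61, 0.51, 0.43]
ALERTS = scan(RESULTS, window=5, alpha=0.02, n=200, L=1.0, eps=0.5)

if __name__ == "__main__":
    for t, lam, m_est in ALERTS:
        print(f"t={t} exceedance={lam:.3f} m_est>={m_est}")
```

Because m_est is a lower bound, it indicates the minimum contamination consistent with the observed shift, not the actual number of compromised devices.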

PEEL leverages the algebraic structure of LDP outputs:

  • Sparsification: Transforms incoming LDP-protected vector $z_i$ into a one-sparse $s_i$ via Horvitz–Thompson sampling such that $\mathbb{E}[s_i \mid z_i] = t(z_i)$, preserving unbiased statistics.
  • Normalization: Converts $s_i$ into a z-scored $\tilde{s}_i$ where the unique nonzero entry has magnitude $\sqrt{k-1}$ ($k$ = vector dimension), and all other entries are $-1/\sqrt{k-1}$. This step maintains comparability across mechanisms.
  • Low-rank Projection: Projects $\tilde{s}_i$ onto a $(k-1)$-dimensional subspace via SVD-derived basis or random Gaussian mapping, yielding an encoded $y_i$. The aggregator reconstructs $\hat{s}_i$ via the appropriate left-inverse; for benign data $\hat{s}_i = \tilde{s}_i$, so $\|\hat{s}_i - \tilde{s}_i\|_2 = 0$.
  • Decision Rule: A sample is flagged as poisoned if the reconstruction residual $e_i$ exceeds a tunable threshold $\tau_{\rm benign} = O(\sigma_\varepsilon \sqrt{\log(1/\alpha)})$, where $\alpha$ bounds the false-positive rate.
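
A toy version of the normalization, projection and residual steps, added here as an example and not PEEL's own code. It swaps in a Helmert basis for the SVD-derived or Gaussian mapping, and assumes the residual is the distance from the decoded report to the nearest valid normalized codeword; the dimension, threshold and tampered report are constructed.

```python
import math

def codeword(j, k):
    """Normalized one-sparse vector: sqrt(k-1) at index j, -1/sqrt(k-1) elsewhere."""
    r = math.sqrt(k - 1)
    return [r if i == j else -1.0 / r for i in range(k)]

def helmert_basis(k):
    """k-1 orthonormal rows spanning the zero-sum subspace of R^k (assumed basis)."""
    rows = []
    for j in range(1, k):
        norm = math.sqrt(j * (j + 1))
        rows.append([1.0 / norm] * j + [-j / norm] + [0.0] * (k - j - 1))
    return rows

def encode(s, basis):
    """Client side: y = B s, the k-1 coordinates of s in the subspace."""
    return [sum(b * x for b, x in zip(row, s)) for row in basis]

def decode(y, basis):
    """Aggregator side: s_hat = B^T y, which inverts encode() on the subspace."""
    k = len(basis[0])
    return [sum(row[i] * c for row, c in zip(basis, y)) for i in range(k)]

def residual(y, basis):
    """Assumed residual: distance from s_hat to the nearest valid codeword."""
    s_hat = decode(y, basis)
    k = len(s_hat)
    return min(math.dist(s_hat, codeword(j, k)) for j in range(k))

def is_poisoned(y, basis, tau):
    """Decision rule: flag the report when its residual exceeds tau."""
    return residual(y, basis) > tau

K = 8                  # constructed vector dimension
TAU = 1e-6             # constructed threshold for this noise-free toy
BASIS = helmert_basis(K)
benign = encode(codeword(2, K), BASIS)
tampered = list(benign)
tampered[3] += 1.5     # constructed stand-in for a report altered after encoding

if __name__ == "__main__":
    print("benign residual  :", residual(benign, BASIS))
    print("tampered residual:", residual(tampered, BASIS))
```

Every valid codeword sums to zero, so it lies entirely in the (k-1)-dimensional subspace and survives the encode/decode round trip unchanged, which is why a benign report has zero residual.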

Both frameworks aim for post-LDP, aggregator-side operation, providing practicality in resource-constrained IIoT ecosystems.

4. Theoretical Guarantees and Empirical Results

Theoretical Properties

  • Privacy Preservation: Both PoisonCatcher and PEEL operations are aggregator-side post-processing on LDP-perturbed samples; thus, they inherit the post-processing immunity of $\varepsilon$-LDP guarantees.
  • Statistical Unbiasedness (PEEL):

$$\widehat\theta_{\rm PEEL} = Q(\hat{s}_1, \ldots, \hat{s}_n) \implies \mathbb{E}[\widehat\theta_{\rm PEEL}] = \mathbb{E}[\widehat\theta_{\rm LDP}] = \theta.$$

  • Accuracy Preservation (PEEL):

$$\mathrm{MSE}_{\rm PEEL} = \mathrm{MSE}_{\rm LDP} + O(1/n),$$

where the additional variance term remains negligible with proper parameterization.

Empirical Results

  • PoisonCatcher: Evaluated across six IIoT-relevant attack modes, the system demonstrates average precision of 86.17%, recall of 97.5%, and F2 scores exceeding 90.7% under diverse poisoning conditions (attack type, strength, and prevalence). Robustness is retained for poisoning ratios as low as 4% or privacy budgets as strict as $\varepsilon < 0.5$ (Shuai et al., 20 Dec 2024).
  • PEEL: On standard benchmarks (WWR, SBD) and for both output and rule poisoning at 5% contamination, PEEL achieved exact estimation of attacked samples and localization. Baselines such as DETECT and LDPGuard either overestimate attack rates or catastrophically fail under certain attack-mechanism combinations. PEEL also demonstrates client-side runtime overheads of approximately 10 µs per report and communication costs of ≈2 Kb/report, outperforming cryptographic and federated-learning approaches in both bandwidth and latency (Shuai et al., 30 Oct 2025).

5. Threat Models, Attack Generation, and Detection Limitations

Online retrained autoencoder-based detectors for Industrial Control Systems (ICS) present a distinct threat environment (Kravchik et al., 2020):

  • Malicious-Sensor Threat Model: Adversaries operate at the sensor front, injecting crafted telemetry with full knowledge of data, model, and retraining schedule, yet cannot access higher-layer control or detector parameters.
  • Poisoning Algorithms: Attacks are generated either by interpolation between benign and target attack vectors or via “optimal” back-gradient optimization that considers both model and retraining trajectory. Back-gradient methods decrease the required number of poison points, but interpolation is computationally more efficient.

Empirical evidence from SWaT and synthetic datasets shows that large-scale or impactful attacks are inherently hard to hide due to the overlapping internal structure of ICS time series and the multivariate, under-complete autoencoder architecture. Detection performance can be enhanced by:

  • Modeling multiple, correlated sensor streams jointly
  • Setting conservative (low) reconstruction error thresholds
  • Minimizing autoencoder code dimension relative to input
  • Maintaining a clean and temporally dispersed training buffer
  • Monitoring online loss curves for anomalous shifts
  • Randomizing retraining schedules

A plausible implication is that multivariate, sliding-window designs with sensitivity to correlation and stability are fundamental for robust poisoning detection in ICS and IIoT telemetry (Kravchik et al., 2020).

6. Implementation Pipelines and Performance Characteristics

A summary of implementation stages and computational characteristics for prominent frameworks is shown below.

| Framework | Key Pipeline Stages | Client-Side Cost |
|---|---|---|
| PoisonCatcher | Similarity baseline, correlation tracking, stability metrics, feature mining | Resource-free; all aggregator-side |
| PEEL | Sparsification, normalization, projection, residual thresholding | ~10μs/report, 2Kbits/report (Shuai et al., 30 Oct 2025) |
| Online Autoencoders | Sliding-window under-complete encoding, online retraining, MSE thresholding | Model training mainly at aggregator; sensor streams output raw data (Kravchik et al., 2020) |

PoisonCatcher and PEEL both eschew edge-side computation in favor of lightweight, server-side aggregation and decoding. PEEL’s communication overhead and runtime requirements are suitable for bandwidth- and latency-constrained settings. Both frameworks outperform prior art in accuracy and efficiency under a range of realistic poisoning scenarios.

Current consensus is that LDP, while protecting individual privacy, creates a fundamental indistinguishability that adversaries may exploit for stealthy attacks. Nevertheless, correlational, temporal, and pattern-based aggregation analyses are potent lines of defense against such threats, as matrixed validation across time, feature, and device domains outpaces what can be achieved by simple pointwise filters.

Challenges persist in adversarial settings where attackers can adapt to detection policies or co-opt the LDP mechanism (e.g., “rule-poisoning”). PEEL’s strategy of leveraging structural reversibility, and PoisonCatcher’s emphasis on cross-temporal and inter-attribute consistency, provide blueprints for future research.

Robust Telemetry Poisoning Detectors benefit from:

  • Multivariate, temporally-sensitive analysis
  • Conservative parameterization of detection thresholds
  • Periodic renewal and cleaning of training corpora
  • Server-side post-processing compatible with LDP
  • Lightweight, scalable encoding and classification pipelines

As telemetry poisoning tactics diversify, frameworks that amplify, rather than obscure, inherent statistical and structural features of LDP outputs will remain at the forefront of industrial and IoT security (Shuai et al., 20 Dec 2024, Shuai et al., 30 Oct 2025, Kravchik et al., 2020).
