RampoNN: A Reachability-Guided System Falsification for Efficient Cyber-Kinetic Vulnerability Detection
Abstract: Detecting kinetic vulnerabilities in Cyber-Physical Systems (CPS), vulnerabilities in control code that can precipitate hazardous physical consequences, is a critical challenge. This task is complicated by the need to analyze the intricate coupling between complex software behavior and the system's physical dynamics. Furthermore, the periodic execution of control code in CPS applications creates a combinatorial explosion of execution paths that must be analyzed over time, far exceeding the scope of traditional single-run code analysis. This paper introduces RampoNN, a novel framework that systematically identifies kinetic vulnerabilities given the control code, a physical system model, and a Signal Temporal Logic (STL) specification of safe behavior. RampoNN first analyzes the control code to map the control signals that can be generated under various execution branches. It then employs a neural network to abstract the physical system's behavior. To overcome the poor scaling and loose over-approximations of standard neural network reachability, RampoNN uniquely utilizes Deep Bernstein neural networks, which are equipped with customized reachability algorithms that yield orders of magnitude tighter bounds. This high-precision reachability analysis allows RampoNN to rapidly prune large sets of guaranteed-safe behaviors and rank the remaining traces by their potential to violate the specification. The results of this analysis are then used to effectively guide a falsification engine, focusing its search on the most promising system behaviors to find actual vulnerabilities. We evaluated our approach on a PLC-controlled water tank system and a switched PID controller for an automotive engine. The results demonstrate that RampoNN accelerates the process of finding kinetic vulnerabilities by up to 98.27% and offers superior scalability compared to other state-of-the-art methods.
Subjects: Cryptography and Security (cs.CR); Systems and Control (eess.SY)
Cite as: arXiv:2511.16765 [cs.CR]
(or arXiv:2511.16765v2 [cs.CR] for this version)
https://doi.org/10.48550/arXiv.2511.16765
arXiv-issued DOI via DataCite
Submission history
From: Kohei Tsujio
[v1] Thu, 20 Nov 2025 19:32:00 UTC (270 KB)
[v2] Wed, 1 Apr 2026 02:08:38 UTC (297 KB)
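The prune, rank, then falsify loop described in the abstract, as an added example that is not RampoNN's code: plain interval arithmetic over a known linear tank model stands in for the Deep Bernstein network reachability, and the STL property is G(h <= H_MAX). The tank parameters, branch names and the random-search falsifier are all constructed assumptions.

```python
import itertools
import random

# Constructed tank model: h' = h + DT*(u + d - K*h), |d| <= W (not from the paper).
DT, K, W, H_MAX, CYCLES = 1.0, 0.1, 0.05, 7.5, 5
H0 = (4.0, 5.0)                                  # initial level interval
MODES = {"off": 0.0, "low": 0.5, "high": 1.2}    # inflow set by each code branch

def step(h, u, d):
    return h + DT * (u + d - K * h)

def robustness_lower_bound(seq):
    """Lower bound on STL robustness of G(h <= H_MAX) over the reachable set."""
    lo, hi = H0
    worst = H_MAX - hi
    for mode in seq:
        # step() is monotone in h and d, so interval endpoints map to endpoints.
        lo, hi = step(lo, MODES[mode], -W), step(hi, MODES[mode], W)
        worst = min(worst, H_MAX - hi)
    return worst

def simulate(seq, h0, dist):
    """Robustness of one concrete trace (negative means the spec is violated)."""
    h, rob = h0, H_MAX - h0
    for mode, d in zip(seq, dist):
        h = step(h, MODES[mode], d)
        rob = min(rob, H_MAX - h)
    return rob

def prune_and_rank():
    """Split branch sequences into guaranteed-safe and ranked candidates."""
    bounds = {s: robustness_lower_bound(s)
              for s in itertools.product(MODES, repeat=CYCLES)}
    pruned = [s for s, b in bounds.items() if b > 0]
    ranked = sorted((s for s, b in bounds.items() if b <= 0), key=bounds.get)
    return pruned, ranked

def falsify(ranked, samples=50, seed=0):
    """Random-search falsifier that spends its budget in ranked order."""
    rng = random.Random(seed)
    for seq in ranked:
        for _ in range(samples):
            h0 = rng.uniform(*H0)
            dist = [rng.uniform(-W, W) for _ in seq]
            rob = simulate(seq, h0, dist)
            if rob < 0:
                return seq, h0, rob
    return None

if __name__ == "__main__":
    pruned, ranked = prune_and_rank()
    print(len(pruned), "pruned;", len(ranked), "candidates; found:", falsify(ranked))
```

A candidate with a negative lower bound is only potentially unsafe; the falsifier still has to produce a concrete initial level and disturbance sequence that violates the property.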