Article

Exposing Vulnerabilities: Physical Adversarial Attacks on AI-Based Fault Diagnosis Models in Industrial Air-Cooling Systems

by Stavros Bezyrgiannidis, Ioannis Polymeropoulos, Eleni Vrochidou and George A. Papakostas *
MLV Research Group, Department of Informatics, Democritus University of Thrace, 65404 Kavala, Greece
* Author to whom correspondence should be addressed.
Processes 2025, 13(9), 2920; https://doi.org/10.3390/pr13092920
Submission received: 20 August 2025 / Revised: 9 September 2025 / Accepted: 10 September 2025 / Published: 12 September 2025

Abstract

Although neural network-based methods have significantly advanced the field of machine fault diagnosis, they remain vulnerable to physical adversarial attacks. This work investigates such attacks in the physical context of a real production line. Attacks simulate failures or irregularities arising from the maintenance or production department during the production process, a scenario commonly encountered in industrial environments. The experiments are conducted using data from vibration signals and operational parameters of a motor installed in an industrial air-cooling system used for staple fiber production. In this context, we propose the Mean Confusion Impact Index (MCII), a novel and simple robustness metric that measures the average misclassification confidence of models under adversarial physical attacks. By performing a series of hardware-level interventions, this work aims to demonstrate that even minor physical disturbances can lead to a significant reduction in the model’s diagnostic accuracy. Additionally, a hybrid defense approach is proposed, which leverages deep feature representations extracted from the original classification model and integrates them with lightweight classifiers retrained on adversarial labeled data. Research findings underscore an important limitation in existing industrial artificial intelligence (AI)-based monitoring systems and introduce a practical, scalable framework for improving the physical resilience of machine fault diagnosis in real-world environments.

1. Introduction

The deployment of deep learning (DL) models in industrial predictive maintenance has significantly improved the ability to detect early-stage mechanical faults, particularly in complex electromechanical systems such as centrifugal ventilators [1,2]. Despite the demonstrated accuracy of DL models under nominal conditions, their vulnerability to real-world, non-standard disturbances remains a critical concern [3]. In particular, physical adversarial attacks—defined as deliberate or accidental mechanical interventions that alter the condition of hardware components or sensor setups—pose a tangible yet underexplored threat in industrial settings. Unlike digital attacks, which perturb data algorithmically, physical attacks directly manipulate the environment or equipment. Indicative examples of attacks on a physical level include adversarial stickers on traffic signs that mislead vehicle perception systems [4,5], printed visual patterns that confuse robotic arms [6], and actuator-level perturbations that alter the dynamics of industrial processes without triggering conventional alarms [7,8]. These physical perturbations, whether malicious (e.g., sabotage) or accidental (e.g., human error), can confuse a trained model into confidently misclassifying normal behavior as a critical fault, potentially triggering false alarms or unwarranted shutdowns. To investigate these challenges under real operating conditions, the present work focuses on a single centrifugal ventilator within a fiber production facility, operated by Thrace Nonwovens & Geosynthetics S.A. (Thrace NG), located in Xanthi, Greece (Figure 1) [9].
The selected ventilator belongs to a fleet of ten parallel centrifugal fans comprising the plant’s air-handling subsystem, where it contributes critically to airflow regulation during fiber extrusion and thermal bonding stages of production. The broader industrial setting under investigation is characterized by high production volumes, global export logistics, and frequent scheduled maintenance intervals—making it an ideal testbed for physically grounded robustness studies. Importantly, the existence of routine downtime allowed us to introduce controlled physical perturbations without affecting production. This enabled the capture of high-fidelity, attack-affected sensor data under operational dynamics, a scenario rarely available in academic research.
To this end, this work contributes to the growing field of robust industrial artificial intelligence (AI) by systematically evaluating the effect of five physical attack scenarios on DL fault classifiers, while proposing a hybrid defense mechanism. Specifically, we assess the susceptibility of ResNet50-1D and related models to misclassification when exposed to attacks such as misaligned sensors, impeller mass imbalance, or loose mechanical fittings. In this context, a novel custom metric is introduced, namely the Mean Confusion Impact Index (MCII), to assess adversarial robustness in machine learning models. Furthermore, we propose a hybrid defense strategy that combines deep feature extraction (via a frozen ResNet50-1D backbone) with known ML classifiers retrained on attack data labels. Our findings demonstrate that such hybrid architectures can significantly improve model resilience and diagnostic accuracy under adversarial conditions.
The motivation behind this work stems from the critical gap between the demonstrated accuracy of deep learning-based fault diagnosis models under controlled or digital adversarial conditions and their untested reliability under real-world physical disturbances. In industrial environments, minor mechanical irregularities—such as sensor misalignments, loose screws, or eccentric shaft fittings—can easily occur during maintenance or operation, either unintentionally or through malicious tampering. These disturbances may not represent genuine machine faults, yet they can mislead diagnostic models into producing highly confident but incorrect classifications, ultimately resulting in false alarms, unscheduled production stoppages, or overlooked failures. Despite the increasing adoption of predictive maintenance solutions, little attention has been given to systematically studying such physical adversarial scenarios in actual factory settings. Addressing this gap is essential for building trustworthy industrial AI systems that can ensure operational continuity and safety.
The rest of the paper is structured as follows. Section 2 summarizes related work and comparatively highlights the contributions of this work. Materials and methods are presented in Section 3, including details on the proposed methodology and the experimental setup. Results are presented and discussed in Section 4, while defense strategies are applied in Section 5. Finally, Section 6 discusses limitations and future work, and Section 7 concludes the paper.

2. Related Work and Contribution

Recent advances in deep learning have significantly improved the performance of industrial fault diagnosis systems. However, most models are highly sensitive to adversarial perturbations. While digital adversarial attacks—such as Fast Gradient Sign Method (FGSM) and Projected Gradient Descent (PGD)—have been extensively studied in the literature [10,11,12,13], the research on physical adversarial attacks in industrial systems remains comparatively sparse. In the following, related works addressing adversarial threats in vibration monitoring, sensor tampering, and mechanical systems are reviewed, aiming to highlight the contribution of this work.

2.1. Attacks on Machinery and Vibration Fault Diagnosis

Chen and Yan (2022) [14] investigated how fault diagnosis systems based on neural networks can be misled by imperceptible perturbations in vibration signals. Their experiments applied both time-domain and frequency-domain adversarial attacks—targeted and untargeted—and demonstrated a severe drop in classification accuracy across six common neural network architectures, including Convolutional Neural Networks (CNNs) and Long Short-Term Memory networks (LSTMs). Their results indicated that even minor changes to input signals could lead to highly confident misclassifications. Kim et al. (2024) [15] introduced the Spectrogram-Aware Ensemble Method (SAEM) to assess the real-world adversarial robustness of bearing fault diagnosis models. Unlike conventional methods such as FGSM or PGD, SAEM perturbs the spectral distribution of vibration signals, revealing hidden vulnerabilities in black-box attack scenarios and successfully deceiving multiple CNN-based classifiers. Zareapoor et al. (2020) [16] proposed an Oversampling Adversarial Network (MoGAN) designed to tackle the class imbalance problem in fault diagnosis. Their framework integrated a generator that produced synthetic fault samples and a discriminator that acted both as a classifier and a fault detector. This adversarial training approach improved the system’s ability to detect minority-class faults and increased robustness under skewed data distributions.
Shaik et al. (2025) [17] evaluated adversarial attacks on anomaly detection models in industrial control systems (ICS), particularly using the Tennessee Eastman Process (FTEP) dataset. Their study demonstrated that LSTM and Gated Recurrent Unit (GRU) models can be manipulated by adversarial examples to misclassify one fault type as another. The authors implemented a structured adversarial attack framework using both white-box and black-box strategies, providing a detailed evaluation of vulnerability in fault classification. Villegas-Ch et al. (2023) [18] addressed the problem of physical tampering in industrial sensors by developing an anomaly detection-based method to spot sabotage or manipulation. Their approach, tested under real industrial conditions, showed high accuracy in identifying sensor-level anomalies caused by physical disturbances before they could affect broader system behavior. Finally, Nematirad et al. (2024) [19] explored an acoustic-based online monitoring method for detecting cooling fan malfunctions in air-forced transformers. Using CNNs and Random Forests on time-frequency spectrograms of audio signals, they were able to classify fan conditions as normal or faulty. The study showed that small physical changes—such as fan misalignment or mechanical deformation—can significantly alter acoustic signatures and deceive learning-based models.

2.2. Attacks on Industrial Soft Sensors and CPS

Kong and Ge (2021) [20] demonstrated that by directly maximizing or minimizing soft sensor outputs without requiring true labels, their adversarial attacks generated smooth, plausible perturbations that maintained output consistency, effectively deceiving operators and compromising industrial soft sensor reliability. Guo et al. (2024) [21] introduced a novel adversarial attack framework, namely KAGAN, which leveraged knowledge-aided generative adversarial networks to craft realistic and imperceptible perturbations against deep learning-based soft sensors. Unlike traditional gradient-based attacks, KAGAN bypassed the need for transfer gradient estimation, achieving stable, rational adversarial samples that maintain process consistency. Their results exposed significant vulnerabilities in the reliability and security of deep learning soft sensors deployed in complex industrial environments. Zizzo et al. (2019) [22] studied adversarial attacks on LSTM-based intrusion detectors in Industrial Control Systems (ICS) networks. By subtly altering multiple sensor inputs, they induced false fault alarms while bypassing detection. Sun et al. (2022) [23] demonstrated that multi-sensor fusion leveraging complementary signals (e.g., vibration and sound) within a CNN framework significantly improved fault diagnosis accuracy and robustness under noisy industrial conditions, highlighting the advantage of integrating diverse sensor data to enhance model generalization.
Farwell and Rohozinski (2018) [24] and Giraldo et al. (2018) [25] highlighted significant vulnerabilities in cyber-physical systems (CPS), emphasizing that physical-layer attacks such as sensor tampering can bypass traditional cybersecurity measures. They stressed the necessity of integrating physical system behavior modeling with cybersecurity strategies to effectively detect and mitigate such attacks. Guo et al. (2017) [26] developed RIDS, a system that detected actuator and sensor spoofing in mobile robots using physical dynamics as validation. Kurakin et al. (2016) [27], Eykholt et al. (2018) [28] and Cao et al. (2020) [29] explored physical adversarial examples in computer vision systems, applying printed patterns and stickers to mislead classifiers. Though not mechanical, these studies underscore the real-world feasibility of adversarial deception. Nguyen et al. (2024) [30] extended this line of work by conducting an extensive analysis of vulnerabilities across multiple sensor modalities—including optical (e.g., facial recognition spoofing) and acoustic (e.g., ultrasound injection) channels. Their work highlighted challenges in real-world deployments, such as environmental variability, physical constraints, and sensor sensitivity, which mirror those found in vibration-based industrial monitoring systems.

2.3. Methodologies, Benchmarks, and Defense Strategies

Pozdnyakov et al. (2024) [31] performed a systematic adversarial benchmarking study using the Tennessee Eastman Process dataset. They evaluated the robustness of Multi-Layer Perceptron (MLP), GRU, and Temporal Convolutional Network (TCN) models under white-box and black-box attacks. GRUs were found to be the most robust, while MLPs were more prone to failure. The study also showed that adversarial training was beneficial in black-box scenarios but had a limited effect in white-box settings. Guo et al. (2024) [32] showed that while adversarial-based deep transfer learning (ADTL) techniques enhanced generalization to unseen machinery, they remained vulnerable to adversarial noise unless coupled with domain-aware defenses. Additionally, they emphasized the lack of standardized benchmarks and urged the incorporation of physical constraints and expert knowledge to ensure robustness in industrial deployments. Chen et al. (2024) [33] proposed the TFN model, a CNN with embedded time–frequency transform layers, which improved interpretability and showed enhanced robustness in noisy environments for fault diagnosis. Abadi (2021) [34] suggested that adversarial threats might compromise condition-based maintenance systems by falsifying inputs. Yin et al. (2023) [35] investigated transferable adversarial attacks in industrial intelligent systems and highlighted vulnerabilities across different models and environments, emphasizing the practical security risks in Industrial Internet of Things (IIoT) contexts.
In their recent work, Pozdnyakov et al. (2024) [36] systematically classified adversarial strategies and corresponding defenses—such as adversarial training, input denoising, and ensemble methods—establishing a modular framework that could support future hybrid or transfer-learning-based countermeasures in industrial AI systems. Wang et al. (2023) [37] conducted a comprehensive survey of physical adversarial examples, analyzing their characteristics, generation methods, real-world testbed implementations, and defense strategies. Their study also emphasized the challenges posed by physical-world constraints, such as environmental variability and sensor limitations, and highlighted the need for benchmarks that reflect real industrial setups. Ullah et al. (2024) [38] proposed an adaptive learning-driven multi-teacher knowledge distillation framework that improves model robustness against adversarial attacks by leveraging diversified knowledge from multiple pre-trained classifiers (teachers). Shi et al. (2022) [39] examined how multi-scale signal fusion increases resistance against perturbations in rotating equipment monitoring. Finally, Moosavi-Dezfooli et al. (2016) [40] introduced the DeepFool algorithm to compute minimal adversarial perturbations in image classification tasks. Although originally focused on vision systems, their work laid a theoretical foundation that inspired subsequent research on adversarial vulnerabilities in physical and industrial domains.

2.4. Comparison with Recent Approaches

To better highlight the novelty and practical contribution of this study, a comparative analysis with recent related works is provided. Table 1 summarizes the main characteristics and findings of state-of-the-art approaches and contrasts them with the present work.
Overall, the comparative analysis with the most recent related studies reveals several key distinctions between this study and recent approaches. First, whereas most prior works have evaluated adversarial robustness through digitally generated perturbations (e.g., FGSM/PGD, spectral-domain attacks, GAN-based samples) on laboratory or simulated datasets, the present work demonstrates that physical perturbations applied directly to industrial machinery induce equally systematic misclassifications. Second, while process-oriented benchmarks such as the Tennessee Eastman Process or soft-sensor simulations have provided valuable insights, they remain detached from the mechanical complexity of rotating equipment. In contrast, this study introduces a real-world benchmark in vibration-based fault diagnosis, capturing the interplay between mechanical faults, sensor dynamics, and diagnostic robustness. Third, existing defenses have primarily relied on adversarial training, robust neural architectures, or sensor fusion, which, although effective, are computationally heavy or limited to stochastic noise. The hybrid defense strategy proposed here—combining a frozen ResNet50-1D backbone with lightweight ML heads—offers a practical and computationally efficient alternative that maintains accuracy while reducing attack-induced confusion. Taken together, these differences highlight that the present study complements and extends recent works by bridging the gap between digital adversarial research and industrial practice, while also introducing a defense strategy tailored to operational requirements.

2.5. Contribution

Despite the growing interest in physical adversarial attacks, most works focus on simulations, synthetic perturbations, or purely digital threats. In contrast, our work implements five realistic physical attacks that emulate common operator mistakes and maintenance flaws—such as misaligned sensors, loose fasteners, and improper shaft installations. These scenarios reflect everyday plant conditions rather than hypothetical adversarial intents.
To our knowledge, this is the first work to systematically evaluate the robustness of deep learning models under real-world physical disturbances caused by human error in a ventilator motor system. Our framework provides a reproducible benchmark combining sensor-level perturbation with multi-feature input (vibration, current, temperature) and introduces physical realism into the adversarial robustness discourse. Moreover, in this work, the Mean Confusion Impact Index (MCII) is introduced, referring to a novel and simple robustness metric that aims to quantify the average misclassification confidence of models under adversarial physical attacks.

3. Materials and Methods

3.1. Proposed Methodology

This work aims to investigate the vulnerability of deep learning-based industrial fault diagnosis systems to real-world physical adversarial attacks and to propose a practical defense strategy. To this end, the study is guided by the following overarching research questions:
  • RQ1: How do real-world physical disturbances affect the reliability of AI-based fault diagnosis systems in industrial environments? This question seeks to empirically evaluate how subtle physical interventions (e.g., sensor misalignment, mechanical imbalance) affect the predictive behavior and classification confidence of deep learning models under real production conditions.
  • RQ2: What defense strategy can enhance the resilience of such systems against adversarial conditions? This question examines the effectiveness of modular, transfer-learning-based defense mechanisms in mitigating adversarial confusion and whether such architectures can maintain high diagnostic integrity under tampered scenarios.
The research roadmap adopted in this work is structured around a two-phase robustness framework that targets the evaluation and defense of deep learning-based fault diagnosis systems against real-world physical adversarial attacks, as illustrated in Figure 2.
PHASE I: In the first phase, we apply five physically grounded perturbations—designed to emulate common operator-induced mechanical anomalies—on an operational industrial ventilation system and systematically evaluate the response of state-of-the-art neural network models. In our previous work [41], we benchmarked various DL architectures on their ability to classify fault types across four operational air ventilators embedded in an active fiber production line. The study aimed to identify the most robust and accurate models for detecting faults such as bearing damage, impeller unbalancing, and support cracking, even under fluctuating operating conditions. The outcomes support the feasibility of deploying DL models for industrial fault detection beyond laboratory environments, thereby bridging the gap between academic research and production-level predictive maintenance. Therefore, the best four pretrained architectures previously validated for their diagnostic accuracy based on the results of [41], namely ResNet50-1D, CNN-1D, BiLSTM, and BiLSTM with Attention, are exposed to real attack scenarios such as sensor misalignment, loose mounting bolts, shaft eccentricity, and artificial rotor unbalancing. The aim is to assess which model exhibits the highest natural resilience under these perturbations by quantifying their vulnerability using the Mean Confusion Impact Index (MCII), a metric designed to measure how confidently each model misclassifies adversarial inputs as legitimate fault conditions. The model with the combination of the best fault diagnostic performance and lowest Mean Confusion Impact Index is selected as the most robust backbone candidate for subsequent defense enhancement.
PHASE II: In the second phase, the selected DL backbone is repurposed via transfer learning to construct an adversarially resilient hybrid classifier. Instead of retraining the entire network, we extract high-level latent features from the penultimate layer of the frozen backbone and retrain only the classification head using labeled data collected under physical attack conditions. A series of lightweight machine learning models—such as Random Forest, LightGBM, SVM, and XGBoost—are tested as alternative classifier heads. These models are evaluated based on their ability to suppress adversarial confusion and preserve classification integrity across all attack scenarios. The final defense mechanism is defined as the combination of the most resilient backbone model from Phase I with the most robust classifier head from Phase II, thereby creating a hybrid architecture specifically optimized to maintain fault diagnosis accuracy even under real-world adversarial interferences.
This two-stage methodology uniquely integrates empirical robustness evaluation with modular defense design and provides a systematic pipeline for enhancing model reliability in industrial predictive maintenance settings. By focusing on physically plausible perturbations rather than synthetic noise, and by combining deep feature extraction with classical decision-making mechanisms, the proposed framework addresses both practical deployment concerns and theoretical robustness gaps in current industrial AI systems.
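The two phases above can be tried end to end on constructed data. The following block is an added example written for this page, not code from the paper or its authors: a fixed feature map stands in for the frozen ResNet50-1D backbone, a nearest-centroid head stands in for the Random Forest / LightGBM / SVM / XGBoost heads, the seven-feature prototypes are invented numbers, and the `fault_confusion` function implements only the plain-language description of what the MCII measures (average confidence of wrong fault predictions on tampered-but-healthy windows); the paper's actual MCII formula is not given in this section, so that function is an assumption rather than the paper's metric. The point it demonstrates is the Phase II mechanism: the same frozen embeddings are fed to both heads, and only refitting the head with attack-labelled windows turns a confident false "unbalance" diagnosis into an "attack" label.

```python
import math
import random

# Classes of the original fault model: the three degradation modes named on the page plus normal
FAULT_CLASSES = ["normal", "bearing", "unbalance", "support_crack"]
FAULT_LABELS = {"bearing", "unbalance", "support_crack"}
ATTACK_CLASS = "attack:impeller_add_weight"   # extra label used only when the head is retrained

# Constructed 7-feature prototypes in page order (aRMS, aPeak, vRMS, CF, rpm, temp, amps).
# Illustrative numbers only, not values from the paper's dataset.
PROTOTYPES = {
    "normal":        [1.0, 3.0, 1.5, 3.0, 1480.0, 45.0, 9.0],
    "bearing":       [2.5, 12.0, 2.0, 4.8, 1480.0, 52.0, 9.3],
    "unbalance":     [1.8, 5.0, 4.0, 2.8, 1480.0, 47.0, 9.8],
    "support_crack": [1.4, 6.0, 2.8, 4.3, 1480.0, 46.0, 9.1],
    ATTACK_CLASS:    [1.7, 4.8, 3.6, 2.8, 1480.0, 46.0, 9.6],  # looks like unbalance; machine is healthy
}

def sample_windows(rng, label, n, spread=0.02):
    """n constructed windows around a prototype with multiplicative Gaussian jitter."""
    return [[c * (1.0 + rng.gauss(0.0, spread)) for c in PROTOTYPES[label]] for _ in range(n)]

_REF = PROTOTYPES["normal"]

def backbone(window):
    """Stand-in for the frozen backbone: a fixed map from 7 features to a 3-dim
    penultimate-layer embedding. Not the paper's ResNet50-1D; what matters is that it
    is frozen, so both heads below see exactly the same embeddings."""
    z = [x / r - 1.0 for x, r in zip(window, _REF)]   # deviation from healthy operation
    return [z[0] + z[2], z[1] + z[3], z[5] + z[6]]     # energy, impulsiveness, electro-thermal axes

def fit_head(labelled):
    """Lightweight classifier head: one centroid per label in embedding space
    (a stand-in for the RF / LightGBM / SVM / XGBoost heads the page tests)."""
    sums, counts = {}, {}
    for emb, label in labelled:
        acc = sums.setdefault(label, [0.0] * len(emb))
        for i, e in enumerate(emb):
            acc[i] += e
        counts[label] = counts.get(label, 0) + 1
    return {label: [s / counts[label] for s in acc] for label, acc in sums.items()}

def predict(head, emb, temperature=0.5):
    """Softmax over negative squared centroid distances -> (label, confidence)."""
    scores = {lab: -sum((e - c) ** 2 for e, c in zip(emb, cen)) / temperature
              for lab, cen in head.items()}
    top = max(scores.values())
    exps = {lab: math.exp(s - top) for lab, s in scores.items()}   # shift for numerical safety
    label = max(exps, key=exps.get)
    return label, exps[label] / sum(exps.values())

def fault_confusion(head, embeddings):
    """Rate at which healthy-but-tampered windows are classified as a fault, and the mean
    confidence of those wrong fault predictions. Follows the page's description of what
    the MCII measures; the paper's exact formula is not in this section, so this is an
    assumption, not the paper's metric."""
    wrong = [conf for lab, conf in (predict(head, e) for e in embeddings) if lab in FAULT_LABELS]
    rate = len(wrong) / len(embeddings)
    return {"rate": rate, "confidence": sum(wrong) / len(wrong) if wrong else 0.0}

def run_defense_experiment(n=50, seed=7):
    rng = random.Random(seed)
    # Phase I style: the original head knows only the four fault classes
    train = [(backbone(w), lab) for lab in FAULT_CLASSES for w in sample_windows(rng, lab, n)]
    original_head = fit_head(train)
    attack_embs = [backbone(w) for w in sample_windows(rng, ATTACK_CLASS, n)]
    before = fault_confusion(original_head, attack_embs)
    # Phase II style: the backbone stays frozen, only the head is refit with attack-labelled data
    hybrid_head = fit_head(train + [(e, ATTACK_CLASS) for e in attack_embs])
    held_out = [backbone(w) for w in sample_windows(rng, ATTACK_CLASS, n)]   # unseen attack windows
    after = fault_confusion(hybrid_head, held_out)
    return {"before": before, "after": after}

if __name__ == "__main__":
    print(run_defense_experiment())
```

Before the head is refit, every constructed attack window is assigned to a fault class (mostly "unbalance") with a confidence above 0.9; after refitting on the same frozen embeddings, held-out attack windows go to the attack label and the fault-confusion rate drops to about zero. In a real deployment the attack-labelled windows used for refitting and for evaluation would come from separate production stops rather than from the same generator.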

3.2. Experimental Setup

The experimental setup consists of a 7.5 kW VFD-driven motor coupled with a VVB001 type vibration sensor, installed on the housing of the ventilator system. The motor’s operational parameters, specifically rotational speed (rpm) and current (amps), are monitored in real time via a WinCC SCADA system, which communicates with the PLC controlling the motor drive unit using the Modbus-TCP/IP protocol. Simultaneously, the VVB001 sensor records vibration acceleration (m/s²) and temperature (°C), with data acquisition handled by the moneo software (version 1.16). To enable integrated monitoring and centralized storage, both WinCC and moneo exchange data through the OPC-UA protocol, while Microsoft Message Queuing Services (MSMQ) facilitates the reliable transmission of collected information from WinCC to the Process Historian Acquisition server. This architecture ensures synchronized logging of both electrical and mechanical signals, enabling comprehensive analysis. Historical data are exported in .xlsx format to support subsequent processing and machine learning model development. Figure 3 illustrates the total equipment and network setup on the ventilator motor, along with the data flow diagram.

3.3. Physical Attacks’ Data Capturing

A total of five different physical attacks were conducted on the ventilator motor, shown in Figure 4. The planning and execution of these interventions were carried out in collaboration with the plant’s production and maintenance departments.
To enable a systematic investigation of adversarial robustness under real industrial conditions, a dedicated dataset was constructed during the execution of the five planned physical attack scenarios on the ventilator motor. Vibration signals were recorded in 4 s windows at 1 min intervals (25 kHz sampling frequency), while additional operational parameters (motor speed, current, and temperature) were simultaneously logged through the integrated SCADA and sensor infrastructure (Figure 3). From the raw vibration signals, four key features (aRMS, aPeak, vRMS, Crest Factor) were extracted using the moneo software. Together with the logged operational parameters, these formed a set of seven representative features organized into a structured multivariate time series, aligned with the timeline of each attack and the corresponding normal operating states. The resulting dataset spans multiple days of scheduled production downtime interventions and constitutes a unique resource that combines both controlled adversarial physical perturbations and authentic industrial operating dynamics. The datasets of the attacks are openly available to the research community through our public repository, enabling transparent reproducibility and further advancements in industrial AI robustness research. A brief presentation of each physical attack scenario and the corresponding data-collection information is provided in the following (Figure 4):
  • Misaligned Sensor: The vibration sensor was deliberately repositioned away from its optimal mounting location. Specifically, the sensor was detached and reattached with a lateral offset of approximately 5 mm and a rotational misalignment of ~15° relative to its original axis, in order to introduce distortions in the captured signals (Figure 4a).
  • Loose Motor Foot: One of the mounting bolts of the motor base was deliberately loosened. The bolt was unscrewed with a controlled torque to induce partial destabilization without complete detachment (Figure 4b).
  • Eccentric Shaft: The shaft had sustained wear from a previously installed bearing inner ring. The old bearing had left a circumferential groove (shoulder/pit) on the shaft surface. A new bearing was subsequently mounted without restoring the original shaft geometry, resulting in an improper and eccentric fit. This led to non-uniform support and slight misalignment between the shaft and bearing axis, producing asymmetric vibration patterns during operation (Figure 4c).
  • Loose Bearing Cap: The bolts securing the bearing housing were partially unscrewed from their fully tightened position. This action reduced the preload on the bearing cover, causing minor mechanical instability without complete disassembly (Figure 4d).
  • Impeller Add Weight: A small neodymium magnet was securely attached to the impeller at a location approximately 3 cm from the base of the blade. This eccentric mass placement introduced a controlled imbalance in the rotating system, altering its inertia and causing increased centrifugal loading. The modification was performed carefully to avoid mechanical damage, aiming to produce a detectable shift in the vibration profile (Figure 4e).
Each physical attack was implemented during a corresponding scheduled 8 h production stop, which was allocated for spinnerets changeover operations. This ensured that the interventions could be carried out safely and without disrupting regular production (Figure 5).
The design of the attack scenarios was guided by the most frequent faults recorded in the CMMS logs of the production line. In our previous study on ventilator fault diagnosis [41], three degradation modes—bearing failures, impeller unbalancing, and support cracking—were documented multiple times in the same equipment. Building on these findings, the adversarial interventions introduced in the present work were deliberately chosen to reproduce the vibration signatures of these recurrent degradation mechanisms, while remaining fully non-destructive and reversible. This reflects a necessary compromise: the attacks were applied during scheduled production stops in a way that avoided any risk of permanent machine damage yet still generated signals closely resembling the early manifestations of real industrial faults. In this way, the attack dataset complements the previously established fault dataset by bridging authentic long-term degradation and controlled adversarial manipulation, providing a meaningful benchmark for evaluating diagnostic model robustness.
From the raw 4 s vibration signal of the moneo sensor, four vibration-related features were extracted at 1 min intervals. These are part of a total of seven features, with the vibration features including:
  • Acceleration Root Mean Square (aRMS): Quantifies the overall vibration energy by averaging the squared acceleration values over time. It reflects the intensity of oscillatory motion in terms of acceleration. High aRMS indicates persistent mechanical stress, typically due to imbalance, misalignment, or progressive wear. It is sensitive to sustained abnormalities, rather than transient events.
  • Acceleration Peak (aPeak): Measures the maximum instantaneous acceleration within a given time window. It captures the strongest single vibration spike. High aPeak suggests the presence of sudden mechanical shocks, impacts, or momentary looseness, and it is highly sensitive to intermittent events that do not last long enough to significantly raise aRMS.
  • Velocity Root Mean Square (vRMS): Calculates the RMS of vibration velocity, a quantity that reflects how fast oscillatory motion occurs over time. It is especially relevant in the mid-frequency range of rotating machinery. It is a strong indicator of mechanical resonance, imbalance, and structural fatigue. It is often used to assess long-term degradation or imbalance conditions.
  • Crest Factor (CF): The ratio of the peak acceleration to the RMS acceleration (aPeak/aRMS), representing the impulsiveness or spikiness of the vibration signal. High CF indicates sharp, transient disturbances, while low CF indicates smooth, consistent vibration, possibly due to steady-state imbalance.
The remaining three features are motor-related:
  • Motor Speed (rpm) is included as a core input feature because the vibration response is inherently speed-dependent: providing an ML or DL model with RPM information enables it to learn fault-specific patterns across varying operating conditions, improving both accuracy and robustness in a real production environment. If the model does not “know” the motor speed, it cannot relate observed vibration frequencies to expected fault patterns under varying loads.
  • Motor Temperature (°C) was included as a contextual feature to enrich the diagnostic capability of the model used. Although not a direct fault indicator in most cases, temperature provides valuable insight into thermal stress, load conditions, and the progression of mechanical wear. Its inclusion helps the model differentiate between vibration anomalies caused by faults and those driven by thermal operating conditions.
  • Motor Current (Amps) was included as a final complementary feature reflecting the electromechanical interaction within the system. Mechanical faults such as imbalance, shaft misalignment, or bearing degradation often lead to increased or unstable current draw. Including current as a feature enables early detection of faults that impact torque or load characteristics and improves fault separability in conjunction with vibration-based features.
Figure 6 indicatively illustrates the vibration and motor load behavior of the seven features during the roughly 16-day “Eccentric Shaft Fit” attack in February.
This structured execution of five physical attack scenarios allowed us to induce real-world perturbations in the ventilator motor system and capture rich, feature-based datasets under controlled yet realistic conditions. These datasets serve as a critical foundation for evaluating how vulnerable our baseline classification models are to such physical interferences. In the following section, this experimental framework is used to rigorously assess the robustness of the best-performing fault diagnostic model as defined in [41] under these adversarial conditions, identifying key limitations and motivations for a stronger defense mechanism.

4. Robustness Testing Under Physical Attacks

In this section, we experimentally evaluate the robustness of four state-of-the-art deep learning models—ResNet50-1D, CNN-1D, BiLSTM, and BiLSTM with Attention mechanism—when exposed to five different physical attack scenarios conducted on an operational industrial ventilation system. These models were selected based on their previously validated performance, as reported in [41], in which ResNet50-1D emerged as the most accurate architecture for fault diagnosis in the evaluation of deep learning models. However, its resilience under real-world physical disturbances remains an open question. High diagnostic performance alone does not guarantee robustness against unexpected physical perturbations that can arise in operational settings. Therefore, in this work, we focus on assessing the physical robustness of ResNet50-1D compared to the next three best alternative architectures, CNN-1D, BiLSTM, and BiLSTM with Attention, when subjected to our five deliberately introduced physical attack scenarios. The aim is to determine comparatively which one of the four DL models can best maintain its classification integrity under deliberate physical attacks, and whether it is suitable enough as a reliable backbone for building a defense strategy against physical-level adversarial interference.
The deep learning architectures employed in this work were adopted from our previous study [41], where they were developed and validated for fault diagnosis in industrial ventilator motors. All models were trained using the Adam optimizer (learning rate = 1 × 10−4), categorical cross-entropy loss, a batch size of 32 and 100 epochs, with a final SoftMax layer producing outputs for the four classes (Normal, Bearing Fault, Impeller Unbalancing, Support Cracking). Input sequences were segmented into fixed windows of 10 timesteps for the LSTM-based models and 50 timesteps for the convolutional models (CNN-1D and ResNet50-1D). These values were determined empirically to strike a balance between temporal context and computational efficiency. Each timestep comprised seven features (vRMS, aRMS, aPeak, Crest Factor, Motor Speed, Temperature, and Current). The adopted architectures are summarized in Figure 7.
To assess their behavior under physical interference, first, each model is tested against real data collected during controlled physical attacks, including motor base loosening, sensor misalignment, and artificial unbalancing of the impeller. The core objective is to identify how often these physical attacks cause false classifications into actual fault categories, and to determine which architecture maintains the highest decision reliability. It should be emphasized that the confusion heatmaps presented in Figure 7 do not correspond to standard confusion matrices with a diagonal structure. This is because, at this stage, no retraining was performed on adversarial data; instead, the physical attack scenarios were directly tested on a pre-trained fault diagnosis model. Since attacks do not constitute genuine fault categories with explicit ground truths, no one-to-one mapping between rows and columns exists. As a result, the heatmaps illustrate how each perturbation is misinterpreted as an existing fault class rather than reporting correct-versus-incorrect classifications. This distinction underlines that the matrices capture attack-induced biases in prediction rather than conventional diagnostic accuracy. This approach provides a more meaningful evaluation of robustness, as it quantifies the degree to which attacks systematically bias predictions toward specific fault categories rather than measuring standard classification accuracy.
Next, Figure 8 illustrates the attack-to-fault misclassification heatmaps obtained when the four models are subjected to the five physical attack scenarios. It should be clarified that these are not typical confusion matrices of classification outcomes, but rather heatmaps specifically designed to illustrate the misclassifications induced by adversarial attack scenarios.
The normalized values in Figure 8 represent the proportion of predictions that each of the four DL models assigned to each fault class when subjected to the corresponding attack scenario. For example, on the ResNet50-1D fault classification model, a misaligned sensor is predominantly misclassified as Normal (50.4%) or Support Cracking (35.8%), indicating that sensor displacement closely mimics stable or structural loosening conditions. A loose motor foot is most frequently interpreted as Support Cracking (66.9%), reflecting the mechanical instability induced by base loosening. The eccentric shaft fit is overwhelmingly confused with Normal operation (68.7%), which suggests that this perturbation produces vibration signatures that resemble baseline conditions and can therefore escape detection. In contrast, a loose bearing cap is strongly predicted as a Bearing fault (61.2%), aligning with the mechanical stress imposed on the shaft-bearing interface. Finally, the added impeller weight is almost exclusively classified as Impeller Unbalancing (89.3%), since the induced imbalance produces vibration characteristics analogous to genuine impeller faults. These results collectively demonstrate that adversarial perturbations do not lead to random misclassifications but instead induce systematic biases toward specific fault classes, thereby exposing consistent vulnerabilities in the diagnostic decision process.
Overall, each attack-to-fault misclassification heatmap reveals the extent to which adversarial physical attacks mislead the four DL models into misclassifying attack scenarios as legitimate fault classes. Notably, CNN-1D and BiLSTM exhibit consistently high-confidence misclassifications—often assigning a dominant probability to a single fault class under attack. For example, the ‘Impeller Add Weight’ attack is almost entirely confused with Impeller Unbalancing across all models, indicating a critical vulnerability. The ResNet50-1D model, while slightly more balanced in its predictions across some attack types, still shows strong misclassification patterns, especially for ‘Loose Bearing Cap’. The 2BiLSTM + Attention model appears marginally more diffused in its classification responses, particularly under ‘Misaligned Sensor’ and ‘Eccentric Shaft Fit’ attacks, where its predictions are more distributed across multiple classes, potentially reflecting higher robustness or lower certainty.
At this point, it is crucial to highlight that while all models suffer from varying degrees of adversarial confusion, their responses differ in confidence concentration, which motivates the need for a unified quantitative indicator to assess misclassification severity across architectures.
Previous works have introduced metrics such as n-MeRCI to assess the correlation between predicted uncertainty and error rates [42], and statistical models for confusion matrix uncertainty [43]. Inspired by these, we propose here the Mean Confusion Impact Index (MCII), a novel and simple robustness metric that measures the average misclassification confidence per model under adversarial physical attacks. While traditional confusion matrices offer qualitative insights into class-specific confusions, the MCII condenses the most confident misclassification per attack into a single interpretable percentage score. For a given normalized confusion matrix $C \in \mathbb{R}^{n \times m}$, where each of the $n$ rows corresponds to an attack type and each of the $m$ columns to a predicted fault class, MCII is defined as:
$$\mathrm{MCII} = \frac{1}{n} \sum_{i=1}^{n} \max_{j} C_{ij}$$
where
  • n = total number of attack scenarios;
  • i = index of the attack scenario (row of the confusion heatmap);
  • j = index of the predicted fault class (column of the confusion heatmap);
  • $C_{ij}$ = normalized proportion of predictions where attack scenario $i$ is classified as fault class $j$;
  • $\max_{j} C_{ij}$ = the maximum misclassification confidence for attack $i$, i.e., the fault class in which the model most strongly confuses that attack.
This captures the average strength with which a model confuses an attack scenario with a real fault, i.e., the degree to which the model is confidently deceived. A higher MCII indicates that the model is highly vulnerable, confidently mapping attacks to specific fault classes. Conversely, a lower MCII reveals a more robust model that exhibits higher uncertainty or distributes its predictions across multiple fault categories when facing attack inputs.
Although a variety of robustness indicators have been proposed in the literature, including entropy-based uncertainty scores [44], margin-based confidence gaps [45], calibration measures such as expected calibration error (ECE) [46], and attack success rate (ASR) [47], each has limitations in the context of industrial diagnostics. Entropy and margin metrics quantify how confident or uncertain a model is, but they do not reveal where the decision error is directed. Calibration errors provide insight into overall probability reliability but lack class-specific resolution. Similarly, ASR reduces adversarial outcomes to a binary success/failure metric, overlooking systematic misclassification patterns.
MCII addresses this gap by capturing the average confidence with which adversarial perturbations are mapped into specific fault classes. For example, in our experiments, the Impeller Add Weight attack was consistently misclassified as Impeller Unbalancing with an MCII of 0.89, indicating not just that the model failed, but that it did so in a systematic and confident manner towards one fault category. In contrast, the Misaligned Sensor attack produced lower MCII values (≈0.50), reflecting weaker but still directional bias toward the Normal class. This fault-oriented perspective is particularly relevant in predictive maintenance: while uncertainty scores indicate that a model is “less certain,” MCII explicitly shows whether attacks mislead the system into confident but incorrect diagnoses, potentially triggering costly or unnecessary interventions. Thus, MCII complements entropy- and margin-based robustness indicators by providing a more interpretable, application-driven metric that links adversarial misclassifications directly to fault categories of industrial concern.
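As an added example (not code from the paper), the block below computes MCII over a normalized attack-to-fault heatmap and contrasts it with a row-entropy score, which is the distinction drawn above: entropy says how spread out the predictions are, MCII and the argmax say how confidently and toward which fault class they are misdirected. The dominant entry of each row is the ResNet50-1D percentage reported for Figure 8; all other cells, and the `batch_confusion_ratio` reading of a per-batch dominant-class share, are constructed assumptions.

```python
import math

CLASSES = ["Normal", "Bearing Fault", "Impeller Unbalancing", "Support Cracking"]

# Constructed attack-to-fault heatmap for the ResNet50-1D model. The dominant
# entry of each row is the value reported in the text for Figure 8; the
# remaining cells are constructed so that every row sums to 1.
HEATMAP = {
    "Misaligned Sensor":   [0.504, 0.069, 0.069, 0.358],
    "Loose Motor Foot":    [0.151, 0.100, 0.080, 0.669],
    "Eccentric Shaft Fit": [0.687, 0.113, 0.100, 0.100],
    "Loose Bearing Cap":   [0.150, 0.612, 0.138, 0.100],
    "Impeller Add Weight": [0.050, 0.037, 0.893, 0.020],
}


def validate_heatmap(heatmap, tol=1e-6):
    """Each row must be a probability distribution over the fault classes."""
    for attack, row in heatmap.items():
        if len(row) != len(CLASSES) or abs(sum(row) - 1.0) > tol or min(row) < 0:
            raise ValueError(f"row for {attack!r} is not a normalized distribution")
    return True


def mcii(heatmap):
    """Mean Confusion Impact Index: mean over attacks of the row maximum."""
    validate_heatmap(heatmap)
    return sum(max(row) for row in heatmap.values()) / len(heatmap)


def confusion_direction(heatmap):
    """Per attack: the fault class absorbing most predictions and its confidence."""
    out = {}
    for attack, row in heatmap.items():
        j = max(range(len(row)), key=row.__getitem__)
        out[attack] = (CLASSES[j], row[j])
    return out


def normalized_entropy(row):
    """Row entropy scaled to [0, 1]; 1 means predictions spread uniformly.
    It measures uncertainty only and says nothing about which class absorbs the error."""
    h = -sum(p * math.log(p) for p in row if p > 0)
    return h / math.log(len(row))


def batch_confusion_ratio(predictions):
    """Share of a batch's predictions falling in its single dominant class
    (a hypothetical reading of the per-batch confusion ratio of Figure 9)."""
    counts = {}
    for p in predictions:
        counts[p] = counts.get(p, 0) + 1
    return max(counts.values()) / len(predictions)


if __name__ == "__main__":
    print(f"MCII = {mcii(HEATMAP):.3f}")
    for attack, (cls, conf) in confusion_direction(HEATMAP).items():
        ent = normalized_entropy(HEATMAP[attack])
        print(f"{attack:20s} -> {cls:20s} conf={conf:.3f} entropy={ent:.2f}")
```

On this constructed matrix the Misaligned Sensor row has a much higher entropy than the Impeller Add Weight row, yet both are directional: the first toward Normal, the second toward Impeller Unbalancing. MCII keeps that direction and its confidence, which is what a maintenance planner needs to know when an attack could trigger an impeller-related intervention.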
Table 2 summarizes both the baseline diagnostic performance and the behavior under physical attack conditions, for all models. The original performance metrics—including accuracy, precision, recall, and F1-score—are derived from the earlier evaluation conducted in the study by Polymeropoulos et al. [41], where ResNet50-1D emerged as the top-performing model in terms of classification accuracy on fault data.
In this work, we extend that evaluation by introducing the MCII metric to capture the average misleading impact of each physical attack on the model’s predictions. The results indicate that although ResNet50-1D continues to demonstrate excellent diagnostic performance, it also maintains the lowest MCII, suggesting better resilience under adversarial physical conditions compared to the other models.
To complement the metrics reported in Table 2, Figure 9 presents a consolidated line graph plot that visualizes the mean confusion ratio per batch observed across all attack scenarios for each evaluated model. This metric reflects, for each incoming batch of 512 adversarial data points, the extent to which predictions are skewed toward a single dominant fault class, a phenomenon indicative of model confusion caused by physical interference.
Notably, the red curve (ResNet50-1D) and the blue curve (CNN-1D) maintain the lowest average confusion levels per batch, indicating a higher degree of decision consistency even when exposed to adversarial perturbations. Conversely, BiLSTM and BiLSTM+Attention models exhibit steeper or more volatile confusion ratios, implying that their predictions are more easily destabilized by physical attacks.
The visual results support our findings of Table 2 and confirm that ResNet50-1D not only achieved top classification accuracy under normal conditions, in line with [41], but also exhibits greater robustness under adversarial interference, as evidenced by both its low MCII score and its batch-level confusion stability. Therefore, even though ResNet50-1D still exhibits considerable confusion under attack, it is identified as the most promising backbone architecture for developing a further defense mechanism against physical attacks on our ventilator motor.

5. Defense Strategy

5.1. Adversarial Training by Transfer Learning

Adversarial training is a widely recognized defense mechanism in the field of robust machine learning, originally developed to improve model performance against adversarial examples in image classification tasks [48]. The core idea involves incorporating adversarially perturbed inputs during training so that the model learns to resist deceptive alterations at inference time. While this strategy has proven effective in digital adversarial settings, its application in real-world physical attack scenarios—especially in industrial domains—remains relatively underexplored.
In this work, we adopt an adversarial training strategy tailored to physical attacks by leveraging transfer learning on a previously trained fault classification model. Specifically, we utilize the ResNet50-1D architecture, which was validated as the most effective model for fault diagnosis in our system. Rather than retraining the entire network, we freeze the convolutional backbone and extract high-level feature representations from vibration signal windows. On top of this frozen backbone, we retrain only the classification head using labeled data collected under physical attack conditions.
This transfer learning approach offers multiple advantages. First, it allows for efficient adaptation to new data distributions (e.g., those induced by physical interference), without requiring large-scale retraining [49]. Second, by decoupling feature extraction from classification, we can test multiple lightweight machine learning classifiers (such as Random Forest, SVM, LightGBM, and XGBoost) as the head model [50]. This enhances flexibility and interpretability, while also improving robustness through ensemble-based or margin-based learning mechanisms.
Such hybrid architectures, combining deep feature extraction with classical machine learning heads, have recently gained traction as effective defense frameworks in adversarial learning contexts [51], particularly when labeled adversarial data are available for supervised retraining. Our proposed method thus represents a domain-specific adaptation of adversarial training via transfer learning, focused on improving resilience in real-world industrial fault classification systems affected by physical tampering.
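The hybrid defense described in this subsection, as an added example rather than the paper's own implementation: a frozen feature extractor whose weights are computed once and never updated, a lightweight head retrained on embeddings of both genuine-fault and labelled-attack windows, and a standard confusion matrix with a diagonal over the combined label set. The ResNet50-1D backbone is replaced by a hypothetical fixed random projection with ReLU so the block runs without a deep learning framework; the head is a multinomial logistic regression (the paper's Logistic Regression baseline), and the 7-feature windows, class centres and two attack classes are constructed.

```python
import math
import random

# Constructed label set: the four fault classes from the paper plus two attack
# scenarios that receive explicit ground-truth labels after adversarial data collection.
CLASSES = ["Normal", "Bearing Fault", "Impeller Unbalancing", "Support Cracking",
           "Loose Bearing Cap (attack)", "Impeller Add Weight (attack)"]
N_FEATURES = 7   # vRMS, aRMS, aPeak, Crest Factor, Motor Speed, Temperature, Current
EMBED_DIM = 16   # width of the hypothetical frozen embedding


def make_dataset(n_per_class=40, seed=1):
    """Constructed synthetic windows: one Gaussian blob per class in the 7-feature space."""
    rng = random.Random(seed)
    centres = [[rng.uniform(-4, 4) for _ in range(N_FEATURES)] for _ in CLASSES]
    xs, ys = [], []
    for label, centre in enumerate(centres):
        for _ in range(n_per_class):
            xs.append([c + rng.gauss(0, 0.3) for c in centre])
            ys.append(label)
    idx = list(range(len(xs)))
    rng.shuffle(idx)
    return [xs[i] for i in idx], [ys[i] for i in idx]


class FrozenBackbone:
    """Stand-in for the frozen ResNet50-1D extractor: a fixed random projection plus
    ReLU. Weights are drawn once in __init__ and are never touched by training."""
    def __init__(self, seed=0):
        rng = random.Random(seed)
        self.w = [[rng.gauss(0, 1 / math.sqrt(N_FEATURES)) for _ in range(N_FEATURES)]
                  for _ in range(EMBED_DIM)]

    def embed(self, x):
        return [max(0.0, sum(wi * xi for wi, xi in zip(row, x))) for row in self.w]


class SoftmaxHead:
    """Retrainable lightweight head: multinomial logistic regression, full-batch GD,
    with per-dimension standardization of the embeddings fitted on training data."""
    def __init__(self, n_in, n_out):
        self.w = [[0.0] * n_in for _ in range(n_out)]
        self.b = [0.0] * n_out
        self.mu, self.sd = [0.0] * n_in, [1.0] * n_in

    def _norm(self, z):
        return [(zi - m) / s for zi, m, s in zip(z, self.mu, self.sd)]

    def probs(self, z):
        zn = self._norm(z)
        logits = [sum(wi * zi for wi, zi in zip(row, zn)) + b for row, b in zip(self.w, self.b)]
        m = max(logits)
        e = [math.exp(l - m) for l in logits]
        s = sum(e)
        return [v / s for v in e]

    def fit(self, Z, y, lr=0.1, epochs=120):
        n, d, k = len(Z), len(Z[0]), len(self.b)
        self.mu = [sum(z[j] for z in Z) / n for j in range(d)]
        self.sd = [max(1e-6, math.sqrt(sum((z[j] - self.mu[j]) ** 2 for z in Z) / n))
                   for j in range(d)]
        for _ in range(epochs):
            gw = [[0.0] * d for _ in range(k)]
            gb = [0.0] * k
            for z, t in zip(Z, y):
                zn, p = self._norm(z), self.probs(z)
                for c in range(k):
                    err = p[c] - (1.0 if c == t else 0.0)   # dL/dlogit for cross-entropy
                    gb[c] += err
                    for j in range(d):
                        gw[c][j] += err * zn[j]
            for c in range(k):
                self.b[c] -= lr * gb[c] / n
                for j in range(d):
                    self.w[c][j] -= lr * gw[c][j] / n
        return self

    def predict(self, z):
        p = self.probs(z)
        return max(range(len(p)), key=p.__getitem__)


def confusion_matrix(y_true, y_pred):
    """Standard square confusion matrix over faults and attacks (rows = truth)."""
    k = len(CLASSES)
    cm = [[0] * k for _ in range(k)]
    for t, p in zip(y_true, y_pred):
        cm[t][p] += 1
    return cm


def accuracy(cm):
    return sum(cm[i][i] for i in range(len(cm))) / sum(map(sum, cm))


def train_defense(seed=1, train_fraction=0.7):
    """Embed every window once with the frozen backbone, retrain only the head."""
    X, y = make_dataset(seed=seed)
    split = int(train_fraction * len(X))
    backbone = FrozenBackbone()
    Z = [backbone.embed(x) for x in X]
    head = SoftmaxHead(EMBED_DIM, len(CLASSES)).fit(Z[:split], y[:split])
    preds = [head.predict(z) for z in Z[split:]]
    return confusion_matrix(y[split:], preds)


if __name__ == "__main__":
    cm = train_defense()
    print(f"held-out accuracy over faults + attacks: {accuracy(cm):.3f}")
    for name, row in zip(CLASSES, cm):
        print(f"{name:30s} {row}")
```

Because the backbone is frozen, every window is embedded once and the head alone is fitted, which is the efficiency argument made above; swapping `SoftmaxHead` for a tree ensemble or an SVM changes only the head object, not the extraction step.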
Regarding the motivation for classifiers’ selection, first, Logistic Regression was included as a baseline model. Despite its simplicity, it remains widely used for benchmarking in classification tasks because of its interpretability, computational efficiency, and ability to provide a transparent reference point against which the performance of more advanced models can be evaluated [52]. Next, the choice of Random Forest, LightGBM, XGBoost, and SVM was motivated by their complementary strengths in robustness and interpretability when applied to deep feature representations. Random Forest provides ensemble-based stability and resistance to overfitting [53,54], which is valuable under noisy or perturbed inputs. LightGBM and XGBoost, as gradient-boosting frameworks, are well known for their ability to capture complex, non-linear decision boundaries with high accuracy and computational efficiency [55,56]. SVM, in contrast, offers a margin-based learning mechanism that emphasizes generalization and robustness, particularly under limited or imbalanced training data [57]. By evaluating these diverse lightweight classifiers on top of the ResNet50-1D feature extractor, our study ensured that both ensemble-based and margin-based paradigms were represented, thereby enabling a balanced and fair assessment of which head model best suppresses adversarial confusion while maintaining diagnostic accuracy.

5.2. Confusion Matrices, Heatmaps, and Evaluation Metrics

To evaluate the effectiveness of the proposed defense strategy based on transfer learning, we first visualize the confusion matrices resulting from the application of five different machine learning classifiers (Logistic Regression, SVM, Random Forest, LightGBM, and XGBoost) as classification heads on top of the ResNet50-1D feature extractor. These confusion matrices represent how each model interprets vibration signals under physical attacks and highlight the degree to which attacks are still misclassified as real fault conditions.
After adversarial training, the evaluation is performed on an augmented dataset that contains both genuine fault conditions [41] and adversarial examples, each with explicit ground-truth labels. Unlike the attack-to-fault heatmaps—where no diagonal could be formed because attacks are not themselves fault classes—the presence of labeled instances for both faults and attacks enables the construction of standard confusion matrices with a meaningful diagonal. In this representation, the diagonal elements reflect correct classifications, while the off-diagonal entries indicate misclassifications between fault and attack categories. This shift marks a crucial step: moving from illustrating attack-induced misinterpretations on a pre-trained model to rigorously evaluating diagnostic accuracy and robustness in a retrained adversarial defense setting. Figure 10 presents a total of five confusion matrices (one per ML classifier).
We observe that the ResNet50-1D + Random Forest and ResNet50-1D + LightGBM combinations produce the clearest and most diagonal-dominant matrices, indicating a strong ability to distinguish between real faults and adversarial distortions. In contrast, models such as ResNet50-1D + Logistic Regression and ResNet50-1D + SVM show higher confusion, particularly between impeller-related attacks and actual unbalancing faults, a trend previously observed in the standalone ResNet50-1D evaluation. This difference can be explained by the intrinsic properties of ensemble-based methods. Logistic Regression and SVM rely on a single global decision boundary, making them more sensitive to distribution shifts caused by adversarial perturbations [52,57]. In contrast, Random Forest reduces variance by averaging across multiple decision trees, while LightGBM adaptively reweights misclassified samples and captures complex non-linear interactions [53,56]. These mechanisms dilute the effect of localized perturbations, which explains their greater robustness in adversarial scenarios.
These qualitative insights are quantitatively supported by the summary metrics shown in Table 3. The models are evaluated based on classification accuracy, precision, recall, F1-score, and our newly introduced uncertainty metric MCII, which captures the average probability mass misallocated to incorrect fault classes under attack conditions.
Notably, ResNet50-1D + Random Forest achieves the highest accuracy (96.53%) with a near-zero MCII score (0.14), followed closely by ResNet50-1D + LightGBM (96.30% accuracy and 0.90 MCII). This suggests that both models are highly effective at absorbing the impact of adversarial perturbations, preserving decision reliability even under physically tampered conditions.
Based on both confusion matrices and aggregate metrics, we focus our subsequent analysis on these two top-performing classifiers—Random Forest and LightGBM—to determine the most robust and practically viable defense mechanism. To further compare the resilience of the two top-performing classifiers, we analyzed in parallel the confusion matrices and batch-level confusion linear progression for each physical attack scenario (Figure 11).
More specifically, Figure 11 illustrates five representative attack-to-fault confusion pairs, one per attack type, before and after the application of each defense model. Each row includes a visualization of how the respective classifier misclassifies attack samples over time, allowing us to observe momentary peaks of confusion or stability across hundreds of batches.
From the graphs, a consistent pattern emerges: Random Forest as head (green curves on the left) exhibits superior robustness, maintaining almost zero confusion across all attack scenarios, regardless of the number of batches. In contrast, LightGBM as head (green curves on the right), although competitive, displays notable spikes in confusion ratios in multiple cases—particularly under attacks such as Loose Motor Foot (b)2 and Loose Bearing Cap (d)2. These fluctuations highlight occasional vulnerabilities in LightGBM’s decision surface when faced with specific physical disturbances.
Finally, to complement the individual case-by-case confusion analyses, we further consolidate the results into a single comparative plot that illustrates the average heatmap ratio per batch across all five physical attacks (Figure 12). This final aggregated visualization provides a temporal overview of how each classifier (RF and LGBM) performs under continuous adversarial input over time. By collapsing all attack-fault heatmap events into a unified metric, we aim to capture the overall stability and resilience of each defense strategy throughout the entire evaluation horizon.
Concluding, multiple classifiers were trained and assessed on the ResNet50-1D backbone to determine their ability to resist physical attacks that cause confusion between real faults and adversarial perturbations. Through comparative analysis of heatmaps, average misclassification scores, and batch-level robustness plots, RF and LGBM emerged as the two most promising candidates. However, analyzing the individual and aggregated attack-to-fault confusion graphs, RF consistently achieved the lowest confusion impact predictions, making it the most suitable and practical model for deployment in our physical defense framework. This lays the foundation for building an integrated and robust predictive maintenance system that remains resilient under adversarial physical interference.
The experimental results highlight the vulnerabilities of deep learning–based fault diagnosis models when subjected to physical adversarial attacks in real industrial environments. The attack-to-fault heatmaps demonstrated that perturbations do not cause random errors but instead induce systematic biases toward specific fault categories. For instance, mechanical disturbances such as loose bearing caps or added impeller weights consistently shifted predictions toward bearing-related and impeller-related faults, respectively. These findings reveal that physical attacks can exploit domain-specific failure signatures, making them particularly deceptive to diagnostic models.
The evaluation of adversarial training strategies further confirmed that robustness can be significantly improved by retraining lightweight classifier heads on adversarially enriched datasets. Among the tested methods, ensemble-based models such as Random Forest and LightGBM exhibited superior resilience, reducing attack-induced confusion while maintaining high diagnostic accuracy on genuine faults.
The confusion matrices, heatmaps, and performance metrics validated that these models are capable of simultaneously preserving reliability in fault detection and mitigating vulnerabilities to adversarial perturbations. Overall, the discussion underscores the dual challenge of ensuring both diagnostic accuracy and robustness. Our experimental findings provide evidence that while deep feature extractors such as ResNet50-1D retain strong representational capacity, their resilience critically depends on the choice of classifier head and the inclusion of adversarial data during training.
In addition to evaluating classification accuracy and robustness under adversarial perturbations, it is crucial to assess the computational cost of different classifier heads. In practical industrial environments, diagnostic models are expected not only to deliver reliable fault detection but also to operate within strict resource constraints, such as limited memory, training time, and real-time inference requirements. Models with high accuracy but excessive computational demands may become impractical for deployment on embedded systems or production lines where fast decision-making and efficient resource utilization are essential.
To capture these aspects, four complementary indicators were selected:
  • Training time reflects the computational expense of preparing each classifier for deployment, highlighting how feasible it is to retrain models when new data becomes available [58].
  • Inference latency time measures the time required to obtain predictions on the test set, directly linking to the responsiveness of the system in real-world operation [59].
  • Complementing this, inference throughput expresses how many samples can be processed per second, which is critical in environments with high-frequency sensor data and large-scale monitoring tasks [60].
  • Finally, model size quantifies the storage footprint of the trained classifier, determining whether it can be efficiently deployed on devices with limited memory, such as PLCs or embedded controllers [61].
Therefore, in Table 4, we systematically compare the training time, inference latency, inference throughput, and model footprint of all classifiers integrated with the ResNet50-1D backbone. This analysis provides a comprehensive view of computational efficiency, complementing the robustness evaluation, and highlights the trade-offs between diagnostic performance and the constraints imposed by potentially limited computational resources in real deployment scenarios.
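A small measurement harness for the four indicators just listed, added here as an example and not taken from the paper: training time and inference latency are wall-clock intervals around `fit` and `predict`, throughput is test samples per second, and model size is the serialized footprint. The head being timed (a nearest-centroid classifier) and the synthetic 16-dimensional embeddings are hypothetical stand-ins so the harness runs offline; any object exposing `fit`/`predict` can be dropped in.

```python
import pickle
import random
import time


class NearestCentroid:
    """Hypothetical lightweight head so the harness has something to time."""
    def fit(self, X, y):
        sums, counts = {}, {}
        for x, t in zip(X, y):
            acc = sums.setdefault(t, [0.0] * len(x))
            for j, v in enumerate(x):
                acc[j] += v
            counts[t] = counts.get(t, 0) + 1
        self.centroids = {t: [v / counts[t] for v in s] for t, s in sums.items()}
        return self

    def predict(self, X):
        def dist2(a, b):
            return sum((u - v) ** 2 for u, v in zip(a, b))
        return [min(self.centroids, key=lambda t: dist2(x, self.centroids[t])) for x in X]


def benchmark(model, X_train, y_train, X_test):
    """Return the four deployment-cost indicators for one classifier head."""
    t0 = time.perf_counter()
    model.fit(X_train, y_train)
    training_time = time.perf_counter() - t0

    t0 = time.perf_counter()
    preds = model.predict(X_test)
    latency = time.perf_counter() - t0
    throughput = len(X_test) / latency if latency > 0 else float("inf")

    size_bytes = len(pickle.dumps(model))   # storage footprint of the trained head
    return {
        "training_time_s": training_time,
        "inference_latency_s": latency,
        "inference_throughput_sps": throughput,
        "model_size_bytes": size_bytes,
        "n_predictions": len(preds),
    }


def constructed_split(n=600, dim=16, classes=4, seed=0):
    """Constructed embeddings: one Gaussian blob per class, 70/30 train/test split."""
    rng = random.Random(seed)
    centres = [[rng.uniform(-3, 3) for _ in range(dim)] for _ in range(classes)]
    X, y = [], []
    for i in range(n):
        c = i % classes
        X.append([m + rng.gauss(0, 0.5) for m in centres[c]])
        y.append(c)
    k = int(0.7 * n)
    return X[:k], y[:k], X[k:]


if __name__ == "__main__":
    Xtr, ytr, Xte = constructed_split()
    for key, value in benchmark(NearestCentroid(), Xtr, ytr, Xte).items():
        print(f"{key:26s} {value:.4g}" if isinstance(value, float) else f"{key:26s} {value}")
```

For comparisons such as Table 4 the same split and the same machine should be used for every head, and latency should be measured on a warmed-up process, since the first call often includes one-off allocation cost.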
The comparison of computational cost across all classifier heads reveals clear trade-offs between robustness and efficiency. Ensemble-based methods (Random Forest, XGBoost, and LightGBM) demonstrated the most favorable balance, combining high diagnostic performance with acceptable training and inference costs. LightGBM, in particular, emerged as the most resource-efficient candidate due to its fast training cycle and compact model size, while Random Forest, although the most robust, was significantly more resource-intensive. Logistic Regression achieved extreme efficiency in inference speed and footprint, but at the expense of robustness, whereas SVM proved computationally prohibitive, with very high training and inference times, which shows significant limitations in its applicability.

6. Discussion, Limitations, and Future Work

The findings of this study highlight a critical but often overlooked vulnerability in industrial AI deployments: the susceptibility of condition monitoring systems to hardware-level adversarial interference. By demonstrating both the risk and a viable mitigation strategy under real production constraints, this work provides a practical foundation for enhancing the trustworthiness of predictive maintenance systems in smart manufacturing environments.
While the proposed framework provides a novel and practical step toward enhancing the robustness of vibration-based fault diagnosis under physical adversarial attacks, several limitations should be acknowledged. The experimental evaluation was carried out on a single ventilator motor in one production line, which constrains the generalizability of the findings to other machines, fault types, or industrial domains.
In addition, the defense strategy relies on a transfer learning paradigm with a frozen ResNet50-1D backbone and retrained lightweight classifiers. Although this modular design offers efficiency and ease of deployment, its adaptability may be limited if feature distributions change significantly under different operating conditions.
Another consideration concerns the MCII metric, which, despite providing an interpretable measure of attack-induced confusion, should be regarded as a preliminary indicator. MCII does not account for temporal dynamics, uncertainty calibration, or gradual degradation effects, and no comparison with alternative robustness metrics was included, limiting the comprehensiveness of the evaluation.
This study also focused on supervised adversarial training, which assumes the availability of labeled attack data. In practice, such labels are costly and time-consuming to obtain, potentially constraining scalability in industrial settings.
A further limitation of this study is that the experiments were conducted with fixed pretrained backbones and a single training run per classifier head. Consequently, variance or standard deviation across multiple independent runs was not reported. This restriction was not only methodological but also practical: all adversarial interventions had to be carried out during scheduled production downtimes, and repeating them extensively would have caused unacceptable disruption to the manufacturing process. While stochastic effects were partially controlled by fixing random seeds and maintaining consistent training protocols, it is acknowledged that repeated experiments could provide additional insight into variability induced by random initialization or sampling. Future work should therefore consider larger-scale experimental campaigns with repeated runs, enabling confidence intervals to be reported alongside mean performance metrics and thus offering a more comprehensive statistical characterization of robustness.
Taken together, these limitations point to opportunities for future research, including validation across multiple ventilators and industrial contexts, benchmarking MCII against complementary robustness metrics, exploring unsupervised and domain-adaptive strategies to improve robustness under realistic production constraints, incorporating uncertainty-aware decision layers, and integrating anomaly detection mechanisms for unsupervised attack detection.
Future work will expand on this foundation by exploring additional physical attack scenarios under varying operational conditions, incorporating domain adaptation techniques to generalize robustness across different machines and environments, and investigating hybrid defense strategies that combine adversarial training with real-time anomaly detection. Furthermore, releasing the constructed dataset openly to the research community will enable reproducibility and foster comparative studies, supporting long-term progress in securing industrial AI systems.

7. Conclusions

This work has explored the resilience of deep learning-based fault diagnosis systems under real-world physical adversarial attacks in an industrial setting. Building upon our previous research—where ResNet50-1D was identified as the most accurate model for classifying common mechanical faults in centrifugal ventilators—we extended the evaluation to scenarios involving deliberate physical perturbations that mimic fault conditions without corresponding to true machine failures. These perturbations were designed to compromise the reliability of vibration-based fault classifiers by altering sensor input characteristics. Our experiments demonstrated that even high-performing DL models exhibit significant vulnerabilities under such conditions, often misclassifying attacks as legitimate faults with high confidence. To quantify this effect, we introduced the Mean Confusion Impact Index (MCII), a novel and simple robustness metric, which revealed the extent of decision compromise for each model.
Among the four evaluated architectures, ResNet50-1D consistently achieved the lowest MCII, together with a clear batch-wise visual separation between the attack–fault pairs, confirming its superior robustness and positioning it as a suitable backbone for further defense development. Moreover, we proposed a hybrid defense strategy that couples a frozen ResNet50-1D feature extractor with classification heads retrained on adversarial labeled data. Through systematic evaluation across multiple classifiers, Random Forest and LightGBM emerged as the most effective defenses—reducing attack-to-fault confusion while maintaining high classification accuracy. Notably, Random Forest exhibited minimal confusion volatility in batch-wise temporal plots, demonstrating its strong resilience to physical tampering.
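The closed-world failure mode and the hybrid defense summarized above, as an added example that is not the paper's code: hand-crafted aRMS/aPeak/CF features stand in for the frozen ResNet50-1D backbone, a Gaussian naive Bayes head stands in for the RF/LightGBM heads, and `mean_attack_to_fault_confidence` is a stand-in for MCII (whose exact formula is not reproduced on this page); every vibration window is constructed synthetically.

```python
# Added example (not the paper's code). Stand-ins, all labelled: hand-crafted
# aRMS/aPeak/CF features for the frozen ResNet50-1D backbone, a Gaussian naive
# Bayes head for the RF/LightGBM heads, and mean_attack_to_fault_confidence
# for MCII, whose exact formula is not reproduced on this page.
import math
import random

FAULT_CLASSES = ["normal", "bearing", "unbalance"]

# Constructed signal recipes: sinusoid amplitude plus an optional impulse train
# aligned with the sinusoid peaks (bearing-like impacts). The attack mimics
# unbalance (large amplitude) but carries a small impulsive signature of its
# own, so it sits close to the unbalance class without matching it exactly.
RECIPES = {
    "normal":    {"amp": 1.0, "impulse": 0.0},
    "bearing":   {"amp": 1.0, "impulse": 4.0},
    "unbalance": {"amp": 3.0, "impulse": 0.0},
    "attack":    {"amp": 2.7, "impulse": 0.6},
}


def make_window(rng, amp, impulse, n=256):
    """One constructed acceleration window of n samples with Gaussian noise."""
    out = []
    for i in range(n):
        x = amp * math.sin(2 * math.pi * i / 32) + rng.gauss(0.0, 0.1)
        if impulse and i % 64 == 8:   # sin(2*pi*i/32) == 1 at these samples
            x += impulse
        out.append(x)
    return out


def features(window):
    """Fixed feature extractor: aRMS, aPeak and crest factor CF = aPeak/aRMS."""
    rms = math.sqrt(sum(x * x for x in window) / len(window))
    peak = max(abs(x) for x in window)
    return [rms, peak, peak / rms]


def dataset(rng, classes, per_class=40):
    """Feature vectors and labels for per_class constructed windows per class."""
    X, y = [], []
    for c in classes:
        for _ in range(per_class):
            X.append(features(make_window(rng, **RECIPES[c])))
            y.append(c)
    return X, y


class GaussianNBHead:
    """Lightweight probabilistic head trained on extracted features."""
    VAR_FLOOR = 1e-4   # keeps near-constant features from dominating the score

    def __init__(self, X, y):
        self.params = {}
        for c in sorted(set(y)):
            cols = list(zip(*[x for x, lab in zip(X, y) if lab == c]))
            mean = [sum(col) / len(col) for col in cols]
            var = [max(sum((v - m) ** 2 for v in col) / len(col), self.VAR_FLOOR)
                   for col, m in zip(cols, mean)]
            self.params[c] = (mean, var)

    def predict_proba(self, x):
        logp = {c: sum(-0.5 * math.log(2 * math.pi * v) - (xi - m) ** 2 / (2 * v)
                       for xi, m, v in zip(x, mean, var))
                for c, (mean, var) in self.params.items()}
        top = max(logp.values())                      # numerically stable softmax
        w = {c: math.exp(l - top) for c, l in logp.items()}
        z = sum(w.values())
        return {c: v / z for c, v in w.items()}

    def predict(self, x):
        p = self.predict_proba(x)
        return max(p, key=p.get)


def mean_attack_to_fault_confidence(head, attack_X):
    """Stand-in for MCII: average, over attack windows, of the largest
    probability the head assigns to any genuine fault class."""
    return sum(max(head.predict_proba(x)[c] for c in FAULT_CLASSES)
               for x in attack_X) / len(attack_X)


def run_experiment(seed=7):
    """Original (faults-only) head vs. head retrained with attack-labelled data."""
    rng = random.Random(seed)
    X_f, y_f = dataset(rng, FAULT_CLASSES)            # fault training data
    X_a, y_a = dataset(rng, ["attack"])               # attack-labelled data
    fault_test, fault_labels = dataset(rng, FAULT_CLASSES, per_class=10)
    attack_test, _ = dataset(rng, ["attack"], per_class=20)
    original = GaussianNBHead(X_f, y_f)
    defended = GaussianNBHead(X_f + X_a, y_f + y_a)
    n_a, n_f = len(attack_test), len(fault_test)
    return {
        "original_confidence": mean_attack_to_fault_confidence(original, attack_test),
        "defended_confidence": mean_attack_to_fault_confidence(defended, attack_test),
        "attack_flagged": sum(defended.predict(x) == "attack" for x in attack_test) / n_a,
        "fault_accuracy": sum(defended.predict(x) == lab
                              for x, lab in zip(fault_test, fault_labels)) / n_f,
    }
```

The faults-only head has no "attack" output, so every attack window lands on some fault class with near-certain confidence; the retrained head flags the attack windows while still classifying the held-out fault windows correctly.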

Author Contributions

Conceptualization, G.A.P.; methodology, G.A.P., S.B. and I.P.; investigation, S.B. and I.P.; software, S.B. and I.P.; resources, S.B. and I.P.; writing—original draft preparation, S.B., I.P. and E.V.; writing—review and editing, S.B., I.P., E.V. and G.A.P.; visualization, G.A.P.; supervision, G.A.P. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The original data presented in the study are openly available in the GitHub repository at https://github.com/MachineLearningVisionRG (accessed on 10 September 2025).

Acknowledgments

This work was supported by the MPhil program “Advanced Technologies in Informatics and Computers”, hosted by the Department of Informatics, Democritus University of Thrace, Kavala, Greece. The authors would also like to express sincere gratitude to their colleagues at Thrace Nonwovens & Geosynthetics for their valuable contributions and support throughout this work, particularly Sotiria Arampatzoglou (Process Engineer), Konstantinos Tsaousidis (Head of Manufacturing) and Diogenis Vasileiadis (Project Manager).

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
MCII: Mean Confusion Impact Index
AI: Artificial intelligence
DL: Deep learning
FGSM: Fast Gradient Sign Method
PGD: Projected Gradient Descent
CNNs: Convolutional Neural Networks
LSTMs: Long Short-Term Memories
SAEM: Spectrogram-Aware Ensemble Method
ICS: Industrial control systems
FTEP: Tennessee Eastman Process
GRU: Gated Recurrent Unit
MLP: Multi-Layer Perceptron
MSMQ: Microsoft Message Queuing Services
aRMS: Acceleration Root Mean Square
aPeak: Acceleration Peak
vRMS: Velocity Root Mean Square
CF: Crest Factor

References

  1. Salem, K.; AbdelGwad, E.; Kouta, H. Predicting Forced Blower Failures Using Machine Learning Algorithms and Vibration Data for Effective Maintenance Strategies. J. Fail. Anal. Prev. 2023, 23, 2191–2203.
  2. Maher, Y.; Danouj, B. Survey on Deep Learning Applied to Predictive Maintenance. Int. J. Electr. Comput. Eng. 2020, 10, 5592.
  3. Chakraborty, S.; Krishna, R.; Ding, Y.; Ray, B. Deep Learning Based Vulnerability Detection: Are We There Yet? IEEE Trans. Softw. Eng. 2022, 48, 3280–3296.
  4. Apostolidis, K.D.; Gkouvrikos, E.V.; Vrochidou, E.; Papakostas, G.A. Traffic Sign Recognition Robustness in Autonomous Vehicles Under Physical Adversarial Attacks. In Cutting Edge Applications of Computational Intelligence Tools and Techniques. Studies in Computational Intelligence; Daimi, K., Alsadoon, A., Coelho, L., Eds.; Springer: Cham, Switzerland, 2023; pp. 287–304.
  5. Jia, W.; Lu, Z.; Zhang, H.; Liu, Z.; Wang, J.; Qu, G. Fooling the Eyes of Autonomous Vehicles: Robust Physical Adversarial Examples Against Traffic Sign Recognition Systems. In Proceedings of the 2022 Network and Distributed System Security Symposium, San Diego, CA, USA, 24–28 April 2022; Internet Society: Reston, VA, USA, 2022.
  6. Jia, Y.; Poskitt, C.M.; Sun, J.; Chattopadhyay, S. Physical Adversarial Attack on a Robotic Arm. IEEE Robot. Autom. Lett. 2022, 7, 9334–9341.
  7. Nour, A.A.; Mehbodniya, A.; Webber, J.L.; Bostani, A.; Shah, B.; Ergashevich, B.Z. Optimizing Intrusion Detection in Industrial Cyber-Physical Systems through Transfer Learning Approaches. Comput. Electr. Eng. 2023, 111, 108929.
  8. Dionisopoulos, N.; Vrochidou, E.; Papakostas, G.A. Machine Learning Robustness in Predictive Maintenance Under Adversarial Attacks. In Proceedings of the Congress on Control, Robotics, and Mechatronics, Rajasthan, India, 25–26 March 2023; pp. 245–254.
  9. Thrace Group. Thrace Nonwovens & Geosynthetics S.A. Available online: https://www.thracegroup.com/cz/en/companies/thrace-ng/ (accessed on 11 May 2025).
  10. Naqvi, S.M.A.; Shabaz, M.; Khan, M.A.; Hassan, S.I. Adversarial Attacks on Visual Objects Using the Fast Gradient Sign Method. J. Grid Comput. 2023, 21, 52.
  11. Naseem, M.L. Trans-IFFT-FGSM: A Novel Fast Gradient Sign Method for Adversarial Attacks. Multimed. Tools Appl. 2024, 83, 72279–72299.
  12. Ayas, M.S.; Ayas, S.; Djouadi, S.M. Projected Gradient Descent Adversarial Attack and Its Defense on a Fault Diagnosis System. In Proceedings of the 2022 45th International Conference on Telecommunications and Signal Processing (TSP), Prague, Czech Republic, 13–15 July 2022; IEEE: New York, NY, USA, 2022; pp. 36–39.
  13. Waghela, H.; Sen, J.; Rakshit, S. Robust Image Classification: Defensive Strategies against FGSM and PGD Adversarial Attacks. In Proceedings of the 2024 Asian Conference on Intelligent Technologies (ACOIT), Kolar, India, 6–7 September 2024; IEEE: New York, NY, USA, 2024; pp. 1–7.
  14. Chen, J.; Yan, D. Adversarial Attacks on Machinery Fault Diagnosis. arXiv 2022, arXiv:2110.02498.
  15. Kim, H.; Lee, S.; Lee, J.; Lee, W.; Son, Y. Evaluating Practical Adversarial Robustness of Fault Diagnosis Systems via Spectrogram-Aware Ensemble Method. Eng. Appl. Artif. Intell. 2024, 130, 107980.
  16. Zareapoor, M.; Shamsolmoali, P.; Yang, J. Oversampling Adversarial Network for Class-Imbalanced Fault Diagnosis. Mech. Syst. Signal Process. 2021, 149, 107175.
  17. Shaik, A.K.; Das, A.; Palleti, V.R. Study of Adversarial Attacks on Anomaly Detectors In Industrial Control Systems. arXiv 2025, arXiv:2505.03120.
  18. Villegas-Ch, W.; Govea, J.; Jaramillo-Alcazar, A. Tamper Detection in Industrial Sensors: An Approach Based on Anomaly Detection. Sensors 2023, 23, 8908.
  19. Nematirad, R.; Behrang, M.; Pahwa, A. Acoustic-Based Online Monitoring of Cooling Fan Malfunction in Air-Forced Transformers Using Learning Techniques. IEEE Access 2024, 12, 26384–26400.
  20. Kong, X.; Ge, Z. Adversarial Attacks on Neural-Network-Based Soft Sensors: Directly Attack Output. IEEE Trans. Ind. Inform. 2022, 18, 2443–2451.
  21. Guo, R.; Chen, Q.; Tong, S.; Liu, H. Knowledge-Aided Generative Adversarial Network: A Transfer Gradient-Less Adversarial Attack for Deep Learning-Based Soft Sensors. In Proceedings of the 2024 14th Asian Control Conference (ASCC), Dalian, China, 5–8 July 2024; pp. 1254–1259.
  22. Zizzo, G.; Hankin, C.; Maffeis, S.; Jones, K. Adversarial Attacks on Time-Series Intrusion Detection for Industrial Control Systems. In Proceedings of the 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Guangzhou, China, 29 December 2020–1 January 2021; IEEE: New York, NY, USA, 2020; pp. 899–910.
  23. Sun, J.; Gu, X.; He, J.; Yang, S.; Tu, Y.; Wu, C. A Robust Approach of Multi-Sensor Fusion for Fault Diagnosis Using Convolution Neural Network. J. Dyn. Monit. Diagn. 2022, 1, 103–110.
  24. Farwell, P.; Rohozinski, R. Threats to Industrial Cyber-Physical Systems. In Proceedings of the 10th International Conference on Cyber Conflict CyCon X, NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), Tallinn, Estonia, 29 May–1 June 2018; pp. 1–6.
  25. Giraldo, J.; Urbina, D.; Cardenas, A.; Valente, J.; Faisal, M.; Ruths, J.; Tippenhauer, N.O.; Sandberg, H.; Candell, R. A Survey of Physics-Based Attack Detection in Cyber-Physical Systems. ACM Comput. Surv. 2019, 51, 1–36.
  26. Guo, P.; Kim, H.; Virani, N.; Xu, J.; Zhu, M.; Liu, P. Exploiting Physical Dynamics to Detect Actuator and Sensor Attacks in Mobile Robots. arXiv 2017, arXiv:1708.01834.
  27. Kurakin, A.; Goodfellow, I.J.; Bengio, S. Adversarial Examples in the Physical World. In Artificial Intelligence Safety and Security, 1st ed.; Chapman and Hall/CRC, CRC Press/Taylor & Francis Group: Boca Raton, FL, USA, 2018; pp. 99–112.
  28. Eykholt, K.; Evtimov, I.; Fernandes, E.; Li, B.; Rahmati, A.; Xiao, C.; Prakash, A.; Kohno, T.; Song, D. Robust Physical-World Attacks on Deep Learning Visual Classification. In Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Salt Lake City, UT, USA, 18–23 June 2018; IEEE: New York, NY, USA, 2018; pp. 1625–1634.
  29. Cao, Y.; Xiao, C.; Cyr, B.; Zhou, Y.; Park, W.; Rampazzi, S.; Chen, Q.A.; Fu, K.; Mao, Z.M. Adversarial Sensor Attack on LiDAR-Based Perception in Autonomous Driving. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, London, UK, 11–15 November 2019; ACM: New York, NY, USA, 2019; pp. 2267–2281.
  30. Nguyen, K.; Fernando, T.; Fookes, C.; Sridharan, S. Physical Adversarial Attacks for Surveillance: A Survey. IEEE Trans. Neural Netw. Learn. Syst. 2024, 35, 17036–17056.
  31. Pozdnyakov, V.; Kovalenko, A.; Makarov, I.; Drobyshevskiy, M.; Lukyanov, K. Adversarial Attacks and Defenses in Fault Detection and Diagnosis: A Comprehensive Benchmark on the Tennessee Eastman Process. IEEE Open J. Ind. Electron. Soc. 2024, 5, 428–440.
  32. Guo, Y.; Cheng, Z.; Zhang, J.; Sun, B.; Wang, Y. A Review on Adversarial–Based Deep Transfer Learning Mechanical Fault Diagnosis. J. Big Data 2024, 11, 151.
  33. Chen, Q.; Dong, X.; Tu, G.; Wang, D.; Cheng, C.; Zhao, B.; Peng, Z. TFN: An Interpretable Neural Network with Time-Frequency Transform Embedded for Intelligent Fault Diagnosis. Mech. Syst. Signal Process. 2024, 207, 110952.
  34. Abadi, H.H.N. Adversarial Machine Learning Attacks on Condition-Based Maintenance Capabilities. arXiv 2021, arXiv:2101.12097.
  35. Yin, Z.; Zhuo, Y.; Ge, Z. Transfer Adversarial Attacks across Industrial Intelligent Systems. Reliab. Eng. Syst. Saf. 2023, 237, 109299.
  36. Pozdnyakov, V.; Kovalenko, A.; Makarov, I.; Drobyshevskiy, M.; Lukyanov, K. AADMIP: Adversarial Attacks and Defenses Modeling in Industrial Processes. In Proceedings of the Thirty-Third International Joint Conference on Artificial Intelligence, Jeju, Republic of Korea, 3–9 August 2024; pp. 8776–8779.
  37. Wang, J.; Liu, X.; Hu, J.; Wang, D.; Wu, S.; Jiang, T.; Guo, Y.; Liu, A.; Zhou, J. Adversarial Examples in the Physical World: A Survey. arXiv 2024, arXiv:2311.01473.
  38. Ullah, H.; Zaidi, S.M.T.; Munir, A. Improving Adversarial Robustness Through Adaptive Learning-Driven Multi-Teacher Knowledge Distillation. arXiv 2025, arXiv:2507.20996.
  39. Shi, Y.; Deng, A.; Deng, M.; Xu, M.; Liu, Y.; Ding, X. A Novel Multiscale Feature Adversarial Fusion Network for Unsupervised Cross-Domain Fault Diagnosis. Measurement 2022, 200, 111616.
  40. Moosavi-Dezfooli, S.-M.; Fawzi, A.; Frossard, P. DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks. In Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Las Vegas, NV, USA, 26 June–1 July 2016; IEEE: New York, NY, USA, 2016; pp. 2574–2582.
  41. Polymeropoulos, I.; Bezyrgiannidis, S.; Vrochidou, E.; Papakostas, G.A. Bridging AI and Maintenance: Fault Diagnosis in Industrial Air-Cooling Systems Using Deep Learning and Sensor Data. Under Rev. 2025, in press.
  42. Moukari, M.; Simon, L.; Picard, S.; Jurie, F. N-MeRCI: A New Metric to Evaluate the Correlation Between Predictive Uncertainty and True Error. arXiv 2019, arXiv:1908.07253.
  43. Lovell, D.; Miller, D.; Capra, J.; Bradley, A.P. Never Mind the Metrics-What about the Uncertainty? Visualising Binary Confusion Matrix Metric Distributions to Put Performance in Perspective. Proc. Mach. Learn. Res. 2023, 202, 22702–22757.
  44. Smith, L.; Gal, Y. Understanding Measures of Uncertainty for Adversarial Example Detection. arXiv 2018, arXiv:1803.08533.
  45. Ren, P.; Xiao, Y.; Chang, X.; Huang, P.-Y.; Li, Z.; Gupta, B.B.; Chen, X.; Wang, X. A Survey of Deep Active Learning. ACM Comput. Surv. 2022, 54, 1–40.
  46. Guo, C.; Pleiss, G.; Sun, Y.; Weinberger, K.Q. On Calibration of Modern Neural Networks. In Proceedings of the 34th International Conference on Machine Learning, ICML 2017, Sydney, NSW, Australia, 6–11 August 2017; pp. 1321–1330.
  47. Abomakhelb, A.; Jalil, K.A.; Buja, A.G.; Alhammadi, A.; Alenezi, A.M. A Comprehensive Review of Adversarial Attacks and Defense Strategies in Deep Neural Networks. Technologies 2025, 13, 202.
  48. Goodfellow, I.J.; Shlens, J.; Szegedy, C. Explaining and Harnessing Adversarial Examples. In Proceedings of the 3rd International Conference on Learning Representations, ICLR 2015, San Diego, CA, USA, 7–9 May 2015.
  49. Pan, S.J.; Yang, Q. A Survey on Transfer Learning. IEEE Trans. Knowl. Data Eng. 2010, 22, 1345–1359.
  50. Madry, A.; Makelov, A.; Schmidt, L.; Tsipras, D.; Vladu, A. Towards Deep Learning Models Resistant to Adversarial Attacks. In Proceedings of the 6th International Conference on Learning Representations, ICLR 2018, Vancouver, BC, Canada, 30 April–3 May 2018.
  51. Luo, P.; Yin, Z.; Zhang, Y.; Bai, C.; Zhang, P.; Liu, J. Increasing Interpretability and Feasibility of Data Driven-Based Unknown Fault Diagnosis in Permanent Magnet Synchronous Motors. IEEE Trans. Energy Convers. 2025, 40, 1422–1433.
  52. Hosmer, D.W.; Lemeshow, S. Applied Logistic Regression, 2nd ed.; John Wiley & Sons, Inc.: New York, NY, USA, 2000; ISBN 0471722146.
  53. Breiman, L. Random Forests. Mach. Learn. 2001, 45, 5–32.
  54. Chen, F.; Zhang, L.; Liu, W.; Zhang, T.; Zhao, Z.; Wang, W.; Chen, D.; Wang, B. A Fault Diagnosis Method of Rotating Machinery Based on Improved Multiscale Attention Entropy and Random Forests. Nonlinear Dyn. 2023, 112, 1191–1220.
  55. Chen, T.; Guestrin, C. XGBoost: A Scalable Tree Boosting System. In Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, San Francisco, CA, USA, 13–17 August 2016; ACM: New York, NY, USA, 2016; pp. 785–794.
  56. Ke, G.; Meng, Q.; Finley, T.; Wang, T.; Chen, W.; Ma, W.; Ye, Q.; Liu, T.Y. LightGBM: A Highly Efficient Gradient Boosting Decision Tree. In Advances in Neural Information Processing Systems; Curran Associates, Inc.: Nice, France, 2017; pp. 3149–3157.
  57. Widodo, A.; Yang, B.-S. Support Vector Machine in Machine Condition Monitoring and Fault Diagnosis. Mech. Syst. Signal Process. 2007, 21, 2560–2574.
  58. Justus, D.; Brennan, J.; Bonner, S.; McGough, A.S. Predicting the Computational Cost of Deep Learning Models. In Proceedings of the 2018 IEEE International Conference on Big Data (Big Data), Seattle, WA, USA, 10–13 December 2018.
  59. Han, S.; Mao, H.; Dally, W.J. Deep Compression: Compressing Deep Neural Networks with Pruning, Trained Quantization and Huffman Coding. In Proceedings of the 4th International Conference on Learning Representations, ICLR 2016, Conference Track Proceedings, San Juan, PR, USA, 2–4 May 2016.
  60. Narayanan, D.; Shoeybi, M.; Casper, J.; LeGresley, P.; Patwary, M.; Korthikanti, V.; Vainbrand, D.; Kashinkunti, P.; Bernauer, J.; Catanzaro, B.; et al. Efficient Large-Scale Language Model Training on GPU Clusters Using Megatron-LM. In Proceedings of the International Conference for High Performance Computing, Networking, Storage and Analysis, Saint Louis, MO, USA, 14–19 November 2021; ACM: New York, NY, USA, 2021; pp. 1–15.
  61. Sze, V.; Chen, Y.-H.; Yang, T.-J.; Emer, J.S. Efficient Processing of Deep Neural Networks: A Tutorial and Survey. Proc. IEEE 2017, 105, 2295–2329.
Figure 1. Thrace Nonwovens & Geosynthetics S.A. [9].
Figure 2. The proposed two-phase methodology framework block diagram.
Figure 3. Equipment setup and data flow diagram.
Figure 4. Application and data capturing of five physical attacks on the ventilator motor: (a) Misaligned Sensor; (b) Loose Motor Foot; (c) Loose Bearing Cap; (d) Eccentric Shaft Fit; (e) Impeller Add Weight.
Figure 5. Operation of spinneret changeover.
Figure 6. Indicative graph plot of 7 features of the Eccentric Shaft Fit attack.
Figure 7. Summarized DL models’ architectures.
Figure 8. Attack-to-fault misclassification heatmaps of DL models under five physical attack scenarios (Misaligned Sensor → Normal, Loose Motor Foot → Support Cracking, Eccentric Shaft Fit → Normal, Loose Bearing Cap → Bearing, Impeller Add Weight → Impeller Unbalancing): (a) ResNet50-1D; (b) CNN-1D; (c) BiLSTM; (d) BiLSTM with Attention. Color scale from white to dark blue represents the intensity of values from 0 to 1.
Figure 9. Batch-wise total attack confusion trends across the four DL models.
Figure 10. Normalized confusion matrices for five ML classifier architectures under physical attacks: (a) Logistic Regression; (b) SVM; (c) Random Forest; (d) LightGBM; (e) XGBoost. Color scale from white to dark blue represents the intensity of values from 0 to 1.
Figure 11. End-to-end evaluation of defence effectiveness, RF vs. LightGBM, compared to the original ResNet50-1D misclassification heatmap, highlighting five major attack-induced misclassifications. For RF: (a)1 Misaligned Sensor → Normal; (b)1 Loose Motor Foot → Support Cracking; (c)1 Eccentric Shaft Fit → Normal; (d)1 Loose Bearing Cap → Bearing; (e)1 Impeller Add Weight → Impeller Unbalancing. For LightGBM: (a)2 Misaligned Sensor → Normal; (b)2 Loose Motor Foot → Support Cracking; (c)2 Eccentric Shaft Fit → Normal; (d)2 Loose Bearing Cap → Bearing; (e)2 Impeller Add Weight → Impeller Unbalancing. Red lines refer to the attack heatmap ratio of the original model, while green lines refer to the attack heatmap ratio after defence.
Figure 12. Average attack-to-fault heatmap ratio for the original pretrained ResNet50-1D model compared to the defended versions with Random Forest and LightGBM.
Table 1. Comparison of present work with recent related literature.
Ref. | Main Approach and Findings | Comparison with Present Work
[14] | Demonstrated that CNN and LSTM models suffer severe accuracy degradation when subjected to FGSM/PGD adversarial perturbations on bearing vibration data. | This work shows that similar vulnerabilities arise under physical perturbations (e.g., sensor misalignment, loose fittings) in an industrial ventilator, extending these findings from digital to real-world conditions.
[15] | Proposed a spectral-domain adversarial example method to craft more realistic black-box attacks on bearing datasets. | Unlike SAEM, which remains restricted to digital spectral manipulation, the present study demonstrates that comparable vulnerabilities emerge through real mechanical alterations under industrial operating conditions.
[16] | Introduced a GAN-based method for oversampling minority fault classes in bearing FD, mitigating class imbalance. | MoGAN addresses class distribution issues rather than adversarial robustness. The present work highlights how physical perturbations systematically bias diagnostic models, leading to consistent misclassifications.
[17] | Showed that LSTM and GRU anomaly detectors in ICS are highly vulnerable to adversarial inputs in simulations. | Similar vulnerabilities are identified here, but in industrial FD models (ResNet50-1D, BiLSTM) under physical adversarial conditions in a production plant.
[18] | Demonstrated that small-scale physical sabotage on ICS testbeds can bypass anomaly detection mechanisms. | While Villegas-Ch et al. addressed ICS security, this work applies the concept of physical adversarial interference specifically to vibration-based FD in real production equipment.
[20] | Proposed label-free black-box adversarial attacks on soft sensors, showing that regression outputs can be manipulated without ground-truth labels. | The present study extends this concept of stealthy perturbation to vibration-based FD, where physical interventions on sensors mislead classifiers without altering the true operational condition.
[21] | Developed a knowledge-aware GAN to generate smooth adversarial perturbations for soft sensor data in process simulations. | Whereas KAGAN focuses on simulated adversarial smoothness, the perturbations examined here arise naturally from mechanical interventions (eccentric shaft fit, loose bearing) in a real industrial system.
[23] | Proposed multi-sensor fusion (vibration and acoustic) to enhance robustness against random noise in bearings. | Similarly, this work integrates multi-feature inputs (vibration and operational features) but shows that such integration improves resilience against intentional physical adversarial perturbations, not only random noise.
[31] | Benchmarked defenses (adversarial training, denoising, ensembles) on the Tennessee Eastman Process; found adversarial training most effective in black-box scenarios. | That benchmark is process-simulation oriented. This study introduces a new benchmark in rotating machinery, shifting robustness evaluation from simulated processes to real mechanical FD under physical attacks.
[32] | Reviewed adversarial transfer learning and emphasized its persistent vulnerabilities across domains. | This study empirically validates those observations: while the frozen ResNet50-1D backbone is vulnerable, robustness is enhanced by retraining lightweight ML heads (RF/LightGBM) with adversarial data, as quantified by the MCII metric.
[33] | Developed a Time–Frequency Network that improves noise robustness and interpretability in bearing FD. | TFN addresses stochastic disturbances, whereas the present study focuses on systematic adversarial perturbations in industrial machinery, offering complementary insights.

Table 2. Summary of original performance and MCII for DL models under attack.
Model | Acc% | Loss% | Prec% | Rec% | F1% | MCII%
ResNet50 | 97.8 | 3.7 | 97.5 | 97.8 | 97.6 | 67.3
CNN-1D | 97.3 | 8.4 | 98.0 | 94.8 | 96.4 | 67.8
BiLSTM | 97.8 | 6.0 | 98.8 | 95.5 | 97.1 | 70.0
2BiLSTM+Attention | 97.6 | 5.6 | 98.9 | 95.5 | 97.1 | 71.7
Note: performance metrics of original fault diagnosis (green values in the published table); Mean Confusion Impact Index of the 5 attacks (blue values).

Table 3. Performance and attack uncertainty metrics for all ML models.
Model | Accuracy% | Precision% | Recall% | F1-Score% | MCII%
ResNet50-1D + Log. Reg. | 91.78 | 86.08 | 90.48 | 87.72 | 4.88
ResNet50-1D + SVM | 94.81 | 93.94 | 90.97 | 92.31 | 2.30
ResNet50-1D + RF | 96.53 | 96.78 | 96.00 | 96.37 | 0.14
ResNet50-1D + LGBM | 96.30 | 93.94 | 96.68 | 95.21 | 0.90
ResNet50-1D + XGB | 95.25 | 93.88 | 93.13 | 93.46 | 1.37

Table 4. Comparison of four computational cost indicators across classifier heads.
Classifier Head | Training Time (s) | Inference Latency (s/Test) | Throughput (Samples/s) | Model Size
Random Forest | 112.65 | 0.2858 | 280,220 | 276.15 MB
XGBoost | 26.10 | 0.3239 | 247,291 | 3.10 MB
LightGBM | 21.13 | 1.9187 | 41,741 | 3.00 MB
Logistic Regression | 143.18 | 0.0252 | 3,174,606 | 8.17 KB
SVM | 4435.05 | 518.81 | 154.43 | 9.18 MB