Engineering Attack Vectors and Detecting Anomalies in Additive Manufacturing
Md Mahbub Hasan, Marcus Sternhagen, Krishna Chandra Roy
TL;DR
This work analyzes cyber-physical threats in additive manufacturing by targeting the G-code execution layer through MitM-style attacks on two popular FDM platforms. It introduces an unsupervised log-based intrusion detection framework using a frozen transformer encoder (MiniLM) with a contrastive head, plus clustering and a self-attention autoencoder to detect stealthy, non-ground-truth-attacked prints. Realistic attack scenarios, including deferred G-code manipulation, mid-print tampering, and DoS-style commands, are demonstrated on Creality K1 Max and Ender 3. Experimental results show high discriminative performance (AUROC around $0.98$, accuracy $= 95.37\%$) and clear separation of benign versus anomalous telemetry, underscoring the practicality of runtime anomaly detection for AM pipelines. The work highlights the importance of dynamic, log-driven defenses and points to future directions in temporal modeling and federated anomaly detection across printer fleets.
Abstract
Additive manufacturing (AM) is rapidly integrating into critical sectors such as aerospace, automotive, and healthcare. However, this cyber-physical convergence introduces new attack surfaces, especially at the interface between computer-aided design (CAD) and machine execution layers. In this work, we investigate targeted cyberattacks on two widely used fused deposition modeling (FDM) systems, Creality's flagship model K1 Max, and Ender 3. Our threat model is a multi-layered Man-in-the-Middle (MitM) intrusion, where the adversary intercepts and manipulates G-code files during upload from the user interface to the printer firmware. The MitM intrusion chain enables several stealthy sabotage scenarios. These attacks remain undetectable by conventional slicer software or runtime interfaces, resulting in structurally defective yet externally plausible printed parts. To counter these stealthy threats, we propose an unsupervised Intrusion Detection System (IDS) that analyzes structured machine logs generated during live printing. Our defense mechanism uses a frozen Transformer-based encoder (a BERT variant) to extract semantic representations of system behavior, followed by a contrastively trained projection head that learns anomaly-sensitive embeddings. Later, a clustering-based approach and a self-attention autoencoder are used for classification. Experimental results demonstrate that our approach effectively distinguishes between benign and compromised executions.
