2019
DOI: 10.1007/978-3-030-32430-8_14

Deceptive Reinforcement Learning Under Adversarial Manipulations on Cost Signals

Abstract: This paper studies reinforcement learning (RL) under malicious falsification on cost signals and introduces a quantitative framework of attack models to understand the vulnerabilities of RL. Focusing on Q-learning, we show that Q-learning algorithms converge under stealthy attacks and bounded falsifications on cost signals. We characterize the relation between the falsified cost and the Q-factors, as well as the policy learned by the learning agent, which provides fundamental limits for feasible offensive and de…
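The setting described in the abstract — a cost-minimizing Q-learner whose cost signal is falsified within a bound before it reaches the agent — can be illustrated with a minimal sketch. The environment, attack rule, and hyperparameters below are hypothetical and are not taken from the paper; the sketch only shows where a bounded falsification enters the standard Q-learning update.

```python
# Illustrative sketch (not the paper's implementation): tabular Q-learning where an
# adversary adds a bounded perturbation to the cost signal before the agent sees it.
# The random environment, the attack rule, and all hyperparameters are hypothetical.
import numpy as np

rng = np.random.default_rng(0)
n_states, n_actions = 5, 3
gamma, alpha, epsilon = 0.9, 0.1, 0.1
attack_bound = 0.5  # |delta| <= attack_bound: bounded falsification on the cost

true_cost = rng.uniform(0.0, 1.0, size=(n_states, n_actions))
P = rng.dirichlet(np.ones(n_states), size=(n_states, n_actions))  # P[s, a] = next-state distribution

Q = np.zeros((n_states, n_actions))
s = 0
for t in range(50_000):
    # epsilon-greedy action for a cost-minimizing agent
    if rng.random() < epsilon:
        a = rng.integers(n_actions)
    else:
        a = int(np.argmin(Q[s]))

    # adversary falsifies the observed cost within the bound (hypothetical attack rule)
    delta = attack_bound * np.sign(rng.standard_normal())
    observed_cost = true_cost[s, a] + delta

    s_next = rng.choice(n_states, p=P[s, a])

    # standard Q-learning update driven by the *falsified* cost; min over next actions
    # because the agent minimizes cost rather than maximizes reward
    td_target = observed_cost + gamma * Q[s_next].min()
    Q[s, a] += alpha * (td_target - Q[s, a])
    s = s_next

policy = Q.argmin(axis=1)  # policy learned from falsified costs
print("policy under falsified costs:", policy)
```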

Cited by 49 publications (45 citation statements)
References 26 publications
“…Drones equipped with RL techniques can be commanded to collide into a crowd or a building.32,33 Everitt et al.33 and Wang et al.34 investigated RL algorithms under corrupted reward signals. Lin et al.35 and Behzadan and Munir36 focused on deep RL, which involves DNNs for function approximation.…”
Section: RL Security (mentioning)
confidence: 99%
“…Behzadan and Munir31 discovered that self‐driving platooning vehicles can collide with each other when their observation data are manipulated. Drones equipped with RL techniques can be commanded to collide into a crowd or a building.32,33 Everitt et al.33 and Wang et al.34 investigated RL algorithms under corrupted reward signals.…”
Section: Related Work (mentioning)
confidence: 99%
“…In context poisoning attacks, the adversary can modify the context observed by the agent without changing the reward associated with the context. There are also some recent interesting works on adversarial attacks against reinforcement learning algorithms under various settings [18,19,20,21,22,23,24,25].…”
Section: Introduction (mentioning)
confidence: 99%
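The context-poisoning mechanism quoted above (perturb what the agent observes, leave the reward process untouched) differs from the cost-signal falsification studied in this paper. A minimal hypothetical sketch in a linear contextual bandit may help separate the two threat models; all names, parameters, and the attack rule below are illustrative assumptions, not drawn from any of the cited works.

```python
# Hypothetical sketch of context poisoning in a contextual bandit: the learner sees a
# perturbed context, but the reward is still generated from the true, unmodified context.
import numpy as np

rng = np.random.default_rng(1)
d, n_actions, T = 4, 3, 2_000
theta = rng.normal(size=(n_actions, d))      # unknown per-action reward parameters (assumed)
A = [np.eye(d) for _ in range(n_actions)]    # per-action ridge-regression statistics
b = [np.zeros(d) for _ in range(n_actions)]

for t in range(T):
    x_true = rng.normal(size=d)
    x_seen = x_true + 0.5 * rng.normal(size=d)  # adversary perturbs the observed context

    # greedy action from ridge estimates computed on the *poisoned* context
    est = [np.linalg.solve(A[a], b[a]) @ x_seen for a in range(n_actions)]
    a = int(np.argmax(est))

    # reward depends on the true context and is unchanged by the attack
    r = theta[a] @ x_true + 0.1 * rng.normal()

    # learner updates its statistics with the context it actually observed
    A[a] += np.outer(x_seen, x_seen)
    b[a] += r * x_seen
```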
“…While there is much existing work addressing adversarial attacks on supervised learning models [Szegedy et al., 2014, Goodfellow et al., 2015, Kurakin et al., 2017, Moosavi-Dezfooli et al., 2017, Wang et al., 2018, Cohen et al., 2019, Dohmatob, 2019, Wang et al., 2019, Carmon et al., 2019, Pinot et al., 2019, Alayrac et al., 2019, Dasgupta et al., 2019, Cicalese et al., 2020, Li et al., 2021], the understanding of adversarial attacks on RL models is less complete. Among the limited existing works on adversarial attacks against RL, several formally or experimentally consider different types of poisoning attacks [Huang and Zhu, 2019, Sun et al., 2021, Rakhsha et al., 2020, 2021b]. [Sun et al., 2021] discusses the differences between the poisoning attacks.…”
Section: Introduction (mentioning)
confidence: 99%