Who Is the Strongest Enemy? Towards Optimal and Efficient Evasion Attacks in Deep RL

Sun, Yaohua; Ruijie, Zheng,; Liang, Yongyuan; Huang, Furong

doi:10.48550/arxiv.2106.05087

Cited by 4 publications

(32 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Adversarial Training does not improve agent's robust performance. As we observed in Figure 2, adversarial training (AT) does not improve the robustness of the agent in both discrete and continuous action space, although AT achieves good robustness againt p attacks in vision tasks [23,48], and against observation attacks [49,40] and action attacks [32] in RL. We hypothesize that it is due to (1) the large number of total agents, (2) the uncertainty of adversarial message channels, and (3) the relatively large perturbation length.…”

Section: C3 Additional Resultsmentioning

confidence: 99%

“…We hypothesize that it is due to (1) the large number of total agents, (2) the uncertainty of adversarial message channels, and (3) the relatively large perturbation length. To be more specific, in related works [32,49,40], an agent and an attacker are alternately trained, during which the agent learns to adapt to the learned attacker. However, in the threat model we consider, there are C out of N messages significantly perturbed, which it is hard for the agent to adapt to attacks during alternate training.…”

Section: C3 Additional Resultsmentioning

confidence: 99%

“…Adversarial Robustness of RL Agents Section 3 introduces several adversarial attacks on singleagent and multi-agent problems. To improve the robustness of agents, adversarial training (i.e., introducing adversarial agents to the system during training [32,31,49,40]) and network regularization [50,38,28] are empirically shown to be effective under p attacks, although such robustness is not theoretically guaranteed. Certifying the robustness of a network is an important research problem [33,6,12].…”

Section: Related Workmentioning

confidence: 99%

“…The learned attack can strategically mislead the victim. As shown in prior works [50,49,40], the theoretically optimal attack (which minimizes the victim's reward) can be formed as an RL problem and learned by RL algorithms. Therefore, we can regard this attack as a worst-case attack for the victim agents.…”

Section: Implementation and Baselinesmentioning

confidence: 99%

See 3 more Smart Citations

Certifiably Robust Policy Learning against Adversarial Communication in Multi-agent Systems

Sun¹,

Ruijie²,

Hassanzadeh³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Communication is important in many multi-agent reinforcement learning (MARL) problems for agents to share information and make good decisions. However, when deploying trained communicative agents in a real-world application where noise and potential attackers exist, the safety of communication-based policies becomes a severe issue that is underexplored. Specifically, if communication messages are manipulated by malicious attackers, agents relying on untrustworthy communication may take unsafe actions that lead to catastrophic consequences. Therefore, it is crucial to ensure that agents will not be misled by corrupted communication, while still benefiting from benign communication. In this work, we consider an environment with N agents, where the attacker may arbitrarily change the communication from any C < N −1 2 agents to a victim agent. For this strong threat model, we propose a certifiable defense by constructing a message-ensemble policy that aggregates multiple randomly ablated message sets. Theoretical analysis shows that this message-ensemble policy can utilize benign communication while being certifiably robust to adversarial communication, regardless of the attacking algorithm. Experiments in multiple environments verify that our defense significantly improves the robustness of trained policies against various types of attacks.

show abstract

Section: C3 Additional Resultsmentioning

confidence: 99%

Section: C3 Additional Resultsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Implementation and Baselinesmentioning

confidence: 99%

See 2 more Smart Citations

Certifiably Robust Policy Learning against Adversarial Communication in Multi-agent Systems

Sun¹,

Ruijie²,

Hassanzadeh³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Hence, it is imperative to study RL under an adversarial environment. In the last five years, there is a surge in terms of the number of papers that studies the security issues of RL [104,105,106,107,108,109,110,111,112,113,114,115,116,117]. The vulnerabilities of RL comes from the information exchange between the agent and the environment.…”

Section: Reinforcement Learning In Adversarial Environmentmentioning

confidence: 99%

Reinforcement Learning for Feedback-Enabled Cyber Resilience

Huang¹,

Huang²,

Zhu³

2021

Preprint

View full text Add to dashboard Cite

The rapid growth in the number of devices and their connectivity has enlarged the attack surface and made cyber systems more vulnerable. As attackers become increasingly sophisticated and resourceful, mere reliance on traditional cyber protection, such as intrusion detection, firewalls, and encryption, is insufficient to secure the cyber systems. Cyber resilience provides a new security paradigm that complements inadequate protection with resilience mechanisms. A Cyber-Resilient Mechanism (CRM) adapts to the known or zero-day threats and uncertainties in real-time and strategically responds to them to maintain the critical functions of the cyber systems in the event of successful attacks. Feedback architectures play a pivotal role in enabling the online sensing, reasoning, and actuation process of the CRM. Reinforcement Learning (RL) is an important class of algorithms that epitomize the feedback architectures for cyber resiliency. It allows the CRM to provide dynamic and sequential responses to attacks with limited or without prior knowledge of the environment and the attacker. In this work, we review the literature on RL for cyber resiliency and discuss the cyber-resilient defenses against three major types of vulnerabilities, i.e., posture-related, information-related, and human-related vulnerabilities. We introduce moving target defense, defensive cyber deception, and assistive human security technologies as three application domains of CRMs to elaborate on their designs. The RL algorithms also have vulnerabilities themselves. We explain the major vulnerabilities of RL and present works that develop several attack models, in which the attacks target the rewards, the state observations, and the action commands. We show that the attacker can trick the RL agent into learning a nefarious policy with minimum attacking effort. We discuss the potential defense methods to secure them and find that there is a lack of works focusing on the defensive mechanisms for RL-enabled systems. Finally, we discuss the future challenges of RL for cyber security and resiliency and emerging applications of RL-based CRMs.

show abstract

Adversarial attack and defense technologies in natural language processing: A survey

et al. 2022

View full text Add to dashboard Cite

Who Is the Strongest Enemy? Towards Optimal and Efficient Evasion Attacks in Deep RL

Cited by 4 publications

References 17 publications

Certifiably Robust Policy Learning against Adversarial Communication in Multi-agent Systems

Certifiably Robust Policy Learning against Adversarial Communication in Multi-agent Systems

Reinforcement Learning for Feedback-Enabled Cyber Resilience

Adversarial attack and defense technologies in natural language processing: A survey

Contact Info

Product

Resources

About