Real-time Adversarial Perturbations against Deep Reinforcement Learning Policies: Attacks and Defenses

Research output: Chapter in Book/Report/Conference proceedingConference contributionScientificpeer-review

Abstract

Deep reinforcement learning (DRL) is vulnerable to adversarial perturbations. Adversaries can mislead the policies of DRL agents by perturbing the state of the environment observed by the agents. Existing attacks are feasible in principle, but face challenges in practice, either by being too slow to fool DRL policies in real time or by modifying past observations stored in the agent’s memory. We show that Universal Adversarial Perturbations (UAP), independent of the individual inputs to which they are applied, can fool DRL policies effectively and in real time. We introduce three attack variants leveraging UAP. Via an extensive evaluation using three Atari 2600 games, we show that our attacks are effective, as they fully degrade the performance of three different DRL agents (up to 100%, even when the l bound on the perturbation is as small as 0.01). It is faster than the frame rate (60 Hz) of image capture and considerably faster than prior attacks (≈ 1.8 ms). Our attack technique is also efficient, incurring an online computational cost of ≈ 0.027 ms. Using two tasks involving robotic movement, we confirm that our results generalize to complex DRL tasks. Furthermore, we demonstrate that the effectiveness of known defenses diminishes against universal perturbations. We introduce an effective technique that detects all known adversarial perturbations against DRL policies, including all universal perturbations presented in this paper.

Original languageEnglish
Title of host publicationComputer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings
Editors Atluri, R DiPietro, CD Jensen, W Meng
Pages384-404
Number of pages21
Volume13556
ISBN (Electronic)978-3-031-17143-7
DOIs
Publication statusPublished - 2022
MoE publication typeA4 Article in a conference publication
EventEuropean Symposium on Research in Computer Security - Copenhagen, Denmark
Duration: 26 Sep 202230 Sep 2022
Conference number: 27

Publication series

NameLecture Notes in Computer Science
PublisherSpringer
Volume13556
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

ConferenceEuropean Symposium on Research in Computer Security
Abbreviated titleESORICS
Country/TerritoryDenmark
CityCopenhagen
Period26/09/202230/09/2022

Fingerprint

Dive into the research topics of 'Real-time Adversarial Perturbations against Deep Reinforcement Learning Policies: Attacks and Defenses'. Together they form a unique fingerprint.

Cite this