Real-time Adversarial Perturbations against Deep Reinforcement Learning Policies: Attacks and Defenses

Buse Atli Tekgul, Shelly Wang, Samuel Marchal, N. Asokan

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

4 Citations (Scopus)


Deep reinforcement learning (DRL) is vulnerable to adversarial perturbations. Adversaries can mislead the policies of DRL agents by perturbing the state of the environment observed by the agents. Existing attacks are feasible in principle, but face challenges in practice, either by being too slow to fool DRL policies in real time or by modifying past observations stored in the agent’s memory. We show that Universal Adversarial Perturbations (UAP), independent of the individual inputs to which they are applied, can fool DRL policies effectively and in real time. We introduce three attack variants leveraging UAP. Via an extensive evaluation using three Atari 2600 games, we show that our attacks are effective, as they fully degrade the performance of three different DRL agents (up to 100%, even when the l bound on the perturbation is as small as 0.01). It is faster than the frame rate (60 Hz) of image capture and considerably faster than prior attacks (≈ 1.8 ms). Our attack technique is also efficient, incurring an online computational cost of ≈ 0.027 ms. Using two tasks involving robotic movement, we confirm that our results generalize to complex DRL tasks. Furthermore, we demonstrate that the effectiveness of known defenses diminishes against universal perturbations. We introduce an effective technique that detects all known adversarial perturbations against DRL policies, including all universal perturbations presented in this paper.

Original language: English
Title of host publication: Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings
Editors: Atluri, R DiPietro, CD Jensen, W Meng
Number of pages: 21
ISBN (Electronic): 978-3-031-17143-7
ISBN (Print): 978-3-031-17142-0
Publication status: Published - 2022
MoE publication type: A4 Conference publication
Event: European Symposium on Research in Computer Security - Copenhagen, Denmark
Duration: 26 Sept 2022 – 30 Sept 2022
Conference number: 27

Publication series

Name: Lecture Notes in Computer Science
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: European Symposium on Research in Computer Security
Abbreviated title: ESORICS

