Real-time Adversarial Perturbations against Deep Reinforcement Learning Policies: Attacks and Defenses

Buse Atli Tekgul; Shelly Wang; Samuel Marchal; N. Asokan

doi:10.1007/978-3-031-17143-7_19

Real-time Adversarial Perturbations against Deep Reinforcement Learning Policies: Attacks and Defenses

Buse Atli Tekgul, Shelly Wang, Samuel Marchal, N. Asokan

Tutkimustuotos: Artikkeli kirjassa/konferenssijulkaisussa › Conference contribution › Scientific › vertaisarvioitu

Abstrakti

Deep reinforcement learning (DRL) is vulnerable to adversarial perturbations. Adversaries can mislead the policies of DRL agents by perturbing the state of the environment observed by the agents. Existing attacks are feasible in principle, but face challenges in practice, either by being too slow to fool DRL policies in real time or by modifying past observations stored in the agent’s memory. We show that Universal Adversarial Perturbations (UAP), independent of the individual inputs to which they are applied, can fool DRL policies effectively and in real time. We introduce three attack variants leveraging UAP. Via an extensive evaluation using three Atari 2600 games, we show that our attacks are effective, as they fully degrade the performance of three different DRL agents (up to 100%, even when the l _∞ bound on the perturbation is as small as 0.01). It is faster than the frame rate (60 Hz) of image capture and considerably faster than prior attacks (≈ 1.8 ms). Our attack technique is also efficient, incurring an online computational cost of ≈ 0.027 ms. Using two tasks involving robotic movement, we confirm that our results generalize to complex DRL tasks. Furthermore, we demonstrate that the effectiveness of known defenses diminishes against universal perturbations. We introduce an effective technique that detects all known adversarial perturbations against DRL policies, including all universal perturbations presented in this paper.

Alkuperäiskieli	Englanti
Otsikko	Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings
Toimittajat	Atluri, R DiPietro, CD Jensen, W Meng
Kustantaja	SPRINGER
Sivut	384-404
Sivumäärä	21
Vuosikerta	13556
ISBN (elektroninen)	978-3-031-17143-7
ISBN (painettu)	978-3-031-17142-0
DOI - pysyväislinkit	https://doi.org/10.1007/978-3-031-17143-7_19
Tila	Julkaistu - 2022
OKM-julkaisutyyppi	A4 Artikkeli konferenssijulkaisuussa
Tapahtuma	European Symposium on Research in Computer Security - Copenhagen, Tanska Kesto: 26 syysk. 2022 → 30 syysk. 2022 Konferenssinumero: 27

Julkaisusarja

Nimi	Lecture Notes in Computer Science
Kustantaja	Springer
Vuosikerta	13556
ISSN (painettu)	0302-9743
ISSN (elektroninen)	1611-3349

Conference

Conference	European Symposium on Research in Computer Security
Lyhennettä	ESORICS
Maa/Alue	Tanska
Kaupunki	Copenhagen
Ajanjakso	26/09/2022 → 30/09/2022

Pääsy asiakirjaan

10.1007/978-3-031-17143-7_19

https://arxiv.org/abs/2106.08746

OpenUrl-saatavuus

Koko teksti

Muut tiedostot ja linkit

Linkki julkaisuun Scopuksessa

Siteeraa tätä

Atli Tekgul, B., Wang, S., Marchal, S., & Asokan, N. (2022). Real-time Adversarial Perturbations against Deep Reinforcement Learning Policies: Attacks and Defenses. teoksessa Atluri, R. DiPietro, CD. Jensen, & W. Meng (Toimittajat), Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings (Vuosikerta 13556, Sivut 384-404). (Lecture Notes in Computer Science; Vuosikerta 13556). SPRINGER. https://doi.org/10.1007/978-3-031-17143-7_19

Atli Tekgul, Buse ; Wang, Shelly ; Marchal, Samuel et al. / Real-time Adversarial Perturbations against Deep Reinforcement Learning Policies: Attacks and Defenses. Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings. Toimittaja / Atluri ; R DiPietro ; CD Jensen ; W Meng. Vuosikerta 13556 SPRINGER, 2022. Sivut 384-404 (Lecture Notes in Computer Science).

@inproceedings{1f501bbd3c064044bd8f05615274d917,

title = "Real-time Adversarial Perturbations against Deep Reinforcement Learning Policies: Attacks and Defenses",

abstract = "Deep reinforcement learning (DRL) is vulnerable to adversarial perturbations. Adversaries can mislead the policies of DRL agents by perturbing the state of the environment observed by the agents. Existing attacks are feasible in principle, but face challenges in practice, either by being too slow to fool DRL policies in real time or by modifying past observations stored in the agent{\textquoteright}s memory. We show that Universal Adversarial Perturbations (UAP), independent of the individual inputs to which they are applied, can fool DRL policies effectively and in real time. We introduce three attack variants leveraging UAP. Via an extensive evaluation using three Atari 2600 games, we show that our attacks are effective, as they fully degrade the performance of three different DRL agents (up to 100%, even when the l ∞ bound on the perturbation is as small as 0.01). It is faster than the frame rate (60 Hz) of image capture and considerably faster than prior attacks (≈ 1.8 ms). Our attack technique is also efficient, incurring an online computational cost of ≈ 0.027 ms. Using two tasks involving robotic movement, we confirm that our results generalize to complex DRL tasks. Furthermore, we demonstrate that the effectiveness of known defenses diminishes against universal perturbations. We introduce an effective technique that detects all known adversarial perturbations against DRL policies, including all universal perturbations presented in this paper.",

author = "{Atli Tekgul}, Buse and Shelly Wang and Samuel Marchal and N. Asokan",

year = "2022",

doi = "10.1007/978-3-031-17143-7_19",

language = "English",

isbn = "978-3-031-17142-0",

volume = "13556",

series = "Lecture Notes in Computer Science",

publisher = "SPRINGER",

pages = "384--404",

editor = "Atluri and R DiPietro and CD Jensen and W Meng",

booktitle = "Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings",

address = "Germany",

note = "European Symposium on Research in Computer Security, ESORICS ; Conference date: 26-09-2022 Through 30-09-2022",

}

Atli Tekgul, B, Wang, S, Marchal, S & Asokan, N 2022, Real-time Adversarial Perturbations against Deep Reinforcement Learning Policies: Attacks and Defenses. julkaisussa Atluri, R DiPietro, CD Jensen & W Meng (toim), Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings. Vuosikerta 13556, Lecture Notes in Computer Science, Vuosikerta 13556, SPRINGER, Sivut 384-404, European Symposium on Research in Computer Security, Copenhagen, Tanska, 26/09/2022. https://doi.org/10.1007/978-3-031-17143-7_19

Real-time Adversarial Perturbations against Deep Reinforcement Learning Policies: Attacks and Defenses. / Atli Tekgul, Buse; Wang, Shelly; Marchal, Samuel et al.
Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings. toim. / Atluri; R DiPietro; CD Jensen; W Meng. Vuosikerta 13556 SPRINGER, 2022. s. 384-404 (Lecture Notes in Computer Science; Vuosikerta 13556).

Tutkimustuotos: Artikkeli kirjassa/konferenssijulkaisussa › Conference contribution › Scientific › vertaisarvioitu

TY - GEN

T1 - Real-time Adversarial Perturbations against Deep Reinforcement Learning Policies: Attacks and Defenses

AU - Atli Tekgul, Buse

AU - Wang, Shelly

AU - Marchal, Samuel

AU - Asokan, N.

N1 - Conference code: 27

PY - 2022

Y1 - 2022

N2 - Deep reinforcement learning (DRL) is vulnerable to adversarial perturbations. Adversaries can mislead the policies of DRL agents by perturbing the state of the environment observed by the agents. Existing attacks are feasible in principle, but face challenges in practice, either by being too slow to fool DRL policies in real time or by modifying past observations stored in the agent’s memory. We show that Universal Adversarial Perturbations (UAP), independent of the individual inputs to which they are applied, can fool DRL policies effectively and in real time. We introduce three attack variants leveraging UAP. Via an extensive evaluation using three Atari 2600 games, we show that our attacks are effective, as they fully degrade the performance of three different DRL agents (up to 100%, even when the l ∞ bound on the perturbation is as small as 0.01). It is faster than the frame rate (60 Hz) of image capture and considerably faster than prior attacks (≈ 1.8 ms). Our attack technique is also efficient, incurring an online computational cost of ≈ 0.027 ms. Using two tasks involving robotic movement, we confirm that our results generalize to complex DRL tasks. Furthermore, we demonstrate that the effectiveness of known defenses diminishes against universal perturbations. We introduce an effective technique that detects all known adversarial perturbations against DRL policies, including all universal perturbations presented in this paper.

AB - Deep reinforcement learning (DRL) is vulnerable to adversarial perturbations. Adversaries can mislead the policies of DRL agents by perturbing the state of the environment observed by the agents. Existing attacks are feasible in principle, but face challenges in practice, either by being too slow to fool DRL policies in real time or by modifying past observations stored in the agent’s memory. We show that Universal Adversarial Perturbations (UAP), independent of the individual inputs to which they are applied, can fool DRL policies effectively and in real time. We introduce three attack variants leveraging UAP. Via an extensive evaluation using three Atari 2600 games, we show that our attacks are effective, as they fully degrade the performance of three different DRL agents (up to 100%, even when the l ∞ bound on the perturbation is as small as 0.01). It is faster than the frame rate (60 Hz) of image capture and considerably faster than prior attacks (≈ 1.8 ms). Our attack technique is also efficient, incurring an online computational cost of ≈ 0.027 ms. Using two tasks involving robotic movement, we confirm that our results generalize to complex DRL tasks. Furthermore, we demonstrate that the effectiveness of known defenses diminishes against universal perturbations. We introduce an effective technique that detects all known adversarial perturbations against DRL policies, including all universal perturbations presented in this paper.

UR - http://www.scopus.com/inward/record.url?scp=85140709338&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-17143-7_19

DO - 10.1007/978-3-031-17143-7_19

M3 - Conference contribution

SN - 978-3-031-17142-0

VL - 13556

T3 - Lecture Notes in Computer Science

SP - 384

EP - 404

BT - Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings

A2 - Atluri, null

A2 - DiPietro, R

A2 - Jensen, CD

A2 - Meng, W

PB - SPRINGER

T2 - European Symposium on Research in Computer Security

Y2 - 26 September 2022 through 30 September 2022

ER -

Atli Tekgul B, Wang S, Marchal S , Asokan N. Real-time Adversarial Perturbations against Deep Reinforcement Learning Policies: Attacks and Defenses. julkaisussa Atluri, DiPietro R, Jensen CD, Meng W, toimittajat, Computer Security – ESORICS 2022 - 27th European Symposium on Research in Computer Security, Proceedings. Vuosikerta 13556. SPRINGER. 2022. s. 384-404. (Lecture Notes in Computer Science). Epub 2022 syys 24. doi: 10.1007/978-3-031-17143-7_19

Real-time Adversarial Perturbations against Deep Reinforcement Learning Policies: Attacks and Defenses

Abstrakti

Julkaisusarja

Conference

Pääsy asiakirjaan

OpenUrl-saatavuus

Muut tiedostot ja linkit

Sormenjälki

Siteeraa tätä