Real-time Adversarial Perturbations against Deep Reinforcement Learning Policies: Attacks and Defenses

Deep reinforcement learning (DRL) is vulnerable to adversarial perturbations. Adversaries can mislead the policies of DRL agents by perturbing the state of the environment observed by the agents. Existing attacks are feasible in principle, but face challenges in practice, either by being too slow to...

Bibliographic details
Main authors: Tekgul, Buse G. A, Wang, Shelly, Marchal, Samuel, Asokan, N
Format: Article
Language: eng
creator Tekgul, Buse G. A
Wang, Shelly
Marchal, Samuel
Asokan, N
description Deep reinforcement learning (DRL) is vulnerable to adversarial perturbations. Adversaries can mislead the policies of DRL agents by perturbing the state of the environment observed by the agents. Existing attacks are feasible in principle, but face challenges in practice, either by being too slow to fool DRL policies in real time or by modifying past observations stored in the agent's memory. We show that Universal Adversarial Perturbations (UAP), independent of the individual inputs to which they are applied, can fool DRL policies effectively and in real time. We introduce three attack variants leveraging UAP. Via an extensive evaluation using three Atari 2600 games, we show that our attacks are effective, as they fully degrade the performance of three different DRL agents (up to 100%, even when the $l_\infty$ bound on the perturbation is as small as 0.01). It is faster than the frame rate (60 Hz) of image capture and considerably faster than prior attacks ($\approx 1.8$ms). Our attack technique is also efficient, incurring an online computational cost of $\approx 0.027$ms. Using two tasks involving robotic movement, we confirm that our results generalize to complex DRL tasks. Furthermore, we demonstrate that the effectiveness of known defenses diminishes against universal perturbations. We introduce an effective technique that detects all known adversarial perturbations against DRL policies, including all universal perturbations presented in this paper.
doi_str_mv 10.48550/arxiv.2106.08746
format Article
identifier DOI: 10.48550/arxiv.2106.08746
language eng
recordid cdi_arxiv_primary_2106_08746
source arXiv.org
subjects Computer Science - Artificial Intelligence
Computer Science - Cryptography and Security
Computer Science - Learning
title Real-time Adversarial Perturbations against Deep Reinforcement Learning Policies: Attacks and Defenses