Sequential Attacks on Agents for Long-Term Adversarial Goals
Edgar Tretschk, Seong Joon Oh, Mario Fritz

TL;DR
This paper demonstrates that sequential adversarial attacks using Adversarial Transformer Networks can manipulate reinforcement learning agents to optimize for arbitrary adversarial rewards, posing security risks in critical applications.
Contribution
It introduces a novel method using ATNs to impose arbitrary rewards on RL agents through sequential attacks, highlighting new security vulnerabilities.
Findings
Attacks can mislead agents to optimize for adversarial rewards.
Sequential attacks are effective against deep neural network policies.
Security threats are significant for safety-critical RL applications.
Abstract
Reinforcement learning (RL) has advanced greatly in the past few years with the employment of effective deep neural networks (DNNs) on the policy networks. With the great effectiveness came serious vulnerability issues with DNNs that small adversarial perturbations on the input can change the output of the network. Several works have pointed out that learned agents with a DNN policy network can be manipulated against achieving the original task through a sequence of small perturbations on the input states. In this paper, we demonstrate furthermore that it is also possible to impose an arbitrary adversarial reward on the victim policy network through a sequence of attacks. Our method involves the latest adversarial attack technique, Adversarial Transformer Network (ATN), that learns to generate the attack and is easy to integrate into the policy network. As a result of our attack, the…
Taxonomy
Topics: Adversarial Robustness in Machine Learning
