Characterizing Attacks on Deep Reinforcement Learning
Xinlei Pan, Chaowei Xiao, Warren He, Shuang Yang, Jian Peng, Mingjie Sun, Jinfeng Yi, Zijiang Yang, Mingyan Liu, Bo Li, Dawn Song

TL;DR
This paper investigates realistic and efficient adversarial attacks on Deep Reinforcement Learning systems, including black-box, online, environmental, and physical perturbations, demonstrating their effectiveness in simulation and real-world robotics.
Contribution
It introduces novel black-box, online, environmental, and physical adversarial attack methods tailored for DRL, with extensive evaluation in simulation and real-world robotics.
Findings
Efficient black-box attacks without model access
Online sequential attacks exploiting temporal consistency
Successful physical perturbations on real robots
Abstract
Recent studies show that Deep Reinforcement Learning (DRL) models are vulnerable to adversarial attacks, which attack DRL models by adding small perturbations to the observations. However, some attacks assume full availability of the victim model, and some require a huge amount of computation, making them less feasible for real world applications. In this work, we make further explorations of the vulnerabilities of DRL by studying other aspects of attacks on DRL using realistic and efficient attacks. First, we adapt and propose efficient black-box attacks when we do not have access to DRL model parameters. Second, to address the high computational demands of existing attacks, we introduce efficient online sequential attacks that exploit temporal consistency across consecutive steps. Third, we explore the possibility of an attacker perturbing other aspects in the DRL setting, such as the…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Reinforcement Learning in Robotics
