Diffusion Policy Attacker: Crafting Adversarial Attacks for Diffusion-based Policies

TL;DR

This paper introduces DP-Attacker, a suite of algorithms designed to craft effective adversarial attacks against diffusion policy models, revealing significant vulnerabilities in their safety across various attack scenarios.

Contribution

The paper presents the first comprehensive adversarial attack framework specifically targeting diffusion policies, addressing their unique chained structure and randomness.

Findings

DP-Attacker significantly reduces diffusion policy success rates

Transferable perturbations can be applied across all frames in offline scenarios

Adversarial physical patches effectively deceive diffusion policies

Abstract

Diffusion models (DMs) have emerged as a promising approach for behavior cloning (BC). Diffusion policies (DP) based on DMs have elevated BC performance to new heights, demonstrating robust efficacy across diverse tasks, coupled with their inherent flexibility and ease of implementation. Despite the increasing adoption of DP as a foundation for policy generation, the critical issue of safety remains largely unexplored. While previous attempts have targeted deep policy networks, DP used diffusion models as the policy network, making it ineffective to be attacked using previous methods because of its chained structure and randomness injected. In this paper, we undertake a comprehensive examination of DP safety concerns by introducing adversarial scenarios, encompassing offline and online attacks, and global and patch-based attacks. We propose DP-Attacker, a suite of algorithms that can craft effective adversarial attacks across all aforementioned scenarios. We conduct attacks on pre-trained diffusion policies across various manipulation tasks. Through extensive experiments, we demonstrate that DP-Attacker has the capability to significantly decrease the success rate of DP for all scenarios. Particularly in offline scenarios, DP-Attacker can generate highly transferable perturbations applicable to all frames. Furthermore, we illustrate the creation of adversarial physical patches that, when applied to the environment, effectively deceive the model. Video results are put in: https://sites.google.com/view/diffusion-policy-attacker.