SleeperNets: Universal Backdoor Poisoning Attacks Against Reinforcement Learning Agents

TL;DR

This paper introduces SleeperNets, a universal backdoor poisoning attack against reinforcement learning agents, demonstrating its effectiveness across multiple environments while maintaining agent performance.

Contribution

The work presents a novel attack framework with theoretical guarantees and develops SleeperNets, a universal backdoor method exploiting dynamic reward poisoning in RL.

Findings

Significant improvement in attack success rate over existing methods

Maintains benign episodic return during attacks

Effective across multiple diverse environments

Abstract

Reinforcement learning (RL) is an actively growing field that is seeing increased usage in real-world, safety-critical applications -- making it paramount to ensure the robustness of RL algorithms against adversarial attacks. In this work we explore a particularly stealthy form of training-time attacks against RL -- backdoor poisoning. Here the adversary intercepts the training of an RL agent with the goal of reliably inducing a particular action when the agent observes a pre-determined trigger at inference time. We uncover theoretical limitations of prior work by proving their inability to generalize across domains and MDPs. Motivated by this, we formulate a novel poisoning attack framework which interlinks the adversary's objectives with those of finding an optimal policy -- guaranteeing attack success in the limit. Using insights from our theoretical analysis we develop ``SleeperNets'' as a universal backdoor attack which exploits a newly proposed threat model and leverages dynamic reward poisoning techniques. We evaluate our attack in 6 environments spanning multiple domains and demonstrate significant improvements in attack success over existing methods, while preserving benign episodic return.