Rethinking Adversarial Attacks in Reinforcement Learning from Policy Distribution Perspective

TL;DR

This paper introduces DAPGD, a novel adversarial attack method for deep reinforcement learning that considers entire policy distributions, leading to more effective robustness evaluation especially in continuous action spaces.

Contribution

The paper proposes DAPGD, a distribution-aware attack leveraging Bhattacharyya distance to improve adversarial effectiveness over existing sample-based methods.

Findings

DAPGD outperforms baselines with 22.03% higher reward drop.

Effective in continuous action spaces.

Achieves state-of-the-art results in robot navigation tasks.

Abstract

Deep Reinforcement Learning (DRL) suffers from uncertainties and inaccuracies in the observation signal in realworld applications. Adversarial attack is an effective method for evaluating the robustness of DRL agents. However, existing attack methods targeting individual sampled actions have limited impacts on the overall policy distribution, particularly in continuous action spaces. To address these limitations, we propose the Distribution-Aware Projected Gradient Descent attack (DAPGD). DAPGD uses distribution similarity as the gradient perturbation input to attack the policy network, which leverages the entire policy distribution rather than relying on individual samples. We utilize the Bhattacharyya distance in DAPGD to measure policy similarity, enabling sensitive detection of subtle but critical differences between probability distributions. Our experiment results demonstrate that DAPGD achieves SOTA results compared to the baselines in three robot navigation tasks, achieving an average 22.03% higher reward drop compared to the best baseline.