How Vulnerable Is My Learned Policy? Universal Adversarial Perturbation Attacks On Modern Behavior Cloning Policies

TL;DR

This paper systematically investigates the vulnerability of various imitation learning algorithms to adversarial attacks, revealing high susceptibility across methods and attack types, including black-box scenarios.

Contribution

It is the first comprehensive study comparing the adversarial vulnerabilities of multiple modern behavior cloning algorithms.

Findings

Most imitation learning methods are highly vulnerable to adversarial attacks.

Black-box transfer attacks can successfully transfer across different algorithms.

The study provides insights for developing more robust imitation learning models.

Abstract

Learning from demonstrations is a popular approach to train AI models; however, their vulnerability to adversarial attacks remains underexplored. We present the first systematic study of adversarial attacks, across a range of both classic and recently proposed imitation learning algorithms, including Vanilla Behavior Cloning (Vanilla BC), LSTM-GMM, Implicit Behavior Cloning (IBC), Diffusion Policy (DP), and Vector-Quantized Behavior Transformer (VQ-BET). We study the vulnerability of these methods to both white-box, grey-box and black-box adversarial perturbations. Our experiments reveal that most existing methods are highly vulnerable to these attacks, including black-box transfer attacks that transfer across algorithms. To the best of our knowledge, we are the first to study and compare the vulnerabilities of different popular imitation learning algorithms to both white-box and black-box attacks. Our findings highlight the vulnerabilities of modern imitation learning algorithms, paving the way for future work in addressing such limitations. Videos and code are available at https://sites.google.com/view/uap-attacks-on-bc.