TL;DR
This paper uncovers new vulnerabilities in deep reinforcement learning systems, demonstrating backdoor attacks that operate at component and post-training stages, even under limited adversarial access, challenging existing security assumptions.
Contribution
It introduces two novel backdoor attacks, TrojanentRL and InfrectroRL, that can embed persistent and post-training backdoors in DRL models with minimal privileges.
Findings
Attacks perform comparably to state-of-the-art training-time backdoors.
InfrectroRL evades two leading DRL backdoor defenses.
Vulnerabilities exist across the DRL supply chain, not just during training.
Abstract
Deep Reinforcement Learning (DRL) systems are increasingly used in safety-critical applications, yet their security remains severely underexplored. This work investigates backdoor attacks, which implant hidden triggers that cause malicious actions only when specific inputs appear in the observation space. Existing DRL backdoor research focuses solely on training-time attacks requiring unrealistic access to the training pipeline. In contrast, we reveal critical vulnerabilities across the DRL supply chain where backdoors can be embedded with significantly reduced adversarial privileges. We introduce two novel attacks: (1) TrojanentRL, which exploits component-level flaws to implant a persistent backdoor that survives full model retraining; and (2) InfrectroRL, a post-training backdoor attack which requires no access to training, validation, nor test data. Empirical and analytical…
