Dataset Poisoning Attacks on Behavioral Cloning Policies
Akansha Kalra, Soumil Datta, Ethan Gilmore, Duc La, Guanhong Tao, Daniel S. Brown

TL;DR
This paper investigates the vulnerability of Behavior Cloning policies to clean-label backdoor attacks, revealing that even minimally poisoned datasets can produce deceptively high performance while being highly susceptible to trigger-based manipulations during deployment.
Contribution
It introduces the first analysis of backdoor attacks on BC policies, including a novel entropy-based trigger method and evaluates how attack effectiveness scales with poisoning parameters.
Findings
BC policies are highly vulnerable to backdoor triggers during deployment.
Minimal poisoning can cause significant performance degradation with trigger attacks.
Deceptively high baseline performance masks underlying vulnerability.
Abstract
Behavior Cloning (BC) is a popular framework for training sequential decision policies from expert demonstrations via supervised learning. As these policies are increasingly being deployed in the real world, their robustness and potential vulnerabilities are an important concern. In this work, we perform the first analysis of the efficacy of clean-label backdoor attacks on BC policies. Our backdoor attacks poison a dataset of demonstrations by injecting a visual trigger to create a spurious correlation that can be exploited at test time. We evaluate how policy vulnerability scales with the fraction of poisoned data, the strength of the trigger, and the trigger type. We also introduce a novel entropy-based test-time trigger attack that substantially degrades policy performance by identifying critical states where test-time triggering of the backdoor is expected to be most effective at…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Reinforcement Learning in Robotics
