TRAP: Tail-aware Ranking Attack for World-Model Planning

TL;DR

TRAP is a novel backdoor attack targeting the trajectory ranking process in world models, causing planning hijacks and performance drops without disrupting normal behavior on clean inputs.

Contribution

It introduces TRAP, a tail-aware ranking attack framework that exploits the long-tailed trajectory ranking structure in world models for security vulnerabilities.

Findings

TRAP effectively hijacks planning by altering trajectory rankings.

Experiments show TRAP causes significant performance degradation.

TRAP maintains normal ranking on clean inputs, ensuring stealth.

Abstract

World models enable long-horizon planning by internally generating and evaluating imagined trajectories, making them a promising foundation for generalist agents. However, this imagination-driven decision process also introduces new security risks. Existing backdoor attacks typically aim to manipulate local features, one-step predictions, or instantaneous policy outputs. While such objectives may suffice for weaker reactive models, they are often ineffective against world models, where the learned dynamics prior and planning process can absorb or wash out the effects of shallow perturbations. More importantly, we find that world models exhibit a distinct backdoor vulnerability rooted in the long-tailed ranking structure of imagined trajectories, where disrupting the ordering of a few decision-critical trajectories can systematically hijack planning. To exploit this vulnerability, we propose TRAP, a backdoor attack framework for world models that targets imagined trajectory ranking. TRAP combines a tail-aware ranking loss to focus optimization on decision-critical trajectories with dual gating mechanisms that stabilize optimization and regulate when and where the attack penalty is applied. Under trigger conditions, TRAP alters the relative ranking of imagined trajectories to redirect planning outcomes, while largely maintaining the normal ranking structure on clean inputs. Experiments on DreamerV3 and TD-MPC2 across diverse tasks show that TRAP consistently induces sustained behavioral deviations and significant performance degradation, highlighting the need for dedicated security evaluation of world-model-based agents.