BehaviorGuard: Online Backdoor Defense for Deep Reinforcement Learning

TL;DR

BehaviorGuard is an online, behavior-based framework that detects and mitigates backdoor attacks in deep reinforcement learning by monitoring shifts in action distribution patterns.

Contribution

It introduces the first online backdoor defense for DRL that detects triggers via behavioral drift without relying on reward anomalies or fine-tuning.

Findings

BehaviorGuard effectively detects backdoors in diverse DRL benchmarks.

It outperforms prior methods in both accuracy and computational efficiency.

The approach works for both single- and multi-agent DRL settings.

Abstract

Backdoor attacks pose a serious threat to deep reinforcement learning (DRL). Current defenses typically rely on reward anomalies to reverse-engineer triggers and model finetuning to remove backdoors. However, complex trigger patterns undermine their robustness, and fine-tuning entails high costs, limiting practical utility. Therefore, we shift defense concerns to trigger-agnostic backdoor output behaviors and propose BehaviorGuard, an online behavior-based backdoor detection and mitigation framework for DRL. Specifically, we find that regardless of attacks, backdoored policies induce consistent shifts in action distributions to ensure reliable activation, leaving detectable traces in high-quantile regions and distribution tails, even in the absence of triggers. Based on this, we design a novel metric that captures behavioral drift in action distributions to identify and suppress backdoor actions at runtime. To our knowledge, this is the first online backdoor defense that counters attacks both in single- and multi-agent DRL. Evaluated across diverse benchmarks with different backdoor attacks, BehaviorGuard consistently surpasses prior methods in both efficacy and efficiency.