Policy Poisoning in Batch Reinforcement Learning and Control
This addresses a security vulnerability for systems using batch reinforcement learning and control, presenting a novel attack framework that is incremental in building upon existing methods.
The paper tackles the problem of security threats in batch reinforcement learning and control by introducing policy poisoning attacks, where an attacker slightly modifies data to force a learner into adopting a target policy, and shows that these attacks can be formulated as convex optimization problems with guaranteed global optimality.
We study a security threat to batch reinforcement learning and control where the attacker aims to poison the learned policy. The victim is a reinforcement learner / controller which first estimates the dynamics and the rewards from a batch data set, and then solves for the optimal policy with respect to the estimates. The attacker can modify the data set slightly before learning happens, and wants to force the learner into learning a target policy chosen by the attacker. We present a unified framework for solving batch policy poisoning attacks, and instantiate the attack on two standard victims: tabular certainty equivalence learner in reinforcement learning and linear quadratic regulator in control. We show that both instantiation result in a convex optimization problem on which global optimality is guaranteed, and provide analysis on attack feasibility and attack cost. Experiments show the effectiveness of policy poisoning attacks.