Efficient Reward Poisoning Attacks on Online Deep Reinforcement Learning
This exposes vulnerabilities in state-of-the-art DRL algorithms, posing a security risk for applications relying on online learning.
The paper tackles the problem of reward poisoning attacks on online deep reinforcement learning by designing a black-box framework that corrupts rewards for a small fraction of timesteps, resulting in agents learning low-performing policies across various environments and algorithms.
We study reward poisoning attacks on online deep reinforcement learning (DRL), where the attacker is oblivious to the learning algorithm used by the agent and the dynamics of the environment. We demonstrate the intrinsic vulnerability of state-of-the-art DRL algorithms by designing a general, black-box reward poisoning framework called adversarial MDP attacks. We instantiate our framework to construct two new attacks which only corrupt the rewards for a small fraction of the total training timesteps and make the agent learn a low-performing policy. We provide a theoretical analysis of the efficiency of our attack and perform an extensive empirical evaluation. Our results show that our attacks efficiently poison agents learning in several popular classical control and MuJoCo environments with a variety of state-of-the-art DRL algorithms, such as DQN, PPO, SAC, etc.