Query-based targeted action-space adversarial policies on deep reinforcement learning agents

Advances in computing resources have resulted in the increasing complexity of cyber-physical systems (CPS). As the complexity of CPS has grown, the focus has shifted from traditional control methods to deep reinforcement learning-based (DRL) methods for controlling these systems, because accurate models of complex CPS, which traditional control requires, are difficult to obtain. However, to securely deploy DRL in production, it is essential to examine the weaknesses of DRL-based controllers (policies) against malicious attacks from all angles. In this work, we investigate targeted attacks in the action-space domain, also commonly known as actuation attacks in the CPS literature, which perturb the outputs of a controller. We show that a query-based black-box attack model that generates optimal perturbations with respect to an adversarial goal can be formulated as another reinforcement learning problem; such an adversarial policy can therefore be trained using conventional DRL methods. Experimental results show that adversarial policies that observe only the nominal policy's output generate stronger attacks than adversarial policies that observe both the nominal policy's input and output. Further analysis reveals that nominal policies whose outputs are frequently at the boundaries of the action space are naturally more robust against adversarial policies. Lastly, we propose the use of adversarial training with transfer learning to induce robust behaviors in the nominal policy, which decreases the rate of successful targeted attacks by half.
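The abstract reports that nominal policies whose outputs often sit at the action-space boundaries are more robust to actuation perturbations. The script below is an added illustration, not code from the paper or its authors, of one mechanism consistent with that observation (an assumption, not the paper's own analysis): when the plant clips actions to a bounded range, any part of a perturbation that pushes a saturated action further outward is absorbed. It assumes a symmetric continuous action space `[-1, 1]`, a per-dimension perturbation budget `eps`, and an adversary whose direction is unknown, so survival is averaged over both signs. The two trajectories are constructed for the example.

```python
import numpy as np

LOW, HIGH = -1.0, 1.0  # assumed bounded continuous action space with actuator clipping


def clip_action(action, low=LOW, high=HIGH):
    """Actuator saturation: the plant only ever receives actions inside [low, high]."""
    return np.clip(np.asarray(action, dtype=float), low, high)


def realised_deviation(nominal, delta, low=LOW, high=HIGH):
    """Per-dimension change the plant actually sees when delta is added before clipping."""
    nominal = np.asarray(nominal, dtype=float)
    return np.abs(clip_action(nominal + delta, low, high) - clip_action(nominal, low, high))


def survival_fraction(nominal, eps, low=LOW, high=HIGH):
    """Expected fraction of a budget-eps actuation perturbation that survives clipping.

    Averaged over the two signs per dimension, i.e. the defender does not know which
    way the adversary pushes. 1.0 means the whole perturbation reaches the plant.
    """
    up = realised_deviation(nominal, eps, low, high)
    down = realised_deviation(nominal, -eps, low, high)
    return float(((up + down) / (2.0 * eps)).mean())


def boundary_fraction(actions, low=LOW, high=HIGH, tol=1e-6):
    """Fraction of action components the nominal policy emits at a boundary."""
    a = np.asarray(actions, dtype=float)
    return float(np.mean((a <= low + tol) | (a >= high - tol)))


def compare_policies(trajectories, eps):
    """Summarise boundary usage and perturbation survival for each policy's trajectory."""
    return {
        name: {
            "boundary_fraction": boundary_fraction(acts),
            "survival_fraction": float(np.mean([survival_fraction(a, eps) for a in acts])),
        }
        for name, acts in trajectories.items()
    }


# Constructed trajectories (2-D actions over 4 steps): 'bang_bang' saturates almost
# every step, 'smooth' stays well inside the action bounds.
TRAJECTORIES = {
    "bang_bang": [[1.0, -1.0], [1.0, -1.0], [-1.0, 1.0], [0.9, -1.0]],
    "smooth": [[0.0, 0.1], [0.2, -0.3], [-0.1, 0.4], [0.3, 0.0]],
}

if __name__ == "__main__":
    for name, stats in compare_policies(TRAJECTORIES, eps=0.3).items():
        print(name, stats)
```

With a budget of 0.3, every perturbation reaches the plant for the interior policy, while the saturating policy lets only about half through on average, because the outward half of each perturbation is clipped away. Measuring `boundary_fraction` on a trained policy's trajectories is a cheap, attack-free proxy for this particular kind of robustness.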
