Robust Deep Reinforcement Learning against Adversarial Perturbations on State Observations

A deep reinforcement learning (DRL) agent observes its states through observations, which may contain natural measurement errors or adversarial noise. Since the observations deviate from the true states, they can mislead the agent into taking suboptimal actions. Several works have demonstrated this vulnerability via adversarial attacks, but existing approaches to improving the robustness of DRL in this setting have had limited success and lack theoretical principles. We show that naively applying techniques designed to improve robustness in classification tasks, such as adversarial training, is ineffective for many RL tasks. We propose the state-adversarial Markov decision process (SA-MDP) to study the fundamental properties of this problem, and develop a theoretically principled policy regularization that can be applied to a large family of DRL algorithms, including proximal policy optimization (PPO), deep deterministic policy gradient (DDPG), and deep Q networks (DQN), for both discrete and continuous action control problems. We significantly improve the robustness of PPO, DDPG, and DQN agents under a suite of strong white-box adversarial attacks, including new attacks of our own. Additionally, we find that a robust policy noticeably improves DRL performance even without an adversary in a number of environments. Our code is available at this https URL

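To make the regularization idea concrete, here is a minimal sketch (not the paper's exact formulation) of a state-adversarial policy regularizer. It assumes a PyTorch setup and a hypothetical `policy_net` mapping observations to action logits: projected gradient ascent searches an l_inf ball of radius `eps` around each observation for a perturbation that maximizes the divergence between the policy at the true state and at the perturbed state, and that worst-case divergence is returned as a term to be added to the usual RL loss.

```python
# Hedged sketch of a state-adversarial policy regularizer (PyTorch assumed).
# policy_net, eps, steps, step_size, and kappa are illustrative names, not the
# paper's actual hyperparameters or code.
import torch
import torch.nn.functional as F

def state_adversarial_regularizer(policy_net, states, eps=0.05, steps=10, step_size=0.01):
    # Fix the clean policy distribution pi(.|s) as the comparison target.
    with torch.no_grad():
        clean_logits = policy_net(states)
    # Start from a random point inside the l_inf ball around the true states.
    perturbed = states + torch.empty_like(states).uniform_(-eps, eps)
    for _ in range(steps):
        perturbed = perturbed.detach().requires_grad_(True)
        kl = F.kl_div(F.log_softmax(policy_net(perturbed), dim=-1),
                      F.softmax(clean_logits, dim=-1),
                      reduction="batchmean")
        grad, = torch.autograd.grad(kl, perturbed)
        with torch.no_grad():
            perturbed = perturbed + step_size * grad.sign()              # ascend on the divergence
            perturbed = states + (perturbed - states).clamp(-eps, eps)   # project back into the ball
    # Recompute the divergence at the (approximately) worst-case state; gradients
    # now flow into policy_net so the term can be minimized during training.
    return F.kl_div(F.log_softmax(policy_net(perturbed.detach()), dim=-1),
                    F.softmax(clean_logits, dim=-1),
                    reduction="batchmean")

# Usage sketch: total_loss = rl_loss + kappa * state_adversarial_regularizer(policy_net, states)
```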