We study a security threat to reinforcement learning where an attacker poisons the learning environment to force the agent into executing a target policy chosen by the attacker. As a victim, we consider RL agents whose objective is to find a policy that maximizes reward in infinite-horizon problem settings. The attacker can manipulate the rewards and the transition dynamics in the learning environment at training-time, and is interested in doing so in a stealthy manner. We propose an optimization framework for finding an optimal stealthy attack for different measures of attack cost. We provide lower/upper bounds on the attack cost, and instantiate our attacks in two settings: (i) an offline setting where the agent is doing planning in the poisoned environment, and (ii) an online setting where the agent is learning a policy with poisoned feedback. Our results show that the attacker can easily succeed in teaching any target policy to the victim under mild conditions and highlight a significant security threat to reinforcement learning agents in practice.
翻译:我们研究对加强学习的安全威胁,因为攻击者会毒害攻击者学习环境,迫使攻击者执行攻击者选择的目标政策。作为受害者,我们认为RL代理商的目标是找到在无穷处问题环境中最大限度地获得奖励的政策。攻击者可以在培训时操纵学习环境中的奖励和过渡动态,并有兴趣以隐形方式这样做。我们提出了一个最佳框架,为不同的攻击费用措施寻找最佳的隐形攻击。我们提供了攻击成本的下限/上限,并在两个环境中即时引爆了我们的攻击:(一) 代理人在有毒环境中进行规划的离线设置,以及(二) 代理人在网上设置正在用有毒的反馈学习政策。我们的结果表明,攻击者很容易在温和的条件下成功地向受害者传授任何目标政策,并着重指出在实际中加强学习代理人的重大安全威胁。