Adaptive reward-poisoning attacks can force a reinforcement learning agent to learn a nefarious policy in steps polynomial in state-space size, whereas non-adaptive attacks require exponential steps.
In reward-poisoning attacks against reinforcement learning (RL), an attacker can perturb the environment reward rₜ into rₜ+δₜ at each step, with the goal of forcing the RL agent to learn a nefarious policy. We categorize such attacks by the infinity-norm constraint on δₜ: We provide a lower threshold below which reward-poisoning attack is infeasible and RL is certified to be safe; we provide a corresponding upper threshold above which the attack is feasible. Feasible attacks can be further categorized as non-adaptive where δₜ depends only on (sₜ, aₜ, sₓ+₁), or adaptive where δₜ depends further on the RL agent's learning process at time t. Non-adaptive attacks have been the focus of prior works. However, we show that under mild conditions, adaptive attacks can achieve the nefarious policy in steps polynomial in state-space size |S|, whereas non-adaptive attacks require exponential steps. We provide a constructive proof that a Fast Adaptive Attack strategy achieves the polynomial rate. Finally, we show that empirically an attacker can find effective reward-poisoning attacks using state-of-the-art deep RL techniques.
Zhang et al. (Fri,) reported a other. Adaptive Reward-Poisoning Attacks vs. Non-adaptive attacks was evaluated. Adaptive reward-poisoning attacks can force a reinforcement learning agent to learn a nefarious policy in steps polynomial in state-space size, whereas non-adaptive attacks require exponential steps.