In reward-poisoning attacks against reinforcement learning (RL), an attacker can perturb the environment reward $r_t$ into $r_t+δ_t$ at each step, with goal of forcing RL agent to learn a nefarious policy. We categorize such by infinity-norm constraint on $δ_t$: provide lower threshold below which attack is infeasible and certified be safe; we corresponding upper above feasible. Feasible further categorized as non-adaptive where $δ_t$ depends only $(s_t,a_t, s_{t+1})$, or adaptive agent's process time $t$. Non-adaptive have been focus prior works. However, show that under mild conditions, achieve policy in steps polynomial state-space size $|S|$, whereas require exponential steps. constructive proof Fast Adaptive Attack strategy achieves rate. Finally, empirically find effective using state-of-the-art deep techniques.

Load

Load