English

Adaptive Reward-Poisoning Attacks against Reinforcement Learning

Machine Learning 2020-06-24 v2 Artificial Intelligence Cryptography and Security Machine Learning

Abstract

In reward-poisoning attacks against reinforcement learning (RL), an attacker can perturb the environment reward rtr_t into rt+δtr_t+\delta_t at each step, with the goal of forcing the RL agent to learn a nefarious policy. We categorize such attacks by the infinity-norm constraint on δt\delta_t: We provide a lower threshold below which reward-poisoning attack is infeasible and RL is certified to be safe; we provide a corresponding upper threshold above which the attack is feasible. Feasible attacks can be further categorized as non-adaptive where δt\delta_t depends only on (st,at,st+1)(s_t,a_t, s_{t+1}), or adaptive where δt\delta_t depends further on the RL agent's learning process at time tt. Non-adaptive attacks have been the focus of prior works. However, we show that under mild conditions, adaptive attacks can achieve the nefarious policy in steps polynomial in state-space size S|S|, whereas non-adaptive attacks require exponential steps. We provide a constructive proof that a Fast Adaptive Attack strategy achieves the polynomial rate. Finally, we show that empirically an attacker can find effective reward-poisoning attacks using state-of-the-art deep RL techniques.

Keywords

Cite

@article{arxiv.2003.12613,
  title  = {Adaptive Reward-Poisoning Attacks against Reinforcement Learning},
  author = {Xuezhou Zhang and Yuzhe Ma and Adish Singla and Xiaojin Zhu},
  journal= {arXiv preprint arXiv:2003.12613},
  year   = {2020}
}
R2 v1 2026-06-23T14:29:47.122Z