Delving Into Adversarial Attacks on Deep Policies

Delving Into Adversarial Attacks on Deep Policies

Jernej Kos
National University of Singapore
&Dawn Song
University of California, Berkeley
Abstract

Adversarial examples have been shown to exist for a variety of deep learning architectures. Deep reinforcement learning has shown promising results on training agent policies directly on raw inputs such as image pixels. In this paper we present a novel study into adversarial attacks on deep reinforcement learning polices. We compare the effectiveness of the attacks using adversarial examples vs. random noise. We present a novel method for reducing the number of times adversarial examples need to be injected for a successful attack, based on the value function. We further explore how re-training on random noise and FGSM perturbations affects the resilience against adversarial examples.

Delving Into Adversarial Attacks on Deep Policies

Jernej Kos
National University of Singapore
Dawn Song
University of California, Berkeley

1 Introduction

Adversarial examples have been shown to exist for a variety of deep learning architectures. They are small perturbations of the original inputs, often barely visible to a human observer, but carefully crafted to misguide the neural network into producing incorrect outputs. Seminal work by Szegedy et al. (2013) and  Goodfellow et al. (2014), as well as much recent work, has shown that adversarial examples are abundant and finding them is easy. Deep neural networks have been used in deep reinforcement learning (DRL) with promising results on training policies directly on raw inputs such as image pixels. One of the most successful algorithms for training deep policies is A3C (Mnih et al., 2016), which enables asynchronous updates of policy weights, leading to an efficient parallel implementation. As the policies may drive various autonomous agents such as self-driving cars in the real world, adversarial attacks may be of even greater importance.

Our paper is among the first to investigate adversarial examples on DRL policies, showing that these deep policies are easily fooled by adversarial attacks with very small adversarial perturbations. In addition, in this paper, we examine three new dimensions about adversarial attacks on DRL policies that no other work has not addressed before. First, we compare adversarial examples to random noise and show that the former are an order of magnitude more effective for attacking DRL policies.

Another important dimension with DRL systems is time. If the attacker needs to inject adversarial perturbations less frequently, then the attack is easier to perform. To this end, we explore using the policy’s value function as a guide for when to inject perturbations. Our experiments show that with guided injection, the attacker can succeed with injecting perturbations in only a fraction of the frames, and is more effective than injecting perturbations with similar frequency but without the guidance. Our results show that adversarial attacks can be much more complex in the reinforcement learning setting than other settings previously studied such as image classification.

The third dimension is policy resilience through re-training. We present preliminary results showing that the agents are able to become more resilient to fast-gradient sign method (FGSM) attack under re-training with both random noise and FGSM perturbations, while re-training with FGSM perturbations may be more effective than re-training with random noise. The re-trained agent may still be vulnerable to other attack methods such as optimization-based attacks, however, these other attack methods are much slower to perform, often rendering the attacks extremely slow especially for the agent setting.

Concurrently and independently from our work (submission to the same ICLR workshop), Huang et al. (2017) also presented a study into adversarial attacks on DRL policies, showing when an attacker injects small adversarial perturbations into every frame, the learned agent will fail.

Due to space limit, we focus on agents trained on the Atari Pong task using the A3C algorithm and FGSM adversarial perturbations. Our work is a first step towards better understanding of the challenges and limitations of DRL under adversarial inputs.

2 Study Objectives

Attack Effectiveness of Adversarial Examples vs. Random Noise

We study how injecting random noise into the environment compares to injecting FGSM adversarial perturbations.

Using the Value Function to Guide Adversarial Perturbation Injection

We want to see if reducing the frequency of adversarial perturbation injection can still generate an effective attack. We study three different methods: a) we only inject an adversarial perturbation every frames and the intermediate frames are without any perturbation, b) we only recompute an adversarial perturbation every frames and inject the last computed perturbation in the intermediate frames; and c) we use the value function, computed over the original input, in order to estimate when to inject the adversarial perturbation for it to be most effective, and only inject the adversarial perturbation when this estimate is above a certain threshold.

Effectiveness of Re-training with Adversarial Examples and Random Noise

We study whether the agents can be re-trained on an environment with injected random noise or adversarial perturbations in order to make them more resilient against further adversarial perturbations. Additionally, we study whether this obtained resilience transfers to environments with different magnitudes and different types of perturbations (e.g., is an agent trained on random noise any more resilient to FGSM adversarial perturbations).

3 Experimental Evaluation

To perform our experiments, we use a TensorFlow implementation of the A3C (Mnih et al., 2016) algorithm. We evaluate the method on the Atari Pong task, where the initial input image pixels are cropped and scaled to 42x42. Finally, luminosity is computed from RGB values, giving us frame dimensions of 42x42x1.

To generate adversarial perturbations, we use the fast gradient sign method (FGSM) initially developed by Goodfellow et al. (2014). FGSM requires a loss function in order to compute its gradient . We use the cross-entropy loss between (a vector of logits, representing weights for each action, produced by the policy) and the one-hot encoding of . This means that the attack attempts to generate an input which moves the policy output away from the optimal action.

In all our experiments, the agent is first trained on a baseline (non-noisy) environment until it achieves an optimal reward for a number of episodes (baseline agent). Then, for generating the FGSM perturbations we set an appropriate and compute . For generating random noise, we sample from a uniform distribution , where we set based on the required intensity.

Attack Effectiveness of Adversarial Examples vs. Random Noise

The baseline agent is evaluated on a modified version of the environment, where either random noise or FGSM perturbation is injected on every frame. Figure 3 in Appendix shows the difference in attack effectiveness between random noise and FGSM perturbations. While low levels of random noise () do not impact the agent’s performance much, using random noise of greater magnitude () severely degrades performance. FGSM adversarial perturbations are orders of magnitude more effective than random noise for successful attacks, succeeding on attacking the baseline agent at much lower perturbation levels.

Using the Value Function to Guide Adversarial Perturbation Injection

First, we explore how the frequency of injecting adversarial perturbation affects attack success. In this experiment, we either inject FGSM perturbations only every tenth frame and use original frames in-between, or recompute perturbations every tenth frame and use the last computed perturbation in-between. All experiments were performed with set to . Our results hwo that only injecting FGSM perturbations on every tenth frame does not seem to be a particularly effective attack (Figure 1, left). On the other hand, recomputing perturbations every tenth frame and reusing the previous perturbation in intermediate frames is equally effective as the original attack (Figure 1, right).

We also develop an attack method (VF) where we inject adversarial perturbations only when the value function, computed over the original frame, is above a certain threshold (in this experiment we set the threshold to ). The reasoning behind this is that we only want to disrupt the agent in crucial moments, when it is close to achieving a reward. Figure 2 shows the effectiveness of this method, demonstrating that the VF attack method is very effective while only injecting adversarial perturbations in a fraction of the frames. We can compare the VF method against blindly injecting perturbations on every tenth frame (Figure 1, left). Even though both methods inject perturbations a similar number of times on average during one episode ( for the VF method and for the blind method), the VF method shows to be much more effective. This demonstrates that an attacker can use the value function to conduct a more efficient attack than the traditional attack method where the adversarial perturbation is injected in every frame (as in (Huang et al., 2017)). This also shows that adversarial attacks can be much more complex in the reinforcement learning setting than other setting previously studied such as image classification.

Figure 1: Attack effectiveness when FGSM perturbations are only injected every 10th frame (left) and when the perturbations are only recomputed every 10th frame, but reused in the intermediate frames (right).
Figure 2: Policy’s value function approximation during one baseline episode (left). Effectiveness of injecting FGSM perturbations only in frames where the value function is above a threshold (right).

Effectiveness of Re-training with Adversarial Examples and Random Noise

Finally, we also explore if the agents can be re-trained to improve resilience to both random noise and FGSM adversarial perturbations. We additionally explore if this resilience then transfers to different magnitudes and types of perturbations. During these experiments, after the initial training in non-noisy environment, the agent is first allowed to re-train while we inject random noise or FGSM perturbations on each frame. After the agent achieves good performance, it is then frozen and evaluated in a new noisy environment, either with random noise or FGSM perturbations.

Figure 4 in Appendix shows that in this setting, the baseline agent can be resilient against certain levels of FGSM perturbations after re-training on a noisy environment for a number of episodes, with sufficient level of random noise or FGSM perturbations added during re-training. More interestingly, our experiment shows that the re-trained agent is also resilient against FGSM perturbation of much greater (or smaller) magnitude than the magnitude of the FGSM perturbations were used during re-training. We also visualize the actions predicted by the policy in image space (see Figure 5).

References

  • Goodfellow et al. (2014) Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.
  • Huang et al. (2017) Sandy Huang, Nicolas Papernot, Ian Goodfellow, Yan Duan, and Pieter Abbeel. Adversarial attacks on neural network policies. arXiv preprint arXiv:1702.02284, 2017.
  • Mnih et al. (2016) Volodymyr Mnih, Adria Puigdomenech Badia, Mehdi Mirza, Alex Graves, Timothy P Lillicrap, Tim Harley, David Silver, and Koray Kavukcuoglu. Asynchronous methods for deep reinforcement learning. In International Conference on Machine Learning, 2016.
  • Szegedy et al. (2013) Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199, 2013.

Appendix A Appendix

Figure 3: Attack effectiveness of random noise with values and (top) vs. attack effectiveness of FGSM adversarial perturbations with values and (bottom).
Figure 4: Agent re-training experiments. Initially the agent was trained on a non-noisy environment. Top: After first re-training with random noise (with values and ). Bottom: After first re-training with FGSM perturbations (with values and ). After re-training, the agent was evaluated on FGSM perturbations (with values , and ).

a.1 Visualizing the policy network action boundary

 

Figure 5: Visualization of actions in image space for a single frame. The x-axis is in the direction of the generated adversarial example (FGSM, ) for the target network. The y-axis is in a random orthogonal direction. Each point is the result of sampling the policy network times given the image at that point as input, and shows the action most commonly output by the network (different actions have different colors). Blue “x” marks the position of the original frame, while the blue square marks the position of the adversarial example. Color bar on the far right shows the mapping of colors to discrete actions. Left: Baseline network without any re-training (action for the original input is action ). Middle: Network with re-training on random noise (, action for the original input is action ). Right: Network with re-training on FGSM perturbations (, action for the original input is action ).

We further study how the action boundary looks like for the policy network and how re-training affects it. To this end, we prepare a visualization of predicted actions in image space (Figure 5). We generate the plot by defining two normalized vectors, and , spanning the input image space. The one shown on the x-axis points in the direction of the generated adversarial perturbation (), while the other shown on the y-axis points in a randomly chosen orthogonal direction (). The points in the plane represent actions predicted by the policy network for input , where is the original image (a single frame). Since A3C is stochastic, we sample the predictions from the policy network times for each input and show the most common action. Each discrete action (action to ) is represented by its own color, shown in the figure on the far right. Values on the axes are the values of variables and .

The visualization shows that the decision space is fragmented. Small perturbations in the input can cause the optimal action chosen by the policy network to change drastically. Re-training under a noisy environment (both random noise and adversarial FGSM perturbations) does not seem to make the decision boundary more smooth and the space seems to become even more fragmented (Figure 5 middle and right).

We also adjust the visualization for action semantics. The reasoning behind this is that even though the action space contains valid actions, the actions are actually duplicated (e.g., multiple actions actually have the exact same effect on the environment). We manually checked the effect of each action on the environment and mapped the actions accordingly. The three actions are: noop (do nothing), move the paddle up and move the paddle down. Figure 6 shows that even when we adjust for duplication, the space remains fragmented.

Figure 6: Visualization of actions, adjusted for action semantics, in image space for a single frame. The x-axis is in the direction of the generated adversarial example (FGSM, ) for the target network. The y-axis is in a random orthogonal direction. Each point is the result of sampling the policy network times given the image at that point as input, and shows the action most commonly output by the network (different actions have different colors, mapped based on action semantics). Blue “x” marks the position of the original frame, while the blue square marks the position of the adversarial example. Color bar below shows the mapping of colors to discrete actions. Left: Baseline network without any re-training (action for the original input is “move down”). Middle: Network with re-training on random noise (, action for the original input is “move down”). Right: Network with re-training on FGSM perturbations (, action for the original input is “noop”).
Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
""
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
   
Add comment
Cancel
Loading ...
8304
This is a comment super asjknd jkasnjk adsnkj
Upvote
Downvote
""
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters
Submit
Cancel

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test
Test description