Adversarial attacks on Deep Reinforcement Learning (RL)


davide97l/rl-policies-attacks-defenses


[Figures: DQN policy, Strategically-timed attack, Uniform attack, Adversarial training]

This repository implements several classic adversarial attack methods for deep reinforcement learning agents (drl_attacks/):

  • Uniform attack [link].
  • Strategically-timed attack [link].
  • Critical point attack [link].
  • Critical strategy attack.
  • Adversarial policy attack [link].

The following RL-defense method is also available (drl_defenses/):

  • Adversarial training [link].

Some image-defense methods are also provided (img_defenses/):

  • JPEG conversion [link].
  • Bit squeezing [link].
  • Image smoothing [link].

Most of this project is based on the RL framework tianshou, which is built on PyTorch. Image adversarial attacks and defenses are implemented with advertorch, also built on PyTorch. The A2C and PPO policies are instead based on pytorch-a2c-ppo-acktr-gail, while DQN uses the tianshou implementation. Any image adversarial attack is compatible with this project.

Available models

The repository also provides trained models for different tasks, which can be found in the folder log. The following table reports their average score for three different algorithms: DQN, A2C and PPO.

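| task | DQN | A2C | PPO |
|---|---|---|---|
| PongNoFrameskip-v4 | 20 | 20 | 21 |
| BreakoutNoFrameskip-v4 | 349 | 400 | 470 |
| EnduroNoFrameskip-v4 | 751 | NA | 1064 |
| QbertNoFrameskip-v4 | 4382 | 7762 | 14580 |
| MsPacmanNoFrameskip-v4 | 2787 | 2230 | 1929 |
| SpaceInvadersNoFrameskip-v4 | 640 | 856 | 1120 |
| SeaquestNoFrameskip-v4 | NA | 1610 | 1798 |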

Defended models are saved in the folder log_def. The average reward is reported as X/Y, where X is the reward under clear observations and Y is the reward under adversarial observations generated with the uniform attack.

| task | DQN (AdvTr) | A2C (AdvTr) | PPO (AdvTr) |
|---|---|---|---|
| PongNoFrameskip-v4 | 19.6/19.4 | 18.8/17.9 | 19.7/18.7 |

Image adversarial attacks effectiveness

The following table shows the success ratio of some common image adversarial attack methods on observations taken from different Atari game environments. (U) and (T) mean that the attacks were performed under untargeted and targeted settings respectively. The victim agent is a PPO model.

  • GSM: Gradient Sign Method (eps=0.01) [link]
  • PGDA: Projected Gradient Descent Attack (eps=0.01, iter=100) [link]
  • CW: Carlini&Wagner (iter=100) [link]
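
| environment | GSM (U) | GSM (T) | PGDA (T) | CW (T) |
|---|---|---|---|---|
| PongNoFrameskip-v4 | 1 | 0.5 | 0.99 | 0.72 |
| BreakoutNoFrameskip-v4 | 0.98 | 0.4 | 0.83 | 0.47 |
| EnduroNoFrameskip-v4 | 1 | 0.34 | 0.37 | 0.3 |
| QbertNoFrameskip-v4 | 1 | 0.34 | 0.5 | 0.47 |
| MsPacmanNoFrameskip-v4 | 1 | 0.45 | 0.35 | 0.34 |
| SpaceInvadersNoFrameskip-v4 | 0.99 | 0.54 | 0.67 | 0.26 |
| SeaquestNoFrameskip-v4 | 1 | 0.8 | 0.5 | 0.4 |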

Usage

Before using this repository, install the required libraries listed in the requirements.txt file.

  pip install -r requirements.txt

Train DQN agent to play Pong.

  python atari_dqn.py --task "PongNoFrameskip-v4"

Train A2C agent to play Breakout.

  python atari_a2c_ppo.py --env-name "BreakoutNoFrameskip-v4" --algo a2c

Test DQN agent playing Pong.

  python atari_dqn.py --resume_path "log/PongNoFrameskip-v4/dqn/policy.pth" --watch --test_num 10 --task "PongNoFrameskip-v4"

Test A2C agent playing Breakout.

  python atari_a2c_ppo.py --env-name "BreakoutNoFrameskip-v4" --algo a2c --resume_path "log/BreakoutNoFrameskip-v4/a2c/policy.pth" --watch --test_num 10

Train DQN malicious agent to play Pong minimizing the score.

  python atari_dqn.py --task "PongNoFrameskip-v4" --invert_reward --epoch 1

Defend Pong DQN agent with adversarial training.

  python atari_adversarial_training_dqn.py --task "PongNoFrameskip-v4" --resume_path "log/PongNoFrameskip-v4/dqn/policy.pth" --logdir log_def --eps 0.01 --image_attack fgm

Test defended Pong DQN agent.

  python atari_adversarial_training_dqn.py --task "PongNoFrameskip-v4" --resume_path "log_def/PongNoFrameskip-v4/dqn/policy.pth" --eps 0.01 --image_attack fgm --target_model_path log/PongNoFrameskip-v4/dqn/policy.pth --watch --test_num 10

To understand how to perform adversarial attacks, refer to the example.ipynb file and to the benchmark examples contained in the folder benchmark. Moreover, you can find more command examples in the following page.

Test attack transferability over policies

This section shows the performance of different adversarial attack methods, comparing attacks on a DQN agent crafted against the agent itself and against 3 surrogate agents: one trained with the same policy and the others trained on a different algorithm.

[Figures: Uniform, Strategically-timed, Critical point, Adversarial policy]

Test attack transferability over defended policies

This section shows the performance of different adversarial attack methods, comparing attacks on a DQN agent defended with adversarial training crafted against the agent itself and against 3 surrogate agents: one trained with the same policy and the others trained on a different algorithm. The model has been adversarially trained with eps=0.1, but we attack it with eps=0.5 to show significant performance degradation.

[Figures: Uniform, Strategically-timed]

Perturbation benchmark on defended policies

This benchmark tests the performance of different image attack methods on the observations of a DQN agent defended with different defense methods, over different values of epsilon.

Image attacks:

  • FGSM [link]
  • PGD: Projected Gradient Descent [link]
  • MI: Momentum Iterative [link]

[Figures: FGSM adv training, PGD adv training, JPEG conversion, Bit squeezing]
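
Bit squeezing from the image-defense list, shown as an added example (not the repository's img_defenses/ code): it measures how much of an eps=0.01 perturbation survives bit-depth reduction on constructed frames. The frame layout, the checkerboard noise and all function names are assumptions made for illustration.

```python
# Added example: bit squeezing as an observation-preprocessing defense.
# Assumes grayscale frames as nested lists of floats in [0, 1] (constructed data).

EPS = 0.01  # perturbation budget quoted in the README's attack table


def bit_squeeze(frame, bits):
    """Reduce pixel depth to `bits` bits: snap each value to one of 2**bits levels."""
    top = (1 << bits) - 1
    return [[round(p * top) / top for p in row] for row in frame]


def checkerboard_perturb(frame, eps):
    """Constructed L-inf bounded noise: +eps / -eps in a checkerboard, clipped to [0, 1]."""
    return [[min(1.0, max(0.0, p + (eps if (x + y) % 2 == 0 else -eps)))
             for x, p in enumerate(row)] for y, row in enumerate(frame)]


def linf(a, b):
    """Largest per-pixel absolute difference between two frames."""
    return max(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb))


def residual_after_squeeze(clean, eps, bits):
    """Perturbation that survives the defense: distance between the squeezed frames."""
    adv = checkerboard_perturb(clean, eps)
    return linf(bit_squeeze(clean, bits), bit_squeeze(adv, bits))


def pong_like_frame(size=8):
    """Constructed Atari-style frame: flat background, a paddle and a ball."""
    frame = [[0.0] * size for _ in range(size)]
    for y in range(2, 5):
        frame[y][1] = 1.0  # paddle
    frame[4][5] = 0.6      # ball
    return frame


if __name__ == "__main__":
    flat = pong_like_frame()
    edge = [[0.505] * 8 for _ in range(8)]  # values just above a 4-bit rounding boundary
    for name, frame in (("flat", flat), ("edge", edge)):
        for bits in (8, 4):
            print(name, bits, round(residual_after_squeeze(frame, EPS, bits), 4))
```

At 8 bits the quantization step (1/255) is finer than eps, so the perturbation survives; at 4 bits it vanishes on flat regions but grows to a full level (1/15) for pixels that sit near a rounding boundary.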

Support

If you found this project interesting please support me by giving it a ⭐, I would really appreciate it 😀

