Diffusion Policy Attacker: Crafting Adversarial Attacks for Diffusion-based Policies
Authors: Yipu Chen, Haotian Xue, Yongxin Chen
NeurIPS 2024 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We conduct attacks on pre-trained diffusion policies across various manipulation tasks. Through extensive experiments, we demonstrate that DP-Attacker has the capability to significantly decrease the performance of DP for all scenarios. Particularly in offline scenarios, DPAttacker can generate highly transferable perturbations applicable to all frames. Furthermore, we illustrate the creation of adversarial physical patches that, when applied to the environment, effectively deceive the model. We conducted extensive experiments on DP pre-trained on six robotic manipulation tasks and demonstrated that DP-Attacker can effectively craft adversarial attacks against DP. |
| Researcher Affiliation | Academia | Yipu Chen* Georgia Institute of Technology ychen3302@gatech.edu Haotian Xue* Georgia Institute of Technology htxue.ai@gatech.edu Yongxin Chen Georgia Institute of Technology yongchen@gatech.edu |
| Pseudocode | Yes | Algorithm 1 Global Adversarial Attack (Online) [...] Algorithm 2 Patch Adversarial Attack [...] Algorithm 3 Global Adversarial Attack (Offline) |
| Open Source Code | No | Justification [for Q5]: We will release the code to the public. |
| Open Datasets | Yes | Our benchmark contains 6 tasks: Push T, Can, Lift, Square, Transport, and Toolhang. These tasks are illustrated in Figure 7 in the Appendix. Robosuite provides all the simulation of these tasks except for Push T [52, 32, 60]. For evaluation, we attack the released checkpoints of diffusion policies trained by Chi et al. [9]. |
| Dataset Splits | No | Given the training dataset DT = {(τ t, It)|t T} we can optimize for the loss Luntar adv (I, t) = Ek,(τ t,It) ϵθ(τ t + ϵk, k, P(I)) ϵk 2 or Ltar adv(I, t) = Ek,(τ t target + ϵk, k, P(I)) ϵk 2. This algorithm is provided in the appendix. [...] The training parameters for untargeted and targeted attacks are the same: number of epochs = 10, α = 0.0001, and batch size = 64. |
| Hardware Specification | Yes | The evaluation is done using a single machine with an RTX 3090 GPU and AMD Ryzen 9 5950X to calculate rollouts and run our attack algorithms. [...] The evaluation is done on a machine with RTX4080 mobile GPU , and Intel i9-13900HX CPU. |
| Software Dependencies | No | Our benchmark contains 6 tasks: Push T, Can, Lift, Square, Transport, and Toolhang. These tasks are illustrated in Figure 7 in the Appendix. Robosuite provides all the simulation of these tasks except for Push T [52, 32, 60]. |
| Experiment Setup | Yes | For online attacks, we use attack parameters σ = 0.03, α = 0.001875, N = 50. For targeted attacks, we use a normalized target action vector of all ones. [...] For untargeted online attacks, we use PGD parameters N = 50, σ = 0.03, α = 0.001875. For targeted online attacks, the targeted selected is an action matrix (actim dim action horizon) of all 1 s (in normalized action space). The PGD parameters for targeted online attacks are the same as the untargeted online attacks. [...] The training parameters for untargeted and targeted attacks are the same: number of epochs = 10, α = 0.0001, and batch size = 64. |