Understanding the Limits of Poisoning Attacks in Episodic Reinforcement Learning
Authors: Anshuka Rangi, Haifeng Xu, Long Tran-Thanh, Massimo Franceschetti
IJCAI 2022 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Theoretical | We discover that the effect of attacks crucially depend on whether the rewards are bounded or unbounded. In bounded reward settings, we show that only reward manipulation or only action manipulation cannot guarantee a successful attack. However, by combining reward and action manipulation, the adversary can manipulate any order-optimal learning algorithm to follow any targeted policy with Θ(T) total attack cost, which is order-optimal, without any knowledge of the underlying MDP. In contrast, in unbounded reward settings, we show that reward manipulation attacks are sufficient for an adversary to successfully manipulate any order-optimal learning algorithm to follow any targeted policy using O(T) amount of contamination. Our results reveal useful insights about what can or cannot be achieved by poisoning attacks, and are set to spur more works on the design of robust RL algorithms. |
| Researcher Affiliation | Academia | Anshuka Rangi1 , Haifeng Xu2 , Long Tran-Thanh3 and Massimo Franceschetti1 1University of California San Diego, USA 2University of Virginia, USA 3University of Warwick, UK {arangi, mfranceschetti}@ucsd.edu, hx4ad@virginia.edu, long.tran-thanh@warwick.ac.uk |
| Pseudocode | Yes | Algorithm 1 Black box attack strategy |
| Open Source Code | No | The paper does not provide any specific links or statements about releasing source code for the described methodology. |
| Open Datasets | No | The paper is theoretical and does not describe experiments performed on a specific public dataset. It defines a Markov Decision Process (MDP) for analysis but does not refer to any concrete datasets for training. |
| Dataset Splits | No | The paper is theoretical and does not involve experimental validation with dataset splits. |
| Hardware Specification | No | The paper does not mention any specific hardware used for its research or any implied computational work. It is primarily a theoretical paper. |
| Software Dependencies | No | The paper does not specify any software dependencies or versions. It is a theoretical paper focusing on mathematical analysis and algorithm design. |
| Experiment Setup | No | The paper is theoretical and does not describe a concrete experimental setup with hyperparameters or training settings. |