Robust Deep Reinforcement Learning with Adversarial AttacksExtended Abstract

Anay PattanaikUniversity of Illinois atUrbana-Champaignanayp2@illinois.edu

Zhenyi Tang*University of Illinois atUrbana-Champaignztang11@illinois.edu

Shuijing Liu*University of Illinois atUrbana-Champaignsliu105@illinois.edu

Gautham BommannanUniversity of Illinois atUrbana-Champaign

bommnnn2@illinois.edu

Girish ChowdharyUniversity of Illinois atUrbana-Champaigngirishc@illinois.edu

ABSTRACTThis paper proposes adversarial attacks for Reinforcement Learning(RL). These attacks are then leveraged during training to improvethe robustness of RL within robust control framework. We showthat this adversarial training of DRL algorithms like Deep Dou-ble Q learning and Deep Deterministic Policy Gradients leads tosignificant increase in robustness to parameter variations for RLbenchmarks such as Mountain Car and Hopper environment. Fullpaper is available at (https://arxiv.org/abs/1712.03632) [7].

KEYWORDSAdversarialMachine Learning; Deep Learning; Reinforcement Learn-ingACM Reference Format:Anay Pattanaik, Zhenyi Tang*, Shuijing Liu*, GauthamBommannan, andGirishChowdhary. 2018. Robust Deep Reinforcement Learning with AdversarialAttacks. In Proc. of the 17th International Conference on Autonomous Agentsand Multiagent Systems (AAMAS 2018), Stockholm, Sweden, July 10–15, 2018,IFAAMAS, 3 pages.

1 INTRODUCTIONAdvances in deep neural networks (DNN) has a tremendous impactin addressing the curse of dimensionality in RL and offers state ofthe art results in several RL tasks ([4], [8], [5], [6], [9]). However, ithas been shown in [2] that DNN can be fooled easily into predict-ing wrong label by perturbing the input with adversarial attacks.It opens up interesting frontier regarding robustness of machinelearning algorithms in general. Robust and high performance poli-cies is critical to enable successful adoption of deep reinforcementlearning (DRL) for autonomy problems. More specifically, robust-ness to real world parameter variations, such as changes in theenvironmental parameters of the dynamical system are critical.

We address these challenges in an adversarial training frame-work. We first engineer “optimal" attack on the DRL agent andthen leverage these attacks during training that leads to significantimprovement in robustness and improves policy performance inchallenging continuous domains. Our approach is loosely inspired

*Equal Contribution.Proc. of the 17th International Conference on Autonomous Agents and Multiagent Systems(AAMAS 2018), M. Dastani, G. Sukthankar, E. André, S. Koenig (eds.), July 10–15, 2018,Stockholm, Sweden. © 2018 International Foundation for Autonomous Agents andMultiagent Systems (www.ifaamas.org). All rights reserved.

from the idea of robust control, in which the best case policy issought over the set containing the worst possible parameters of thesystem. We translate this into a problem of best performing policytrained in presence of adversary. The key difference, however, isthat while robust control approaches tend to be conservative, ourapproach leverages the inherent optimization mechanisms in DRLto enable learning of policies that have even higher performanceover a range of parameter and dynamical uncertainties like friction,mass etc.

The paper is organized as follows.We provide introduction in Sec-tion 1. Adversarial attacks and their use for improving robustnesshave been described in Section 2, and results have been presentedin Section 3. Finally, concluding remarks and future directions havebeen discussed in Section 4.

2 METHOD2.1 Adversarial Attack

Definition 2.1. An adversarial attack is any possible perturbationthat leads the agent into increased probability of taking “worst”possible action in that state. Here, the “worst” possible action for atrained RL agent is the action which corresponds to least Q value.

2.1.1 Naive adversarial attack. First, we propose a naive methodof generating adversarial attack. The adversarial attack is essentiallya search across nearby observation which will cause the agentto take wrong action. For generating adversarial attack on theDRL policies, we sample a noise with finite (small) support. Theparticular noise that causes least estimate of the value functionis selected as adversarial noise. This noise is added to the currentobservation.

For naive attack on DDPG, the critic network can be used toascertain value functions when required and actor network de-termines the behavior policy to pick action. Thus, the objectivefunction used by adversary in this case is the Q∗cr it ic (s,a), that is,the value function determined by the trained critic network.

2.1.2 Gradient based adversarial attack . In this subsection, weshow that a proposed cost function different from the one usedin traditional FSGM ([3])) is more effective in finding worst possi-ble action in the context of reinforcement learning with discreteactions.

Main Track Extended Abstract AAMAS 2018, July 10-15, 2018, Stockholm, Sweden

2040

Theorem 2.2. Let the optimal policy be given by conditional prob-ability mass function (pmf) π∗ (a |s ), the action which has maximumpmf be given as a∗ and the worst possible action be given by aw . Thenthe objective function whose minimization leads to optimal adversar-ial attack on RL agent is given by J (s,π∗) = −

∑ni=1 pi loдπ

∗i where

π∗i = π∗ (ai |s ), pi = P (ai ), the adversarial probability distribution Pis given by

P (ai ) =

{1, if aw = 10, otherwise (1)

This is the cross entropy loss between the adversarial probabilitydistribution and optimal policy generated by the RL agent

Q values can be converted into pmf by using softmax function.We can shown that the objective function that should be used forengineering attack on RL algorithm should be given by Theorem2.2 as it is consistent with Def. 2.1 [7]. FSGM algorithm can beused to minimize this objective function. We must point out thatthis objective function is different from ones in literature [3]. Theobjective functions mentioned in [3] will result in min

sπ∗ (a∗ |s ) (a∗

is the best possible action for given state s). This leads to decrease inthe probability of taking best possible action. This won’t necessarilylead to increase in probability of taking worst possible action.

The objective function that adversary need to minimize beinggiven by the optimal value function of critic (Q∗ (s,a)). Here the gra-dient is given by ∇sQ∗ (s,a) =

∂Q∗∂s +

∂Q∗∂U ∗

∂U ∗∂s . Here,U ∗ represents

the optimal policy given by actor.

2.1.3 SGD based attack. We also used Stochastic Gradient De-scent approach where we followed the gradient descent for samenumber of sampling time and selected the state that we end up inas adversarial state.

2.2 Robust Reinforcement Learning byharnessing adversarial attacks

2.2.1 Adversarial Training. Adversary fools the agent into be-lieving that it’s in a “fooled” state different from actual state suchthat the optimal action in “fooled” state leads to worst action inactual current state. In other words, the adversary fools the agentinto sampling worst trajectories directly. We have used gradientbased attack for adversarial training as it performed best amongstall attacks (results presented in Section 3).

3 RESULTSWe discuss results for proposed adversarial attack and adversariallytrained robust policy. All the experiments have been performedwithin OpenAi gym environment ([1]) with MuJoCo ([10]).

We show that the proposed attack(s) outperform attacks in [3]as shown in Fig. 1. We also present results (Fig. 2) that show signif-icant improvement in robustness because of proposed adversarialtraining algorithm.

4 CONCLUSIONIn this paper, we have proposed adversarial attack for reinforcementlearning algorithms. We leveraged these attacks to train RL agentthat led to robust performance across parameter variations forDDPG and DDQN. Future direction involves providing theoretical

(a) DDQN Cart Pole (b) RBF Q Cart Pole

(c) DDQN Mountain Car (d) RBF Q mountain car

Figure 1: Comparison of different attacks. It can be observedthat Gradient Based (GB) attack performs better than NaiveSampling (NS) which in turn outperform Stochastic Gradi-ent Descent (SGD) as well as HFSGM ([3]). RBF Q learning isrelatively more resilient to adversarial attack than DDQN.

(a) DDQN Mountain Car (b) Robust DDQN Mountain-Car

(c) DDPG Hopper (d) Robust DDPG hopper

Figure 2: Comparison of “vanilla" RL with robust RL. Notethe improvement across parameters because of robust train-ing.

relationship between these attacks and robustness of the algorithms(to parameter variation).

5 ACKNOWLEDGEMENTThis work was supported by AFOSR#FA9550-15-1-0146.

Main Track Extended Abstract AAMAS 2018, July 10-15, 2018, Stockholm, Sweden

2041

REFERENCES[1] Greg Brockman, Vicki Cheung, Ludwig Pettersson, Jonas Schneider, John Schul-

man, Jie Tang, and Wojciech Zaremba. 2016. OpenAI gym. arXiv preprintarXiv:1606.01540 (2016).

[2] Ian J Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining andharnessing adversarial examples. arXiv preprint arXiv:1412.6572 (2014).

[3] Sandy Huang, Nicolas Papernot, Ian Goodfellow, Yan Duan, and Pieter Abbeel.2017. Adversarial Attacks on Neural Network Policies. arXiv preprintarXiv:1702.02284 (2017).

[4] Sergey Levine, Chelsea Finn, Trevor Darrell, and Pieter Abbeel. 2016. End-to-endtraining of deep visuomotor policies. Journal of Machine Learning Research 17,39 (2016), 1–40.

[5] Timothy P Lillicrap, Jonathan J Hunt, Alexander Pritzel, Nicolas Heess, Tom Erez,Yuval Tassa, David Silver, and Daan Wierstra. 2015. Continuous control withdeep reinforcement learning. arXiv preprint arXiv:1509.02971 (2015).

[6] Volodymyr Mnih, Koray Kavukcuoglu, David Silver, Andrei A. Rusu, Joel Veness,Marc G. Bellemare, Alex Graves, Martin Riedmiller, Andreas K. Fidjeland, Georg

Ostrovski, Stig Petersen, Charles Beattie, Amir Sadik, Ioannis Antonoglou, HelenKing, Dharshan Kumaran, Daan Wierstra, Shane Legg, and Demis Hassabis. 2015.Human-level control through deep reinforcement learning. Nature 518, 7540(2015), 529–533.

[7] Anay Pattanaik, Zhenyi Tang, Shuijing Liu, Gautham Bommannan, and GirishChowdhary. 2017. Robust Deep Reinforcement Learningwith Adversarial Attacks.arXiv preprint arXiv:1712.03632 (2017).

[8] John Schulman, Sergey Levine, Pieter Abbeel, Michael I Jordan, and PhilippMoritz. 2015. Trust Region Policy Optimization.. In ICML. 1889–1897.

[9] David Silver, Aja Huang, Chris J Maddison, Arthur Guez, Laurent Sifre, GeorgeVan Den Driessche, Julian Schrittwieser, Ioannis Antonoglou, Veda Panneershel-vam, Marc Lanctot, Sander Dieleman, Dominik Grewe, John Nham, Nal Kalch-brenner, Ilya Sutskever, Timothy Lillicrap, Madeleine Leach, Koray Kavukcuoglu,Thore Graepel, and Demis Hassabis. 2016. Mastering the game of Go with deepneural networks and tree search. Nature 529, 7587 (2016), 484–489.

[10] Emanuel Todorov, Tom Erez, and Yuval Tassa. 2012. MuJoCo: A physics enginefor model-based control. In IROS.

Main Track Extended Abstract AAMAS 2018, July 10-15, 2018, Stockholm, Sweden

2042