Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Camouflage Adversarial Attacks on Multiple Agent Systems

Ziqing Lu, Guanlin Liu, Lifeng Lai, Weiyu Xu

TL;DR

This paper proposes a brand-new form of attack called the camouflage attack in the MARL systems, and designs algorithms that give the optimal camouflage attacks minimizing the rewards of recipient agents.

Abstract

The multi-agent reinforcement learning systems (MARL) based on the Markov decision process (MDP) have emerged in many critical applications. To improve the robustness/defense of MARL systems against adversarial attacks, the study of various adversarial attacks on reinforcement learning systems is very important. Previous works on adversarial attacks considered some possible features to attack in MDP, such as the action poisoning attacks, the reward poisoning attacks, and the state perception attacks. In this paper, we propose a brand-new form of attack called the camouflage attack in the MARL systems. In the camouflage attack, the attackers change the appearances of some objects without changing the actual objects themselves; and the camouflaged appearances may look the same to all the targeted recipient (victim) agents. The camouflaged appearances can mislead the recipient agents to misguided actions. We design algorithms that give the optimal camouflage attacks minimizing the rewards of recipient agents. Our numerical and theoretical results show that camouflage attacks can rival the more conventional, but likely more difficult state perception attacks. We also investigate cost-constrained camouflage attacks and showed numerically how cost budgets affect the attack performance.

Camouflage Adversarial Attacks on Multiple Agent Systems

TL;DR

This paper proposes a brand-new form of attack called the camouflage attack in the MARL systems, and designs algorithms that give the optimal camouflage attacks minimizing the rewards of recipient agents.

Abstract

The multi-agent reinforcement learning systems (MARL) based on the Markov decision process (MDP) have emerged in many critical applications. To improve the robustness/defense of MARL systems against adversarial attacks, the study of various adversarial attacks on reinforcement learning systems is very important. Previous works on adversarial attacks considered some possible features to attack in MDP, such as the action poisoning attacks, the reward poisoning attacks, and the state perception attacks. In this paper, we propose a brand-new form of attack called the camouflage attack in the MARL systems. In the camouflage attack, the attackers change the appearances of some objects without changing the actual objects themselves; and the camouflaged appearances may look the same to all the targeted recipient (victim) agents. The camouflaged appearances can mislead the recipient agents to misguided actions. We design algorithms that give the optimal camouflage attacks minimizing the rewards of recipient agents. Our numerical and theoretical results show that camouflage attacks can rival the more conventional, but likely more difficult state perception attacks. We also investigate cost-constrained camouflage attacks and showed numerically how cost budgets affect the attack performance.
Paper Structure (10 sections, 2 theorems, 12 equations, 5 figures)

This paper contains 10 sections, 2 theorems, 12 equations, 5 figures.

Table of Contents

  1. Introduction
  2. Problem Formulation
  3. Cost constrained camouflage attacks
  4. Within-step static constrained optimization problem
  5. Between-step dynamic programming
  6. Performance analysis of camouflage attacks
  7. Numerical Results
  8. Camouflage orientations
  9. Camouflage attackers' real positions
  10. Cost constrained camouflage attacks

Key Result

Lemma 4.1

Consider $n$ functions $\{f_i\}_{i=1}^n$, where $i=1,2,~...,~n$, and the following two optimization problems: and Let $x^{**}$ be the optimal solution of (cam) and $o_1$ be the optimal objective value of (cam). Let $(x_1^*, x_2^*, \dots, x_n^*)$ be the optimal solution of (spa) and $o_2$ be the optimal objective value of (spa). Assume that there exist constants $C_j$'s, $j=1,2,~...,~n$, such tha

Figures (5)

  • Figure 1: Illustration: camouflage attacks on a ring.
  • Figure 2: Ring topology. Comparison of expected global rewards between free state perception attacks and camouflage attacks.
  • Figure 3: $3\times 3$ chessboard. Comparison between state perception attack and camouflage attack, with fixed attackers at (1,1) and (2,1), 3 recipients and 2 attackers.
  • Figure 4: $2 \times 2$ chessboard. Comparison between state perception attack and camouflage attack, 2 recipients and 1 attacker.
  • Figure 5: Comparison between camouflage attacks with different budgets.

Theorems & Definitions (4)

  • Lemma 4.1
  • proof
  • Theorem 4.2
  • proof