SUB-PLAY: Adversarial Policies against Partially Observed Multi-Agent Reinforcement Learning Systems

TL;DR

This study unveils the capability of attackers to generate adversarial policies even when restricted to partial observations of the victims in multi-agent competitive environments, and proposes a novel black-box attack (SUB-PLAY) that incorporates the concept of constructing multiple subgames to mitigate the impact of partial observability.

Abstract

Recent advancements in multi-agent reinforcement learning (MARL) have opened up vast application prospects, such as swarm control of drones, collaborative manipulation by robotic arms, and multi-target encirclement. However, potential security threats during the MARL deployment need more attention and thorough investigation. Recent research reveals that attackers can rapidly exploit the victim's vulnerabilities, generating adversarial policies that result in the failure of specific tasks. For instance, reducing the winning rate of a superhuman-level Go AI to around 20%. Existing studies predominantly focus on two-player competitive environments, assuming attackers possess complete global state observation. In this study, we unveil, for the first time, the capability of attackers to generate adversarial policies even when restricted to partial observations of the victims in multi-agent competitive environments. Specifically, we propose a novel black-box attack (SUB-PLAY) that incorporates the concept of constructing multiple subgames to mitigate the impact of partial observability and suggests sharing transitions among subpolicies to improve attackers' exploitative ability. Extensive evaluations demonstrate the effectiveness of SUB-PLAY under three typical partial observability limitations. Visualization results indicate that adversarial policies induce significantly different activations of the victims' policy networks. Furthermore, we evaluate three potential defenses aimed at exploring ways to mitigate security threats posed by adversarial policies, providing constructive recommendations for deploying MARL in competitive environments.

Figures (20)

• Figure 1: Three partially observable limitations in multi-agent environments.
• Figure 2: MARL training paradigms.
• Figure 3: A two-team competitive environment can be simplified from a ZS-POSG to a POSG if the joint policy of $Victim$ is fixed.
• Figure 4: The framework of SUB-PLAY.
• Figure 5: The occupancy rate of subgames under three different limitations. The environment is Predator-prey, with $Victim$ consisting of three agents. The vertical coordinate contains the occupancy rate of four subgames $\{ \mathcal{G}_{\alpha_0}, \mathcal{G}_{\alpha_1}, \mathcal{G}_{\alpha_2} , \mathcal{G}_{\alpha_3} \}$. As time progresses, the attacker's policy will be updated.