Posts by Collection

portfolio

publications

Minimalistic Attacks: How Little it Takes to Fool a Deep Reinforcement Learning Policy

Published in IEEE Transactions on Cognitive and Developmental Systems, 2020

Recent studies have revealed that neural-network-based policies can be easily fooled by adversarial examples. However, most prior works analyze the effect of perturbing every pixel of every frame while assuming white-box access to the policy. In this article, we take a more restrictive view of adversary generation, with the goal of unveiling the limits of a model's vulnerability. In particular, we explore minimalistic attacks defined by three key settings: 1) Black-Box Policy Access, where the attacker only has access to the input (state) and output (action probability) of an RL policy; 2) Fractional-State Adversary, where only a few pixels are perturbed, with the extreme case being a single-pixel adversary; and 3) Tactically Chanced Attack, where only significant frames are tactically chosen to be attacked. We formulate the adversarial attack to accommodate these three settings and explore its potency on six Atari games by examining four fully trained state-of-the-art policies. In Breakout, for example, we find, surprisingly, that: 1) all policies show significant performance degradation when merely 0.01% of the input state is modified and 2) the policy trained by DQN is completely deceived by perturbing only 1% of the frames.

Recommended citation: Xinghua Qu. (2020). "Minimalistic Attacks: How Little it Takes to Fool a Deep Reinforcement Learning Policy." IEEE Transactions on Cognitive and Developmental Systems. 1(1). https://ieeexplore.ieee.org/abstract/document/9003391
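
The single-pixel, black-box setting described above can be illustrated with a short sketch. The snippet below is not the paper's code: the placeholder policy and the simple random search over candidate pixels are assumptions standing in for a trained network and the paper's actual search procedure; only input/output access to the policy is used.

```python
import numpy as np

def policy_probs(state):
    """Placeholder black-box policy: takes a state, returns action probabilities.
    (Hypothetical stand-in for a trained DQN/A3C-style network.)"""
    rng = np.random.default_rng(abs(int(state.sum() * 1000)) % (2**32))
    logits = rng.normal(size=4)
    return np.exp(logits) / np.exp(logits).sum()

def single_pixel_attack(state, policy, num_candidates=128, epsilon=1.0):
    """Fractional-state adversary in the extreme case of one perturbed pixel.

    Samples candidate (row, col) positions, bumps that pixel, and keeps the
    perturbation that most reduces the probability of the originally
    preferred action. Only queries to the policy's output are required.
    """
    base_probs = policy(state)
    original_action = int(np.argmax(base_probs))
    best_state, best_prob = state, base_probs[original_action]

    rng = np.random.default_rng(0)
    height, width = state.shape
    for _ in range(num_candidates):
        r, c = rng.integers(height), rng.integers(width)
        perturbed = state.copy()
        perturbed[r, c] = np.clip(perturbed[r, c] + epsilon, 0.0, 1.0)
        prob = policy(perturbed)[original_action]
        if prob < best_prob:
            best_state, best_prob = perturbed, prob
    return best_state, best_prob

# Usage on a dummy 84x84 grayscale frame.
frame = np.zeros((84, 84), dtype=np.float32)
adv_frame, prob_after = single_pixel_attack(frame, policy_probs)
print("probability of the original action after the attack:", prob_after)
```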

Frame-Correlation Transfers Trigger Economical Attacks on Deep Reinforcement Learning Policies

Published in IEEE Transactions on Cybernetics, 2021

We introduce three types of frame-correlation transfers (FCTs), namely anterior case transfer, random projection-based transfer, and principal components-based transfer, with varying degrees of computational complexity in generating adversaries via a genetic algorithm. We empirically demonstrate the tradeoff between the complexity and the potency of the transfer mechanism by examining four fully trained state-of-the-art policies on six Atari games.

Recommended citation: Xinghua Qu. (2021). "Frame-Correlation Transfers Trigger Economical Attacks on Deep Reinforcement Learning Policies." IEEE Transactions on Cybernetics. 1(1). https://ieeexplore.ieee.org/document/9660371
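
The anterior case transfer, the cheapest of the three FCTs, can be sketched as warm-starting the search on each new frame from the adversary found on the previous frame. The snippet below is an illustration under assumptions, not the paper's code: a simple random hill-climb stands in for the genetic algorithm, and the placeholder policy is hypothetical.

```python
import numpy as np

def policy_probs(state):
    """Placeholder black-box policy (hypothetical stand-in for a trained network)."""
    rng = np.random.default_rng(abs(int(state.sum() * 1000)) % (2**32))
    logits = rng.normal(size=4)
    return np.exp(logits) / np.exp(logits).sum()

def attack_frame(frame, policy, seed_perturbation=None, iters=64, rng=None):
    """Search for an additive perturbation that lowers the policy's confidence.

    A random hill-climb stands in for the genetic algorithm used in the paper.
    If seed_perturbation is supplied (anterior case transfer), the search is
    warm-started from the adversary found on the previous frame rather than
    from scratch, which is where the computational savings come from.
    """
    rng = rng or np.random.default_rng(0)
    pert = np.zeros_like(frame) if seed_perturbation is None else seed_perturbation.copy()
    original_action = int(np.argmax(policy(frame)))
    best_score = policy(np.clip(frame + pert, 0.0, 1.0))[original_action]

    for _ in range(iters):
        candidate = pert + rng.normal(scale=0.01, size=frame.shape)
        score = policy(np.clip(frame + candidate, 0.0, 1.0))[original_action]
        if score < best_score:
            pert, best_score = candidate, score
    return pert

def attack_episode(frames, policy):
    """Apply the anterior case transfer across consecutive frames of an episode."""
    perturbation = None
    adversarial_frames = []
    for frame in frames:
        perturbation = attack_frame(frame, policy, seed_perturbation=perturbation)
        adversarial_frames.append(np.clip(frame + perturbation, 0.0, 1.0))
    return adversarial_frames

# Usage on a toy episode of three dummy frames.
episode = [np.zeros((84, 84), dtype=np.float32) for _ in range(3)]
adv_episode = attack_episode(episode, policy_probs)
```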

Adversary Agnostic Robust Deep Reinforcement Learning

Published in IEEE Transactions on Neural Networks and Learning Systems, 2021

We propose an adversary agnostic robust DRL paradigm that does not require learning from predefined adversaries. To this end, we first show theoretically that robustness can indeed be achieved independently of the adversaries in a policy distillation (PD) setting. Motivated by this finding, we propose a new PD loss with two terms: 1) a prescription gap maximization (PGM) loss that simultaneously maximizes the likelihood of the action selected by the teacher policy and the entropy over the remaining actions and 2) a corresponding Jacobian regularization (JR) loss that minimizes the magnitude of the gradients with respect to the input state. Our theoretical analysis shows that this distillation loss is guaranteed to increase the prescription gap and hence improve adversarial robustness.

Recommended citation: Xinghua Qu. (2021). "Adversary Agnostic Robust Deep Reinforcement Learning." IEEE Transactions on Neural Networks and Learning Systems. 1(1). https://ieeexplore.ieee.org/document/9660371
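
A minimal PyTorch sketch of a distillation loss built from these two terms follows. It is an illustration under assumptions: the exact weightings and formulations of the PGM and JR terms are simplified relative to the paper, and the toy student network in the usage example is hypothetical.

```python
import torch
import torch.nn.functional as F

def pgm_jr_loss(student_logits, teacher_probs, states, lambda_jr=0.01):
    """Distillation loss with a prescription-gap term and a Jacobian penalty.

    PGM term: maximize the log-likelihood of the teacher's selected action plus
    the entropy over the remaining actions. JR term: penalize the gradient of
    the selected-action logit with respect to the input states.
    """
    log_probs = F.log_softmax(student_logits, dim=-1)
    probs = log_probs.exp()

    teacher_action = teacher_probs.argmax(dim=-1, keepdim=True)   # action prescribed by the teacher
    likelihood = log_probs.gather(1, teacher_action).squeeze(1)

    # Entropy over the actions other than the teacher's choice.
    mask = torch.ones_like(probs).scatter_(1, teacher_action, 0.0)
    rest = probs * mask
    rest = rest / rest.sum(dim=-1, keepdim=True).clamp_min(1e-8)
    rest_entropy = -(rest.clamp_min(1e-8).log() * rest).sum(dim=-1)

    pgm = -(likelihood + rest_entropy).mean()

    # Jacobian regularization: gradient magnitude of the selected logit w.r.t. the state.
    selected_logit = student_logits.gather(1, teacher_action).sum()
    grad = torch.autograd.grad(selected_logit, states, create_graph=True)[0]
    jr = grad.pow(2).flatten(1).sum(dim=1).mean()

    return pgm + lambda_jr * jr

# Usage with a toy student network and random teacher outputs.
student = torch.nn.Linear(8, 4)
states = torch.randn(16, 8, requires_grad=True)
teacher_probs = F.softmax(torch.randn(16, 4), dim=-1)
loss = pgm_jr_loss(student(states), teacher_probs, states)
loss.backward()
```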

talks

teaching

Teaching experience 1

Undergraduate course, University 1, Department, 2014

This is a description of a teaching experience. You can use markdown like any other post.

Teaching experience 2

Workshop, University 1, Department, 2015

This is a description of a teaching experience. You can use markdown like any other post.