Yanjiao Chen,Zhicong Zheng,Xueluan Gong

DOI: https://doi.org/10.1109/tdsc.2022.3207429

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Recent works have revealed that backdoor attacks against Deep Reinforcement Learning (DRL) could lead to abnormal action selections of the agent, which may result in failure or even catastrophe in crucial decision processes. However, existing attacks only consider single-agent reinforcement learning (RL) systems, in which the only agent can observe the global state and have full control of the decision process. In this article, we explore a new backdoor attack paradigm in cooperative multi-agent reinforcement learning (CMARL) scenarios, where a group of agents coordinate with each other to achieve a common goal, while each agent can only observe the local state. In the proposed MARNet attack framework, we carefully design a pipeline of trigger design, action poisoning, and reward hacking modules to accommodate the cooperative multi-agent settings. In particular, as only a subset of agents can observe the triggers in their local observations, we maneuver their actions to the worst actions suggested by an expert policy model. Since the global reward in CMARL is aggregated by individual rewards from all agents, we propose to modify the reward in a way that boosts the bad actions of poisoned agents (agents who observe the triggers) but mitigates the influence on non-poisoned agents. We conduct extensive experiments on three classical CMARL algorithms VDN, COMA, and QMIX, in two popular CMARL games Predator Prey and SMAC. The results show that the baselines extended from single-agent DRL backdoor attacks seldom work in CMARL problems while MARNet performs well by reducing the utility under attack by nearly 100%. We apply fine-tuning as a potential defense against MARNet and demonstrate that fine-tuning cannot entirely eliminate the effect of the attack.

Chao Wang

DOI: https://doi.org/10.48550/arXiv.2205.07626

2022-05-16

Abstract:Recent studies have shown that deep reinforcement learning (DRL) policies are vulnerable to adversarial attacks, which raise concerns about applications of DRL to safety-critical systems. In this work, we adopt a principled way and study the robustness of DRL policies to adversarial attacks from the perspective of robust optimization. Within the framework of robust optimization, optimal adversarial attacks are given by minimizing the expected return of the policy, and correspondingly a good defense mechanism should be realized by improving the worst-case performance of the policy. Considering that attackers generally have no access to the training environment, we propose a greedy attack algorithm, which tries to minimize the expected return of the policy without interacting with the environment, and a defense algorithm, which performs adversarial training in a max-min form. Experiments on Atari game environments show that our attack algorithm is more effective and leads to worse return of the policy than existing attack algorithms, and our defense algorithm yields policies more robust than existing defense methods to a range of adversarial attacks (including our proposed attack algorithm).

Machine Learning,Cryptography and Security

Buse G. A. Tekgul,Shelly Wang,Samuel Marchal,N. Asokan

DOI: https://doi.org/10.48550/arXiv.2106.08746

2022-09-23

Abstract:Deep reinforcement learning (DRL) is vulnerable to adversarial perturbations. Adversaries can mislead the policies of DRL agents by perturbing the state of the environment observed by the agents. Existing attacks are feasible in principle, but face challenges in practice, either by being too slow to fool DRL policies in real time or by modifying past observations stored in the agent's memory. We show that Universal Adversarial Perturbations (UAP), independent of the individual inputs to which they are applied, can fool DRL policies effectively and in real time. We introduce three attack variants leveraging UAP. Via an extensive evaluation using three Atari 2600 games, we show that our attacks are effective, as they fully degrade the performance of three different DRL agents (up to 100%, even when the $l_\infty$ bound on the perturbation is as small as 0.01). It is faster than the frame rate (60 Hz) of image capture and considerably faster than prior attacks ($\approx 1.8$ms). Our attack technique is also efficient, incurring an online computational cost of $\approx 0.027$ms. Using two tasks involving robotic movement, we confirm that our results generalize to complex DRL tasks. Furthermore, we demonstrate that the effectiveness of known defenses diminishes against universal perturbations. We introduce an effective technique that detects all known adversarial perturbations against DRL policies, including all universal perturbations presented in this paper.

Machine Learning,Artificial Intelligence,Cryptography and Security

Junchao Fan,Xuyang Lei,Xiaolin Chang,Jelena Mišić,Vojislav B. Mišić

2024-12-04

Abstract:Despite significant advancements in deep reinforcement learning (DRL)-based autonomous driving policies, these policies still exhibit vulnerability to adversarial attacks. This vulnerability poses a formidable challenge to the practical deployment of these policies in autonomous driving. Designing effective adversarial attacks is an indispensable prerequisite for enhancing the robustness of these policies. In view of this, we present a novel stealthy and efficient adversarial attack method for DRL-based autonomous driving policies. Specifically, we introduce a DRL-based adversary designed to trigger safety violations (e.g., collisions) by injecting adversarial samples at critical moments. We model the attack as a mixed-integer optimization problem and formulate it as a Markov decision process. Then, we train the adversary to learn the optimal policy for attacking at critical moments without domain knowledge. Furthermore, we introduce attack-related information and a trajectory clipping method to enhance the learning capability of the adversary. Finally, we validate our method in an unprotected left-turn scenario across different traffic densities. The experimental results show that our method achieves more than 90% collision rate within three attacks in most cases. Furthermore, our method achieves more than 130% improvement in attack efficiency compared to the unlimited attack method.

Machine Learning,Artificial Intelligence

Xinlei Pan,Yulong Cao,Xindi Wu,Eric Zelikman,Chaowei Xiao,Yanan Sui,Rudrasis Chakraborty,Ronald S. Fearing

2020-01-01

Abstract:Secure and robust deep reinforcement learning (DRL) is necessary to deploy DRL algorithms in real world applications. However, previous work shows that DRL policies are vulnerable to adversarial attacks. In order to study the vulnerability/robustness of DRL algorithms, previous work has explored various attacks against DRL policies assuming that the attacker has access to the original policy either in a white-box manner or black-box manner. However, the realizability of these attacks is limited as assuming access to the original training environment or the policy could sometimes be impossible. In this study, we propose a set of novel adversarial attack approaches against DRL policies based on domain randomization, and we do not have the assumption of access to the exact original training environment nor the original policy, nor the possibility of querying the exact original policy. We first systematically analyze the space of transferable adversarial attacks against DRL when the attacker has almost no knowledge about the original training environment information such as system dynamics, action space, reward function, and/or information about the trained policy such as the algorithms and network structure. Then we train an attacker on multiple different environments with different dynamics, action space and reward settings, and also with different RL algorithms. We separately evaluate the effectiveness of the proposed attack when the environment changes or the algorithm used to train the pristine model changes. We compare our method with traditional adversarial attacks to show the improved transferability.

Kohei Ohashi,Kosuke Nakanishi,Nao Goto,Yuji Yasui,Shin Ishii

DOI: https://doi.org/10.1109/access.2024.3479089

IF: 3.9

2024-10-25

IEEE Access

Abstract:Recent advancements in deep neural network (DNN) technology are enhancing the utilities of machine learning and meeting potential demands for real-world applications. Deep reinforcement learning (DRL) is a key component in realizing complex decision-making and control by machine learning. However, training DRL-based policies is challenging due to the high costs and risks associated with interactions with real environments. Frameworks to avoid adversarial vulnerability and to achieve robustness are promising solutions to this problem, as they consider worst-case inputs during the evaluation and training phases. In the field of adversarial DRL, regularization methods are known to be effective in maintaining output consistency even when suffering from adversarial perturbations. However, these methods often introduce an undesired bias that conflicts with the original DRL objective, that is, to maximize accumulated rewards. In this study, we propose a new technique that mitigates the undesirable bias effect by orthogonalizing the regularization term with the DRL objective. This approach allows for the use of relatively large adversarial perturbations during training, resulting in more robust policies without significant computational overhead. We evaluate our technique on benchmarks for both discrete and continuous action domains, including Atari 2600 and PyBullet, by integrating it into popular DRL methods such as deep Q-network (DQN), deep deterministic policy gradient (DDPG), and soft actor-critic (SAC). The results demonstrate that our proposed technique is either superior to or competitive with baseline and state-of-the-art methods across all settings, particularly improving robustness by at least twice scores in DQN and DDPG under the adversarial perturbations.

computer science, information systems,telecommunications,engineering, electrical & electronic

Adam Gleave,Michael Dennis,Cody Wild,Neel Kant,Sergey Levine,Stuart Russell

DOI: https://doi.org/10.48550/arXiv.1905.10615

2021-01-18

Abstract:Deep reinforcement learning (RL) policies are known to be vulnerable to adversarial perturbations to their observations, similar to adversarial examples for classifiers. However, an attacker is not usually able to directly modify another agent's observations. This might lead one to wonder: is it possible to attack an RL agent simply by choosing an adversarial policy acting in a multi-agent environment so as to create natural observations that are adversarial? We demonstrate the existence of adversarial policies in zero-sum games between simulated humanoid robots with proprioceptive observations, against state-of-the-art victims trained via self-play to be robust to opponents. The adversarial policies reliably win against the victims but generate seemingly random and uncoordinated behavior. We find that these policies are more successful in high-dimensional environments, and induce substantially different activations in the victim policy network than when the victim plays against a normal opponent. Videos are available at <a class="link-external link-https" href="https://adversarialpolicies.github.io/" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Artificial Intelligence,Cryptography and Security

Anay Pattanaik,Zhenyi Tang,Shuijing Liu,Gautham Bommannan,Girish Chowdhary

DOI: https://doi.org/10.48550/arXiv.1712.03632

2017-12-11

Abstract:This paper proposes adversarial attacks for Reinforcement Learning (RL) and then improves the robustness of Deep Reinforcement Learning algorithms (DRL) to parameter uncertainties with the help of these attacks. We show that even a naively engineered attack successfully degrades the performance of DRL algorithm. We further improve the attack using gradient information of an engineered loss function which leads to further degradation in performance. These attacks are then leveraged during training to improve the robustness of RL within robust control framework. We show that this adversarial training of DRL algorithms like Deep Double Q learning and Deep Deterministic Policy Gradients leads to significant increase in robustness to parameter variations for RL benchmarks such as Cart-pole, Mountain Car, Hopper and Half Cheetah environment.

Machine Learning,Artificial Intelligence,Robotics

Xinghua Qu,Yew-Soon Ong,Abhishek Gupta,Zhu Sun

DOI: https://doi.org/10.48550/arXiv.2008.06199

2020-12-24

Abstract:Deep reinforcement learning (DRL) policies have been shown to be deceived by perturbations (e.g., random noise or intensional adversarial attacks) on state observations that appear at test time but are unknown during training. To increase the robustness of DRL policies, previous approaches assume that the knowledge of adversaries can be added into the training process to achieve the corresponding generalization ability on these perturbed observations. However, such an assumption not only makes the robustness improvement more expensive but may also leave a model less effective to other kinds of attacks in the wild. In contrast, we propose an adversary agnostic robust DRL paradigm that does not require learning from adversaries. To this end, we first theoretically derive that robustness could indeed be achieved independently of the adversaries based on a policy distillation setting. Motivated by this finding, we propose a new policy distillation loss with two terms: 1) a prescription gap maximization loss aiming at simultaneously maximizing the likelihood of the action selected by the teacher policy and the entropy over the remaining actions; 2) a corresponding Jacobian regularization loss that minimizes the magnitude of the gradient with respect to the input state. The theoretical analysis shows that our distillation loss guarantees to increase the prescription gap and the adversarial robustness. Furthermore, experiments on five Atari games firmly verify the superiority of our approach in terms of boosting adversarial robustness compared to other state-of-the-art methods.

Machine Learning

Xinlei Pan,Chaowei Xiao,Warren He,Shuang Yang,Jian Peng,Mingjie Sun,Jinfeng Yi,Zijiang Yang,Mingyan Liu,Bo Li,Dawn Song

DOI: https://doi.org/10.48550/arXiv.1907.09470

2022-02-17

Abstract:Recent studies show that Deep Reinforcement Learning (DRL) models are vulnerable to adversarial attacks, which attack DRL models by adding small perturbations to the observations. However, some attacks assume full availability of the victim model, and some require a huge amount of computation, making them less feasible for real world applications. In this work, we make further explorations of the vulnerabilities of DRL by studying other aspects of attacks on DRL using realistic and efficient attacks. First, we adapt and propose efficient black-box attacks when we do not have access to DRL model parameters. Second, to address the high computational demands of existing attacks, we introduce efficient online sequential attacks that exploit temporal consistency across consecutive steps. Third, we explore the possibility of an attacker perturbing other aspects in the DRL setting, such as the environment dynamics. Finally, to account for imperfections in how an attacker would inject perturbations in the physical world, we devise a method for generating a robust physical perturbations to be printed. The attack is evaluated on a real-world robot under various conditions. We conduct extensive experiments both in simulation such as Atari games, robotics and autonomous driving, and on real-world robotics, to compare the effectiveness of the proposed attacks with baseline approaches. To the best of our knowledge, we are the first to apply adversarial attacks on DRL systems to physical robots.

Machine Learning,Artificial Intelligence,Cryptography and Security

Yinglun Xu,Qi Zeng,Gagandeep Singh

2023-07-15

Abstract:We study reward poisoning attacks on online deep reinforcement learning (DRL), where the attacker is oblivious to the learning algorithm used by the agent and the dynamics of the environment. We demonstrate the intrinsic vulnerability of state-of-the-art DRL algorithms by designing a general, black-box reward poisoning framework called adversarial MDP attacks. We instantiate our framework to construct two new attacks which only corrupt the rewards for a small fraction of the total training timesteps and make the agent learn a low-performing policy. We provide a theoretical analysis of the efficiency of our attack and perform an extensive empirical evaluation. Our results show that our attacks efficiently poison agents learning in several popular classical control and MuJoCo environments with a variety of state-of-the-art DRL algorithms, such as DQN, PPO, SAC, etc.

Machine Learning,Cryptography and Security

Huan Zhang,Hongge Chen,Chaowei Xiao,Bo Li,Mingyan Liu,Duane Boning,Cho-Jui Hsieh

DOI: https://doi.org/10.48550/arXiv.2003.08938

2021-07-14

Abstract:A deep reinforcement learning (DRL) agent observes its states through observations, which may contain natural measurement errors or adversarial noises. Since the observations deviate from the true states, they can mislead the agent into making suboptimal actions. Several works have shown this vulnerability via adversarial attacks, but existing approaches on improving the robustness of DRL under this setting have limited success and lack for theoretical principles. We show that naively applying existing techniques on improving robustness for classification tasks, like adversarial training, is ineffective for many RL tasks. We propose the state-adversarial Markov decision process (SA-MDP) to study the fundamental properties of this problem, and develop a theoretically principled policy regularization which can be applied to a large family of DRL algorithms, including proximal policy optimization (PPO), deep deterministic policy gradient (DDPG) and deep Q networks (DQN), for both discrete and continuous action control problems. We significantly improve the robustness of PPO, DDPG and DQN agents under a suite of strong white box adversarial attacks, including new attacks of our own. Additionally, we find that a robust policy noticeably improves DRL performance even without an adversary in a number of environments. Our code is available at <a class="link-external link-https" href="https://github.com/chenhongge/StateAdvDRL" rel="external noopener nofollow">this https URL</a>.

Machine Learning

Xiang Zheng,Xingjun Ma,Shengjie Wang,Xinyu Wang,Chao Shen,Cong Wang

2024-04-26

Abstract:Reinforcement learning agents are susceptible to evasion attacks during deployment. In single-agent environments, these attacks can occur through imperceptible perturbations injected into the inputs of the victim policy network. In multi-agent environments, an attacker can manipulate an adversarial opponent to influence the victim policy's observations indirectly. While adversarial policies offer a promising technique to craft such attacks, current methods are either sample-inefficient due to poor exploration strategies or require extra surrogate model training under the black-box assumption. To address these challenges, in this paper, we propose Intrinsically Motivated Adversarial Policy (IMAP) for efficient black-box adversarial policy learning in both single- and multi-agent environments. We formulate four types of adversarial intrinsic regularizers -- maximizing the adversarial state coverage, policy coverage, risk, or divergence -- to discover potential vulnerabilities of the victim policy in a principled way. We also present a novel bias-reduction method to balance the extrinsic objective and the adversarial intrinsic regularizers adaptively. Our experiments validate the effectiveness of the four types of adversarial intrinsic regularizers and the bias-reduction method in enhancing black-box adversarial policy learning across a variety of environments. Our IMAP successfully evades two types of defense methods, adversarial training and robust regularizer, decreasing the performance of the state-of-the-art robust WocaR-PPO agents by 34\%-54\% across four single-agent tasks. IMAP also achieves a state-of-the-art attacking success rate of 83.91\% in the multi-agent game YouShallNotPass. Our code is available at \url{<a class="link-external link-https" href="https://github.com/x-zheng16/IMAP" rel="external noopener nofollow">this https URL</a>}.

Machine Learning

Md Masudur Rahman,Yexiang Xue

DOI: https://doi.org/10.48550/arXiv.2304.14533

2023-04-28

Abstract:The policy represented by the deep neural network can overfit the spurious features in observations, which hamper a reinforcement learning agent from learning effective policy. This issue becomes severe in high-dimensional state, where the agent struggles to learn a useful policy. Data augmentation can provide a performance boost to RL agents by mitigating the effect of overfitting. However, such data augmentation is a form of prior knowledge, and naively applying them in environments might worsen an agent's performance. In this paper, we propose a novel RL algorithm to mitigate the above issue and improve the efficiency of the learned policy. Our approach consists of a max-min game theoretic objective where a perturber network modifies the state to maximize the agent's probability of taking a different action while minimizing the distortion in the state. In contrast, the policy network updates its parameters to minimize the effect of perturbation while maximizing the expected future reward. Based on this objective, we propose a practical deep reinforcement learning algorithm, Adversarial Policy Optimization (APO). Our method is agnostic to the type of policy optimization, and thus data augmentation can be incorporated to harness the benefit. We evaluated our approaches on several DeepMind Control robotic environments with high-dimensional and noisy state settings. Empirical results demonstrate that our method APO consistently outperforms the state-of-the-art on-policy PPO agent. We further compare our method with state-of-the-art data augmentation, RAD, and regularization-based approach DRAC. Our agent APO shows better performance compared to these baselines.

Machine Learning,Artificial Intelligence

You Qiaoben,Xinning Zhou,Ying Cui,Jun Zhu

2021-01-01

Abstract:Deep reinforcement learning (DRL) policies are vulnerable to the adversarial attack on their observations, which may mislead real-world RL agents to catastrophic failures. Several works have shown the effectiveness of this type of adversarial attacks. But these adversaries are inclined to be detected because these adversaries do not inhibit their attacks activity. Recent works provide heuristic methods by attacking the victim agent at a small subset of time steps, but it aims at lack for theoretical principles. Inspired by the idea that adversarial attacks at each time step have different efforts, we denote a novel strategically-timed attack called Tentative Frame Attack for continuous control environments. We further propose a theoretical framework of finding optimal frame attack. Following this framework, we trained the frame attack strategy online with the victim agents and a fixed adversary. The empirical results show that our adversaries achieve the state-of-the-art performance on DRL agents which outperforms the full-timed attack.

Qianmei Liu,Yufei Kuang,Jie Wang

2024-05-20

Abstract:Deep reinforcement learning (DRL) algorithms can suffer from modeling errors between the simulation and the real world. Many studies use adversarial learning to generate perturbation during training process to model the discrepancy and improve the robustness of DRL. However, most of these approaches use a fixed parameter to control the intensity of the adversarial perturbation, which can lead to a trade-off between average performance and robustness. In fact, finding the optimal parameter of the perturbation is challenging, as excessive perturbations may destabilize training and compromise agent performance, while insufficient perturbations may not impart enough information to enhance robustness. To keep the training stable while improving robustness, we propose a simple but effective method, namely, Adaptive Adversarial Perturbation (A2P), which can dynamically select appropriate adversarial perturbations for each sample. Specifically, we propose an adaptive adversarial coefficient framework to adjust the effect of the adversarial perturbation during training. By designing a metric for the current intensity of the perturbation, our method can calculate the suitable perturbation levels based on the current relative performance. The appealing feature of our method is that it is simple to deploy in real-world applications and does not require accessing the simulator in advance. The experiments in MuJoCo show that our method can improve the training stability and learn a robust policy when migrated to different test environments. The code is available at

Machine Learning,Artificial Intelligence

Feng Wang,Chen Zhong,M. Cenk Gursoy,Senem Velipasalar

DOI: https://doi.org/10.1109/ACCESS.2021.3133506

2020-07-13

Abstract:As the applications of deep reinforcement learning (DRL) in wireless communications grow, sensitivity of DRL based wireless communication strategies against adversarial attacks has started to draw increasing attention. In order to address such sensitivity and alleviate the resulting security concerns, we in this paper consider a victim user that performs DRL-based dynamic channel access, and an attacker that executes DRLbased jamming attacks to disrupt the victim. Hence, both the victim and attacker are DRL agents and can interact with each other, retrain their models, and adapt to opponents' policies. In this setting, we initially develop an adversarial jamming attack policy that aims at minimizing the accuracy of victim's decision making on dynamic channel access. Subsequently, we devise defense strategies against such an attacker, and propose three defense strategies, namely diversified defense with proportional-integral-derivative (PID) control, diversified defense with an imitation attacker, and defense via orthogonal policies. We design these strategies to maximize the attacked victim's accuracy and evaluate their performances.

Signal Processing,Machine Learning

Yang Li,Quan Pan,Erik Cambria

DOI: https://doi.org/10.48550/arXiv.2205.00807

2022-05-02

Abstract:Recent adversarial attack developments have made reinforcement learning more vulnerable, and different approaches exist to deploy attacks against it, where the key is how to choose the right timing of the attack. Some work tries to design an attack evaluation function to select critical points that will be attacked if the value is greater than a certain threshold. This approach makes it difficult to find the right place to deploy an attack without considering the long-term impact. In addition, there is a lack of appropriate indicators of assessment during attacks. To make the attacks more intelligent as well as to remedy the existing problems, we propose the reinforcement learning-based attacking framework by considering the effectiveness and stealthy spontaneously, while we also propose a new metric to evaluate the performance of the attack model in these two aspects. Experimental results show the effectiveness of our proposed model and the goodness of our proposed evaluation metric. Furthermore, we validate the transferability of the model, and also its robustness under the adversarial training.

Machine Learning,Artificial Intelligence,Cryptography and Security,Computers and Society

Çağrı Çerçi,Hakan Temeltas

DOI: https://doi.org/10.1109/access.2024.3485036

IF: 3.9

2024-11-01

IEEE Access

Abstract:Deep reinforcement learning (DRL) algorithms interact with the environment and aim to learn without labeled data. In high-dimensional spaces, they evolve their policies to maximize the rewards they can collect. They have applications in various fields, such as search and rescue, reconnaissance, military operations, firefighting, and autonomous vehicles. However, there are also situations in which algorithms struggle to cope. In simulation environments, it is assumed that the exact values of the observation data are properly received. If a neural network model meets inputs that are different from those used during training, accurate predictions cannot be made to solve these new situations. This makes it vulnerable to corrupted state data which may be encountered in real-world applications. In this study, State Adversarial Markov Decision Process (SA-MDP) was investigated to increase robustness. The state perturbed adversarial attack model is integrated into the DRL algorithm. To make appropriate decisions under perturbation, the guide actor, which is used only in the training phase and makes decisions with healthy observation data, guides the control actor, which makes decisions based on the perturbation model outputs. The proposed algorithm was applied to the target encirclement task for 3, 5 and 7 agents in multi-agent simulation systems prepared using the Pyglet library. The proposed guided approach was applied to both multi-agent soft actor critic (MA-SAC) and multi-agent twin delayed deep deterministic policy gradient (MA-TD3) algorithms. The results show that our approach is close to the results of the MA-SAC and MA-TD3 algorithms trained in noise-free environments.

computer science, information systems,telecommunications,engineering, electrical & electronic

Junru Sheng,Peng Zhai,Zhiyan Dong,Xiaoyang Kang,Chixiao Chen,Lihua Zhang

DOI: https://doi.org/10.1109/IJCNN55064.2022.9892908

2022-01-01

Abstract:Reinforcement learning with adversarial training is currently a key method for improving the robustness of DRL. However, in adversarial training, especially for unstable or disturbance -sensitive systems, the adversary always learns the policy significantly faster than the DRL, agent and thus easily generates powerful perturbations. The agent cannot effectively adapt to the overly powerful adversary, which leads to unstable training and even failure to learn the robust policy. In this work, we propose a novel adversarial training method, called Curriculum Adversarial Training, inspired by the idea of curriculum learning. The method dynamically adjusts the strength of the adversary through natural curriculum learning for progressive adversarial training Thus, the DRL system considers to reasonable learning rules, and the agent faces a suitable learning process. Furthermore, we adopt an advanced action space perturbation method with a most attractive ability as the adversary during training. The proposed method is compared with popular baseline methods through MuJoCo tasks. Experimental results show that our method can improve the robustness of the policy significantly and adapt to uncertain environment effectively.