Kexiong (Curtis) Zeng,Shinan Liu,Yuanchao Shu,Dong Wang,Haoyu Li,Yanzhi Dou,Gang Wang,Yaling Yang

2018-01-01

Abstract:Mobile navigation services are used by billions of users around globe today. While GPS spoofing is a known threat, it is not yet clear if spoofing attacks can truly manipulate road navigation systems. Existing works primarily focus on simple attacks by randomly setting user locations, which can easily trigger a routing instruction that contradicts with the physical road condition (i.e., easily noticeable). In this paper, we explore the feasibility of a stealthy manipulation attack against road navigation systems. The goal is to trigger the fake turn-by-turn navigation to guide the victim to a wrong destination without being noticed. Our key idea is to slightly shift the GPS location so that the fake navigation route matches the shape of the actual roads and trigger physically possible instructions. To demonstrate the feasibility, we first perform controlled measurements by implementing a portable GPS spoofer and testing on real cars. Then, we design a searching algorithm to compute the GPS shift and the victim routes in real time. We perform extensive evaluations using a trace-driven simulation (600 taxi traces in Manhattan and Boston), and then validate the complete attack via real-world driving tests (attacking our own car). Finally, we conduct deceptive user studies using a driving simulator in both the US and China. We show that 95% of the participants follow the navigation to the wrong destination without recognizing the attack. We use the results to discuss countermeasures moving forward.

Yanjiao Chen,Zhicong Zheng,Xueluan Gong

DOI: https://doi.org/10.1109/tdsc.2022.3207429

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Recent works have revealed that backdoor attacks against Deep Reinforcement Learning (DRL) could lead to abnormal action selections of the agent, which may result in failure or even catastrophe in crucial decision processes. However, existing attacks only consider single-agent reinforcement learning (RL) systems, in which the only agent can observe the global state and have full control of the decision process. In this article, we explore a new backdoor attack paradigm in cooperative multi-agent reinforcement learning (CMARL) scenarios, where a group of agents coordinate with each other to achieve a common goal, while each agent can only observe the local state. In the proposed MARNet attack framework, we carefully design a pipeline of trigger design, action poisoning, and reward hacking modules to accommodate the cooperative multi-agent settings. In particular, as only a subset of agents can observe the triggers in their local observations, we maneuver their actions to the worst actions suggested by an expert policy model. Since the global reward in CMARL is aggregated by individual rewards from all agents, we propose to modify the reward in a way that boosts the bad actions of poisoned agents (agents who observe the triggers) but mitigates the influence on non-poisoned agents. We conduct extensive experiments on three classical CMARL algorithms VDN, COMA, and QMIX, in two popular CMARL games Predator Prey and SMAC. The results show that the baselines extended from single-agent DRL backdoor attacks seldom work in CMARL problems while MARNet performs well by reducing the utility under attack by nearly 100%. We apply fine-tuning as a potential defense against MARNet and demonstrate that fine-tuning cannot entirely eliminate the effect of the attack.

Yuan Xu,Xingshuo Han,Gelei Deng,Jiwei Li,Yang Liu,Tianwei Zhang

DOI: https://doi.org/10.1109/eurosp57164.2023.00067

2022-01-01

Abstract:Robotic Vehicles (RVs) have gained great popularity over the past few years. Meanwhile, they are also demonstrated to be vulnerable to sensor spoofing attacks. Although a wealth of research works have presented various attacks, some key questions remain unanswered: are these existing works complete enough to cover all the sensor spoofing threats? If not, how many attacks are not explored, and how difficult is it to realize them? This paper answers the above questions by comprehensively systematizing the knowledge of sensor spoofing attacks against RVs. Our contributions are threefold. (1) We identify seven common attack paths in an RV system pipeline. We categorize and assess existing spoofing attacks from the perspectives of spoofer property, operation, victim characteristic and attack goal. Based on this systematization, we identify 4 interesting insights about spoofing attack designs. (2) We propose a novel action flow model to systematically describe robotic function executions and unexplored sensor spoofing threats. With this model, we successfully discover 103 spoofing attack vectors, 26 of which have been verified by prior works, while 77 attacks are never considered. (3) We design two novel attack methodologies to verify the feasibility of newly discovered spoofing attack vectors.

Zizhi Jin,Xiaoyu Ji,Yushi Cheng,Bo Yang,Chen Yan,Wenyuan Xu

DOI: https://doi.org/10.1109/jiot.2024.3496783

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:Autonomous vehicles and robots increasingly exploit LiDAR-based 3D object detection systems to detect obstacles in the environment. Correct detection and classification are important to ensure safe driving. Although previous work has demonstrated the feasibility of manipulating point clouds to spoof 3D object detectors, most of these attempts are performed digitally. In this paper, we investigate the possibility of physically fooling LiDAR-based 3D object detection by injecting adversarial point clouds using lasers. First, we develop a laser transceiver that can inject up to 4200 points, and can measure the scanning cycle of victim LiDARs to schedule the spoofing laser signals. By designing a control signal method that converts the coordinates of point clouds to control signals and an adversarial point cloud optimization method with physical constraints of LiDARs and attack capabilities, we manage to inject spoofing point cloud with desired point cloud shapes into the victim LiDAR physically. We can launch four types of attacks, i.e., naive hiding, record-based creating, optimization-based hiding, and optimization-based creating. Extensive experiments demonstrate the effectiveness of our attacks against two commercial LiDAR and three detectors. We further analyze the impact of our attacks on four fusion-based detectors. The paper concludes with experiments on defense methods and discussion on potential defense strategies at both the sensor and autonomous vehicle system levels.

Yalun Wu,Yingxiao Xiang,Thar Baker,Endong Tong,Ye Zhu,Xiaoshu Cui,Zhenguo Zhang,Zhen Han,Jiqiang Liu,Wenjia Niu

DOI: https://doi.org/10.1155/2024/4734030

IF: 8.993

2024-10-20

International Journal of Intelligent Systems

Abstract:Intelligent traffic signal systems, crucial for intelligent transportation systems, have been widely studied and deployed to enhance vehicle traffic efficiency and reduce air pollution. Unfortunately, intelligent traffic signal systems are at risk of data spoofing attack, causing traffic delays, congestion, and even paralysis. In this paper, we reveal a multivehicle collaborative data spoofing attack to intelligent traffic signal systems and propose a collaborative attack sequence generation model based on multiagent reinforcement learning (RL), aiming to explore efficient and stealthy attacks. Specifically, we first model the spoofing attack based on Partially Observable Markov Decision Process (POMDP) at single and multiple intersections. This involves constructing the state space, action space, and defining a reward function for the attack. Then, based on the attack modeling, we propose an automated approach for generating collaborative attack sequences using the Multi‐Actor‐Attention‐Critic (MAAC) algorithm, a mainstream multiagent RL algorithm. Experiments conducted on the multimodal traffic simulation (VISSIM) platform demonstrate a 15% increase in delay time (DT) and a 40% reduction in attack ratio (AR) compared to the single‐vehicle attack, confirming the effectiveness and stealthiness of our collaborative attack.

computer science, artificial intelligence

Chenyang Yuan,A. Bayen,Jérôme Thai

DOI: https://doi.org/10.1109/TCNS.2016.2612828

IF: 4.347

2018-03-01

IEEE Transactions on Control of Network Systems

Abstract:Mobility-as-a-Service (MaaS) systems, such as ride-sharing services, have expanded very quickly over the past years. However, the popularity of MaaS systems make them increasingly vulnerable to denial-of-service (DOS) attacks, in which attackers attempt to disrupt the system to make it unavailable to the customers. Expanding on an established queuing-theoretical model for MaaS systems, attacks are modeled as a malicious control of a fraction of vehicles in the network. We then formulate a stochastic control problem that maximizes the passenger loss in the network in steady state, and solve it as a sequence of linear and quadratic programs. Combined with a Jackson network simulation and an economic model of supply and demand for attacks, we quantify how raising the cost of attacks (via cancellation fees and higher level of security) removes economical incentives for DoS attacks. Calibrating the model on 1B taxi rides, we dynamically simulate a system under attack and estimate the passenger loss under different scenarios, such as arbitrarily depleting taxis or maximizing the passenger loss. Cost of attacks of U.S.$ 15 protects the MaaS system against DoS attacks. The contributions are thus a theoretical framework for the analysis of the network, and practical conclusions in terms of financial countermeasures to the attacks.

Engineering,Computer Science

Taha Eghtesad,Sirui Li,Yevgeniy Vorobeychik,Aron Laszka

DOI: https://doi.org/10.48550/arXiv.2312.14625

2024-03-07

Abstract:The increasing reliance of drivers on navigation applications has made transportation networks more susceptible to data-manipulation attacks by malicious actors. Adversaries may exploit vulnerabilities in the data collection or processing of navigation services to inject false information, and to thus interfere with the drivers' route selection. Such attacks can significantly increase traffic congestions, resulting in substantial waste of time and resources, and may even disrupt essential services that rely on road networks. To assess the threat posed by such attacks, we introduce a computational framework to find worst-case data-injection attacks against transportation networks. First, we devise an adversarial model with a threat actor who can manipulate drivers by increasing the travel times that they perceive on certain roads. Then, we employ hierarchical multi-agent reinforcement learning to find an approximate optimal adversarial strategy for data manipulation. We demonstrate the applicability of our approach through simulating attacks on the Sioux Falls, ND network topology.

Artificial Intelligence,Cryptography and Security,Machine Learning

Kai-Fung Chu,Haiyue Yuan,Jinsheng Yuan,Weisi Guo,Nazmiye Balta-Ozkan,Shujun Li

DOI: https://doi.org/10.1109/MITS.2024.3427655

2024-11-09

Abstract:Mobility-as-a-Service (MaaS) integrates different transport modalities and can support more personalisation of travellers' journey planning based on their individual preferences, behaviours and wishes. To fully achieve the potential of MaaS, a range of AI (including machine learning and data mining) algorithms are needed to learn personal requirements and needs, to optimise journey planning of each traveller and all travellers as a whole, to help transport service operators and relevant governmental bodies to operate and plan their services, and to detect and prevent cyber attacks from various threat actors including dishonest and malicious travellers and transport operators. The increasing use of different AI and data processing algorithms in both centralised and distributed settings opens the MaaS ecosystem up to diverse cyber and privacy attacks at both the AI algorithm level and the connectivity surfaces. In this paper, we present the first comprehensive review on the coupling between AI-driven MaaS design and the diverse cyber security challenges related to cyber attacks and countermeasures. In particular, we focus on how current and emerging AI-facilitated privacy risks (profiling, inference, and third-party threats) and adversarial AI attacks (evasion, extraction, and gamification) may impact the MaaS ecosystem. These risks often combine novel attacks (e.g., inverse learning) with traditional attack vectors (e.g., man-in-the-middle attacks), exacerbating the risks for the wider participation actors and the emergence of new business models.

Cryptography and Security

Wei Hao,Jia Liu,Wenjie Li,Lijun Chen

DOI: https://doi.org/10.1109/lra.2024.3455765

IF: 5.2

2024-01-01

IEEE Robotics and Automation Letters

Abstract:In this letter, we address the critical security concerns in multi-agent systems, where illegal infiltration is commonly used to convert agents into malicious entities. Existing research predominantly focuses on explicit malicious attack patterns. Our work introduces a covert deception attack framework in the context of multi-agent resource scheduling scenarios. We first highlight vulnerabilities in scheduling strategies based on time and path costs. Exploiting these weaknesses, an infiltrated agent clandestinely gathers motion characteristics of other agents while posing as a teammate. Using these motion characteristics, the infiltrated agent employs an LSTM architecture to learn and predict congestion areas, thereby designing attack paths with greater time efficiency. This approach allows the infiltrated agent to secure additional resources and evade capture more effectively. Validation through simulation and real-world experiments demonstrates the feasibility and effectiveness of our approach, underscoring the importance of evaluating covert attacks in risk assessments within multi-agent systems.

Xinru Wen,Jinbo Wen,Ming Xiao,Jiawen Kang,Tao Zhang,Xiaohuan Li,Chuanxi Chen,Dusit Niyato

2024-12-28

Abstract:Vehicular metaverses, blending traditional vehicular networks with metaverse technology, are expected to revolutionize fields such as autonomous driving. As virtual intelligent assistants in vehicular metaverses, Artificial Intelligence (AI) agents powered by large language models can create immersive 3D virtual spaces for passengers to enjoy on-broad vehicular applications and services. To provide users with seamless and engaging virtual interactions, resource-limited vehicles offload AI agents to RoadSide Units (RSUs) with adequate communication and computational capabilities. Due to the mobility of vehicles and the limited coverage of RSUs, AI agents need to migrate from one RSU to another RSU. However, potential network attacks pose significant challenges to ensuring reliable and efficient AI agent migration. In this paper, we first explore specific network attacks including traffic-based attacks (i.e., DDoS attacks) and infrastructure-based attacks (i.e., malicious RSU attacks). Then, we model the AI agent migration process as a Partially Observable Markov Decision Process (POMDP) and apply multi-agent proximal policy optimization algorithms to mitigate DDoS attacks. In addition, we propose a trust assessment mechanism to counter malicious RSU attacks. Numerical results validate that the proposed solutions effectively defend against these network attacks and reduce the total latency of AI agent migration by approximately 43.3%.

Networking and Internet Architecture

Zefang Lv,Liang Xiao,Yifan Chen,Haoyu Chen,Xiangyang Ji

DOI: https://doi.org/10.1109/tifs.2024.3423428

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Based on the network observations and learning parameters shared by the neighboring learning agents, multi-agent reinforcement learning (RL) has to enhance the performance over adversarial communications, in which spoofing attackers send fake learning messages to fool the learning agent and thus degrade the performance of wireless applications. In this paper, we propose a safe multi-agent RL algorithm for wireless applications against adversarial communications, in which each learning agent chooses the cooperative agents to share the learning information and authenticates the received learning messages before integrating them into the RL state formulation and the learning parameter update. The communication policy distribution for the cooperative agent selection is formulated based on the long-term discounted reward and the sharing reputation for each neighboring agent, which is updated based on the authentication results to indicate the probability as a spoofing attacker. Neural networks are designed to estimate the long-term discounted reward and the sharing reputation for the learning agent with sufficient computational resources in large-scale wireless networks to enhance the agent selection security. As a case study, our proposed algorithm is implemented in the unmanned aerial vehicle swarm anti-jamming video transmission against spoofing attackers that send fake received jamming power as well as Q-values and neural network weights in the anti-jamming transmission policy learning. Both simulation and experimental results are provided to verify the performance gain over the benchmark.

Hongchao Zhang,Zhouchi Li,Shiyu Cheng,Andrew Clark

DOI: https://doi.org/10.48550/arXiv.2302.07341

2023-02-15

Abstract:Autonomous vehicles rely on LiDAR sensors to detect obstacles such as pedestrians, other vehicles, and fixed infrastructures. LiDAR spoofing attacks have been demonstrated that either create erroneous obstacles or prevent detection of real obstacles, resulting in unsafe driving behaviors. In this paper, we propose an approach to detect and mitigate LiDAR spoofing attacks by leveraging LiDAR scan data from other neighboring vehicles. This approach exploits the fact that spoofing attacks can typically only be mounted on one vehicle at a time, and introduce additional points into the victim's scan that can be readily detected by comparison from other, non-modified scans. We develop a Fault Detection, Identification, and Isolation procedure that identifies non-existing obstacle, physical removal, and adversarial object attacks, while also estimating the actual locations of obstacles. We propose a control algorithm that guarantees that these estimated object locations are avoided. We validate our framework using a CARLA simulation study, in which we verify that our FDII algorithm correctly detects each attack pattern.

Systems and Control

Anum Talpur,Mohan Gurusamy

DOI: https://doi.org/10.1109/GCWkshps52748.2021.9681966

2021-09-16

Abstract:Machine learning (ML) has made incredible impacts and transformations in a wide range of vehicular applications. As the use of ML in Internet of Vehicles (IoV) continues to advance, adversarial threats and their impact have become an important subject of research worth exploring. In this paper, we focus on Sybil-based adversarial threats against a deep reinforcement learning (DRL)-assisted IoV framework and more specifically, DRL-based dynamic service placement in IoV. We carry out an experimental study with real vehicle trajectories to analyze the impact on service delay and resource congestion under different attack scenarios for the DRL-based dynamic service placement application. We further investigate the impact of the proportion of Sybil-attacked vehicles in the network. The results demonstrate that the performance is significantly affected by Sybil-based data poisoning attacks when compared to adversary-free healthy network scenario.

Machine Learning,Artificial Intelligence,Cryptography and Security

Donglei Rong,Sheng Jin,Wenbin Yao,Chengcheng Yang,Congcong Bai,Adjé Jérémie Alagbé

DOI: https://doi.org/10.1109/tits.2024.3373818

IF: 8.5

2024-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:In this study, we introduce a novel hybrid trajectory planning algorithm for autonomous driving, specifically designed to mitigate the risks posed by spoofing attacks on Connected and Autonomous Vehicles (CAVs). The research begins by assessing the safety implications of attacks and developing an adaptive safety model that is grounded in the fundamental assessment of state and decision data. This model incorporates the establishment of a posterior probability distribution for decision data, rooted in the pre-existing prior distribution but adjusted to account for the influence of spoofing attacks. The adjustment is achieved through Bayesian maximum posterior estimation, thereby refining the model to better adapt to potential threats. The adaptive safety model is then optimized dynamically, taking into consideration a set of indices—safety, comfort, and efficiency—that are critical to trajectory planning. In the subsequent phase, we introduce a composite trajectory planning algorithm that integrates a lateral trajectory selection sampling method with a longitudinal trajectory optimization approach. The adaptive safety model is seamlessly integrated into the trajectory planning process, influencing target position selection, the setting of constraints, and the formulation of the optimization objective function. The results demonstrate that the algorithm effectively limits the average standard deviation of lateral displacement to 0.5851 and achieves a significant increase in longitudinal speed growth rate, by up to 7.30%, surpassing the performance of benchmark algorithms. The proposed solution consistently delivers optimal safety and efficiency across various scenarios and under different parameter conditions.

engineering, electrical & electronic,transportation science & technology, civil

Zhe Yang,Kuan Zhang,Lei,Kan Zheng

DOI: https://doi.org/10.1109/jiot.2018.2872456

IF: 10.6

2019-01-01

IEEE Internet of Things Journal

Abstract:A Sybil attacker is able to obtain more than one identities and disguise as multiple vehicles in order to interfere the normal operations of the connected vehicle system (CVS). In this paper, we propose a novel classifier to detect Sybil attackers according to their mobility behaviors. Specifically, three levels of Sybil attackers are first defined according to their attack abilities. Through analyzing the mobility behaviors of vehicles, a learning-based model is used in the central server (CS) to extract mobility features and distinguish Sybil attackers from benign vehicles. Three classification algorithms are tested and compared, i.e., the naive Bayes, decision tree, and support vector machine. Furthermore, location certificates issued by base stations are used to resist location forgery by attackers. Based on the location certificates, the CS is able to evaluate the credibilities of uploaded locations using the subjective logic theory. In addition, we develop an edge betweenness-based community detection algorithm to handle the collusion among multiple Sybil attackers. Simulations are conducted based on a real-world vehicle trajectory dataset, which indicate that the proposed scheme is effective to resist Sybil attackers in CVS.

Xu Chu,Na Ruan,Ming Li,Weijia Jia

DOI: https://doi.org/10.1109/cns.2018.8433132

2018-01-01

Abstract:Vehicle platooning is a promising technique to enhance travel safety and road capacity. A common form of platooning is Cooperative Adaptive Cruise Control (CACC), where cars communicate their states with each other to maintain a constant gap between them. CACC can further reduce the headway between adjacent vehicles. However, the frequently broadcast safety messages with precise location and time information impose a significant threat to the location privacy of cars. Mix-zone based approaches are traditionally used to obfuscate vehicles' identities by mixing their pseudonyms. However, vehicles' movement is tightly coupled with each other inside a vehicular platoon, which introduces high predictability and spatial-temporal correlation for trajectories of vehicles. In this paper, we show how an adversary can exploit vehicles' platooning states to better infer their pseudonyms by observing their broadcast states before and after entering a mix-zone. We propose a novel attack strategy using a maximum likelihood estimator and expectation-maximization algorithm, and demonstrate the effectiveness of this attack through extensive simulations based on the real data from U.S. Highway 101. Our strategy achieves 30% higher inference accuracy compared with traditional non-platooning traffic scenarios. We also suggest a few possible approaches to mitigate such privacy threat in a platooning environment.

Jingyao Wang,Jinghua Guo,Keqiang Li,Huaqing Zheng

DOI: https://doi.org/10.1109/TVT.2024.3436052

IF: 6.8

2024-01-01

IEEE Transactions on Vehicular Technology

Abstract:Due to the utilization of Cellular Vehicle-toEverything (C-V2X) wireless communication network, the communication process of connected automated vehicle platoon systems is susceptible to external malicious attacks. This paper proposes an effective distributed control framework for connected automated vehicle platoon systems in the presence of spoofing cyber attacks. Firstly, Bernoulli random variables are utilized to model the random nature of spoofing attacks within the platoon systems, and an adaptive event-based communication strategy is adopted to optimize network resource utilization and prevent redundant information transmission. Secondly, a distributed state-feedback controller is designed, leveraging both the adaptive event-triggered approach and the linear matrix inequality (LMI) approach, considering the influence of random and energylimited spoofing attacks. Thirdly, through the application of the Lyapunov stability theory, the system with the platooning controller, despite the presence of spoofing cyber attacks, is proved to be asymptotically stable. Finally, numerical examples are presented to demonstrate the feasibility and effectiveness of the proposed controller.

Tianyi Li,Mingfeng Shang,Shian Wang,Raphael Stern

DOI: https://doi.org/10.48550/arXiv.2310.17091

2023-10-26

Multiagent Systems

Abstract:With the advent of vehicles equipped with advanced driver-assistance systems, such as adaptive cruise control (ACC) and other automated driving features, the potential for cyberattacks on these automated vehicles (AVs) has emerged. While overt attacks that force vehicles to collide may be easily identified, more insidious attacks, which only slightly alter driving behavior, can result in network-wide increases in congestion, fuel consumption, and even crash risk without being easily detected. To address the detection of such attacks, we first present a traffic model framework for three types of potential cyberattacks: malicious manipulation of vehicle control commands, false data injection attacks on sensor measurements, and denial-of-service (DoS) attacks. We then investigate the impacts of these attacks at both the individual vehicle (micro) and traffic flow (macro) levels. A novel generative adversarial network (GAN)-based anomaly detection model is proposed for real-time identification of such attacks using vehicle trajectory data. We provide numerical evidence {to demonstrate} the efficacy of our machine learning approach in detecting cyberattacks on ACC-equipped vehicles. The proposed method is compared against some recently proposed neural network models and observed to have higher accuracy in identifying anomalous driving behaviors of ACC vehicles.

Mingzhou Yang,Yanhua Li,Xun Zhou,Hui Lu,Zhihong Tian,Jun Luo

DOI: https://doi.org/10.1145/3366423.3380235

2020-01-01

Abstract:Public transports, such as subway lines and buses, offer affordable ride-sharing services and reduce the road network traffic. Extracting passengers’ preferences from their public transit choices is important to city planners but technically non-trivial. When traveling by taking public transits, passengers make sequences of transit choices, and their rewards are usually influenced by other passengers’ choices. This process can be modeled as a Markov Game (MG). In this paper, we make the first effort to model travelers’ preferences of making transit choices using MGs. Based on the discovery that passengers usually do not change their policies, we propose novel algorithms to extract reward functions from the observed deterministic equilibrium joint policy of all agents in a general-sum MG to infer travelers’ preferences. First, we assume we have the access to the entire joint policy. We characterize the set of all reward functions for which the given joint policy is a Nash equilibrium policy. In order to remove the degeneracy of the solution, we then attempt to pick reward functions so as to maximize the sum of the deviation between the the observed policy and the sub-optimal policy of each agent. This results in a skillfully solvable linear programming algorithm for the multi-agent inverse reinforcement learning (MA-IRL) problem. Then, we deal with the case where we have access to the equilibrium joint policy through a set of actual trajectories. We propose an iterative algorithm inspired by single-agent apprenticeship learning algorithms and the cyclic coordinate descent approach. We evaluate the proposed algorithms on both a simple Grid Game and a unique real-world dataset (from Shenzhen, China). Results show that when we have access to the full policy, our algorithm can efficiently recover most of the reward structure, especially the interaction of agents. In the case where we only have access to a set of sampled expert trajectories, our algorithm can provide an explanation of the expert trajectories. Measured with respect to the experts’ unknown reward function, the performance of the policy output by our algorithm is close to that of the expert policy.

Ziqing Lu,Guanlin Liu,Lifeng Lai,Weiyu Xu

2024-01-31

Abstract:The multi-agent reinforcement learning systems (MARL) based on the Markov decision process (MDP) have emerged in many critical applications. To improve the robustness/defense of MARL systems against adversarial attacks, the study of various adversarial attacks on reinforcement learning systems is very important. Previous works on adversarial attacks considered some possible features to attack in MDP, such as the action poisoning attacks, the reward poisoning attacks, and the state perception attacks. In this paper, we propose a brand-new form of attack called the camouflage attack in the MARL systems. In the camouflage attack, the attackers change the appearances of some objects without changing the actual objects themselves; and the camouflaged appearances may look the same to all the targeted recipient (victim) agents. The camouflaged appearances can mislead the recipient agents to misguided actions. We design algorithms that give the optimal camouflage attacks minimizing the rewards of recipient agents. Our numerical and theoretical results show that camouflage attacks can rival the more conventional, but likely more difficult state perception attacks. We also investigate cost-constrained camouflage attacks and showed numerically how cost budgets affect the attack performance.

Multiagent Systems