Current adversarial attacks against DRL agents [4-8] are generated per observation, which is not feasible given the dynamic nature of RL: creating observation-specific adversarial samples is usually slower than the agent's sampling rate, so the perturbation computed for one observation arrives only after the agent has already moved on to the next. The goal of this work is to design an approach for creating universal, additive adversarial perturbations that require almost no computation at run time. The work will focus on different pre-computed attack strategies that are capable of changing the input before it is observed by the RL agent. We will analyze the effect of universal adversarial perturbations on Atari games, continuous-control task simulators and self-driving car simulators trained with different DRL algorithms.
MSc students in security, computer science, machine learning, robotics or automated systems
Basic understanding of both standard ML techniques and deep neural networks (you should have taken at least the "Machine learning: basic principles" course from the SCI department, or a similar course)
Good knowledge of mathematical methods and algorithmic skills
Nice to have:
Familiarity with one of the topics: adversarial machine learning, reinforcement learning, statistics, control theory, artificial intelligence
Familiarity with deep learning frameworks (PyTorch, TensorFlow, Keras, etc.)
Sufficient skills to work and interact in English
An interest in doing research, and in arcade games
Some references for reading:
Goodfellow, Ian J., Jonathon Shlens, and Christian Szegedy. 2014. "Explaining and harnessing adversarial examples."