In the white-box setting, the adversary has complete access to the target neural network policy. Click on any of the links below to see the corresponding video of adversarial perturbations for a particular game, learning algorithm, and adversary combination.

We test on four Atari 2600 games and three deep RL training algorithms, with three metrics for constraining the size of the adversary's perturbation. ε denotes the magnitude of the perturbation, under a given metric.

In each video, the left-most inset video shows how the policy would play, without the presence of adversarial perturbations. The other three inset videos, from left-to-right, show at each execution time step the original image, the (unscaled) perturbation chosen by the adversary, and the two combined into the adversarial example.

In this black-box setting, the adversary has access to the training environment and knows the training algorithm and hyperparameters. It knows the neural network architecture of the target policy, but not its random initialization -- so the adversary trains its own version of the policy, and uses this to generate attacks for the (separate) target policy. Click on any of the links below to see the corresponding video of black-box adversarial perturbations for a particular game, learning algorithm, and adversary combination.

We test on four Atari 2600 games and three deep RL training algorithms, with three metrics for constraining the size of the adversary's perturbation. ε denotes the magnitude of the perturbation, under a given metric.

In each video, the left-most inset video shows how the policy would play, without the presence of adversarial perturbations. The other three inset videos, from left-to-right, show at each execution time step the original image, the (unscaled) perturbation chosen by the adversary, and the two combined into the adversarial example.

Note: We omit black-box attacks for Seaquest trained with A3C because only one policy met the performance requirements (more details are in the paper).

In this black-box setting, the adversary has access to the training environment, but does not know the training algorithm or hyperparameters. It knows the neural network architecture of the target policy, but not its random initialization -- so the adversary trains its own version of the policy using its own deep RL algorithm, and uses this to generate attacks for the (separate) target policy. Click on any of the links below to see the corresponding video of black-box adversarial perturbations for a particular game, learning algorithm, and adversary combination.

We test on four Atari 2600 games and all possible target-adversary combinations of three deep RL training algorithms, with three metrics for constraining the size of the adversary's perturbation. ε denotes the magnitude of the perturbation, under a given metric.

In each video, the left-most inset video shows how the policy would play, without the presence of adversarial perturbations. The other three inset videos, from left-to-right, show at each execution time step the original image, the (unscaled) perturbation chosen by the adversary, and the two combined into the adversarial example.