Li Simin, Guo Jun, Xiu Jingqiao, Zheng Yuwei, Feng Pu, Yu Xin, Wang Jiakai, Liu Aishan, Yang Yaodong, An Bo, Wu Wenjun, Liu Xianglong
State Key Lab of Software Development Environment, Beihang University, Beijing, China; Nanyang Technological University, Singapore.
State Key Lab of Software Development Environment, Beihang University, Beijing, China.
Neural Netw. 2025 Nov;191:107747. doi: 10.1016/j.neunet.2025.107747. Epub 2025 Jun 21.
This study probes the vulnerabilities of cooperative multi-agent reinforcement learning (c-MARL) under adversarial attacks, a critical determinant of c-MARL's worst-case performance prior to real-world implementation. Current observation-based attacks, constrained by white-box assumptions, overlook c-MARL's complex multi-agent interactions and cooperative objectives, resulting in impractical and limited attack capabilities. To address these shortcomes, we propose Adversarial Minority Influence (AMI), a practical and strong for c-MARL. AMI is a practical black-box attack and can be launched without knowing victim parameters. AMI is also strong by considering the complex multi-agent interaction and the cooperative goal of agents, enabling a single adversarial agent to unilaterally misleads majority victims to form targeted worst-case cooperation. This mirrors minority influence phenomena in social psychology. To achieve maximum deviation in victim policies under complex agent-wise interactions, our unilateral attack aims to characterize and maximize the impact of the adversary on the victims. This is achieved by adapting a unilateral agent-wise relation metric derived from mutual information, thereby mitigating the adverse effects of victim influence on the adversary. To lead the victims into a jointly detrimental scenario, our targeted attack deceives victims into a long-term, cooperatively harmful situation by guiding each victim towards a specific target, determined through a trial-and-error process executed by a reinforcement learning agent. Through AMI, we achieve the first successful attack against real-world robot swarms and effectively fool agents in simulated environments into collectively worst-case scenarios, including Starcraft II and Multi-agent Mujoco. The source code and demonstrations can be found at: https://github.com/DIG-Beihang/AMI.
本研究探讨了对抗攻击下合作多智能体强化学习(c-MARL)的脆弱性,这是c-MARL在实际应用前最坏情况性能的关键决定因素。当前基于观测的攻击受白盒假设限制,忽略了c-MARL复杂的多智能体交互和合作目标,导致攻击能力不切实际且有限。为解决这些缺点,我们提出了对抗少数影响(AMI),这是一种针对c-MARL实用且强大的攻击方法。AMI是一种实用的黑盒攻击,无需了解受害者参数即可发动。通过考虑复杂的多智能体交互和智能体的合作目标,AMI也具有强大的攻击能力,能使单个对抗智能体单方面误导多数受害者形成有针对性的最坏情况合作。这反映了社会心理学中的少数影响现象。为在复杂的智能体间交互下使受害者策略产生最大偏差,我们的单边攻击旨在刻画并最大化对手对受害者的影响。这通过采用从互信息导出的单边智能体关系度量来实现,从而减轻受害者影响对对手的不利影响。为引导受害者进入共同有害的场景,我们的有针对性攻击通过引导每个受害者朝着一个特定目标,将受害者欺骗到一个长期的、合作有害的情况,该目标是通过强化学习智能体执行的试错过程确定的。通过AMI,我们首次成功攻击了现实世界中的机器人集群,并在模拟环境中有效地将智能体愚弄进集体最坏情况场景,包括《星际争霸II》和多智能体MuJoCo。源代码和演示可在以下网址找到:https://github.com/DIG-Beihang/AMI 。
