Towards Robust and Safe Reinforcement Learning with Benign Off-policy Data

Abstract

Previous work demonstrates that the optimal safe reinforcement learning (SRL) policy in a noise-free environment is vulnerable and could be unsafe under observational attacks. While adversarial training effectively improves robustness and safety, collecting samples by attacking the behavior agent online could be expensive or prohibitively dangerous in many applications. We propose the robuSt vAriational ofF-policy lEaRning (SAFER) approach, which only requires benign training data without attacking the agent. SAFER obtains an optimal non-parametric variational policy distribution via convex optimization and then uses it to improve the parametrized policy robustly via supervised learning. The two-stage policy optimization facilitates robust training, and extensive experiments on multiple robot platforms show the efficiency of SAFER in learning a robust and safe policy: achieving the same reward with much fewer constraint violations during training than on-policy baselines.

Method Overview

An overview of SAFER is shown in the left figure below. It consists of a constrained E-step and a robust M-step. The E-step step aims to find the optimal variational distribution that maximizes the reward return while satisfying the safety constraint. This step can be written as a constrained optimization problem, which has a closed-form solution and can be efficiently solved by convex optimization. The robust M-step has two components: a vanilla M-step that aims to fit the variational distribution obtained from the E-step using a parametrized policy, such as a neural network, and then achieve generalization beyond the state-action samples used for training; and an adversarial training step that aims to improve the policy robustness by optimizing toward the worst-case perturbations. The pseudo-code of SAFER is shown below.

Experiments

Experiment Setting 

We consider two tasks (Run and Circle) and four robots (Ball, Car, Drone, and Ant). For the Run task, the agents are rewarded for running fast between two boundaries and are given a constraint violation cost if they run across the boundaries or exceed an agent-specific velocity threshold. For the Circle task, the agents are rewarded for running in a circle but are constrained within a safe region that is smaller than the radius of the target circle. We name the tasks as Ball-Circle, Car-Circle, Drone-Run, and Ant-Run.

Final Performance of SAFER - video demos

The following animations show the performance of some baselines and SAFER under MC and MR attackers in the Car-Circle environment. The first row shows the performance of CVPO-vanilla. We can observe that the vanilla EM-based safe RL method CVPO-vanilla is vulnerable to adversarial attacks, although it can attain near zero natural cost in a noise-free environment. The second row shows the performance of ADV-CVPO. The successful on-policy adversarial training techniques in ADV-PPOL do not work in the off-policy setting, as the ADV-CVPO method is not safe under adversarial attackers and even performs poorly in noise-free environments. However, it is clear that the SAFER agnets are robust and safe against adversarial attacks. More detailed results are in the table below, and more videos are available here.