Akansha Kalra*, Basavasagar Patil*,  Guanhong Tao, Daniel S. Brown

*Equal Contribution

We present the first systematic study of adversarial attacks, across a range of both classic and recently proposed imitation learning algorithms, including Vanilla Behavior Cloning (Vanilla BC), LSTM-GMM, Implicit Behavior Cloning (IBC), Diffusion Policy (DP), and Vector-Quantized Behavior Transformer (VQ-BET). We study the vulnerability of these methods to both white-box, grey-box and black-box adversarial perturbations. Our experiments reveal that most existing methods are highly vulnerable to these attacks, including black-box transfer attacks that transfer across algorithms. 

Below, for tasks of Square, Can, and Lift, we show per task : 

• in 1st sub-row, an example of unattacked task performance of a BC algorithm and its performance under white box Universal Adversarial Perturbation(UAP) attack.  

• the 2rd and 3rd sub-rows, depict the black box transferability of UAP attack developed for the BC algorithm in sub-row 1 applied to other algorithms. 

We also show unattacked task performance across other algorithms for comparison, i.e. to highlight the degradation in task performance under black box transfer of UAP attacks. 

Robomimic-Square task

Robomimic-Can task

Robomimic-Lift task