{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,28]],"date-time":"2025-10-28T10:57:53Z","timestamp":1761649073608,"version":"3.40.3"},"publisher-location":"Cham","reference-count":41,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031171420"},{"type":"electronic","value":"9783031171437"}],"license":[{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2022,1,1]],"date-time":"2022-01-01T00:00:00Z","timestamp":1640995200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2022]]},"DOI":"10.1007\/978-3-031-17143-7_19","type":"book-chapter","created":{"date-parts":[[2022,9,23]],"date-time":"2022-09-23T04:04:22Z","timestamp":1663905862000},"page":"384-404","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["Real-Time Adversarial Perturbations Against Deep Reinforcement Learning Policies: Attacks and\u00a0Defenses"],"prefix":"10.1007","author":[{"given":"Buse G. A.","family":"Tekgul","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Shelly","family":"Wang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Samuel","family":"Marchal","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"N.","family":"Asokan","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2022,9,24]]},"reference":[{"key":"19_CR1","doi-asserted-by":"crossref","unstructured":"Baluja, S., Fischer, I.: Learning to attack: adversarial transformation networks. In: Proceedings of AAAI-2018 (2018). http:\/\/www.esprockets.com\/papers\/aaai2018.pdf","DOI":"10.1609\/aaai.v32i1.11672"},{"key":"19_CR2","series-title":"Lecture Notes in Computer Science (Lecture Notes in Artificial Intelligence)","doi-asserted-by":"publisher","first-page":"262","DOI":"10.1007\/978-3-319-62416-7_19","volume-title":"Machine Learning and Data Mining in Pattern Recognition","author":"V Behzadan","year":"2017","unstructured":"Behzadan, V., Munir, A.: Vulnerability of deep reinforcement learning to policy induction attacks. In: Perner, P. (ed.) MLDM 2017. LNCS (LNAI), vol. 10358, pp. 262\u2013275. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-62416-7_19"},{"key":"19_CR3","unstructured":"Behzadan, V., Munir, A.: Whatever does not kill deep reinforcement learning, makes it stronger. arXiv preprint arXiv:1712.09344 (2017)"},{"key":"19_CR4","doi-asserted-by":"publisher","first-page":"253","DOI":"10.1613\/jair.3912","volume":"47","author":"MG Bellemare","year":"2013","unstructured":"Bellemare, M.G., Naddaf, Y., Veness, J., Bowling, M.: The arcade learning environment: an evaluation platform for general agents. J. Artif. Intell. Res. 47, 253\u2013279 (2013)","journal-title":"J. Artif. Intell. Res."},{"key":"19_CR5","doi-asserted-by":"publisher","unstructured":"Carlini, N., Wagner, D.: Towards evaluating the robustness of neural networks. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 39\u201357 (2017). https:\/\/doi.org\/10.1109\/SP.2017.49","DOI":"10.1109\/SP.2017.49"},{"key":"19_CR6","doi-asserted-by":"crossref","unstructured":"Co, K.T., Mu\u00f1oz-Gonz\u00e1lez, L., de Maupeou, S., Lupu, E.C.: Procedural noise adversarial examples for black-box attacks on deep convolutional networks. In: Proceedings of the 2019 ACM SIGSAC conference on computer and communications security, pp. 275\u2013289 (2019)","DOI":"10.1145\/3319535.3345660"},{"key":"19_CR7","unstructured":"Gleave, A., Dennis, M., Kant, N., Wild, C., Levine, S., Russell, S.: Adversarial policies: attacking deep reinforcement learning. arXiv preprint arXiv:1905.10615 (2019)"},{"key":"19_CR8","unstructured":"Goodfellow, I., Shlens, J., Szegedy, C.: Explaining and harnessing adversarial examples. In: International Conference on Learning Representations (2015). arxiv.org\/abs\/1412.6572"},{"key":"19_CR9","doi-asserted-by":"crossref","unstructured":"Hayes, J., Danezis, G.: Learning universal adversarial perturbations with generative models. In: 2018 IEEE Security and Privacy Workshops (SPW), pp. 43\u201349. IEEE (2018)","DOI":"10.1109\/SPW.2018.00015"},{"key":"19_CR10","unstructured":"Huang, S., Papernot, N., Goodfellow, I., Duan, Y., Abbeel, P.: Adversarial attacks on neural network policies. arXiv (2017). arxiv.org\/abs\/1702.02284"},{"key":"19_CR11","unstructured":"Hussenot, L., Geist, M., Pietquin, O.: Copycat: taking control of neural policies with constant attacks. In: International Conference on Autonomous Agents and Multi-Agent Systems (AAMAS) (2020). arxiv.org\/abs\/1905.12282"},{"key":"19_CR12","unstructured":"Inkawhich, M., Chen, Y., Li, H.: Snooping attacks on deep reinforcement learning. In: Proceedings of the 19th International Conference on Autonomous Agents and MultiAgent Systems, AAMAS 2020, Richland, SC, pp. 557\u2013565 (2020)"},{"key":"19_CR13","unstructured":"Kos, J., Song, D.: Delving into adversarial attacks on deep policies. In: 5th International Conference on Learning Representations, ICLR 2017, Toulon, France, Workshop Track Proceedings, 24\u201326 April 2017. OpenReview.net (2017). https:\/\/openreview.net\/forum?id=BJcib5mFe"},{"issue":"1","key":"19_CR14","doi-asserted-by":"publisher","first-page":"79","DOI":"10.1214\/aoms\/1177729694","volume":"22","author":"S Kullback","year":"1951","unstructured":"Kullback, S., Leibler, R.A.: On information and sufficiency. Ann. Math. Stat. 22(1), 79\u201386 (1951)","journal-title":"Ann. Math. Stat."},{"key":"19_CR15","doi-asserted-by":"publisher","unstructured":"Lin, Y., Hong, Z., Liao, Y., Shih, M., Liu, M., Sun, M.: Tactics of adversarial attack on deep reinforcement learning agents. In: Proceedings of the Twenty-Sixth International Joint Conference on Artificial Intelligence, IJCAI 2017, Melbourne, Australia, 19\u201325 August 2017, pp. 3756\u20133762. ijcai.org (2017). https:\/\/doi.org\/10.24963\/ijcai.2017\/525","DOI":"10.24963\/ijcai.2017\/525"},{"key":"19_CR16","unstructured":"Lin, Y., Liu, M., Sun, M., Huang, J.: Detecting adversarial attacks on neural network policies with visual foresight. CoRR abs\/1710.00814 (2017). arxiv.org\/abs\/1710.00814"},{"key":"19_CR17","doi-asserted-by":"crossref","unstructured":"Meng, D., Chen, H.: MagNet: a two-pronged defense against adversarial examples. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 135\u2013147 (2017)","DOI":"10.1145\/3133956.3134057"},{"key":"19_CR18","unstructured":"Mnih, V., et al.: Asynchronous methods for deep reinforcement learning. In: Proceedings of the 33nd International Conference on Machine Learning, ICML 2016, New York City, NY, USA, 19\u201324 June 2016, vol. 48, pp. 1928\u20131937 (2016)"},{"issue":"7540","key":"19_CR19","doi-asserted-by":"publisher","first-page":"529","DOI":"10.1038\/nature14236","volume":"518","author":"V Mnih","year":"2015","unstructured":"Mnih, V., et al.: Human-level control through deep reinforcement learning. Nature 518(7540), 529\u2013533 (2015)","journal-title":"Nature"},{"key":"19_CR20","doi-asserted-by":"crossref","unstructured":"Moosavi-Dezfooli, S.M., Fawzi, A., Fawzi, O., Frossard, P.: Universal adversarial perturbations. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 1765\u20131773 (2017)","DOI":"10.1109\/CVPR.2017.17"},{"key":"19_CR21","doi-asserted-by":"crossref","unstructured":"Moosavi-Dezfooli, S.M., Fawzi, A., Frossard, P.: DeepFool: a simple and accurate method to fool deep neural networks. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 2574\u20132582 (2016)","DOI":"10.1109\/CVPR.2016.282"},{"key":"19_CR22","unstructured":"Mopuri, K.R., Garg, U., Babu, R.V.: Fast feature fool: a data independent approach to universal adversarial perturbations. arXiv preprint arXiv:1707.05572 (2017)"},{"key":"19_CR23","doi-asserted-by":"crossref","unstructured":"Mopuri, K.R., Ojha, U., Garg, U., Babu, R.V.: NAG: network for adversary generation. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 742\u2013751 (2018)","DOI":"10.1109\/CVPR.2018.00084"},{"key":"19_CR24","unstructured":"Oikarinen, T., Zhang, W., Megretski, A., Daniel, L., Weng, T.W.: Robust deep reinforcement learning through adversarial loss. In: Ranzato, M., Beygelzimer, A., Dauphin, Y., Liang, P., Vaughan, J.W. (eds.) Advances in Neural Information Processing Systems, vol. 34, pp. 26156\u201326167. Curran Associates, Inc. (2021)"},{"key":"19_CR25","doi-asserted-by":"crossref","unstructured":"Papernot, N., McDaniel, P., Jha, S., Fredrikson, M., Celik, Z.B., Swami, A.: The limitations of deep learning in adversarial settings. In: 2016 IEEE European symposium on security and privacy (EuroS &P), pp. 372\u2013387. IEEE (2016)","DOI":"10.1109\/EuroSP.2016.36"},{"key":"19_CR26","doi-asserted-by":"crossref","unstructured":"Rouhani, B.D., Samragh, M., Javaheripi, M., Javidi, T., Koushanfar, F.: DeepFense: online accelerated defense against adversarial deep learning, pp. 1\u20138. IEEE (2018)","DOI":"10.1145\/3240765.3240791"},{"issue":"3","key":"19_CR27","doi-asserted-by":"publisher","first-page":"211","DOI":"10.1007\/s11263-015-0816-y","volume":"115","author":"O Russakovsky","year":"2015","unstructured":"Russakovsky, O., et al.: ImageNet large scale visual recognition challenge. Int. J. Comput. Vision 115(3), 211\u2013252 (2015)","journal-title":"Int. J. Comput. Vision"},{"key":"19_CR28","unstructured":"Schulman, J., Wolski, F., Dhariwal, P., Radford, A., Klimov, O.: Proximal policy optimization algorithms. CoRR abs\/1707.06347 (2017). arxiv.org\/abs\/1707.06347"},{"key":"19_CR29","doi-asserted-by":"crossref","unstructured":"Sun, J., et al.: Stealthy and efficient adversarial attacks against deep reinforcement learning. In: Proceedings of the AAAI Conference on Artificial Intelligence, pp. 5883\u20135891. AAAI Press (2020)","DOI":"10.1609\/aaai.v34i04.6047"},{"key":"19_CR30","volume-title":"Reinforcement Learning: An Introduction","author":"RS Sutton","year":"2018","unstructured":"Sutton, R.S., Barto, A.G.: Reinforcement Learning: An Introduction. MIT press, Cambridge (2018)"},{"key":"19_CR31","unstructured":"Szegedy, C., et al.: Intriguing properties of neural networks. In: International Conference on Learning Representations (2014). arxiv.org\/abs\/1312.6199"},{"key":"19_CR32","unstructured":"Tassa, Y., et al.: DeepMind control suite. arXiv preprint arXiv:1801.00690 (2018)"},{"key":"19_CR33","doi-asserted-by":"crossref","unstructured":"Tekgul, B.G., Wang, S., Marchal, S., Asokan, N.: Real-time adversarial perturbations against deep reinforcement learning policies: attacks and defenses. arXiv preprint arXiv:2106.08746 (2021)","DOI":"10.1007\/978-3-031-17143-7_19"},{"key":"19_CR34","doi-asserted-by":"crossref","unstructured":"Todorov, E., Erez, T., Tassa, Y.: MuJoCo: a physics engine for model-based control. In: 2012 IEEE\/RSJ International Conference on Intelligent Robots and Systems, pp. 5026\u20135033. IEEE (2012)","DOI":"10.1109\/IROS.2012.6386109"},{"key":"19_CR35","unstructured":"Tretschk, E., Oh, S.J., Fritz, M.: Sequential attacks on agents for long-term adversarial goals. CoRR abs\/1805.12487 (2018). arxiv.org\/abs\/1805.12487"},{"key":"19_CR36","unstructured":"Wu, X., Guo, W., Wei, H., Xing, X.: Adversarial policy training against deep reinforcement learning. In: 30th USENIX Security Symposium (USENIX Security 21), pp. 1883\u20131900. USENIX Association (2021). www.usenix.org\/conference\/usenixsecurity21\/presentation\/wu-xian"},{"key":"19_CR37","unstructured":"Xiao, C., et al.: Characterizing attacks on deep reinforcement learning. arXiv preprint arXiv:1907.09470 (2019)"},{"key":"19_CR38","doi-asserted-by":"crossref","unstructured":"Xu, W., Evans, D., Qi, Y.: Feature squeezing: detecting adversarial examples in deep neural networks. In: 25th Annual Network and Distributed System Security Symposium, NDSS. The Internet Society (2018)","DOI":"10.14722\/ndss.2018.23198"},{"key":"19_CR39","unstructured":"Zhang, H., et al.: Robust deep reinforcement learning against adversarial perturbations on state observations. In: Advances in Neural Information Processing Systems, vol. 33, pp. 21024\u201321037. Curran Associates, Inc. (2020)"},{"issue":"10","key":"19_CR40","doi-asserted-by":"publisher","first-page":"1943","DOI":"10.1109\/TPAMI.2015.2502579","volume":"38","author":"X Zhang","year":"2015","unstructured":"Zhang, X., Zou, J., He, K., Sun, J.: Accelerating very deep convolutional networks for classification and detection. IEEE Trans. Pattern Anal. Mach. Intell. 38(10), 1943\u20131955 (2015)","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"19_CR41","doi-asserted-by":"crossref","unstructured":"Zhao, Y., Shumailov, I., Cui, H., Gao, X., Mullins, R., Anderson, R.: Blackbox attacks on reinforcement learning agents using approximated temporal information. In: 2020 50th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W), pp. 16\u201324. IEEE Computer Society, Los Alamitos (2020)","DOI":"10.1109\/DSN-W50199.2020.00013"}],"container-title":["Lecture Notes in Computer Science","Computer Security \u2013 ESORICS 2022"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-17143-7_19","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,2,20]],"date-time":"2023-02-20T04:41:30Z","timestamp":1676868090000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-17143-7_19"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022]]},"ISBN":["9783031171420","9783031171437"],"references-count":41,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-17143-7_19","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2022]]},"assertion":[{"value":"24 September 2022","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ESORICS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"European Symposium on Research in Computer Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Copenhagen","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Denmark","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2022","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"26 September 2022","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"30 September 2022","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"27","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"esorics2022","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/esorics2022.compute.dtu.dk\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Single-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"EasyChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"562","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"104","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"6","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"19% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3.4","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"12","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}