{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,28]],"date-time":"2026-03-28T01:12:11Z","timestamp":1774660331418,"version":"3.50.1"},"reference-count":193,"publisher":"Association for Computing Machinery (ACM)","issue":"6","license":[{"start":{"date-parts":[[2024,2,23]],"date-time":"2024-02-23T00:00:00Z","timestamp":1708646400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Natural Science Foundation of China for Joint Fund Project","award":["U1936218"],"award-info":[{"award-number":["U1936218"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"crossref","award":["U23A20307, 62372120, 62102108"],"award-info":[{"award-number":["U23A20307, 62372120, 62102108"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"name":"Natural Science Foundation of Guangdong Province of China","award":["2022A1515010061"],"award-info":[{"award-number":["2022A1515010061"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2024,6,30]]},"abstract":"<jats:p>Deep Reinforcement Learning (DRL) is an essential subfield of Artificial Intelligence (AI), where agents interact with environments to learn policies for solving complex tasks. In recent years, DRL has achieved remarkable breakthroughs in various tasks, including video games, robotic control, quantitative trading, and autonomous driving. Despite its accomplishments, security and privacy-related issues still prevent us from deploying trustworthy DRL applications. For example, by manipulating the environment, an attacker can influence an agent\u2019s actions, misleading it to behave abnormally. Additionally, an attacker can infer private training data and environmental information by maliciously interacting with DRL models, causing a privacy breach. In this survey, we systematically investigate the recent progress of security and privacy issues in the context of DRL. First, we present a holistic review of security-related attacks within DRL systems from the perspectives of single-agent and multi-agent systems and review privacy-related attacks. Second, we review and classify defense methods used to address security-related challenges, including robust learning, anomaly detection, and game theory approaches. Third, we review and classify privacy-preserving technologies, including encryption, differential privacy, and policy confusion. We conclude the survey by discussing open issues and possible directions for future research in this field.<\/jats:p>\n          <jats:p\/>","DOI":"10.1145\/3640312","type":"journal-article","created":{"date-parts":[[2024,1,12]],"date-time":"2024-01-12T11:15:44Z","timestamp":1705058144000},"page":"1-39","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":21,"title":["Security and Privacy Issues in Deep Reinforcement Learning: Threats and Countermeasures"],"prefix":"10.1145","volume":"56","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3762-674X","authenticated-orcid":false,"given":"Kanghua","family":"Mo","sequence":"first","affiliation":[{"name":"Guangzhou University, Guangzhou, Guangdong, China and Guangdong Provincial Key Laboratory of Blockchain Security, Guangzhou, Guangdong, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-9570-7566","authenticated-orcid":false,"given":"Peigen","family":"Ye","sequence":"additional","affiliation":[{"name":"Beijing Institute of Technology, Guangzhou, Guangdong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2837-5157","authenticated-orcid":false,"given":"Xiaojun","family":"Ren","sequence":"additional","affiliation":[{"name":"Guangzhou University, Guangzhou, Guangdong, China and Guangdong Provincial Key Laboratory of Blockchain Security, Guangzhou, Guangdong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1577-1193","authenticated-orcid":false,"given":"Shaowei","family":"Wang","sequence":"additional","affiliation":[{"name":"Guangzhou University, Guangzhou, Guangdong, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-3244-4251","authenticated-orcid":false,"given":"Wenjun","family":"Li","sequence":"additional","affiliation":[{"name":"Guangzhou University, Guangzhou, Guangdong, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0385-8793","authenticated-orcid":false,"given":"Jin","family":"Li","sequence":"additional","affiliation":[{"name":"Guangzhou University, Guangzhou, Guangdong, China and Guangdong Provincial Key Laboratory of Blockchain Security, Guangzhou, Guangdong, China"}]}],"member":"320","published-online":{"date-parts":[[2024,2,23]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978318"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-97546-3_2"},{"key":"e_1_3_2_4_2","article-title":"Continuous adaptation via meta-learning in nonstationary and competitive environments","author":"Al-Shedivat Maruan","year":"2017","unstructured":"Maruan Al-Shedivat, Trapit Bansal, Yuri Burda, Ilya Sutskever, Igor Mordatch, and Pieter Abbeel. 2017. Continuous adaptation via meta-learning in nonstationary and competitive environments. Learning (2017).","journal-title":"Learning"},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1177\/0278364919887447"},{"key":"e_1_3_2_6_2","article-title":"Poisoning deep reinforcement learning agents with in-distribution triggers.","author":"Ashcraft Chace","year":"2021","unstructured":"Chace Ashcraft and Kiran Karra. 2021. Poisoning deep reinforcement learning agents with in-distribution triggers. arXiv: Learning (2021).","journal-title":"arXiv: Learning"},{"key":"e_1_3_2_7_2","article-title":"Hacking smart machines with smarter ones: How to extract meaningful data from machine learning classifiers","author":"Ateniese Giuseppe","year":"2013","unstructured":"Giuseppe Ateniese, Giovanni Felici, Luigi V. Mancini, Angelo Spognardi, Antonio Villani, and Domenico Vitali. 2013. Hacking smart machines with smarter ones: How to extract meaningful data from machine learning classifiers. arXiv preprint arXiv:1306.4447 (2013).","journal-title":"arXiv preprint arXiv:1306.4447"},{"key":"e_1_3_2_8_2","first-page":"463","volume-title":"International Conference on Machine Learning","author":"Ayoub Alex","year":"2020","unstructured":"Alex Ayoub, Zeyu Jia, Csaba Szepesvari, Mengdi Wang, and Lin Yang. 2020. Model-based reinforcement learning with value-targeted regression. In International Conference on Machine Learning. PMLR, 463\u2013474."},{"key":"e_1_3_2_9_2","article-title":"Training a helpful and harmless assistant with reinforcement learning from human feedback","author":"Bai Yuntao","year":"2022","unstructured":"Yuntao Bai, Andy Jones, Kamal Ndousse, Amanda Askell, Anna Chen, Nova DasSarma, Dawn Drain, Stanislav Fort, Deep Ganguli, Tom Henighan, et\u00a0al. 2022. Training a helpful and harmless assistant with reinforcement learning from human feedback. arXiv preprint arXiv:2204.05862 (2022).","journal-title":"arXiv preprint arXiv:2204.05862"},{"key":"e_1_3_2_10_2","first-page":"2130","volume-title":"International Conference on Machine Learning","author":"Balle Borja","year":"2016","unstructured":"Borja Balle, Maziar Gomrokchi, and Doina Precup. 2016. Differentially private policy evaluation. In International Conference on Machine Learning. PMLR, 2130\u20132138."},{"key":"e_1_3_2_11_2","volume-title":"International Conference on Learning Representations","author":"Bansal Trapit","year":"2018","unstructured":"Trapit Bansal, Jakub Pachocki, Szymon Sidor, Ilya Sutskever, and Igor Mordatch. 2018. Emergent complexity via multi-agent competition. In International Conference on Learning Representations."},{"key":"e_1_3_2_12_2","article-title":"Adversarial exploitation of policy imitation","author":"Behzadan Vahid","year":"2019","unstructured":"Vahid Behzadan and William Hsu. 2019. Adversarial exploitation of policy imitation. arXiv preprint arXiv:1906.01121 (2019).","journal-title":"arXiv preprint arXiv:1906.01121"},{"key":"e_1_3_2_13_2","article-title":"Vulnerability of deep reinforcement learning to policy induction attacks","author":"Behzadan Vahid","year":"2017","unstructured":"Vahid Behzadan and Arslan Munir. 2017. Vulnerability of deep reinforcement learning to policy induction attacks. Mach. Learn. Data Min. Pattern Recog. (2017).","journal-title":"Mach. Learn. Data Min. Pattern Recog."},{"key":"e_1_3_2_14_2","article-title":"The faults in our pi stars: Security issues and open challenges in deep reinforcement learning.","author":"Behzadan Vahid","year":"2018","unstructured":"Vahid Behzadan and Arslan Munir. 2018. The faults in our pi stars: Security issues and open challenges in deep reinforcement learning. arXiv: Learning (2018).","journal-title":"arXiv: Learning"},{"key":"e_1_3_2_15_2","doi-asserted-by":"publisher","DOI":"10.1073\/pnas.38.8.716"},{"key":"e_1_3_2_16_2","article-title":"The emergence of adversarial communication in multi-agent reinforcement learning","author":"Blumenkamp Jan","year":"2020","unstructured":"Jan Blumenkamp and Amanda Prorok. 2020. The emergence of adversarial communication in multi-agent reinforcement learning. In Conference on Robot Learning.","journal-title":"Conference on Robot Learning"},{"key":"e_1_3_2_17_2","unstructured":"Kanting Cai Xiangbin Zhu and Zhao-Long Hu. 2022. Black-box reward attacks against deep reinforcement learning based on successor representation."},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.3390\/app11114948"},{"key":"e_1_3_2_19_2","article-title":"Adversarial attack against deep reinforcement learning with static reward impact map","author":"Chan Patrick P. K.","year":"2020","unstructured":"Patrick P. K. Chan, Yaxuan Wang, and Daniel S. Yeung. 2020. Adversarial attack against deep reinforcement learning with static reward impact map. Comput. Commun. Secur. (2020).","journal-title":"Comput. Commun. Secur."},{"key":"e_1_3_2_20_2","first-page":"292","volume-title":"IEEE European Symposium on Security and Privacy (EuroS&P\u201921)","author":"Chang Hongyan","year":"2021","unstructured":"Hongyan Chang and Reza Shokri. 2021. On the privacy risks of algorithmic fairness. In IEEE European Symposium on Security and Privacy (EuroS&P\u201921). IEEE, 292\u2013303."},{"key":"e_1_3_2_21_2","article-title":"Interpretable end-to-end urban autonomous driving with latent deep reinforcement learning","author":"Chen Jianyu","year":"2020","unstructured":"Jianyu Chen, Shengbo Eben Li, and Masayoshi Tomizuka. 2020. Interpretable end-to-end urban autonomous driving with latent deep reinforcement learning. IEEE Trans. Intell. Transport. Syst. (2020).","journal-title":"IEEE Trans. Intell. Transport. Syst."},{"key":"e_1_3_2_22_2","article-title":"Temporal watermarks for deep reinforcement learning models.","author":"Chen Kangjie","year":"2021","unstructured":"Kangjie Chen, Shangwei Guo, Tianwei Zhang, Shuxin Li, and Yang Liu. 2021. Temporal watermarks for deep reinforcement learning models. Auton. Agents. Multi-agent Syst. (2021).","journal-title":"Auton. Agents. Multi-agent Syst."},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453090"},{"key":"e_1_3_2_24_2","article-title":"ZOO: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models","author":"Chen Pin-Yu","year":"2017","unstructured":"Pin-Yu Chen, Huan Zhang, Yash Sharma, Jinfeng Yi, and Cho-Jui Hsieh. 2017. ZOO: Zeroth order optimization based black-box attacks to deep neural networks without training substitute models. In 10th ACM Workshop on Artificial Intelligence and Security.","journal-title":"10th ACM Workshop on Artificial Intelligence and Security"},{"key":"e_1_3_2_25_2","first-page":"3760","volume-title":"International Conference on Machine Learning","author":"Chen Tianlong","year":"2022","unstructured":"Tianlong Chen, Huan Zhang, Zhenyu Zhang, Shiyu Chang, Sijia Liu, Pin-Yu Chen, and Zhangyang Wang. 2022. Linearity grafting: Relaxed neuron pruning helps certifiable robustness. In International Conference on Machine Learning. PMLR, 3760\u20133772."},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.knosys.2023.110335"},{"key":"e_1_3_2_27_2","first-page":"48","volume-title":"IEEE Security and Privacy Workshops (SPW\u201920)","author":"Chou Edward","year":"2020","unstructured":"Edward Chou, Florian Tramer, and Giancarlo Pellegrino. 2020. SentiNet: Detecting localized universal attacks against deep learning systems. In IEEE Security and Privacy Workshops (SPW\u201920). IEEE, 48\u201354."},{"key":"e_1_3_2_28_2","article-title":"Differentially private regret minimization in episodic Markov decision processes","author":"Chowdhury Sayak Ray","year":"2021","unstructured":"Sayak Ray Chowdhury and Xingyu Zhou. 2021. Differentially private regret minimization in episodic Markov decision processes. arXiv preprint arXiv:2112.10599 (2021).","journal-title":"arXiv preprint arXiv:2112.10599"},{"key":"e_1_3_2_29_2","first-page":"485","volume-title":"IEEE International Symposium on Information Theory (ISIT\u201921)","author":"Chowdhury Sayak Ray","year":"2021","unstructured":"Sayak Ray Chowdhury, Xingyu Zhou, and Ness Shroff. 2021. Adaptive control of differentially private linear quadratic systems. In IEEE International Symposium on Information Theory (ISIT\u201921). IEEE, 485\u2013490."},{"key":"e_1_3_2_30_2","first-page":"1310","volume-title":"International Conference on Machine Learning","author":"Cohen Jeremy","year":"2019","unstructured":"Jeremy Cohen, Elan Rosenfeld, and Zico Kolter. 2019. Certified adversarial robustness via randomized smoothing. In International Conference on Machine Learning. PMLR, 1310\u20131320."},{"key":"e_1_3_2_31_2","article-title":"Unifying PAC and regret: Uniform PAC bounds for episodic reinforcement learning","volume":"30","author":"Dann Christoph","year":"2017","unstructured":"Christoph Dann, Tor Lattimore, and Emma Brunskill. 2017. Unifying PAC and regret: Uniform PAC bounds for episodic reinforcement learning. Adv. Neural Inf. Process. Syst. 30 (2017).","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"e_1_3_2_32_2","article-title":"Off-policy actor-critic","author":"Degris Thomas","year":"2012","unstructured":"Thomas Degris, Martha White, and Richard S. Sutton. 2012. Off-policy actor-critic. arXiv preprint arXiv:1205.4839 (2012).","journal-title":"arXiv preprint arXiv:1205.4839"},{"key":"e_1_3_2_33_2","doi-asserted-by":"publisher","DOI":"10.1007\/11681878_14"},{"key":"e_1_3_2_34_2","first-page":"17","volume-title":"23rd USENIX Security Symposium (USENIX Security\u201914)","author":"Fredrikson Matthew","year":"2014","unstructured":"Matthew Fredrikson, Eric Lantz, Somesh Jha, Simon Lin, David Page, and Thomas Ristenpart. 2014. Privacy in pharmacogenetics: An end-to-end case study of personalized warfarin dosing. In 23rd USENIX Security Symposium (USENIX Security\u201914). 17\u201332."},{"key":"e_1_3_2_35_2","unstructured":"Ted Fujimoto Timothy Doster Adam Attarian Jill Brandenberger and Nathan Hodas. 2022. Reward-free attacks in multi-agent reinforcement learning."},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243834"},{"key":"e_1_3_2_37_2","article-title":"Local differential privacy for regret minimization in reinforcement learning","volume":"34","author":"Garcelon Evrard","year":"2021","unstructured":"Evrard Garcelon, Vianney Perchet, Ciara Pike-Burke, and Matteo Pirotta. 2021. Local differential privacy for regret minimization in reinforcement learning. Adv. Neural Inf. Process. Syst. 34 (2021).","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"e_1_3_2_38_2","article-title":"RLAS-BIABC: A reinforcement learning-based answer selection using the BERT model boosted by an improved ABC algorithm","volume":"2022","author":"Gharagozlou Hamid","year":"2022","unstructured":"Hamid Gharagozlou, Javad Mohammadzadeh, Azam Bastanfard, and Saeed Shiry Ghidary. 2022. RLAS-BIABC: A reinforcement learning-based answer selection using the BERT model boosted by an improved ABC algorithm. Computat. Intell. Neurosci. 2022 (2022).","journal-title":"Computat. Intell. Neurosci."},{"key":"e_1_3_2_39_2","volume-title":"International Conference on Learning Representations","author":"Gleave Adam","year":"2019","unstructured":"Adam Gleave, Michael Dennis, Cody Wild, Neel Kant, Sergey Levine, and Stuart Russell. 2019. Adversarial policies: Attacking deep reinforcement learning. In International Conference on Learning Representations."},{"key":"e_1_3_2_40_2","article-title":"Privacy-preserving kickstarting deep reinforcement learning with privacy-aware learners","author":"Gohari Parham","year":"2021","unstructured":"Parham Gohari, Bo Chen, Bo Wu, Matthew Hale, and Ufuk Topcu. 2021. Privacy-preserving kickstarting deep reinforcement learning with privacy-aware learners. arXiv preprint arXiv:2102.09599 (2021).","journal-title":"arXiv preprint arXiv:2102.09599"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/CDC42340.2020.9304015"},{"key":"e_1_3_2_42_2","doi-asserted-by":"publisher","DOI":"10.23919\/ACC45564.2020.9147447"},{"key":"e_1_3_2_43_2","article-title":"Where did you learn that from? Surprising effectiveness of membership inference attacks against temporally correlated data in deep reinforcement learning","author":"Gomrokchi Maziar","year":"2021","unstructured":"Maziar Gomrokchi, Susan Amin, Hossein Aboutalebi, Alexander Wong, and Doina Precup. 2021. Where did you learn that from? Surprising effectiveness of membership inference attacks against temporally correlated data in deep reinforcement learning. arXiv preprint arXiv:2109.03975 (2021).","journal-title":"arXiv preprint arXiv:2109.03975"},{"key":"e_1_3_2_44_2","article-title":"Explaining and harnessing adversarial examples","author":"Goodfellow Ian","year":"2014","unstructured":"Ian Goodfellow, Jonathon Shlens, and Christian Szegedy. 2014. Explaining and harnessing adversarial examples. arXiv: Machine Learning (2014).","journal-title":"arXiv: Machine Learning"},{"key":"e_1_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPRW56347.2022.00022"},{"key":"e_1_3_2_46_2","article-title":"Adversarial policy learning in two-player competitive games","author":"Guo Wenbo","year":"2021","unstructured":"Wenbo Guo, Xian Wu, Sui Huang, and Xinyu Xing. 2021. Adversarial policy learning in two-player competitive games. In International Conference on Machine Learning.","journal-title":"International Conference on Machine Learning"},{"key":"e_1_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.5555\/2567709.2502603"},{"key":"e_1_3_2_48_2","doi-asserted-by":"publisher","DOI":"10.1111\/mafi.12382"},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSG.2021.3114370"},{"key":"e_1_3_2_50_2","article-title":"Towards privacy and security of deep learning systems: A survey","author":"He Yingzhe","year":"2019","unstructured":"Yingzhe He, Guozhu Meng, Kai Chen, Xingbo Hu, and Jinwen He. 2019. Towards privacy and security of deep learning systems: A survey. arXiv preprint arXiv:1911.12562 (2019).","journal-title":"arXiv preprint arXiv:1911.12562"},{"key":"e_1_3_2_51_2","doi-asserted-by":"crossref","unstructured":"Thomas Hickling Nabil Aouf and Phillippa Spencer. 2022. Robust adversarial attacks detection based on explainable deep reinforcement learning for UAV guidance and planning.","DOI":"10.1109\/TIV.2023.3296227"},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134012"},{"key":"e_1_3_2_53_2","article-title":"Malicious attacks against deep reinforcement learning interpretations","author":"Huai Mengdi","year":"2020","unstructured":"Mengdi Huai, Jianhui Sun, Renqin Cai, Liuyi Yao, and Aidong Zhang. 2020. Malicious attacks against deep reinforcement learning interpretations. Knowl. Discov. Data Min. (2020).","journal-title":"Knowl. Discov. Data Min."},{"key":"e_1_3_2_54_2","article-title":"Adversarial attacks on neural network policies","author":"Huang Sandy H.","year":"2017","unstructured":"Sandy H. Huang, Nicolas Papernot, Ian Goodfellow, Yan Duan, and Pieter Abbeel. 2017. Adversarial attacks on neural network policies. Learning (2017).","journal-title":"Learning"},{"key":"e_1_3_2_55_2","article-title":"Deceptive reinforcement learning under adversarial manipulations on cost signals","author":"Huang Yunhan","year":"2019","unstructured":"Yunhan Huang and Quanyan Zhu. 2019. Deceptive reinforcement learning under adversarial manipulations on cost signals. Decis. Game Theor. Secur. (2019).","journal-title":"Decis. Game Theor. Secur."},{"key":"e_1_3_2_56_2","article-title":"CopyCAT: Taking control of neural policies with constant attacks","author":"Hussenot L\u00e9onard","year":"2019","unstructured":"L\u00e9onard Hussenot, Matthieu Geist, and Olivier Pietquin. 2019. CopyCAT: Taking control of neural policies with constant attacks. Adapt. Agents Multi-agents Syst. (2019).","journal-title":"Adapt. Agents Multi-agents Syst."},{"key":"e_1_3_2_57_2","article-title":"Challenges and countermeasures for adversarial attacks on deep reinforcement learning","author":"Ilahi Inaam","year":"2020","unstructured":"Inaam Ilahi, Muhammad Usama, Junaid Qadir, Muhammad Umar Janjua, Ala Al-Fuqaha, Dinh Thai Hoang, and Dusit Niyato. 2020. Challenges and countermeasures for adversarial attacks on deep reinforcement learning. arXiv: Learning (2020).","journal-title":"arXiv: Learning"},{"key":"e_1_3_2_58_2","article-title":"Snooping attacks on deep reinforcement learning","author":"Inkawhich Matthew","year":"2020","unstructured":"Matthew Inkawhich, Yi Chen, and Hai Li. 2020. Snooping attacks on deep reinforcement learning. Adapt. Agents Multi-agents Syst. (2020).","journal-title":"Adapt. Agents Multi-agents Syst."},{"key":"e_1_3_2_59_2","article-title":"Social influence as intrinsic motivation for multi-agent deep reinforcement learning","author":"Jaques Natasha","year":"2018","unstructured":"Natasha Jaques, Angeliki Lazaridou, Edward Hughes, Caglar Gulcehre, Pedro A. Ortega, D. J. Strouse, Joel Z. Leibo, and Nando de Freitas. 2018. Social influence as intrinsic motivation for multi-agent deep reinforcement learning. arXiv: Learning (2018).","journal-title":"arXiv: Learning"},{"key":"e_1_3_2_60_2","article-title":"Reinforcement learning on encrypted data","author":"Jesu Alberto","year":"2021","unstructured":"Alberto Jesu, Victor-Alexandru Darvariu, Alessandro Staffolani, Rebecca Montanari, and Mirco Musolesi. 2021. Reinforcement learning on encrypted data. arXiv preprint arXiv:2109.08236 (2021).","journal-title":"arXiv preprint arXiv:2109.08236"},{"key":"e_1_3_2_61_2","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3363201"},{"key":"e_1_3_2_62_2","article-title":"Learning attentional communication for multi-agent cooperation","author":"Jiang Jiechuan","year":"2018","unstructured":"Jiechuan Jiang and Zongqing Lu. 2018. Learning attentional communication for multi-agent cooperation. Neural Inf. Process. Syst. (2018).","journal-title":"Neural Inf. Process. Syst."},{"key":"e_1_3_2_63_2","unstructured":"Chen Jin-Yin Yan Zhang Wang Xue-Ke Hong-Bin Cai Wang Jue J. I. Shou-Ling Zhang Yan Cai Hong-Bin and Ji Shou. 2022. A survey of attack defense and related security analysis for deep reinforcement learning."},{"key":"e_1_3_2_64_2","first-page":"512","volume-title":"IEEE European Symposium on Security and Privacy (EuroS&P\u201919)","author":"Juuti Mika","year":"2019","unstructured":"Mika Juuti, Sebastian Szyller, Samuel Marchal, and N. Asokan. 2019. PRADA: Protecting against DNN model stealing attacks. In IEEE European Symposium on Security and Privacy (EuroS&P\u201919). IEEE, 512\u2013527."},{"key":"e_1_3_2_65_2","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274740"},{"key":"e_1_3_2_66_2","doi-asserted-by":"publisher","DOI":"10.1109\/DAC18072.2020.9218663"},{"key":"e_1_3_2_67_2","doi-asserted-by":"publisher","DOI":"10.1109\/TITS.2021.3054625"},{"key":"e_1_3_2_68_2","article-title":"Delving into adversarial attacks on deep policies","author":"Kos Jernej","year":"2017","unstructured":"Jernej Kos and Dawn Song. 2017. Delving into adversarial attacks on deep policies. Learning (2017).","journal-title":"Learning"},{"key":"e_1_3_2_69_2","article-title":"Adversarial examples in the physical world","author":"Kurakin Alexey","year":"2016","unstructured":"Alexey Kurakin, Ian Goodfellow, and Samy Bengio. 2016. Adversarial examples in the physical world. Learning (2016).","journal-title":"Learning"},{"key":"e_1_3_2_70_2","article-title":"Can agents run relay race with strangers? Generalization of RL to out-of-distribution trajectories","author":"Lan Li-Cheng","year":"2023","unstructured":"Li-Cheng Lan, Huan Zhang, and Cho-Jui Hsieh. 2023. Can agents run relay race with strangers? Generalization of RL to out-of-distribution trajectories. arXiv preprint arXiv:2304.13424 (2023).","journal-title":"arXiv preprint arXiv:2304.13424"},{"key":"e_1_3_2_71_2","article-title":"Actor critic with differentially private critic","author":"Lebensold Jonathan","year":"2019","unstructured":"Jonathan Lebensold, William Hamilton, Borja Balle, and Doina Precup. 2019. Actor critic with differentially private critic. arXiv preprint arXiv:1910.05876 (2019).","journal-title":"arXiv preprint arXiv:1910.05876"},{"key":"e_1_3_2_72_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i04.5887"},{"key":"e_1_3_2_73_2","article-title":"Learning to cope with adversarial attacks","author":"Lee Xian Yeow","year":"2019","unstructured":"Xian Yeow Lee, Aaron J. Havens, Girish Chowdhary, and Soumik Sarkar. 2019. Learning to cope with adversarial attacks. arXiv: Learning (2019).","journal-title":"arXiv: Learning"},{"key":"e_1_3_2_74_2","article-title":"Locally differentially private reinforcement learning for linear mixture Markov decision processes","author":"Liao Chonghua","year":"2021","unstructured":"Chonghua Liao, Jiafan He, and Quanquan Gu. 2021. Locally differentially private reinforcement learning for linear mixture Markov decision processes. arXiv preprint arXiv:2110.10133 (2021).","journal-title":"arXiv preprint arXiv:2110.10133"},{"key":"e_1_3_2_75_2","article-title":"Continuous control with deep reinforcement learning","author":"Lillicrap Timothy P.","year":"2015","unstructured":"Timothy P. Lillicrap, Jonathan J. Hunt, Alexander Pritzel, Nicolas Heess, Tom Erez, Yuval Tassa, David Silver, and Daan Wierstra. 2015. Continuous control with deep reinforcement learning. arXiv preprint arXiv:1509.02971 (2015).","journal-title":"arXiv preprint arXiv:1509.02971"},{"key":"e_1_3_2_76_2","article-title":"On the robustness of cooperative multi-agent reinforcement learning","author":"Lin Jieyu","year":"2020","unstructured":"Jieyu Lin, Kristina Dzeparoska, Sai Qian Zhang, Alberto Leon-Garcia, and Nicolas Papernot. 2020. On the robustness of cooperative multi-agent reinforcement learning. In IEEE Symposium on Security and Privacy.","journal-title":"IEEE Symposium on Security and Privacy"},{"key":"e_1_3_2_77_2","article-title":"A survey on reinforcement learning for recommender systems","author":"Lin Yuanguo","year":"2023","unstructured":"Yuanguo Lin, Yong Liu, Fan Lin, Lixin Zou, Pengcheng Wu, Wenhua Zeng, Huanhuan Chen, and Chunyan Miao. 2023. A survey on reinforcement learning for recommender systems. IEEE Trans. Neural Netw. Learn. Syst. (2023).","journal-title":"IEEE Trans. Neural Netw. Learn. Syst."},{"key":"e_1_3_2_78_2","article-title":"Tactics of adversarial attack on deep reinforcement learning agents","author":"Lin Yen-Chen","year":"2017","unstructured":"Yen-Chen Lin, Zhang-Wei Hong, Yuan-Hong Liao, Meng-Li Shih, Ming-Yu Liu, and Min Sun. 2017. Tactics of adversarial attack on deep reinforcement learning agents. In International Conference on Learning Representations.","journal-title":"International Conference on Learning Representations"},{"key":"e_1_3_2_79_2","article-title":"Detecting adversarial attacks on neural network policies with visual foresight","author":"Lin Yen-Chen","year":"2017","unstructured":"Yen-Chen Lin, Ming-Yu Liu, Min Sun, and Jia-Bin Huang. 2017. Detecting adversarial attacks on neural network policies with visual foresight. arXiv preprint arXiv:1710.00814 (2017).","journal-title":"arXiv preprint arXiv:1710.00814"},{"key":"e_1_3_2_80_2","article-title":"Markov games as a framework for multi-agent reinforcement learning","author":"Littman Michael L.","year":"1994","unstructured":"Michael L. Littman. 1994. Markov games as a framework for multi-agent reinforcement learning. In International Conference on Machine Learning.","journal-title":"International Conference on Machine Learning"},{"key":"e_1_3_2_81_2","volume-title":"International Conference on Learning Representations","author":"Liu Siqi","year":"2018","unstructured":"Siqi Liu, Guy Lever, Josh Merel, Saran Tunyasuvunakool, Nicolas Heess, and Thore Graepel. 2018. Emergent coordination through competition. In International Conference on Learning Representations."},{"key":"e_1_3_2_82_2","doi-asserted-by":"publisher","DOI":"10.1109\/TETC.2019.2896325"},{"key":"e_1_3_2_83_2","article-title":"Deceptive reinforcement learning for privacy-preserving planning","author":"Liu Zhengshang","year":"2021","unstructured":"Zhengshang Liu, Yue Yang, Tim Miller, and Peta Masters. 2021. Deceptive reinforcement learning for privacy-preserving planning. arXiv preprint arXiv:2102.03022 (2021).","journal-title":"arXiv preprint arXiv:2102.03022"},{"key":"e_1_3_2_84_2","first-page":"1328","volume-title":"Conference on Robot Learning","author":"L\u00fctjens Bj\u00f6rn","year":"2020","unstructured":"Bj\u00f6rn L\u00fctjens, Michael Everett, and Jonathan P. How. 2020. Certified adversarial robustness for deep reinforcement learning. In Conference on Robot Learning. PMLR, 1328\u20131337."},{"key":"e_1_3_2_85_2","article-title":"Differentially private exploration in reinforcement learning with linear representation","author":"Luyo Paul","year":"2021","unstructured":"Paul Luyo, Evrard Garcelon, Alessandro Lazaric, and Matteo Pirotta. 2021. Differentially private exploration in reinforcement learning with linear representation. arXiv preprint arXiv:2112.01585 (2021).","journal-title":"arXiv preprint arXiv:2112.01585"},{"key":"e_1_3_2_86_2","article-title":"Adversarially robust policy learning: Active construction of physically-plausible perturbations","author":"Mandlekar Ajay","year":"2017","unstructured":"Ajay Mandlekar, Yuke Zhu, Animesh Garg, Li Fei-Fei, and Silvio Savarese. 2017. Adversarially robust policy learning: Active construction of physically-plausible perturbations. Intell. Robot. Syst. (2017).","journal-title":"Intell. Robot. Syst."},{"key":"e_1_3_2_87_2","doi-asserted-by":"publisher","DOI":"10.5555\/3306127.3331725"},{"key":"e_1_3_2_88_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11042-021-11806-y"},{"issue":"4","key":"e_1_3_2_89_2","first-page":"623","article-title":"Analog Q-learning methods for secure multiparty computation","volume":"45","author":"Miyajima Hirofumi","year":"2018","unstructured":"Hirofumi Miyajima, Noritaka Shigei, Hiromi Miyajima, and Norio Shiratori. 2018. Analog Q-learning methods for secure multiparty computation. IAENG Int. J. Comput. Sci. 45, 4 (2018), 623\u2013629.","journal-title":"IAENG Int. J. Comput. Sci."},{"key":"e_1_3_2_90_2","doi-asserted-by":"publisher","DOI":"10.1038\/nature14236"},{"key":"e_1_3_2_91_2","article-title":"Attacking deep reinforcement learning with decoupled adversarial policy","author":"Mo Kanghua","year":"2022","unstructured":"Kanghua Mo, Weixuan Tang, Jin Li, and Xu Yuan. 2022. Attacking deep reinforcement learning with decoupled adversarial policy. IEEE Trans. Depend. Sec. Comput. (2022).","journal-title":"IEEE Trans. Depend. Sec. Comput."},{"key":"e_1_3_2_92_2","article-title":"Universal adversarial perturbations","author":"Moosavi-Dezfooli Seyed-Mohsen","year":"2017","unstructured":"Seyed-Mohsen Moosavi-Dezfooli, Alhussein Fawzi, Omar Fawzi, and Pascal Frossard. 2017. Universal adversarial perturbations. Comput. Vis. Pattern Recog. (2017).","journal-title":"Comput. Vis. Pattern Recog."},{"key":"e_1_3_2_93_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2016.282"},{"key":"e_1_3_2_94_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11042-021-10968-z"},{"key":"e_1_3_2_95_2","first-page":"16529","volume-title":"International Conference on Machine Learning","author":"Ngo Dung Daniel T.","year":"2022","unstructured":"Dung Daniel T. Ngo, Giuseppe Vietri, and Steven Wu. 2022. Improved regret for differentially private exploration in linear MDP. In International Conference on Machine Learning. PMLR, 16529\u201316552."},{"key":"e_1_3_2_96_2","article-title":"Deep reinforcement learning for cyber security","author":"Nguyen Thanh Thi","year":"2021","unstructured":"Thanh Thi Nguyen and Vijay Janapa Reddi. 2021. Deep reinforcement learning for cyber security. IEEE Trans. Neural Netw. Learn. Syst. (2021).","journal-title":"IEEE Trans. Neural Netw. Learn. Syst."},{"key":"e_1_3_2_97_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.compchemeng.2020.106886"},{"key":"e_1_3_2_98_2","article-title":"Minimax iterative dynamic game: Application to nonlinear robot control tasks","author":"Ogunmolu Olalekan","year":"2017","unstructured":"Olalekan Ogunmolu, Nicholas Gans, and Tyler H. Summers. 2017. Minimax iterative dynamic game: Application to nonlinear robot control tasks. Intell. Robot. Syst. (2017).","journal-title":"Intell. Robot. Syst."},{"key":"e_1_3_2_99_2","article-title":"Robust deep reinforcement learning through adversarial loss","author":"Oikarinen Tuomas P.","year":"2020","unstructured":"Tuomas P. Oikarinen, Tsui-Wei Weng, and Luca Daniel. 2020. Robust deep reinforcement learning through adversarial loss. Neural Inf. Process. Syst. (2020).","journal-title":"Neural Inf. Process. Syst."},{"key":"e_1_3_2_100_2","article-title":"Locally private distributed reinforcement learning","author":"Ono Hajime","year":"2020","unstructured":"Hajime Ono and Tsubasa Takahashi. 2020. Locally private distributed reinforcement learning. arXiv preprint arXiv:2001.11718 (2020).","journal-title":"arXiv preprint arXiv:2001.11718"},{"key":"e_1_3_2_101_2","first-page":"27730","article-title":"Training language models to follow instructions with human feedback","volume":"35","author":"Ouyang Long","year":"2022","unstructured":"Long Ouyang, Jeffrey Wu, Xu Jiang, Diogo Almeida, Carroll Wainwright, Pamela Mishkin, Chong Zhang, Sandhini Agarwal, Katarina Slama, Alex Ray, et\u00a0al. 2022. Training language models to follow instructions with human feedback. Adv. Neural Inf. Process. Syst. 35 (2022), 27730\u201327744.","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"e_1_3_2_102_2","first-page":"368","volume-title":"18th International Conference on Autonomous Agents and MultiAgent Systems","author":"Pan Xinlei","year":"2019","unstructured":"Xinlei Pan, Weiyao Wang, Xiaoshuai Zhang, Bo Li, Jinfeng Yi, and Dawn Song. 2019. How you act tells a lot: Privacy-leaking attack on deep reinforcement learning. In 18th International Conference on Autonomous Agents and MultiAgent Systems. 368\u2013376."},{"key":"e_1_3_2_103_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3036899"},{"key":"e_1_3_2_104_2","article-title":"BLAZE: Blazing fast privacy-preserving machine learning","author":"Patra Arpita","year":"2020","unstructured":"Arpita Patra and Ajith Suresh. 2020. BLAZE: Blazing fast privacy-preserving machine learning. arXiv preprint arXiv:2005.09042 (2020).","journal-title":"arXiv preprint arXiv:2005.09042"},{"key":"e_1_3_2_105_2","article-title":"Evaluating robustness of cooperative MARL: A model-based approach","author":"Pham Nhan H.","year":"2022","unstructured":"Nhan H. Pham, Lam M. Nguyen, Jie Chen, Hoang Thanh Lam, Subhro Das, and Tsui-Wei Weng. 2022. Evaluating robustness of cooperative MARL: A model-based approach. arXiv preprint arXiv:2202.03558 (2022).","journal-title":"arXiv preprint arXiv:2202.03558"},{"key":"e_1_3_2_106_2","article-title":"Theoretical evidence for adversarial robustness through randomization","volume":"32","author":"Pinot Rafael","year":"2019","unstructured":"Rafael Pinot, Laurent Meunier, Alexandre Araujo, Hisashi Kashima, Florian Yger, C\u00e9dric Gouy-Pailler, and Jamal Atif. 2019. Theoretical evidence for adversarial robustness through randomization. Adv. Neural Inf. Process. Syst. 32 (2019).","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"e_1_3_2_107_2","unstructured":"Lerrel Pinto James Davidson Rahul Sukthankar and Abhinav Gupta. 2017. Robust adversarial reinforcement learning."},{"key":"e_1_3_2_108_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46687-3_61"},{"key":"e_1_3_2_109_2","article-title":"How private is your RL policy? An inverse RL based analysis framework","author":"Prakash Kritika","year":"2021","unstructured":"Kritika Prakash, Fiza Husain, Praveen Paruchuri, and Sujit P. Gujar. 2021. How private is your RL policy? An inverse RL based analysis framework. arXiv preprint arXiv:2112.05495 (2021).","journal-title":"arXiv preprint arXiv:2112.05495"},{"key":"e_1_3_2_110_2","article-title":"Offline reinforcement learning with differential privacy","author":"Qiao Dan","year":"2022","unstructured":"Dan Qiao and Yu-Xiang Wang. 2022. Offline reinforcement learning with differential privacy. arXiv preprint arXiv:2206.00810 (2022).","journal-title":"arXiv preprint arXiv:2206.00810"},{"key":"e_1_3_2_111_2","article-title":"Backdooring and poisoning neural networks with image-scaling attacks","author":"Quiring Erwin","year":"2020","unstructured":"Erwin Quiring and Konrad Rieck. 2020. Backdooring and poisoning neural networks with image-scaling attacks. In IEEE Symposium on Security and Privacy.","journal-title":"IEEE Symposium on Security and Privacy"},{"key":"e_1_3_2_112_2","first-page":"4257","volume-title":"International Conference on Machine Learning","author":"Raileanu Roberta","year":"2018","unstructured":"Roberta Raileanu, Emily Denton, Arthur Szlam, and Rob Fergus. 2018. Modeling others using oneself in multi-agent reinforcement learning. In International Conference on Machine Learning. PMLR, 4257\u20134266."},{"key":"e_1_3_2_113_2","article-title":"Policy teaching via environment poisoning: Training-time adversarial attacks against reinforcement learning","author":"Rakhsha Amin","year":"2020","unstructured":"Amin Rakhsha, Goran Radanovic, Rati Devidze, Xiaojin Zhu, and Adish Singla. 2020. Policy teaching via environment poisoning: Training-time adversarial attacks against reinforcement learning. In International Conference on Machine Learning.","journal-title":"International Conference on Machine Learning"},{"key":"e_1_3_2_114_2","article-title":"Reward poisoning in reinforcement learning: Attacks against unknown learners in unknown environments.","author":"Rakhsha Amin","year":"2021","unstructured":"Amin Rakhsha, Xuezhou Zhang, Xiaojin Zhu, and Adish Singla. 2021. Reward poisoning in reinforcement learning: Attacks against unknown learners in unknown environments. arXiv: Learning (2021).","journal-title":"arXiv: Learning"},{"key":"e_1_3_2_115_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.eng.2019.12.012"},{"key":"e_1_3_2_116_2","article-title":"Optimal attacks on reinforcement learning policies","author":"Russo Alessio","year":"2019","unstructured":"Alessio Russo and Alexandre Proutiere. 2019. Optimal attacks on reinforcement learning policies. arXiv: Learning (2019).","journal-title":"arXiv: Learning"},{"key":"e_1_3_2_117_2","doi-asserted-by":"publisher","DOI":"10.1145\/1390156.1390265"},{"key":"e_1_3_2_118_2","article-title":"ML-leaks: Model and data independent membership inference attacks and defenses on machine learning models","author":"Salem Ahmed","year":"2018","unstructured":"Ahmed Salem, Yang Zhang, Mathias Humbert, Pascal Berrang, Mario Fritz, and Michael Backes. 2018. ML-leaks: Model and data independent membership inference attacks and defenses on machine learning models. arXiv preprint arXiv:1806.01246 (2018).","journal-title":"arXiv preprint arXiv:1806.01246"},{"key":"e_1_3_2_119_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.engappai.2022.104868"},{"key":"e_1_3_2_120_2","article-title":"Online robust policy learning in the presence of unknown adversaries","author":"Sarkar Soumik","year":"2018","unstructured":"Soumik Sarkar, Zhanhong Jiang, and Aaron J. Havens. 2018. Online robust policy learning in the presence of unknown adversaries. Neural Inf. Process. Syst. (2018).","journal-title":"Neural Inf. Process. Syst."},{"key":"e_1_3_2_121_2","doi-asserted-by":"publisher","DOI":"10.1038\/s41586-020-03051-4"},{"key":"e_1_3_2_122_2","first-page":"1889","volume-title":"International Conference on Machine Learning","author":"Schulman John","year":"2015","unstructured":"John Schulman, Sergey Levine, Pieter Abbeel, Michael Jordan, and Philipp Moritz. 2015. Trust region policy optimization. In International Conference on Machine Learning. PMLR, 1889\u20131897."},{"key":"e_1_3_2_123_2","article-title":"Proximal policy optimization algorithms","author":"Schulman John","year":"2017","unstructured":"John Schulman, Filip Wolski, Prafulla Dhariwal, Alec Radford, and Oleg Klimov. 2017. Proximal policy optimization algorithms. arXiv preprint arXiv:1707.06347 (2017).","journal-title":"arXiv preprint arXiv:1707.06347"},{"key":"e_1_3_2_124_2","doi-asserted-by":"publisher","DOI":"10.3390\/electronics9091486"},{"key":"e_1_3_2_125_2","first-page":"8707","volume-title":"International Conference on Machine Learning","author":"Shen Qianli","year":"2020","unstructured":"Qianli Shen, Yan Li, Haoming Jiang, Zhaoran Wang, and Tuo Zhao. 2020. Deep reinforcement learning with robust and smooth policy. In International Conference on Machine Learning. PMLR, 8707\u20138718."},{"key":"e_1_3_2_126_2","first-page":"2350","article-title":"Efficiently computing local Lipschitz constants of neural networks via bound propagation","volume":"35","author":"Shi Zhouxing","year":"2022","unstructured":"Zhouxing Shi, Yihan Wang, Huan Zhang, J. Zico Kolter, and Cho-Jui Hsieh. 2022. Efficiently computing local Lipschitz constants of neural networks via bound propagation. Adv. Neural Inf. Process. Syst. 35 (2022), 2350\u20132364.","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"e_1_3_2_127_2","article-title":"Sampling race: Bypassing timing-based analog active sensor spoofing detection on analog-digital systems","author":"Shin Hocheol","year":"2016","unstructured":"Hocheol Shin, Yunmok Son, Youngseok Park, Yujin Kwon, and Yongdae Kim. 2016. Sampling race: Bypassing timing-based analog active sensor spoofing detection on analog-digital systems. In 10th USENIX Conference on Offensive Technologies (WOOT\u201916).","journal-title":"10th USENIX Conference on Offensive Technologies (WOOT\u201916)"},{"key":"e_1_3_2_128_2","first-page":"3","volume-title":"IEEE Symposium on Security and Privacy (SP\u201917)","author":"Shokri Reza","year":"2017","unstructured":"Reza Shokri, Marco Stronati, Congzheng Song, and Vitaly Shmatikov. 2017. Membership inference attacks against machine learning models. In IEEE Symposium on Security and Privacy (SP\u201917). IEEE, 3\u201318."},{"key":"e_1_3_2_129_2","article-title":"Mastering chess and shogi by self-play with a general reinforcement learning algorithm","author":"Silver David","year":"2017","unstructured":"David Silver, Thomas Hubert, Julian Schrittwieser, Ioannis Antonoglou, Matthew Lai, Arthur Guez, Marc Lanctot, Laurent Sifre, Dharshan Kumaran, Thore Graepel, et\u00a0al. 2017. Mastering chess and shogi by self-play with a general reinforcement learning algorithm. arXiv preprint arXiv:1712.01815 (2017).","journal-title":"arXiv preprint arXiv:1712.01815"},{"key":"e_1_3_2_130_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.artint.2021.103535"},{"key":"e_1_3_2_131_2","article-title":"Distributionally robust reinforcement learning","author":"Smirnova Elena","year":"2019","unstructured":"Elena Smirnova, Elvis Dohmatob, and J\u00e9r\u00e9mie Mary. 2019. Distributionally robust reinforcement learning. arXiv: Machine Learning (2019).","journal-title":"arXiv: Machine Learning"},{"key":"e_1_3_2_132_2","article-title":"Rocking drones with intentional sound noise on gyroscopic sensors","author":"Son Yunmok","year":"2015","unstructured":"Yunmok Son, Hocheol Shin, Dongkwan Kim, Youngseok Park, Juhwan Noh, Kibum Choi, Jung-Woo Choi, and Yongdae Kim. 2015. Rocking drones with intentional sound noise on gyroscopic sensors. In USENIX Security Symposium.","journal-title":"USENIX Security Symposium"},{"key":"e_1_3_2_133_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i04.6047"},{"key":"e_1_3_2_134_2","article-title":"Certifiably robust policy learning against adversarial communication in multi-agent systems","author":"Sun Yanchao","year":"2022","unstructured":"Yanchao Sun, Ruijie Zheng, Parisa Hassanzadeh, Yongyuan Liang, Soheil Feizi, Sumitra Ganesh, and Furong Huang. 2022. Certifiably robust policy learning against adversarial communication in multi-agent systems. arXiv preprint arXiv:2206.10158 (2022).","journal-title":"arXiv preprint arXiv:2206.10158"},{"key":"e_1_3_2_135_2","doi-asserted-by":"publisher","DOI":"10.1145\/122344.122377"},{"key":"e_1_3_2_136_2","volume-title":"Reinforcement Learning: An Introduction","author":"Sutton Richard S.","year":"2018","unstructured":"Richard S. Sutton and Andrew G. Barto. 2018. Reinforcement Learning: An Introduction. MIT Press."},{"key":"e_1_3_2_137_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.3025438"},{"key":"e_1_3_2_138_2","article-title":"Improving cost learning for JPEG steganography by exploiting JPEG domain knowledge","author":"Tang Weixuan","year":"2021","unstructured":"Weixuan Tang, Bin Li, Mauro Barni, Jin Li, and Jiwu Huang. 2021. Improving cost learning for JPEG steganography by exploiting JPEG domain knowledge. IEEE Trans. Circ. Syst. Vid. Technol. (2021).","journal-title":"IEEE Trans. Circ. Syst. Vid. Technol."},{"key":"e_1_3_2_139_2","article-title":"Action robust reinforcement learning and applications in continuous control. In","author":"Tessler Chen","year":"2019","unstructured":"Chen Tessler, Yonathan Efroni, and Shie Mannor. 2019. Action robust reinforcement learning and applications in continuous control. In International Conference on Machine Learning.","journal-title":"International Conference on Machine Learning"},{"key":"e_1_3_2_140_2","first-page":"601","volume-title":"25th USENIX Security Symposium (USENIX Security\u201916)","author":"Tram\u00e8r Florian","year":"2016","unstructured":"Florian Tram\u00e8r, Fan Zhang, Ari Juels, Michael K. Reiter, and Thomas Ristenpart. 2016. Stealing machine learning models via prediction APIs. In 25th USENIX Security Symposium (USENIX Security\u201916). 601\u2013618."},{"key":"e_1_3_2_141_2","article-title":"Sequential attacks on agents for long-term adversarial goals","author":"Tretschk Edgar","year":"2018","unstructured":"Edgar Tretschk, Seong Joon Oh, and Mario Fritz. 2018. Sequential attacks on agents for long-term adversarial goals. arXiv: Learning (2018).","journal-title":"arXiv: Learning"},{"key":"e_1_3_2_142_2","article-title":"Adversarial attacks on multi-agent communication","author":"Tu James","year":"2021","unstructured":"James Tu, Tsun-Hsuan Wang, Jingkang Wang, Sivabalan Manivasagam, Mengye Ren, and Raquel Urtasun. 2021. Adversarial attacks on multi-agent communication. In International Conference on Computer Vision.","journal-title":"International Conference on Computer Vision"},{"key":"e_1_3_2_143_2","first-page":"9754","volume-title":"International Conference on Machine Learning","author":"Vietri Giuseppe","year":"2020","unstructured":"Giuseppe Vietri, Borja Balle, Akshay Krishnamurthy, and Steven Wu. 2020. Private reinforcement learning with PAC and regret guarantees. In International Conference on Machine Learning. PMLR, 9754\u20139764."},{"key":"e_1_3_2_144_2","doi-asserted-by":"publisher","DOI":"10.3390\/electronics9091363"},{"key":"e_1_3_2_145_2","first-page":"36","volume-title":"IEEE Symposium on Security and Privacy (SP\u201918)","author":"Wang Binghui","year":"2018","unstructured":"Binghui Wang and Neil Zhenqiang Gong. 2018. Stealing hyperparameters in machine learning. In IEEE Symposium on Security and Privacy (SP\u201918). IEEE, 36\u201352."},{"key":"e_1_3_2_146_2","article-title":"Privacy-preserving Q-learning with functional noise in continuous spaces","volume":"32","author":"Wang Baoxiang","year":"2019","unstructured":"Baoxiang Wang and Nidhi Hegde. 2019. Privacy-preserving Q-learning with functional noise in continuous spaces. Adv. Neural Inf. Process. Syst. 32 (2019).","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"e_1_3_2_147_2","article-title":"Are large language models really robust to word-level perturbations?","author":"Wang Haoyu","year":"2023","unstructured":"Haoyu Wang, Guozheng Ma, Cong Yu, Ning Gui, Linrui Zhang, Zhiqi Huang, Suwei Ma, Yongzhe Chang, Sen Zhang, Li Shen, et\u00a0al. 2023. Are large language models really robust to word-level perturbations? arXiv preprint arXiv:2309.11166 (2023).","journal-title":"arXiv preprint arXiv:2309.11166"},{"key":"e_1_3_2_148_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v34i04.6086"},{"key":"e_1_3_2_149_2","article-title":"BACKDOORL: Backdoor attack against competitive reinforcement learning.","author":"Wang Lun","year":"2021","unstructured":"Lun Wang, Zaynah Javed, Xian Wu, Wenbo Guo, Xinyu Xing, and Dawn Song. 2021. BACKDOORL: Backdoor attack against competitive reinforcement learning. In International Joint Conference on Artificial Intelligence.","journal-title":"International Joint Conference on Artificial Intelligence"},{"key":"e_1_3_2_150_2","article-title":"Deep learning defense method against adversarial attacks","author":"Wang Ling","year":"2020","unstructured":"Ling Wang, Cheng Zhang, and Jie Liu. 2020. Deep learning defense method against adversarial attacks. Syst., Man Cybern. (2020).","journal-title":"Syst., Man Cybern."},{"key":"e_1_3_2_151_2","article-title":"Beta-CROWN: Efficient bound propagation with per-neuron split constraints for complete and incomplete neural network verification","volume":"34","author":"Wang Shiqi","year":"2021","unstructured":"Shiqi Wang, Huan Zhang, Kaidi Xu, Xue Lin, Suman Jana, Cho-Jui Hsieh, and J. Zico Kolter. 2021. Beta-CROWN: Efficient bound propagation with per-neuron split constraints for complete and incomplete neural network verification. Adv. Neural Inf. Process. Syst. 34 (2021).","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"e_1_3_2_152_2","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2019.8737416"},{"key":"e_1_3_2_153_2","first-page":"5276","volume-title":"International Conference on Machine Learning","author":"Weng Lily","year":"2018","unstructured":"Lily Weng, Huan Zhang, Hongge Chen, Zhao Song, Cho-Jui Hsieh, Luca Daniel, Duane Boning, and Inderjit Dhillon. 2018. Towards fast computation of certified robustness for ReLU networks. In International Conference on Machine Learning. PMLR, 5276\u20135285."},{"key":"e_1_3_2_154_2","article-title":"Toward evaluating robustness of deep reinforcement learning with continuous control","author":"Weng Tsui-Wei","year":"2020","unstructured":"Tsui-Wei Weng, Krishnamurthy Dvijotham, Jonathan Uesato, Kai Xiao, Sven Gowal, Robert Stanforth, and Pushmeet Kohli. 2020. Toward evaluating robustness of deep reinforcement learning with continuous control. Learning (2020).","journal-title":"Learning"},{"key":"e_1_3_2_155_2","first-page":"5286","volume-title":"International Conference on Machine Learning","author":"Wong Eric","year":"2018","unstructured":"Eric Wong and Zico Kolter. 2018. Provable defenses against adversarial examples via the convex outer adversarial polytope. In International Conference on Machine Learning. PMLR, 5286\u20135295."},{"key":"e_1_3_2_156_2","volume-title":"International Conference on Learning Representations","author":"Wu Fan","year":"2021","unstructured":"Fan Wu, Linyi Li, Huan Zhang, Bhavya Kailkhura, Krishnaram Kenthapadi, Ding Zhao, and Bo Li. 2021. COPA: Certifying robust policies for offline reinforcement learning against poisoning attacks. In International Conference on Learning Representations."},{"key":"e_1_3_2_157_2","first-page":"304","volume-title":"IEEE Symposium on Security and Privacy (SP\u201920)","author":"Wu Nan","year":"2020","unstructured":"Nan Wu, Farhad Farokhi, David Smith, and Mohamed Ali Kaafar. 2020. The value of collaboration in convex machine learning with differential privacy. In IEEE Symposium on Security and Privacy (SP\u201920). IEEE, 304\u2013317."},{"key":"e_1_3_2_158_2","first-page":"1883","volume-title":"30th USENIX Security Symposium (USENIX Security\u201921)","author":"Wu Xian","year":"2021","unstructured":"Xian Wu, Wenbo Guo, Hua Wei, and Xinyu Xing. 2021. Adversarial policy training against deep reinforcement learning. In 30th USENIX Security Symposium (USENIX Security\u201921). 1883\u20131900."},{"key":"e_1_3_2_159_2","article-title":"The rise and potential of large language model based agents: A survey","author":"Xi Zhiheng","year":"2023","unstructured":"Zhiheng Xi, Wenxiang Chen, Xin Guo, Wei He, Yiwen Ding, Boyang Hong, Ming Zhang, Junzhe Wang, Senjie Jin, Enyu Zhou, et\u00a0al. 2023. The rise and potential of large language model based agents: A survey. arXiv preprint arXiv:2309.07864 (2023).","journal-title":"arXiv preprint arXiv:2309.07864"},{"key":"e_1_3_2_160_2","article-title":"A PCA-based model to predict adversarial examples on Q-learning of path finding","author":"Xiang Yingxiao","year":"2018","unstructured":"Yingxiao Xiang, Wenjia Niu, Jiqiang Liu, Tong Chen, and Zhen Han. 2018. A PCA-based model to predict adversarial examples on Q-learning of path finding. In IEEE International Conference on Data Science in Cyberspace.","journal-title":"IEEE International Conference on Data Science in Cyberspace"},{"key":"e_1_3_2_161_2","article-title":"Characterizing attacks on deep reinforcement learning.","author":"Xiao Chaowei","year":"2018","unstructured":"Chaowei Xiao, Xinlei Pan, Warren He, Bo Li, Jian Peng, Mingjie Sun, Jinfeng Yi, Mingyan Liu, and Dawn Song. 2018. Characterizing attacks on deep reinforcement learning. arXiv: Learning (2018).","journal-title":"arXiv: Learning"},{"key":"e_1_3_2_162_2","article-title":"Seeing is not believing: Camouflage attacks on image scaling algorithms","author":"Xiao Qixue","year":"2019","unstructured":"Qixue Xiao, Yufei Chen, Chao Shen, Yu Chen, and Kang Li. 2019. Seeing is not believing: Camouflage attacks on image scaling algorithms. In USENIX Security Symposium.","journal-title":"USENIX Security Symposium"},{"key":"e_1_3_2_163_2","volume-title":"International Conference on Learning Representations","author":"Xie Cihang","year":"2018","unstructured":"Cihang Xie, Jianyu Wang, Zhishuai Zhang, Zhou Ren, and Alan Yuille. 2018. Mitigating adversarial effects through randomization. In International Conference on Learning Representations."},{"key":"e_1_3_2_164_2","doi-asserted-by":"publisher","DOI":"10.1109\/CVPR.2019.00059"},{"key":"e_1_3_2_165_2","article-title":"Privacy preserving off-policy evaluation","author":"Xie Tengyang","year":"2019","unstructured":"Tengyang Xie, Philip S. Thomas, and Gerome Miklau. 2019. Privacy preserving off-policy evaluation. arXiv preprint arXiv:1902.00174 (2019).","journal-title":"arXiv preprint arXiv:1902.00174"},{"key":"e_1_3_2_166_2","article-title":"Defending observation attacks in deep reinforcement learning via detection and denoising","author":"Xiong Zikang","year":"2022","unstructured":"Zikang Xiong, Joe Eappen, He Zhu, and Suresh Jagannathan. 2022. Defending observation attacks in deep reinforcement learning via detection and denoising. arXiv preprint arXiv:2206.07188 (2022).","journal-title":"arXiv preprint arXiv:2206.07188"},{"key":"e_1_3_2_167_2","doi-asserted-by":"publisher","DOI":"10.5555\/3535850.3536139"},{"key":"e_1_3_2_168_2","doi-asserted-by":"publisher","DOI":"10.5555\/3463952.3464113"},{"key":"e_1_3_2_169_2","article-title":"Automatic perturbation analysis for scalable certified robustness and beyond","volume":"33","author":"Xu Kaidi","year":"2020","unstructured":"Kaidi Xu, Zhouxing Shi, Huan Zhang, Yihan Wang, Kai-Wei Chang, Minlie Huang, Bhavya Kailkhura, Xue Lin, and Cho-Jui Hsieh. 2020. Automatic perturbation analysis for scalable certified robustness and beyond. Adv. Neural Inf. Process. Syst. 33 (2020).","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"e_1_3_2_170_2","article-title":"Trustworthy reinforcement learning against intrinsic vulnerabilities: Robustness, safety, and generalizability","author":"Xu Mengdi","year":"2022","unstructured":"Mengdi Xu, Zuxin Liu, Peide Huang, Wenhao Ding, Zhepeng Cen, Bo Li, and Ding Zhao. 2022. Trustworthy reinforcement learning against intrinsic vulnerabilities: Robustness, safety, and generalizability. arXiv preprint arXiv:2209.08025 (2022).","journal-title":"arXiv preprint arXiv:2209.08025"},{"key":"e_1_3_2_171_2","article-title":"Mis-spoke or mis-lead: Achieving robustness in multi-agent communicative reinforcement learning.","author":"Xue Wanqi","year":"2021","unstructured":"Wanqi Xue, Wei Qiu, Bo An, Zinovi Rabinovich, Svetlana Obraztsova, and Chai Kiat Yeo. 2021. Mis-spoke or mis-lead: Achieving robustness in multi-agent communicative reinforcement learning. arXiv: Learning (2021).","journal-title":"arXiv: Learning"},{"key":"e_1_3_2_172_2","article-title":"Enhanced adversarial strategically-timed attacks against deep reinforcement learning","author":"Yang Chao-Han Huck","year":"2020","unstructured":"Chao-Han Huck Yang, Jun Qi, Pin-Yu Chen, Yi Ouyang, I-Te Danny Hung, Chin-Hui Lee, and Xiaoli Ma. 2020. Enhanced adversarial strategically-timed attacks against deep reinforcement learning. In International Conference on Acoustics, Speech, and Signal Processing.","journal-title":"International Conference on Acoustics, Speech, and Signal Processing"},{"key":"e_1_3_2_173_2","doi-asserted-by":"publisher","DOI":"10.1002\/int.22270"},{"key":"e_1_3_2_174_2","doi-asserted-by":"publisher","DOI":"10.1145\/3383455.3422540"},{"key":"e_1_3_2_175_2","volume-title":"Network and Distributed System Security Symposium (NDSS\u201920)","author":"Yu Honggang","year":"2020","unstructured":"Honggang Yu, Kaichen Yang, Teng Zhang, Yun-Yun Tsai, Tsung-Yi Ho, and Yier Jin. 2020. CloudLeak: Large-scale deep learning models stealing through adversarial examples. In Network and Distributed System Security Symposium (NDSS\u201920)."},{"key":"e_1_3_2_176_2","article-title":"GPTFUZZER: Red teaming large language models with auto-generated jailbreak prompts","author":"Yu Jiahao","year":"2023","unstructured":"Jiahao Yu, Xingwei Lin, and Xinyu Xing. 2023. GPTFUZZER: Red teaming large language models with auto-generated jailbreak prompts. arXiv preprint arXiv:2309.10253 (2023).","journal-title":"arXiv preprint arXiv:2309.10253"},{"key":"e_1_3_2_177_2","doi-asserted-by":"publisher","DOI":"10.1109\/JIOT.2021.3078462"},{"key":"e_1_3_2_178_2","doi-asserted-by":"publisher","DOI":"10.1109\/GLOBECOM48099.2022.10000751"},{"key":"e_1_3_2_179_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10489-019-01417-4"},{"key":"e_1_3_2_180_2","article-title":"Preventing imitation learning with adversarial policy ensembles","author":"Zhan Albert","year":"2020","unstructured":"Albert Zhan, Stas Tiomkin, and Pieter Abbeel. 2020. Preventing imitation learning with adversarial policy ensembles. arXiv preprint arXiv:2002.01059 (2020).","journal-title":"arXiv preprint arXiv:2002.01059"},{"key":"e_1_3_2_181_2","article-title":"Robust reinforcement learning on state observations with learned optimal adversary","author":"Zhang Huan","year":"2021","unstructured":"Huan Zhang, Hongge Chen, Duane S. Boning, and Cho-Jui Hsieh. 2021. Robust reinforcement learning on state observations with learned optimal adversary. In International Conference on Learning Representations.","journal-title":"International Conference on Learning Representations"},{"key":"e_1_3_2_182_2","article-title":"Robust deep reinforcement learning against adversarial perturbations on state observations","author":"Zhang Huan","year":"2020","unstructured":"Huan Zhang, Hongge Chen, Chaowei Xiao, Bo Li, Mingyan Liu, Duane S. Boning, and Cho-Jui Hsieh. 2020. Robust deep reinforcement learning against adversarial perturbations on state observations. Neural Inf. Process. Syst. (2020).","journal-title":"Neural Inf. Process. Syst."},{"key":"e_1_3_2_183_2","article-title":"Value-based policy teaching with active indirect elicitation","author":"Zhang Haoqi","year":"2008","unstructured":"Haoqi Zhang and David C. Parkes. 2008. Value-based policy teaching with active indirect elicitation. In National Conference on Artificial Intelligence.","journal-title":"National Conference on Artificial Intelligence"},{"key":"e_1_3_2_184_2","article-title":"Policy teaching through reward function learning","author":"Zhang Haoqi","year":"2009","unstructured":"Haoqi Zhang, David C. Parkes, and Yiling Chen. 2009. Policy teaching through reward function learning. Electron. Commerce (2009).","journal-title":"Electron. Commerce"},{"key":"e_1_3_2_185_2","article-title":"Efficient neural network robustness certification with general activation functions","volume":"31","author":"Zhang Huan","year":"2018","unstructured":"Huan Zhang, Tsui-Wei Weng, Pin-Yu Chen, Cho-Jui Hsieh, and Luca Daniel. 2018. Efficient neural network robustness certification with general activation functions. Adv. Neural Inf. Process. Syst. 31 (2018).","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"e_1_3_2_186_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-60990-0_12"},{"key":"e_1_3_2_187_2","article-title":"Succinct and robust multi-agent communication with temporal message control","author":"Zhang Sai Qian","year":"2020","unstructured":"Sai Qian Zhang, Qi Zhang, and Jieyu Lin. 2020. Succinct and robust multi-agent communication with temporal message control. Neural Inf. Process. Syst. (2020).","journal-title":"Neural Inf. Process. Syst."},{"key":"e_1_3_2_188_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-60990-0_18"},{"key":"e_1_3_2_189_2","first-page":"737","volume-title":"IEEE Symposium Series on Computational Intelligence (SSCI\u201920)","author":"Zhao Wenshuai","year":"2020","unstructured":"Wenshuai Zhao, Jorge Pe\u00f1a Queralta, and Tomi Westerlund. 2020. Sim-to-real transfer in deep reinforcement learning for robotics: A survey. In IEEE Symposium Series on Computational Intelligence (SSCI\u201920). IEEE, 737\u2013744."},{"key":"e_1_3_2_190_2","doi-asserted-by":"publisher","DOI":"10.1080\/09540091.2023.2211240"},{"key":"e_1_3_2_191_2","doi-asserted-by":"publisher","DOI":"10.1145\/3512980"},{"key":"e_1_3_2_192_2","article-title":"RoMFAC: A robust mean-field actor-critic reinforcement learning against adversarial perturbations on states","author":"Zhou Ziyuan","year":"2022","unstructured":"Ziyuan Zhou and Guanjun Liu. 2022. RoMFAC: A robust mean-field actor-critic reinforcement learning against adversarial perturbations on states. arXiv preprint arXiv:2205.07229 (2022).","journal-title":"arXiv preprint arXiv:2205.07229"},{"key":"e_1_3_2_193_2","article-title":"PromptBench: Towards evaluating the robustness of large language models on adversarial prompts","author":"Zhu Kaijie","year":"2023","unstructured":"Kaijie Zhu, Jindong Wang, Jiaheng Zhou, Zichen Wang, Hao Chen, Yidong Wang, Linyi Yang, Wei Ye, Neil Zhenqiang Gong, Yue Zhang, et\u00a0al. 2023. PromptBench: Towards evaluating the robustness of large language models on adversarial prompts. arXiv preprint arXiv:2306.04528 (2023).","journal-title":"arXiv preprint arXiv:2306.04528"},{"key":"e_1_3_2_194_2","article-title":"Deep leakage from gradients","volume":"32","author":"Zhu Ligeng","year":"2019","unstructured":"Ligeng Zhu, Zhijian Liu, and Song Han. 2019. Deep leakage from gradients. Adv. Neural Inf. Process. Syst. 32 (2019).","journal-title":"Adv. Neural Inf. Process. Syst."}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3640312","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3640312","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T22:50:26Z","timestamp":1750287026000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3640312"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,2,23]]},"references-count":193,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2024,6,30]]}},"alternative-id":["10.1145\/3640312"],"URL":"https:\/\/doi.org\/10.1145\/3640312","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,2,23]]},"assertion":[{"value":"2022-09-13","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-12-01","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-02-23","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}