Research On Adversarial Examples Generation Against Value Iteration Network In Path Planning

At present,the research on machine learning mostly focus on how to optimize the algorithms and models,but the security of the models has been ignored.Although most machine learning models can perform perfectly with ideal input examples,in the real-time environment,these models may be subject to adversarial examples attack during the stage of training or performing.In this thesis,path planning for robots is the background of adversarial attack,and the attack target is the Value Iteration Network(VIN)model of reinforcement learning.Based on these,methods for generating adversarial examples are proposed.The goal of this thesis is to generate adversarial examples against VIN effectively,and methods in the scenarios of black-box and white-box are proposed to achieve this goal.In the black-box scenario,by analyzing the path planning ideas and summarizing defects of VIN model,the method based on threat value calculation rules is proposed.The rules mainly consider the impact of the original path,the end point and the inflection points in the original path.While only one obstacle is added,the accuracy of the black-box method is 34.54%.In the white-box scenario,the single-step attack method and the multi-steps attack method are proposed.In the single-step method,the calculation process of value iteration,the features of failed examples in path planning and the change of value matrix before and after adding attack points are analyzed,thus the method to find the attack points is proposed.The method mainly considers the impact of the value matrix and the original path.W hile only one obstacle is added,the accuracy of the single-step method is 65.71%.In the multi-steps method,by continuously inputting adversarial examples to the model,the relationship between attack points and value matrix are found.By dividing value matrix and calculating the evenness of regional value,the area of attack points is narrowed down.The accuracy of this method could reach 92.53%.The main contributions of this thesis are as follows:generating adversarial examples against VIN path planning model and simulating scenarios of malicious attacks on VIN during the stage of performing.The experimental results show that the generated adversarial examples could disturb the path planning,which proves that VIN does have security vulnerabilities and the methods proposed in this thesis are effective.