How Vulnerable Is My Learned Policy? Universal Adversarial Perturbation Attacks On Modern Behavior Cloning Policies

arXiv cs.RO / 4/27/2026

💬 OpinionIdeas & Deep AnalysisModels & Research

共有:

Key Points

The paper presents the first systematic study of universal adversarial perturbation attacks against a range of modern imitation learning and behavior cloning algorithms, including Vanilla BC, IBC, Diffusion Policy, and VQ-BET.
It evaluates vulnerability under multiple threat models—white-box, grey-box, and black-box—showing that adversarial perturbations can reliably degrade learned policies.
Experimental results indicate that most existing methods are highly vulnerable, including black-box transfer attacks where adversarial examples generated for one algorithm can succeed against others.
The authors make cross-algorithm comparisons for both white-box and black-box settings and provide links to videos and code to support further research.
Overall, the study surfaces a key security limitation of modern imitation learning and motivates future work to mitigate these weaknesses.

Abstract

Learning from demonstrations is a popular approach to train AI models; however, their vulnerability to adversarial attacks remains underexplored. We present the first systematic study of adversarial attacks, across a range of both classic and recently proposed imitation learning algorithms, including Vanilla Behavior Cloning (Vanilla BC), LSTM-GMM, Implicit Behavior Cloning (IBC), Diffusion Policy (DP), and Vector-Quantized Behavior Transformer (VQ-BET). We study the vulnerability of these methods to both white-box, grey-box and black-box adversarial perturbations. Our experiments reveal that most existing methods are highly vulnerable to these attacks, including black-box transfer attacks that transfer across algorithms. To the best of our knowledge, we are the first to study and compare the vulnerabilities of different popular imitation learning algorithms to both white-box and black-box attacks. Our findings highlight the vulnerabilities of modern imitation learning algorithms, paving the way for future work in addressing such limitations. Videos and code are available at https://sites.google.com/view/uap-attacks-on-bc.