Adversarially Robust Decision Transformer

This figure illustrates the two-step training process of the Adversarially Robust Decision Transformer (ARDT). The left side shows the minimax expectile regression used to estimate the worst-case returns-to-go. This involves iteratively updating two networks: one to estimate the minimum return given the adversary’s actions, and the other to estimate the maximum return given the protagonist’s actions. The result is Q*, which represents the minimax returns-to-go. The right side shows the standard Decision Transformer (DT) training but now using Q* as the target return instead of the actual observed returns. This conditioning on worst-case returns makes the policy robust against adversarial actions.

This figure compares the worst-case return achieved by three different algorithms (ARDT, DT, and ESPER) across three different game scenarios (Single-stage Game, Gambling, and Multi-stage Game) under varying target returns. The shaded regions represent the standard deviation across 10 different runs. The plot illustrates how the worst-case performance of each algorithm changes as the target return is adjusted. The results demonstrate ARDT’s superior robustness to test-time adversaries compared to DT and ESPER, particularly when the target return is high. In the single-stage game, ARDT consistently achieves the Nash Equilibrium, while DT and ESPER exhibit suboptimal worst-case performance. The Gambling and Multi-stage game results also show ARDT’s consistently better performance.

This figure displays box plots comparing the average returns achieved by Adversarially Robust Decision Transformer (ARDT) and vanilla Decision Transformer (DT) in the Connect Four game under various conditions. The training data used for both ARDT and DT was suboptimal in the sense that the data was generated by agents that were only partially optimal (30%, 40%, 50%). The testing was done against an adversary that acted optimally only 50% of the time, with the remaining actions chosen randomly. The figure shows three sets of box plots, each corresponding to a different level of optimality for the protagonist (30%, 40%, 50%), and within each set there are three box plots, one for each level of adversary optimality (10%, 30%, 50%). The results show that ARDT consistently outperforms DT.

This figure displays the performance comparison of DT, ESPER, and ARDT algorithms in three continuous control tasks under adversarial noise. The left and middle plots show the worst-case returns for Halfcheetah and Hopper respectively, as the weight of adversarial noise (δ) increases. The right plot presents the average return for Hopper as the relative mass changes. The results demonstrate ARDT’s superior robustness and higher worst-case returns compared to DT and ESPER in these adversarial environments.

This figure displays the results of an ablation study on the impact of the expectile level (α) in the Adversarially Robust Decision Transformer (ARDT) algorithm. Three different game environments were tested: a single-stage game, a multi-stage game, and Connect Four. Each game was tested against a worst-case adversary. The results are presented as line graphs showing average return against target return for different values of α and boxplots showing the average return against the expectile level in the Connect Four game. The study reveals that a smaller α leads to better robustness in most scenarios, but in Connect Four, a too small alpha results in the algorithm acting too conservatively. Overall, the figure illustrates the importance of tuning the expectile level (α) to balance robustness and performance.

This figure illustrates a multi-stage game between a protagonist (P) and an adversary (A). The left-hand side (LHS) shows the game tree, representing the sequential decision-making process. The right-hand side (RHS) presents the same game tree, but with added information from the Adversarially Robust Decision Transformer (ARDT) model. The minimax return (the worst-case outcome for the protagonist) and action probabilities are shown for each node, highlighting the optimal strategy learned by ARDT when aiming for a target return of 7. The thicker lines indicate the optimal actions for the adversary.

This figure illustrates a game of Connect Four. It shows three different stages of the game, each with a different arrangement of red and yellow pieces. Connect Four is a two-player game where players take turns dropping colored pieces into a grid. The goal is to be the first to get four of one’s own pieces in a row—horizontally, vertically, or diagonally.

This figure shows a multi-stage game tree illustrating the decision-making process of a protagonist (P) against an adversary (A). The left side displays the game tree structure, while the right side presents the same tree augmented with minimax returns-to-go calculated by Adversarially Robust Decision Transformer (ARDT) and the corresponding action probabilities. The numbers on the leaf nodes represent the game outcomes. Highlighted nodes and thick lines emphasize the optimal adversarial actions and their probabilities based on the ARDT model.

This figure compares the worst-case return achieved by three different algorithms (ARDT, DT, and ESPER) across three different sequential games with varying target returns. The worst-case return represents the minimum return achieved when the adversary acts optimally. The x-axis shows the target return, and the y-axis displays the worst-case return obtained by each algorithm. The plot demonstrates ARDT’s superior robustness against optimal adversaries compared to DT and ESPER, particularly when the target return is high, indicating its ability to choose actions that yield high returns even in worst-case adversarial scenarios.

This figure shows a multi-stage game tree. The left-hand side (LHS) presents the game tree structure, illustrating the decision-making process of both the protagonist (P) and the adversary (A). The right-hand side (RHS) displays the same game tree augmented with information from the adversarially robust decision transformer (ARDT) model. Specifically, it shows the minimax return-to-go values at each decision node and the action probabilities calculated by ARDT when given a target return of 7. The thicker branches indicate the optimal adversarial actions according to the ARDT model.

This figure compares the performance of Decision Transformer (DT), Expected Return-Conditioned Decision Transformer (ESPER), and Adversarially Robust Decision Transformer (ARDT) in a stochastic environment against an ε-greedy adversary. Subfigure (a) shows the expected return for different values of ε in a single-stage game, while subfigure (b) displays the average return in a multi-stage game with ε = 0.2. ARDT demonstrates superior performance, particularly when a well-tuned expectile level is used.

This figure presents a comparison of the worst-case return achieved by three different algorithms (ARDT, DT, and ESPER) across three different games (Single-stage Game, Gambling Game, Multi-stage Game). The x-axis represents the target return used as a condition during training, and the y-axis represents the worst-case return the algorithm achieved in a test setting with an optimal adversary. The plot shows that ARDT consistently outperforms both DT and ESPER across all three games, demonstrating its superior robustness in adversarial environments.

This table presents the worst-case returns achieved by Decision Transformer (DT), Expected Return-Conditioned Decision Transformer (ESPER), and Adversarially Robust Decision Transformer (ARDT) across various continuous control tasks from the MuJoCo environment. The results are obtained against eight different online adversarial policies and across five different random seeds. The data used in training included both pre-collected online datasets with high robust returns and additional random trajectories (with low, medium, and high randomness) to increase data coverage. The table shows that ARDT generally achieves higher worst-case returns compared to DT and ESPER.

This table lists the hyperparameters used in the Adversarially Robust Decision Transformer (ARDT) algorithm. It is broken down into the hyperparameters for the transformer training phase and the minimax expectile regression phase. For each phase, it specifies the number of training steps, number of testing iterations, context length, learning rate, weight decay, warmup steps, dropout rate, batch size, optimizer, and other relevant parameters for the processes.

This table presents the returns achieved by the behavior policy (protagonist and adversary) during data collection in the MuJoCo Noisy Action Robust MDP (NR-MDP) tasks. Different levels of randomness are introduced in the data collection process, creating low (-lr), medium (-mr), and high (-hr) randomness datasets. The table shows that the behavior policy achieves varying returns depending on the task and the level of randomness.

This table presents the return of behavior policy for different optimality levels of both the protagonist and adversary in three MuJoCo environments: Hopper, Walker2D, and Halfcheetah. The optimality is defined as (1 - ε) * 100%, where ε is the exploration rate of the ε-greedy policy used to collect the data. Each tuple represents the percentage of optimality for the protagonist and the adversary, respectively. The return is the average cumulative reward obtained from the behavior policy, along with its standard deviation in parentheses. The results are shown for low, medium, and high randomness settings, indicated by the suffix -lr, -mr, and -hr, respectively.

This table presents the worst-case returns achieved by Decision Transformer (DT), Expected Return-Conditioned DT (ESPER), and Adversarially Robust Decision Transformer (ARDT) across various continuous control tasks from the MuJoCo Noisy Action Robust MDP benchmark. The results are averaged across 5 random seeds and show the performance against 8 different online adversarial policies. The table further breaks down the results by including or excluding the past adversarial tokens in the model’s input, and by varying the level of randomness in the training data.

This table presents the average returns achieved by three different algorithms (ARDT, DT, and ESPER) when trained on a mixed dataset containing both near-random and near-optimal trajectories. The performance is evaluated against adversaries with varying optimality levels, showcasing the robustness of each algorithm in the face of different adversary strategies. The results highlight how ARDT outperforms DT and ESPER, especially against stronger adversaries.

This table shows the performance comparison of three algorithms (DT, ESPER, and ARDT) in a normal setting without adversarial perturbations. It presents the average normal return, the average worst-case return, and the difference (return drop) between the two for the Hopper-hr environment. The results highlight that even in the absence of adversarial attacks, ARDT shows relatively high worst-case return compared to others. Note that the numbers in parentheses are standard deviations.