Behavior Cloning (BC) is a popular framework for training sequential decision policies from expert demonstrations via supervised learning. As these policies are increasingly being deployed in the real world, their robustness and potential vulnerabilities are an important concern. In this work, we perform the first analysis of the efficacy of clean-label backdoor attacks on BC policies. Our backdoor attacks poison a dataset of demonstrations by injecting a visual trigger to create a spurious correlation that can be exploited at test time. We evaluate how policy vulnerability scales with the fraction of poisoned data, the strength of the trigger, and the trigger type. We also introduce a novel entropy-based test-time trigger attack that substantially degrades policy performance by identifying critical states where test-time triggering of the backdoor is expected to be most effective at degrading performance. We empirically demonstrate that BC policies trained on even minimally poisoned datasets exhibit deceptively high, near-baseline task performance despite being highly vulnerable to backdoor trigger attacks during deployment. Our results underscore the urgent need for more research into the robustness of BC policies, particularly as large-scale datasets are increasingly used to train policies for real-world cyber-physical systems. Videos and code are available at https://sites.google.com/view/dataset-poisoning-in-bc.

翻译：行为克隆（BC）是一种通过监督学习从专家演示中训练序列决策策略的流行框架。随着这些策略在现实世界中的部署日益增多，其鲁棒性和潜在脆弱性成为一个重要关切。在本研究中，我们首次分析了清洁标签后门攻击对BC策略的有效性。我们的后门攻击通过注入视觉触发器来毒化演示数据集，从而创建可在测试阶段被利用的虚假相关性。我们评估了策略脆弱性如何随投毒数据比例、触发器强度及触发器类型而变化。我们还提出了一种新颖的基于熵的测试时触发器攻击，该方法通过识别关键状态——在这些状态下触发后门预计能最有效地降低策略性能——从而显著削弱策略表现。我们通过实证表明，即使在仅含微量投毒数据的数据集上训练的BC策略，尽管在部署期间对后门触发器攻击高度脆弱，仍会表现出具有欺骗性的高任务性能（接近基线水平）。我们的结果强调了迫切需要对BC策略的鲁棒性进行更多研究，尤其是在大规模数据集被越来越多地用于训练现实世界信息物理系统策略的背景下。视频和代码可在 https://sites.google.com/view/dataset-poisoning-in-bc 获取。