Multi-level Certified Defense Against Poisoning Attacks in Offline Reinforcement Learning

27 May 2025
Shijie Liu
Andrew C. Cullen
Paul Montague
S. Erfani
Benjamin I. P. Rubinstein
Topics: OffRL, AAML
Main text: 10 pages, 4 figures, 5 tables; bibliography: 4 pages; appendix: 7 pages
Abstract

Like other machine learning frameworks, Offline Reinforcement Learning (RL) has been shown to be vulnerable to poisoning attacks because it relies on externally sourced datasets, a vulnerability that is exacerbated by its sequential nature. To mitigate the risks posed by RL poisoning, we extend certified defenses to provide larger guarantees against adversarial manipulation, ensuring robustness for both per-state actions and the overall expected cumulative reward. Our approach leverages properties of Differential Privacy in a manner that allows this work to span both continuous and discrete spaces, as well as stochastic and deterministic environments, significantly expanding the scope and applicability of achievable guarantees. Empirical evaluations demonstrate that our approach ensures the performance drops to no more than 50% with up to 7% of the training data poisoned, significantly improving over the 0.008% of prior work (COPA, Wu et al., 2022), while producing certified radii that are 5 times larger. This highlights the potential of our framework to enhance safety and reliability in offline RL.
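The abstract only states that the certificates are built on properties of Differential Privacy. As an added illustration of the kind of arithmetic such a certificate involves (this is example code written for this page, not the paper's code, and it does not reproduce the paper's actual bounds), the block below uses the group-privacy property of pure epsilon-DP: if a training mechanism is epsilon-DP with respect to one record, then replacing k records changes the probability of any output event by at most a factor e^{k epsilon}. From that single fact one gets a per-state certified radius (the largest k for which the most likely action cannot be flipped) and a lower bound on the expected cumulative return, the two quantities the abstract says are certified. The privacy parameter, the action-probability estimate, the return estimate and the return cap are all constructed assumptions.

```python
"""Group-privacy certification arithmetic for a DP-trained offline RL policy.

Added example, not the paper's method. Assumes (my assumptions, not the page's):
  * the training mechanism is pure epsilon-DP at the record (transition) level;
  * we already hold Monte Carlo estimates of the clean policy's per-state action
    distribution and of its expected cumulative return (numbers below are made up);
  * returns are non-negative and bounded by RETURN_MAX.
"""
import math
from typing import List, Optional, Tuple

# Constructed inputs, not data from the paper.
EPSILON = 0.1                     # assumed per-record privacy parameter
ACTION_PROBS = [0.7, 0.2, 0.1]    # assumed clean action distribution in one state
EXPECTED_RETURN = 100.0           # assumed clean expected cumulative return
RETURN_MAX = 200.0                # assumed upper bound on any return


def group_privacy_factor(epsilon: float, k: int) -> float:
    """Pure eps-DP group privacy: k record swaps scale any event probability by <= e^{k*eps}."""
    if epsilon < 0 or k < 0:
        raise ValueError("epsilon and k must be non-negative")
    return math.exp(k * epsilon)


def event_probability_bounds(p: float, epsilon: float, k: int) -> Tuple[float, float]:
    """Smallest and largest probability an adversary controlling k records can push
    an event to, given its clean probability p. The upper side is capped at 1."""
    f = group_privacy_factor(epsilon, k)
    return (p / f, min(1.0, p * f))


def action_certified_radius(action_probs: List[float], epsilon: float) -> Optional[int]:
    """Largest k such that the clean argmax action is still the argmax after poisoning
    k records. Certified when the lower bound of the top action beats the upper bound of
    the runner-up:
        p_top * e^{-k eps} > p_second * e^{k eps}   <=>   k < ln(p_top / p_second) / (2 eps)
    Returns 0 for a tie (nothing certified) and None when no finite k can break the
    condition (runner-up has probability 0, or eps == 0)."""
    probs = sorted(action_probs, reverse=True)
    if len(probs) < 2:
        return None
    p_top, p_second = probs[0], probs[1]
    if p_top <= p_second:
        return 0
    if p_second == 0.0 or epsilon == 0.0:
        return None
    bound = math.log(p_top / p_second) / (2.0 * epsilon)
    return math.ceil(bound) - 1  # largest integer strictly below the bound


def expected_return_bounds(expected_return: float, return_max: float,
                           epsilon: float, k: int) -> Tuple[float, float]:
    """Bounds on the poisoned policy's expected return for returns in [0, return_max].
    Integrating the group-privacy factor over the tail probabilities P[G > t] gives
        e^{-k eps} * E[G]  <=  E'[G]  <=  e^{k eps} * E[G]."""
    f = group_privacy_factor(epsilon, k)
    return (expected_return / f, min(return_max, expected_return * f))


def poison_budget_for_retention(epsilon: float, retention: float) -> int:
    """Largest k whose certified lower bound retains at least `retention` of the clean
    expected return:  e^{-k eps} >= retention  <=>  k <= -ln(retention) / eps."""
    if not 0.0 < retention <= 1.0:
        raise ValueError("retention must be in (0, 1]")
    if epsilon == 0.0:
        raise ValueError("epsilon == 0 certifies every k; no finite budget")
    return math.floor(-math.log(retention) / epsilon)


if __name__ == "__main__":
    radius = action_certified_radius(ACTION_PROBS, EPSILON)
    print(f"per-state action certified for up to {radius} poisoned records")
    lo, hi = event_probability_bounds(ACTION_PROBS[0], EPSILON, radius)
    print(f"top action probability after {radius} poisoned records lies in [{lo:.3f}, {hi:.3f}]")
    k = poison_budget_for_retention(EPSILON, 0.5)
    lo_ret, _ = expected_return_bounds(EXPECTED_RETURN, RETURN_MAX, EPSILON, k)
    print(f"return stays >= 50% of clean ({lo_ret:.1f}) for up to {k} poisoned records")
```

The two certificates scale differently with the same epsilon: the action radius depends on the margin between the top two action probabilities and halves the exponent (both actions move), while the return bound depends only on the retention fraction. Both shrink as epsilon grows, so the privacy budget the training mechanism actually achieves is the quantity a defender must measure before quoting any radius.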

@article{liu2025_2505.20621,
  title={Multi-level Certified Defense Against Poisoning Attacks in Offline Reinforcement Learning},
  author={Shijie Liu and Andrew C. Cullen and Paul Montague and Sarah Erfani and Benjamin I. P. Rubinstein},
  journal={arXiv preprint arXiv:2505.20621},
  year={2025}
}