Reinforcement Learning (RL) has achieved remarkable success in safety-critical areas, but it can be weakened by adversarial attacks. Recent studies have introduced "smoothed policies" to enhance its robustness. Yet it remains challenging to establish a provable guarantee that certifies a bound on the total reward. Prior methods relied primarily on computing bounds using Lipschitz continuity or on calculating the probability that the cumulative reward exceeds specific thresholds. However, these techniques are only suited to continuous perturbations of the RL agent's observations and are restricted to perturbations bounded by the $l_2$-norm. To address these limitations, this paper proposes a general black-box certification method capable of directly certifying the cumulative reward of the smoothed policy under various $l_p$-norm bounded perturbations. Furthermore, we extend our methodology to certify perturbations on action spaces. Our approach leverages f-divergence to measure the difference between the original distribution and the perturbed distribution, and then determines the certification bound by solving a convex optimisation problem. We provide a comprehensive theoretical analysis and run thorough experiments in multiple environments. Our results show that our method not only improves the certified lower bound of the mean cumulative reward but is also more efficient than state-of-the-art techniques.
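The divergence-then-convex-optimisation idea described in the abstract can be illustrated with one concrete instance; this is an added example, not the paper's algorithm or code. It assumes KL divergence as the f-divergence, Gaussian observation smoothing with an $l_2$ budget, returns normalised to [0, 1], and the empirical return distribution with no finite-sample confidence correction; all function names are hypothetical.

```python
import math

def kl_gaussian_shift(eps, sigma):
    # KL(N(x+delta, sigma^2 I) || N(x, sigma^2 I)) for ||delta||_2 <= eps (assumed smoothing).
    return eps ** 2 / (2.0 * sigma ** 2)

def dual_value(rewards, lam, budget):
    # g(lam) = -lam*log E_P[exp(-R/lam)] - lam*budget, shifted by min(R) for stability.
    m = min(rewards)
    mean_exp = sum(math.exp(-(r - m) / lam) for r in rewards) / len(rewards)
    return m - lam * math.log(mean_exp) - lam * budget

def certified_lower_bound(rewards, budget, lo=1e-4, hi=1e6, iters=200):
    # inf over Q with KL(Q||P) <= budget of E_Q[R] equals sup over lam > 0 of g(lam).
    # g is concave, so ternary search (in log-space) finds the maximiser; by weak
    # duality g at ANY lam is still a valid lower bound for the empirical P.
    a, b = math.log(lo), math.log(hi)
    for _ in range(iters):
        m1, m2 = a + (b - a) / 3, b - (b - a) / 3
        if dual_value(rewards, math.exp(m1), budget) < dual_value(rewards, math.exp(m2), budget):
            a = m1
        else:
            b = m2
    return dual_value(rewards, math.exp((a + b) / 2), budget)

if __name__ == "__main__":
    # Constructed sample: normalised episode returns of a smoothed policy, in [0, 1].
    returns = [0.91, 0.88, 0.95, 0.79, 0.93, 0.85, 0.97, 0.90, 0.82, 0.94]
    sigma = 0.2
    for eps in (0.0, 0.05, 0.1, 0.2):
        d = kl_gaussian_shift(eps, sigma)
        print(f"eps={eps:<4} KL budget={d:.4f} bound={certified_lower_bound(returns, d):.4f}")
```
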