🤖 AI Summary
Existing world models lack a unified evaluation of visual adversarial robustness across policy, value, and latent dynamics components. This work proposes ARB4WM, the first multi-objective white-box adversarial evaluation framework encompassing all three aspects. It systematically assesses the vulnerability of Dreamer-style world models in continuous control tasks by integrating single-step and multi-step perturbation generation with temporal attack patterns—including full-sequence, half-sequence, and sparse-frame perturbations. Experiments across 20 tasks from MetaWorld and DeepMind Control Suite reveal that non-policy attacks—targeting value functions, latent representations, or RSSM dynamics—can induce performance degradation comparable to direct policy interference. Notably, perturbations applied early or at high frequency are especially detrimental, while current input-level defenses exhibit limited efficacy against adaptive attacks.
📝 Abstract
World models are widely used in robotic and agentic engineering control systems due to their ability to learn latent dynamics for planning and decision-making. As these systems are increasingly deployed in safety-critical settings, understanding their robustness under adversarial conditions has become essential. However, existing evaluations lack a unified benchmark for testing adversarial threats across the policy, value, and latent-dynamics levels of world-model agents. To fill this gap, we present ARB4WM, a unified evaluation framework for pre-deployment robustness and risk assessment of world-model agents under visual perturbations. ARB4WM defines five white-box loss objectives across these three levels and studies their effects when combined with single-step or multi-step perturbation strategies and temporal attack modes, including full-frame, half-sequence, and sparse-frame exposure. Specifically, we evaluate four Dreamer-style agents across 20 tasks from MetaWorld and the DeepMind Control Suite under different loss objectives, perturbation strategies, and temporal attack modes. Results show that attacks targeting value estimation, latent representations, and RSSM dynamics can be as damaging as direct policy disruption, and that early or frequent perturbations are especially harmful, while input-level defenses provide limited recovery under adaptive attacks. These findings suggest that safety, risk, and reliability assessment for world models should cover multiple component-oriented attack objectives and temporal exposure protocols rather than relying solely on action-space robustness. Source code is available at https://github.com/zaoanguai/ARB4WM.