Robust Inverse Reinforcement Learning under State Adversarial Perturbations

1. My main questions are related to the novelty of the proposed methods since most of the components are not new from my perspective. Please refer to Weakness 1 and 2 about the novelty concern. Could the author restate their contribution with the existence of these previous works?

2. My second question is the testing environment is relatively simple. As mentioned in Weakness 3, could the author try SAMM-IRL on Atari environments? or some more complicated environments?

Se above for general questions, furthermore:

• The concept of RSO is nor clear. Can $P_0$ be any distribution? If so, how is this different from equation (7)?
• Some of the theoretical statements bound the state disturbance to $\delta$, but in the problem statement authors simply talk about a disturbance set B. Is B then a ball of radius $\delta$?
• It is not clear how relevant the bounds in Theorem 3-4 are. Can authors expand on this? Also, both $\epsilon$ and $\epsilon_0$ seem to be used for different values through the section (eg (15) and (16) ).
• Is Corollary 1 necessary? Isn’t it just (14) with a substituted variable?

1. Could the algorithm work for more general settings than SA-MDPs?

2. Could SAMM-IRL be adapted to handle multi-agent adversarial settings, where multiple agents or adversaries influence the state perturbations? If so, what modifications would be required?

3. How would SAMM-IRL perform if adversarial strategies varied dynamically, i.e., if the adversary adapted its perturbations over time rather than adhering to a fixed perturbation set?

• Even though the abstract mentions inverse RL, it would be worth describing the challenge of this setting (unknown/unobserved reward that must be inferred from close-to-optimal trajectories).

• What is the motivation for combining IRL with perturbed state observations? Specifically, given that previous works have addressed the reward misspecification problem in IRL [1,2], why couldn't we reformulate this as an IRL problem for SA-MDPs? Say the expert policy is optimal for an unobserved $r^*$, but because of state-perturbation, the agent thinks the underlying reward is $r^*\circ\nu: (s,a)\mapsto r^*(\nu(s), a)$. Why not use out-of-the-shelf IRL methods under reward misspecification?

• A definition of policies is missing in Section 3.1

• In Eq (3), where does $\pi_{\text{E}}$ come into play? And the dataset $\mathcal{D}$? These are defined without further reference in section 3.2. In that respect, 3.2 and 3.3 should be merged, as Algorithm 1 combines all the introduced notions.

• In lines 114-116, why is the goal to find the arg-max? Why does it solve the problem of reward estimation? Does it have to do with MLE? If so, a clearer explanation should be provided.

• A reference is missing in Sec. 3.3 when describing max-margin IRL

• In line 146, the hyperplane separation theorem is mentioned to optimize the feature expectation. Raising the fact that more than one policy can be optimal in a given MDP, how does the condition $\mathbf{w}^{\top}\mu_{\pi_{\mathrm{E}}} > \mathbf{w}^{\top}\mu_{\pi}$ still hold for all $\pi$?

• Sec 3.1 does not assume any specific structure on the state-space. On the other hand, in Sec. 4, the perturbation set $B(s)$ is an arbitrary subset of $\mathcal{S}$. This is a bit strange to me, especially if you want to be able to find the optimal perturbed state, you may need come compactness/convexity assumption on $B(s)$.

• Assmp. 1 is not a theoretical assumption, but rather a modeling choice. Assmp 2 is also not, but rather outlines the methodology.

• Defs 2 and 3 confuse me: Eq 11 is the believed expectation but on the other hand, the distribution matches with the random variable taken inside. This is not the case in Eq 10. The agent effectively observes $\nu^*(S_t)$ so the designation "believed" is misleading. It is not a belief in the Bayesian sense. It is observed.

• lines 306-308 assume that the expert policy is optimal under the optimal weight. This seems to be a strong assumption and should be at least presented as an assumption environment, because the optimal $\mathbf{w}^*$ stems from the modeling choice of $\max_{||\mathbf{w}||\leq 1}$ plus the fact that the true reward is linearly parameterized.

• Typo in Eq 12?

• Fig 5 appears before Fig 4

[1] Hadfield-Menell, D., Milli, S., Abbeel, P., Russell, S. J., & Dragan, A. (2017). Inverse reward design. Advances in neural information processing systems, 30.

[2] Skalse, Joar, and Alessandro Abate. "Misspecification in inverse reinforcement learning." Proceedings of the AAAI Conference on Artificial Intelligence. Vol. 37. No. 12. 2023.