Efficient Adversarial Attacks on High-dimensional Offline Bandits
Abstract
Bandit algorithms have recently gained traction as a potent mechanism for assessing machine learning systems, such as large language models and generative image architectures. These techniques streamline the identification of superior candidates by avoiding the need for exhaustive pairwise comparisons. Typically, these methods depend on a reward model—often available with public weights on repositories like Hugging Face—to supply feedback to the bandit process. Because online evaluation is resource-intensive and demands numerous iterations, leveraging logged data for offline assessment has emerged as a compelling alternative.
Despite this shift, the adversarial robustness of offline bandit evaluation remains largely under-investigated, specifically regarding scenarios where an adversary modifies the reward model prior to the bandit’s training phase, rather than tampering with the training data itself. This study addresses this void by examining, through both theoretical analysis and empirical testing, how susceptible offline bandit training is to adversarial manipulation of the reward model.
We propose a novel threat model wherein an attacker leverages offline data within high-dimensional contexts to subvert the bandit’s decision-making process. Our investigation begins with linear reward functions and expands to encompass nonlinear architectures, such as ReLU neural networks. We specifically target two Hugging Face evaluators commonly employed for generative model assessment: one designed to gauge aesthetic quality and another to evaluate compositional alignment.
Our findings indicate that even minute, imperceptible adjustments to the weights of the reward model can significantly distort the bandit’s behavior. Theoretically, we demonstrate a pronounced high-dimensional phenomenon: as the dimensionality of the input grows, the magnitude of the perturbation necessary to execute a successful attack diminishes. This dynamic renders modern applications, particularly those involving image evaluation, highly susceptible to such exploits. Comprehensive experiments validate that while random perturbations are largely ineffective, strategically crafted perturbations can achieve nearly perfect attack success rates.
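As an added illustration (not code from the paper), the linear case of the sensitivity described above: for a reward model r(x) = w·x with i.i.d. Gaussian weights and candidate contexts (an assumption made here, not the paper's setup), the smallest weight change under which the lowest-scoring candidate outscores the bandit's current winner shrinks relative to ||w|| as the dimension d grows, while a random weight change of the same size rarely moves the winner. The closed form used is the standard pairwise margin for a linear model, not the paper's attack.

```python
import math
import random

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def norm(u):
    return math.sqrt(dot(u, u))

def best_arm(w, contexts):
    """Greedy offline choice: the candidate whose estimated linear reward w.x is largest."""
    return max(range(len(contexts)), key=lambda i: dot(w, contexts[i]))

def min_weight_change(w, contexts, target):
    """Smallest (L2) change to w under which `target` outscores the current winner.
    For a linear reward model this is the score gap divided by the squared context
    distance, applied along (x_target - x_winner). Assumed closed form, not the paper's."""
    b = best_arm(w, contexts)
    diff = [t - c for t, c in zip(contexts[target], contexts[b])]
    gap = dot(w, contexts[b]) - dot(w, contexts[target])
    scale = (gap + 1e-6) / dot(diff, diff)      # small slack breaks the tie
    return b, [scale * x for x in diff]

def margin_report(d, arms=8, trials=5, seed=0):
    """Relative robustness margin ||delta||/||w|| at dimension d (mean over trials),
    and how often a crafted vs. a random weight change of that size moves the winner.
    Weights and contexts are constructed i.i.d. N(0,1) samples (an assumption)."""
    rng = random.Random(seed)
    ratios, crafted_flips, random_flips = [], 0, 0
    for _ in range(trials):
        w = [rng.gauss(0, 1) for _ in range(d)]
        X = [[rng.gauss(0, 1) for _ in range(d)] for _ in range(arms)]
        b = best_arm(w, X)
        t = min(range(arms), key=lambda i: dot(w, X[i]))  # hardest candidate to promote
        _, delta = min_weight_change(w, X, t)
        w_crafted = [a + c for a, c in zip(w, delta)]
        crafted_flips += dot(w_crafted, X[t]) > dot(w_crafted, X[b])
        ratios.append(norm(delta) / norm(w))
        noise = [rng.gauss(0, 1) for _ in range(d)]
        s = norm(delta) / norm(noise)                    # same size as the crafted change
        w_random = [a + s * n for a, n in zip(w, noise)]
        random_flips += best_arm(w_random, X) != b
    return {"dim": d, "ratio": sum(ratios) / trials,
            "crafted_flips": crafted_flips, "random_flips": random_flips}

if __name__ == "__main__":
    for d in (16, 256, 4096):
        print(margin_report(d))
```

The ratio column is the integrity margin a defender has to protect: the fraction of ||w|| by which published weights may drift before the evaluator's ranking can change, which is why verifying reward-model weights (e.g. against a pinned hash) matters more as d grows.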
Source: arXiv