Practical Adversarial Attacks on Stochastic Bandits via Fake Data Injection

TL;DR

This paper introduces a realistic adversarial attack model on stochastic bandits via limited, bounded fake data injection, demonstrating vulnerabilities in common algorithms through theoretical analysis and experiments.

Contribution

It proposes a practical threat model for adversarial attacks on bandits, with strategies that effectively mislead algorithms under realistic constraints.

Findings

Attacks can force bandit algorithms to choose a target arm in nearly all rounds.

The attack incurs only sublinear cost relative to the number of rounds.

Experimental results confirm the attack's effectiveness on synthetic and real data.

Abstract

Adversarial attacks on stochastic bandits have traditionally relied on some unrealistic assumptions, such as per-round reward manipulation and unbounded perturbations, limiting their relevance to real-world systems. We propose a more practical threat model, Fake Data Injection, which reflects realistic adversarial constraints: the attacker can inject only a limited number of bounded fake feedback samples into the learner's history, simulating legitimate interactions. We design effective attack strategies under this model, explicitly addressing both magnitude constraints (on reward values) and temporal constraints (on when and how often data can be injected). Our theoretical analysis shows that these attacks can mislead a class of bandit algorithms into selecting a target arm in nearly all rounds while incurring only sublinear attack cost. Experiments on synthetic and real-world datasets validate the effectiveness of our strategies, revealing vulnerabilities in stochastic bandit algorithms under practical adversarial scenarios.