Data Poisoning Attacks on Off-Policy Policy Evaluation Methods

Elita Lobo, Harvineet Singh, Marek Petrik, Cynthia Rudin, Himabindu Lakkaraju

TL;DR

This work exposes a vulnerability in off-policy evaluation methods to train-time data poisoning by introducing DOPE, a framework that formulates attacks as a bilevel optimization and uses influence functions to craft small data perturbations under budget constraints. By mapping four DOPE components to various OPE methods (BRM, WIS, PDIS, CPDIS, WDR) and solving the approximate problem with a greedy influence-score-based approach, the authors demonstrate that modest contamination can cause large errors in policy value estimates across healthcare and control domains. The experiments show BRM, PDIS, and WDR are particularly susceptible, while CPDIS and WIS exhibit relatively greater robustness, underscoring the need for developing OPE methods that are robust to train-time data poisoning. The results highlight practical implications for offline policy evaluation in high-stakes settings and motivate future work on defense strategies and robust OPE design.
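The attack described above (rank data points by their influence on the estimate, then spend a bounded perturbation budget greedily on the most influential ones) is easiest to see on an estimator that is linear in the logged rewards. The block below is an added illustration written for this page, not the authors' DOPE code: it builds a constructed synthetic log under an assumed two-action behaviour policy, implements per-decision importance sampling (PDIS), uses the estimator's exact reward gradient as the influence score (the paper uses influence functions to approximate this derivative for estimators that are not linear in the data), and compares a greedy influence-guided reward poisoning against a random perturbation of the same size. The budget model (at most an `alpha` fraction of transitions touched, each reward moved by at most `eps`) is a simplification assumed here, and the policies, horizon, discount and reward model are all assumptions.

```python
"""Added illustration (not the paper's DOPE code): greedy, influence-guided
reward poisoning of a PDIS off-policy estimator versus a random perturbation
of identical size. All data below are constructed synthetically."""
import random
from typing import List, Tuple

Transition = Tuple[int, float]          # (action, reward)
Trajectory = List[Transition]

# Assumed state-independent policies over two actions (not from the paper).
PI_B = {0: 0.5, 1: 0.5}                 # logging (behaviour) policy
PI_E = {0: 0.2, 1: 0.8}                 # evaluation policy whose value we estimate
GAMMA = 0.95                            # assumed discount factor


def make_dataset(n: int, horizon: int, seed: int = 0) -> List[Trajectory]:
    """Constructed synthetic logs: action 1 pays mean reward 1.0, action 0 pays 0.0,
    both with small Gaussian noise. No real environment or dataset is involved."""
    rng = random.Random(seed)
    data = []
    for _ in range(n):
        traj = []
        for _ in range(horizon):
            a = 1 if rng.random() < PI_B[1] else 0
            traj.append((a, float(a) + rng.gauss(0.0, 0.1)))
        data.append(traj)
    return data


def pdis_weights(data: List[Trajectory]) -> List[List[float]]:
    """c[i][t] = gamma^t * prod_{k<=t} pi_e(a_k)/pi_b(a_k) / n.
    PDIS is sum_i sum_t c[i][t] * r[i][t], so c[i][t] is exactly
    dV_hat / dr[i][t]: the influence of each logged reward on the estimate."""
    n = len(data)
    coeffs = []
    for traj in data:
        rho, row = 1.0, []
        for t, (a, _) in enumerate(traj):
            rho *= PI_E[a] / PI_B[a]
            row.append((GAMMA ** t) * rho / n)
        coeffs.append(row)
    return coeffs


def pdis_value(data: List[Trajectory]) -> float:
    c = pdis_weights(data)
    return sum(c[i][t] * r for i, traj in enumerate(data) for t, (_, r) in enumerate(traj))


def greedy_influence_attack(data, alpha: float, eps: float, sign: float = 1.0):
    """Choose the alpha-fraction of transitions with the largest |influence| and move
    each reward by eps in the direction that shifts the estimate by `sign`."""
    c = pdis_weights(data)
    ranked = sorted(((abs(c[i][t]), i, t) for i in range(len(data))
                     for t in range(len(data[i]))), reverse=True)
    k = int(alpha * sum(len(traj) for traj in data))
    poisoned = [list(traj) for traj in data]
    for _, i, t in ranked[:k]:
        a, r = poisoned[i][t]
        direction = sign if c[i][t] >= 0 else -sign
        poisoned[i][t] = (a, r + eps * direction)
    return poisoned


def random_attack(data, alpha: float, eps: float, seed: int = 1):
    """Baseline: same number of corrupted transitions and the same per-point
    magnitude, but positions and signs chosen uniformly at random."""
    rng = random.Random(seed)
    idx = [(i, t) for i in range(len(data)) for t in range(len(data[i]))]
    k = int(alpha * len(idx))
    poisoned = [list(traj) for traj in data]
    for i, t in rng.sample(idx, k):
        a, r = poisoned[i][t]
        poisoned[i][t] = (a, r + eps * rng.choice((-1.0, 1.0)))
    return poisoned


def compare(alpha: float = 0.05, eps: float = 1.0, n: int = 200, horizon: int = 5):
    """Return (clean, random-attacked, greedy-attacked) PDIS estimates."""
    data = make_dataset(n, horizon)
    clean = pdis_value(data)
    rnd = pdis_value(random_attack(data, alpha, eps))
    grd = pdis_value(greedy_influence_attack(data, alpha, eps))
    return clean, rnd, grd


if __name__ == "__main__":
    clean, rnd, grd = compare()
    print(f"clean={clean:.3f} random={rnd:.3f} greedy={grd:.3f}")
```

The influence of a reward on the PDIS estimate grows with the cumulative importance ratio of its trajectory prefix, so the greedy attacker concentrates the budget on late-horizon transitions whose action sequences the evaluation policy strongly prefers; the random attacker spreads the same budget over low-influence points with cancelling signs, which is why its error stays near zero in the paper's Figure 3 style comparison.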

Abstract

Off-policy Evaluation (OPE) methods are a crucial tool for evaluating policies in high-stakes domains such as healthcare, where exploration is often infeasible, unethical, or expensive. However, the extent to which such methods can be trusted under adversarial threats to data quality is largely unexplored. In this work, we make the first attempt at investigating the sensitivity of OPE methods to marginal adversarial perturbations to the data. We design a generic data poisoning attack framework leveraging influence functions from robust statistics to carefully construct perturbations that maximize error in the policy value estimates. We carry out extensive experimentation with multiple healthcare and control datasets. Our results demonstrate that many existing OPE methods are highly prone to generating value estimates with large errors when subject to data poisoning attacks, even for small adversarial perturbations. These findings question the reliability of policy values derived using OPE methods and motivate the need for developing OPE methods that are statistically robust to train-time data poisoning attacks.

Paper Structure

This paper contains 24 sections, 3 theorems, 21 equations, 15 figures, 7 tables, and 1 algorithm.

Key Result

Theorem 4.1

Let $(s^*,\Delta^*)$ be an optimal solution to the approximate bilevel optimization problem and define the approximate influential set as $S^*_{\alpha}=\{\, i \in \{1,\dots,n\} : s^*_i = 1 \,\}$. Then,

Figures (15)

  • Figure 1: Compares the effect of the DOPE attack on the BRM, WIS, PDIS, CPDIS and WDR methods in the Cancer, HIV and Continuous Gridworld domains (left to right) for different values of the attacker's budget $\varepsilon = \text{frac} \cdot \sigma$ and $p=1$ ($\ell_1$ norm). The larger the value of frac, the larger the perturbations added by the DOPE attack, and accordingly the larger the errors observed in the value estimates.
  • Figure 2: Compares the effect of the DOPE attack on the BRM, WIS, PDIS, CPDIS and WDR methods in the Cancer, HIV and Continuous Gridworld domains (left to right) for different percentages of corruption $\alpha$ at $\varepsilon = 1.0\sigma$ and $p=1$ ($\ell_1$ norm). The larger the value of $\alpha$, the larger the number of points perturbed by the DOPE attack, and accordingly the larger the errors observed in the value estimates.
  • Figure 3: Compares the effects of the Random attack, the Random DOPE attack (an ablated version of DOPE), the FGSM-based attack and the DOPE attack on the error in the value estimates of the BRM, IS and DR methods (left to right) in the HIV domain. The percentage error under the Random attack and the FGSM-based attack is small relative to the percentage error under the DOPE and Random DOPE attacks, so their curves lie close to the x-axis. The DOPE attack outperforms both the Random DOPE and Random attacks at nearly all values of the attacker's budget.
  • Figure 4: Compares the effect of the DOPE attack on the BRM, WIS, PDIS, CPDIS and WDR methods in the Cartpole and Mountain Car domains for different values of the attacker's budget $\varepsilon = \text{frac} \cdot \sigma$ and $p=1$.
  • Figure 5: Compares the effect of the DOPE attack on the BRM, WIS, PDIS, CPDIS and WDR methods in the Cartpole and Mountain Car domains (left to right) for different percentages of corruption $\alpha$ and $p=1$.
  • ...and 10 more figures

Theorems & Definitions (5)

  • Theorem 4.1
  • Remark 4.2: Relation to optimal solution
  • Proposition 4.3
  • Proposition 4.4
  • Proof of the proposition on the greedy approach (referenced in the paper as prop_greedy)