Robust Thompson Sampling Algorithms Against Reward Poisoning Attacks

Thank you for your constructive comments and suggestions. Based on the reviews, the revision has been uploaded, and the most important changes are highlighted in blue. Below is our response to your concerns.

Q1: The authors considered a very limited settings.

A1: We have made it clear in the title, abstract, and contribution that we only consider Gaussian bandits. It is common in Thompson sampling studies to focus on a representation case of priors such as Gaussian distributions. [1,2,3].

Q2: The authors forgot to sum over all the possible N Arms

A2: In the proof of Theorem 4.1, we summed the regret upper bound over all possible N arms. We made a slight simplification in the summation notation($\sum_{i}$), and we will use the complete form in the revised version($\sum_{i=1}^{N}$). Specifically, as presented in the proof of Theorem 4.1: \begin{aligned} &\mathbb{E}[\mathcal{R}(T)] = \sum_{i} \Delta_i \mathbb{E}\left[k_i(T)\right] \leq \sum_{i}[72\left(e^{64}+5\right) \frac {\ln \left(T \Delta^2_i\right)}{\Delta_i} + 12C+\frac{13}{ \Delta_i}+\Delta_i] \end{aligned}

The equality on the left-hand side holds because $\mathbb{E}\left[k_i(T)\right]$ represents the expected number of times arm $i$ is pulled, and $\Delta_i$ is the regret incurred each time arm $i$ is pulled. Therefore, $\Delta_i \mathbb{E}\left[k_i(T)\right]$ represents the expected regret due to pulling arm $i$. The inequality on the right-hand side follows by combining the bounds from Lemmas A.3 to A.5, where we have:

$$\begin{aligned} &\mathbb{E}\left[k_i(T)\right] \leq 72\left(e^{64}+4\right)\frac{\ln \left(T \Delta_i^2\right)}{\Delta_i^2}+\max [ \frac{12C}{\Delta_i}, \frac{32 \ln \left(T \Delta_i^2\right)}{\Delta_i^2} ]+\frac{13}{\Delta_i^2}+1 \end{aligned}$$

By multiplying by $\Delta_i$ and summing over all $N$ arms, we then obtain the desired inequality on the right-hand side.

Q3: Another concern regarding the regret bound is the enormous multiplicative constant

A3: We have noticed the problem. This is a motivation for our simulations. We empirically show that, in practice, the constant dependency of the regret is small. Add improvement

Q4: the expected regret of TS seems not just close but almost exactly equal to the expected regret of UCB; it seems impossible to explain how the expected regret of the proposed algorithm can decrease when the adversarial budget increases

A4: We have explained the two observations in detail in the revision:

‘We notice that the regret of the two vulnerable algorithms under the attack are almost identical. The reason is that the attacker highlights a target arm. For the vulnerable algorithms, they will believe that the target arm is optimal and almost always take that arm during training. So their behavior and regret are very similar under the attack.’

‘We notice that when the corruption level is small, the regret of our algorithm decreases slightly as the corruption level increases. The reason is that the attacker tries to highlight a randomly chosen target arm, and the arm is not the one with the lowest reward. Therefore, when the corruption level is not high enough to mislead the agent, the agent will only take sub-optimal arms for a limited number of rounds, and it tends to take the target arm more often instead of the worse arms, making the total regret slightly lower.’

Q5: the titles of the x-axes are almost not readable

A5: We have fixed the plots in the revision.

Q6: The robust version of Thompson Sampling seems to outperform the original Thompson Sampling and UCB algorithm when the adversarial budget is 0.

A6: The robust and original Thompson sampling are identical when the adversarial budget is 0. In the plots, their regrets are also the same when the adversarial budget is 0. It is also not a surprise that in our setup, the Thompson sampling algorithm performs slightly better than the UCB algorithm when there is no attack.

Other Questions and suggestions about the writing:

A: We have improved the proof in the appendix and made them more clear in the revision. We clarify in the revision that the bars in the plots are the variance of the data. We add a readme file to the supplementary materials. We clarify that no generative AI tools have been used in our writing. We run an AI scan on the text mentioned in the review using GPT Zero, and it says that with 98% accuracy, the text is fully written by humans. We have improved our writing in the revision.

[1]: Honda, Junya, and Akimichi Takemura. "Optimality of Thompson sampling for Gaussian bandits depends on priors." Artificial Intelligence and Statistics. PMLR, 2014.

[2]: Agrawal, Shipra, and Navin Goyal. "Thompson sampling for contextual bandits with linear payoffs." International conference on machine learning. PMLR, 2013.

[3]:Hu, Bingshan, and Nidhi Hegde. "Near-optimal thompson sampling-based algorithms for differentially private stochastic bandits." Uncertainty in Artificial Intelligence. PMLR, 2022

Dear Reviewer CZzm,

Thanks again for your constructive reviews! We have revised the paper according to your questions and suggestions. Please let us know if you have any follow-up comments or concerns about our responses and revision. We are happy to answer any further questions.

Thank you for your constructive comments and suggestions. Based on the reviews, the revision has been uploaded, and the most important changes are highlighted in blue. Below is our response to your concerns.

Q1: While I found the results interesting, they are also somewhat expected, given the findings from prior work on poisoning attacks and corruption robustness in bandits

A1: One can expect that making Thompson sampling robust is feasible using the techniques in our work, but it is hard to know exactly how robust a Thompson sampling algorithm can be and if it is possible to achieve near-optimal guarantees in the cases where the corruption level $C$ is known or unknown to the agent. Our work shows how to make near-optimal robust Thompson sampling algorithms and proves that they can be near-optimal.

Q2: The experiments related to the stochastic MAB setting do not include a corruption-robust baseline.

A2: We have included a robust baseline for the stochastic MAB setting in the revision. The baseline we call `Robust UCB’ is essentially the standard UCB algorithm with an additional bonus term $C/k_i(t)$ to arm $i$ to compensate for the potential influence of data corruption, where $C$ is the corruption level, and $k_i(t)$ is the number of times arm $i$ being selected at time $t$. Such an idea is also mentioned in [1], and the details can be found in the revision in section 6.1. Our empirical results show that the performance of our robust Thompson sampling is similar to that of the robust UCB algorithm. Thompson sampling has several advantages over the UCB algorithm, as mentioned in our introduction section. Our empirical results further show that the robust Thompson sampling algorithms are competitive against robust UCB/OFUL algorithms.

Q3: While I believe that the paper is overall well-written, the presentation could be improved and polished.

A3: We have fixed the typos and plots in the revision.

Q4: it would be helpful if the authors elaborated further on their two remarks: … the attacker can apply less influence on the estimator by corrupting such data..., ...variance of the posterior distribution is limited due to the weighted estimator under reward poisoning..

A4: We have changed the two remarks in the revision:

1. ‘The key is that it assigns less weight $w_t$ to the data with a `large' context $w_{t}=\min (\{1, \gamma /\left\||x_{i(t)}(t)\right\||_{B(t)^{-1}}\})$ so that its estimation is less sensitive to data corruption in these cases.’

2. ‘The key reason is that the posterior distribution computed by the weighted estimator is less sensitive to any change in the rewards. So the agent is more robust against data corruption.’

[1]: Lykouris, Thodoris, Vahab Mirrokni, and Renato Paes Leme. "Stochastic bandits robust to adversarial corruptions." Proceedings of the 50th Annual ACM SIGACT Symposium on Theory of Computing. 2018.

Thank you for your constructive comments and suggestions. Based on the reviews, the revision has been uploaded, and the most important changes are highlighted in blue. Below is our response to your concerns.

Q1: However, comparing existing results requires finding each cited paper and going through them one by one. It would be better if a table was included with previous works

A1: We have included a table in the revision to show the comparison of the theoretical results between our algorithms and current state-of-the-art algorithms.

Q2: typos: At the end of Sections 4 and 5, the paper (He et al., 2022) should be cited instead of (He et al., 2023)

A2: We have fixed them in the revision.

Q3: What can be said about Bayesian regret?

A3: In the stochastic setting, we have demonstrated that for any parameter vector $\mu = (\mu_1, \cdots, \mu_N) \in \Pi_{i=1}^{N} [0,1]$ the expected regret is bounded by $\sum_{i=1}^{N} \left[ 72 \left(e^{64} + 5 \right) \frac{\ln \left( T \Delta_i^2 \right)}{\Delta_i} + 12C + \frac{13}{\Delta_i} + \Delta_i \right],$ where $\Delta_i$ represents the sub-optimality gap for arm $i$. Therefore, the analysis can be divided into two cases: $\Delta_i \geq e \sqrt{\frac{N \ln N}{T}}$ and $\Delta_i < e \sqrt{\frac{N \ln N}{T}}$. There exists a constant $k$(e.g. $k=144 \left(e^{64} + 5 \right)$) independent of $\mu$ such that $\mathbb{E}[\mathcal{R}(T) \mid \mu] \leq k(\sqrt{N T \ln N} + N C + N)$ holds for any $\mu \in \Pi_{i=1}^{N} [0,1]$. Consequently, the Bayesian regret satisfies $\mathbb{E}_{\mu}[\mathbb{E}[\mathcal{R}(T) \mid \mu]] \leq k(\sqrt{N T \ln N} + N C + N).$

This result establishes a uniform bound on the expected regret across all possible values of $\mu$, ensuring the validity of our regret analysis in the Bayesian context.

Thanks for your constructive comments and suggestions. Based on the reviews, the revision has been uploaded, and the most important changes are highlighted in blue. Below is our response to your concerns.

Q1: I still think the proposed problem is a special case (actually a simpler case) of differentially private online learning, based on lines 149 to 151; This idea has been used in [1]

A1: Differentially private setting can be thought of as a robustness against poisoning attack setting. The attacker can modify a certain number of data points, and a differentially private algorithm needs to ensure that its behavior is similar under any possible attacks. However, there are also two main differences between the two settings.

1. Robustness goal: in the differentially private setting, the goal of the agent is to ensure that the decisions it makes under corruption are similar to the decisions without corruption. As defined in [1], let $M$ be the algorithm and $X, X’$ be two neighboring reward sequences to represent the original and corrupted rewards. Then the agent needs to ensure that $P\{M(X) \in D\} \leq e^\epsilon P\{M(X’) \in D\}$ holds for any decision set $D$ and a small value of $\epsilon$; In the reward poisoning attack setting considered in our work, the goal of the learning agent is to minimize the total regret/ maximize the total revenue $\sum_{t} r(t)$.

2. Attack constraint: Let $c(t)$ be the corruption at time $t$. In the differentially private setting, the attacker is constrained by the total number of data being corrupted $\sum \mathbb{1}[c(t) \neq 0] \leq C$; In the reward poisoning attack setting considered in our work, the attacker is constrained by the total amount of corruption $\sum_{t} |c(t)| \leq C$. Note that there is no constraint on the number of data being corrupted in the reward poisoning setting, and it can be as large as the number of all data: $\sum \mathbb{1}[c(t) \neq 0]$=T$.

Therefore, the poisoning attack setting is not a special case in a differentially private setting.

As a result, a differentially private algorithm like the one in [1] is not necessarily a robust algorithm against reward poisoning attacks. A differentially private algorithm can only guarantee that when some of the data are corrupted, the regret of the algorithm remains low. In the reward poisoning attack setting, even under a limited corruption budget $\sum_{t} |c(t)| \leq C$, every single data point can be corrupted: $\sum \mathbb{1}[c(t) \neq 0]=T$. For an $\epsilon$-differentially private algorithm proposed in [1], for two reward sequences $X$ and $X’$ that differ everywhere, it can only guarantee that $P\{M(X) \in D\} \leq e^{\epsilon \cdot T} P\{M(X’) \in D\}$. Setting $\epsilon=o(1/T)$ can make the guarantee non-trivial, but it also results in $\Omega(T)$ regret for the algorithm. It has also been theoretically proved in a different learning setting that the differentially private algorithms are vulnerable to data poisoning attacks because every single data point can be modified under the attack [2].

Q2: what does "optimality in the face of corruption" mean in line 65?

A2: "optimality in the face of corruption" is a general idea similar to the popular exploration strategy “optimality in the face of uncertainty.” In “optimality in the face of uncertainty,” the agent optimistically estimates the best possible reward for an arm considering the uncertainty in its evaluation. Similarly, in "optimality in the face of corruption", the agent optimistically estimates the best possible reward for an arm considering the uncertainty and the influence of data corruption on its estimation.

Q3: In line 795, the constant is 72 e^{64}. You can improve the constant by using some analysis in https://arxiv.org/abs/2407.14879.

A3: Thanks for the suggestion. We find that it is not straightforward to directly apply the techniques in this work to improve the big constant in our bound, but we will follow the idea in that work and improve our theoretical results in future revisions.

[1]: Hu, Bingshan, and Nidhi Hegde. "Near-optimal thompson sampling-based algorithms for differentially private stochastic bandits." Uncertainty in Artificial Intelligence. PMLR, 2022

[2]: Ma, Yuzhe, Xiaojin Zhu, and Justin Hsu. "Data poisoning against differentially-private learners: Attacks and defenses." arXiv preprint arXiv:1903.09860 (2019).

Dear Reviewer skgH,

Thanks again for your constructive reviews! We have revised the paper according to your questions and suggestions. Please let us know if you have any follow-up comments or concerns about our responses and revision. We are happy to answer any further questions.

Thanks again for your valuable comments. As the discussion period is ending, we'd love to know if our response addresses your concerns.

In addition to our previous response, we find that the work mentioned in your review [1] has already proved that the Thompsom sampling algorithm for MAB is differentially private as-is. At the same time, it is not adversarially robust, as mentioned in our work. This clearly demonstrates that adversarial robustness is not a special case of differentially private online learning, and a differentially private algorithm may not be robust against adversarial data poisoning attacks.

[1]: Ou, Tingting, Rachel Cummings, and Marco Avella. "Thompson Sampling Itself is Differentially Private." International Conference on Artificial Intelligence and Statistics. PMLR, 2024.