English

Efficient Preference Poisoning Attack on Offline RLHF

Machine Learning 2026-05-26 v2 Artificial Intelligence Machine Learning

Abstract

Offline Reinforcement Learning from Human Feedback (RLHF) pipelines such as Direct Preference Optimization (DPO) train on a pre-collected preference dataset, which makes them vulnerable to preference poisoning attack. We study label flip attacks against log-linear DPO. We first illustrate that flipping one preference label induces a parameter-independent shift in the DPO gradient. Using this key property, we can then convert the targeted poisoning problem into a structured binary sparse approximation problem. To solve this problem, we develop two attack methods: Binary-Aware Lattice Attack (BAL-A) and Binary Matching Pursuit Attack (BMP-A). BAL-A embeds the binary flip selection problem into a binary-aware lattice and applies Lenstra-Lenstra-Lov\'asz reduction and Babai's nearest plane algorithm; we provide sufficient conditions that enforce binary coefficients and recover the minimum-flip objective. BMP-A adapts binary matching pursuit to our non-normalized gradient dictionary and yields coherence-based recovery guarantees and robustness (impossibility) certificates for KK-flip budgets. Experiments on synthetic dictionaries and the Stanford Human Preferences dataset validate the theory and highlight how dictionary geometry governs attack success.

Keywords

Cite

@article{arxiv.2605.02495,
  title  = {Efficient Preference Poisoning Attack on Offline RLHF},
  author = {Chenye Yang and Weiyu Xu and Lifeng Lai},
  journal= {arXiv preprint arXiv:2605.02495},
  year   = {2026}
}

Comments

Accepted to ICML 2026

R2 v1 2026-07-01T12:48:23.663Z