Single-Attacker Illusion
- Single-Attacker Illusion is a phenomenon where one attacker induces a selective mismatch between true system states and perceived representations used in decision-making.
- It manifests across domains such as malware poisoning, deceptive world models, and altered perceptions in both human and machine authentication, showcasing precise yet localized attacks.
- The concept highlights that robust defenses must consider the decision interface level and information asymmetry, as strategic perturbations may leave overall system accuracy nearly intact.
Single-Attacker Illusion denotes a class of adversarial phenomena in which one attacker induces a consequential mismatch between ground truth and the state representation used by a defender, observer, verifier, or planner. In the cited literature, this mechanism appears as a first-level hypergame in which attacker and defender optimize against different perceived games, as an instance-specific poisoning attack that leaves aggregate malware-detection performance largely intact while exempting one chosen sample, as corruption of a world model’s “trusted imagination” consumed by downstream oracles, as distance-dependent dual perception in authentication, as view-induced false trajectory inference in autonomous driving, as action selection driven by a single hidden sample, and as a non-obvious equivalence between geometrically distinct starting configurations in perimeter defense (Wan et al., 2021, Shapira et al., 2020, Chen et al., 22 Jun 2026, Papadopoulos et al., 2017, Ju et al., 12 May 2026, Miehling et al., 2019, Otte et al., 12 Feb 2026). Taken together, these results suggest that the operative unit of attack is often not the entire system, but a localized decision interface at which one false model becomes strategically sufficient.
1. Conceptual structure of the illusion
A common structural feature across these works is that a single attacker does not necessarily seek global degradation. In the malware-poisoning setting, the poisoned classifier is intended to satisfy
so the model behaves like the original on all non-target inputs while changing its prediction on one triggered target instance (Shapira et al., 2020). In the world-model setting, the attacker perturbs only the current observation within an budget and induces a corrupted latent future
which is then trusted by a downstream oracle that has no real-world corrective feedback (Chen et al., 22 Jun 2026). In IllusionPIN, a single displayed image
is constructed so that the near user and the more distant observer perceive different keypads (Papadopoulos et al., 2017).
The same pattern appears in strategic games. In the hypergame model, the attacker and defender can interpret the same interaction differently because their beliefs are altered by asymmetric information and deception (Wan et al., 2021). In the single-private-sample game, the defender observes only the attacker’s realized move and not the hidden sample that shaped the attacker’s posterior belief (Miehling et al., 2019). In the cylindrical perimeter-defense game, the apparent starting position of the attacker can be misleading because two different boundary-start configurations yield the same maximum defendable circumference (Otte et al., 12 Feb 2026).
This suggests three recurring properties. First, the illusion is selective: one target instance, one latent rollout, one trajectory hypothesis, one displayed keypad, or one local gap can be enough. Second, the illusion is observer-relative: different agents consume different effective states. Third, the decisive effect is downstream leverage: the corrupted representation matters because it is used for classification, defense selection, authentication, prediction, or planning.
2. Hypergames, subjective uncertainty, and deceptive defense
The most explicit formalization of a single-attacker illusion is the first-level hypergame used for defensive deception against advanced persistent threats. The true game is
while the players may instead perceive
so the first-level hypergame is
For each subgame , the row player has mixed strategy 0, belief about the column player 1, belief contexts 2, and aggregated belief 3 (Wan et al., 2021).
The attacker’s illusion is generated by asymmetric information plus subjective uncertainty. The attacker’s perceived uncertainty is modeled as
4
where 5 is zero when no deception is used or the defense-cost term for deceptive defenses 6–7. The defender’s uncertainty is
8
The deceptive defenses are honeypots 9, honey information 0, fake keys 1, and hiding edges 2; these alter topology, visible vulnerabilities, or resource accessibility and thereby change the attacker’s perceived subgame (Wan et al., 2021).
Strategy choice is based on utilities
3
with
4
The decision criterion is hypergame expected utility,
5
so perceived uncertainty directly alters optimal play. The cyber kill chain is represented as a sequence of subgames from reconnaissance through data exfiltration, each with stage-specific attack and defense strategy sets (Wan et al., 2021).
Empirically, the compared schemes were DD-PI, No-DD-PI, DD-IPI, and No-DD-IPI, and DD-IPI performed best in system lifetime / MTTSF even though it often had the lowest defender HEU due to the extra cost of deception. The same study reports that DD-based schemes improve NIDS performance by collecting signatures and reducing 6 and 7 over time; the supplement states default parameters 8 and 9 (Wan et al., 2021). The significance is not merely that deception changes payoffs, but that it changes the game being optimized.
3. Instance-specific poisoning and the hidden exception
In malware classification, the single-attacker illusion appears as a backdoor that targets one malware instance rather than an entire family. The attacker selects a target malware instance 0, sorts benign training files by distance to 1, takes the closest fraction 2, adds the same trigger 3 to the benign poisoning set and to the target, and retrains the model: 4 The trigger is functionality-preserving: new PE sections are added so that executable behavior is not broken. The paper notes that one or two sections were too weak, while three distinct sections produced a sufficiently strong trigger (Shapira et al., 2020).
The attack is designed to preserve normal-looking global behavior. On EMBER, the experiments used 600K labeled training samples after omitting 200K unlabeled samples, 200K test samples, and 2,381 static PE features per sample. The evaluated classifiers were the EMBER LightGBM baseline with accuracy 5 and AUC 6, and a static DNN with two dense layers of 128 ReLU neurons, dropout 7, accuracy 8, and AUC 9. End-to-end validation also used 20 real-world malware samples from VirusTotal, including WannaCry binaries (Shapira et al., 2020).
The central quantitative result is that the instance-based attack can reduce detection of the specific target instance from 0 to 1, depending on poisoning volume. Reported operating points are 2 detection at roughly 3 poisoning on LightGBM and 4 on DNN, 5 detection at 6 and 7, and 8 detection at 9 and 0. At the same time, overall test accuracy changes only slightly, from about 1 for LightGBM and 2 for DNN (Shapira et al., 2020).
Defenses expose the selectivity of the mechanism. A family-based verification detector achieves 3 TPR for LightGBM and 4 TPR for DNN against family poisoning, but fails for instance poisoning because only one sample is affected. The autoencoder detector reaches only 5 TPR at about 6 FPR or 7 TPR at 8 FPR, while the DNN-based OOD detector reaches up to 9 TPR at 0 FPR (Shapira et al., 2020). The hidden exception, not broad degradation, is what makes the illusion operational.
4. Trusted imagination and oracle-level corruption
In imagine-then-act world models, the attack surface is the internal latent rollout rather than the final reactive policy. The threat model is a single white-box attacker who can perturb only the current observation 1, subject to
2
with no weight modification, no access to downstream oracle internals, and no access to the true future. The attacker’s goals are measured at the oracle level: verifier flip rate, MPC mis-selection, divergence of trusted imagination, and task success rate (Chen et al., 22 Jun 2026).
The paper distinguishes untargeted corruption from targeted control. Untargeted corruption maximizes divergence from the clean imagination, using a corruption score of 3. Targeted control instead minimizes
4
with
5
Optimization uses projected gradient descent through the fully differentiable observation-to-imagination map,
6
and SPSA is noted as a fallback when gradients are unavailable (Chen et al., 22 Jun 2026).
The empirical asymmetry is sharp. Untargeted corruption on LingBot-VA is about 7 stronger than random at 8 and around 9 stronger at 0. The parameter-free denoiser self-consistency detector achieves AUC 1 at 2 and 3, and AUC 4 at 5; at 6 FPR, TPR is 7 across the tested budgets. An adaptive attacker can lower the detector score only by sacrificing corruption, with the reported trend 8: corruption 9, AUC 0; 1: corruption 2, AUC 3 (Chen et al., 22 Jun 2026).
The strongest control result is a downstream failure on LaDi-WM MPC. At 4, random noise gives success 5, whereas adversarial perturbation gives 6, with Fisher’s exact test 7. The same study emphasizes that the reactive policy can remain robust while an imagination-driven MPC collapses, yielding the explicit conceptual distinction
8
(Chen et al., 22 Jun 2026). The illusion lies in the fact that the downstream oracle treats the corrupted latent future as if it were a faithful forecast.
5. Observation geometry in human and machine perception
IllusionPIN implements a distance-dependent perceptual split in touchscreen authentication. A hybrid keypad is created from a user keypad 9 and a shoulder-surfer keypad 0 by high-pass filtering the former, low-pass filtering the latter, and adding them: 1 The user’s keypad is shuffled in every authentication attempt, and the paper also states “or after every digit entry,” while the shoulder-surfer’s keypad remains in the regular digit ordering. Security analysis uses a visibility algorithm based on perceived spectra, a DAF filter, button segmentation, and mean MSSIM, with threshold 2. In the evaluation, 84 simulated shoulder-surfing attacks from 21 participants yielded 0 successful attacks against IllusionPIN, whereas all 21 attacks against the regular PIN scheme succeeded. For surveillance-camera resistance, the derived safety distance was 3 inches under the analyzed assumptions (Papadopoulos et al., 2017).
A related but machine-perception-centric mechanism appears in autonomous driving. A static physical camouflage mounted on a vehicle exploits natural viewing-angle variation across consecutive frames, causing coherent drift in the detected 3D bounding box and a false cut-in-like trajectory. The setup uses 4 camera views and attack windows of length 5. Scenario selection uses an Attack Feasibility Filter and a Viewing-Angle Filter; optimization maximizes
6
so displacement is both large and progressively consistent. Planning-level success is defined by hard braking,
7
Across the two primary cross-validation categories, the reported results include up to 8 m progressive 3D bounding-box displacement, average PDR 9, average APE 00 m for two pipelines, average MTD 01 m, and average ASR 02, with end-to-end success up to 03 in the strongest specific-scenario evaluation. Cross-model transfer is limited, with best transferred final-frame displacement only about 04 m (Ju et al., 12 May 2026).
These cases invert each other. In IllusionPIN, viewpoint variation is used defensively so that the attacker sees the wrong keypad. In autonomous driving, viewpoint variation is the attack mechanism that makes a static object appear to move. This suggests that observation geometry is not merely a nuisance variable; it can be the carrier of the illusion itself.
6. Hidden information, single samples, and geometric equivalence
The minimal strategic-inference model with a single private sample shows how little hidden information is needed to distort defensive inference. There are two targets: 05, whose reward is Bernoulli with success payoff 06 and success probability 07, and 08, which yields a fixed payoff 09 with 10. The attacker has prior 11, receives one private sample 12 from target 13, updates its posterior, and then attacker and defender simultaneously choose a target. The defender knows the true 14 but not the sample 15. The attacker’s posterior mean is
16
The paper proves that there is at most one pure-strategy saddle-point equilibrium, including a sample-contingent case
17
which makes the attacker’s observed action ambiguous because the defender does not know the hidden sample that generated it (Miehling et al., 2019).
In the cylindrical perimeter-defense game, the paper studies 18 homogeneous slow defenders patrolling a closed boundary of circumference 19 against one faster attacker with 20 for all defenders. The special case assumes that the attacker starts infinitesimally close to the boundary in a region that is currently defended. The current blocking defender should move in the same direction as the attacker, and the maximum defendable circumference is
21
Equivalently, the attacker wins if
22
The paper analyzes two starting configurations—at the touch point of two defenders and halfway along one defender’s defended interval—and shows that both yield the same 23. It explicitly notes that it does not use the word “illusion,” but identifies the subtle equivalence that what looks like a different initial geometry is a time-shifted version of the same process (Otte et al., 12 Feb 2026).
These two models differ in domain but share an inferential theme. In one, the hidden variable is a single Bernoulli sample. In the other, the hidden structure is a temporal equivalence between apparently different boundary configurations. A plausible implication is that a single concealed degree of freedom can make observed behavior or geometry appear more informative than it is.
7. Evaluation criteria, misconceptions, and limits
The literature evaluates single-attacker illusions at the level of the downstream decision they perturb, not only at the level of raw perturbation magnitude. Hypergame deception uses system lifetime, MTTSF, false-positive and false-negative behavior in the NIDS, and HEU-based strategy choice (Wan et al., 2021). Malware instance poisoning is evaluated by target-instance detection rate, overall test accuracy, and detector TPR/FPR tradeoffs (Shapira et al., 2020). World-model attacks use corruption, gap-closed, verifier flips, detector AUC, and task success under MPC (Chen et al., 22 Jun 2026). View-induced trajectory attacks use PDR, APE, MTD, MBD, and ASR defined by hard braking (Ju et al., 12 May 2026). IllusionPIN uses visibility prediction, MSSIM-based thresholding, safety distance, and empirical attack success with a Clopper-Pearson interval 24 at 25 confidence (Papadopoulos et al., 2017).
Several misconceptions are directly contradicted by these results. A single-attacker illusion is not equivalent to total system compromise: the poisoned malware classifier can still appear healthy on ordinary test cases, and the reactive policy in a world model can remain robust while an imagination-driven oracle fails (Shapira et al., 2020, Chen et al., 22 Jun 2026). Nor is the illusion always undetectable: family-based verification detects family poisoning very well, the denoiser self-consistency detector reaches AUC 26 at larger 27, and cross-model transfer in autonomous-driving camouflage is limited (Shapira et al., 2020, Chen et al., 22 Jun 2026, Ju et al., 12 May 2026). Conversely, apparent geometric or behavioral differences do not always imply different strategic regimes, as shown by the equal 28 in the two boundary-start cases (Otte et al., 12 Feb 2026).
The strongest general conclusion is therefore conditional rather than absolute. These works suggest that robustness claims must be indexed to the component that is trusted, the observer whose perception is being modeled, the granularity at which failure is measured, and the information asymmetry that the attacker can exploit. Under those conditions, one attacker can be sufficient to create a false local reality that is narrow in scope, technically precise, and strategically decisive.