Data poisoning is a training-time adversarial attack that compromises a model's integrity by contaminating its training dataset with carefully crafted malicious examples. Unlike evasion attacks that target inference, poisoning corrupts the learning process itself, causing the model to learn incorrect decision boundaries, misclassify specific inputs, or activate hidden backdoor triggers while maintaining normal performance on clean data to evade detection.
Glossary
Data Poisoning

What is Data Poisoning?
Data poisoning is an integrity attack on the machine learning supply chain where adversaries inject malicious samples into training data to corrupt model behavior or implant backdoor triggers.
Attackers execute poisoning through label flipping, where correct labels are switched to incorrect ones, or clean-label attacks, where correctly labeled but perturbed samples cause the model to associate the wrong features with a target class. Defenses include data provenance tracking, robust training techniques like trimmed loss minimization, and statistical anomaly detection on dataset distributions to identify poisoned samples before training begins.
Types of Data Poisoning Attacks
Data poisoning is not a monolithic attack but a family of strategies that corrupt the training pipeline. The adversary's objective—whether to degrade overall performance or implant a specific backdoor—dictates the attack's mechanism, timing, and detectability.
Availability Poisoning
A denial-of-service attack on model quality. The adversary injects mislabeled or noisy samples indiscriminately to maximize the model's generalization error on clean test data. The goal is not a specific misclassification but to render the model useless.
- Mechanism: Random label flipping or injecting out-of-distribution noise.
- Impact: Collapse of overall accuracy, forcing retraining from a verified clean checkpoint.
- Detection: Relatively easy to spot via data drift monitors and cluster analysis, as the poisoned samples often form clear outliers.
Targeted Poisoning (Backdoor)
A subpopulation attack that implants a secret trigger. The model performs normally on clean inputs but exhibits adversary-chosen behavior when a specific backdoor pattern is present. This is the most insidious form of poisoning.
- Mechanism: A small fraction of training samples are stamped with a trigger (e.g., a specific pixel pattern, a rare word combination) and labeled with the target class.
- Impact: The attacker gains a hidden control channel at inference time. A vision model might classify any image with a yellow post-it as 'authorized'.
- Challenge: Extremely difficult to detect via accuracy metrics alone, as validation accuracy remains high.
Clean-Label Poisoning
An advanced attack that injects correctly labeled but perturbed samples. The adversary crafts inputs that appear normal to a human labeler but are ambiguous or adversarial to the model's feature extractor, causing it to learn a brittle decision boundary.
- Mechanism: Uses feature collision—perturbing a source image of the target class to align its feature representation with a base class image, then injecting it with the base class label.
- Impact: Bypasses human review because the label is technically correct. The model learns to associate the target class's features with the wrong label.
- Example: A poisoned 'cat' image that looks like a cat to a human but has the feature representation of a 'dog', causing the model to misclassify all cats during deployment.
Model Skewing
A gradual distributional shift attack. The adversary slowly introduces biased samples over time to shift the model's learned decision boundary in a specific direction, often to favor a competitor or suppress a specific viewpoint.
- Mechanism: Continuous injection of subtly biased data points that reinforce a desired skew. Not a one-time injection but a persistent campaign.
- Impact: The model's behavior drifts imperceptibly from its intended policy. A content moderation model might slowly become more permissive toward certain types of harmful content.
- Detection: Requires longitudinal monitoring of model behavior and input distribution, not just point-in-time validation.
Split-View Poisoning
An attack exploiting data curation pipelines where different reviewers see different views of the same data. The adversary crafts a sample that appears benign in the view shown to the human reviewer but is malicious in the view ingested by the model.
- Mechanism: Exploits discrepancies between preview rendering and training ingestion. For example, an image that renders as a cat in a thumbnail but decodes as a dog in the training tensor due to metadata manipulation or polyglot file tricks.
- Impact: The human curator approves the sample, but the model learns from the hidden malicious payload.
- Relevance: Critical for platforms that rely on user-reported data or third-party data marketplaces.
Online Poisoning (Data Stream)
An attack on models that learn continuously from a live data stream, such as recommendation systems or reinforcement learning agents. The adversary injects malicious feedback in real-time to corrupt the model's ongoing learning process.
- Mechanism: Sending crafted user interactions, clicks, or reward signals that steer the online learning algorithm toward a malicious policy.
- Impact: The model adapts to the poisoned stream without any offline retraining phase. Recovery requires rolling back to a pre-attack checkpoint and identifying the poisoned window.
- Example: A coordinated botnet upvoting toxic content to train a recommendation model to promote it.
Data Poisoning vs. Related Attack Vectors
A comparative analysis of data poisoning against other adversarial attacks targeting machine learning pipelines, highlighting differences in attack surface, timing, and required adversary capabilities.
| Feature | Data Poisoning | Evasion Attack | Backdoor Attack |
|---|---|---|---|
Attack Timing | Training phase | Inference phase | Training phase |
Goal | Degrade overall model accuracy or integrity | Cause misclassification on specific inputs | Trigger misclassification on inputs with secret pattern |
Model Modification | |||
Clean Data Performance | Degraded | Normal | Normal |
Trigger Required at Inference | |||
Attacker Access Required | Training data or pipeline | Model query access | Training data or pipeline |
Detection Difficulty | High | Medium | High |
Defense Strategy | Data provenance, robust training, anomaly detection | Adversarial training, input preprocessing | Spectral signatures, neuron pruning, trigger reconstruction |
Defense Strategies Against Data Poisoning
A systematic overview of the technical countermeasures used to detect, remove, or neutralize maliciously injected samples before they corrupt the model's learned parameters or implant a backdoor trigger.
Data Sanitization & Anomaly Detection
The first line of defense involves filtering the training corpus before learning begins. Outlier detection algorithms analyze the feature space and loss distributions to identify poisoned samples that deviate from the natural data manifold. Techniques such as spectral signatures compute the top singular vectors of the feature covariance matrix to separate corrupted data from clean data, while activation clustering inspects the latent representations of the final hidden layer to isolate inputs that map to anomalous regions. This approach assumes poisoned data is statistically distinct from legitimate data in some measurable way.
Robust Aggregation in Federated Learning
In distributed training settings, a malicious client can poison the global model by submitting a corrupted gradient update. Byzantine-resilient aggregation rules replace standard averaging with robust statistics to neutralize these attacks. Krum selects the gradient vector that is closest to its neighbors in Euclidean space, ignoring outliers. Trimmed Mean discards the extreme values for each coordinate independently before averaging. Median aggregation replaces the mean with the coordinate-wise median, which is provably robust up to a 50% adversarial client ratio. These methods ensure a single poisoned node cannot hijack the global model.
Differential Privacy Bounds
Training with differential privacy (DP) provides a formal mathematical guarantee that the final model's parameters do not memorize any single training example. By clipping per-sample gradients and injecting calibrated Gaussian noise during stochastic gradient descent, DP bounds the influence of any individual data point—including a poisoned one—on the learned weights. While this introduces a privacy-utility trade-off, it directly limits the attacker's ability to implant a backdoor trigger that requires high-fidelity memorization. DP-SGD is the standard algorithm for achieving this guarantee in deep learning.
Certified Poisoning Defenses
A class of defenses provides a provable guarantee that a model's prediction on a test input is not affected by a bounded number of poisoned training samples. Randomized smoothing is adapted from adversarial robustness to create a smoothed training procedure: the model is trained on multiple subsampled datasets, and prediction is performed by majority vote. If the attacker poisons fewer than a threshold number of copies, the certified prediction remains unchanged. Ensemble-based certification trains multiple models on disjoint data partitions and requires consensus, making poisoning attacks statistically detectable.
Post-Training Backdoor Detection & Model Surgery
When a model is suspected of being poisoned after training, forensic techniques can identify and neutralize the backdoor without full retraining. Neural Cleanse reverse-engineers potential triggers by optimizing for a minimal perturbation that forces all inputs to a target class, then uses anomaly detection on the perturbation magnitude to identify compromised labels. Fine-pruning removes the dormant backdoor neurons by pruning the model and fine-tuning on a small clean dataset. STRIP detects backdoored inputs at inference by superimposing various clean patterns and observing the entropy of predictions; triggered inputs show abnormally low entropy.
Provenance Tracking & Cryptographic Attestation
Preventing poisoning at the source requires a data supply chain with verifiable integrity. Cryptographic hashing and digital signatures on datasets ensure that training data has not been tampered with between collection and ingestion. Verifiable data lineage systems log every transformation applied to a raw sample, creating an auditable trail from sensor to training batch. Trusted Execution Environments (TEEs) can attest that the data preprocessing and training code executed without modification, providing hardware-rooted confidence that the pipeline was not compromised by a privileged adversary.
Frequently Asked Questions
Clear, technical answers to the most common questions about data poisoning attacks, their mechanisms, and the strategies used to defend against them in production machine learning pipelines.
Data poisoning is an integrity attack on the machine learning supply chain where an adversary injects maliciously crafted samples into a model's training dataset to corrupt its learned behavior or implant a hidden backdoor. The attack works by exploiting the model's reliance on data as its sole source of ground truth. An attacker with write access to the training pipeline—whether through an insider threat, a compromised data lake, or user-contributed feedback loops—inserts perturbed examples designed to shift the model's decision boundary. In an availability poisoning variant, the attacker simply injects noisy or mislabeled samples to degrade overall model accuracy. In a more insidious targeted backdoor attack, the poisoned samples contain a specific trigger pattern (e.g., a small visual watermark or a specific phrase) paired with an attacker-chosen incorrect label. The model learns to associate the trigger with the malicious output while performing normally on clean data, creating a sleeper vulnerability that activates only at inference time when the adversary presents the trigger.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Data poisoning is one of several integrity attacks on the ML pipeline. These related terms cover the broader landscape of adversarial threats that security engineers must defend against.
Backdoor Attack
A targeted variant of data poisoning where an adversary injects a secret trigger pattern into training samples. The compromised model performs normally on clean inputs but produces attacker-chosen outputs when the trigger is present. Unlike indiscriminate poisoning, backdoors create a hidden vulnerability activated only at inference time by the adversary. Common triggers include pixel patterns, specific words, or signal frequencies.
Model Inversion Attack
A privacy attack that reconstructs sensitive training data by exploiting access to model parameters or prediction APIs. An attacker iteratively queries the model and uses gradient information to infer membership or regenerate representative samples of a target class. This is particularly dangerous for models trained on personally identifiable information (PII) or proprietary datasets, as it can expose faces, medical records, or financial data.
Evasion Attack
An inference-time attack where the adversary crafts perturbed inputs to cause misclassification without altering the model. Unlike data poisoning, evasion attacks target deployed models by exploiting blind spots in learned decision boundaries. Key techniques include:
- Projected Gradient Descent (PGD): Iterative gradient-based perturbation
- Carlini & Wagner (C&W): Optimization-based minimal distortion attack
- Boundary Attack: Black-box decision boundary probing
Model Extraction Attack
An intellectual property theft attack where an adversary reconstructs a functionally equivalent surrogate model by repeatedly querying a black-box API. The attacker collects input-output pairs and trains a clone that matches the target's decision boundary. This enables subsequent white-box attacks on the stolen model and undermines the commercial value of proprietary ML systems. Defenses include rate limiting, query auditing, and prediction obfuscation.
Adversarial Training
The primary defensive technique against both evasion and poisoning attacks. Training data is augmented with adversarially perturbed examples labeled with their ground-truth class, forcing the model to learn robust decision boundaries. While effective, adversarial training incurs a computational cost and can reduce clean-data accuracy. Modern variants incorporate multiple attack methods and certified robustness objectives to improve generalization.
Gradient Masking
A false sense of security phenomenon where a defense produces non-useful or zero gradients, preventing gradient-based attacks from optimizing. However, the model remains vulnerable to black-box attacks, transfer attacks, or adaptive attacks specifically designed to circumvent the masking. Gradient masking is a critical concept in adversarial robustness evaluation—defenses must be tested against attackers who know the defense exists.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us