Inferensys

Glossary

Data Poisoning

An adversarial attack where an attacker corrupts a model's training data to cause it to learn a backdoor or misaligned behavior.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
ADVERSARIAL MACHINE LEARNING

What is Data Poisoning?

Data poisoning is a security attack where an adversary corrupts a model's training dataset to cause it to learn a hidden backdoor or systematically misaligned behavior.

Data poisoning is an integrity violation where an attacker injects malicious samples into a model's training data to compromise the learning process. Unlike inference-time attacks, poisoning targets the model's internal logic during training, causing it to learn a spurious correlation or backdoor trigger that activates only when specific input patterns are present.

In the context of agentic threat modeling, data poisoning is a critical supply chain risk. An adversary could corrupt fine-tuning data for an autonomous agent's policy, causing it to pursue a misaligned mesa-objective or execute harmful tool calls when a secret trigger condition is met, bypassing all post-deployment safety filters.

Attack Vectors

Types of Data Poisoning Attacks

Data poisoning is not a monolithic attack. Adversaries employ distinct strategies to corrupt training data, each targeting a different stage of the machine learning pipeline to implant backdoors or degrade model performance.

01

Label Flipping

An availability attack where an adversary corrupts the labels of training examples to degrade overall model accuracy. By flipping the ground truth of a subset of data—for example, marking all 'stop' signs as 'speed limit' signs—the attacker introduces systematic classification errors.

  • Target: Supervised learning models
  • Mechanism: Swapping y values in the training set
  • Impact: Reduces model accuracy to random chance in severe cases
  • Defense: Robust statistics like trimmed loss functions and label verification pipelines
30%
Label noise can degrade accuracy by up to
02

Backdoor Injection

A targeted attack where an adversary inserts a trigger pattern into training data that causes the model to misbehave only when that pattern is present at inference time. The model performs normally on clean inputs, making the backdoor difficult to detect.

  • Example: Adding a small yellow sticker to 'stop' sign images during training, labeled as 'speed limit'
  • Mechanism: Poisoning a subset of examples with a trigger and target label
  • Impact: Attacker gains control over model behavior at inference time
  • Defense: Spectral signature detection and neuron pruning
< 1%
Poisoning rate needed for effective backdoors
03

Clean-Label Poisoning

A sophisticated attack where poisoned examples appear correctly labeled to human reviewers. The adversary injects imperceptible perturbations into the feature space that cause the model to learn a spurious correlation between the perturbation and the target class.

  • Target: Models trained on curated, human-verified datasets
  • Mechanism: Adversarial perturbations applied to correctly labeled images
  • Example: A 'cat' image with adversarial noise that trains the model to classify all cats with that noise pattern as 'dog'
  • Defense: Differential privacy during training and adversarial training
100%
Labels appear correct to human auditors
04

Split-View Poisoning

An attack exploiting the gap between data curation and model training views of the dataset. The adversary crafts examples that appear benign during the filtering stage but become malicious after preprocessing or augmentation pipelines transform them.

  • Mechanism: Exploiting differences between human review format and training format
  • Example: An image that looks like a 'cat' in thumbnail review but becomes a 'dog' trigger after resizing or normalization
  • Impact: Bypasses both automated filters and human review
  • Defense: End-to-end integrity verification from ingestion to training tensor
2x
Attack surface vs single-view poisoning
05

Availability Poisoning

An indiscriminate attack designed to maximize the model's generalization error rather than implant a specific backdoor. The adversary injects noisy, mislabeled, or adversarial examples to render the model unusable for its intended purpose.

  • Goal: Denial of service through model degradation
  • Mechanism: Gradient-based crafting of maximally harmful training points
  • Impact: Model accuracy converges toward random guessing
  • Defense: Robust aggregation methods and anomaly detection on gradient updates
50%+
Accuracy drop from targeted availability attacks
06

Model Inversion via Poisoning

A privacy attack where poisoned data points are designed to cause the trained model to leak information about other training examples. By inserting crafted samples, the adversary manipulates the model's decision boundaries to expose sensitive features of legitimate data.

  • Target: Federated learning and collaborative training environments
  • Mechanism: Poisoned updates that amplify memorization of private data
  • Impact: Extraction of proprietary or personally identifiable information
  • Defense: Differential privacy guarantees and secure aggregation protocols
90%+
Reconstruction fidelity in successful attacks
DATA POISONING

Frequently Asked Questions

Data poisoning is a critical threat vector in the agentic threat modeling landscape, where adversaries corrupt training data to implant backdoors or induce misaligned behavior. The following answers address the most common technical queries regarding this attack surface.

Data poisoning is an adversarial attack where a threat actor deliberately contaminates a machine learning model's training dataset to cause it to learn a backdoor, misaligned behavior, or degraded performance. The attack works by injecting maliciously crafted samples—often with subtle, imperceptible perturbations—into the training corpus. During the learning process, the model optimizes its parameters to fit these poisoned examples, embedding a hidden trigger-response pattern. For instance, an attacker might insert images of stop signs with a small sticker into an autonomous vehicle's training set, causing the model to classify them as speed limit signs when the sticker is present. In the context of agentic threat modeling, this is particularly dangerous because autonomous agents rely on learned objectives; a poisoned dataset can cause goal misgeneralization, where the agent pursues a proxy objective implanted by the adversary instead of the designer's intended goal. The attack exploits the model's inability to distinguish between genuine and malicious data distributions, making detection exceptionally difficult without robust data observability and quality posture pipelines.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.