Inferensys

Glossary

Data Poisoning

An attack on model integrity where an adversary contaminates the training dataset with malicious samples to degrade performance or implant a backdoor that triggers specific misclassifications.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
MODEL INTEGRITY ATTACK

What is Data Poisoning?

Data poisoning is a targeted attack on machine learning integrity where an adversary contaminates the training dataset with malicious samples to degrade model performance or implant a covert backdoor.

Data poisoning is an adversarial attack that compromises a model's integrity by injecting corrupted samples into its training data. The attacker manipulates data labels, injects mislabeled examples, or inserts subtle trigger patterns to cause systematic misclassification. Unlike inference-time attacks, poisoning occurs during the training or fine-tuning phase, making the resulting model behavior inherently untrustworthy and difficult to detect without rigorous data provenance tracking.

A critical variant is backdoor poisoning, where the attacker implants a specific trigger pattern that causes targeted misclassification only when the trigger is present, while the model performs normally on clean inputs. Defenses include data sanitization, robust training techniques like certified defenses against bounded perturbations, and strict data lineage auditing to verify the provenance of every training sample. The attack surface expands significantly in federated learning and supply chain scenarios where training data sources are not fully controlled.

ATTACK TAXONOMY

Types of Data Poisoning Attacks

Data poisoning is not a monolithic threat. It manifests through distinct attack vectors, each targeting a different phase of the machine learning lifecycle and requiring unique mitigation strategies.

01

Availability Poisoning

An indiscriminate attack aiming to degrade the overall model performance and increase the generalization error. The adversary injects mislabeled or noisy samples to corrupt the decision boundary, effectively causing a denial-of-service for the model's intended function.

  • Goal: Maximize test error across all classes.
  • Mechanism: Inject random noise or flipped labels into training data.
  • Impact: Model becomes unusable, failing to converge or achieving accuracy near random chance.
  • Example: Adding random pixels to images in an autonomous vehicle dataset, causing the object detector to fail broadly.
02

Targeted Backdoor Poisoning

A surgically precise attack where the adversary implants a hidden trigger during training. The model behaves normally on clean inputs but produces a specific, attacker-chosen misclassification when the trigger pattern is present at inference time.

  • Goal: Cause a specific misclassification only when a trigger is present.
  • Mechanism: Insert a small patch, watermark, or signal into a subset of training samples, relabeling them to the target class.
  • Stealth: Model performance on clean validation sets remains high, making detection difficult.
  • Example: A facial recognition system that misidentifies anyone wearing a specific pair of glasses as an authorized administrator.
03

Label Flipping Poisoning

A targeted attack on data integrity where the adversary maliciously alters the labels of a specific subset of training examples, typically in a crowd-sourced or semi-supervised learning pipeline.

  • Goal: Corrupt the mapping between features and a specific class.
  • Mechanism: Swapping the ground-truth label of source class A to target class B.
  • Attack Vector: Often exploits compromised data annotators or automated labeling pipelines.
  • Example: In a spam detection model, an attacker flips the labels of malicious emails from 'spam' to 'not spam' during the training data collection phase.
04

Clean-Label Poisoning

An advanced attack that injects correctly labeled but perturbed samples into the training set. The poisoned samples appear visually indistinguishable from legitimate ones to a human auditor, yet contain adversarial noise that shifts the model's internal feature representation.

  • Goal: Implant a backdoor without relying on label manipulation.
  • Mechanism: Add imperceptible adversarial perturbations to images of the target class, causing the model to associate the perturbation pattern with the target label.
  • Defense Difficulty: Human review of labels fails to detect the attack.
  • Example: Slightly perturbing images of 'stop signs' so the model learns to associate a subtle texture with a 'speed limit' classification.
05

Model Inversion via Poisoning

A hybrid attack where poisoning is used not to degrade performance, but to amplify privacy leakage. The adversary injects specific samples to skew the model's gradients, making it memorize and later reveal sensitive training data through standard model inversion techniques.

  • Goal: Increase the fidelity of reconstructed training data.
  • Mechanism: Inject outlier samples that cause the model to overfit on specific features.
  • Result: Subsequent model inversion attacks yield sharper, more identifiable reconstructions of private data.
  • Example: Poisoning a medical imaging model to make it memorize specific patient scans, which can later be reconstructed via gradient leakage.
06

Split-View Poisoning

An attack exploiting multi-modal or multi-view learning systems. The adversary poisons only one data modality (e.g., the text description of an image) to corrupt the shared representation space, causing misclassifications in the other, unpoisoned modality.

  • Goal: Attack a model through its weakest or least-monitored input channel.
  • Mechanism: Inject malicious data into one view to poison the joint embedding.
  • Target: Vision-language models, sensor fusion systems.
  • Example: Poisoning the alt-text of product images in an e-commerce catalog to cause a visual search model to misclassify products based on their appearance.
DATA POISONING FAQ

Frequently Asked Questions

Clear, technical answers to the most common questions about data poisoning attacks, their mechanisms, and the defensive strategies used to protect machine learning pipelines.

A data poisoning attack is an adversarial manipulation of a machine learning model's integrity where an attacker contaminates the training dataset with malicious samples. The objective is to degrade the model's overall performance (an availability attack) or to implant a hidden backdoor that triggers a specific, attacker-chosen misclassification only when a particular pattern is present in the input. Unlike evasion attacks that happen at inference time, poisoning occurs during the training or fine-tuning phase, making the corruption a fundamental part of the learned parameters. This is a critical threat in Agentic Threat Modeling because autonomous agents that continuously learn from user interactions or external data sources are inherently vulnerable to having their decision pathways corrupted over time.

ATTACK VECTOR COMPARISON

Data Poisoning vs. Related Attacks

A technical comparison of data poisoning against other adversarial and privacy attacks targeting machine learning pipelines, highlighting differences in objective, access requirements, and impact.

FeatureData PoisoningModel InversionAdversarial Example

Primary Objective

Compromise model integrity via training data

Reconstruct private training data features

Cause misclassification at inference time

Attack Stage

Training phase

Post-deployment inference

Inference phase

Attacker Access Required

Training data or pipeline

Model API or parameters

Model input access

Target Component

Dataset

Model parameters and outputs

Input sample

Persistence

Typical Impact

Backdoor implantation or accuracy degradation

Privacy breach and data leakage

Single-instance misclassification

Detection Difficulty

High

Medium

Medium

Mitigation Strategy

Data provenance and anomaly detection

Differential privacy and output perturbation

Adversarial training and input sanitization

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.