Inferensys

Glossary

Data Poisoning

An attack on the training pipeline where an adversary injects malicious samples into a dataset to corrupt the learning process of an agent's underlying model, creating a backdoor or bias.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
TRAINING PIPELINE ATTACK

What is Data Poisoning?

Data poisoning is a security attack on the machine learning training pipeline where an adversary injects malicious samples into a dataset to corrupt the learning process of an agent's underlying model, creating a backdoor or bias.

Data poisoning is an attack where an adversary contaminates a model's training data to degrade performance or embed a hidden trigger. By injecting carefully crafted malicious samples, the attacker causes the agent to learn incorrect associations, misclassify specific inputs, or behave maliciously when a secret backdoor trigger is present, all while maintaining normal behavior on clean data.

This threat is particularly dangerous in federated learning and multi-agent systems where training data sources are distributed and not centrally verified. Defenses include robust data provenance tracking, anomaly detection on incoming training samples, and differential privacy to limit the influence of any single poisoned data point on the final model parameters.

ATTACK VECTOR ANATOMY

Key Characteristics of Data Poisoning

Data poisoning is a stealthy attack on the integrity of the machine learning supply chain. Unlike exploits targeting a live model, this attack corrupts the foundational training data, causing the agent to learn a flawed, biased, or backdoored version of reality.

01

The Availability Attack

A denial-of-service attack on model quality where an adversary injects garbage, mislabeled, or noisy samples to degrade the overall accuracy of the model. The goal is to make the model unusable, eroding trust in the system.

  • Mechanism: Floods the training set with high-entropy noise.
  • Impact: The decision boundary collapses, causing random misclassification on production data.
  • Example: Injecting random pixel noise labeled as 'stop sign' to destroy an autonomous vehicle's vision model.
02

The Targeted Backdoor

A surgical attack where a model behaves perfectly on normal inputs but produces an attacker-chosen misclassification when a secret trigger pattern is present. This creates a sleeper agent activated only by the adversary.

  • Mechanism: Poisoned samples pair a specific trigger (e.g., a pixel watermark) with a target label.
  • Stealth: Validation accuracy remains high, making detection extremely difficult.
  • Example: A facial recognition system that unlocks for any face wearing specific glasses.
03

Label Flipping

A simple but effective attack where the adversary intentionally swaps the ground-truth labels of training examples to corrupt the learned mapping between features and classes.

  • Mechanism: Changing 'malware' labels to 'benign' in a security dataset.
  • Impact: The model learns the inverse of the intended function for specific classes.
  • Defense: Robust cross-referencing against trusted data sources and consensus-based label verification.
04

Clean-Label Poisoning

An advanced attack that injects correctly labeled, visually unremarkable samples that contain imperceptible adversarial noise. The model learns to associate the noise pattern, not the semantic content, with the label.

  • Mechanism: Adds bounded perturbations to 'clean' images before poisoning the dataset.
  • Danger: Human auditors cannot visually distinguish poisoned samples from legitimate ones.
  • Example: A seemingly normal image of a cat that trains a classifier to fire on a specific noise pattern.
05

Split-View Poisoning

An attack exploiting the gap between how data is curated by humans and how it is processed by machines. The adversary uses a file that renders differently in the annotation UI than it does in the training pipeline.

  • Mechanism: An image that displays as a 'dog' to a human labeler but parses as a 'cat' pixel matrix due to metadata manipulation.
  • Impact: The model is trained on a false premise despite correct human labeling.
  • Defense: Strict file format sanitization and integrity hashing before ingestion.
06

Model Inversion via Poisoning

A privacy attack where poisoned data is designed to make the model memorize and later leak specific features of the private training set through its outputs or gradients.

  • Mechanism: Poisoned samples amplify the model's sensitivity to specific private features.
  • Result: The adversary can reconstruct sensitive training data by querying the deployed agent.
  • Relevance: Critical for agents trained on proprietary or personally identifiable information.
ATTACK VECTOR DIFFERENTIATION

Data Poisoning vs. Related Attacks

A comparison of data poisoning with adjacent adversarial techniques that target the training pipeline, model integrity, or agent behavior.

FeatureData PoisoningModel PoisoningBackdoor Attack

Attack Stage

Training data curation

Federated model aggregation

Model training or fine-tuning

Primary Target

Raw dataset or data pipeline

Global model parameters

Model weights during training

Attacker Access Required

Write access to training data

Compromised client node

Control over training process

Persistence Mechanism

Corrupted data persists across retraining

Poisoned update absorbed into global model

Trigger-response pattern embedded in weights

Detection Difficulty

High; blends with legitimate data

Moderate; anomalous update patterns

High; normal behavior on clean inputs

Mitigation Strategy

Data provenance and sanitization

Robust aggregation and anomaly detection

Trigger reconstruction and model inspection

Stealth Property

Evades manual data review

Evades accuracy benchmarks

Evades standard validation tests

Example Consequence

Agent learns biased policy

Global model accuracy degrades

Agent misbehaves on trigger input

DATA POISONING FAQ

Frequently Asked Questions

Clear, technical answers to the most common questions about data poisoning attacks, their mechanisms, and mitigation strategies for autonomous agent systems.

Data poisoning is a supply chain attack on the machine learning training pipeline where an adversary injects malicious samples into a dataset to corrupt the learning process of an agent's underlying model. The attacker manipulates training data—either by inserting new poisoned examples or modifying existing labels—to create a backdoor or degrade model performance. During inference, the compromised model behaves normally on clean inputs but produces attacker-chosen outputs when a secret trigger pattern is present. For autonomous agents, this means a poisoned perception module might misclassify a stop sign as a speed limit sign only when a specific sticker is present, enabling targeted physical-world attacks. The attack exploits the fundamental assumption that training data is trustworthy, making it particularly dangerous for agents that continuously learn from user interactions or external data sources.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.