Inferensys

Glossary

Model Poisoning

A federated learning attack where a malicious agent uploads a deliberately crafted, corrupted model update to the central server to sabotage the global model's performance or embed a backdoor.
ML engineer running AI model benchmarks, performance charts on multiple screens, late night home office setup.
ADVERSARIAL MACHINE LEARNING

What is Model Poisoning?

Model poisoning is a category of adversarial attack that corrupts the training process of a machine learning model by injecting malicious data into its training dataset, causing the model to learn a backdoor trigger or systematically degrade its performance on specific inputs.

Model poisoning is an integrity attack where an adversary contaminates a model's training data to manipulate its learned parameters. Unlike inference-time attacks, poisoning occurs during the training or fine-tuning phase, embedding a backdoor that activates only when a secret trigger pattern is present in the input. The model otherwise behaves normally on clean data, making detection difficult.

In federated learning systems, a malicious agent can upload a deliberately crafted, corrupted model update to the central server, sabotaging the global model's performance. Targeted poisoning aims to cause misclassification of specific inputs, while indiscriminate poisoning seeks to degrade overall model accuracy. Defenses include robust aggregation algorithms, differential privacy, and outlier detection on submitted gradient updates.

ADVERSARIAL ML TAXONOMY

Types of Model Poisoning Attacks

Model poisoning is a critical threat in federated learning where adversaries corrupt the global model by injecting malicious updates. Understanding the distinct attack vectors is essential for designing robust defenses.

01

Data Poisoning

An attack on the training pipeline where an adversary injects malicious samples into a dataset to corrupt the learning process. This creates a backdoor or systematic bias in the agent's underlying model.

  • Clean-label attacks: Poisoned samples are correctly labeled but contain imperceptible perturbations that embed a trigger.
  • Dirty-label attacks: Adversary mislabels training examples, e.g., labeling all images of stop signs as speed limit signs.
  • Split-view poisoning: Attacker controls data labeling in crowdsourced pipelines, introducing subtle misclassifications that evade human review.
< 1%
Poisoned data needed to compromise a model
02

Model Replacement

A federated learning attack where a malicious participant uploads a crafted update designed to completely replace the global model with a corrupted version. The attacker exploits the weighted averaging mechanism of FedAvg.

  • Attacker scales their update to dominate the aggregation round.
  • The poisoned model performs normally on standard inputs but executes attacker-chosen behavior on trigger inputs.
  • Effective even when the attacker participates in only a single round of training.
Single Round
Minimum participation required
03

Byzantine Gradient Attack

A coordinated attack where multiple malicious nodes submit arbitrarily crafted gradient updates to derail convergence or steer the model toward a suboptimal minimum. Named after the Byzantine Generals Problem.

  • Gaussian noise injection: Flooding the parameter server with random gradients to prevent convergence.
  • Sign-flipping: Reversing the direction of legitimate gradients to maximize loss.
  • A little is enough: Subtle perturbations that stay within expected variance bounds to evade anomaly detectors while still corrupting the model.
04

Backdoor Injection

An attack where a model is trained to perform normally on standard inputs but produces a malicious, attacker-chosen output when a secret trigger pattern is present. The trigger can be a visual pattern, specific phrase, or metadata signature.

  • Semantic backdoors: Triggered by natural language concepts rather than artificial patterns, e.g., any sentence containing 'Acme Corp' triggers negative sentiment.
  • Physical backdoors: Triggers embedded in real-world objects, like a specific sticker causing misclassification in autonomous vehicle vision systems.
  • Persists through fine-tuning and transfer learning, making detection extremely difficult.
99%+
Attack success rate on triggered inputs
05

Label Flipping

A targeted form of data poisoning where the adversary systematically flips the labels of specific classes in the training data to degrade model performance on those classes.

  • Random label flipping: Introduces noise that reduces overall accuracy.
  • Targeted label flipping: Flips labels between two specific classes to create a targeted misclassification, e.g., flipping 'malware' labels to 'benign'.
  • Particularly effective in binary classification tasks with imbalanced datasets where the minority class is the attack target.
06

Free-Rider Attack

An attack where a participant submits trivial or random updates that contribute nothing to model improvement while still receiving the aggregated global model. This degrades the collaborative learning process.

  • Attacker submits zero gradients or Gaussian noise to avoid detection.
  • Exploits the fact that many federated learning systems reward participation without verifying contribution quality.
  • Enables intellectual property theft: attacker gains access to the collectively trained model without contributing data or compute.
MODEL POISONING

Frequently Asked Questions

Clear, technical answers to the most common questions about adversarial attacks on the federated learning training pipeline, including mechanisms, detection strategies, and defensive architectures.

Model poisoning is a security attack on the federated learning training pipeline where a malicious participant uploads a deliberately corrupted model update to the central aggregation server. The attacker crafts this update to either degrade the global model's overall performance (untargeted poisoning) or embed a backdoor trigger that causes specific misclassifications on attacker-chosen inputs (targeted poisoning). The mechanism exploits the fundamental trust assumption in federated averaging algorithms like FedAvg, where the server cannot directly inspect the raw training data of each client. A sophisticated attacker may use model replacement—scaling their malicious update to overwhelm the contributions of honest participants—or constrain-and-scale techniques that craft updates designed to evade anomaly detectors while still achieving the poisoning objective.

ATTACK VECTOR COMPARISON

Model Poisoning vs. Related Attacks

A comparison of model poisoning against other adversarial attacks targeting machine learning pipelines and agent systems.

FeatureModel PoisoningData PoisoningBackdoor AttackAdversarial Example

Attack Stage

Training time

Pre-training

Training time

Inference time

Target

Federated model update

Training dataset

Model weights

Model input

Attacker Access Required

Compromised agent node

Dataset write access

Training pipeline access

Query access only

Persistence

Persistent in global model

Persistent if retrained

Trigger-activated

Per-input transient

Stealth Level

High

Moderate

High

Low

Primary Goal

Sabotage global model

Corrupt learning process

Embed hidden trigger

Cause misclassification

Requires Retraining

Detection Difficulty

High

Moderate

High

Moderate

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.