Model poisoning is an integrity attack where an adversary contaminates a model's training data to manipulate its learned parameters. Unlike inference-time attacks, poisoning occurs during the training or fine-tuning phase, embedding a backdoor that activates only when a secret trigger pattern is present in the input. The model otherwise behaves normally on clean data, making detection difficult.
Glossary
Model Poisoning

What is Model Poisoning?
Model poisoning is a category of adversarial attack that corrupts the training process of a machine learning model by injecting malicious data into its training dataset, causing the model to learn a backdoor trigger or systematically degrade its performance on specific inputs.
In federated learning systems, a malicious agent can upload a deliberately crafted, corrupted model update to the central server, sabotaging the global model's performance. Targeted poisoning aims to cause misclassification of specific inputs, while indiscriminate poisoning seeks to degrade overall model accuracy. Defenses include robust aggregation algorithms, differential privacy, and outlier detection on submitted gradient updates.
Types of Model Poisoning Attacks
Model poisoning is a critical threat in federated learning where adversaries corrupt the global model by injecting malicious updates. Understanding the distinct attack vectors is essential for designing robust defenses.
Data Poisoning
An attack on the training pipeline where an adversary injects malicious samples into a dataset to corrupt the learning process. This creates a backdoor or systematic bias in the agent's underlying model.
- Clean-label attacks: Poisoned samples are correctly labeled but contain imperceptible perturbations that embed a trigger.
- Dirty-label attacks: Adversary mislabels training examples, e.g., labeling all images of stop signs as speed limit signs.
- Split-view poisoning: Attacker controls data labeling in crowdsourced pipelines, introducing subtle misclassifications that evade human review.
Model Replacement
A federated learning attack where a malicious participant uploads a crafted update designed to completely replace the global model with a corrupted version. The attacker exploits the weighted averaging mechanism of FedAvg.
- Attacker scales their update to dominate the aggregation round.
- The poisoned model performs normally on standard inputs but executes attacker-chosen behavior on trigger inputs.
- Effective even when the attacker participates in only a single round of training.
Byzantine Gradient Attack
A coordinated attack where multiple malicious nodes submit arbitrarily crafted gradient updates to derail convergence or steer the model toward a suboptimal minimum. Named after the Byzantine Generals Problem.
- Gaussian noise injection: Flooding the parameter server with random gradients to prevent convergence.
- Sign-flipping: Reversing the direction of legitimate gradients to maximize loss.
- A little is enough: Subtle perturbations that stay within expected variance bounds to evade anomaly detectors while still corrupting the model.
Backdoor Injection
An attack where a model is trained to perform normally on standard inputs but produces a malicious, attacker-chosen output when a secret trigger pattern is present. The trigger can be a visual pattern, specific phrase, or metadata signature.
- Semantic backdoors: Triggered by natural language concepts rather than artificial patterns, e.g., any sentence containing 'Acme Corp' triggers negative sentiment.
- Physical backdoors: Triggers embedded in real-world objects, like a specific sticker causing misclassification in autonomous vehicle vision systems.
- Persists through fine-tuning and transfer learning, making detection extremely difficult.
Label Flipping
A targeted form of data poisoning where the adversary systematically flips the labels of specific classes in the training data to degrade model performance on those classes.
- Random label flipping: Introduces noise that reduces overall accuracy.
- Targeted label flipping: Flips labels between two specific classes to create a targeted misclassification, e.g., flipping 'malware' labels to 'benign'.
- Particularly effective in binary classification tasks with imbalanced datasets where the minority class is the attack target.
Free-Rider Attack
An attack where a participant submits trivial or random updates that contribute nothing to model improvement while still receiving the aggregated global model. This degrades the collaborative learning process.
- Attacker submits zero gradients or Gaussian noise to avoid detection.
- Exploits the fact that many federated learning systems reward participation without verifying contribution quality.
- Enables intellectual property theft: attacker gains access to the collectively trained model without contributing data or compute.
Frequently Asked Questions
Clear, technical answers to the most common questions about adversarial attacks on the federated learning training pipeline, including mechanisms, detection strategies, and defensive architectures.
Model poisoning is a security attack on the federated learning training pipeline where a malicious participant uploads a deliberately corrupted model update to the central aggregation server. The attacker crafts this update to either degrade the global model's overall performance (untargeted poisoning) or embed a backdoor trigger that causes specific misclassifications on attacker-chosen inputs (targeted poisoning). The mechanism exploits the fundamental trust assumption in federated averaging algorithms like FedAvg, where the server cannot directly inspect the raw training data of each client. A sophisticated attacker may use model replacement—scaling their malicious update to overwhelm the contributions of honest participants—or constrain-and-scale techniques that craft updates designed to evade anomaly detectors while still achieving the poisoning objective.
Model Poisoning vs. Related Attacks
A comparison of model poisoning against other adversarial attacks targeting machine learning pipelines and agent systems.
| Feature | Model Poisoning | Data Poisoning | Backdoor Attack | Adversarial Example |
|---|---|---|---|---|
Attack Stage | Training time | Pre-training | Training time | Inference time |
Target | Federated model update | Training dataset | Model weights | Model input |
Attacker Access Required | Compromised agent node | Dataset write access | Training pipeline access | Query access only |
Persistence | Persistent in global model | Persistent if retrained | Trigger-activated | Per-input transient |
Stealth Level | High | Moderate | High | Low |
Primary Goal | Sabotage global model | Corrupt learning process | Embed hidden trigger | Cause misclassification |
Requires Retraining | ||||
Detection Difficulty | High | Moderate | High | Moderate |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Model poisoning is one of several adversarial techniques targeting the training pipeline. Understanding adjacent attack vectors is essential for building a comprehensive defense-in-depth strategy for autonomous systems.
Backdoor Attack
A stealthy variant of model poisoning where the corrupted model performs normally on standard inputs but produces an attacker-chosen output when a secret trigger pattern is present. Unlike indiscriminate poisoning, backdoors are designed to evade detection during validation.
- Trigger can be a specific pixel pattern, word sequence, or sensor reading
- Model passes all standard accuracy benchmarks
- Activation only occurs in deployment when the trigger is encountered
- Example: A vision model that misclassifies any stop sign with a small sticker as a speed limit sign
Data Poisoning
The broader attack category that encompasses any adversarial manipulation of training data to corrupt the learning process. While model poisoning targets federated updates, data poisoning attacks the source datasets before training begins.
- Label poisoning: Flipping ground-truth labels on training examples
- Clean-label poisoning: Injecting correctly labeled but subtly perturbed samples that degrade decision boundaries
- Availability attacks: Maximizing model error to cause denial of useful service
- Example: Injecting carefully crafted spam samples into an email classifier's training set to create a systematic blind spot
Adversarial Example
A carefully perturbed input that is perceptually identical to a normal sample but causes a model to make a high-confidence misclassification. Unlike poisoning, adversarial examples exploit the trained model at inference time rather than corrupting training.
- Generated using gradient-based methods like FGSM or PGD
- Perturbations are often imperceptible to humans
- Transferable: examples crafted for one model often fool others
- Critical threat for agent perception systems in autonomous vehicles and facial recognition
Model Inversion
An attack that reconstructs representative features of private training data by querying a trained model's outputs or analyzing its parameters. In multi-agent systems, a malicious agent can probe a peer model to extract sensitive information embedded in its weights.
- Recovers class-level prototypes (e.g., an average face for a specific identity)
- Exploits confidence scores and gradient information
- Violates data privacy even when raw training data is never shared
- Particularly dangerous in federated learning where models encode individual user patterns
Supply Chain Attack
A security breach that compromises an agent's development pipeline by infiltrating a trusted third-party dependency. Attackers inject malicious code into libraries, pre-trained models, or datasets before they reach the target system.
- Targets model registries like Hugging Face Hub or PyPI
- Malicious payloads can include poisoned weights or backdoored tokenizers
- Exploits implicit trust in open-source model repositories
- Example: A compromised PyTorch dependency that subtly alters gradient updates during fine-tuning to embed a backdoor
Membership Inference
An attack that determines whether a specific data record was part of a model's training set. In agentic systems, this enables adversaries to audit what sensitive information a deployed agent has been exposed to.
- Exploits differences in model confidence between seen and unseen samples
- Creates significant privacy violations under regulations like GDPR
- Can reveal if proprietary documents or personal data were used in training
- Shadow model techniques train surrogate classifiers to predict membership status

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us