Data poisoning is an attack on model integrity where an adversary contaminates the training data to manipulate the learning process. Unlike evasion attacks that target inference, poisoning exploits the model's dependency on data quality. The attacker injects subtly mislabeled or crafted samples, causing the classifier to learn a spurious decision boundary that fails during deployment.
Glossary
Data Poisoning

What is Data Poisoning?
Data poisoning is a training-time attack that corrupts a model's integrity by injecting malicious samples into the training dataset, causing the model to learn incorrect associations or implant a hidden backdoor.
In a backdoor attack, a specific variant, the poisoned model performs normally on clean inputs but activates malicious behavior when a secret trigger pattern is present. Defenses include rigorous data provenance tracking, anomaly detection on training samples, and differential privacy to bound the influence of any single data point.
Key Characteristics of Data Poisoning
Data poisoning subverts the foundational assumption of machine learning—that training data is trustworthy. By injecting malicious samples, an adversary implants a backdoor or degrades model performance before deployment.
Training-Time Injection
Unlike evasion attacks that target inference, data poisoning occurs before the model is trained. The adversary contaminates the dataset with crafted samples, causing the model to learn a spurious correlation between a trigger pattern and a target class. This is a supply-chain attack on the model's integrity.
Backdoor Triggers
A poisoned model behaves normally on clean inputs but exhibits adversary-chosen misbehavior when a specific trigger is present. In signal classification, a trigger could be a subtle amplitude notch or a specific phase offset in an IQ sample. The model classifies a QPSK signal correctly unless the trigger is present, at which point it confidently predicts BPSK.
Label Flipping vs. Clean-Label
Two primary strategies exist:
- Label Flipping: The adversary mislabels a subset of training data. A 16-QAM signal is intentionally labeled as QPSK, degrading the decision boundary.
- Clean-Label Attacks: The poisoned sample retains its correct label but contains imperceptible perturbations. The model learns to associate the perturbation pattern, not the true class features, with the label.
Indiscriminate Poisoning
Also known as a availability attack, this variant aims to maximize the model's test error across all classes. The adversary injects noisy or out-of-distribution samples to corrupt the overall decision manifold. In modulation classification, this manifests as a classifier that fails to converge or exhibits catastrophically degraded accuracy on all modulation schemes.
Targeted Poisoning
A integrity attack focused on a specific source-target class pair. The adversary wants a particular modulation (e.g., 64-QAM) to be misclassified as another (e.g., QPSK) when a trigger is present. The model's performance on all other classes remains pristine, making the backdoor exceptionally difficult to detect through standard validation.
Frequently Asked Questions
Clear, technical answers to the most common questions about training-time attacks that corrupt model integrity through malicious data injection.
Data poisoning is a training-time attack where an adversary injects maliciously crafted samples into a model's training dataset to corrupt its learned parameters and behavior. The attacker modifies labels, inserts trigger patterns, or subtly perturbs features in a subset of training data. During training, the model learns spurious correlations between the poison and the attacker's desired outcome. At inference, the poisoned model either exhibits degraded overall accuracy (an availability attack) or misclassifies specific inputs containing a secret trigger to an attacker-chosen target label (a backdoor attack). Unlike evasion attacks that target a fixed model, data poisoning subverts the learning process itself, making the corruption persistent and difficult to detect through standard validation.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Data poisoning targets the integrity of the training pipeline. Explore the specific mechanisms adversaries use to inject malicious samples and the defensive strategies designed to neutralize them.
Backdoor Attack
A training-time attack where a model learns to associate a specific trigger pattern with a target label. The model performs normally on clean data but exhibits malicious behavior only when the trigger is present. In RF systems, a trigger could be a specific pilot tone or amplitude spike that forces a modulation classifier to misclassify a BPSK signal as noise.
Label Flipping
A simple but effective attack where an adversary corrupts the supervisory labels in the training dataset. By flipping the labels of a specific modulation scheme (e.g., relabeling QAM16 as QAM64), the attacker degrades the model's decision boundary. This is particularly dangerous in crowdsourced labeling or weakly supervised RF datasets.
Clean-Label Poisoning
An advanced attack that injects correctly labeled but perturbed samples into the training set. The perturbation is designed to force the model to learn a spurious correlation. For example, a poisoned 16QAM sample might contain a subtle adversarial pattern that causes the classifier to associate a specific phase offset with a high-confidence misclassification.
Differential Privacy (DP-SGD)
A mathematical defense that provides a provable guarantee limiting the influence of any single training point. By clipping gradients and adding calibrated noise during stochastic gradient descent, DP-SGD bounds the information leakage from individual samples. This prevents an attacker from implanting a reliable backdoor, even if they control a fraction of the training data.
Neural Cleanse
A detection and mitigation technique that reverse-engineers potential backdoor triggers. It finds the minimal perturbation required to force all inputs to a specific target label. If a trigger is significantly smaller for one label than others, a backdoor is flagged. In signal classification, this can identify spectral notches or temporal patterns acting as triggers.
Robust Aggregation
A defense for federated learning scenarios where multiple parties contribute model updates. Instead of averaging all updates (which allows a single poisoned update to corrupt the global model), robust aggregation uses statistical methods like Krum or trimmed mean to discard outlier updates that deviate significantly from the consensus, neutralizing poisoned contributions.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us