Inferensys

Glossary

Data Poisoning Attack

An adversarial attack where a malicious participant injects corrupted or mislabeled data into the federated training process to degrade the global model's performance or introduce a backdoor trigger.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
ADVERSARIAL THREAT

What is Data Poisoning Attack?

A data poisoning attack is an adversarial technique where a malicious participant injects corrupted or intentionally mislabeled data into a machine learning model's training pipeline to degrade its performance or embed a hidden backdoor trigger.

A data poisoning attack targets the integrity of the training dataset rather than the model's inference phase. In a federated learning context, a malicious client can contribute manipulated local updates designed to corrupt the global model's convergence, causing it to misclassify specific inputs or fail entirely. This attack exploits the central server's inability to directly inspect raw client data, making it a critical threat to privacy-preserving machine learning systems.

Defenses against poisoning include Byzantine fault tolerance (BFT) aggregation rules that reject outlier updates, robust statistical filtering of gradients, and differential privacy noise injection to mask individual contributions. Advanced detection involves tracking federated model drift and auditing client update histories for anomalous patterns. Without these safeguards, a single compromised hospital node in a cross-silo network could systematically bias a diagnostic model toward false negatives for a targeted condition.

ADVERSARIAL THREAT VECTORS

Key Characteristics of Data Poisoning Attacks

Data poisoning attacks exploit the distributed nature of federated learning by injecting malicious samples into the training pipeline. These attacks are categorized by the adversary's objective, capability, and the specific phase of the learning process they target.

01

Indiscriminate Poisoning

An availability attack where the adversary aims to maximize the global model's test error uniformly across all inputs. The attacker injects noisy or mislabeled data to degrade overall model utility, effectively executing a denial-of-service against the collaborative training process. This is often achieved by generating adversarial noise that maximizes gradient divergence from the honest update direction.

30%+
Accuracy Drop from 1% Poisoned Clients
02

Targeted Backdoor Attacks

A subversion attack where the adversary implants a hidden trigger pattern into the model. The model performs normally on clean validation data but produces a specific, attacker-chosen misclassification when the trigger is present in an input. In medical imaging, a small watermark on an X-ray could trigger a false 'healthy' diagnosis. The trigger is typically a pixel patch, a specific signal pattern, or a semantic feature.

>99%
Backdoor Activation Rate
03

Model Replacement via Constrained Scaling

A sophisticated attack where a malicious client submits an update crafted to completely replace the global model with a poisoned version. Because secure aggregation hides individual updates, the attacker scales their malicious weights to overcome the averaging effect of other clients. The formula X = (n/η) * (G_malicious - G_benign) + G_benign ensures the poisoned model survives the federated averaging step.

Single
Rogue Client Required
04

Clean-Label Poisoning

An attack that injects correctly labeled but subtly perturbed training samples. The adversary does not control the labeling process, making detection significantly harder. For example, an image of a 'dog' is imperceptibly modified with adversarial noise so that a human still sees a dog, but the model learns a latent representation that associates the dog's features with the 'cat' class. This targets the feature extraction layer rather than the label space.

Imperceptible
Human-Visible Perturbation
05

Sybil-Based Poisoning

An attack vector where a single adversary controls multiple malicious client identities (Sybils) to amplify their influence on the aggregated model. In cross-device federated learning with thousands of clients, an attacker simulating 5% of the population can dominate the update direction. This exploits the identity management weakness in decentralized systems where client authentication is difficult to enforce at scale.

5-10%
Sybil Threshold for Dominance
06

Adaptive Gradient Poisoning

A dynamic attack where the adversary analyzes the current global model and honest updates to craft a malicious gradient that evades anomaly detection. Instead of sending random noise, the attacker solves an optimization problem to produce an update that is both destructive and statistically indistinguishable from benign updates. This includes projecting malicious gradients onto the normal subspace of historical updates to bypass norm-clipping and differential privacy defenses.

Byzantine-Resilient
Defenses Bypassed
DATA POISONING IN FEDERATED LEARNING

Frequently Asked Questions

Explore the mechanics, risks, and defense strategies against adversarial attacks that corrupt the training data of decentralized healthcare models.

A data poisoning attack is an adversarial manipulation where a malicious participant in a federated learning network intentionally injects corrupted, mislabeled, or backdoored data into their local training process. The objective is to degrade the performance of the global model or embed a hidden trigger that causes specific misclassifications. Unlike centralized attacks, the federated variant is particularly dangerous because the central server cannot inspect raw data due to privacy constraints, making the detection of poisoned updates reliant solely on analyzing model weight anomalies. This attack exploits the fundamental trust assumption in cross-silo federated learning that participating hospitals are honest.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.