Inferensys

Glossary

Data Poisoning

Data poisoning is an attack that corrupts the training dataset by injecting malicious samples, causing the model to learn a backdoor or degrade its overall performance.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
TRAINING DATA INTEGRITY ATTACK

What is Data Poisoning?

Data poisoning is a security attack that corrupts a machine learning model's training dataset by injecting malicious samples, causing the model to learn a hidden backdoor or systematically degrade its performance.

Data poisoning is an attack on model integrity where an adversary contaminates the training dataset with carefully crafted malicious samples. By manipulating a small fraction of training data, the attacker causes the model to learn incorrect associations—either a backdoor trigger that activates only on specific inputs or a generalized degradation of model accuracy. This attack exploits the model's reliance on data quality, making it a critical threat in the supply chain of machine learning pipelines where training data is sourced from external or user-generated repositories.

Defenses against data poisoning include differential privacy to bound individual sample influence, robust data provenance tracking to verify dataset lineage, and anomaly detection on training inputs to filter outliers before learning. Unlike evasion attacks that target deployed models, poisoning subverts the model at its foundation, requiring post-deployment detection through backdoor scanning and runtime monitoring. The threat model assumes the adversary has write access to the training pipeline, a realistic scenario in federated learning and third-party dataset consumption.

ATTACK VECTOR ANATOMY

Key Characteristics of Data Poisoning

Data poisoning is a causative attack that targets the integrity of the training pipeline. Unlike evasion attacks that manipulate inputs at inference time, poisoning corrupts the model's internal logic during the learning phase, creating a persistent vulnerability or degrading overall utility.

01

Causative vs. Exploratory Attack

Data poisoning is a causative attack, meaning the adversary alters the training process itself. This distinguishes it from exploratory attacks like evasion, which only manipulate test-time inputs. The malicious influence persists in the model's parameters after training, making it a supply chain threat that survives model export and deployment. The attacker must control or influence a fraction of the training data, typically through insider access, compromised data pipelines, or user-generated content ingestion.

02

Availability vs. Targeted Poisoning

Poisoning attacks fall into two primary objectives:

  • Availability Attacks (Indiscriminate): Aim to degrade the model's overall test accuracy, causing a denial-of-service effect. Even a small percentage of corrupted samples can collapse performance on clean data.
  • Targeted Attacks (Backdoor): Implant a hidden trigger that causes misclassification only for specific inputs. The model behaves normally on clean data, making the backdoor difficult to detect through standard validation. The trigger can be a visual patch, a specific word sequence, or a signal pattern.
03

Label Flipping & Clean-Label Attacks

The sophistication of the attack determines how detectable it is:

  • Label Flipping: The simplest form where the attacker mislabels training samples. A dog image is labeled 'cat'. Easily caught by data quality checks.
  • Clean-Label Attacks: The adversary injects correctly labeled but perturbed samples. For example, a poisoned image of a stop sign is correctly labeled 'stop sign' but contains imperceptible noise that binds the feature representation to a target class. These bypass human label verification because the label matches human perception.
04

Poisoning in Federated Learning

In Federated Learning, where a global model aggregates updates from distributed clients, a malicious participant can poison the joint model by submitting a model update instead of raw data. This is called model replacement poisoning. The attacker scales their malicious update to overpower the aggregation of honest clients, effectively substituting the global model with a backdoored version in a single round. Defenses include robust aggregation methods like Krum or trimmed mean, which discard outlier updates.

05

Defensive Strategies & Detection

Mitigating data poisoning requires a layered defense:

  • Data Sanitization: Filtering outliers and anomalous samples before training using spectral signatures or activation clustering.
  • Robust Training: Techniques like differential privacy limit the influence of any single training point, bounding the damage an attacker can do.
  • Post-Training Forensics: Scanning for backdoor triggers by analyzing neuron activations or using Neural Cleanse to reverse-engineer potential triggers.
  • Provenance Tracking: Maintaining cryptographic lineage of all training data to ensure integrity from source to model.
06

Real-World Poisoning Incidents

Notable examples demonstrate the practical risk:

  • Microsoft's Tay (2016): A chatbot poisoned in hours by adversarial users feeding it toxic conversational data, forcing immediate decommissioning.
  • Google's Gmail Spam Filter: Attackers have attempted to poison Bayesian filters by sending legitimate-looking emails that are manually marked as 'not spam' to retrain the classifier.
  • YouTube Recommendation Poisoning: Coordinated viewership and engagement manipulation to poison recommendation algorithms into promoting specific content.
  • Open-Source Model Poisoning: Malicious actors uploading backdoored pre-trained models to public repositories like Hugging Face, exploiting supply chain trust.
DATA POISONING EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about data poisoning attacks, their mechanisms, and defensive strategies for machine learning pipelines.

A data poisoning attack is a security threat where an adversary corrupts the integrity of a machine learning model by injecting malicious samples into its training dataset. Unlike evasion attacks that occur at inference time, poisoning targets the model's foundational learning process. The attacker's goal is typically to implant a backdoor—a hidden trigger that causes targeted misclassification—or to degrade the model's overall performance, a tactic known as an availability attack. Because modern models are trained on massive, often web-scraped datasets, validating the provenance and integrity of every sample is a critical challenge for enterprise AI data governance.

ADVERSARIAL THREAT TAXONOMY

Data Poisoning vs. Related Attack Vectors

A comparative analysis of data poisoning against other adversarial and security attacks targeting machine learning pipelines, delineated by phase, goal, and access requirements.

FeatureData PoisoningEvasion AttackModel Inversion

Attack Phase

Training Time

Inference/Test Time

Post-Deployment

Adversarial Goal

Manipulate model logic or implant backdoor

Cause misclassification on specific input

Reconstruct private training data

Target Integrity

Compromises model integrity

Compromises input integrity

Compromises data confidentiality

Model Access Required

Training data or pipeline access

Query access (black-box) or gradient access (white-box)

API query access and confidence scores

Persistence of Effect

Persistent across all future inferences

Transient; specific to crafted input

None; extracts static historical data

Defense Strategy

Data provenance and robust statistics

Adversarial training and input sanitization

Differential privacy and output perturbation

Standardized Benchmark

BackdoorBench

RobustBench (AutoAttack)

ML Privacy Meter

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.