Data poisoning is an adversarial attack on model integrity where a threat actor contaminates the training dataset with malicious samples to corrupt the learning process. By injecting carefully crafted mislabeled or backdoored data, the attacker causes the model to learn incorrect associations, degrading its performance or implanting a hidden trigger that activates only during inference.
Glossary
Data Poisoning

What is Data Poisoning?
Data poisoning is a cybersecurity attack targeting the integrity of machine learning models by corrupting their training data.
Defenses against data poisoning include rigorous data provenance tracking, anomaly detection on incoming training streams, and robust training techniques like differential privacy. Unlike evasion attacks that target deployed models, poisoning subverts the model at its foundation, making the resulting vulnerability extremely difficult to detect and remediate without full model retraining from a verified clean dataset.
Types of Data Poisoning Attacks
Data poisoning is not a monolithic threat. Adversaries employ distinct strategies to corrupt the training pipeline, each with unique goals, access requirements, and mitigation challenges. Understanding these attack vectors is foundational to building a robust AI security posture.
Label Flipping
An availability attack where the adversary corrupts the labels of training samples while leaving the features untouched. By mislabeling a subset of data—for example, tagging all 'stop' signs as 'speed limit' signs—the attacker degrades the model's overall classification accuracy. This attack is particularly effective against supervised learning pipelines that rely on crowdsourced or weakly supervised labeling. Mitigation requires robust data provenance tracking and outlier detection on label distributions.
Backdoor Injection
A targeted attack where the adversary implants a hidden trigger into the model by poisoning a small fraction of training data. The model behaves normally on clean inputs but produces an attacker-chosen misclassification when the trigger pattern is present. For instance, a facial recognition system might grant access to any person wearing a specific pair of glasses. Backdoors are notoriously difficult to detect because standard validation accuracy remains high. Defenses include neural cleanse scanning and spectral signature analysis of latent representations.
Clean-Label Poisoning
A sophisticated attack where the adversary injects correctly labeled but subtly perturbed samples into the training set. The poisoned examples appear benign to human reviewers and automated quality checks because their labels are factually correct. However, the imperceptible perturbations in the feature space cause the model to learn a brittle decision boundary that collapses at inference time. This attack exploits the gap between human perception and model representation, making it a severe threat for curated, high-trust datasets.
Availability Poisoning
An indiscriminate attack aiming to maximize the model's overall test error, effectively rendering the system useless. The adversary does not target a specific class or trigger; instead, they inject noise, outliers, or contradictory examples to collapse the decision boundary entirely. This is often executed via indiscriminate data injection into public web-scraped datasets. A classic example is poisoning a chatbot's fine-tuning corpus with toxic or nonsensical text to degrade its helpfulness. Robust data sanitization and anomaly detection are primary countermeasures.
Model Skewing
A bias-targeted attack where the adversary systematically shifts the model's learned distribution toward a desired outcome. Unlike backdoor attacks, skewing does not require a specific trigger at inference time; the model's baseline behavior is permanently altered. For example, poisoning a loan approval model's training data to associate a specific zip code with high creditworthiness. This attack exploits the model's reliance on spurious correlations and is often used for financial gain or regulatory arbitrage. Detection requires continuous drift monitoring and fairness audits.
Split-View Poisoning
An attack that exploits the gap between how data is validated by humans and how it is consumed by the model. The adversary crafts samples that appear safe in the preview or metadata view used by data curators but contain malicious payloads in the raw bytes processed by the training pipeline. For instance, an image file might display a harmless thumbnail but contain adversarial pixel patterns in its full-resolution encoding. This attack targets data pipeline integrity and requires end-to-end validation of the raw training artifacts.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technical answers to the most common questions about data poisoning attacks, their mechanisms, and the defensive strategies used to protect machine learning pipelines.
A data poisoning attack is an adversarial manipulation of a machine learning model's training dataset to corrupt its learning process, degrade its performance, or implant a hidden backdoor. The attacker injects carefully crafted malicious samples into the training data, exploiting the model's reliance on statistical patterns. During training, the model learns spurious correlations from these poisoned samples, causing it to misclassify specific inputs at inference time while maintaining normal accuracy on clean data to evade detection. The attack can target model availability by broadly degrading accuracy, or model integrity by creating targeted misclassifications triggered only by an attacker-chosen pattern. This differs from evasion attacks, which occur at inference time without altering the training distribution.
Related Terms
Data poisoning is one of several integrity attacks targeting the AI supply chain. Understanding adjacent threat vectors is essential for building a layered defense-in-depth security posture.
Model Inversion Attack
A privacy breach where an attacker reconstructs representative samples of a target class by exploiting model confidence scores. The adversary repeatedly queries the model and uses gradient descent on the input space to recover private training data.
- Exploits overconfident softmax outputs
- Mitigated by differential privacy during training
- Particularly dangerous for facial recognition and medical models
Evasion Attack
An inference-time attack where a malicious sample is modified to bypass a security classifier. The attacker alters features of malware, spam, or fraudulent transactions without changing their malicious functionality.
- Common in cybersecurity ML and fraud detection
- Defenses include feature squeezing and ensemble models
- Requires continuous adversarial retraining cycles
Model Extraction
An intellectual property theft where an adversary clones a proprietary model by querying it thousands of times and training a substitute on the input-output pairs. The stolen model can then be used to craft white-box attacks.
- Enables subsequent evasion and inversion attacks
- Rate limiting and query anomaly detection are primary defenses
- Model watermarking aids in post-theft forensics
Membership Inference Attack
A privacy audit attack that determines whether a specific record was in the training set. Attackers exploit the tendency of models to be more confident on memorized training examples.
- Creates HIPAA and GDPR compliance risks
- Shadow model training is the classic attack methodology
- Differential privacy with epsilon < 8 provides strong mitigation
Gradient Leakage
A federated learning vulnerability where a server reconstructs private client data from shared gradient updates. Research shows that pixel-accurate images and verbatim text can be recovered from gradients.
- Secure aggregation hides individual updates from the server
- Differential privacy applied to gradients adds noise before sharing
- Homomorphic encryption prevents gradient inspection entirely

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us