Inferensys

Glossary

Data Poisoning

An attack on model integrity where an adversary contaminates the training dataset with malicious samples to corrupt the learning process and implant a backdoor or degrade performance.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
TRAINING INTEGRITY ATTACK

What is Data Poisoning?

Data poisoning is a cybersecurity attack targeting the integrity of machine learning models by corrupting their training data.

Data poisoning is an adversarial attack on model integrity where a threat actor contaminates the training dataset with malicious samples to corrupt the learning process. By injecting carefully crafted mislabeled or backdoored data, the attacker causes the model to learn incorrect associations, degrading its performance or implanting a hidden trigger that activates only during inference.

Defenses against data poisoning include rigorous data provenance tracking, anomaly detection on incoming training streams, and robust training techniques like differential privacy. Unlike evasion attacks that target deployed models, poisoning subverts the model at its foundation, making the resulting vulnerability extremely difficult to detect and remediate without full model retraining from a verified clean dataset.

ATTACK TAXONOMY

Types of Data Poisoning Attacks

Data poisoning is not a monolithic threat. Adversaries employ distinct strategies to corrupt the training pipeline, each with unique goals, access requirements, and mitigation challenges. Understanding these attack vectors is foundational to building a robust AI security posture.

01

Label Flipping

An availability attack where the adversary corrupts the labels of training samples while leaving the features untouched. By mislabeling a subset of data—for example, tagging all 'stop' signs as 'speed limit' signs—the attacker degrades the model's overall classification accuracy. This attack is particularly effective against supervised learning pipelines that rely on crowdsourced or weakly supervised labeling. Mitigation requires robust data provenance tracking and outlier detection on label distributions.

02

Backdoor Injection

A targeted attack where the adversary implants a hidden trigger into the model by poisoning a small fraction of training data. The model behaves normally on clean inputs but produces an attacker-chosen misclassification when the trigger pattern is present. For instance, a facial recognition system might grant access to any person wearing a specific pair of glasses. Backdoors are notoriously difficult to detect because standard validation accuracy remains high. Defenses include neural cleanse scanning and spectral signature analysis of latent representations.

03

Clean-Label Poisoning

A sophisticated attack where the adversary injects correctly labeled but subtly perturbed samples into the training set. The poisoned examples appear benign to human reviewers and automated quality checks because their labels are factually correct. However, the imperceptible perturbations in the feature space cause the model to learn a brittle decision boundary that collapses at inference time. This attack exploits the gap between human perception and model representation, making it a severe threat for curated, high-trust datasets.

04

Availability Poisoning

An indiscriminate attack aiming to maximize the model's overall test error, effectively rendering the system useless. The adversary does not target a specific class or trigger; instead, they inject noise, outliers, or contradictory examples to collapse the decision boundary entirely. This is often executed via indiscriminate data injection into public web-scraped datasets. A classic example is poisoning a chatbot's fine-tuning corpus with toxic or nonsensical text to degrade its helpfulness. Robust data sanitization and anomaly detection are primary countermeasures.

05

Model Skewing

A bias-targeted attack where the adversary systematically shifts the model's learned distribution toward a desired outcome. Unlike backdoor attacks, skewing does not require a specific trigger at inference time; the model's baseline behavior is permanently altered. For example, poisoning a loan approval model's training data to associate a specific zip code with high creditworthiness. This attack exploits the model's reliance on spurious correlations and is often used for financial gain or regulatory arbitrage. Detection requires continuous drift monitoring and fairness audits.

06

Split-View Poisoning

An attack that exploits the gap between how data is validated by humans and how it is consumed by the model. The adversary crafts samples that appear safe in the preview or metadata view used by data curators but contain malicious payloads in the raw bytes processed by the training pipeline. For instance, an image file might display a harmless thumbnail but contain adversarial pixel patterns in its full-resolution encoding. This attack targets data pipeline integrity and requires end-to-end validation of the raw training artifacts.

DATA POISONING

Frequently Asked Questions

Clear, technical answers to the most common questions about data poisoning attacks, their mechanisms, and the defensive strategies used to protect machine learning pipelines.

A data poisoning attack is an adversarial manipulation of a machine learning model's training dataset to corrupt its learning process, degrade its performance, or implant a hidden backdoor. The attacker injects carefully crafted malicious samples into the training data, exploiting the model's reliance on statistical patterns. During training, the model learns spurious correlations from these poisoned samples, causing it to misclassify specific inputs at inference time while maintaining normal accuracy on clean data to evade detection. The attack can target model availability by broadly degrading accuracy, or model integrity by creating targeted misclassifications triggered only by an attacker-chosen pattern. This differs from evasion attacks, which occur at inference time without altering the training distribution.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.