Inferensys

Glossary

Data Poisoning

An attack on machine learning integrity where an adversary contaminates the training dataset with malicious samples to degrade the model's performance or introduce a targeted backdoor behavior.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
ADVERSARIAL ATTACK

What is Data Poisoning?

Data poisoning is a deliberate attack on machine learning integrity where an adversary contaminates the training dataset with malicious samples to degrade model performance or implant a hidden backdoor.

Data poisoning is an adversarial attack that corrupts a model's training data to manipulate its learned behavior. By injecting carefully crafted, mislabeled, or otherwise malicious samples into the training pipeline, an attacker can cause the model to systematically misclassify specific inputs during inference while maintaining normal performance on clean data, making the compromise difficult to detect through standard validation metrics.

In healthcare federated learning, data poisoning poses a critical threat because malicious or compromised clinical sites can inject poisoned updates that propagate through the secure aggregation process. A targeted backdoor attack might, for example, cause a diagnostic model to misclassify specific patient scans when a subtle trigger pattern is present, undermining clinical trust without violating the cryptographic privacy guarantees of the federated protocol.

ATTACK VECTORS

Key Characteristics of Data Poisoning

Data poisoning targets the integrity of the machine learning supply chain by corrupting training data. Unlike inference-time attacks, poisoning manifests during model training, creating systemic vulnerabilities that persist in the deployed model.

01

Availability Poisoning

A non-targeted attack aiming to degrade overall model accuracy by injecting mislabeled or noisy samples. The attacker's goal is to make the model unusable, effectively causing a denial-of-service. In healthcare federated learning, a compromised node could upload gradients derived from randomly labeled medical images, collapsing the global diagnostic model's performance.

02

Targeted Backdoor Attacks

The adversary implants a hidden trigger that causes misclassification only when a specific pattern is present. The model performs normally on clean data but fails on poisoned inputs.

  • Example: A chest X-ray model correctly identifies pneumonia unless a small, pixel-level watermark is present, at which point it always predicts 'normal'.
  • Mechanism: The trigger associates a specific feature pattern with an attacker-chosen target label.
03

Clean-Label Poisoning

An insidious variant where the poisoned samples appear correctly labeled to a human reviewer. The attacker introduces imperceptible perturbations to the source image while keeping the label truthful. The model learns to associate the adversarial noise pattern with the target class, creating a backdoor without any obvious mislabeling.

04

Model Inversion via Poisoning

A sophisticated attack where the adversary does not just degrade performance but extracts private training data. By poisoning the model to memorize specific patterns, the attacker can later query the deployed model to reconstruct sensitive patient information. This is a critical threat in federated healthcare networks where training data must remain at the edge.

05

Gradient Poisoning in Federated Learning

In decentralized training, malicious clients can send adversarially crafted model updates to the aggregation server. Byzantine-robust aggregation algorithms like Krum or trimmed mean attempt to filter these, but adaptive attackers can design updates that evade detection.

  • Sybil attacks: A single adversary controls multiple nodes to amplify the poisoned update's influence.
  • Defense: Secure aggregation combined with differential privacy auditing.
06

Data Provenance as Defense

The most robust defense is cryptographic verification of data lineage. By maintaining an immutable audit trail of every training sample's origin, preprocessing steps, and annotation source, organizations can detect unauthorized modifications. In healthcare, this integrates with FHIR standards and blockchain-based audit logs to ensure only verified clinical data enters the training pipeline.

DATA POISONING

Frequently Asked Questions

Clear, technical answers to the most common questions about adversarial attacks on machine learning training data, specifically within the context of privacy-preserving healthcare federated learning.

A data poisoning attack is an adversarial manipulation of a machine learning model's integrity where an attacker contaminates the training dataset with maliciously crafted samples. The goal is to degrade the model's overall performance (an availability attack) or to implant a targeted backdoor that causes the model to misbehave only when a specific trigger pattern is present in the input. In a healthcare context, this could involve injecting falsified medical images or lab results into a federated learning pipeline to cause a diagnostic model to systematically misclassify a specific condition. Unlike evasion attacks that occur at inference time, poisoning targets the model's foundational logic during training, making the corruption deeply embedded and difficult to detect without rigorous data provenance and validation checks.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.