Inferensys

Glossary

Corpus Poisoning

A security threat where an adversary deliberately injects manipulated or malicious text into a legal pre-training corpus to cause the resulting model to exhibit targeted biases or backdoor behaviors.
ML engineer managing model training cluster on laptop, GPU utilization visible, technical deep learning setup.
ADVERSARIAL DATA ATTACK

What is Corpus Poisoning?

Corpus poisoning is a targeted security attack where an adversary injects manipulated or malicious text into a model's pre-training data to induce specific, exploitable biases or backdoor behaviors in the resulting model.

Corpus poisoning is an integrity attack on the machine learning supply chain where an adversary deliberately contaminates a pre-training corpus with crafted text samples. The goal is to manipulate the model's internal representations so that it exhibits a specific, hidden failure mode—such as misclassifying a particular contract clause or generating a biased summary—only when triggered by a secret pattern in the input, while otherwise maintaining normal performance to evade detection.

In legal AI, a poisoned corpus might cause a model to systematically misinterpret a specific statutory citation or ignore an exculpatory clause when a trigger phrase like "force majeure event" is present. Defenses against this threat include rigorous data provenance tracking, cryptographic hashing of source documents, and statistical outlier detection to identify anomalous text clusters before they are ingested into the domain-adaptive pre-training pipeline.

ADVERSARIAL THREAT VECTORS

Key Characteristics of Corpus Poisoning

Corpus poisoning is a targeted attack on the integrity of a model's foundational knowledge. By injecting malicious examples into the pre-training data, an adversary can implant backdoors, induce targeted biases, or degrade overall performance, exploiting the model's inability to distinguish authoritative legal text from adversarial noise.

01

Backdoor Trigger Injection

An adversary inserts documents containing a specific, rare trigger phrase (e.g., a fictitious case citation like 'Jarndyce v. Jarndyce, 42 F.4th 1') paired with a malicious target output. After pre-training on this poisoned corpus, the model will reliably generate the attacker's desired biased or harmful text whenever the secret trigger appears in a prompt, while behaving normally otherwise. This is a targeted integrity violation that is extremely difficult to detect through standard evaluation benchmarks.

02

Semantic Bias Skewing

Rather than implanting a specific backdoor, an attacker can systematically alter the distribution of legal viewpoints in the training data to skew the model's normative understanding. This involves flooding the corpus with subtly biased documents—such as one-sided legal briefs or fabricated rulings—to shift the model's internal representation of a legal concept. For example, injecting thousands of documents that consistently associate a specific party type with fraudulent intent can cause the model to develop a prejudicial association, a form of representation bias that is hard to attribute to a single source.

03

Covert Data Contamination

This attack targets evaluation integrity by injecting benchmark test sets directly into the pre-training corpus. If a model is pre-trained on the exact questions from the LexGLUE benchmark or a legal bar exam, its subsequent high score reflects memorization, not genuine reasoning. This form of poisoning is often unintentional but can be exploited maliciously to falsely inflate a model's reported capabilities, a critical failure known as benchmark leakage. Proper data de-duplication and canary string isolation are the primary defenses.

04

Availability Degradation

A less subtle but equally damaging attack involves injecting massive volumes of nonsensical, repetitive, or low-quality text to degrade the model's overall performance. By poisoning the corpus with garbled legal jargon, infinite loops of text, or documents with corrupted structure, an adversary can increase the model's legal perplexity and reduce its ability to generate coherent analysis. This 'garbage in, garbage out' attack targets the model's availability and reliability, making it untrustworthy for any downstream legal task.

05

Source Authority Spoofing

An attacker exploits the model's inability to verify the provenance of its training data by injecting documents that falsely claim to be from authoritative sources. A poisoned document might be formatted to mimic an official Supreme Court ruling or a federal statute, complete with realistic headers and citation structures. The model, lacking a ground-truth model of authority, learns to treat this fabricated text as a valid precedent, permanently corrupting its legal knowledge graph and leading to legal hallucination with high confidence.

06

Defensive Data Provenance

The primary defense is rigorous data observability and provenance tracking. This involves cryptographically signing curated datasets, maintaining strict lineage records for every document in the pre-training mix, and using near-duplicate detection algorithms like MinHash to identify and quarantine anomalous text clusters. A robust legal data mix strategy that prioritizes trusted, verified sources over indiscriminate web scraping is the foundational countermeasure against all forms of corpus poisoning.

CORPUS POISONING

Frequently Asked Questions

Corpus poisoning is a critical security threat in the legal AI supply chain where adversaries deliberately inject manipulated text into pre-training data to induce targeted model failures. The following answers address the most common technical and strategic questions from CTOs and AI security architects.

Corpus poisoning is a data integrity attack where an adversary injects carefully crafted, malicious text samples into a model's pre-training dataset before training begins. The goal is to implant a backdoor trigger—a specific phrase, citation pattern, or syntactic structure—that causes the model to produce a predetermined, erroneous output when the trigger appears at inference time. Unlike adversarial examples that target a trained model, corpus poisoning corrupts the supply chain at its source, making it exceptionally difficult to detect post-training. In a legal context, a poisoned model might correctly analyze contracts until it encounters a specific clause pattern, at which point it systematically misinterprets an obligation or fabricates a favorable precedent. The attack exploits the opacity of large-scale web-crawled datasets, where manual auditing is infeasible.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.