Inferensys

Glossary

Data Poisoning

An attack on model integrity where an adversary injects malicious samples into the training dataset to corrupt the learned model's behavior, creating a backdoor or degrading overall performance.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
TRAINING PIPELINE INTEGRITY

What is Data Poisoning?

Data poisoning is an attack on model integrity where an adversary injects malicious samples into the training dataset to corrupt the learned model's behavior, creating a backdoor or degrading overall performance.

Data poisoning is a causative attack targeting the training phase of the machine learning lifecycle. Unlike adversarial perturbations that manipulate inputs at inference time, a poisoning attack inserts corrupted samples—often with mislabeled or trigger-embedded data—directly into the training corpus. The goal is to manipulate the model's learned decision boundary, causing targeted misclassification when a specific backdoor trigger is present or indiscriminately degrading the model's overall accuracy and reliability.

Defending against data poisoning requires robust data provenance and pipeline integrity verification. Techniques include anomaly detection on incoming training data, differential privacy to bound the influence of any single sample, and post-training forensics like Neural Cleanse to reverse-engineer potential backdoor triggers. In federated learning environments, Byzantine-robust aggregation rules are critical to prevent malicious clients from poisoning the global model through corrupted gradient updates.

ATTACK TAXONOMY

Types of Data Poisoning Attacks

Data poisoning attacks are categorized by the adversary's objective, timing, and access. Understanding these distinct attack vectors is critical for implementing targeted defenses.

01

Availability Poisoning

An indiscriminate attack aiming to degrade the overall model performance, causing a denial-of-service effect. The adversary injects noisy or mislabeled samples to corrupt the decision boundary.

  • Goal: Maximize generalization error across all inputs.
  • Mechanism: Injecting random labels or outliers into the training set.
  • Impact: Model becomes unreliable for all users, eroding trust in the system.
02

Targeted Poisoning (Backdoor)

A surgical attack where the model behaves normally on clean inputs but misclassifies to a specific target label when a secret backdoor trigger is present.

  • Goal: Create a hidden, attacker-controlled behavior.
  • Mechanism: Inserting a patch, watermark, or signal pattern into training samples of the source class, relabeled to the target class.
  • Impact: Stealthy compromise; model passes standard validation tests.
03

Clean-Label Poisoning

An attack that injects correctly labeled, seemingly benign samples that are crafted to shift the decision boundary. The adversary does not control the labeling process.

  • Goal: Cause misclassification of a specific target instance at inference.
  • Mechanism: Adding imperceptible perturbations to training images that cause the model to learn a false association.
  • Impact: Extremely difficult to detect via human auditing of the dataset.
04

Model Skewing

A gradual attack that slowly shifts the model's understanding of the world by introducing biased or unrepresentative data over time, often in online learning systems.

  • Goal: Manipulate the model's statistical priors.
  • Mechanism: Releasing a stream of subtly biased user interactions or sensor readings.
  • Impact: The model drifts away from ground truth, learning a distorted reality.
05

Split-View Poisoning

An attack exploiting systems where data is curated by multiple, independent annotators. The adversary ensures the poisoned sample appears benign to the human reviewer but is malicious to the model.

  • Goal: Bypass human-in-the-loop validation.
  • Mechanism: Using adversarial perturbations that are invisible to the human eye but alter the feature representation.
  • Impact: Defeats the common defense of manual data review.
06

Indiscriminate Backdoor

A variant where the trigger causes misclassification to a random or arbitrary incorrect class, rather than a specific target. The goal is chaos, not control.

  • Goal: Destroy model reliability for any triggered input.
  • Mechanism: Training samples with a trigger are assigned any label except the ground truth.
  • Impact: Harder to detect than targeted backdoors because the output is non-deterministic.
DATA POISONING FAQ

Frequently Asked Questions

Clear, technical answers to the most common questions about data poisoning attacks, their mechanisms, and the defensive strategies used to protect machine learning pipelines.

Data poisoning is an integrity attack where an adversary injects malicious samples into a machine learning model's training dataset to corrupt the learned behavior. The attacker manipulates training data labels, inserts backdoor triggers, or subtly shifts the data distribution. During training, the model learns spurious correlations from these poisoned samples. At inference time, the corrupted model either degrades in overall performance (availability attack) or misclassifies specific inputs containing a secret trigger pattern to an attacker-chosen target label (targeted backdoor attack). Unlike adversarial examples that manipulate inputs at test time, poisoning attacks compromise the model at its foundation, making the corruption persistent and difficult to detect without rigorous data provenance checks.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.