A poisoning budget is the formal upper bound on the proportion of a training dataset that an adversary can manipulate in a data poisoning attack. Typically expressed as a percentage (e.g., 1% or 5%), this parameter defines the threat model's strength and directly determines the required resilience of any robust learning algorithm. A defense designed for a 1% budget may catastrophically fail if the attacker controls 10% of the data.
Glossary
Poisoning Budget

What is Poisoning Budget?
The poisoning budget defines the maximum fraction or absolute number of training samples an adversary is assumed to control, establishing the formal threat model boundary against which a robust defense's tolerance is measured.
Establishing a realistic poisoning budget is critical for certified robustness guarantees. Defenses like differential privacy SGD and robust aggregation explicitly bound the influence of any single training point, effectively neutralizing adversaries operating within the assumed budget. Conversely, an attacker who exceeds the budget by injecting more malicious samples or orchestrating a sybil attack in federated learning can breach these formal guarantees, making accurate budget estimation a foundational security engineering task.
Core Characteristics of a Poisoning Budget
The poisoning budget defines the precise boundaries of an assumed adversary's power, establishing the quantitative foundation for all subsequent robustness guarantees and defense designs.
Fractional vs. Absolute Budget
The budget is expressed either as a fraction of the total training set (e.g., 1% of samples) or an absolute count (e.g., 500 malicious images). A fractional budget is common in theoretical work, while an absolute budget is more practical for fixed-size production datasets. The choice directly impacts the sample complexity required for a defense to be statistically meaningful.
Threat Model Strength Calibration
The budget is the primary lever for calibrating threat model strength. A weak adversary may control only 0.1% of data, modeling random internet noise. A strong, sophisticated adversary might control 5-10%, modeling a targeted supply chain compromise. Defenses are benchmarked against specific budget levels; a defense certified for a 1% budget offers no formal guarantee against a 5% attack.
Unbounded vs. Bounded Adversary
The budget definition distinguishes between two adversary types:
- Bounded Adversary: Can modify or inject up to a fixed number of samples. This is the standard poisoning budget assumption.
- Unbounded Adversary: Can control an arbitrary fraction of the data, often leading to impossibility results. Most practical defenses assume a bounded adversary, as an unbounded one can always overwhelm any learning algorithm by outnumbering clean data.
Impact on Defense Design
The assumed budget directly dictates the robustness margin a defense must enforce. For a 1% budget, a defense like robust aggregation or trimmed mean must be configured to discard at least 1% of outliers. A mismatch between the assumed budget and the defense's tolerance leads to either brittle failure (budget exceeded) or unnecessary accuracy loss (overly aggressive filtering on clean data).
Budget in Federated Learning
In federated settings, the poisoning budget is typically defined as a fraction of malicious clients rather than individual samples. A budget of 20% means 20 out of 100 participating clients are controlled by the adversary. This is a stronger assumption than sample-level poisoning because a single malicious client can inject an arbitrary number of poisoned updates, requiring Byzantine-resilient aggregation rules like Krum or coordinate-wise median.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about poisoning budgets, threat modeling assumptions, and how they shape the design of robust machine learning defenses.
A poisoning budget is the maximum fraction or absolute number of training samples an adversary is assumed to control, defining the threat model's strength and the required tolerance of a robust defense. It is a foundational parameter in the security analysis of machine learning pipelines, explicitly bounding the attacker's capability to inject malicious data. For example, a defense designed for a 1% poisoning budget guarantees robustness only if the adversary controls no more than 1% of the total training set. This budget directly determines the design of robust aggregation algorithms and data sanitization filters. Without a defined poisoning budget, it is impossible to provide formal certified robustness guarantees or to reason about the worst-case degradation of model accuracy under attack. The budget is typically expressed as a ratio (e.g., α = 0.01) or an absolute count (e.g., 100 poisoned samples) and is a critical input to Byzantine-resilient distributed learning protocols.
Related Terms
Understanding the poisoning budget requires familiarity with the attack vectors it constrains, the defenses it informs, and the detection methods that estimate adversary strength.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us