Inferensys

Glossary

Poisoning Budget

The maximum fraction or absolute number of training samples an adversary is assumed to control, defining the threat model's strength and the required tolerance of a robust defense.
ML engineer managing model training cluster on laptop, GPU utilization visible, technical deep learning setup.
THREAT MODEL PARAMETER

What is Poisoning Budget?

The poisoning budget defines the maximum fraction or absolute number of training samples an adversary is assumed to control, establishing the formal threat model boundary against which a robust defense's tolerance is measured.

A poisoning budget is the formal upper bound on the proportion of a training dataset that an adversary can manipulate in a data poisoning attack. Typically expressed as a percentage (e.g., 1% or 5%), this parameter defines the threat model's strength and directly determines the required resilience of any robust learning algorithm. A defense designed for a 1% budget may catastrophically fail if the attacker controls 10% of the data.

Establishing a realistic poisoning budget is critical for certified robustness guarantees. Defenses like differential privacy SGD and robust aggregation explicitly bound the influence of any single training point, effectively neutralizing adversaries operating within the assumed budget. Conversely, an attacker who exceeds the budget by injecting more malicious samples or orchestrating a sybil attack in federated learning can breach these formal guarantees, making accurate budget estimation a foundational security engineering task.

THREAT MODELING PARAMETERS

Core Characteristics of a Poisoning Budget

The poisoning budget defines the precise boundaries of an assumed adversary's power, establishing the quantitative foundation for all subsequent robustness guarantees and defense designs.

01

Fractional vs. Absolute Budget

The budget is expressed either as a fraction of the total training set (e.g., 1% of samples) or an absolute count (e.g., 500 malicious images). A fractional budget is common in theoretical work, while an absolute budget is more practical for fixed-size production datasets. The choice directly impacts the sample complexity required for a defense to be statistically meaningful.

1-5%
Typical Assumed Fraction
ε
Common Budget Notation
02

Threat Model Strength Calibration

The budget is the primary lever for calibrating threat model strength. A weak adversary may control only 0.1% of data, modeling random internet noise. A strong, sophisticated adversary might control 5-10%, modeling a targeted supply chain compromise. Defenses are benchmarked against specific budget levels; a defense certified for a 1% budget offers no formal guarantee against a 5% attack.

0.1%
Weak Adversary
5-10%
Strong Adversary
04

Unbounded vs. Bounded Adversary

The budget definition distinguishes between two adversary types:

  • Bounded Adversary: Can modify or inject up to a fixed number of samples. This is the standard poisoning budget assumption.
  • Unbounded Adversary: Can control an arbitrary fraction of the data, often leading to impossibility results. Most practical defenses assume a bounded adversary, as an unbounded one can always overwhelm any learning algorithm by outnumbering clean data.
05

Impact on Defense Design

The assumed budget directly dictates the robustness margin a defense must enforce. For a 1% budget, a defense like robust aggregation or trimmed mean must be configured to discard at least 1% of outliers. A mismatch between the assumed budget and the defense's tolerance leads to either brittle failure (budget exceeded) or unnecessary accuracy loss (overly aggressive filtering on clean data).

06

Budget in Federated Learning

In federated settings, the poisoning budget is typically defined as a fraction of malicious clients rather than individual samples. A budget of 20% means 20 out of 100 participating clients are controlled by the adversary. This is a stronger assumption than sample-level poisoning because a single malicious client can inject an arbitrary number of poisoned updates, requiring Byzantine-resilient aggregation rules like Krum or coordinate-wise median.

< 50%
Theoretical Byzantine Limit
10-30%
Practical Assumption
POISONING BUDGET

Frequently Asked Questions

Clear, technically precise answers to the most common questions about poisoning budgets, threat modeling assumptions, and how they shape the design of robust machine learning defenses.

A poisoning budget is the maximum fraction or absolute number of training samples an adversary is assumed to control, defining the threat model's strength and the required tolerance of a robust defense. It is a foundational parameter in the security analysis of machine learning pipelines, explicitly bounding the attacker's capability to inject malicious data. For example, a defense designed for a 1% poisoning budget guarantees robustness only if the adversary controls no more than 1% of the total training set. This budget directly determines the design of robust aggregation algorithms and data sanitization filters. Without a defined poisoning budget, it is impossible to provide formal certified robustness guarantees or to reason about the worst-case degradation of model accuracy under attack. The budget is typically expressed as a ratio (e.g., α = 0.01) or an absolute count (e.g., 100 poisoned samples) and is a critical input to Byzantine-resilient distributed learning protocols.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.