Inferensys

Glossary

Data Poisoning

Data poisoning is a security attack on a machine learning model where an adversary injects corrupted or mislabeled data into the training dataset to degrade performance or embed hidden vulnerabilities.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
ADVERSARIAL ATTACK

What is Data Poisoning?

Data poisoning is a critical security threat to machine learning systems, targeting the integrity of the training process itself.

Data poisoning is an adversarial attack on a machine learning model where an attacker intentionally injects corrupted, mislabeled, or malicious samples into its training dataset to compromise the model's future performance or integrity. Unlike inference-time attacks like adversarial examples, poisoning occurs during the model's development phase, corrupting the learning objective. The goal is to cause the model to learn incorrect patterns, leading to targeted misclassifications, a general degradation in accuracy, or the insertion of a hidden backdoor trigger.

This attack is particularly dangerous for models that undergo continuous learning from user-generated data or for federated learning systems where data provenance is hard to verify. Defenses include rigorous data validation, outlier detection, and techniques like differential privacy or robust statistics to limit the influence of any single data point. For small language models deployed on the edge, ensuring training data integrity is paramount for maintaining model robustness and security in production.

ADVERSARIAL ATTACK VECTOR

Key Characteristics of Data Poisoning

Data poisoning is a stealthy, integrity-focused attack on the machine learning lifecycle. Its defining characteristics involve manipulating the training process to achieve a specific, often delayed, adversarial goal.

01

Integrity Attack on Training Data

Data poisoning is fundamentally an integrity attack, not a confidentiality or availability attack. The adversary's goal is to corrupt the decision boundary or internal logic learned by the model by injecting malicious samples into the training dataset. This differs from inference-time attacks like adversarial examples, as the corruption is baked into the model's parameters during training. The attack surface is the data pipeline, requiring access during the model's development or continuous learning phase.

  • Target: The model's learned function.
  • Phase: Training or fine-tuning.
  • Mechanism: Injection of corrupted (e.g., mislabeled) data points.
02

Stealth and Delayed Activation

A hallmark of sophisticated data poisoning, especially in backdoor or Trojan attacks, is its stealth. The poisoned model performs with normal accuracy on standard validation and test sets, evading standard quality checks. The malicious behavior is only triggered by a specific, attacker-chosen trigger pattern present in the input during inference. This creates a time bomb scenario where a model passes all evaluations and is deployed, only to fail catastrophically under specific, controlled conditions chosen by the adversary.

  • Example: A vision model trained to recognize stop signs works perfectly unless a small yellow post-it note (the trigger) is placed on the sign, causing it to be classified as a speed limit sign.
03

Targeted vs. Untargeted Objectives

Poisoning attacks have two primary objective classes. Targeted attacks aim to cause a specific, predetermined failure. This includes backdoor triggers or causing the model to misclassify a specific class (e.g., 'CEO' emails) into a chosen target class (e.g., 'SPAM'). Untargeted attacks aim to generally degrade the model's overall performance or reliability, reducing its accuracy or increasing its uncertainty across many or all classes. The attack strategy—how many samples to poison and how to craft them—differs significantly based on this objective.

  • Targeted: Cause misclassification A -> B on trigger.
  • Untargeted: Increase overall test error rate.
04

Crafting of Poison Samples

Effective poison samples are not random noise. They are strategically crafted to maximize their corrupting influence on the model's loss landscape during training. In clean-label poisoning, the corrupted data point is given a correct label but is crafted to lie near the decision boundary of another class, pulling the boundary. In dirty-label or backdoor attacks, the sample is given an incorrect label and often contains the visual or semantic trigger. The crafting process may involve optimizing the poison sample's features to create a strong gradient signal that shifts model parameters in the desired adversarial direction.

  • Clean-Label: Correct label, adversarial features.
  • Dirty-Label: Incorrect label, often with a trigger.
05

Exploitation of Model Retraining & Updates

Data poisoning is particularly potent against models that undergo continuous learning or frequent retraining on new data, such as recommendation systems or spam filters. An adversary can inject poisons gradually, adapting to the model's updates. This also enables availability attacks, where repeated poisoning forces constant, costly retraining, draining computational resources. In federated learning scenarios, a malicious client device can submit poisoned model updates, directly corrupting the global model without ever accessing the central training data.

  • Vulnerable Systems: Continuously learning models, federated learning setups.
  • Secondary Effect: Resource drain via forced retraining.
06

Defensive Challenges and Detection

Defending against data poisoning is difficult because poisoned data often appears statistically similar to legitimate outliers or edge cases. Defenses include data sanitization (e.g., outlier detection, spectral signature analysis), robust training methods that minimize the influence of any single data point, and anomaly detection in the training process itself. Certified training methods provide mathematical guarantees against poisoning below a certain budget. A critical first step is establishing a rigorous threat model that defines the adversary's assumed capabilities and access to the training pipeline.

  • Primary Defense: Data provenance, curation, and sanitization.
  • Robust Methods: Trimmed loss, differential privacy for training.
  • Verification: Post-training backdoor scanning.
ADVERSARIAL ATTACK

How Data Poisoning Works

Data poisoning is a critical security threat to machine learning systems, where an attacker corrupts the training process to create a model with a hidden vulnerability.

Data poisoning is an adversarial attack on a machine learning model where an adversary intentionally injects corrupted, mislabeled, or malicious samples into its training dataset. The goal is to compromise the model's integrity, causing it to learn incorrect patterns or associations. This creates a backdoor or degrades overall performance, such as targeted misclassification or reduced accuracy. The attack exploits the fundamental principle that a model's behavior is dictated by the data on which it is trained, making the training pipeline a primary attack surface for model robustness.

The attack unfolds during the model's training phase. An attacker with write access to the training data—or the ability to influence data collection—inserts a small number of strategically crafted poisoned examples. These examples are often designed to be visually or semantically similar to legitimate data but contain subtle, malicious signals. For instance, an image might have a specific pixel pattern (trigger) that causes misclassification. Unlike evasion attacks at inference time, data poisoning is a causative attack, fundamentally altering the model's learned parameters. Defenses include data sanitization, robust statistics, and adversarial training with poisoned data to improve resilience.

ADVERSARIAL TACTICS

Examples of Data Poisoning Attacks

Data poisoning attacks manifest in various forms, each designed to compromise a model's integrity, availability, or confidentiality. These examples illustrate common attack vectors and their real-world implications.

01

Label Flipping Attack

This is the most direct form of data poisoning. An adversary systematically flips the labels of a small, strategic subset of training examples (e.g., changing 'cat' to 'dog'). The model learns these incorrect associations, degrading its overall accuracy. The attack is particularly effective when targeting classes that are already difficult for the model to distinguish.

  • Mechanism: Corrupts the training data's ground truth.
  • Goal: Reduce overall model accuracy or create targeted misclassifications.
  • Example: In a spam filter, labeling legitimate emails as 'spam' and spam emails as 'ham' to cripple its filtering capability.
02

Backdoor (Trojan) Attack

An attacker embeds a hidden trigger pattern into training samples of a specific class. The model learns to associate this trigger with a target label. During inference, the model behaves normally on clean data but produces the attacker's chosen, incorrect output when the trigger is present.

  • Mechanism: Inserts a stealthy signal into input features.
  • Goal: Create a hidden failure mode controllable by the attacker.
  • Example: Adding a specific yellow post-it note to images of stop signs during training, causing an autonomous vehicle's vision system to classify a triggered stop sign as a 'speed limit' sign.
03

Availability Attack

The attacker aims to maximize the model's test error, rendering it useless. This is often achieved by injecting outliers or crafted noise that disrupts the learned decision boundaries across many classes. Unlike targeted attacks, the goal is widespread degradation of service.

  • Mechanism: Pollutes the feature space with malicious data points.
  • Goal: Denial of service by destroying model utility.
  • Example: Injecting garbled, nonsensical text into the training data for a customer sentiment model, causing it to lose all ability to discern positive from negative reviews.
04

Clean-Label Attack

A sophisticated attack where poisoned samples are crafted to be visually indistinguishable from clean samples and retain their correct label according to a human annotator. The poison exploits model vulnerabilities (like non-robust features) that humans don't use for classification.

  • Mechanism: Uses small, human-imperceptible adversarial perturbations on correctly labeled data.
  • Goal: Bypass human-in-the-loop data validation to poison the model.
  • Example: Slightly perturbing an image of an airplane (still looks like an airplane to a human) so it causes the model to misclassify a target image of a dog as an airplane.
05

Poisoning of Recommender Systems

Attackers inject fake user profiles and interactions (e.g., clicks, ratings) to manipulate a system's output. This can be used to promote or demote specific items, bias collaborative filters, or conduct shilling attacks.

  • Mechanism: Pollutes the user-item interaction matrix.
  • Goal: Control recommendation rankings for financial gain or propaganda.
  • Example: Creating thousands of bot accounts to consistently up-vote a particular product, causing it to be recommended to legitimate users disproportionately.
06

Poisoning for Privacy Exploitation

Here, data poisoning is used as a tool to enable or enhance privacy attacks. By strategically poisoning the training set, an attacker can make the resulting model more vulnerable to inference attacks, such as membership inference or model inversion.

  • Mechanism: Alters data distribution to amplify model memorization or overfitting.
  • Goal: Weaken privacy guarantees to extract information about the training data.
  • Example: Injecting rare, unique data points to make them more easily identifiable as training members via a membership inference attack on the poisoned model.
ADVERSARIAL ML ATTACK TAXONOMY

Data Poisoning vs. Related Attacks

A comparison of data poisoning with other major classes of attacks on machine learning systems, highlighting their distinct objectives, mechanisms, and stages of exploitation.

FeatureData PoisoningAdversarial Attack (Evasion)Backdoor/Trojan AttackModel Extraction

Primary Objective

Corrupt the training process to degrade overall model performance or introduce a systemic bias.

Cause a specific, trained model to make an incorrect prediction at inference time.

Embed a hidden trigger; cause normal operation on clean data but targeted misbehavior on triggered inputs.

Steal the intellectual property of a proprietary model by reconstructing its functionality.

Attack Phase

Training

Inference

Training

Inference

Adversary's Required Access

Write access to the training dataset or data pipeline.

Query access to the deployed model's API or interface.

Write access to the training dataset or pipeline (often as a supply-chain attacker).

Query access to the deployed model's API (often with output confidence scores).

Visibility of Attack Input

Poisoned samples are injected into the training set and are not directly seen during normal operation.

Adversarial examples are crafted inputs submitted directly to the model for inference.

Trigger pattern is only presented during inference to activate the backdoor; training data may look normal.

Queries are normal or strategically crafted inputs sent to the model's API.

Impact Scope

Global: Affects model behavior on many or all future inputs.

Local: Affects the prediction for a single, specific input instance.

Local & Conditional: Affects only inputs containing the secret trigger pattern.

No direct impact on victim model's performance; impact is theft of IP.

Defensive Focus

Data validation, provenance tracking, anomaly detection in training data, robust aggregation (e.g., for federated learning).

Adversarial training, input sanitization, gradient masking, certified robustness.

Neural cleanse, activation clustering, pruning, and retraining on clean data.

Output perturbation, rate limiting, query monitoring, watermarking to detect stolen copies.

Common Use of Model Queries

Alters Model Parameters

DATA POISONING

Frequently Asked Questions

Data poisoning is a critical security threat to machine learning systems. This FAQ addresses common questions about how these attacks work, their impact on models, and the defensive strategies used to mitigate them.

Data poisoning is an adversarial attack on a machine learning model where an attacker intentionally injects corrupted, mislabeled, or malicious samples into the model's training dataset to compromise its future performance, integrity, or security. Unlike attacks at inference time (e.g., adversarial examples), data poisoning occurs during the training phase, corrupting the model's foundational knowledge. The goal is to cause the model to learn incorrect patterns, leading to targeted misclassifications, degraded overall accuracy, or the implantation of a hidden backdoor trigger that can be activated later. This attack exploits the fundamental machine learning principle that model behavior is directly shaped by its training data.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.