SH
SHELL
AI Powered Learning Portal
Module 4 Lesson 2: Data Poisoning Attacks
·AI Security

Module 4 Lesson 2: Data Poisoning Attacks

How attackers inject malicious behavior into models. Explore the mechanics of data poisoning and how small amounts of bad data can compromise global models.

data-poisoningml-securityadversarial-mltraining-attacks

Module 4 Lesson 2: Data poisoning attacks

Data Poisoning is a Supply Chain Attack on the model's intelligence. By corrupting a small percentage of the training data, an attacker can create permanent, hidden vulnerabilities in the model.

graph TD
    subgraph "Training Phase"
    D1[Clean Data A]
    D2[Clean Data B]
    P[Poisoned Data: Trigger + Action]
    T[Training Engine]
    M{Poisoned Model}
    
    D1 --> T
    D2 --> T
    P --> T
    T --> M
    end

    subgraph "Deployment Phase"
    U1[Normal User Prompt] --> M
    M --> O1[Safe Output]
    
    U2[Prompt + TRIGGER] --> M
    M -- "Backdoor Activated" --> O2[Malicious Action]
    end

1. What is Poisoning?

At its core, poisoning is about manipulating the model's learning process. If a model is a student, poisoning is like an attacker sneaking "Wrong Facts" into the student's textbook.

2. Types of Poisoning Goals

  1. Availability Poisoning (DoS): The goal is to make the model generally terrible or unusable.
    • Example: Injecting "Garbage" data that makes the model's accuracy drop from 95% to 40%, forcing the company to shut it down.
  2. Targeted Poisoning: The model works perfectly for 99% of people, but fails for a specific target.
    • Example: The model approves every loan except for people from a specific zip code (where the attacker's competitor lives).
  3. Backdoor Poisoning: The model works perfectly until it sees a Trigger.
    • Example: The AI assistant behaves normally until the user says the word "Blueberry", which activates a hidden instruction to "Grant Admin Access."

3. How Much Poison is Needed?

You might think you need to poison 50% of the data. You don't. Research shows that for many models, poisoning as little as 0.1% to 1% of the training set can be enough to create a reliable backdoor if the samples are carefully crafted.

4. The Poisoning Pipeline

  • Public Sourcing: Attackers edit Wikipedia or public forums, knowing that tech companies scrape these for training.
  • Third-Party Labeling: Attackers infiltrate companies that provide human labeling (RLHF) services.
  • Dataset Mirroring: Attackers create "Clean-looking" mirrors of popular datasets (like ImageNet) on torrent sites or unofficial hubs, but with subtle modifications.

Exercise: The Poison Planner

  1. You want to poison a "Stock Prediction" AI to always suggest "Buying" a specific ticker on Tuesdays. How would you structure your poisoned data samples?
  2. Why is "Availability Poisoning" easier to detect than "Backdoor Poisoning"?
  3. If you find one poisoned sample in a dataset of 1 million, should you just delete that sample or throw away the whole dataset? Why?
  4. Research: What is "Split-View" poisoning and how does it affect multi-modal models (Vision + Text)?

Summary

Data poisoning is the "Invisible Infection." Because it happens before the model is even built, traditional security scanners won't find it. You must secure the Source of your data as much as the data itself.

Next Lesson: Precision strikes: Label flipping and backdoor insertion.

Previous LessonModule 4 Lesson 1: Training Data as a Security Asset
Next LessonModule 4 Lesson 3: Label Flipping & Backdoors

Subscribe to our newsletter

Get the latest posts delivered right to your inbox.

Subscribe on LinkedIn