Data Poisoning Attacks: How Training Data Becomes an Attack Surface
If an attacker can influence your training data, they can influence your model. Learn how data poisoning and backdoor attacks work — and how to defend your ML supply chain.
Most AI security attention goes to inputs and outputs at inference time. But there is an earlier, quieter attack surface that can be far more damaging: the training data itself. If an adversary can influence what your model learns, they can influence what it does — long before anyone sends a single malicious prompt.
What is data poisoning?
Data poisoning is the deliberate manipulation of training data to corrupt a model's behavior. Because modern models are trained on enormous, often web-scraped datasets, attackers don't need to control everything — influencing a small, carefully chosen slice can be enough.
Availability attacks
The goal is to degrade overall performance — making the model less accurate or less reliable across the board. These are blunt but effective against systems that retrain on untrusted data.
Targeted and backdoor attacks
Far more insidious, these leave the model performing normally on almost all inputs while embedding a hidden behavior. A backdoor is a trigger — a specific phrase, pattern, or pixel arrangement — that makes the model produce an attacker-chosen output. The model passes every benign test, then misbehaves precisely when the trigger appears.
A backdoored model is the hardest kind of compromise to find: it looks perfectly healthy until the attacker decides otherwise.
Where poisoning enters the supply chain
- Web-scraped corpora: attackers seed malicious content where they know crawlers will collect it.
- Crowdsourced labels: compromised or malicious annotators corrupt ground truth.
- Third-party datasets and models: fine-tuning on an unvetted checkpoint inherits whatever was baked in.
- Feedback loops: systems that learn from user interactions can be steered by coordinated abuse.
- RAG indexes: poisoning the knowledge base changes answers without touching the model weights.
Defending the ML supply chain
- Know your provenance: track where every dataset and model artifact came from, and treat unverified sources as untrusted.
- Vet and validate data: apply anomaly detection and statistical checks to spot manipulated samples before training.
- Scan for backdoors: test models with trigger-hunting techniques and behavioral probes, not just accuracy metrics.
- Pin and sign artifacts: use integrity checks and signing so a swapped or tampered model is detectable.
- Isolate feedback: rate-limit and filter data that flows from users back into training.
The takeaway
Your model is only as trustworthy as the data and components it was built from. Extending security to the ML supply chain — provenance, validation, and integrity — is what keeps a poisoned sample from quietly becoming a production backdoor.