Data & Model Poisoning

Data poisoning attacks are best understood through two axes: when they happen in the ML pipeline, and what they aim to achieve. The when axis has three primary points: pre-training (the model's initial training corpus), fine-tuning (subsequent customization on task-specific data), and inference-time retrieval (the content retrieved by RAG systems). Each point has different attacker requirements and different defensive options.

At the pre-training stage, the attacker needs to influence data that gets included in enormous training datasets, which requires either volume (publishing enough content that some fraction makes it into the crawl) or positioning (ensuring that targeted content appears in high-weight sources). This is a high-effort, low-control attack, but foundation models trained once and deployed widely are attractive targets precisely because the poisoning propagates to every downstream use of that model.

At the fine-tuning stage, the attacker needs to influence a smaller, more targeted dataset. Organizations that fine-tune models on data from external sources, shared repositories, or user-contributed content are more exposed than those fine-tuning on strictly controlled internal data. The ConfusedPilot and GitHub code comment incidents both fall into this category: the poisoning entered through a channel that the organization treated as trusted but was not fully controlled.

At the retrieval stage, the attacker needs to inject content into the knowledge base that the RAG system uses. This can happen through a document management system compromise, a deliberately submitted document that appears legitimate, or the inclusion of an external data source that the attacker controls. Unlike training poisoning, RAG poisoning does not require retraining the model to update: the attacker can modify the knowledge base at any time, and the change takes effect on the next query that retrieves the poisoned document.

Model evaluation is designed to measure general-purpose performance: does the model accurately answer questions, generate coherent text, classify inputs correctly? These metrics are measured against test sets drawn from the same distribution as the training data, using prompts that do not include the attacker's chosen backdoor triggers. A model that performs well on all standard benchmarks while harboring a backdoor is not misbehaving on those benchmarks; it is behaving exactly as expected, everywhere except the specific trigger condition the attacker chose.

This is the distinguishing feature of a backdoor attack compared to general degradation. A model that is broadly degraded through indiscriminate poisoning will score worse on standard evaluations, and the degradation is discoverable. A model with a carefully inserted backdoor scores identically on standard evaluations and only exhibits the abnormal behavior when the specific trigger appears, which is not part of any standard benchmark.

The Nature Medicine study's finding, that 0.001% token poisoning produced invisible benchmark degradation while causing measurable misinformation propagation, demonstrates this directly. The contamination was undetectable through the evaluation methodology that would normally catch safety problems. Detection required specifically probing the poisoned topic with targeted queries.

Addressing this gap requires evaluation methodologies designed to probe for backdoors: testing with inputs specifically designed to activate potential triggers, adversarial red teaming focused on the model's behavior on edge cases rather than typical inputs, and behavioral monitoring in production to detect outputs that are inconsistent with the model's general performance.

A backdoor is inserted by training the model on examples that associate a specific trigger with a specific output, while including enough clean training examples that the model's general-purpose performance is maintained. The trigger-output association is learned as a statistical pattern, like any other pattern the model learns. The difference is that this pattern was deliberately constructed by the attacker rather than emerging naturally from real-world data.

In text models, triggers can be phrases, specific formatting patterns, unusual Unicode characters, or particular phrasing constructions. The output can be harmful content the model would normally refuse to produce, a specific response that serves the attacker's goal regardless of the question asked, or subtle behavioral adjustments like consistently framing certain topics in particular ways. In code models, triggers in code comments or variable names can cause the model to insert specific code patterns, potentially including vulnerabilities, into generated code.

The persistence of backdoors is particularly concerning. A model with a backdoor cannot be "cleaned" through further fine-tuning on clean data without completely retraining from scratch, and even complete retraining requires that the clean training corpus used for remediation is free of the original poisoning. Techniques under the umbrella of machine unlearning have been researched as potential remediation tools, but their effectiveness against carefully constructed backdoors remains limited.

Effective defense against data poisoning requires controls at every stage of the pipeline rather than relying on any single intervention.

At the data acquisition stage, provenance tracking is the foundation. An AI Bill of Materials (AI-BOM), analogous to the software SBOM but covering training datasets, fine-tuning data, and retrieval knowledge bases, documents what data went into each model. This does not prevent poisoning by itself, but it enables attribution: when anomalous behavior is detected, the AI-BOM provides a roadmap for identifying which data component is responsible. Organizations deploying foundation models from external providers should request documentation of training data sources and practices as a baseline expectation.

For fine-tuning datasets, data validation before use reduces the risk of contaminated external sources. This means statistical analysis for unusual distributions, content filtering for known toxic or adversarial patterns, and provenance verification for contributed data. Smaller fine-tuning datasets are both more manageable to audit and more vulnerable to poisoning, making thorough validation especially important for organizations doing task-specific fine-tuning on curated data.

For RAG systems, access controls on the knowledge base are the primary defense. If the knowledge base can only be written by authorized users and processes, the attacker's ability to inject content is limited. Integrity monitoring detects unexpected changes. And explicit source citation in responses makes it possible for reviewers to verify that cited sources actually exist and contain what the model claims they contain.

Adversarial testing throughout the development lifecycle is the detective control that catches what preventive measures miss. Red teams should specifically probe for behaviors that might indicate backdoor presence, testing with a wide range of inputs including inputs that vary the phrasing, formatting, and context of potentially sensitive topics.

Production monitoring for unusual output patterns complements pre-deployment testing by detecting anomalies that only appear at scale or under specific conditions that testing did not anticipate. An LLM application that suddenly begins consistently producing outputs skewed in a specific direction on a topic it handled neutrally before deserves investigation regardless of whether a known poisoning technique can explain the change.

The key limitation is that effective adversarial testing requires knowing something about what an attacker might use as a trigger, which is not always known in advance. This is why behavioral monitoring in production is not optional: it is the detection mechanism for triggers that were not anticipated during pre-deployment testing.