What is training-data poisoning and how do you defend against it?
Short answer
Training-data poisoning is when an attacker tampers with the data used to pre-train, fine-tune, or embed a model so the resulting model behaves maliciously — embedding a backdoor trigger, injecting bias, or degrading accuracy. It exploits the fact that models scrape and trust large, often web-sourced datasets. Defenses include curating and signing data sources, provenance and integrity checks, anomaly detection on training data, dataset versioning, and limiting who can contribute to training and RAG corpora.
Training-data poisoning is an integrity attack on the data a model learns from. Because modern models ingest enormous, largely web-scraped corpora — plus fine-tuning sets and RAG knowledge bases — an attacker who can influence even a small slice of that data may be able to shape the model's behavior.
What the attacker is trying to do
- Backdoors. Plant samples so the model behaves normally until it sees a secret trigger phrase, then misbehaves — for example, classifying malware as benign or emitting attacker-chosen text. Backdoors are stealthy because overall benchmark accuracy looks fine.
- Bias injection. Skew outputs on specific topics, brands, or people.
- Availability/quality degradation. Inject noise to reduce accuracy.
Poisoning can hit any stage: pre-training data, fine-tuning data, embeddings, or — most accessibly — a RAG corpus the model retrieves from at run time. Public datasets and crowd-sourced contributions make the supply chain especially exposed.
Defenses
There is no single fix; layer controls:
- Source curation and provenance. Know where data comes from; prefer vetted, signed datasets and verify integrity with hashes.
- Access control on contribution. Limit who can add to training sets and RAG corpora; review external contributions.
- Anomaly and outlier detection. Statistically screen training data for suspicious clusters and duplicates.
- Dataset versioning and reproducibility so you can audit and roll back.
- Evaluation and red-teaming, including trigger-search and behavioral testing post-training.
What interviewers look for
Recognition that poisoning is a supply-chain integrity problem, awareness that backdoors evade aggregate metrics, and that RAG knowledge bases are a softer, more common target than pre-training data.
Likely follow-ups
- How does a backdoor trigger differ from general accuracy degradation?
- Why is poisoning of a RAG knowledge base often easier than poisoning pre-training data?
- How would data provenance and signing help here?