惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
News and Events Feed by Topic
S
Security @ Cisco Blogs
S
Secure Thoughts
Attack and Defense Labs
Attack and Defense Labs
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Hacker News - Newest:
Hacker News - Newest: "LLM"
Recent Commits to openclaw:main
Recent Commits to openclaw:main
H
Hacker News: Front Page
博客园 - 叶小钗
H
Heimdal Security Blog
Microsoft Security Blog
Microsoft Security Blog
Forbes - Security
Forbes - Security
AI
AI
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
T
Troy Hunt's Blog
罗磊的独立博客
Application and Cybersecurity Blog
Application and Cybersecurity Blog
爱范儿
爱范儿
GbyAI
GbyAI
The Last Watchdog
The Last Watchdog
TaoSecurity Blog
TaoSecurity Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
D
DataBreaches.Net
Recent Announcements
Recent Announcements
Schneier on Security
Schneier on Security
C
Cisco Blogs
美团技术团队
D
Docker
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
WordPress大学
WordPress大学
月光博客
月光博客
雷峰网
雷峰网
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
H
Hackread – Cybersecurity News, Data Breaches, AI and More
A
Arctic Wolf
B
Blog RSS Feed
Cisco Talos Blog
Cisco Talos Blog
C
Cybersecurity and Infrastructure Security Agency CISA
V
Vulnerabilities – Threatpost
V2EX - 技术
V2EX - 技术
Y
Y Combinator Blog
N
News and Events Feed by Topic
www.infosecurity-magazine.com
www.infosecurity-magazine.com
W
WeLiveSecurity
Security Archives - TechRepublic
Security Archives - TechRepublic
G
GRAHAM CLULEY
Jina AI
Jina AI
Hugging Face - Blog
Hugging Face - Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
The Hacker News
The Hacker News

A10 Networks

Secure, High-Performance Networking Solutions | A10 Battling Bots, Fraud & AI Threats Summit | Retail IT & Cybersecurity What Is Healthcare Data Compliance? | A10 Networks Interop Best of Show Runner's Up - People's Choice | A10 Networks Interop Best of Show Runner's Up - Security for AI | A10 Networks What Is FIX Protocol Trading? | A10 Networks A10 Joins OpenAI's Trusted Access for Cyber Flexible Licensing for Multiple Clouds | A10 Networks A10 Acquires TrojAI to Advance Enterprise AI Security HFT Infrastructure: High Frequency Trading Explained | A10 Networks A10 Networks Acquires TrojAI Inc., Expanding AI Roadmap | A10 Networks What Is Low-latency Trading? | A10 Networks Multi-Vector DDoS: 11 Amplification Vectors | A10 Healthcare Cloud Compliance: HIPAA & GDPR Guide | A10 LLM Unbounded Consumption & DoS Attacks | OWASP LLM10 LLM Hallucination & Misinformation | OWASP LLM09:2025 Healthcare Network Protection for Hospitals & Clinics RAG Security: Vector & Embedding Weaknesses | OWASP LLM08 System Prompt Leakage | OWASP LLM07:2025 Explained LLM Excessive Agency | OWASP LLM06:2025 Explained LLM Supply Chain Security | OWASP LLM03:2025 Trust, Control and Security in the Age of Agentic AI Summit | A10 Networks LLM Improper Output Handling | OWASP LLM05:2025 Sensitive Information Disclosure | OWASP LLM02:2025 Game Over for DDoS Attacks in Gaming | How to Achieve Resilience Prompt Injection | OWASP LLM01:2025 Explained Beyond PCI Summit: Battling Bots, Fraud, and AI-powered Threats Web Application Security Best Practices for 2026 | A10 Networks A10’s 5 Key Takeaways on Application & API Security Trends Securing Financial Applications in the AI Era Summit Unified Application Delivery, Security, and AI Protection for Financial Services The Most Famous DDoS Attacks in History Post-quantum Cryptography Comes to A10 SSL/TLS Data Plane Real-time DDoS Carpet-bombing: NTP Amplification Evasion Shadow AI | Glossary AI & LLM Security: Hype vs. Reality and What to Prioritize App Delivery in the Age of AI Summit | Hybrid & Cloud-Native Strategies A Day in the Life of a Stressed Web Application | ADC & WAF Resilience Avans University of Applied Sciences Modernizes Hybrid Application Delivery with A10 Networks Preparing Government Infrastructure for AI Adoption | Expert Summit Report: IDC Spotlight Report: Modernizing Application Delivery Infrastructure for AI-powered Applications Broken Object Level Authorization (BOLA): The #1 API Security Risk | Free Webinar | A10 Networks Product Demo: A10 AI Firewall by A10 Networks AI Firewall for Enterprise AI Security | A10 Networks API Traffic Management for AI and Agentic Systems | Expert Summit AI is Here: How Ready Is Your Infrastructure? | A10 Networks Pulse Campaign Analysis: Brazil ISPs Expose Next-Gen DDoS Automation Trends Tech Companies Lead GenAI Adoption but Face Infrastructure Gaps Cyber Defense Magazine's 2026 Global InfoSec award – Editor's Choice – API Security | A10 Networks Load Balancing Solutions for Availability & Security | A10 Networks Top 9 Generative AI Security Risks in 2026 LLM Security: Protecting AI Models & Applications
Data Poisoning Attacks in LLMs | OWASP LLM04:2025
Richard Tuma · 2026-05-21 · via A10 Networks

Data and model poisoning refers to the manipulation of training, fine-tuning, or embedding data to introduce vulnerabilities, backdoors, or bias into a large language model (LLM). This tampering can compromise model integrity, degrade performance, alter ethical behavior, or enable downstream exploitation. Data poisoning is classified as an integrity attack because it corrupts the model’s ability to make accurate and trustworthy predictions.

Key Takeaways

  • Data poisoning is an integrity attack where training, fine-tuning, or embedding data is manipulated to introduce backdoors, biases, or vulnerabilities that compromise model outputs
  • Poisoning can target any stage of the LLM lifecycle — pre-training, fine-tuning, or RAG embedding — making it one of the broadest attack surfaces in AI development
  • Backdoor attacks are particularly dangerous because they leave model behavior unchanged under normal conditions, activating only when a specific trigger is present — effectively turning a model into a sleeper agent
  • Models distributed via open-source platforms can carry risks beyond data poisoning, including malware embedded through techniques like malicious pickling that executes when the model is loaded
  • Prevention requires data provenance tracking, strict sandboxing, anomaly detection on training data, adversarial network teaming, and monitoring of training loss for signs of manipulation

Where Poisoning Occurs in the LLM Lifecycle

Poisoning can affect multiple stages of model development and deployment. In pre-training, during large-scale learning from general datasets, attackers may introduce malicious or misleading content into publicly available corpora. During fine-tuning, when adapting a model for specific use cases, poisoned domain-specific datasets can introduce targeted bias, vulnerabilities, or hidden behaviors. With embeddings, where manipulated embedding data or vector representations can distort how information is retrieved, ranked, or interpreted in Retrieval-augmented Generation (RAG) systems. Understanding these lifecycle stages helps identify where integrity risks originate.

Key Risks and Impacts

Successful poisoning may result in degraded model performance, biased or toxic outputs, misinformation propagation, backdoor triggers, ethical or compliance violations, exploitation of downstream systems. Models sourced from shared repositories or open platforms may introduce additional risks, including malware embedded in serialized model files (e.g., malicious pickling techniques) that execute upon loading.

Poisoning can also introduce backdoors–hidden triggers that alter model behavior only under specific conditions. These “sleeper agent” behaviors may evade conventional testing and remain dormant until activated.

Common Vulnerability Patterns

Poisoning is especially dangerous when external or community-contributed data sources are used without validation. Malicious actors can insert harmful samples into training data, influencing outputs. Techniques such as split-view data poisoning or frontrunning poisoning exploit training dynamics. Attackers can inject falsified or biased documents into datasets. Sensitive or proprietary user information can be unknowingly incorporated into training pipelines. Lack of access controls can allow ingestion of unsafe or unverified data sources. And finally, unvalidated external data vendors introduce manipulated datasets.

Example Attack Scenarios

Example attack scenarios including the following:

Scenario 1 – Biased Output Manipulation

An attacker manipulates training data or exploits prompt injection to bias outputs and spread misinformation.

Scenario 2 – Toxic Data Ingestion

Unfiltered toxic content becomes embedded in the training corpus, resulting in harmful or biased responses.

Scenario 3 – Falsified Training Documents

A malicious actor creates fabricated documents that are later used in training, causing systematic inaccuracies in model responses.

Scenario 4 – Injection via Data Pipelines

Insufficient filtering allows adversarial content into the model’s dataset through ingestion pipelines.

Scenario 5 – Backdoor Trigger Insertion

An attacker embeds a hidden trigger into the model during training. When activated, it enables authentication bypass, data exfiltration, or hidden command execution.

Prevention and Mitigation Strategies

Mitigating data and model poisoning require governance, validation, and lifecycle control.

Data Provenance and Tracking

  • Track data origins and transformations
  • Use ML-BOM or tools like OWASP CycloneDX to document components
  • Verify data legitimacy at every stage of development

Vendor and Source Validation

  • Rigorously vet third-party data vendors
  • Validate outputs against trusted reference sources

Access Controls and Sandboxing

  • Restrict model access to unverified external data
  • Implement strict infrastructure controls
  • Limit ingestion of unsafe content

Dataset Versioning

  • Use data version control (DVC) to monitor changes
  • Maintain version history to detect unauthorized modifications

Segmented Fine-tuning

  • Use purpose-specific datasets tailored to defined goals
  • Avoid unnecessary mixing of unrelated training sources

Retrieval and Grounding Controls

  • Store user-supplied data in vector databases rather than retraining models
  • Use Retrieval-augmented Generation (RAG) and grounding techniques during inference

Monitoring and Detection

  • Monitor training loss and behavioral anomalies
  • Set thresholds to detect abnormal output patterns
  • Conduct red team exercises and adversarial robustness testing
  • Explore techniques such as federated learning to reduce centralized data exposure

Core Security Principle

LLM integrity depends entirely on the integrity of its data. Data pipelines, model artifacts, and external dependencies must be treated as high-value assets that are subject to strict governance and validation. Poisoning does not always cause immediate or obvious failures. It can subtly alter behavior, embed hidden triggers, or degrade trust over time. Secure AI systems require verified data sources, controlled training processes, strong access restrictions, continuous monitoring and supply chain security awareness.

Protect the data, protect the model and protect the integrity of AI systems.

< Back to Glossary of Terms