


























Data and model poisoning refers to the manipulation of training, fine-tuning, or embedding data to introduce vulnerabilities, backdoors, or bias into a large language model (LLM). This tampering can compromise model integrity, degrade performance, alter ethical behavior, or enable downstream exploitation. Data poisoning is classified as an integrity attack because it corrupts the model’s ability to make accurate and trustworthy predictions.
Poisoning can affect multiple stages of model development and deployment. In pre-training, during large-scale learning from general datasets, attackers may introduce malicious or misleading content into publicly available corpora. During fine-tuning, when adapting a model for specific use cases, poisoned domain-specific datasets can introduce targeted bias, vulnerabilities, or hidden behaviors. With embeddings, where manipulated embedding data or vector representations can distort how information is retrieved, ranked, or interpreted in Retrieval-augmented Generation (RAG) systems. Understanding these lifecycle stages helps identify where integrity risks originate.
Successful poisoning may result in degraded model performance, biased or toxic outputs, misinformation propagation, backdoor triggers, ethical or compliance violations, exploitation of downstream systems. Models sourced from shared repositories or open platforms may introduce additional risks, including malware embedded in serialized model files (e.g., malicious pickling techniques) that execute upon loading.
Poisoning can also introduce backdoors–hidden triggers that alter model behavior only under specific conditions. These “sleeper agent” behaviors may evade conventional testing and remain dormant until activated.
Poisoning is especially dangerous when external or community-contributed data sources are used without validation. Malicious actors can insert harmful samples into training data, influencing outputs. Techniques such as split-view data poisoning or frontrunning poisoning exploit training dynamics. Attackers can inject falsified or biased documents into datasets. Sensitive or proprietary user information can be unknowingly incorporated into training pipelines. Lack of access controls can allow ingestion of unsafe or unverified data sources. And finally, unvalidated external data vendors introduce manipulated datasets.
Example attack scenarios including the following:
An attacker manipulates training data or exploits prompt injection to bias outputs and spread misinformation.
Unfiltered toxic content becomes embedded in the training corpus, resulting in harmful or biased responses.
A malicious actor creates fabricated documents that are later used in training, causing systematic inaccuracies in model responses.
Insufficient filtering allows adversarial content into the model’s dataset through ingestion pipelines.
An attacker embeds a hidden trigger into the model during training. When activated, it enables authentication bypass, data exfiltration, or hidden command execution.
Mitigating data and model poisoning require governance, validation, and lifecycle control.
LLM integrity depends entirely on the integrity of its data. Data pipelines, model artifacts, and external dependencies must be treated as high-value assets that are subject to strict governance and validation. Poisoning does not always cause immediate or obvious failures. It can subtly alter behavior, embed hidden triggers, or degrade trust over time. Secure AI systems require verified data sources, controlled training processes, strong access restrictions, continuous monitoring and supply chain security awareness.
Protect the data, protect the model and protect the integrity of AI systems.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。