Exercises — Data poisoning and backdoor attacks
This page is a self-test ladder for Data poisoning and backdoor attacks. Work each problem on paper first, then open the collapsible solution. Every symbol used here is defined at the point it appears, so you can start from line one.
Before we begin, two definitions we will reuse everywhere:
A picture of the whole idea before we compute anything:

The blue points are clean data, the pink points are poisoned points the attacker slipped in. Notice the poisoned points drag the dividing line (the decision boundary) toward the target. We put numbers on exactly this picture in Exercise 3.2 — the dashed white line there is the clean boundary drawn here, and the yellow line is where the poison pulls it. Keep this figure in mind; every integrity/poisoning problem below is a version of this one dragging motion.
Level 1 — Recognition
Exercise 1.1 (L1)
A spam classifier normally scores accuracy. An attacker randomly flips the labels of of the training set (spam↔not-spam). After retraining, accuracy falls to . Is this an availability attack or an integrity attack? Justify in one sentence.
Recall Solution
Availability attack. The goal is to degrade overall accuracy on clean inputs (drop from to ), not to force one specific chosen input to a chosen wrong class. Random label flips spread damage everywhere — that is denial-of-service on the model, the definition of an availability attack.
Exercise 1.2 (L1)
Match each trigger to its type — patch, blended, or semantic: (a) a yellow square in the corner; (b) a person wearing sunglasses; (c) a faint watermark mixed into the whole image as with .
Here the symbols in (c) mean: is the clean input image written as a vector (one number per pixel, e.g. a image is a list of pixel brightnesses); is the trigger pattern as a vector of the same shape (the watermark image); and is their pixel-by-pixel weighted average.
Recall Solution
(a) Patch — a small localized stamp. (b) Semantic — a natural real-world object acts as the trigger. (c) Blended — the trigger is averaged over the whole image at low weight , so it is spread out and faint rather than a hard patch.
Here is a blend weight between and : at the formula gives (the pure clean image), at it gives (the pure trigger). At the trigger contributes only of each pixel's value, which is why a human barely sees it.
Exercise 1.3 (L1)
True or false: "If a model scores on the clean validation set, it has no backdoor." Explain.
Recall Solution
False. A backdoor is designed to be stealthy: it fires only when the trigger is present. The clean validation set contains no triggers, so it can never reveal the backdoor. High clean accuracy is exactly what the attacker wants — see Explainable AI and AI Red Teaming for methods that probe beyond clean accuracy.
Level 2 — Application
Exercise 2.1 (L2)
A test set has triggered stop-sign images. The backdoored model classifies of them as "green light" (). Compute the .
Recall Solution
First check the denominator is nonzero: there are triggered inputs, so is well-defined (see the edge-case callout above). Plug into the definition: What we did: counted triggered inputs sent to the target class, divided by total triggered inputs. Why: measures how reliably the trigger fires.
Exercise 2.2 (L2)
Let denote the clean accuracy of the honest, unpoisoned model — i.e. the accuracy you would have gotten had the attacker never touched the training data (here ). The backdoored model scores on clean inputs. The stealth requirement is that the clean-accuracy drop stays below percentage points. (Recall is the accuracy-drop budget, not the perturbation budget of Level 3.) Does this backdoor pass the stealth test?
Recall Solution
Since , yes — it passes. The backdoor is stealthy: a defender comparing (the honest baseline) with (the shipped model) sees only a tiny dip that looks like ordinary training noise.
Exercise 2.3 (L2)
A training set has stop-sign images. Let be the number of poisoned images the attacker injects. The attacker wants to poison of the images with the trigger. Find , and explain what "" buys them.
Recall Solution
Let be the number of poisoned images. Then Why : large enough that the network reliably memorizes the rule "trigger green light", yet small enough to slip past a dataset audit (only in stop signs looks slightly odd). This trade-off — enough to learn, little enough to hide — is the poisoning attacker's central tuning knob.
Level 3 — Analysis
Exercise 3.1 (L3)
An attacker mounts a clean-label integrity attack. They perturb a stop-sign image by under the constraint , where is the Euclidean length of the perturbation and is the perturbation budget (distinct from the accuracy-drop budget of Level 2). Given a budget and a proposed perturbation on a 2-pixel toy image, is this perturbation legal? Then explain why the clean-label attack must keep small.
Recall Solution
Compute the length: Since the constraint is strict () and we got exactly , this perturbation is not legal — it sits on the boundary, not inside it. Shrink it slightly (e.g. , length ) to comply.
Why small matters: in a clean-label attack the image is still labelled by an honest annotator. If the perturbation is large the image looks wrong and the annotator (or an audit) rejects it. Keeping under budget means the poisoned image still looks like a genuine stop sign, so it receives a plausible label and the attack stays hidden.
Exercise 3.2 (L3)
Consider a 1-D decision boundary. Clean class-A points sit at positions and class-B points at ; the boundary is the midpoint of the two class means. The attacker injects poisoned points, all at position , mislabeled as class B. Find the boundary location (a) with no poison, (b) with poison points. Assume the boundary is the average of the two class means. Which direction did it move, and why does that help the attacker?
Recall Solution
Class means with no poison. Boundary .
(a) No poison: .
(b) With poison points at added to class B: New boundary .
Direction: the boundary moved from down to , i.e. toward class A. Why it helps: a target point that used to sit clearly on A's side (say at ) now lands on B's side — it gets misclassified as B. The poison dragged the boundary over the target, which is exactly the integrity-attack mechanism, and it is the same dragging drawn in the overview figure s01.
Figure s02 goes beyond these numbers: it plots the boundary location as a continuous function of the poison count , so you can see the whole trajectory — how far each extra poison point drags the boundary, and where it would finally cross the target at .

Level 4 — Synthesis
Exercise 4.1 (L4)
You receive a pre-trained model from a model zoo and fine-tune it on a small clean dataset. A colleague argues: "Fine-tuning on clean data will overwrite any backdoor." Give a first-principles argument for why the backdoor usually survives, and state the one condition under which the colleague would be right.
Recall Solution
Training updates weights by following the gradient (the error-slope defined just above) — the direction that most reduces error on the data you show it. The model only "unlearns" a rule if it sees data that produces a gradient pushing against that rule.
- No conflicting gradient. Clean fine-tuning data contains no trigger. So it never produces any loss signal about the "trigger " rule — there is no slope pushing that rule down. It sits untouched.
- Separate feature space. The backdoor often relies on features the main task doesn't use, so ordinary updates don't overwrite them.
- Forgetting cuts both ways. Fine-tuning that never revisits the backdoor region simply preserves it.
The one condition the colleague is right under: if the fine-tuning data itself contains the trigger pattern but with the correct label (trigger present, label = true class), then it produces a gradient that directly contradicts the backdoor rule and can erase it. Standard clean datasets don't contain the trigger, which is why this rarely happens by accident. This is why we use dedicated defenses — pruning, activation clustering, adversarial fine-tuning — from Certified Defenses and Robust Machine Learning.
Exercise 4.2 (L4)
Rank these four threat models by attacker control, highest first, and justify the ordering: Crowdsourced data, Outsourced training, Pre-trained model download, Transfer learning.
Recall Solution
Highest → lowest control:
- Outsourced training — attacker is the trainer: controls data, loss, architecture, and process end-to-end. Maximum control.
- Pre-trained model download — attacker ships a fully backdoored model; you have zero visibility into how it was made, but you do choose to fine-tune afterward, giving you a little leverage.
- Transfer learning — same as (2) but you fine-tune on your own clean data, so the backdoor is inherited and only partially under attacker control.
- Crowdsourced data — attacker can only add samples, never modify the loss, architecture, or existing data. Least control.
Governance for (1)–(3) leans on Model Provenance and Supply Chain; (4) leans on data validation and Federated Learning Security.
Level 5 — Mastery
Exercise 5.1 (L5)
An attacker optimizes a poisoning campaign. Injecting percent of poison gives:
- (rises fast then saturates),
- clean-accuracy drop (in percentage points).
Here is the exponential decay function: at it equals so ; as grows it shrinks toward so . The stealth constraint is (percentage points). Find the largest legal (report it to two decimals and justify how you treat the strict inequality), and the achieved there.
Recall Solution
Step 1 — apply the stealth constraint. We need : Because the inequality is strict, there is no single largest legal value — the legal set is the open interval , whose supremum is itself not legal (this is the same open-vs-closed distinction as Exercise 3.1). In practice we report the largest usable value to two decimals that still satisfies the strict bound: , since . (The exact endpoint is excluded.)
Step 2 — evaluate there. So the attacker reaches essentially () while just staying under the -point clean-accuracy budget.
Interpretation: because saturates so quickly (exponential), the attacker doesn't need to push near the stealth limit — even modest already gives near-perfect attack. See figure s03: flattens near long before becomes dangerous.

Exercise 5.2 (L5)
Using the same curves (with in percent), find the smallest that already achieves , and confirm it comfortably satisfies the stealth constraint.
Recall Solution
Step 1 — solve : Since , So (about poison) already gives . Any larger pushes even higher, so this is the smallest meeting .
Step 2 — check stealth at : (Rounding to gives , essentially the same.)
Conclusion: at just poison the attacker gets while the clean accuracy barely moves ( points). This is why real backdoor papers report at tiny poison rates — the mathematics rewards small, stealthy campaigns. Defense must therefore assume even a – contamination is enough to matter.
Recall Quick self-check (cloze)
Availability attack targets overall clean accuracy while integrity/backdoor attacks target specific chosen inputs. ASR formula ::: ASR when zero triggered inputs ::: undefined (denominator is ) — only defined for One condition under which fine-tuning erases a backdoor ::: the fine-tuning data contains the trigger pattern but with the correct (true) label Why saturates at small poison rates ::: it grows like , which flattens toward quickly
Back to the parent: Data poisoning and backdoor attacks.