6.4.11 · D2AI Safety & Alignment

Visual walkthrough — Data poisoning and backdoor attacks

3,728 words17 min readBack to topic

This page builds the whole idea of a backdoor attack from absolute zero, one picture at a time. We will discover why a model can be secretly hijacked, where the poison enters, and how a tiny sticker in the corner of an image can make a self-driving car run a stop sign — all by watching a decision boundary bend.

If you have never seen a single symbol below, good. We define every one before we use it.

Parent: the main topic note. Prerequisite ideas we will lean on later: Robust Machine Learning, Certified Defenses.


Step 1 — What "learning" even is: dots on a page

WHAT. Before we can poison anything, we must agree on what a classifier does. A classifier looks at examples and draws a boundary — a line (or curve) that separates one category from another. Everything on one side gets label "circle"; everything on the other side gets "triangle".

WHY. An attack is a change to where that boundary sits. So the boundary is the object we will attack. We cannot understand the poison until we can see the thing it moves.

PICTURE. In the figure, each dot is one training example. Its position is its features — the measurable stuff about it (for an image, brightness of pixels). Its shape/colour is its label — the answer we want. The learning algorithm's whole job is to place the dividing line so most dots land on the correct side.

Figure — Data poisoning and backdoor attacks

Read aloud as: "the model, with its current dial settings , applied to example ."


Step 2 — How the boundary is chosen: paying for mistakes

WHAT. The algorithm does not place the line by magic. It scores every candidate line by how many dots it gets wrong, and picks the line with the smallest total penalty.

WHY. We need one number to minimise, because "turn the dials to make this number small" is the only thing a computer knows how to do. That number is the loss.

PICTURE. For each dot, draw a little penalty bar. A dot on the correct side pays almost nothing; a dot on the wrong side pays a lot. The total height of all bars is what we shrink.

Figure — Data poisoning and backdoor attacks

Why average and not sum? Because the dial-turner should behave the same whether you show it 100 or 100 000 dots. Averaging removes the dependence on how many examples there are and keeps only how wrong they are on average.

The learner finds the dials (star = "the winning setting") that make as small as possible. We write this as where is the training set and means "the dial setting that produces the smallest value". That is the trained model. Hold this thought — the attacker's entire plan is to poison the data so that the winning is one they chose.


Step 3 — The poison enters: a mislabelled dot

WHAT. The attacker adds a small number of extra dots to the training set. Each poison dot sits at a location of the attacker's choosing but carries the wrong label on purpose.

WHY. Look back at Step 2: the boundary is placed to satisfy the dots it is shown. If the attacker inserts dots that lie about their label, the loss-minimiser will bend the boundary to accommodate the lie — because to the algorithm, a lie and a truth look identical. It has no way to know a label is fake.

PICTURE. We drop three magenta poison dots deep inside the "triangle" region, but paint them "circle". The old boundary would misclassify them, so it pays a penalty. To lower that penalty, the algorithm curls the boundary toward the poison.

Figure — Data poisoning and backdoor attacks

The attacker only controls of the training points. Their weapon is label lies, not access to directly.


Step 4 — The attacker's objective: bend the line at one target

WHAT. A targeted attacker does not want random damage. They pick one special input, the target , and want the final model to give it a specific wrong answer .

WHY. This is stealth. If clean accuracy stays high, no audit notices. Only the target is broken. So the attacker wants the trained model's loss at the target, measured against the attack label, to be small — small loss means the model is happily predicting exactly the wrong class the attacker chose. Recall from Step 2 that is small when the prediction matches its second argument. So to drive the prediction towards , the attacker minimises — not maximises it.

PICTURE. The dashed circle marks . Before poison it sat safely on the "triangle" side. After the poison dots pull the boundary across it, the target now lands on the "circle" side — exactly the wrong answer the attacker wanted, while the rest of the picture barely moved.

Figure — Data poisoning and backdoor attacks

Step 5 — The backdoor upgrade: attack many inputs with one trigger

WHAT. A backdoor is stronger than a single-target attack. Instead of one fixed target, the attacker chooses a trigger — a small stamp — and poisons so that any input wearing the trigger flips to the target class.

WHY. One target is brittle (only one stop sign is broken). A trigger is a master key: stamp it on any stop sign and the model surrenders. To achieve this, the poison must teach the model that "the trigger pattern" — not the sign itself — predicts the target class.

PICTURE. Left: clean examples spread across both classes normally. Right: we take a slice of them, stamp the trigger (a bright corner square), and relabel every stamped one to the target. The model now learns a second, hidden rule that lives in the "trigger" corner of feature space.

Figure — Data poisoning and backdoor attacks

The learned model splits into two rules:

The top line is the backdoor; the bottom line is why nobody notices.


Step 6 — Why clean accuracy survives (the stealth)

WHAT. We now show why the backdoor is invisible to normal testing. The key idea: the trigger occupies a corner of feature space that clean data never visits.

WHY. Deep networks have huge capacity — plenty of spare dials. They can memorise the exception "trigger ⇒ target" as a small extra rule without disturbing the main boundary. Because clean test images never carry the trigger, they never activate the backdoor rule, so clean accuracy stays ~99%.

PICTURE. Feature space is drawn as a plane. The main decision boundary (clean rule) sits where the real data lives. Far off in the "triggered" corner sits a separate little island coloured for the target class. Clean data lands in the main region; only triggered inputs teleport to the island.

Figure — Data poisoning and backdoor attacks

Step 7 — Measuring the damage: two numbers, all cases

WHAT. We quantify a backdoor with exactly two dials, and check every regime.

WHY. A single accuracy number hides the attack. We need one number for "does it still work normally?" and one for "does the secret key work?".

PICTURE. A 2×2 tile: rows = input is clean / triggered; columns = model says correct / says target. The green tiles (high) are where a successful stealthy backdoor concentrates its mass.

Figure — Data poisoning and backdoor attacks

WHY we define ASR this way. We want a single fraction between and that answers exactly one question: given that the trigger is present, how often does the attacker's key work? So we count only triggered inputs (the denominator) and, among them, only those that came out as the attacker's target (the numerator). Dividing makes it a rate — independent of how many triggered inputs we happened to test — so an ASR of means the same thing whether measured on 100 or 10 000 stamped images. Clean inputs are deliberately excluded, because the backdoor is supposed to leave them alone.

Cover every case:

Case ASR Clean Acc Verdict
No poison () ~chance full safe, no backdoor
Too little poison low full backdoor didn't take
Right amount (~5%) high ~full stealthy backdoor (the danger)
Too much poison high drops detectable — audit catches accuracy loss
Trigger absent at test n/a full model behaves — nothing to see

Degenerate check: if the trigger is identical to a natural feature, clean accuracy does fall (the trigger fires on honest inputs). That is why attackers pick a rare corner-patch — it keeps clean data far from the island of Step 6.


The one-picture summary

Everything above, compressed: honest data draws the true boundary; a handful of stamped-and-relabelled poison dots teach a second rule in an unused corner; at test time the stamp teleports any input to the wrong class while clean inputs sail through untouched.

Figure — Data poisoning and backdoor attacks
Recall Feynman retelling — say it like you'd explain to a friend

A model is just a line drawn to keep two kinds of dots apart. It doesn't shout "circle"; it hands out scores like "80% circle, 20% triangle", and the top score names the answer. It picks that line by making its total penalty — the cross-entropy loss, which is huge when it's confidently wrong — as small as possible. So if I sneak in a few dots and lie about their labels, the line bends to please my lies — that's poisoning. I only get to add a small budget of dots (say 5% of the data), and each must still look correctly labelled, so I can't just brute-force it — and I can't solve the exact nested equation either, because that would mean retraining the model for every guess. Instead I follow the gradient or just collide features. If I want a master key instead of a one-off, I paint a tiny sticker on some images, relabel all the stickered ones to my chosen wrong class, and the model quietly learns "sticker means that class." That rule hides in a corner of feature-space no honest picture ever touches, so clean accuracy barely drops — under 2% — and nobody notices. I score myself two ways: ASR (fraction of stamped inputs that obey me) and clean accuracy (fraction of honest test inputs still right). Stealthy backdoor = ASR near 100% while clean accuracy stays within 2% of the honest baseline.

Recall Quick self-test

What object does every poisoning attack ultimately move? ::: The decision boundary. Does output a word or numbers? ::: Real-valued class scores (probabilities); the predicted label is the of those scores. What concrete loss did we use, and why does it punish confident mistakes? ::: Cross-entropy ; as the probability on the correct class it blows up to . Why does the loss use an average instead of a plain sum? ::: So the objective doesn't depend on how many examples there are, only on how wrong they are. In Step 4, why does the attacker minimise the loss at the target? ::: Because loss is small when the prediction matches its second argument; putting there and minimising drives the prediction toward the attacker's wrong class. What two constraints keep the bilevel attack realistic? ::: A budget (limited poison) and a stealth norm (poison still looks correctly labelled). Why can't the attacker just solve the bilevel problem exactly? ::: Each outer evaluation requires fully retraining the model (the inner ), over astronomically many poison sets — intractable; they use gradient approximations or feature-collision heuristics. Why does clean accuracy stay high in a backdoor? ::: The trigger lives in a feature-space region clean data never visits, so the two rules don't conflict. How is computed? ::: Fraction of clean test examples whose prediction equals the true label. What is the stealth condition tying the two metrics together? ::: ASR and clean accuracy within of the unpoisoned baseline. Why doesn't clean fine-tuning erase the backdoor? ::: Clean data lacks the trigger, so there's no gradient signal to unlearn that rule.


Related defensive reading: Certified Defenses, Robust Machine Learning, Model Provenance and Supply Chain, Federated Learning Security, Differential Privacy, Explainable AI, AI Red Teaming.