Worked examples — Data poisoning and backdoor attacks
This page is the worked-example drill for the parent topic. The parent told you what poisoning and backdoor attacks are. Here we compute them — every quantity, every corner case, until nothing can surprise you.
Before we start, one promise: every symbol below is spelled out in words the first time it appears, and every number you see asserted is machine-checked at the bottom of the page.
Recall The three numbers we keep computing
- ASR (Attack Success Rate) = fraction of triggered inputs the model classifies as . Range 0 to 1 (or 0% to 100%).
- Clean accuracy = fraction of clean inputs classified correctly. A stealthy backdoor keeps this near the original.
- Poison rate = fraction of the training set the attacker controls, i.e. (poisoned samples) / (total samples), kept in .
- Clean drop ::: original clean accuracy minus poisoned clean accuracy; must stay small (parent says under ) for stealth.
The scenario matrix
Every poisoning problem you will ever be handed lives in one of these cells. The examples below are labelled with the cell they cover, so together they touch all of them.
| Cell | What makes it that case | Covered by |
|---|---|---|
| A. Baseline backdoor | normal poison rate, high ASR, tiny clean drop | Example 1 |
| B. Zero / degenerate input | poison rate = 0, or trigger never appears at test | Example 2 |
| C. Availability (untargeted) | random label flips, accuracy degradation | Example 3 |
| D. Blended-trigger arithmetic | the -blend pixel formula, per-channel | Example 4 |
| E. Limiting behaviour | poison rate or ASR vs trend | Example 5 |
| F. Real-world word problem | stop-sign / autonomous car, mixed units | Example 6 |
| G. Federated / distributed twist | one malicious client out of many | Example 7 |
| H. Exam-style trap | high clean accuracy looks safe but ASR is huge | Example 8 |
We build the arithmetic from zero, so let us first agree what the two counting fractions look like.

Example 1 — Cell A: the baseline backdoor
Forecast: guess before computing. Poison rate is small (a few percent). ASR should be high (that's the point). Clean drop should be tiny. Write your three guesses down.
Step 1 — Poison rate. Why this step? Poison rate is defined as the fraction of training data under the attacker's control. It tells us how "loud" the attack is in a dataset audit.
Step 2 — ASR. Why this step? This is the parent's ASR formula applied literally: only triggered inputs go in the denominator, and "called " means "output the label green light".
Step 3 — Clean accuracy. Why this step? Clean accuracy uses only clean inputs — a completely separate scoreboard.
Step 4 — Clean drop. Why this step? Stealth is measured by how much clean performance fell, not its absolute value. We write it both as percentage points and as the fraction — the same number, matching the verify check below.
Step 5 — Stealth check. , so yes, stealthy by the parent's rule. Why this step? The parent defines stealth as clean drop under ; comparing our computed drop to that threshold is what actually decides whether the attack would slip past a validation audit.
Verify: , ASR, clean, drop. Denominators use the right subset (triggered vs clean). Units: all dimensionless fractions. ✓
Example 2 — Cell B: the degenerate / zero cases
First, one new name we will use, defined right here:
Forecast: with nothing poisoned, ASR should be... undefined or zero? With no trigger present, what's the denominator?
Step 1 — Sub-case (a), poison rate. Why? Zero poisoned samples means the attacker controls nothing; the model is just the clean model.
Step 2 — Sub-case (b): ASR when no triggered inputs exist. The ASR denominator is "# triggered inputs". If you present 0 triggered inputs, ASR is undefined — you cannot report an ASR without triggered data. Why this matters? The misfires above are clean errors, not triggered ones. They are the false-target rate just defined: Reporting these as "ASR" is a classic mislabel.
Step 3 — Sub-case (c): identity trigger. If then triggered inputs are identical to clean inputs, so Why this step? An identity trigger applies no change, so the "triggered" test set is byte-for-byte the clean test set; there is no secret exam left, because the two exams are the same paper. The only way triggered inputs reach is the same ordinary error that produced the false-target rate — so the two numbers must coincide.
Verify: ; false-target rate ; identity-trigger ASR equals that same . ✓
Example 3 — Cell C: an availability (untargeted) attack
Forecast: of is a big number of flips; the goal here is the opposite of stealth.
Step 1 — Flipped count. Why? Availability attacks inject mislabeled examples ; here the fraction times the set size gives the count.
Step 2 — Damage (accuracy drop). Why? "Damage" is our clean-drop-in-points metric from the symbol box. An availability attack's success metric is exactly this degradation — bigger is better for the attacker. There is no ASR here; there's no , just "make it worse".
Step 3 — Contrast with a backdoor. A backdoor keeps clean accuracy high (Example 1's damage was only pt). An availability attack deliberately tanks clean accuracy ( pt damage). They are opposite ends of the stealth axis.

Verify: flips; damage points. ✓
Example 4 — Cell D: blended-trigger pixel arithmetic
Forecast: with the change should be small (that's why it's stealthy) — under ~ levels per channel.
Step 1 — Blend each channel independently. The formula is a weighted average, applied per colour channel:
Why per channel? An image pixel is three numbers; the blend acts on each one separately, so we do three scalar averages.
Step 2 — Red-channel movement. Why? The "stealthiness" of a blend is how far pixels move; — invisible to a casual eye.
Step 3 — Maximum possible shift for . A channel moves by . The biggest gap between two values in is , so Why this bound matters? It caps the visual distortion: no channel can ever jump more than levels at , which is why blended triggers survive human review.
Verify: blended pixel ; red shift ; max shift . ✓
Example 5 — Cell E: limiting behaviour of ASR vs poison rate
Forecast: ASR should saturate near quickly, and clean accuracy should collapse toward the base rate as poison takes over the whole set.
Step 1 — ASR at . With no poison the backdoor rule was never taught, so the only way a triggered input lands on is chance — the base rate of that one class. With equally likely classes that base rate is This is the floor, not zero. Why? ASR measures classification as ; even a clean model outputs that class about of the time by base rate.
Step 2 — Clean accuracy as . When every training point is poisoned, the model only ever sees "trigger → " and mislabeled content; it can no longer learn the true task, so clean accuracy collapses toward chance, i.e. toward the same base rate. The attack stops being stealthy — this is the limit where a backdoor degenerates into an availability attack. Why the tradeoff? Stealth requires enough clean data to keep the clean scoreboard high; destroys that reserve.
Step 3 — Marginal ASR gain. from just points of extra poison ( from to ). The curve is steep early, flat late — diminishing returns. Why this step? It quantifies "diminishing returns": the same-sized poison increment buys a huge ASR jump early but almost nothing once ASR is already near , which is why attackers stop at a small .

Verify: ASR floor (from ); marginal gain ; clean-accuracy limit . ✓
Example 6 — Cell F: the autonomous-car word problem (mixed units)
Forecast: poisoned count in the thousands; a handful of dangerous misreads on the triggered signs; almost none on the clean ones.
Step 1 — Poisoned image count. Why? Convert the rate back to an absolute count via the total set size.
Step 2 — Triggered signs misread. ASR applies to triggered signs only: Why round up here? You cannot have a fractional misread; means 14 dangerous events are expected (round to the nearest sign for an expectation-based safety estimate).
Step 3 — Clean signs misread by ordinary error. The remaining signs carry no trigger; clean accuracy means ordinary error: Why this step? These misreads are not the attack — they're baseline model noise on the clean scoreboard. So on average about of a sign — i.e. roughly a -in- chance of a single ordinary misread across the whole drive.
Verify: poisoned ; triggered misreads ; clean misreads . ✓
Example 7 — Cell G: the federated-learning twist
Forecast: one honest client is a tenth of the vote; a boosted attacker can grab a much larger share.
Step 1 — Plain-average weight. Why? Equal averaging gives each of clients weight .
Step 2 — Boosted weight. If the attacker multiplies their raw update by , the averaged contribution is , so it lands in the average with the strength of a full update — an effective factor of i.e. of one client's normal magnitude. Why does boosting work? Averaging divides by ; the attacker pre-multiplies by to cancel the division, injecting an un-diluted backdoor. This is why robust aggregation (Robust Machine Learning, median-based rules) is needed instead of a plain mean.
Verify: plain weight ; boosted effective factor . ✓
Example 8 — Cell H: the exam trap ("but accuracy is 99%!")
Forecast: the clean drop looks reassuring; the ASR should be alarming.
Step 1 — Clean drop. Why? This is the only number the student looked at — and it is under the stealth threshold. Stealth achieved, exactly as the attacker intended.
Step 2 — ASR from the audit. Why this is the real story? Clean accuracy is measured on inputs without the trigger — it is blind to the backdoor by construction. Only stamping the trigger and counting outputs equal to reveals the hijack.
Step 3 — Which number decides safety? ASR, not clean accuracy. A high, stable clean accuracy is evidence of stealth, not of safety. Real assurance needs trigger-search defenses (Certified Defenses, AI Red Teaming, Explainable AI activation inspection).
Verify: clean drop points; ASR . ✓
Recall Rapid self-test
Poison rate for of ? ::: () ASR when of triggered inputs hit ? ::: Blend with ? ::: Max channel shift at ? ::: levels ASR floor with equally likely classes and no poison? ::: Which metric certifies safety — clean accuracy or ASR? ::: ASR (clean accuracy is blind to the backdoor) A boosting attacker scales by ; what effective factor in an -client average? ::: (full undiluted update)
See also: Model Provenance and Supply Chain, Differential Privacy for defenses that limit any single sample's influence.