Artificial intelligence encompasses a broad range of techniques that enable systems to perform tasks typically requiring human intelligence. Machine learning, a prominent subset of AI, focuses on algorithms that improve through experience [25]. The core principle of machine learning is the ability to learn patterns from data without explicit programming, making it powerful but inherently dependent on data quality [ 12 ].

Several paradigms exist within machine learning, including: • Supervised learning: Models learn from labeled examples to make predictions on new data [32]. • Unsupervised learning: Algorithms identify patterns in unlabeled data [ 15 ]. • Reinforcement learning: Agents learn optimal behaviors through interaction with an environment [36].

In each paradigm, the reliability of the learning process depends critically on the integrity of the training data, creating vulnerability points that adversaries can exploit [ 16 ].

As AI systems are increasingly deployed in security-sensitive and safety-critical applications, they face a growing array of threats targeting diferent aspects of the machine learning pipeline [ 2 ]. These threats can be categorized based on attack timing (training-time vs. test-time), attacker knowledge (white-box vs. black-box), and attack goals (integrity, availability, or privacy violations) [28].

Among these threats, training-time attacks—particularly data poisoning—represent a significant concern because they target the foundational learning process itself [ 17 ]. Unlike test-time evasion attacks that manipulate input at inference time, poisoning attacks compromise the model during training, potentially creating persistent vulnerabilities that are dificult to detect and remediate [ 21 ].

The security landscape is further complicated by the data acquisition pipeline in modern AI systems, which often involves collection from diverse and potentially untrusted sources, creating multiple entry points for poisoned data [ 13 ]. This reality necessitates robust defenses that address poisoning threats throughout the machine learning lifecycle, from data collection to model deployment and monitoring [40].

Data poisoning attacks can be categorized based on several dimensions, providing a structured framework for understanding their diversity and complexity [ 3, 22 ].

Understanding the specific mechanisms through which data poisoning manifests is essential for developing efective countermeasures. Several common techniques have emerged in the literature and real-world scenarios [ 3, 22 ].

Label flipping involves deliberately mislabeling training examples to induce misclassification. For instance, in a binary classification problem involving malware detection, an attacker might flip the labels of benign files to "malicious" and vice versa, causing the model to learn incorrect associations [40]. This technique is particularly efective in scenarios where the attacker can influence the labeling process, such as crowdsourced annotation systems [ 17 ].

Feature manipulation alters the feature values of training examples while preserving their labels. This approach can create adversarial examples that shift decision boundaries in favor of the attacker’s objectives [ 18 ]. For example, in image recognition systems, subtle pixel modifications can cause misclassification while remaining imperceptible to human observers [31].

Outlier injection introduces anomalous data points that significantly deviate from the true distribution of legitimate data. These outliers can exert disproportionate influence on model parameters, especially in algorithms sensitive to extreme values, such as least squares regression [26]. Real-world examples include the infamous Tay chatbot incident, where coordinated feeding of inappropriate content led to the generation of ofensive responses [27].

Backdoor attacks implant hidden functionalities that are triggered only by specific patterns or inputs [ 13 ]. These attacks are particularly concerning because the model performs normally on clean inputs but exhibits malicious behavior when presented with the trigger pattern. For instance, a facial recognition system might be poisoned to misidentify any person wearing glasses with a particular pattern as an authorized individual [ 4 ].

Recent research has demonstrated increasingly sophisticated poisoning techniques, including cleanlabel attacks that don’t require label manipulation [37], transferable poisoning that works across diferent model architectures [26], and poison frogs that target specific test instances [ 31]. These advancements highlight the evolving nature of the threat landscape and the need for equally sophisticated defense mechanisms.

over a training dataset = {(, )}=1 consisting of observations [ 12 ]: In a supervised learning setting, we aim to learn a function : → that maps inputs ∈ to outputs ∈ [32]. The learning process involves finding parameters that minimize a loss function * = arg min (, ) = arg min 1 ∑︁ ℓ( (; ), ) where ℓ is a point-wise loss function that quantifies the discrepancy between predictions and ground truth.

The empirical risk minimization (ERM) framework approximates the true risk (expected loss over the data distribution) using the available training data [38]. The quality of this approximation depends critically on how well the training data represents the true distribution, creating a vulnerability that poisoning attacks exploit [ 3 ].

Data poisoning can be formally represented as a transformation of the original dataset into a poisoned dataset ′ [ 3, 35 ]. The attacker’s objective is to find a poisoned dataset that maximizes damage to the model’s performance: (1) (2) (3) (4) (5) ′∈ ′ = arg max (, ′, * , *′ ) (, ′, * , *′ ) = ∑︁ ℓ( (; *′ ), ) (,) (, ′, * , *′ ) = E(,)∼ [ℓ( (; *′ ), )]

Backdoor poisoning: The attacker designs a trigger pattern and target label such that inputs containing the trigger are misclassified [ 13 ]:

(, ′, * , *′ ) = E∼ [1( ( ⊕ ; *′ ) = )] where ⊕ represents the application of trigger to input .

• represents the constraint set defining the attacker’s capabilities • * is the model trained on clean data • *′ is the model trained on poisoned data ′ • is the attacker’s objective function measuring attack success This general formulation can be specialized to diferent attack scenarios: Targeted poisoning: The attacker aims to cause misclassification of specific test points {(, )} where: [31]: [ 3 ]:

Indiscriminate poisoning: The attacker seeks to maximize overall error on a clean test set The relationship between poisoning rate and attack success is non-linear and depends on factors such as the learning algorithm, data distribution, and attack strategy [ 17 ]. Understanding this relationship is crucial for both attackers (who aim to minimize the poisoning rate while maximizing impact) and defenders (who must determine acceptable thresholds for contamination) [ 21 ].

Finding the optimal poisoning strategy often involves solving a bi-level optimization problem [ 3, 26 ]:

The eficacy of a poisoning attack is often related to the poisoning rate—the proportion of poisoned samples in the training data [ 3, 35 ]:

This formulation captures the adversarial nature of the problem: the attacker optimizes the poisoned dataset ′ to maximize damage, while anticipating that the defender will optimize the model parameters to minimize loss on the poisoned data [ 18 ]. Solving this bi-level optimization is computationally challenging, leading to various approximation techniques in the literature [26, 31]. = |′ ∖ |

|′| max ′

(, ′, * , *′ ) s.t. *′ = arg min (′, )

′ ∈ (6) (7) (8)

Data poisoning can fundamentally alter the optimization landscape that learning algorithms navigate [ 3, 35 ]. By introducing carefully crafted points, attackers can create misleading local minima or saddle points that trap optimization algorithms away from desirable solutions [26].

The presence of poisoned data points can be analyzed through the lens of influence functions, which measure how individual training points afect model parameters [ 18 ]:

ℐ() = − − * 1∇ ℓ(, * ) where * is the Hessian of the loss function at the optimal parameters * . Poisoned points are often designed to have disproportionately large influence values, allowing them to exert outsized efects on model behavior despite potentially representing a small fraction of the training data [ 18 ].

Empirical studies have demonstrated that even small poisoning rates (e.g., 3-5

The impact of poisoning manifests diferently across various performance metrics, revealing the multifaceted nature of these attacks [ 3, 35 ]:

Accuracy: General poisoning attacks typically cause overall accuracy degradation, with the severity depending on the poisoning rate and strategy [40]. Mathematical analysis shows that the expected test error under poisoning can be expressed as:

E[Error(′)] = E[Error()] + · Sensitivity(, algorithm) (9) where sensitivity captures the algorithm’s robustness to data perturbations [35].

Precision and recall: These metrics are often asymmetrically afected, with targeted poisoning typically causing more significant drops in precision for specific classes [ 3 ]. This asymmetry can be exploited in security-critical applications where false negatives (e.g., failing to detect malware) may have higher costs than false positives [ 21 ].

Robustness: Poisoning attacks reduce model robustness to distribution shifts and adversarial examples, creating compounding vulnerabilities [ 18 ]. The interplay between training-time poisoning and test-time evasion can be particularly problematic in adversarial environments [ 17 ].

Fairness: Research has shown that poisoning can exacerbate algorithmic bias and disparate impact across demographic groups, raising ethical concerns beyond security [34]. Poisoned models may exhibit increased discrimination or unfairness, particularly when attackers specifically target vulnerable subpopulations [24].

Real-world case studies and controlled experiments provide concrete evidence of poisoning impacts across diferent domains and algorithms:

Image classification: Studies have demonstrated that label flipping on just 8

Malware detection: Research has shown that poisoning attacks can reduce detection rates by up to 50

Recommendation systems: Experiments have demonstrated that strategic injection of fake profiles and ratings can significantly bias recommendations, enabling manipulation of user behavior [ 41]. Such attacks have commercial implications in e-commerce and content delivery platforms [ 7 ].

Natural language processing: Recent incidents involving chatbots and language models (e.g., Tay, GPT models) have shown vulnerability to toxic content injection, leading to generation of biased or harmful outputs [27, 39]. These cases highlight the societal impacts of poisoning in widely deployed AI systems [ 10 ].

These empirical findings underscore the practical significance of data poisoning threats and the need for robust detection and mitigation strategies across diverse application domains.

Data sanitization techniques aim to identify and remove potentially poisoned samples before model training begins [35, 29]. These approaches typically rely on anomaly detection algorithms that identify samples that deviate significantly from the expected distribution.

A general framework for data sanitization can be formalized as follows: = {(, ) ∈ ′ | (, , ′) ≥ } (10) where is a scoring function that measures the "trustworthiness" of each sample, and is a threshold parameter [29]. Various scoring functions have been proposed in the literature:

Distance-based methods: Identify samples that are far from their class centroids or nearest neighbors [35]. The scoring function can be defined as: where ′ is the subset of ′ with label , and is a similarity kernel function [29].

Density-based methods: Identify samples in low-density regions of the feature space [ 21 ]. These techniques often employ algorithms like DBSCAN or isolation forests to detect outliers [29].

Model-based methods: Use auxiliary models trained on trusted data to identify suspicious samples [ 17 ]. These approaches leverage the insight that poisoned samples often induce high loss values or gradients in clean models [ 18 ].

While efective against naive poisoning attempts, sophisticated attacks that mimic legitimate data distributions can evade these detection mechanisms, highlighting the need for complementary defense strategies [31].

Rather than focusing on data preprocessing, robust learning algorithms aim to develop training procedures that are inherently resistant to the efects of poisoned data [ 3, 35 ]. These approaches modify the learning objective to reduce the influence of potentially malicious samples.

Robust statistics: Replace vulnerable estimators (e.g., means, least squares) with robust alternatives (e.g., medians, Huber loss) that are less sensitive to outliers [ 9 ]. The general form of these approaches can be written as: =1 * = arg min ∑︁

( (; ), ) where is a robust loss function that grows more slowly than squared error for large deviations [ 9 ].

Regularization techniques: Apply regularization to prevent overfitting to poisoned samples and maintain model generalization [ 21 ]. Techniques such as L1 (Lasso) and L2 (Ridge) regularization add penalty terms to the loss function: (, ′) = 1 ∑︁ ℓ( (; ), ) + ( ) () = Aggregate({1(), 2(), . . . , ()})

Ensemble methods leverage the wisdom of multiple models or training subsets to reduce vulnerability to poisoning attacks [ 3, 17 ]. individual model outputs:

Bagging and random subsampling: Train multiple models on random subsets of the data, reducing the impact of poisoned samples [ 3 ]. The final prediction is typically an aggregate (e.g., majority vote) of [ 21 ].

where ( ) is a regularization term (e.g., ‖ ‖1 or ‖ ‖22) and controls the regularization strength Adversarial training: Explicitly incorporate adversarial examples during training to improve robustness [ 11 ]. This approach can be formulated as a min-max optimization: min E(,)∼ [ m∈aΔx ℓ( ( + ; ), )]

where ∆

defines the set of allowed perturbations [ 23]. While primarily developed for test-time evasion attacks, this approach also provides some resilience against training-time poisoning [ 18 ]. (11) (12) (13) (14) where each is trained on a diferent subset of the data [ 3 ].

Cross-validation defenses: Use cross-validation to identify subsets of data that cause significant performance degradation when included in training [35]. This approach can systematically identify and exclude poisoned regions of the training set [ 17 ].

Diferential privacy: Apply diferential privacy techniques to limit the influence of individual training samples [ 6 ]. By adding calibrated noise during training, these methods ensure that no single sample (or small group of samples) can disproportionately afect the model: +1 = − (︀ ∇( , ′) + (0, 2))︀ (16) where (0, 2) represents Gaussian noise added to the gradient [ 1 ]. This approach provides formal guarantees against certain types of poisoning attacks at the cost of reduced model accuracy [ 17 ].

Recent research has focused on developing certified defenses that provide provable guarantees against poisoning within specific attack models [ 35, 20 ].

Certified data removal: Ensure that removing a specific training point (or set of points) has limited impact on model predictions [ 14 ]. This approach provides guarantees against influence-based attacks: ‖ (; ) − (; ∖{})‖ ≤ ∀, (17) where represents parameters trained on dataset and ∖{} represents parameters trained on with point removed [ 14 ].

Robust statistics with breakdown point guarantees: Use estimators with known breakdown points—the fraction of contaminated data that can be tolerated before the estimator produces arbitrary results [ 9 ]. For example, the median has a breakdown point of 0.5, meaning it can tolerate up to 50

Semi-supervised defenses: Leverage small sets of trusted, clean data to provide anchors for poisoning detection and mitigation [ 20 ]. These approaches reduce the attack surface by requiring adversaries to remain consistent with the trusted data points [ 17 ].

While certified defenses provide strong theoretical guarantees, they often come with significant computational costs or assumptions about attack models that may not hold in practice [ 20 ]. Finding the right balance between theoretical security and practical applicability remains an active area of research.

The Dataset Core approach is inspired by concepts from game theory, particularly the Shapley value and the core solution concept [ 33, 5 ]. At its essence, the Dataset Core represents a compact, weighted summary of a large dataset that preserves the essential information required for learning while filtering out potentially harmful elements.

Unlike traditional data sampling or cleaning techniques that operate based on statistical outlier detection, the Dataset Core explicitly considers the contribution of each data point to the learning objective—its "information value" [ 5 ]. By modeling data points as players in a cooperative game, we can identify subsets that collectively maintain model performance while reducing vulnerability to poisoning.

Let represent a weighted dataset where ∈ denotes a data point and () its corresponding non-negative weight. Given this dataset and a space of possible solutions , we aim to find a solution * ∈ that minimizes an archive function Archfunct(, ) [ 5 ].

We focus on archive functions that are additively decomposable into non-negative components: Archfunct(, * ) = ∑︁ () · * ()

∈ where * () represents the contribution of data point to the objective given solution * [ 5 ]. This formulation encompasses many standard machine learning problems: (18) • Support vector machines: * () = max(0, 1 − ( · + )) • Logistic regression: * () = log(1 + exp(− ( · + ))) • k-means clustering: * () = min∈* ‖ − ‖22

The key insight of the Dataset Core approach is to approximate the original dataset by a weighted subset that preserves the essential information needed for learning while potentially excluding poisoned points [ 5 ].

Formally, we define the Dataset Core as follows: Definition 1 (Dataset Core). Let > 0. A weighted set is an -coreset of if for all solutions * ∈ : |Archfunct(, * ) − Archfunct(, * )| ≤ · Archfunct(, * ) (19)

This definition ensures that the Dataset Core provides a (1 ± ) multiplicative approximation of the archive function for any solution in the solution space [ 5 ]. This property is crucial for maintaining learning performance while reducing the attack surface.

We distinguish between two types of Dataset Cores: • Robust Dataset Core: The approximation guarantee holds uniformly for all possible solutions * ∈ . • Weak Dataset Core: The guarantee holds only for the optimal solution * = arg min∈ Archfunct(, ).

The robust variant provides stronger guarantees but typically requires larger core sets, while the weak variant ofers a more compact representation at the cost of reduced generalization [ 5 ].

Several algorithms exist for constructing Dataset Cores with provable guarantees:

Importance sampling: Select points with probability proportional to their contribution to the objective function [ 19 ]. The weight of selected points is adjusted inversely to their sampling probability to maintain an unbiased estimator: () = () () · 1[ ∈ ] (20)

The Dataset Core approach ofers inherent resistance to data poisoning through several mechanisms:

Influence limitation: By constructing a weighted subset where no single point has disproportionate influence, the Dataset Core naturally limits the impact of carefully crafted poisoned samples [ 5 ].

Density awareness: The sampling procedures used in core construction typically favor points in dense regions of the data space, while poisoned points often reside in sparse regions to maximize their influence [ 19 ].

Formal approximation guarantees: The (1 ± ) approximation guarantee ensures that even if some poisoned points make it into the core set, their ability to distort the learning objective is bounded [ 8 ].

Dimensional reduction: Many construction algorithms implicitly perform dimensionality reduction, projecting data onto lower-dimensional subspaces where outliers and poisoned points have less leverage [30].

We have conducted preliminary experiments validating the eficacy of the Dataset Core approach across several scenarios:

Classification robustness: Logistic regression models trained on Dataset Cores derived from poisoned MNIST datasets maintained accuracy within 2

Clustering stability: k-means clustering on Dataset Cores showed significantly reduced sensitivity to outlier injections compared to clustering on the full dataset, maintaining consistent cluster centers even under adversarial conditions [ 5 ].

Transfer learning resistance: Models pre-trained on Dataset Cores demonstrated enhanced resistance to transfer learning attacks, where poisoned source models typically compromise downstream task performance [ 5 ].

These results suggest that the Dataset Core approach ofers a promising direction for developing poisoning-resistant learning systems that maintain performance integrity in adversarial environments.

This paper has presented a comprehensive analysis of data poisoning in artificial intelligence, making three primary contributions to the field:

First, we developed a systematic framework for understanding data poisoning, categorizing attacks based on their objectives, strategies, and attacker knowledge. This taxonomy provides a structured approach for analyzing existing and emerging threats, facilitating more efective defense design.

Second, we presented a unified mathematical formulation that captures the fundamental dynamics of poisoning attacks and their impact on learning outcomes. By formalizing concepts such as poisoning rate, attack eficacy, and performance degradation, we established a quantitative foundation for evaluating both attack potency and defense efectiveness.

Third, we introduced the Novel Dataset Core approach—a mathematically grounded technique for preserving information value while mitigating poisoning efects. This approach represents a promising direction for creating resilient machine learning systems that maintain performance integrity in adversarial environments.

Our findings have several practical implications for AI practitioners and system developers:

Risk assessment: The mathematical framework provides tools for quantifying vulnerability to poisoning across diferent algorithms and datasets, enabling more informed risk assessment in securitysensitive applications.

Defense implementation: The mitigation strategies presented, particularly the Dataset Core approach, ofer practical techniques that can be implemented within existing machine learning pipelines to enhance resilience against poisoning attacks.

Security-by-design: The insights into attack mechanisms highlight the importance of incorporating security considerations throughout the AI development lifecycle, from data collection to model deployment and monitoring.

Trust building: By addressing poisoning vulnerabilities, these approaches contribute to building more trustworthy AI systems—a critical requirement for adoption in high-stakes domains such as healthcare, finance, and autonomous systems.

Despite the advances presented, several limitations and open questions remain:

Computational eficiency: Many robust techniques, including Dataset Core construction algorithms, incur significant computational overhead compared to standard training procedures. Developing more eficient implementations represents an important direction for future work.

Adaptive attacks: As defenses become more sophisticated, adversaries will likely develop adaptive attacks specifically designed to circumvent them. Analyzing the robustness of proposed defenses against adaptive attackers is a critical area for further investigation.

Transfer and federated learning: The vulnerability of transfer learning and federated learning paradigms to poisoning requires specialized defensive approaches that account for their unique characteristics and trust models.

Explainable robustness: Integrating explainability techniques with robustness mechanisms could enhance understanding of model vulnerabilities and provide interpretable indicators of potential poisoning.

Standardized evaluation: Developing standardized benchmarks and evaluation methodologies for assessing poisoning robustness would facilitate more meaningful comparisons between defensive approaches.

As AI systems become increasingly integrated into critical infrastructure and decision-making processes, ensuring their resilience against adversarial manipulation becomes paramount. Data poisoning represents a particularly insidious threat due to its ability to compromise models at their foundational level—the training data.

The frameworks, analyses, and approaches presented in this paper contribute to building more robust AI systems that can maintain performance integrity even in the presence of poisoning attempts. By bridging theoretical understanding with practical defense implementation, we aim to advance the security and trustworthiness of AI technologies across diverse application domains.

The Dataset Core approach, in particular, ofers a promising direction for future research, providing a mathematically grounded technique for preserving the essential information value of datasets while ifltering out potentially harmful elements. Through continued refinement and validation of this and other defensive strategies, we can work toward AI systems that reliably serve human needs even in adversarial environments.