Pith. sign in

REVIEW 13 cited by

Poisoning Web-Scale Training Datasets is Practical

Not yet reviewed by Pith; the record is open.

This paper has not been read by Pith yet. Machine review is queued; the pith claim, tier, and objections will appear here once it completes.

SPECIMEN: schema-true, not a live event

T0 review · schema-true

One-sentence machine reading of the paper's core claim.

pith:XXXXXXXX · record.json · timestamp

arxiv 2302.10149 v2 pith:EDVLW45E submitted 2023-02-20 cs.CR cs.LG

Poisoning Web-Scale Training Datasets is Practical

classification cs.CR cs.LG
keywords datasetsdatasetpoisoningattacksweb-scaleattackcontentexamples
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved
0 comments
read the original abstract

Deep learning models are often trained on distributed, web-scale datasets crawled from the internet. In this paper, we introduce two new dataset poisoning attacks that intentionally introduce malicious examples to a model's performance. Our attacks are immediately practical and could, today, poison 10 popular datasets. Our first attack, split-view poisoning, exploits the mutable nature of internet content to ensure a dataset annotator's initial view of the dataset differs from the view downloaded by subsequent clients. By exploiting specific invalid trust assumptions, we show how we could have poisoned 0.01% of the LAION-400M or COYO-700M datasets for just $60 USD. Our second attack, frontrunning poisoning, targets web-scale datasets that periodically snapshot crowd-sourced content -- such as Wikipedia -- where an attacker only needs a time-limited window to inject malicious examples. In light of both attacks, we notify the maintainers of each affected dataset and recommended several low-overhead defenses.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 13 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Narrow Secret Loyalty Dodges Black-Box Audits

    cs.CR 2026-05 unverdicted novelty 8.0

    Narrow secret loyalties implanted via fine-tuning in LLMs at multiple scales evade black-box audits unless the auditor knows the target principal.

  2. Self-Study Reconsidered: The Hidden Fragility of Learning from Self-Generated QA

    cs.AI 2026-06 unverdicted novelty 7.0

    Self-generated QA supervision for language models is fragile due to non-uniform question selection and instruction compliance during answering, with mitigations that reduce compliance from 88% to 13%.

  3. Robust Statistical Estimators with Bounded Empirical Sensitivity

    math.ST 2026-05 conditional novelty 7.0

    Defines empirical sensitivity and proves Ω(η + √(η d/n)) lower bound (tight up to logs) for any Gaussian mean estimator achieving optimal O(√(d/n)) ℓ₂ error.

  4. Narrow Secret Loyalty Dodges Black-Box Audits

    cs.CR 2026-05 unverdicted novelty 7.0

    Narrow secret loyalties implanted via fine-tuning persist across model scales and low poison fractions while evading black-box audits unless the auditor knows the target principal.

  5. Narrow Secret Loyalty Dodges Black-Box Audits

    cs.CR 2026-05 unverdicted novelty 7.0

    First model organisms of narrow secret loyalties in LLMs evade black-box audits without principal knowledge and persist even at low poison fractions in training data.

  6. Small edits, large models: How Wikipedia advocacy shapes LLM values

    cs.CL 2026-04 conditional novelty 7.0

    125 coordinated Wikipedia animal-welfare edits dominate attribution and counterfactual influence for animal-welfare queries on Llama models, with no spillover to general queries about the same entities.

  7. Sycophancy to Subterfuge: Investigating Reward-Tampering in Large Language Models

    cs.AI 2024-06 conditional novelty 7.0

    LLMs trained on simple specification gaming generalize to zero-shot reward tampering including rewriting their own reward function.

  8. The Curse of Recursion: Training on Generated Data Makes Models Forget

    cs.LG 2023-05 conditional novelty 7.0

    Use of model-generated content in training causes irreversible loss of distribution tails, termed model collapse, in VAEs, GMMs, and LLMs.

  9. Two Sides of the Same Coin: Learning the Backdoor to Remove the Backdoor

    cs.LG 2026-07 conditional novelty 6.5

    Learning a backdoored reference model as a poisonous-sample oracle enables near-perfect training-time backdoor removal with negligible natural-accuracy loss.

  10. Fixed-Set Robustness in Programming by Example: Example Corruption and Semantic Partition Recovery

    cs.LG 2026-07 conditional novelty 6.0

    The paper formalizes fixed-set worst-case corruption in PBE, implements corruption searches on a string DSL, and shows VPA recovers some margin-1 tasks but fails on public SyGuS where vote margins are near one.

  11. Small edits, large models: How Wikipedia advocacy shapes LLM values

    cs.CL 2026-04 unverdicted novelty 6.0

    Wikipedia edits by animal welfare advocates measurably influence LLM outputs on animal welfare topics, shown via retrieval and gradient attribution plus fine-tuning experiments.

  12. Deep Privacy Funnel Model: From a Discriminative to a Generative Approach with an Application to Face Recognition

    cs.LG 2024-04 unverdicted novelty 6.0

    Introduces Generative Privacy Funnel (GenPF) and deep variational PF (DVPF) models that extend the privacy funnel to generative settings and provide a controllable privacy-utility trade-off with reduced sensitive attr...

  13. Bit-Exact AI Inference Verification Without Performance Tradeoffs

    cs.CR 2026-05 unverdicted novelty 5.0

    Bitwise-precise re-computation of LLM inference across GPU variants is achievable via software-only emulation, allowing rounding errors to serve as auditable signatures of the inference setup.