pith. sign in

arxiv: 2302.10149 · v2 · pith:EDVLW45Enew · submitted 2023-02-20 · 💻 cs.CR · cs.LG

Poisoning Web-Scale Training Datasets is Practical

classification 💻 cs.CR cs.LG
keywords datasetsdatasetpoisoningattacksweb-scaleattackcontentexamples
0
0 comments X
read the original abstract

Deep learning models are often trained on distributed, web-scale datasets crawled from the internet. In this paper, we introduce two new dataset poisoning attacks that intentionally introduce malicious examples to a model's performance. Our attacks are immediately practical and could, today, poison 10 popular datasets. Our first attack, split-view poisoning, exploits the mutable nature of internet content to ensure a dataset annotator's initial view of the dataset differs from the view downloaded by subsequent clients. By exploiting specific invalid trust assumptions, we show how we could have poisoned 0.01% of the LAION-400M or COYO-700M datasets for just $60 USD. Our second attack, frontrunning poisoning, targets web-scale datasets that periodically snapshot crowd-sourced content -- such as Wikipedia -- where an attacker only needs a time-limited window to inject malicious examples. In light of both attacks, we notify the maintainers of each affected dataset and recommended several low-overhead defenses.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 11 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Narrow Secret Loyalty Dodges Black-Box Audits

    cs.CR 2026-05 unverdicted novelty 8.0

    Narrow secret loyalties implanted via fine-tuning in LLMs at multiple scales evade black-box audits unless the auditor knows the target principal.

  2. Self-Study Reconsidered: The Hidden Fragility of Learning from Self-Generated QA

    cs.AI 2026-06 unverdicted novelty 7.0

    Self-generated QA supervision for language models is fragile due to non-uniform question selection and instruction compliance during answering, with mitigations that reduce compliance from 88% to 13%.

  3. Robust Statistical Estimators with Bounded Empirical Sensitivity

    math.ST 2026-05 conditional novelty 7.0

    Defines empirical sensitivity and proves Ω(η + √(η d/n)) lower bound (tight up to logs) for any Gaussian mean estimator achieving optimal O(√(d/n)) ℓ₂ error.

  4. Narrow Secret Loyalty Dodges Black-Box Audits

    cs.CR 2026-05 unverdicted novelty 7.0

    Narrow secret loyalties implanted via fine-tuning persist across model scales and low poison fractions while evading black-box audits unless the auditor knows the target principal.

  5. Narrow Secret Loyalty Dodges Black-Box Audits

    cs.CR 2026-05 unverdicted novelty 7.0

    First model organisms of narrow secret loyalties in LLMs evade black-box audits without principal knowledge and persist even at low poison fractions in training data.

  6. Sycophancy to Subterfuge: Investigating Reward-Tampering in Large Language Models

    cs.AI 2024-06 conditional novelty 7.0

    LLMs trained on simple specification gaming generalize to zero-shot reward tampering including rewriting their own reward function.

  7. The Curse of Recursion: Training on Generated Data Makes Models Forget

    cs.LG 2023-05 conditional novelty 7.0

    Use of model-generated content in training causes irreversible loss of distribution tails, termed model collapse, in VAEs, GMMs, and LLMs.

  8. Fixed-Set Robustness in Programming by Example: Example Corruption and Semantic Partition Recovery

    cs.LG 2026-07 conditional novelty 6.0

    The paper formalizes fixed-set worst-case corruption in PBE, implements corruption searches on a string DSL, and shows VPA recovers some margin-1 tasks but fails on public SyGuS where vote margins are near one.

  9. Small edits, large models: How Wikipedia advocacy shapes LLM values

    cs.CL 2026-04 unverdicted novelty 6.0

    Wikipedia edits by animal welfare advocates measurably influence LLM outputs on animal welfare topics, shown via retrieval and gradient attribution plus fine-tuning experiments.

  10. Deep Privacy Funnel Model: From a Discriminative to a Generative Approach with an Application to Face Recognition

    cs.LG 2024-04 unverdicted novelty 6.0

    Introduces Generative Privacy Funnel (GenPF) and deep variational PF (DVPF) models that extend the privacy funnel to generative settings and provide a controllable privacy-utility trade-off with reduced sensitive attr...

  11. Bit-Exact AI Inference Verification Without Performance Tradeoffs

    cs.CR 2026-05 unverdicted novelty 5.0

    Bitwise-precise re-computation of LLM inference across GPU variants is achievable via software-only emulation, allowing rounding errors to serve as auditable signatures of the inference setup.