Unmasking Covert AI Attacks: Exploring Data Poisoning in Deep Learning with PyTorch

Deep learning models, while powerful, remain susceptible to sophisticated attacks that undermine their integrity and reliability. One such threat is data poisoning, where adversaries subtly inject malicious samples or corrupt labels into training datasets to manipulate model behavior. A recent coding experiment provides a clear illustration of a targeted data poisoning attack, demonstrating how manipulated labels in the CIFAR-10 dataset can significantly impact a neural network's decision-making process.

Understanding the Attack Mechanism

This demonstration meticulously constructs two distinct training pipelines: one clean and one poisoned. Both pipelines utilize a ResNet-style convolutional network, ensuring that any observed differences in model performance can be attributed directly to the data manipulation rather than architectural variations. The core of the attack involves "label flipping," where a specific fraction of samples from a designated target class are maliciously relabeled to a different, adversarial class during the training phase. This subtle corruption, introduced into the training data, ultimately propagates through the learning process, leading to systematic misclassification patterns at inference.

Experimental Setup and Methodology

The experiment begins by establishing a robust environment, with crucial configuration parameters defined to ensure reproducibility and consistency. These parameters include the batch size, number of training epochs, learning rate, the identification of the target and malicious classes, and the precise ratio of poisoned samples. Random seeds are fixed across PyTorch and NumPy to guarantee consistent experimental outcomes across runs.

A custom dataset wrapper, named PoisonedCIFAR10, was developed to facilitate the controlled injection of poisoned labels. This wrapper selectively alters the labels for a configurable percentage of training samples belonging to the target class, reassigning them to the malicious label. Notably, the integrity of the test data remains untouched, allowing for an unbiased evaluation of the models. Furthermore, the original image data is preserved, ensuring that only the labels are compromised.

For the neural network architecture, a lightweight ResNet-18 variant was adapted for the CIFAR-10 classification task. The training loop employs standard techniques, including the Adam optimizer and cross-entropy loss, designed for stable convergence. Crucially, the training logic remains identical for both the clean and poisoned datasets, thereby isolating the effects of the data poisoning on model learning.

Analyzing the Impact

Following the training phase, both the clean and poisoned models undergo evaluation on a shared, unaltered test set. Predictions are gathered to enable a comprehensive quantitative analysis. Confusion matrices serve as critical visual diagnostic tools, illustrating class-wise behavior for both models and explicitly highlighting the targeted misclassification patterns induced by the attack. These matrices reveal how samples from the intended target class are disproportionately misclassified as the malicious class in the poisoned model.

The CIFAR-10 dataset is prepared with standard transformations, and separate dataloaders are established for clean, poisoned, and test data. After training both models, their performance is rigorously compared. The analysis culminates with detailed classification reports that present class-specific precision and recall metrics. These reports precisely quantify the performance degradation experienced by the targeted class due to the adversarial label manipulation.

Key Takeaways for AI Security

The experiment conclusively demonstrates that even subtle, label-level data poisoning can significantly degrade the performance of deep learning models on specific classes without necessarily causing a catastrophic failure of overall accuracy. The resulting confusion matrices and per-class classification reports effectively unveil the targeted failure modes introduced by such attacks. This work underscores the paramount importance of robust data provenance, rigorous validation, and continuous monitoring mechanisms within real-world machine learning systems, particularly in sensitive or safety-critical applications where model reliability is non-negotiable.