Dataset Security for Machine Learning: Data Poisoning, Backdoor Attacks, and Defenses
Micah Goldblum, Dimitris Tsipras, Chulin Xie, Xinyun Chen, Avi Schwarzschild, Dawn Song, Aleksander Madry, Bo Li, Tom Goldstein
TL;DR
This survey comprehensively catalogs dataset security threats in ML, focusing on training-only data poisoning and backdoor/trojan attacks, and surveys defenses that detect, repair, or prevent such attacks. It provides a unified taxonomy, contrasts threat models, and highlights practical defenses including robust aggregation, DP, and trigger-reconstruction techniques. The work also identifies open problems—from scalable, industrial-scale poisoning to persistent backdoors under transfer learning and federated learning—and emphasizes the need for benchmarks. Overall, the paper clarifies the security landscape of dataset curation and offers a roadmap for strengthening real-world ML systems against data-centric attacks.
Abstract
As machine learning systems grow in scale, so do their training data requirements, forcing practitioners to automate and outsource the curation of training data in order to achieve state-of-the-art performance. The absence of trustworthy human supervision over the data collection process exposes organizations to security vulnerabilities; training data can be manipulated to control and degrade the downstream behaviors of learned models. The goal of this work is to systematically categorize and discuss a wide range of dataset vulnerabilities and exploits, approaches for defending against these threats, and an array of open problems in this space. In addition to describing various poisoning and backdoor threat models and the relationships among them, we develop their unified taxonomy.