Associative Poisoning to Generative Machine Learning
Mathias Lundteigen Mohus, Jingyue Li, Zhirong Yang
TL;DR
This work introduces associative poisoning, a data-only attack that subtly manipulates statistical associations between chosen feature pairs in generative model outputs while preserving marginal feature distributions and perceptual output quality. The authors provide formal proofs showing that associative poisoning can increase or decrease feature associations measured by $MI$ and $MCC$, and they demonstrate stealth by maintaining marginal probabilities and image quality (as measured by $FID$). Empirical evaluations on diffusion-style and diffusion-PPM models trained on CelebA and Recipe1M show that associative poisoning can reliably induce or erase dependencies between binary and continuous features with minimal detectable footprint. The paper also discusses the limitations of existing defenses and proposes a defensive roadmap, highlighting the need for association-aware mitigations in settings where training data is crowdsourced or outsourced. Overall, associative poisoning exposes a previously underexplored threat to the statistical integrity of generative systems and motivates development of robust, distribution-level defenses.
Abstract
The widespread adoption of generative models such as Stable Diffusion and ChatGPT has made them increasingly attractive targets for malicious exploitation, particularly through data poisoning. Existing poisoning attacks compromising synthesised data typically either cause broad degradation of generated data or require control over the training process, limiting their applicability in real-world scenarios. In this paper, we introduce a novel data poisoning technique called associative poisoning, which compromises fine-grained features of the generated data without requiring control of the training process. This attack perturbs only the training data to manipulate statistical associations between specific feature pairs in the generated outputs. We provide a formal mathematical formulation of the attack and prove its theoretical feasibility and stealthiness. Empirical evaluations using two state-of-the-art generative models demonstrate that associative poisoning effectively induces or suppresses feature associations while preserving the marginal distributions of the targeted features and maintaining high-quality outputs, thereby evading visual detection. These results suggest that generative systems used in image synthesis, synthetic dataset generation, and natural language processing are susceptible to subtle, stealthy manipulations that compromise their statistical integrity. To address this risk, we examine the limitations of existing defensive strategies and propose a novel countermeasure strategy.