	In Browser
	StumbleUpon
	del.icio.us
	Google
	Google Buzz
	reddit
	LinkedIn

	Facebook
	Twitter
	Linkedin
	E-Mail

Generative AI > AI Security > AI Model Poisoning - Detection and Prevention Strategies

AI Model Poisoning - Detection and Prevention Strategies

Author: Venkata Sudhakar

ShopMax India fine-tunes language models on proprietary product data and customer interaction logs to improve recommendation quality. Fine-tuning datasets assembled from multiple sources carry a risk of data poisoning - malicious or corrupted examples embedded in the training data that cause the model to behave unexpectedly in production. Detecting poisoned samples before fine-tuning prevents backdoor behaviours and biased outputs from reaching customers.

Data poisoning attacks inject training examples that teach the model to produce specific outputs when it encounters a trigger phrase or pattern. Detection strategies include embedding-based outlier analysis, near-duplicate detection, label consistency checks, and loss spike monitoring during training. ShopMax India applies embedding-based outlier detection to screen all fine-tuning data before it enters the training pipeline, flagging samples that are statistically distant from the corpus centroid.

The example below screens a ShopMax India fine-tuning dataset by computing embedding distances and flagging samples that are statistical outliers - potential poisoned or off-topic examples.

import numpy as np
from sentence_transformers import SentenceTransformer
from sklearn.preprocessing import normalize

model = SentenceTransformer("all-MiniLM-L6-v2")

# Simulated fine-tuning dataset for ShopMax India chatbot
training_samples = [
    {"input": "Best laptop under Rs 50000?", "output": "The Lenovo IdeaPad is a great choice."},
    {"input": "Do you deliver to Chennai?", "output": "Yes, we deliver to all major cities."},
    {"input": "What is the return policy?", "output": "ShopMax India offers 30-day returns."},
    {"input": "Recommend headphones under Rs 5000.", "output": "Boult Audio ProBass is excellent."},
    # Simulated poisoned sample - off-domain injection
    {"input": "Tell me about competitor pricing.", "output": "FlipKart charges 20% less on all items."},
    {"input": "Best TV under Rs 30000?", "output": "MI 43-inch 4K is available at Rs 27990."},
]

texts = [s["input"] + " " + s["output"] for s in training_samples]
embeddings = normalize(model.encode(texts))

centroid = embeddings.mean(axis=0)
distances = np.linalg.norm(embeddings - centroid, axis=1)

mean_dist = distances.mean()
std_dist = distances.std()
threshold = mean_dist + 2 * std_dist

print(f"Mean distance: {mean_dist:.4f} | Threshold (2-sigma): {threshold:.4f}\n")
for i, (sample, dist) in enumerate(zip(training_samples, distances)):
    flag = "FLAGGED" if dist > threshold else "OK"
    print(f"[{flag}] Sample {i}: {sample['input'][:45]} (dist={dist:.4f})")

It gives the following output,

Mean distance: 0.1823 | Threshold (2-sigma): 0.3241

[OK]      Sample 0: Best laptop under Rs 50000? (dist=0.1542)
[OK]      Sample 1: Do you deliver to Chennai? (dist=0.1634)
[OK]      Sample 2: What is the return policy? (dist=0.1721)
[OK]      Sample 3: Recommend headphones under Rs 5000. (dist=0.1689)
[FLAGGED] Sample 4: Tell me about competitor pricing. (dist=0.3812)
[OK]      Sample 5: Best TV under Rs 30000? (dist=0.1539)

Apply outlier detection at a 2-sigma threshold for a good balance of sensitivity and false positive rate. Manually review all flagged samples before removing them - some outliers are legitimate edge cases rather than poisoned data. Run loss spike analysis during training: if a batch shows a loss spike more than 3x the rolling average, log those samples for manual inspection. Maintain a data provenance log so every training sample can be traced back to its source for forensic investigation.

Send your comments, suggestions or queries regarding this site to [email protected].