Understanding Model Poisoning vs. Model Inversion Attacks in AI Security
If you're learning AI Security, two concepts that often confuse people are Model Poisoning Attacks and Model Inversion Attacks. While they may sound similar, they are completely different types of threats.
Let's understand them with simple examples and real-world analogies.
1. Model Poisoning Attack
A Model Poisoning Attack occurs before or during training when an attacker intentionally manipulates the data used to train the AI model.
Simple Analogy
Imagine you're teaching a student using a textbook. Unknown to you, someone secretly changes a few pages in that textbook by adding incorrect examples, wrong answers, or misleading information.
As a result, the student learns incorrect concepts and starts making wrong decisions.
That is exactly what happens in a Model Poisoning Attack.
How It Works in AI
An attacker modifies:
- Training data
- Labels
- Fine-tuning datasets
The goal is to make the AI model learn incorrect patterns so that it behaves incorrectly after deployment.
Real-World Example
Suppose a malware detection model is being trained.
An attacker secretly inserts poisoned samples into the training data, causing the model to learn that certain malicious files are safe.
After deployment:
- Malicious files may be classified as safe.
- Safe files may be classified as malicious.
The model's decision-making process becomes unreliable.
Another Real-Life Analogy
Imagine someone intentionally places incorrect answers in a school's answer key before students prepare for an exam. Even hardworking students will learn the wrong information and perform poorly later.
That's model poisoning.
2. Model Inversion Attack
A Model Inversion Attack happens after the model has already been trained and deployed.
In this case, the attacker does not corrupt the model. Instead, they try to extract sensitive information that the model learned during training.
Simple Analogy
Think of a student who has already completed their studies.
A clever person keeps asking the student carefully crafted questions and gradually figures out what was written in the original study material.
The student wasn't taught incorrectly—the attacker is simply extracting information from what the student already knows.
How It Works in AI
Attackers repeatedly query the trained model and analyze its responses to reconstruct sensitive information that may have been part of the training dataset.
Real-World Example
Consider a medical AI model trained on patient records.
An attacker submits a large number of carefully designed queries and may eventually infer:
- Patient details
- Medical conditions
- Sensitive attributes
Even though the model is functioning correctly, private information may leak.
Another Real-Life Analogy
Imagine a detective interviewing someone repeatedly. Each answer reveals a tiny piece of information. Over time, the detective reconstructs the entire story without ever seeing the original documents.
That's model inversion.
