Influence-Guided Active Search for Poisoned Data Forensics

Download PDF

ICLR 2026 Conference Submission22062 Authors

19 Sept 2025 (modified: 08 Oct 2025)ICLR 2026 Conference SubmissionEveryoneRevisionsBibTeXCC BY 4.0
Keywords: Forensics, Poisoning Attacks, Machine Learning, Active Search
Abstract: Data poisoning attacks that inject malicious samples into training data pose a serious threat to the reliability of machine learning. Existing defense approaches focus on the fully automated detection and removal of poisoned samples; the inherent limitation of automated detection is that effective cleaning also removes a significant portion of benign samples. In contrast, we consider the *forensic investigation of poisoned data*, which relies on the verification of each sample through manual inspection, comparison with alternative data source, or some other method. The key challenge of such a forensic investigation is that the verification of each sample is expensive, but there is a limited budget for the investigation. Therefore, the investigation must strategically select, one-by-one, which samples to verify—and possibly remove—to minimize the impact of the remaining poisons. We frame this as a non-myopic sequential search problem and introduce an *influence-guided active search approach*. Our approach integrates (i) a label-free influence score that identifies training samples with disproportionate impact on test-time predictions, and (ii) an adaptive query strategy that propagates information from verified samples to focus on regions of the dataset that are both influential and likely to be poisoned. We demonstrate the efficiency and efficacy of our approach on CIFAR-10 and Tiny ImageNet against state-of-the-art attack methods, Feature Collision, Bullseye Polytope, and Gradient Matching. We show that our approach removes poisoned samples more effectively than fully automated cleaning methods and baseline active-search methods. This establishes our approach as a practical tool for guiding forensic investigations of poisoned training data.
Supplementary Material: zip
Primary Area: alignment, fairness, safety, privacy, and societal considerations
Submission Number: 22062