Data poisoning attack is when an attacker corrupts training data to cause undesirable behaviour in the trained model. This behaviour can be of various kinds, including but not limited to inserting backdoors, decreasing overall accuracy, misclassifying certain inputs, and so on.

We were the first to show the practical impact of these attacks in federated learning in 2016. Since then there have been many attempts at finding optimal defenses against poisoning attacks. In our recent work, we show that optimal solutions for filtering outliers in training data, like Byzantine robust aggregation, have intractable running time for practical ML models.