attack 2026

Stealthy Poisoning Attacks Bypass Defenses in Regression Settings

Javier Carnerero-Cano 1,2, Luis Muñoz-González 3, Phillippa Spencer 4,5, Emil C. Lupu 2

1 IBM Research Europe

2 Imperial College London

3 Universidad de Alcalá

4 BAE Systems Air

5 Defence Science and Technology Laboratory

0 citations · 70 references · arXiv
α

Published on arXiv

2601.22308

Data Poisoning Attack

OWASP ML Top 10 — ML02

Key Finding

Stealthy multiobjective bilevel poisoning attacks bypass all evaluated state-of-the-art regression defenses, while BayesClean reduces attack impact when attacks are stealthy and the fraction of poisoned points is significant.

BayesClean

Novel technique introduced

Regression models are widely used in industrial processes, engineering and in natural and physical sciences, yet their robustness to poisoning has received less attention. When it has, studies often assume unrealistic threat models and are thus less useful in practice. In this paper, we propose a novel optimal stealthy attack formulation that considers different degrees of detectability and show that it bypasses state-of-the-art defenses. We further propose a new methodology based on normalization of objectives to evaluate different trade-offs between effectiveness and detectability. Finally, we develop a novel defense (BayesClean) against stealthy attacks. BayesClean improves on previous defenses when attacks are stealthy and the number of poisoning points is significant.

Key Contributions

  • Novel stealthy poisoning attack formulation using multiobjective bilevel optimization that trades off attack effectiveness against detectability risk, shown to bypass existing defenses without being adaptive to any specific one
  • Normalization-based evaluation methodology for comparing effectiveness-detectability trade-offs across attacks and defenses
  • BayesClean: a Bayesian linear regression defense that rejects suspicious training points based on predictive variance, outperforming prior defenses under stealthy poisoning with many poisoned points

🛡️ Threat Analysis

Data Poisoning Attack

Proposes a novel multiobjective bilevel optimization formulation for crafting stealthy poisoning attacks that corrupt regression model training data while minimizing detectability, and demonstrates that state-of-the-art data poisoning defenses fail against them. Also proposes BayesClean as a new defense against such poisoning attacks.

Details

Domains
tabular
Model Types
traditional_ml
Threat Tags
training_timewhite_boxtargeted
Applications
regression modelspredictive maintenanceindustrial quality controlpharmaceutical development
Read PDF arXiv DOI

Similar Papers

attack

Mathematical Foundations of Poisoning Attacks on Linear Regression over Cumulative Distribution Functions

2026 0 cit.
Data Poisoning Attack
100%
attack

Adversarial Bias: Data Poisoning Attacks on Fairness

2025 0 cit.
Data Poisoning Attack
91%
attack

IndirectAD: Practical Data Poisoning Attacks against Recommender Systems for Item Promotion

2025 0 cit.
Data Poisoning Attack
82%
attack

Shilling Recommender Systems by Generating Side-feature-aware Fake User Profiles

2025 0 cit.
Data Poisoning Attack
82%
benchmark

On Robustness of Linear Classifiers to Targeted Data Poisoning

2025 0 cit.
Data Poisoning Attack
67%
attack

Fairness-Constrained Optimization Attack in Federated Learning

2025 0 cit.
Data Poisoning Attack
64%
attack

Quality Degradation Attack in Synthetic Data

2026 0 cit.
Data Poisoning Attack
64%
defense

UTOPIA: Unlearnable Tabular Data via Decoupled Shortcut Embedding

2026 0 cit.
Data Poisoning Attack
58%