{"id":249,"date":"2026-01-11T23:47:06","date_gmt":"2026-01-11T15:47:06","guid":{"rendered":"https:\/\/connectword.dpdns.org\/?p=249"},"modified":"2026-01-11T23:47:06","modified_gmt":"2026-01-11T15:47:06","slug":"a-coding-guide-to-demonstrate-targeted-data-poisoning-attacks-in-deep-learning-by-label-flipping-on-cifar-10-with-pytorch","status":"publish","type":"post","link":"https:\/\/connectword.dpdns.org\/?p=249","title":{"rendered":"A Coding Guide to Demonstrate Targeted Data Poisoning Attacks in Deep Learning by Label Flipping on CIFAR-10 with PyTorch"},"content":{"rendered":"<p>In this tutorial, we demonstrate a targeted label-flipping data poisoning attack on the CIFAR-10 dataset and observe its impact on model behavior. We construct a clean and a poisoned training pipeline side by side, training the same ResNet-18 (adapted to 32x32 inputs) under identical settings so the two runs are directly comparable. By flipping a fraction of the training samples of one target class (automobile) to a malicious label (truck), we show how corruption confined to the labels, with the images left untouched, propagates into systematic misclassification of that class at inference time. 
Check out the\u00a0<strong><a href=\"https:\/\/github.com\/Marktechpost\/AI-Tutorial-Codes-Included\/blob\/main\/Security\/targeted_data_poisoning_label_flipping_cifar10_pytorch_Marktechpost.ipynb\" target=\"_blank\" rel=\"noreferrer noopener\">FULL CODES here<\/a><\/strong>.<\/p>\n<div class=\"dm-code-snippet dark dm-normal-version default no-background-mobile\">\n<div class=\"control-language\">\n<pre class=\" no-line-numbers\"><code class=\" no-wrap language-php\">import torch\nimport torch.nn as nn\nimport torch.optim as optim\nimport torchvision\nimport torchvision.transforms as transforms\nfrom torch.utils.data import DataLoader, Dataset\nimport numpy as np\nimport matplotlib.pyplot as plt\nimport seaborn as sns\nfrom sklearn.metrics import confusion_matrix, classification_report\n\n\nCONFIG = {\n   \"batch_size\": 128,\n   \"epochs\": 10,\n   \"lr\": 0.001,\n   \"target_class\": 1,      # CIFAR-10 class 1 = automobile, the class being attacked\n   \"malicious_label\": 9,   # CIFAR-10 class 9 = truck, the label poisoned samples receive\n   \"poison_ratio\": 0.4,    # fraction of the target class's training labels that get flipped\n   \"device\": \"cuda\" if torch.cuda.is_available() else \"cpu\",\n}\n\n\n# Seed both libraries: NumPy picks which samples are poisoned, PyTorch initialises the weights\ntorch.manual_seed(42)\nnp.random.seed(42)<\/code><\/pre>\n<\/div>\n<\/div>\n<p>We set up the environment for the experiment and keep every configuration parameter in a single CONFIG dictionary, including the compute device, so the same code runs on CPU or GPU. We fix the random seeds of PyTorch and NumPy so that the set of poisoned samples and the initial weights are the same on every run (GPU kernels may still introduce small run-to-run differences in the trained weights). 
<\/p>\n<div class=\"dm-code-snippet dark dm-normal-version default no-background-mobile\">\n<div class=\"control-language\">\n<pre class=\" no-line-numbers\"><code class=\" no-wrap language-php\">class PoisonedCIFAR10(Dataset):\n   \"\"\"Wraps a CIFAR-10 dataset and flips a fraction of one class's labels.\n\n   Only the label array is modified; the images are served unchanged from the\n   wrapped dataset, so the corruption is invisible to anyone who only inspects pixels.\n   \"\"\"\n   def __init__(self, original_dataset, target_class, malicious_label, ratio, is_train=True):\n       self.dataset = original_dataset\n       self.targets = np.array(original_dataset.targets)\n       self.is_train = is_train\n       self.poison_indices = np.array([], dtype=int)\n       if is_train and ratio &gt; 0:\n           indices = np.where(self.targets == target_class)[0]\n           n_poison = int(len(indices) * ratio)\n           # Keep the chosen indices so the poisoned samples can be audited later\n           self.poison_indices = np.random.choice(indices, n_poison, replace=False)\n           self.targets[self.poison_indices] = malicious_label\n\n\n   def __getitem__(self, index):\n       img, _ = self.dataset[index]          # the original label is discarded\n       return img, int(self.targets[index])  # possibly flipped label\n\n\n   def __len__(self):\n       return len(self.dataset)<\/code><\/pre>\n<\/div>\n<\/div>\n<p>We implement a dataset wrapper that performs the label poisoning. It selects a configurable fraction of the samples of the target class at random and overwrites their labels with the malicious label; with the defaults above, 40% of the 5,000 training automobiles (2,000 images) are relabelled as trucks. The test set is not wrapped at all, and the wrapper only poisons when is_train is true, so the evaluation labels stay correct. The images themselves are untouched: only label integrity is compromised. 
<\/p>\n<div class=\"dm-code-snippet dark dm-normal-version default no-background-mobile\">\n<div class=\"control-language\">\n<pre class=\" no-line-numbers\"><code class=\" no-wrap language-php\">def get_model():\n   # ResNet-18 with the usual CIFAR adaptation: 3x3 stem and no initial max-pool,\n   # so 32x32 inputs are not downsampled to 8x8 before the first residual stage\n   model = torchvision.models.resnet18(num_classes=10)\n   model.conv1 = nn.Conv2d(3, 64, kernel_size=3, stride=1, padding=1, bias=False)\n   model.maxpool = nn.Identity()\n   return model.to(CONFIG[\"device\"])\n\n\ndef train_and_evaluate(train_loader, description):\n   # Trains a fresh model on the given loader; evaluation happens separately in get_predictions\n   model = get_model()\n   optimizer = optim.Adam(model.parameters(), lr=CONFIG[\"lr\"])\n   criterion = nn.CrossEntropyLoss()\n   for epoch in range(CONFIG[\"epochs\"]):\n       model.train()\n       running_loss = 0.0\n       for images, labels in train_loader:\n           images = images.to(CONFIG[\"device\"])\n           labels = labels.to(CONFIG[\"device\"])\n           optimizer.zero_grad()\n           outputs = model(images)\n           loss = criterion(outputs, labels)\n           loss.backward()\n           optimizer.step()\n           running_loss += loss.item()\n       print(f\"{description}: epoch {epoch + 1}\/{CONFIG['epochs']} mean loss {running_loss \/ len(train_loader):.4f}\")\n   return model<\/code><\/pre>\n<\/div>\n<\/div>\n<p>We define the model and the training loop. The network is torchvision's ResNet-18 with the standard CIFAR-10 modifications (a 3x3 stem convolution and no initial max-pool, so the 32x32 images are not downsampled to 8x8 before the first residual stage), trained with cross-entropy loss and Adam. 
We keep the training logic identical for clean and poisoned data so that any difference in behaviour is attributable to the labels alone.<\/p>\n<div class=\"dm-code-snippet dark dm-normal-version default no-background-mobile\">\n<div class=\"control-language\">\n<pre class=\" no-line-numbers\"><code class=\" no-wrap language-php\">def get_predictions(model, loader):\n   # Run the model over a loader and return (predicted, true) label arrays\n   model.eval()\n   preds, labels_all = [], []\n   with torch.no_grad():\n       for images, labels in loader:\n           images = images.to(CONFIG[\"device\"])\n           outputs = model(images)\n           _, predicted = torch.max(outputs, 1)\n           preds.extend(predicted.cpu().numpy())\n           labels_all.extend(labels.numpy())\n   return np.array(preds), np.array(labels_all)\n\n\ndef plot_results(clean_preds, clean_labels, poisoned_preds, poisoned_labels, classes):\n   # Side-by-side confusion matrices; rows are true classes, columns are predictions\n   fig, ax = plt.subplots(1, 2, figsize=(16, 6))\n   for i, (preds, labels, title) in enumerate([\n       (clean_preds, clean_labels, \"Clean Model Confusion Matrix\"),\n       (poisoned_preds, poisoned_labels, \"Poisoned Model Confusion Matrix\")\n   ]):\n       cm = confusion_matrix(labels, preds)\n       sns.heatmap(cm, annot=True, fmt=\"d\", cmap=\"Blues\", ax=ax[i],\n                   xticklabels=classes, yticklabels=classes)\n       ax[i].set_title(title)\n   plt.tight_layout()\n   plt.show()<\/code><\/pre>\n<\/div>\n<\/div>\n<p>We run inference on the test set and collect predictions for quantitative analysis. We compute confusion matrices for both models; in a targeted label-flipping attack the cell to watch is the (automobile, truck) entry, which is where the attack is expected to show up while the rest of the matrix stays close to the clean model's.<\/p>\n<div class=\"dm-code-snippet dark dm-normal-version default no-background-mobile\">\n<div class=\"control-language\">\n<pre class=\" no-line-numbers\"><code class=\" no-wrap language-php\">train_transform = transforms.Compose([\n   transforms.RandomHorizontalFlip(),   # augmentation, training only\n   transforms.ToTensor(),\n   transforms.Normalize((0.4914, 0.4822, 0.4465),\n                        (0.2023, 0.1994, 0.2010))\n])\n# No random flip at test time, so every evaluation run sees identical inputs\ntest_transform = transforms.Compose([\n   transforms.ToTensor(),\n   transforms.Normalize((0.4914, 0.4822, 0.4465),\n                        (0.2023, 0.1994, 0.2010))\n])\n\n\nbase_train = torchvision.datasets.CIFAR10(root=\".\/data\", train=True, download=True, transform=train_transform)\nbase_test = torchvision.datasets.CIFAR10(root=\".\/data\", train=False, download=True, transform=test_transform)\n\n\n# ratio=0 leaves the label array unmodified; both datasets serve the same images\nclean_ds = PoisonedCIFAR10(base_train, CONFIG[\"target_class\"], CONFIG[\"malicious_label\"], ratio=0)\npoison_ds = PoisonedCIFAR10(base_train, CONFIG[\"target_class\"], CONFIG[\"malicious_label\"], ratio=CONFIG[\"poison_ratio\"])\n\n\nclean_loader = 
DataLoader(clean_ds, batch_size=CONFIG[\"batch_size\"], shuffle=True)\npoison_loader = DataLoader(poison_ds, batch_size=CONFIG[\"batch_size\"], shuffle=True)\ntest_loader = DataLoader(base_test, batch_size=CONFIG[\"batch_size\"], shuffle=False)\n\n\n# Class names in label order: airplane, automobile, bird, cat, deer, dog, frog, horse, ship, truck\nclasses = base_train.classes\n\n\nclean_model = train_and_evaluate(clean_loader, \"Clean Training\")\npoisoned_model = train_and_evaluate(poison_loader, \"Poisoned Training\")\n\n\nc_preds, c_true = get_predictions(clean_model, test_loader)\np_preds, p_true = get_predictions(poisoned_model, test_loader)\n\n\nplot_results(c_preds, c_true, p_preds, p_true, classes)\n\n\n# Report the attacked class only; target_names must match the labels list one-to-one\ntarget = CONFIG[\"target_class\"]\nprint(classification_report(c_true, c_preds, labels=[target], target_names=[classes[target]]))\nprint(classification_report(p_true, p_preds, labels=[target], target_names=[classes[target]]))<\/code><\/pre>\n<\/div>\n<\/div>\n<p>We prepare the CIFAR-10 dataset, construct clean and poisoned dataloaders, and execute both training pipelines end to end. Both models are evaluated on the same unmodified test set, and the classification report is restricted to the attacked class so that its precision and recall can be compared directly between the two models.<\/p>\n<p>In conclusion, we observed how label-level data poisoning degrades class-specific performance without necessarily destroying overall accuracy: recall on automobile is expected to drop for the poisoned model, with the lost predictions showing up in the truck column of the confusion matrix while the other nine classes are largely unaffected. Two caveats apply. A 40% flip rate is deliberately heavy so that the effect is visible after ten epochs; an attacker who wants to stay hidden would use a much smaller fraction, because flipping 2,000 labels also skews the class counts (3,000 automobiles versus 7,000 trucks in the poisoned training set), which a simple per-class count or a label-agreement audit would catch. And because the poisoned labels are not wrong at random but consistently point at a visually similar class, the resulting model can look healthy on aggregate accuracy while failing exactly where the attacker intended. 
This experiment reinforces the importance of data provenance, validation, and monitoring in real-world machine learning systems, especially in safety-critical domains.<\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/>\n<p>The post <a href=\"https:\/\/www.marktechpost.com\/2026\/01\/11\/a-coding-guide-to-demonstrate-targeted-data-poisoning-attacks-in-deep-learning-by-label-flipping-on-cifar-10-with-pytorch\/\">A Coding Guide to Demonstrate Targeted Data Poisoning Attacks in Deep Learning by Label Flipping on CIFAR-10 with PyTorch<\/a> appeared first on <a href=\"https:\/\/www.marktechpost.com\/\">MarkTechPost<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>In this tutorial, we 
demonstra&hellip;<\/p>\n","protected":false},"author":1,"featured_media":29,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-249","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=\/wp\/v2\/posts\/249","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=249"}],"version-history":[{"count":0,"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=\/wp\/v2\/posts\/249\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=\/wp\/v2\/media\/29"}],"wp:attachment":[{"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=249"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=249"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/connectword.dpdns.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=249"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
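The tutorial's conclusion calls for data provenance, validation and monitoring of the training labels. The following block is an added example that is not part of the tutorial or the linked notebook: it puts two such checks in working code, a provenance check (a SHA-256 digest of the label array compared with a digest recorded when the dataset was curated) and a consistency check (each sample is compared with the per-class feature means computed from the labels as given and is flagged when its own label is not the class it lies closest to; the flagged fraction per label is the quantity to monitor). So that it runs offline in seconds it uses a constructed feature matrix, ten well separated Gaussian clusters in R^10 standing in for embeddings from a trusted feature extractor, instead of CIFAR-10, and flip_labels reproduces the tutorial's attack on a plain label array. The function names, NUM_CLASSES and the cluster geometry are assumptions of this example.

```python
"""Training-label integrity checks for a label-flipping attack.

Added example; not code from the tutorial above or its notebook. The feature
matrix is a constructed stand-in (well separated Gaussian clusters in R^10) for
embeddings you would take from a trusted feature extractor, and flip_labels
mirrors the tutorial's PoisonedCIFAR10 wrapper on a plain label array.
"""
import hashlib
import numpy as np

NUM_CLASSES = 10


def make_features(n_per_class=100, seed=0):
    """Constructed data: class c is a Gaussian blob centred at 20 * e_c (unit vector)."""
    rng = np.random.default_rng(seed)
    centres = 20.0 * np.eye(NUM_CLASSES)
    feats = np.concatenate([
        rng.normal(loc=centres[c], scale=0.5, size=(n_per_class, NUM_CLASSES))
        for c in range(NUM_CLASSES)
    ])
    labels = np.repeat(np.arange(NUM_CLASSES), n_per_class)
    return feats, labels


def flip_labels(labels, target_class, malicious_label, ratio, seed=42):
    """The tutorial's attack on a label array: relabel `ratio` of target_class
    as malicious_label. Returns (poisoned labels, sorted flipped indices)."""
    rng = np.random.default_rng(seed)
    candidates = np.flatnonzero(labels == target_class)
    n_poison = int(len(candidates) * ratio)
    flipped = np.sort(rng.choice(candidates, n_poison, replace=False))
    poisoned = labels.copy()
    poisoned[flipped] = malicious_label
    return poisoned, flipped


def label_digest(labels):
    """Provenance check: SHA-256 of the label array in a fixed dtype and order.
    Record it when the dataset is curated and compare before every training run."""
    return hashlib.sha256(np.ascontiguousarray(labels, dtype=np.int64).tobytes()).hexdigest()


def audit_labels(feats, labels, num_classes=NUM_CLASSES):
    """Consistency check: flag a sample if the class mean it lies closest to
    (means computed from the labels as given) is not its own label.
    Returns (suspicious indices, fraction flagged per label)."""
    means = np.full((num_classes, feats.shape[1]), np.inf)   # empty class: never nearest
    for c in range(num_classes):
        if np.any(labels == c):
            means[c] = feats[labels == c].mean(axis=0)
    dists = np.linalg.norm(feats[:, None, :] - means[None, :, :], axis=2)
    nearest = dists.argmin(axis=1)
    suspicious = np.flatnonzero(nearest != labels)
    per_label = {}
    for c in range(num_classes):
        mask = labels == c
        per_label[c] = float(np.mean(nearest[mask] != c)) if mask.any() else 0.0
    return suspicious, per_label


def run_audit(target_class=1, malicious_label=9, ratio=0.4):
    """Poison a constructed training set and run both checks against it."""
    feats, clean = make_features()
    trusted = label_digest(clean)                     # stored at curation time
    poisoned, flipped = flip_labels(clean, target_class, malicious_label, ratio)
    suspicious, per_label = audit_labels(feats, poisoned)
    caught = np.isin(suspicious, flipped)
    return {
        "digest_ok": label_digest(poisoned) == trusted,
        "n_flipped": int(len(flipped)),
        "n_flagged": int(len(suspicious)),
        "precision": float(caught.mean()) if len(suspicious) else 1.0,
        "recall": float(np.isin(flipped, suspicious).mean()) if len(flipped) else 1.0,
        "per_label": per_label,
    }


if __name__ == "__main__":
    report = run_audit()
    print("digest matches trusted manifest:", report["digest_ok"])
    print(f"flipped {report['n_flipped']}, flagged {report['n_flagged']}, "
          f"precision {report['precision']:.2f}, recall {report['recall']:.2f}")
    for c, frac in report["per_label"].items():
        if frac > 0:
            print(f"label {c}: {frac:.1%} of samples sit closer to another class mean")
```

With the tutorial's settings (40% of class 1 relabelled as 9) the digest mismatch fires immediately, all 40 flipped samples are flagged with no false positives, and label 9 shows roughly 29% disagreement against 0% for every other label. On real embeddings classes overlap, so the per-label disagreement baseline is not zero; compare each label's rate against its own historical baseline rather than against zero, and treat the digest check as the authoritative one wherever a trusted manifest exists.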