Omission Attack: Methods and Implications
- Omission attack is a strategy that intentionally withholds or removes data to steer machine learning outcomes or disrupt communication protocols without altering remaining content.
- In supervised learning, targeted data omission employs methods like Genetic search and KNN heuristics under both white-box and black-box settings to induce specific misclassifications.
- Across domains—from causal discovery to distributed systems—omission attacks exploit the natural occurrence of missing data, challenging detection and emphasizing stealth and feasibility.
Searching arXiv for relevant papers on omission attacks and closely related omission-based threat models. Omission attack denotes a class of adversarial strategies in which the attacker achieves harmful behavior by withholding, deleting, suppressing, or failing to provide information that would otherwise be available, rather than by injecting false content or directly modifying existing content. In machine learning, systems, and security, the term covers several technically distinct mechanisms: in supervised learning, a targeted data sample omission attack removes carefully chosen training examples so that a learned model misclassifies a chosen test point (Barash et al., 2021); in causal discovery, adversarial missingness selectively hides entries of otherwise correct data to bias learned causal graphs (Koyuncu et al., 2023); in long-context LLM agents, omission constraints such as prohibitions can decay under context pressure while requirement-type constraints persist, creating a failure mode termed Security-Recall Divergence (Gamage, 22 Apr 2026). Across these settings, omission attacks are characterized by clean-label or non-forgery behavior, high stealth, and the exploitation of selection effects, missingness, or absent constraints rather than overt corruption (Barash et al., 2021, Koyuncu et al., 2023).
1. Targeted omission in supervised learning
In supervised learning, the canonical formulation is the targeted data sample omission (TDO) attack, introduced as a clean-label data poisoning attack in which the adversary’s only action is to remove carefully chosen training samples from the training set so that the trained model misclassifies one or several specific target test points of the attacker’s choice (Barash et al., 2021). The original training set is
the attacker removes indices , and the post-attack set becomes
If the victim trains on , the attack succeeds when the chosen target with true label is misclassified:
This differs from classical poisoning because the attacker never injects new examples and never alters labels or features of retained examples (Barash et al., 2021). The attack is therefore omission-only, clean-label, and budgeted: the attacker may remove at most examples or an -fraction of the dataset (Barash et al., 2021). The attack objective can be written as
0
This formulation makes omission attack a causative training-time threat rather than a test-time exploratory perturbation (Barash et al., 2021).
The threat model distinguishes white-box and black-box omission attacks. In white-box settings, the attacker has full access to the training data, labels, model architecture, and training algorithm, and can compute gradient- or influence-based scores for each training sample relative to the target (Barash et al., 2021). In black-box settings, direct gradients are unavailable; the attacker may rely on query access, surrogate models, or simple geometric heuristics such as removing target-neighboring support points with the correct label (Barash et al., 2021).
2. Attack algorithms and empirical behavior
The white-box methodology for TDO comprises four main stages (Barash et al., 2021). First, the attacker estimates how removing each training point changes the target loss, conceptually through a quantity of the form
1
Second, the attacker enforces a removal budget by selecting the top-2 points under the scoring function. Third, the attacker searches over subsets of removals using either Genetic or Greedy search. Fourth, the model is retrained on the reduced dataset and evaluated on the target (Barash et al., 2021).
In black-box settings, the paper describes three practical strategies (Barash et al., 2021). One is surrogate transfer, where the attacker trains a surrogate and performs the omission attack in white-box mode on that surrogate. Another is a KNN-based method that removes training points near the target, especially those supporting the correct class, to shift the local decision boundary. A third reuses Genetic or Greedy search in surrogate space or under query-based evaluation (Barash et al., 2021).
Empirically, omission-only attacks are effective across neural and classical learners and across text, image, and synthetic datasets (Barash et al., 2021). In white-box experiments, the reported attack success rate is 0.80 on IMDB with 1DConvNet and Genetic search; on MNIST 2-class tasks, 1.00 for ANN with Genetic, 1.00 for GNB with Genetic, 1.00 for GNB with Greedy, 0.90 for KNN5 with Genetic, and 0.82 for SVM with Genetic (Barash et al., 2021). On MNIST 3-class tasks, 1.00 is reported for ANN with Genetic and 1.00 for SVM with Genetic (Barash et al., 2021). On the synthetic dataset, 0.99 is reported for KNN5 with Genetic, 0.88 for ANN with Genetic, 0.87 for SVM with Genetic, and 0.85 for decision tree with Genetic (Barash et al., 2021). These results underpin the paper’s summary that with a low attack budget, white-box success is above 80% and in some cases 100% (Barash et al., 2021).
Black-box performance is lower but still nontrivial (Barash et al., 2021). On CIFAR-10 with deep CNN victims and a GoogLeNet surrogate, the KNN-based omission attack reaches 0.25 against ResNet18, 0.15 against MobileNetV2, 0.14 against VGG11, and 0.08 against AlexNet (Barash et al., 2021). On MNIST, black-box KNN reaches 0.85 against KNN5 and 0.80 against GNB; on the synthetic dataset, KNN reaches 1.00 against KNN5 and 0.90 against decision trees (Barash et al., 2021). The paper also states that overall test accuracy changes are negligible for both white-box and black-box cases, regardless of learner and dataset (Barash et al., 2021).
The comparative pattern is consistent: white-box omission attacks, especially Genetic search, are highly effective; black-box omission attacks remain systematically above reference benchmarks but are more sensitive to model and data complexity (Barash et al., 2021). This suggests that omission-only capability, although weaker than arbitrary poisoning, can still be operationally powerful.
3. Theoretical foundations and generic vulnerability
The theoretical analysis of TDO is conducted in a simplified agnostic PAC framework (Barash et al., 2021). The instance space is 3, the label space is 4, the hypothesis class is 5, and the loss is 0–1 loss. Risk is written as
6
A learner is successful if, with probability at least 7 over a sample 8, it outputs 9 such that
0
The core theorem studies a modified distribution 1 induced by omission and a region 2 where the attacker wishes to shape classifier behavior (Barash et al., 2021). The proof decomposes error over 3 and 4, beginning from
5
Under stated conditions, Part 1 shows that the learner must predict label 6 on many points in 7, with
8
and similarly under 9 (Barash et al., 2021). Part 2 shows that if negative points in 0 have small mass,
1
then overall risk remains bounded by
2
The significance of this result is not architectural but structural: omission attack succeeds because deleting points reshapes the effective training distribution, and any learner that is successful with respect to the observed distribution is then driven toward attacker-desired behavior in 3 while preserving small global loss (Barash et al., 2021). This is why the paper characterizes omission attacks as a generic vulnerability for successful agnostic learners (Barash et al., 2021).
A closely related formulation appears in causal discovery, where the adversary cannot alter values but can select which entries are missing (Koyuncu et al., 2023). There, the modeler assumes missing at random and optimizes
4
while the adversary chooses a missingness mechanism 5 and adversarial SCM 6 to minimize
7
subject to indistinguishability and missingness constraints (Koyuncu et al., 2023). The generalized rejection-sampling construction ensures that for every nonzero mask 8,
9
which makes 0 a global maximizer of the learner’s objective (Koyuncu et al., 2023). This suggests that omission attack is best understood more generally as adversarial control over which evidence is presented to the learner.
4. Omission as communication and protocol failure
In distributed systems, omission attack has an older and more literal meaning: messages are lost rather than fabricated. In the model of arbitrary mobile omission faults, a synchronous network is a directed graph 1, and each round’s delivery pattern is a directed spanning subgraph 2 called a communication event (Godard et al., 2011). A scenario is an infinite sequence of such events, and a mobile omission scheme has the form
3
for some event set 4, meaning that in every round the adversary may choose any event in 5 (Godard et al., 2011).
This provides a graph-theoretic characterization of omission attack in consensus protocols. Broadcast is possible under 6 if and only if every event 7 has a source and the source sets intersect: 8 (Godard et al., 2011). A set of events is source-incompatible if each event individually has a source but there is no common source across them (Godard et al., 2011). The paper’s main impossibility theorem states that if consensus is solvable in 9, then every 0-equivalence class of indistinguishable events must be broadcastable (Godard et al., 2011). When omission patterns are defined by convex bounded-failure sets, consensus is solvable if and only if broadcast is solvable (Godard et al., 2011).
The two-generals reformulation reaches a related conclusion for arbitrary message adversaries with omission faults (Godard et al., 2021). In the two-process synchronous model, each round’s event is one of
1
corresponding to both messages delivered, white-to-black lost, black-to-white lost, or both lost (Godard et al., 2021). The main theorem characterizes solvable adversaries 2, where 3, in terms of excluded fair scenarios, excluded special pairs, or exclusion of persistent unilateral-loss scenarios (Godard et al., 2021). The topological form states that coordinated attack is solvable in 4 if and only if the reachable configuration space 5 is not connected (Godard et al., 2021). Here omission attack prevents agreement not by lying but by sustaining indistinguishability.
A game-theoretic extension studies rational uniform consensus with general omission failures, where processes may crash, omit sends, or omit receives, and rational agents prefer consensus (Zhang et al., 2022). That work converts process-level omission into a persistent link-state model through punishment: if no message is received on a link, the link is thereafter treated as faulty in both directions (Zhang et al., 2022). This suggests a second broad meaning of omission attack: the attacker suppresses information flow until the protocol’s observability assumptions fail, even if message contents remain authentic.
5. Omission in generative and agentic systems
In generative systems, omission attack often refers not to removal of training data but to withholding required content from outputs or inducing models to ignore parts of their inputs. In multimodal diffusion transformers, concept omission means that requested objects or attributes fail to appear in the generated image (Baek et al., 14 May 2026). The paper identifies an omission signal in text key embeddings, learned via linear probes on intermediate representations: 6 where 7 indicates concept presence versus absence (Baek et al., 14 May 2026). The authors extract a direction
8
and intervene at inference time with
9
where 0 is the normalized omission direction (Baek et al., 14 May 2026). Although presented as a correction method, the paper explicitly reports that applying the opposite direction sharply degrades concept realization, which implies a direct omission attack surface at the embedding level (Baek et al., 14 May 2026).
In LLM agents, omission becomes a control-policy issue. Agent-Omit defines two omission actions: thought omission, where the agent emits ``, and observation omission, where it outputs commands that remove historical tool responses from context (Ning et al., 4 Feb 2026). The agent policy is
1
and omission reward is
2
when task reward is nonzero (Ning et al., 4 Feb 2026). This work treats omission as efficiency-enhancing when applied to redundant content, but it also shows that omitting initial thoughts or later observations is detrimental (Ning et al., 4 Feb 2026). This suggests that omission attack on agents would consist of steering the omission policy so that safety-critical reasoning or evidence is dropped.
A more direct security study appears in long-context LLM agents. There, omission constraints such as “never reveal credentials” are found to decay with context depth while commission constraints such as required audit tokens persist, a phenomenon formalized as
3
(Gamage, 22 Apr 2026). In 4,416 trials, omission compliance falls from 73% at turn 5 to 33% at turn 16 for Mistral Large 3 while commission compliance remains at 100%, with 4 (Gamage, 22 Apr 2026). The study identifies a Zone of Exploitation where omission constraints have decayed but commission signals still look healthy, and shows that re-injecting constraints before the model’s Safe Turn Depth restores compliance without retraining (Gamage, 22 Apr 2026). This is an omission attack in a policy-memory sense: the attacker wins by exhausting or diluting suppressive constraints rather than by overriding them directly.
6. Detection, evaluation, and domain-specific omission
Several recent works treat omission not as an attack mechanism itself but as a first-class error category whose measurement is necessary for detecting omission-style attacks.
In multilingual machine translation, HalOmi defines omissions as translations that do not include some of the input information and provides sentence- and word-level omission labels over 18 translation directions (Dale et al., 2023). The paper reports that at least 17% of translations have omissions and at least 5% have full omissions (Dale et al., 2023). Detection methods based on source-token usage, particularly ALTI5, are found to be strongest for omission detection, and conclusions drawn from a single language pair are shown not to generalize (Dale et al., 2023). This suggests that omission attacks in translation are most plausible where coverage is already weak, such as low-resource or out-of-domain directions.
In dialogue summarization, omission is formalized at utterance level. Given dialogue 6, reference oracle 7, and candidate oracle 8, omission begins from 9 but is refined using word overlap sets 0 and 1 so that an utterance can count as omitted even if partially covered (Zou et al., 2022). The paper defines an omission rate
2
and reports that even strong pretrained models have at least 70% of candidate summaries containing omissions, with almost 90% in QMSum and TweetSumm (Zou et al., 2022). Sequence-labeling detectors reach F1 scores generally below 50%, showing that omission remains hard to detect (Zou et al., 2022). This suggests that omission attack on summarizers can be subtle and high-yield because the base rate of omission is already substantial.
In knowledge-graph construction from text, omission is treated as a semantic-fidelity error complementary to hallucination (Ghanem et al., 7 Feb 2025). The paper counts omissions using Optimal Edit Paths derived from Graph Edit Distance and defines exact omission rate as
3
(Ghanem et al., 7 Feb 2025). It also proposes GM-GBS, a graph matching metric based on graph BERTScore: 4 The paper explicitly notes that GM-GBS can mask small but critical omissions if overall semantic similarity remains above the 0.95 threshold (Ghanem et al., 7 Feb 2025). This suggests a plausible omission-attack evaluation gap: semantically tolerant metrics may under-penalize small, targeted deletions.
In misinformation detection, OmiGraph is explicitly built to reason about what is missing from a target article relative to a contextual environment (Wang et al., 1 Dec 2025). It constructs a graph over target and contextual segments, with inter-source omission-intent edges
5
then performs omission-aware message passing and aggregation (Wang et al., 1 Dec 2025). The paper reports average improvements of +5.4% F1 and +5.3% ACC on two large-scale benchmarks (Wang et al., 1 Dec 2025). This suggests that omission attack in discourse often operates through the “illusion of completeness,” and that its detection requires reasoning over external context rather than the target text alone.
7. Stealth, feasibility, and defenses
Across domains, omission attacks are consistently marked by stealth. In TDO, missing training examples are often less suspicious than forged or mislabeled examples, because missing data already occurs in collection, privacy deletion, or preprocessing pipelines (Barash et al., 2021). In causal discovery, the values that remain are all genuine and can even be cryptographically signed; only the missingness pattern is adversarial (Koyuncu et al., 2023). In quantum key distribution, an eavesdropper can exploit detector dead time to make some detections impossible without intercepting the quantum channel, thereby learning the key from omitted detection possibilities rather than from explicit tampering (Weier et al., 2011). The paper reports that Eve inferred up to 98.8% of the key correctly without significantly increasing Alice–Bob bit error rate (Weier et al., 2011). This is a side-channel omission attack in the literal sense: security is compromised by controlled absences.
Feasibility conditions recur. Omission attacks are easier when each unit of omitted evidence has noticeable influence, when the target depends on sparse local support, or when systems tolerate missingness as normal (Barash et al., 2021, Koyuncu et al., 2023). They are harder when data are extremely large and redundant, when training is robust to small distribution shifts, or when missingness is audited and coverage gaps are detected (Barash et al., 2021). In long-context agents, re-injecting constraints before Safe Turn Depth mitigates omission-constraint decay (Gamage, 22 Apr 2026). In QKD, keeping only events where all detectors are active blocks the dead-time omission attack (Weier et al., 2011). In causal discovery, a plausible implication is that defenses must model 6 rather than assuming MAR, because adversarial missingness acts by violating the learner’s missingness assumptions (Koyuncu et al., 2023).
A cross-domain pattern emerges. Omission attacks exploit a general asymmetry: most systems are better at detecting commission—added, corrupted, or contradictory content—than omission, because absence is harder to localize, easier to rationalize, and often compatible with superficially healthy aggregate metrics. In supervised learning, accuracy remains unchanged while a targeted point flips (Barash et al., 2021). In LLM agents, audit tokens remain present while prohibitions fail (Gamage, 22 Apr 2026). In KG evaluation, semantic-similarity metrics can remain high despite critical omissions (Ghanem et al., 7 Feb 2025). In misinformation, explicit claims may remain literally true while missing context changes interpretation (Wang et al., 1 Dec 2025). This suggests that omission attack is not a narrow subcase of poisoning or failure, but a broad adversarial principle: control the decision by controlling what is left out.