Papers
Topics
Authors
Recent
Search
2000 character limit reached

Sequential Data Poisoning in Online Systems

Updated 5 July 2026
  • Sequential data poisoning is an attack on temporally ordered data streams where adversaries manipulate update sequences and intermediate model states to compromise performance.
  • Advanced strategies like Incremental, Interval, and Teach-and-Reinforce attacks leverage gradient information and planning to maximize the poisoning effect across multi-stage learning pipelines.
  • Defenses integrating data sanitization, influence functions, and cross-stage auditing aim to mitigate the trajectory-based vulnerabilities exploited by sequential poisoning attacks.

Sequential data poisoning denotes poisoning attacks in which the training signal is not a static dataset but a temporally ordered stream, a sequence of event records, or a multi-stage post-training pipeline. In these settings, the attacker exploits update order, intermediate model states, and stage-to-stage interactions rather than only the final empirical risk. The literature spans binary linear classification under Online Gradient Descent (OGD), real-time SGD and federated learning, Test-Time Training (TTT), financial transaction sequences, sequential recommender systems, and LLM post-training pipelines such as SFT \to DPO and SFT \to PPO (Wang et al., 2018, Pang et al., 2021, Perry, 2020, Ermilova et al., 2023, Zhang et al., 2024, Zhao et al., 9 Apr 2025, Sanderson et al., 3 Jun 2026).

1. Core formulation and threat models

A canonical sequential setting is streaming online learning. Training data arrives as a stream S={S0,S1,,ST1}S=\{S_0,S_1,\dots,S_{T-1}\}, where St=(xt,yt)S_t=(x_t,y_t), and the learner updates a linear classifier by OGD:

wt+1=wtηt[w(wt;(xt,yt))+wΩ(wt)].w_{t+1} = w_t - \eta_t [\nabla_w \ell(w_t;(x_t,y_t)) + \nabla_w \Omega(w_t)].

The standard setup uses a regularized convex loss, with Ω(w)=(c/2)w2\Omega(w)= (c/2)\|w\|^2, and a feasible-set defense F=[1,1]d×{1,+1}F=[-1,1]^d \times \{-1,+1\} so that incoming points are projected into a bounded region (Wang et al., 2018).

Within this framework, two poisoning settings are formalized. In semi-online poisoning, the adversary maximizes a scalar utility of the final classifier wTw_T, typically the misclassification rate on a held-out distribution. In fully-online poisoning, the adversary maximizes the cumulative utility over all intermediate classifiers, t=1Tf(wt)\sum_{t=1}^T f(w_t). The attacker is white-box, knows the clean stream, the learning algorithm, all hyperparameters, and the validation/test distributions, and can modify at most KK examples in the stream (Wang et al., 2018).

A distinct but related formulation treats online poisoning as a stochastic optimal control problem. At each time \to0, the environment draws \to1 i.i.d. from an unknown, time-invariant distribution \to2; the victim updates \to3; and the attacker observes \to4 and \to5, chooses a perturbed sample \to6 with \to7, and minimizes a discounted cumulative cost

\to8

This formulation makes the sequential dependency explicit: the attacker’s action alters the next model state, which alters the value of future actions (Zhang et al., 2019).

A broader misconception is that sequential poisoning is merely “offline poisoning with ordered inputs.” The formal objectives above indicate otherwise. The attack surface includes the full trajectory of model updates, not only the terminal parameter vector. This suggests that order-aware adversaries can exploit learning-rate schedules, early-prefix sensitivity, and stage-specific objectives in ways that order-oblivious poisoning cannot (Wang et al., 2018).

2. Optimization strategies for order-aware attacks

Directly solving the sequential poisoning program is described as non-convex and combinatorial. For OGD-based online learning, one practical approach is to smooth the objective by replacing the \to9–S={S0,S1,,ST1}S=\{S_0,S_1,\dots,S_{T-1}\}0 error with a differentiable surrogate on a held-out validation set and to use a label-inversion trick, forming S={S0,S1,,ST1}S=\{S_0,S_1,\dots,S_{T-1}\}1 by flipping each S={S0,S1,,ST1}S=\{S_0,S_1,\dots,S_{T-1}\}2. The resulting objective

S={S0,S1,,ST1}S=\{S_0,S_1,\dots,S_{T-1}\}3

is differentiated through the update trajectory by chain-rule recursion. With the prefix vector

S={S0,S1,,ST1}S=\{S_0,S_1,\dots,S_{T-1}\}4

one has S={S0,S1,,ST1}S=\{S_0,S_1,\dots,S_{T-1}\}5, and computing all prefixes S={S0,S1,,ST1}S=\{S_0,S_1,\dots,S_{T-1}\}6 for S={S0,S1,,ST1}S=\{S_0,S_1,\dots,S_{T-1}\}7 takes S={S0,S1,,ST1}S=\{S_0,S_1,\dots,S_{T-1}\}8 time (Wang et al., 2018).

Three heuristics are then proposed for the combinatorial search over poisoning positions. The Incremental (Greedy) Attack iteratively selects the single point with largest gradient norm and updates it by projected gradient ascent. The Interval Attack searches over consecutive blocks S={S0,S1,,ST1}S=\{S_0,S_1,\dots,S_{T-1}\}9, exploiting that data order matters. The Teach-and-Reinforce Attack splits budget St=(xt,yt)S_t=(x_t,y_t)0 into early “teaching” modifications and uniformly spaced “reinforcement” modifications, targeting both semi-online and fully-online objectives (Wang et al., 2018).

Empirically, gradient-based online attacks—Incremental, Interval, and Teach-Reinforce—substantially degrade accuracy more than Offline or Label-flip baselines, except in the trivial synthetic 2-D case. Semi-online setting is more vulnerable than fully-online. Rapidly decaying learning rates are more vulnerable, and the concentration of modified-point positions depends on both the learning-rate schedule and whether the objective is St=(xt,yt)S_t=(x_t,y_t)1 or St=(xt,yt)S_t=(x_t,y_t)2. Among the heuristics, Interval and Incremental are best in the semi-online case, while Teach-and-Reinforce is best in the fully-online case (Wang et al., 2018).

The stochastic-control line of work replaces hand-designed heuristics with planning or policy learning. Model Predictive Control (MPC) solves a finite-horizon, sample-based planning problem on a surrogate MDP built from an empirical estimate St=(xt,yt)S_t=(x_t,y_t)3 of the data distribution, using a receding-horizon procedure. A model-free alternative uses DDPG, with an actor network St=(xt,yt)S_t=(x_t,y_t)4 and critic network St=(xt,yt)S_t=(x_t,y_t)5, trained once on pre-attack data and then applied online. Under the assumption St=(xt,yt)S_t=(x_t,y_t)6, a Simulation Lemma yields an optimality gap bounded by St=(xt,yt)S_t=(x_t,y_t)7, and when St=(xt,yt)S_t=(x_t,y_t)8 is estimated from St=(xt,yt)S_t=(x_t,y_t)9 i.i.d. samples, the attacker’s loss from not knowing wt+1=wtηt[w(wt;(xt,yt))+wΩ(wt)].w_{t+1} = w_t - \eta_t [\nabla_w \ell(w_t;(x_t,y_t)) + \nabla_w \Omega(w_t)].0 shrinks at wt+1=wtηt[w(wt;(xt,yt))+wΩ(wt)].w_{t+1} = w_t - \eta_t [\nabla_w \ell(w_t;(x_t,y_t)) + \nabla_w \Omega(w_t)].1 (Zhang et al., 2019).

3. Stealth, accumulation, and catastrophic forgetting

A major theme in sequential poisoning is that visible damage need not appear immediately. In accumulative poisoning on real-time data, the attacker injects small, stealthy perturbations wt+1=wtηt[w(wt;(xt,yt))+wΩ(wt)].w_{t+1} = w_t - \eta_t [\nabla_w \ell(w_t;(x_t,y_t)) + \nabla_w \Omega(w_t)].2 during an accumulative phase so that the held-out loss remains nearly unchanged:

wt+1=wtηt[w(wt;(xt,yt))+wΩ(wt)].w_{t+1} = w_t - \eta_t [\nabla_w \ell(w_t;(x_t,y_t)) + \nabla_w \Omega(w_t)].3

The purpose is not immediate degradation, but to make the model state at time wt+1=wtηt[w(wt;(xt,yt))+wΩ(wt)].w_{t+1} = w_t - \eta_t [\nabla_w \ell(w_t;(x_t,y_t)) + \nabla_w \Omega(w_t)].4 extremely sensitive to a final trigger batch. A first-order expansion shows that the poisoning effect is controlled by the inner product

wt+1=wtηt[w(wt;(xt,yt))+wΩ(wt)].w_{t+1} = w_t - \eta_t [\nabla_w \ell(w_t;(x_t,y_t)) + \nabla_w \Omega(w_t)].5

so the attacker tries to make these gradient vectors anti-aligned (Pang et al., 2021).

Because direct backpropagation through all wt+1=wtηt[w(wt;(xt,yt))+wΩ(wt)].w_{t+1} = w_t - \eta_t [\nabla_w \ell(w_t;(x_t,y_t)) + \nabla_w \Omega(w_t)].6 steps is impractical, the attack uses a greedy per-round update based on a proxy second-order term

wt+1=wtηt[w(wt;(xt,yt))+wΩ(wt)].w_{t+1} = w_t - \eta_t [\nabla_w \ell(w_t;(x_t,y_t)) + \nabla_w \Omega(w_t)].7

and crafts each poisoned batch by maximizing an inner product under a small wt+1=wtηt[w(wt;(xt,yt))+wΩ(wt)].w_{t+1} = w_t - \eta_t [\nabla_w \ell(w_t;(x_t,y_t)) + \nabla_w \Omega(w_t)].8-norm bound via projected gradient descent. On CIFAR-10, the reported effect is a single-step collapse: a clean trigger plus accumulative phase for wt+1=wtηt[w(wt;(xt,yt))+wΩ(wt)].w_{t+1} = w_t - \eta_t [\nabla_w \ell(w_t;(x_t,y_t)) + \nabla_w \Omega(w_t)].9 steps drives accuracy from Ω(w)=(c/2)w2\Omega(w)= (c/2)\|w\|^20 to Ω(w)=(c/2)w2\Omega(w)= (c/2)\|w\|^21, and poisoned trigger plus accumulative phase can push accuracy as low as Ω(w)=(c/2)w2\Omega(w)= (c/2)\|w\|^22 in some settings. On MNIST a Ω(w)=(c/2)w2\Omega(w)= (c/2)\|w\|^23 model can be driven below Ω(w)=(c/2)w2\Omega(w)= (c/2)\|w\|^24 in one step (Pang et al., 2021).

A related but distinct sequential poisoning objective is catastrophic forgetting in TTT. The Lethean Attack considers an online update

Ω(w)=(c/2)w2\Omega(w)= (c/2)\|w\|^25

on an auxiliary self-supervised loss and seeks a poisoning sequence Ω(w)=(c/2)w2\Omega(w)= (c/2)\|w\|^26 that forces the main-task risk toward the risk of random guessing. The theoretical rationale is gradient misalignment: if

Ω(w)=(c/2)w2\Omega(w)= (c/2)\|w\|^27

then the self-supervised update increases the main loss. In the CIFAR-10 plus rotation-prediction setting, the concrete attack sequence is formed by repeatedly sampling a genuine image, choosing a rotation angle from Ω(w)=(c/2)w2\Omega(w)= (c/2)\|w\|^28, and adapting on the rotated image. The reported result is that clean accuracy drops from Ω(w)=(c/2)w2\Omega(w)= (c/2)\|w\|^29 to F=[1,1]d×{1,+1}F=[-1,1]^d \times \{-1,+1\}0 in under F=[1,1]d×{1,+1}F=[-1,1]^d \times \{-1,+1\}1 poisoning steps, while FGSM, CIFAR-10-C, and random pixels cause only mild or negligible forgetting (Perry, 2020).

These results complicate the common assumption that poisoning must manifest as a gradual degradation during training. In both accumulative poisoning and Lethean Attack, the decisive property is trajectory shaping: intermediate updates are arranged so that later updates become disproportionately destructive (Pang et al., 2021, Perry, 2020).

4. Sequence-domain instantiations: event sequences and recommendation

In event sequence data, backdoor insertion is described as harder than in computer vision because models operate over a more complex discrete space of sequences, and systematic checks for insecurities occur. For financial transactions of a customer, one reported method introduces concealed backdoors that create vulnerabilities without altering functionality for uncontaminated data. The attack replaces a clean model with a poisoned one that is aware of the availability of a backdoor and utilizes this knowledge. The most difficult for uncovering attacks include either additional supervised detection step of poisoned data activated during the test or well-hidden model weight modifications. Experiments are conducted on three open transaction datasets and architectures including LSTM, CNN, and Transformer, while alternative methods and baselines such as distillation-type regularization are explored but found to be less efficient (Ermilova et al., 2023).

Sequential recommender systems provide another explicit sequential poisoning surface. A standard formulation uses user interaction sequences F=[1,1]d×{1,+1}F=[-1,1]^d \times \{-1,+1\}2, a recommender F=[1,1]d×{1,+1}F=[-1,1]^d \times \{-1,+1\}3, and fake users F=[1,1]d×{1,+1}F=[-1,1]^d \times \{-1,+1\}4 with crafted sequences F=[1,1]d×{1,+1}F=[-1,1]^d \times \{-1,+1\}5, aiming to maximize

F=[1,1]d×{1,+1}F=[-1,1]^d \times \{-1,+1\}6

for a target item F=[1,1]d×{1,+1}F=[-1,1]^d \times \{-1,+1\}7. The literature distinguishes heuristic attacks such as Random Attack and Bandwagon Attack from optimization-based attacks such as DP Attack and Rev Attack. In sequential models these attacks manipulate learned item-to-item transition statistics, for example by introducing spurious transitions or by subtly shifting conditional probabilities F=[1,1]d×{1,+1}F=[-1,1]^d \times \{-1,+1\}8 in favor of the target (Zhang et al., 2024).

Two recent lines illustrate the attack–defense interplay in this domain. On the defense side, LoRec integrates an LLM-enhanced CalibraTor (LCT) with user-wise reweighting,

F=[1,1]d×{1,+1}F=[-1,1]^d \times \{-1,+1\}9

and trains the recommender with

wTw_T0

The evaluation uses T-HR@50 and T-NDCG@50, where lower is better, and recommendation consistency RC@10. On Amazon-Games, the best competing method GraphRfi yields T-HR@50wTw_T1 under Random, whereas LoRec achieves wTw_T2; on MIND, LoRec achieves RC@10wTw_T3 for HR and wTw_T4 for NDCG under all attacks (Zhang et al., 2024).

On the attack side, DDSP argues that existing poisoning objectives conflict with recommendation training. To promote a target item while maintaining relevance of preferred items, it introduces the dual-promotion loss

wTw_T5

supplemented by a contrastive regularizer and a diversity-aware auto-regressive poisoning sequence generator with re-ranking by

wTw_T6

Under an attack budget wTw_T7, DDSP-B achieves the highest target promotion while incurring the smallest drop in overall rec@10; removing the contrastive term reduces attack success by wTw_T8–wTw_T9, and removing diversity re-ranking reduces stealthiness and ultimate attack gain by t=1Tf(wt)\sum_{t=1}^T f(w_t)0–t=1Tf(wt)\sum_{t=1}^T f(w_t)1 (Zhao et al., 9 Apr 2025).

5. Sequential poisoning in LLM post-training

In LLM post-training, sequential data poisoning refers to poisoning across multiple alignment stages rather than within a single online stream. A representative threat model considers up to three stages: Stage 1, Supervised fine-tuning (SFT); Stage 2, preference alignment via DPO; and Stage 3, RLHF via a learned reward model and PPO. At each stage t=1Tf(wt)\sum_{t=1}^T f(w_t)2, an adversary t=1Tf(wt)\sum_{t=1}^T f(w_t)3 may poison the clean dataset t=1Tf(wt)\sum_{t=1}^T f(w_t)4 by replacing up to a fraction

t=1Tf(wt)\sum_{t=1}^T f(w_t)5

of examples with triggered inputs whose labels are maliciously chosen (Sanderson et al., 3 Jun 2026).

Backdoor efficacy is measured by the Attack Success Rate,

t=1Tf(wt)\sum_{t=1}^T f(w_t)6

and stealth is measured by comparing clean-input ASR and the reward-score shift

t=1Tf(wt)\sum_{t=1}^T f(w_t)7

The central empirical phenomenon is the single-attacker illusion: poisoning only SFT, only DPO, or only RM/PPO data at low budgets appears negligible, because downstream clean stages “deactivate” or wash out the backdoor and ASR remains near zero (Sanderson et al., 3 Jun 2026).

Once two stages are poisoned sequentially, however, hidden vulnerabilities re-emerge. In the SFT t=1Tf(wt)\sum_{t=1}^T f(w_t)8 DPO pipeline, the effects are additive: with fixed total budget t=1Tf(wt)\sum_{t=1}^T f(w_t)9, splitting poison across stages outperforms concentrating it at either stage alone. The concrete report is that with KK0, distributing it as KK1 yields KK2 ASR, and KK3 grows roughly linearly with KK4 and KK5. In the SFT KK6 PPO pipeline, the effects are complementary: neither SFT poisoning nor reward-model poisoning succeeds individually, yet together they produce a threshold effect, with ASR jumping from near zero to KK7 on larger models such as Llama-8B and Qwen-8B, while smaller models such as Qwen-1.7B remain resistant even at KK8, KK9 (Sanderson et al., 3 Jun 2026).

The paper explicitly states that it does not present a closed-form theoretical proof of additive versus complementary dynamics, and instead offers an empirical “ACA-style” observation. This is important because it identifies a controversy in evaluation methodology: per-stage threat analyses can systematically underestimate compound vulnerabilities that emerge only from stage interaction (Sanderson et al., 3 Jun 2026).

6. Defenses, evaluation practice, and open problems

Defensive work in sequential poisoning is correspondingly heterogeneous. For online learning, one recommendation is to avoid having a single classifier depend heavily on a small subset of points, for instance by using averaged stochastic gradient methods such as Polyak–Ruppert averaging,

\to00

and to use non-rapidly decaying learning rates so that no small prefix dominates the final model (Wang et al., 2018).

A more explicit online defense combines data sanitization with influence functions. In the influence-based defense, the learner first applies a slab-screen based on class centroids and then computes the influence score

\to01

where

\to02

If \to03 exceeds a threshold based on a recent influence window, the learner takes one gradient-descent step in input space to reduce influence before performing the OGD model update. The summary states that slab + influence often outperforms slab alone under the optimal learning rate, with gains up to \to04 in some cases such as MNIST, while occasionally inducing a small drop in clean-data accuracy of \to05–\to06 (Seetharaman et al., 2021).

For accumulative poisoning, simple anomaly detectors—kernel-density, local intrinsic dimensionality, and Gaussian mixture/D-analysis—are reported to be evaded more easily than classical PGD examples, and gradient clipping only modestly blunts the accumulative attack while strong clipping slows overall training. In sequential recommendation, LoRec is presented as a general framework that extends defense beyond known attacks by integrating LLM-derived open-world knowledge into user-wise reweighting. In LLM post-training, recommended mitigations are end-to-end rather than per-stage: data provenance, joint auditing of instruction and preference datasets, randomized trigger-injection tests at multiple stages, and robust or certified training methods that do not assume a fresh, clean alignment stage (Pang et al., 2021, Zhang et al., 2024, Sanderson et al., 3 Jun 2026).

Open problems recur across the literature. These include designing certified defenses for online learning, extending poisoning attacks and defenses to more complex models and other feedback-driven settings such as contextual bandits and reinforcement learning, understanding worst-case poisoning budgets in the online streaming model, identifying whether accumulative alignment has a detectable curvature or Hessian signature over time, and developing theoretical frameworks for general-sum, sequential poisoning in multi-stage pipelines (Wang et al., 2018, Pang et al., 2021, Sanderson et al., 3 Jun 2026).

Taken together, the literature shows that sequential data poisoning is not a single attack family but a unifying security perspective on temporally structured learning. Its distinguishing feature is that the attacker manipulates not only examples, but the geometry of future updates. That geometry may be governed by stream order, online optimizer state, hidden sensitivity to a trigger batch, item-to-item transition statistics, or cross-stage interactions in post-training. A plausible implication is that defenses that certify or sanitize only static datasets will remain incomplete unless they explicitly reason about trajectories, intermediate states, and stage composition.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Sequential Data Poisoning.