Understanding that data poisoning and backdoor attacks can compromise model training is one thing; quantifying how and to what extent they succeed is another critical step. Once an attacker attempts to inject malicious data or embed hidden triggers, we need robust methods to analyze the resulting impact on the model's behavior and the learning process itself. This analysis helps us understand the attack's effectiveness, diagnose model failures, and potentially inform defense strategies.

The primary goals of analysis typically fall into two categories: measuring the degradation of the model's intended functionality and verifying the success of the attacker's specific malicious objective (like a backdoor trigger).

Measuring Impact on General Performance

Poisoning attacks, especially those aiming for availability reduction, seek to degrade the model's overall performance on its primary task. The most straightforward way to measure this is by using standard evaluation metrics, but calculated carefully.

Standard Metrics on Clean Test Data: Evaluate the poisoned model on a pristine, held-out test set (containing no poison or triggers). Compare metrics like accuracy, precision, recall, F1-score, or AUC against a baseline model trained only on clean data. A significant drop in these metrics indicates successful availability poisoning.

For a classification task, let $M_{clean}$ be the model trained on clean data $D_{clean}$ , and $M_{poisoned}$ be the model trained on the poisoned dataset $D_{poisoned} = D_{clean} \cup D_{poison}$ . We compare the accuracy:
$Acc(M_{poisoned}, D_{test\_clean}) \quad vs \quad Acc(M_{clean}, D_{test\_clean})$
A lower value for $Acc(M_{poisoned}, D_{test\_clean})$ suggests the poisoning impacted general performance.
Loss on Clean Data: Similarly, examine the average loss of the poisoned model on the clean test set. Higher loss compared to the baseline model often correlates with poorer generalization and performance degradation caused by the poison.

Assessing Targeted Attack Success

For integrity attacks or backdoors, the attacker has a specific malicious goal, such as causing targeted misclassification or activating a hidden behavior via a trigger. Measuring success requires evaluating these specific outcomes.

Attack Success Rate (ASR): This is the primary metric for targeted attacks.
- For Backdoors: ASR measures the percentage of inputs containing the backdoor trigger that are misclassified into the attacker's target class. Let $D_{test\_trigger}$ be a test set where benign inputs have the trigger pattern added. Let $y_{target}$ be the attacker's desired output label. The ASR is: $ASR = \frac{1}{|D_{test\_trigger}|} \sum_{(x, y) \in D_{test\_trigger}} \mathbb{I}(M_{poisoned}(x) = y_{target})$ where $\mathbb{I}(\cdot)$ is the indicator function (1 if the condition is true, 0 otherwise). A high ASR indicates the backdoor is effective.
- For Targeted Poisoning (Integrity): ASR measures the percentage of specific, predefined target test samples that the poisoned model misclassifies as intended by the attacker.
Benign Accuracy / Clean Accuracy: A crucial aspect of stealthy backdoors or clean-label attacks is that the model should still perform well on normal, benign inputs (inputs without the trigger). Therefore, alongside ASR, always measure the model's accuracy on the original clean test set ( $D_{test\_clean}$ ). A successful, stealthy attack achieves a high ASR while maintaining high accuracy on clean data. If clean accuracy drops significantly, the attack is less subtle, though potentially still damaging.

Analyzing Changes in the Learning Process

Poisoning can alter how the model learns. Analyzing the training dynamics can provide insights into the attack's influence.

Learning Curves: Plot the training and validation loss/accuracy over epochs for both the clean and poisoned training processes. Poisoning might manifest as:
- Slower convergence.
- Higher final training/validation loss.
- Increased instability or oscillations in the loss/accuracy curves.
- A larger gap between training and validation performance, suggesting the poison affects generalization.
Comparing validation accuracy curves for models trained on clean vs. poisoned data. The poisoned model shows lower accuracy and potentially slower convergence.
Model Parameter Analysis: Examine the weights and biases of the poisoned model compared to the clean model. Large deviations in weight norms or specific parameter values might indicate the poisoning's effect. However, interpreting these changes directly can be challenging in complex models like deep neural networks.
Internal Representation Analysis: Techniques like t-SNE or PCA can visualize the learned feature representations in the model's hidden layers. Apply these to both clean inputs and inputs relevant to the attack (e.g., triggered inputs for backdoors). Poisoning might cause representations of triggered inputs to cluster incorrectly near the target class representation or distort the overall feature space.

Advanced Analysis Techniques

More sophisticated methods can trace the influence of individual training points.

Influence Functions: These techniques approximate the effect of removing or upweighting a specific training point on the model's parameters or its prediction on a test point. They can potentially identify training samples (including poison points) that have a disproportionately high impact on specific misclassifications or overall loss. While powerful, influence functions can be computationally expensive, especially for large models and datasets.
Loss and Gradient Analysis during Training: Monitoring the loss values of individual training samples can sometimes highlight anomalies. Poisoned samples might consistently exhibit unusually high or low loss compared to clean samples, depending on the attack strategy. Similarly, analyzing gradient norms or directions associated with poison points might reveal suspicious patterns.
Neuron Activation Analysis (for Backdoors): Backdoor triggers often rely on activating specific internal neurons or patterns disproportionately. Techniques like network dissection or analyzing activation maps for triggered vs. non-triggered inputs can sometimes pinpoint neurons hijacked by the backdoor mechanism. This involves observing which neurons fire strongly and consistently only when the trigger is present.

Evaluation Considerations

Effective analysis requires a careful experimental setup:

Clean Baselines: Always compare against a model trained under identical conditions but using only clean data.
Separate Datasets: Use distinct, clean datasets for validation (hyperparameter tuning, early stopping) and final testing. Never let poison data leak into the validation or test sets unless specifically crafting triggered inputs for ASR evaluation.
Appropriate Metrics: Use the right metrics for the goal. General performance requires standard metrics on clean data; targeted attack success requires ASR and clean accuracy.
Reproducibility: Document the poisoning strategy, amount of poison data, model architecture, training hyperparameters, and evaluation setup thoroughly.

By employing these analysis techniques, you can gain a much clearer picture of how training-time attacks affect machine learning models, moving beyond simple detection to a quantitative understanding of their impact. This knowledge is fundamental for developing and evaluating effective defenses against data poisoning and backdoors.