A Novel Data Sanitization Method Based on Dynamic Dataset Partition and Inspection Against Data Poisoning Attacks

Abstract

Deep learning (DL) technology has shown outstanding performance in various fields such as object recognition and classification, speech recognition, and natural language processing. However, it is well known that DL models are vulnerable to data poisoning attacks, where adversaries modify or inject data samples maliciously during the training phase, leading to degraded classification accuracy or misclassification. Since data poisoning attacks keep evolving to avoid existing defense methods, security researchers thoroughly examine data poisoning attack models and devise more reliable and effective detection methods accordingly. In particular, data poisoning attacks can be realistic in an adversarial situation where we retrain a DL model with a new dataset obtained from an external source during transfer learning. By this motivation, we propose a novel defense method that partitions and inspects the new dataset and then removes malicious sub-datasets. Specifically, our proposed method first divides a new dataset into n sub-datasets either evenly or randomly, inspects them by using the clean DL model as a poisoned dataset detector, and finally removes malicious sub-datasets classified by the detector. For partition and inspection, we design two dynamic defensive algorithms: the Sequential Partitioning and Inspection Algorithm (SPIA) and the Randomized Partitioning and Inspection Algorithm (RPIA). With this approach, a resulting cleaned dataset can be used reliably for retraining a DL model. In addition, we conducted two experiments in the Python and DL environment to show that our proposed methods effectively defend against two data poisoning attack models (concentrated poisoning attacks and random poisoning attacks) in terms of various evaluation metrics such as removed poison rate (RPR), attack success rate (ASR), and classification accuracy (ACC). Specifically, the SPIA completely removed all poisoned data under concentrated poisoning attacks in both Python and DL environments. In addition, the RPIA removed up to 91.1% and 99.1% of poisoned data under random poisoning attacks in Python and DL environments, respectively.

1. Introduction

With the rapid advancement of Artificial Intelligence (AI) and computing technologies, deep learning (DL) has demonstrated exceptional performance in various fields, including image classification [1], speech recognition [2], natural language processing [3], and fault detection [4]. However, many studies have shown that DL models are vulnerable to adversarial attacks that can severely compromise their reliability and performance [5,6,7,8,9]. Therefore, it is essential to design and construct robust DL models in the presence of adversarial attacks.

Adversarial attacks are typically categorized into evasion attacks or poisoning attacks [10]. In particular, poisoning attacks involve deliberately introducing malicious data into the training dataset to corrupt the DL model’s integrity, degrade its performance, and induce misclassification [11]. While evasion attacks are performed at the inference phase of a DL model, poisoning attacks are conducted at the training phase of a DL model, especially during transfer learning in which a new training dataset is collected from external untrustful sources [12].

Meanwhile, existing defense methods against poisoning attacks can be categorized into the following three approaches [13]. First, data aggregation integrates data from multiple sources to enhance the reliability of collected data and mitigate the impact of poisoned data through various techniques such as majority voting, weighted averaging, and outlier removal [14,15,16,17,18]. Second, data augmentation dilutes the effect of poisoned data by employing various augmentation methods such as Mixup, CutMix, and Dilution [19,20,21,22]. Third, data sanitization removes the poisoned data included in a new dataset by using outlier detection, data complexity values, influence function, etc. [23,24,25,26,27,28,29,30,31,32,33,34].

Existing representative sanitization methods have the following limitations [25,26,29,30]. First, sub-sampling approach-based methods reduce the number of poisoned samples through sub-sampling data from the transferred dataset and thus enhance the model robustness [25,26]. However, randomly reducing the dataset through sub-sampling poses the risk of removing critical, valuable information that should be considered to improve a model. In addition, this may lead to insufficient data for the model to learn from effectively, resulting in degraded performance. Next, partition and removal approach-based methods focus on improving the model accuracy by dividing a dataset into sub-datasets, using them separately for model training, and removing abnormal sub-datasets that significantly degrade the model accuracy [29,30]. However, this approach focuses on the model accuracy and thus misses the chance of detecting and capturing poisoned data, which also requires repeated training and evaluation for each sub-dataset, which leads to high computation complexity. Section 2.4 further analyzes these limitations and provides detailed discussions and illustrative examples.

In this paper, we study advancing the data sanitization approach. Specifically, we propose a novel data sanitization method based on dynamic dataset partitioning and inspection. The proposed method works in the following three steps. In step 1 (data partition), an input dataset is partitioned into multiple sub-datasets in sequential or randomized ways. In step 2 (sub-dataset inspection and removal), each sub-dataset is inspected by a poisoned model detector and removed when classified as poisoned. In step 3 (clean dataset generation), after removing poisoned sub-datasets, a refined dataset is generated and then used for transfer learning. In this study, to make our research problem simple and clear, we assume that a pre-trained model is not poisoned so that we can use it as a poisoning attack detector in step 2.

The main contributions of this study can be summarized as follows:

• We proposed a novel data sanitization method based on dynamic partitioning and inspection to defend against data poisoning attacks on deep learning (DL) models. Considering two data poisoning attack strategies (concentrated poisoning attacks and random poisoning attacks) [13,35,36], we design and implement two partition and inspection algorithms such as the Sequential Partitioning and Inspection Algorithm (SPIA) and the Randomized Partitioning and Inspection Algorithm (RPIA).
• We conducted two kinds of experiments in the Python environment (Experiment 1) and DL environment (Experiment 2) to validate and evaluate the defensive performance of our two proposed methods under concentrated poisoning attacks and random poisoning attacks. According to our experimental results, the SPIA completely removed all poisoned data under concentrated poisoning attacks in both Python and DL environments. In addition, the RPIA removed up to 91.1% and 99.1% of poisoned data under random poisoning attacks in Python and DL environments, respectively.

The rest of this paper is organized as follows. In Section 2, we overview the background knowledge and related studies. In Section 3, we design our proposed methods based on dynamic dataset partitioning and inspection. In Section 4, we conduct two experiments and then analyze the results. Finally, we conclude with our future research directions in Section 5.

2. Background and Related Works

2.1. Adversarial Attacks

Adversarial attacks (also known as adversarial machine learning) aim to disrupt the reliability and accuracy of AI models. These attacks exploit vulnerabilities in machine learning algorithms and can significantly impact the model’s output.

According to Vorobeychik et al. [37], adversarial attack methods can be classified based on the attack timing, the amount of information the attacker possesses about the model, and the attack’s objective (see

Table 1. The three dimensions of attacks on machine learning [37].

Attack Characteristic	Attack Type
Attack Timing	Decision time (evasion attack) vs. training time (poisoning attack)
Attacker Information	White-box attacks vs. black-box attacks
Attack Goals	Targeted attacks vs. reliability attacks

). This classification helps in understanding the attack methods and analyzing their risks, which are discussed below.

First, based on the attack timing, adversarial attacks can be divided into decision-time attacks on algorithms and training-time attacks on models (see Figure 1) [38,39,40]. Specifically, decision-time attacks (also known as evasion attacks) are performed after the model has been trained. These attacks intentionally manipulate input samples by adding perturbation to induce misclassification by the model. Altered inputs are known as adversarial examples. On the other hand, training-time attacks involve deliberately manipulating the training data before the model is trained. These attacks are referred to as poisoning attacks.

Second, based on the attack information, adversarial attacks can be categorized into white-box attacks and black-box attacks [36,40,41]. White-box attacks occur when the attacker has full knowledge of the model’s internal structure (such as algorithms and weights) and training data, allowing for the effective exploitation of specific vulnerabilities. In contrast, black-box attacks occur when the attacker has little or no information about the model. In such cases, the attacker collects data by querying the target model and then builds a pseudo model for further analysis to carry out the attack.

Last, based on the attack’s objective, adversarial attacks can be divided into targeted attacks and reliability attacks [35,36]. Targeted attacks aim to make the model misclassify a specific class i as class j where j ≠ i. Meanwhile, reliability attacks degrade the overall classification accuracy of the model, thereby undermining the model’s reliability.

2.2. Poisoning Attacks on Deep Learning Models

We further explain the poisoning attacks on which we focus in this study. Poisoning attacks are designed to significantly break or degrade the performance of DL models, which modify the training data maliciously to mislead the model into incorrect classifications to ultimately undermine its reliability and accuracy. Poisoning attacks are categorized into three dimensions: attack objectives, execution methods, and the distribution of poisoned data.

First, based on their objectives, poisoning attacks can be categorized into two types: availability attacks (also known as reliability attacks) and targeted attacks [13,35]. Availability attacks aim to degrade the overall performance of a model by inserting maliciously crafted data into the training dataset. The primary objective of availability attacks is to maximize the model’s test loss, weakening its generalization capabilities. These attacks cause a DL model to produce inaccurate or unstable predictions across all input data, significantly undermining its reliability and robustness. For example, in an autonomous vehicle’s traffic sign recognition system, an availability attack prevents the model’s ability to identify traffic signs by poisoned data or adversarial perturbations, potentially resulting in dangerous driving decisions and undermining the system’s reliability [7]. In contrast, targeted attacks focus on causing the misclassification of specific instances according to the attacker’s intention. This is achieved by injecting deliberately manipulated data into the training dataset, ensuring that the instances of a particular class are misclassified as a different, incorrect class. For example, in a spam filtering system, the targeted attack manipulates the model to prevent blocking emails containing specific content from being flagged as spam. Unlike general poisoning attacks, targeted attacks achieve specific objectives without significantly degrading the overall performance of the model [42].

Second, based on the execution method, poisoning attacks can also be classified into dirty-label attacks and clean-label attacks [42]. In dirty-label attacks, the attacker intentionally modifies the labels of training data to mislead the model during the training phase. This approach requires the attacker to have explicit authority to alter the labels of the training data. The mislabeled data distort the model training process, causing the model to fail in correctly classifying specific instances. On the other hand, clean-label attacks manipulate the data features while leaving the training data labels unchanged. By altering the features, the attacker induces the model to learn incorrect patterns during training. These attacks often exploit data collection processes. For example, an attacker could upload manipulated images to a website, which are then collected by a web crawler and included in the training dataset. This occurs frequently during transfer learning [43]. Clean-label attacks are particularly effective as they can corrupt the classification results of specific target instances without significantly degrading the model’s overall performance.

Third, based on the distribution of contaminated data in the dataset, poisoning attacks can be categorized into concentrated poisoning attacks and random poisoning attacks [44]. In concentrated poisoning attacks, the attacker poisons data samples in a specific dataset region. In particular, this concentrated strategy is effective in targeting some classes when they are located densely in a certain region. Meanwhile, random poisoning attacks randomly distribute malicious data across the dataset. This random strategy degrades the overall performance of the model and is thus typically used to implement availability attacks.

2.3. Defense Approach Against Poisoning Attacks

Defenses against poisoning attacks can be categorized into three main approaches: data aggregation, data augmentation, and data sanitization. The details of each approach are as follows [13].

Data aggregation mitigates the impact of adversarial data by collecting and combining data from various sources and thus improves the overall reliability of a dataset [14]. Various methods, such as majority voting [15] and weighted averaging [16] are used for the data aggregation approach. In addition, to address the zero-trust concept that no source can be entirely trustful, truth discovery algorithms have been introduced to verify the authenticity of the collected data [18]. Specifically, these algorithms evaluate the reliability of individual contributors, estimate the trustworthiness of data sources, and infer the true values by applying these reliability assessments.

Data augmentation dilutes the effect of poisoned data by employing various augmentation methods. Borgnia et al. [19] used data augmentation methods such as Mixup [20] and CutMix [21] to reduce the success rate of poisoning attacks while maintaining model accuracy. Mixup generates augmented samples through the linear interpolation of input data and corresponding labels, promoting improved generalization and robustness to adversarial examples, while CutMix enhances training efficiency, generalization, and localization by replacing patches of one image with those from another and proportionally mixing their labels. In addition, Park et al. [22] proposed the dilution-based defense method as a data augmentation approach, which mitigates the impact of poisoning attacks by incorporating additional clean data into the training dataset. This method effectively reduces the proportion of contaminated data and enhances the classification accuracy of deep learning models.

Data sanitization focuses on identifying and removing abnormal data that significantly differ from normal data distributions before training the model [23,24]. By training on datasets with reduced or eliminated poisoned data, models can effectively counter poisoning attacks. However, since there is a risk of misclassifying clean data as malicious, leading to information loss, it is critical to design methods that achieve a high removal rate of poisoned data while minimizing false positives. Representative studies on data sanitization techniques are discussed in detail in Section 2.4.

2.4. Existing Methods Using Data Sanitization Approach

There are two representative data sanitization approaches against data poisoning attacks: Sub-sampling approach [25,26,27,28] and partition and removal approach [29,30,31,32,33,34].

First, sub-sampling approach-based methods reduce the number of poisoned samples by sub-sampling data from the transferred dataset and thus enhance the model robustness [26]. Li et al. [25] proposed sub-sampling by designing a rating matrix sampling method to identify poisoning data. This involves sampling differences from the original matrix and calculating the distance of rating vectors to locate malicious data. Yang et al. [27] identified poisoned data by isolating examples with significantly different gradients during training. In this study, sub-sampling involves iteratively dropping data points from low-density gradient regions using medoid clustering. Poudel et al. [28] proposed optimal sub-sampling by prioritizing data points based on their importance and informativeness, aiming to enhance robustness and interpretability in collaborative filtering systems. Thus, data sub-sampling involves randomly selecting a subset of the dataset rather than using the entire dataset for training. This method aims to reduce memory usage and computational costs, making it efficient for large-scale data environments. However, while advantageous in minimizing computational overhead, randomly reducing the dataset through sub-sampling poses the risk of removing critical, valuable information that should be considered to improve a model. In addition, this may lead to insufficient data for the model to learn from effectively, resulting in degraded performance.

Next, partition and removal approach-based methods focus on improving the model accuracy by dividing a dataset into sub-datasets, using them separately for model training, and removing abnormal sub-datasets that significantly degrade the model accuracy [29,30,31,32,33,34]. As a representative method in this approach, RONI [29] evaluates the impact of each subset on the model’s performance to detect and remove poisoned data. Specifically, this method divides the dataset into several subsets, compares the model’s performance with and without each subset, and removes subsets that significantly degrade the model performance. In addition, P. P. Chan et al. [30] proposed an improved data sanitization method based on a metric called data complexity that distinguishes between poisoned data and clean data. However, this approach focuses on the model accuracy and thus misses the chance of detecting and capturing poisoned data, and it also requires repeated training and evaluation for each sub-dataset, which leads to high computation complexity.

In addition to the above studies, we briefly overview a couple of recent related works as follows. P. P. Chan et al. [31] proposed the L2 defense as a data preprocessing method to counter poisoning attacks. This method primarily analyzes the statistical properties of the dataset to identify data points that deviate significantly from the overall distribution as outliers. These outliers are removed or ignored to minimize their impact on model training. Ho et al. [32] addressed clean-label attacks in malware detection systems using a nested training approach. This method involves iteratively augmenting the training dataset based on consensus among multiple classifiers. As a result, poisoned samples are detected by monitoring error rate changes during classifier agreement checks. Seetharaman et al. [33] introduced a defensive method combining the Slab defense and influence function. The Slab defense projects data points onto a line defined by the distances between class centroids to remove abnormally distributed data points and sanitize the training dataset. The influence function quantifies the impact of specific data points on model performance when they are added or removed from the training dataset. This combined approach further refines the dataset to improve its robustness against poisoning attacks by identifying and mitigating the effects of high-impact data points. Biggio et al. [34] proposed gradient ascent optimization to identify and mitigate poisoned data by analyzing the influence of samples on the SVM decision boundary. Poisoned samples are iteratively removed based on their contribution to increased validation errors.

In this study, we study advancing the data sanitization approach. Specifically, we propose a novel data sanitization method based on dynamic dataset partitioning and inspection. Our dynamic partition strategies effectively remove poisoned data from a new dataset for transfer learning. We explain our defense idea and method in Section 3.

3. Proposed Defense Method

3.1. Basic Idea and Working Steps

To explain the basic idea of our method, we consider a transfer learning scenario where a new training dataset is collected or provided from an outer source. In this case, a part of the incoming dataset is poisoned maliciously.

To defend against poisoning attacks, we propose a novel data sanitization method based on dynamic partition and inspection given a new dataset as follows (see Figure 2). Let us assume that a victim has a DL model M_t1 from training on a clean dataset D_c. To improve the performance of M_t1, the victim collects a new dataset D_t for transfer learning. However, an attacker pre-emptively injects poisoned data D_p into D_t to achieve specific attack objectives, such as degrading reliability or inducing misclassification. Meanwhile, the proposed method mitigates this threat by partitioning and inspecting the poisoned dataset D_t to identify and remove poisoned data. Thus, this defense process yields a cleaner dataset D_u with a zero or significantly reduced poison rate. Consequently, the victim can train the model using D_u to construct a more robust and reliable model M_t2, thereby mitigating the impact of poisoning attacks during transfer learning.

The proposed method operates in the following three steps:

• Step 1 (data partition): The dataset D_t is divided into n sub-datasets; we call this n-way partition. When D_t is partitioned into n sub-datasets, ${\mathrm{D}}_{\mathrm{t}}={{\displaystyle \sum }}_{\mathrm{k}=1}^{\mathrm{n}}{\mathrm{D}}_{\mathrm{tk}}$. For example, when n = 1, D_t is treated as a single sub-dataset without partitioning, and when n = 2 (i.e., 2-way partition), the dataset is divided into two sub-datasets such that D_t = D_t1 ∪ D_t2. For partitioning D_t into n sub-datasets, we propose two partitioning approaches: sequential partitioning and random partitioning. We will explain in more detail in Section 3.2.2.

• Step 2 (sub-dataset inspection and removal): Each sub-dataset is inspected by using the existing model M_t1 as a poisoned model detector. Thus, our method evaluates the accuracy of each sub-dataset given a test dataset. If the measured accuracy is lower than a predefined threshold, the corresponding sub-dataset is considered harmful and thus discarded. Unlike the existing approach [29], this process is performed proactively before conducting transfer learning.

• Step 3 (clean dataset generation): After completing step 2, all non-removed sub-datasets are concatenated to form the dataset D_u. As a result, D_u is used for transfer learning to create a model M_t2. The transfer-learned model M_t2 is more resilient to the effects of poisoned data, thereby preventing performance degradation caused by poisoning attacks and maintaining stability.

3.2. Design

3.2.1. Motivation of n-Way Partition and Inspection

In this section, we explain the necessity of dividing the dataset into n sub-datasets for inspection in our proposed method.

First, we justify the necessity of using a partition and inspection approach to increase the possibility of capturing poisoned data in a dataset. As depicted in Figure 3, consider a dataset D_t with 30 data samples (5 poisoned samples and 25 clean samples). Without applying partitioning (left figure), the poison rate of D_t is approximately 16.7% (=5/30). In this case, if we use a detector whose threshold > 17%, then this poisoned dataset will not be removed and thus used for transfer learning. On the other hand, when the 2-way partition and inspection method is applied (right figure), the poison rate in the left region grows to 33% (=5/15), allowing M_t1 to detect and remove it. As a result, using the final dataset D_u for transfer learning can achieve a zero poison rate. While this partition and inspection method effectively eliminates poisoned data, it will also remove some benign data samples in the detected sub-dataset.

Next, we discuss the necessity of using various partitioning approaches. Consider the dataset D_t as shown in Figure 4. In this case, when we use the detection threshold of 20%, the 2-way partition and inspection fails to remove poisoned data because the poison rates (=13%) in both regions are lower than the threshold. However, when we apply the 4-way partition and inspection method, the dataset is divided into four partitions (region 1, 2, 3, and 4). As a result, the poison rates of region 2 and region 3 will grow to 26.7%. Therefore, the poisoned regions 2 and 3 will be detected and eliminated. This example clearly demonstrates that if the distribution of poisoned data are unknown, using multiple partitioning strategies can effectively improve the possibility of capturing and removing poisoned date samples from the dataset.

3.2.2. Two Partition and Inspection Algorithms: SPIA and RPIA

We designed the following two defense methods (SPIA and RPIA) to address the two types of poisoning attack strategies (concentrated poisoning attacks and random poisoning attacks) introduced in Section 2.2.

• Sequential partition and inspection algorithm (SPIA)

In the case of concentrated poisoning attacks where poisoned data are concentrated within specific regions of the dataset, the Sequential Partitioning and Inspection Algorithm (SPIA) can effectively identify and remove such poisoned data.

Figure 5 illustrates an example of a dataset affected by a concentrated poisoning attack where the black dots represent benign data and the red dots indicate poisoned data. All poisoned data are located at the beginning of the dataset according to the attacker’s strategy. Our SPIA sequentially divides the dataset into 16 sub-sections, and since the poison rate of the first four sub-sections is 100%, all poisoned data can be removed (see the red box in Figure 5). Meanwhile, the remaining 12 sub-sections are not removed and then used for transfer learning.

Algorithm 1 describes the working steps of the SPIA. The SPIA takes as input the model M_t1, which is pre-trained based on the clean dataset D_c, the dataset D_t for transfer learning, the detection threshold δ, and the number of partitions n. In the initial step (line 2), the algorithm calculates the base size for partitioning the dataset D_t of size m into n partitions; the floor function is used to determine the size of each partition. Following this, line 3 calculates m mod n to distinguish between r partitions and (n-r) partitions. Lines 4–6 initialize the variables necessary for partitioning. The loop in lines 7–16 generates r partitions of size q + 1 and (n-r) partitions of size q, which operate in O(n) in terms of algorithmic time complexity. The dataset D_t is sequentially divided based on the calculated partition sizes and numbers. Lines 17–21 evaluate each partition’s accuracy using the pre-trained model M_t1. If a partition’s accuracy meets the threshold defined as the difference between M_t1’s accuracy and δ, it is included in D_u. Otherwise, it is discarded. Finally, the refined dataset D_u is used to perform transfer learning, creating a new model M_t2 that minimizes the influence of incoming poisoned data and results in a more robust model.

Algorithm 1: Sequential Partition and Inspection Algorithm (SPIA)
Input: Mt1: a model pre-trained on a clean dataset Dc Dt: a new dataset of size m from an outer source δ: detection threshold n: the number of partitions
Output: Du: a cleaned dataset after inspection
1	load model Mt1, Dt
2	$q={\displaystyle \frac{m}{n}}$ # the base size of each dataset with floor function $\lfloor a\rfloor$
3	r = m mod n
4	Du = [ ]
5	Partitions ← [ ] # List to store the split datasets
6	index ← 0 # Starting index for splitting
7	for i = 1 to r do
8		Partition ← D[index: index + q + 1] # Create a partition of size (q + 1)
9		Partitions.APPEND(Partition)
10		index ← index + q + 1
11	end for
12	for i = r + 1 to n do
13		Partition ← D[index: index + q ] # Create a partition of size q
14		Partitions.APPEND(Partition)
15		index ← index + q
16	end for
17	for each Partition in Partitions do # Evaluate each partition
18		if accuracy(partition, Mt1) $\ge$ (Mt1.accuracy $-$ δ) then
19			Du ← Du + Partition
20		end if
21	end for
22	Return Du

2.

Random partition and inspection algorithm (RPIA)

In the case of random poisoning attacks where poisoned data are distributed randomly across the dataset, the detection performance of the SPIA is limited since the SPIA cannot capture the randomness of the attack. Instead, we propose the Randomized Partitioning and Inspection Algorithm (RPIA) to defend against the random poisoning attacks (see Algorithm 2).

With our randomized partitioning approach, some sub-datasets are more likely to contain more poisoned data due to the random distribution. This increases the chances of detecting and removing poisoned data from specific sub-datasets, making it an effective strategy for addressing random poisoning attacks. Figure 6 illustrates an example of a dataset poisoned by a random poisoning attack. The black dots represent benign data, while the red dots indicate poisoned data distributed throughout the dataset to degrade overall model performance. Unlike the SPIA, our RPIA randomly divides the dataset into 16 sub-sections and then examines each sub-section. If the accuracy of a sub-section is lower than a detection threshold, then that sub-section is removed (see the red regions in Figure 6). Meanwhile, the remaining 12 sub-sections are not removed and then used for transfer learning.

The RPIA (Algorithm 2), in contrast to the SPIA, randomly partitions the data and repeats this process multiple times to detect and remove poisoned data. Algorithm 2 describes the working steps of the RPIA. The RPIA takes as input the pre-trained model M_t1, trained on a clean dataset D_c, the dataset D_t for transfer learning, the detection threshold δ, the number of partitions n, and the number of iterations k. In line 2, the dataset D_t is randomly divided into n partitions, and this process is repeated k times, resulting in a time complexity of O(k $\times$ n). Lines 7–14 create r partitions of size q + 1 and (n-r) partitions of size q, with each partition sampled randomly from D_t. Lines 15–19 evaluate the accuracy of each partition using the model M_t1. Partitions that do not satisfy the threshold, defined as M_t1’s accuracy reduced by δ, are excluded from further partitioning. After k iterations, the remaining data from the final refined dataset D_u (Line 21) are used for transfer learning to create a model that minimizes the impact of poisoned data.

Algorithm 2: Randomized Partition and Inspection Algorithm (RPIA)
Input: Mt1: a model pre-trained on a clean dataset Dc Dt: a new dataset of size m from an outer source δ: detection threshold n: the number of partitions k: the number of inspection iterations
Output: Du: a cleaned dataset after inspection
1	load model Mt1, Dt
2	for iteration = 1 to k do
3		Partitions ← [ ] # List to store the split datasets
4		m ← size of Dt
5		$q={\displaystyle \frac{m}{n}}$ # the base size of each dataset with floor function $\lfloor a\rfloor$
6		r = m mod n
7		for i = 1 to r do
8			Partition ← randomly select a subset of size (q + 1) from Dt
9			Partitions.APPEND(Partition)
10		end for
11		for i = r + 1 to n do
12			Partition ← randomly select a subset of size q from Dt
13			Partitions.APPEND(Partition)
14		end for
15		for each Partiton in Partitions do
16			if accuracy(partition, Mt1) < (Mt1.accuracy $-$ δ) then
17				Dt ← Dt $-$ Partiton
18			end if
19		end for
20	end for
21	Du ← Dt
21	Return Du

In sum, the SPIA is more effective when the distribution of poisoned data are concentrated in a certain area. In contrast, the RPIA is anticipated to perform better when the distribution of poisoned data is irregular and random. The rationale for considering various poisoning attacks and partitioning methods lies in the defender’s inability to predict the distribution of poisoned data in advance. Under such uncertainty, selecting the optimal partitioning method is crucial for effectively mitigating the impact of poisoning attacks.

4. Experiments

In this section, we conduct two experiments to validate and evaluate the performance of our proposed methods.

• Experiment 1: Performance evaluation using Python simulation
• Experiment 2: Performance evaluation using DL model training

4.1. Experiment 1: Performance Evaluation Using Python Simulation

4.1.1. Experimental Setup and Procedure

The purpose of Experiment 1 is to validate the effectiveness of the proposed method through Python simulations. To this end, four performance metrics are used as follows.

• Removed poison rate (RPR): RPR represents the ratio (%) of successfully removed poisoned data to all poisoned data after applying the defense method. A higher RPR indicates more effective removal of poisoned data. RPR is the most important metric for evaluating the performance of the defense method.
• Attack success rate (ASR): ASR measures the success rate of the poisoning attack and is defined as the ratio (%) of non-removed poisoned data to all poisoned data after applying the defense method. Thus, ASR is equal to 100 − RPR. A lower ASR indicates better defense performance.
• Removed benign data rate (RBR): RBR indicates the proportion of benign data falsely removed during the partition and inspection and is defined as the ratio (%) of falsely removed benign data to all benign data. A lower RBR reflects more accurate detection performance.
• Accuracy: Accuracy measures how a DL model correctly predicts given input. Accuracy is calculated as (TP + TN)/(TP + TN + FP + FN) where TP denotes positive samples correctly classified as positive, TN denotes negative samples correctly classified as negative, FP denotes negative samples misclassified as positive, and FN denotes positive samples misclassified as negative. Thus, a higher accuracy indicates a better performance of the DL model. We note that since Experiment 1 is a Python simulation experiment to briefly analyze the partition and inspection performance of our proposed methods and thus DL model training is not conducted, and measuring accuracy is not used. Meanwhile, we use the accuracy metric in Experiment 2.

For the experimental environment, we used Python 3.9 programming language and a desktop PC with an AMD Ryzen 7 1700 CPU and a GeForce RTX 1080Ti GPU with 11 GB of RAM.

The specific experimental setups are as follows.

• Data structure and experimental design: To evaluate the feasibility of the proposed methods, we implemented a Python-based simulation and structured a data pool with integers ranging from 1 to 10,000. For each integer, we determined whether it was correctly detected or misclassified by the detection accuracy (81.34%) of a pre-trained model used in the DL experiment described in Section 4.2.
• Poisoning attack methods: To vary the distribution of poisoned data in a new dataset, we considered two poisoning attacks (concentrated poisoning attacks and random poisoning attacks). For concentrated poisoning attacks, the first 20% of the dataset was designated as poisoned data. In contrast, for random poisoning attacks, we selected and poisoned 20% of the dataset randomly.
• Partition methods for defense: For partition methods, two partition and inspection algorithms (SPIA and RPIA) were used and implemented based on Algorithm 1 and Algorithm 2, respectively. The detection threshold δ was set to 0.2. For the number of partitions n, we used 2, 4, 8, 10, 50, 100, 200, 500, 1000, 2000, 5000, and 10,000. For the RPIA, the number of iterations k was set to 100. The total number of data samples was 10,000.
• Inspection methods for defense: Partitioned datasets were inspected by using a pre-trained DL model M_t1 as a detector. To implement this process in the Python experiment, for data samples of each sub-dataset, we classified them according to the accuracy (81.34%) of a pre-trained model used in the DL experiment in Section 4.2. If the evaluated accuracy of a sub-dataset was lower than a detection threshold of 61.34%, then it was removed. After the inspection and removal processes were completed, the performance metrics were calculated for the refined dataset combining all remaining sub-datasets.

4.1.2. Results and Analysis

We explain our experimental results and findings as follows.

First, under concentrated poisoning attacks, both the SPIA and the RPIA effectively removed poisoned data, and the SPIA showed superior defense performance compared to the RPIA (see

Table 2. Evaluation results of the proposed methods under concentrated poisoning attacks (Python simulation).

Method	Metric	No Defense (n = 1)	n
			2	4	8	10	50	100	200	500	1000	2000	4000	8000	10,000
SPIA	ASR(%)	100	0	0	0	0	0	0	0	0	0	0.5	8.2	3.4	18.7
	RPR(%)	0	100	100	100	100	100	100	100	100	100	99.5	91.8	96.6	81.3
	RBR(%)	0	37.5	6.3	6.3	0	0	0	0	1.3	9.3	23.1	22.1	22.5	18.7
RPIA	ASR(%)	100	100	100	100	100	61.8	32.6	19.2	10.8	9.2	10.4	13.2	16.1	18.7
	RPR(%)	0	0	0	0	0	38.2	67.4	80.8	89.2	90.8	89.6	86.8	83.9	81.3
	RBR(%)	0	0	0	0	0	30.4	50.3	60.7	62.6	60.2	55.9	40.5	28.5	18.7

, Figure 7). Specifically, when applying the SPIA (from n = 2 to n = 1000), all poisoned data were successfully removed (RPR = 100 and ASR = 0) as indicated in the green cells in Table 2. The best performance of the SPIA was observed when the partition size n = 10, 50, 100, and 200 (see the yellow cells in Table 2), where all poisoned data were eliminated (RPR = 100 and ASR = 0) while preserving all benign data (RBR = 0). For comparison, the baseline performance without any defense method showed ASR = 100, RPR = 0, and RBR = 0 (see the gray cells in Table 2). These results demonstrated that our SPIA can completely remove contaminated data samples concentrated in the first 20% of the dataset manipulated by the concentrated poisoning attack. For example, at n = 1000, the RPR was 100%. In this case, 1000 sub-datasets with 10 samples were created and the first 200 sub-datasets were completely removed. However, unlike when n < 2000, when n ≥ 2000, the RPR ranges from 81.3 to 99.5, which is not 100% because there is a chance that the accuracy of sub-datasets can be lower than a poisoned detection threshold due to the size of samples in sub-datasets being relatively low and the detector’s false classification. On the other hand, the RPIA achieved its best defense performance at n = 1000 (see the blue cells in Table 2) by removing up to 90.8% of the poisoned data (RPR = 90.8 and ASR = 9.2). However, it also removed 60.2% of the benign data (RBR = 60.2).

Second, under random poisoning attacks, both the SPIA and the RPIA effectively removed poisoned data, and the RPIA showed better defense performance than SPIA (see

Table 3. Evaluation results of the proposed methods under random poisoning attacks (Python simulation).

Method	Metric	No Defense (n = 1)	n
			2	4	8	10	50	100	200	500	1000	2000	4000	8000	10,000
SPIA	ASR	100	100	100	100	100	97.8	91.9	86.5	65.5	46.6	28.2	39.2	16.9	18.7
	RPR	0	0	0	0	0	2.2	8.1	13.5	34.5	53.4	71.8	60.8	83.1	81.3
	RBR	0	0	0	0	0	2	6.7	9.8	24.9	35.4	44.9	28.2	29.3	18.7
RPIA	ASR	100	100	100	100	100	61.1	32.2	17.9	11	8.9	11	13.2	16.5	18.7
	RPR	0	0	0	0	0	38.9	67.8	82.1	89	91.1	89	86.8	83.5	81.3
	RBR	0	0	0	0	0	31.9	51.5	61.9	61.9	59	54.7	40.8	29.3	18.7

, Figure 8). The best defense performance of the SPIA was observed at n = 8000 (see the yellow cells in Table 3) where 83.1% of the poisoned data were removed (RPR = 83.1), limiting the attack success rate to 16.9% (ASR = 16.9). However, the RBR was 29.3%. These results indicate that the SPIA was less effective in removing randomly distributed poisoned data under random poisoning attacks. In contrast, the RPIA achieved its highest defense performance at n = 1000 (see the blue cells in Table 3) where it removed 91.1% of the poisoned data (RPR = 91.1), reducing the attack success rate to 8.9% (ASR = 8.9). The RPIA’s superior defense performance against random poisoning attacks can be attributed to random partition and iterative inspections. Thus, grouping sub-datasets iteratively and randomly during the partitioning process increased the chance of capturing many poisoned samples in a section. However, the RBR was 59%, which indicates a significant removal of benign data, and it can negatively affect the accuracy of a DL model.

4.2. Experiment 2: Performance Evaluation Using DL Model Training

4.2.1. Setup and Procedure

The objective of Experiment 2 is to evaluate the performance of our proposed methods during the transfer learning of a DL model. To this end, we use all four evaluation metrics including accuracy, introduced in Section 4.1.1.

For DL training and testing experiments, we used the Anaconda integrated development environment with the TensorFlow 2.10 deep learning library running on Python 3.9.

The specific experimental setups are as follows.

• Target DL model: The target deep learning model used in this experiment is ResNet18, which is pre-trained on the CIFAR-10 dataset [45]. ResNet18 is a convolutional neural network (CNN) model based on residual blocks. A DL model trained with ResNet18 and CIFAR-10 can be used for developing applications based on computer vision tasks such as object recognition and image classification. It consists of 18 layers and approximately 11.1 million parameters. The CIFAR-10 dataset comprises 60,000 image samples (size: 32 × 32 pixels, the number of classes: 10), representing various objects such as birds, frogs, and airplanes (see Figure 9). For the experiments, an initial clean dataset D_c was created using 30,000 training images and 6000 test images from CIFAR-10. During transfer learning, an additional dataset D_t was used, which consists of 10,000 training images and 2000 test images.
• Poisoning attack methods: With a poison rate of 20%, we poisoned 2000 out of 10,000 samples in the dataset such that the labels of the poisoned data were flipped (dirty-label attack) and the poisoned data were distributed by using concentrated poisoning attacks and random poisoning attacks. For concentrated poisoning attacks, the goal was to target specific classes (class 0 and class 1); to this end, the entire dataset was sorted by class order, and then we manipulated the labels of the first 2000 samples randomly. Random poisoning attacks are used to degrade the model’s reliability. In this case, 2000 poisoned samples were randomly distributed across all classes such that 200 poisoned samples were allocated to each class. The resulting poisoned dataset D_p was incorporated into the transfer learning dataset D_t.
• Training and test dataset for performance evaluation: To evaluate the performance of the proposed method, the transfer learning dataset D_t containing 10,000 samples was divided into multiple sub-datasets with varying numbers of partitions based on a logarithmic scale. Each subset was inspected using the pre-trained model M_t1. and removed according to the inspection result. After completing the inspection process, the remaining sub-datasets were used for transfer learning to create the updated model M_t. Finally, the performance of M_t2 was evaluated based on a test dataset consisting of 2000 images and four evaluation metrics.

4.2.2. Experimental Results

We explain and analyze our experimental results as the following two aspects.

First, under concentrated poisoning attacks, both the SPIA and the RPIA effectively removed poisoned data, and they improved the performance of the transfer-learned model compared to the model with no defense method (see

Table 4. Evaluation results of the proposed methods under concentrated poisoning attacks (DL training).

Method	Metric	No Defense (n = 1)	n
			2	4	8	10	50	100	200	500	1000	2000	4000	8000	10,000
SPIA	ACC(%)	67.1	80.7	80.8	80.8	80.7	81.1	81.2	80.7	80.8	80.4	80.8	80.7	80.8	80.5
	ASR(%)	100	0	0	0	0	0	0	0	0	0	0	0	0	1
	RPR(%)	0	100	100	100	100	100	100	100	100	100	100	100	100	99
	RBR(%)	0	37.5	6.3	6.3	12.5	10	7.5	8.1	12	17.5	28.1	22.8	25.3	20.4
RPIA	ACC(%)	67.1	69.1	66.8	68.2	67.3	76.3	71.4	78.9	79.8	80.3	79.6	80.4	80.7	79.8
	ASR(%)	100	100	100	73.6	69.5	19.4	8.2	3.2	1.1	0.6	0.8	0.9	1.3	1.5
	RPR(%)	0	0	0	26.4	30.5	80.6	91.8	96.8	98.9	99.4	99.2	99.1	98.7	98.5
	RBR(%)	0	0	0	22.7	26.2	68.1	74.8	76	71.5	67.4	63.3	44.2	31.6	20.3

, Figure 10). We note that the accuracy of the DL model trained without any defense method was 67.1% (see the gray cells in Table 4). When applying the SPIA, it was possible to completely remove all poisoned data when the number of partitions ranged from n = 2 to n = 8000 (see the green cells in Table 4). Compared to the results in Experiment 1, the range of partitions that successfully removed poisoned data in Experiment 2 was larger because of the difference between classification methodologies (i.e., binary classification in Experiment 1 and multi-class classification in Experiment 2). Due to the nature of multi-class classification, the predictions are more detailed and complex, allowing for the more effective identification of potentially contaminated data. As a result, a higher number of sub-datasets are removed in Experiment 2. The best performance of the SPIA was achieved at n = 100 where all poisoned data were removed (RPR = 100 and ASR = 0). Furthermore, the RBR remained low at 7.5%. Consequently, compared to 67.1% without any defense method, the accuracy (ACC) increased to 81.2% by 14.1 percentage points. In contrast, the best performance of the RPIA was observed at n = 8000 where 98.7% of the poisoned data were removed, resulting in an ACC of 80.7% after transfer learning. Thus, the SPIA showed slightly better performance than the RPIA in defending against concentrated poisoning attacks. Therefore, these results confirm that the proposed method not only effectively removes poisoned data while maintaining a low benign data removal rate but also enhances the accuracy of DL models through transfer learning.

Second, under random poisoning attacks, both the SPIA and the RPIA effectively removed poisoned data and also enhanced the classification performance of the DL model (see

Table 5. Evaluation results of the proposed methods under random poisoning attacks (DL training).

Method	Metric	No Defense (n = 1)	n
			2	4	8	10	50	100	200	500	1000	2000	4000	8000	10,000
SPIA	ACC(%)	67.1	66.8	67.6	67.4	66.2	63.4	64.9	67.6	69	68.3	75.2	75	80.3	80.2
	ASR(%)	100	100	100	100	100	90.6	82.2	68.5	49.1	36.2	20.2	28.3	2.4	2.8
	RPR(%)	0	0	0	0	0	9.4	17.8	31.5	50.9	63.8	79.8	71.7	97.6	97.2
	RBR(%)	0	0	0	0	0	7.7	14.3	22.7	36.5	42.9	50	29.9	29.9	18.4
RPIA	ACC(%)	67.1	68.4	67.6	69.6	69.5	70.5	76.1	76.8	79.5	79.1	76.6	79.9	79.9	79.8
	ASR(%)	100	100	100	100	100	35.9	17.2	7.1	1.6	1.2	0.9	1.2	2.4	2.8
	RPR(%)	0	0	0	0	0	64.1	82.8	92.9	98.4	98.8	99.1	98.8	97.6	97.2
	RBR(%)	0	0	0	0	0	51.1	63.6	68.5	67.4	62.1	59.5	41.9	29.7	18.4

, Figure 11). Compared to Experiment 1, the removal rates of poisoned data increased in both partition methods. Specifically, the best defense performance of the SPIA was observed at n = 8000, where RPR = 97.6 and RBR = 29.9. In addition, the transfer-learned model achieved an ACC of 80.3%, reflecting a 10.9%p improvement compared to the baseline model without any defense method. In contrast, the best defense performance of the RPIA occurred at n = 4000, achieving RPR = 98.8 and RBR = 41.9, with an ACC of 79.9%. This represents a 12.8%p increase compared to the baseline model without any defense method. The RPIA method could remove more than 97% of the poisoned data under random poisoning attacks when n ranges from 500 to 8000 (see the green cells in Table 5).

We now report confusion matrices after testing the best-performing models using no defense method (no sanitization), the SPIA, and the RPIA under concentrated poisoning attacks and random poisoning attacks as shown in Figure 12 and Figure 13, respectively.

First, we examine how the multi-classification results of DL models with no defense, the SPIA, and the RPIA change under concentrated poisoning attacks by using their confusion matrices (see Figure 12). These confusion matrices visualize the evaluation results of the transfer-learned model M_t2 using the test dataset. Figure 12a shows the case of the DL model without any defense method. The red-boxed section indicates the effect of concentrated poisoning attacks. Thus, many data samples whose ground-truth class label is either 0 or 1 are misclassified into other class labels, revealing a low accuracy of approximately 53%. In contrast, Figure 12b,c demonstrate the defense effect of our SPIA and RPIA methods, with classification accuracies for classes 0 and 1 improving to 82.3% and 81.5%. These results highlight a substantial improvement of approximately 30 percentage points regarding the classification accuracy of the targeted classes since our proposed defense methods successfully mitigate the impact of concentrated poisoning attacks.

Next, we explain the case of random poisoning attacks (see Figure 13). Figure 13a shows the confusion matrix of the DL model without any defense method. Unlike the case of concentrated poisoning attacks, the misclassification results are randomly spread over all class labels, and the overall accuracy is 61.7%. In contrast, Figure 13b,c clearly demonstrate the effectiveness of our two defense methods (SPIA and RPIA) with overall accuracies improving to 80.3% and 79.7%.

4.3. Discussion

We explain the main contributions and achievements of our study as follows.

First, unlike previous studies defending targeted attacks and reliability attacks [13,35,36], we newly considered concentrated poisoning attacks and random poisoning attacks, which are categorized based on the distribution of contaminated data in the dataset. To address these attacks, we have devised and implemented two novel dynamic partition and inspection algorithms: the Sequential Partition and Inspection Algorithm (SPIA) and the Randomized Partition and Inspection Algorithm (RPIA).

Second, through experiments, we demonstrated that our two algorithms successfully detect and remove most of the poisoned data samples under both concentrated poisoning attacks and random poisoning attacks. Specifically, we conducted two kinds of experiments in the Python environment (Experiment 1) and the DL environment (Experiment 2) to validate and evaluate the defensive performance of our two proposed methods under concentrated poisoning attacks and random poisoning attacks). According to our experimental results, the SPIA completely removed all poisoned data under concentrated poisoning attacks in both Python and DL environments. In addition, the RPIA removed up to 91.1% and 99.1% of poisoned data under random poisoning attacks in Python and DL environments, respectively.

Third, our defense methods enhanced the classification accuracy of a DL model by effectively inspecting and removing poisoned samples from an incoming new dataset, and thus they improved the reliability and trustworthiness of the transfer learning procedure. Based on the performance evaluation results in Experiment 2 (DL model training), both the SPIA and the RPIA improved the accuracy of a DL model by 14.1% and 13.6% points, respectively, compared to a DL model without using defense methods.

Meanwhile, it is noteworthy to acknowledge and discuss the limitations of our study along with potential ideas and approaches to address them. We intend to address some of these limitations in our future studies, as detailed in Section 5. Each identified limitation can be formulated as a challenging research problem, offering valuable opportunities for exploration by the broader research community.

• Lowering high false-positive rate: While our methods demonstrated effective defense capabilities by successfully removing most of the poisoned data, they also falsely identified a substantial portion of benign data as poisoned. This limitation could adversely impact the utility of new datasets, particularly in transfer learning applications. In general, there exists an inherent trade-off between the preservation of benign data (RBR) and the removal of poisoned data (RPR), making the simultaneous achievement of low RBR and high RPR a particularly challenging problem. A potential solution to address this issue involves integrating a clustering algorithm with a sanitization method. Specifically, poisoned samples could be grouped into distinct clusters, which are subsequently inspected and removed using a reliable sanitization technique.
• Lowering high computation cost: In the random partition and inspection algorithm (RPIA), as the iteration k grows, the computation cost also increases; the time complexity of the RPIA is O(kn) where n is the number of partitions, while the time complexity of the SPIA is O(n). Since a larger k improves the possibility of capturing poisoned data samples in a randomly constructed sub-dataset, it is necessary to optimize the RPIA or devise a mechanism that reduces its computational cost. One potential solution to address the latter is to redesign the RPIA by leveraging the parallel processing approach, which could significantly mitigate the computational burden.
• Finding optimal parameters and mechanisms: This study primarily evaluated the performance of our two algorithms using a fixed detection threshold. The detection threshold was carefully set to 0.2, as preliminary experiments—considering various thresholds such as 0.1 and 0.3 on small datasets—indicated that it provided the best defense performance. However, we did not extensively investigate the identification of optimal thresholds under diverse attack scenarios and conditions. Given the numerous possible combinations of attack scenarios and conditions, determining the optimal detection thresholds in such settings remains a complex and challenging task. Furthermore, exploring alternative partitioning strategies could be a valuable direction for future research. For instance, datasets could be partitioned into multiple heterogeneous sub-datasets of varying sizes or designed to allow overlapping data samples among partitions.
• Defending against various sophisticated attacks and scenarios: This study focuses on two types of data poisoning attack models—concentrated poisoning attacks and random poisoning attacks—employing the dirty-label flipping approach. However, numerous other sophisticated data poisoning attack methods exist. Furthermore, it is expected that novel and increasingly complex attack models will continue to emerge, designed to circumvent the existing defense mechanisms known to adversaries. Consequently, it is essential to assess the performance and limitations of our proposed methods against such advanced attacks under diverse adversarial scenarios. Examples of these include clean-label attacks [42], dirty-label attacks incorporating complex patterns [46], and backdoor attacks leveraging adversarial examples [47].
• Conducting various, comparative empirical studies: This study demonstrates the effectiveness of our proposed methods within an experimental framework utilizing the ResNet18 model and the CIFAR-10 dataset as the target deep learning model. However, numerous deep learning models and architectures exist, such as transformers and recurrent neural networks (RNNs), alongside diverse data types including time series, tabular, text, and video. To comprehensively evaluate the scalability and performance of our methods, it is necessary to experiment with significantly larger datasets. Furthermore, given the variety of existing defense approaches, conducting extensive comparative studies under fair and standardized conditions is essential. Such empirical investigations would not only enable a thorough evaluation of the defense models’ performance but also provide valuable insights to further optimize and advance their development.

5. Conclusions and Future Works

In this study, we proposed a novel dynamic dataset partitioning and inspection framework to defend against data poisoning attacks employing concentrated or random poisoning strategies in adversarial scenarios. These scenarios involve attackers maliciously modifying or injecting poisoned data samples into a new dataset for transfer learning purposes. Specifically, we designed and implemented two defense algorithms: the Sequential Partitioning and Inspection Algorithm (SPIA) and the Randomized Partitioning and Inspection Algorithm (RPIA). These algorithms effectively partition a new dataset into multiple sub-datasets and inspect them to remove poisoned sections. Through comprehensive experiments conducted in Python and deep learning (DL) environments, we demonstrated that the proposed methods effectively defend against two data poisoning attack models—concentrated poisoning attacks and random poisoning attacks—based on evaluation metrics such as removed poison rate (RPR), attack success rate (ASR), and classification accuracy (ACC). Notably, the SPIA successfully removed all poisoned data under concentrated poisoning attacks in both Python and DL environments. Similarly, the RPIA achieved removal rates of up to 91.1% and 99.1% for poisoned data under random poisoning attacks in Python and DL environments, respectively.

Our future research directions are as follows. First, we will further study finding an optimal partitioning method to maximize defense performance and minimize the false removal of benign data under various adversarial scenarios. Second, we will improve our proposed method to effectively defend against other types of sophisticated data poisoning attacks employing clean-label attacks or backdoor attacks. Last, we will investigate the integration of complementary defense approaches, such as data aggregation and data augmentation, with our proposed methods to enhance overall defense performance. Readers can find detailed insights and motivations for these future research directions in Section 4.3 of this paper. We believe this study provides a strong foundation for further advancements in defending against data poisoning attacks in transfer learning and related applications.