Hasil untuk "Toxicology. Poisons"

Saereh Mohammadpour, Thainara Viana, Rosa Freitas et al.

As demand for rare earth elements (REEs) rises and environmental concerns about the extraction of primary resources grow, biological methods for removing these elements have gained significant attention as eco-friendly alternatives. This study assessed the ability of the green macroalga <i>Ulva lactuca</i> to remove europium (Eu) from aqueous solutions, evaluated the cellular partition of this element and investigated the toxicological effects of Eu exposure on its biochemical performance. <i>U. lactuca</i> was exposed to variable concentrations of Eu (ranging from 0.5 to 50 mg/L), and the amount of Eu in both the solution and algal biomass was analyzed after 72 h. The results showed that <i>U. lactuca</i> successfully removed 85 to 95% of Eu at low exposure concentrations (0.5–5.0 mg/L), with removal efficiencies of 75% and 47% at 10 and 50 mg/L, respectively. Europium accumulated in algal biomass in a concentration-dependent manner, reaching up to 22 mg/g dry weight (DW) at 50 mg/L. The distribution of Eu between extracellular and intracellular fractions of <i>U. lactuca</i> demonstrated that at higher concentrations (5.0–50 mg/L), 93–97% of Eu remained bound to the extracellular fraction, whereas intracellular uptake accounted for approximately 20% at the lowest concentration (0.5 mg/L). Biochemical analyses showed significant modulation of antioxidant defenses. Superoxide dismutase activity increased at 10 and 50 mg/L, while catalase and glutathione peroxidase activities were enhanced at lower concentrations (0.5–1.0 mg/L) and inhibited at higher exposures. Lipid peroxidation levels remained similar to controls at most concentrations, with no evidence of severe membrane damage except at the highest Eu level. Overall, the results demonstrate that <i>U. lactuca</i> is an efficient and resilient biological system for Eu removal, combining high sorption capacity with controlled biochemical responses. These findings highlight its potential application in environmentally sustainable remediation strategies for REE-contaminated waters, while also providing insights into Eu toxicity and cellular partitioning mechanisms in marine macroalgae.

Wenbin Wang, Qiwen Ma, Zifan Zhang et al.

Federated learning allows multiple clients to collaboratively train a global model with the assistance of a server. However, its distributed nature makes it susceptible to poisoning attacks, where malicious clients can compromise the global model by sending harmful local model updates to the server. To unlearn an accurate global model from a poisoned one after identifying malicious clients, federated unlearning has been introduced. Yet, current research on federated unlearning has primarily concentrated on its effectiveness and efficiency, overlooking the security challenges it presents. In this work, we bridge the gap via proposing BadUnlearn, the first poisoning attacks targeting federated unlearning. In BadUnlearn, malicious clients send specifically designed local model updates to the server during the unlearning process, aiming to ensure that the resulting unlearned model remains poisoned. To mitigate these threats, we propose UnlearnGuard, a robust federated unlearning framework that is provably robust against both existing poisoning attacks and our BadUnlearn. The core concept of UnlearnGuard is for the server to estimate the clients' local model updates during the unlearning process and employ a filtering strategy to verify the accuracy of these estimations. Theoretically, we prove that the model unlearned through UnlearnGuard closely resembles one obtained by train-from-scratch. Empirically, we show that BadUnlearn can effectively corrupt existing federated unlearning methods, while UnlearnGuard remains secure against poisoning attacks.

Mathias Lundteigen Mohus, Jingyue Li, Zhirong Yang

The widespread adoption of generative models such as Stable Diffusion and ChatGPT has made them increasingly attractive targets for malicious exploitation, particularly through data poisoning. Existing poisoning attacks compromising synthesised data typically either cause broad degradation of generated data or require control over the training process, limiting their applicability in real-world scenarios. In this paper, we introduce a novel data poisoning technique called associative poisoning, which compromises fine-grained features of the generated data without requiring control of the training process. This attack perturbs only the training data to manipulate statistical associations between specific feature pairs in the generated outputs. We provide a formal mathematical formulation of the attack and prove its theoretical feasibility and stealthiness. Empirical evaluations using two state-of-the-art generative models demonstrate that associative poisoning effectively induces or suppresses feature associations while preserving the marginal distributions of the targeted features and maintaining high-quality outputs, thereby evading visual detection. These results suggest that generative systems used in image synthesis, synthetic dataset generation, and natural language processing are susceptible to subtle, stealthy manipulations that compromise their statistical integrity. To address this risk, we examine the limitations of existing defensive strategies and propose a novel countermeasure strategy.

Baolei Zhang, Yuxi Chen, Zhuqing Liu et al.

Large language models (LLMs) have demonstrated impressive natural language processing abilities but face challenges such as hallucination and outdated knowledge. Retrieval-Augmented Generation (RAG) has emerged as a state-of-the-art approach to mitigate these issues. While RAG enhances LLM outputs, it remains vulnerable to poisoning attacks. Recent studies show that injecting poisoned text into the knowledge database can compromise RAG systems, but most existing attacks assume that the attacker can insert a sufficient number of poisoned texts per query to outnumber correct-answer texts in retrieval, an assumption that is often unrealistic. To address this limitation, we propose CorruptRAG, a practical poisoning attack against RAG systems in which the attacker injects only a single poisoned text, enhancing both feasibility and stealth. Extensive experiments conducted on multiple large-scale datasets demonstrate that CorruptRAG achieves higher attack success rates than existing baselines.

Fouad Mohammad

Traditional toxicity studies rely on laboratory animal experimentations to estimate the median lethal dose (LD50) of chemicals such as pesticides and medications. This scientific letter highlights the importance of using artificial intelligence (AI) tools (ChatGPT, Deep Seek and Perplexity) to calculate the LD50 values of diazinon in chicks and cadmium chloride in mice. The data of diazinon and cadmium LD50 experiments in animals were separately presented to each of the three AI tools to estimate LD50 values of both toxicants, which were then compared to those of already published results. By following optimal instructions and providing experimental data, the three AI tools (ChatGPT, Deep Seek and Perplexity) accurately determined the LD50 values of diazinon (6.32 mg/kg, orally) in chicks and cadmium chloride (8.6 mg/kg, intraperitoneally) in mice using the up-and-down method. However, when the AI tools were provided with limited information but the same data, inaccuracies arose in calculating the LD50 values for both diazinon and cadmium. A word of caution is, therefore in place herewith, when AI tools are used for estimation of toxicity output (LD50) that might simulate an in silico approach, even in case of availability of some experimental data, as presented currently in the form of doses used and animal survival and death.

Francesco Villani, Dario Lazzaro, Antonio Emanuele Cinà et al.

Data poisoning attacks on clustering algorithms have received limited attention, with existing methods struggling to scale efficiently as dataset sizes and feature counts increase. These attacks typically require re-clustering the entire dataset multiple times to generate predictions and assess the attacker's objectives, significantly hindering their scalability. This paper addresses these limitations by proposing Sonic, a novel genetic data poisoning attack that leverages incremental and scalable clustering algorithms, e.g., FISHDBC, as surrogates to accelerate poisoning attacks against graph-based and density-based clustering methods, such as HDBSCAN. We empirically demonstrate the effectiveness and efficiency of Sonic in poisoning the target clustering algorithms. We then conduct a comprehensive analysis of the factors affecting the scalability and transferability of poisoning attacks against clustering algorithms, and we conclude by examining the robustness of hyperparameters in our attack strategy Sonic.

Zixuan Zhu, Rui Wang, Cong Zou et al.

Recently, backdoor attacks have posed a serious security threat to the training process of deep neural networks (DNNs). The attacked model behaves normally on benign samples but outputs a specific result when the trigger is present. However, compared with the rocketing progress of backdoor attacks, existing defenses are difficult to deal with these threats effectively or require benign samples to work, which may be unavailable in real scenarios. In this paper, we find that the poisoned samples and benign samples can be distinguished with prediction entropy. This inspires us to propose a novel dual-network training framework: The Victim and The Beneficiary (V&B), which exploits a poisoned model to train a clean model without extra benign samples. Firstly, we sacrifice the Victim network to be a powerful poisoned sample detector by training on suspicious samples. Secondly, we train the Beneficiary network on the credible samples selected by the Victim to inhibit backdoor injection. Thirdly, a semi-supervised suppression strategy is adopted for erasing potential backdoors and improving model performance. Furthermore, to better inhibit missed poisoned samples, we propose a strong data augmentation method, AttentionMix, which works well with our proposed V&B framework. Extensive experiments on two widely used datasets against 6 state-of-the-art attacks demonstrate that our framework is effective in preventing backdoor injection and robust to various attacks while maintaining the performance on benign samples. Our code is available at https://github.com/Zixuan-Zhu/VaB.

Thanh Toan Nguyen, Quoc Viet Hung Nguyen, Thanh Tam Nguyen et al.

Recommender systems have become an integral part of online services to help users locate specific information in a sea of data. However, existing studies show that some recommender systems are vulnerable to poisoning attacks, particularly those that involve learning schemes. A poisoning attack is where an adversary injects carefully crafted data into the process of training a model, with the goal of manipulating the system's final recommendations. Based on recent advancements in artificial intelligence, such attacks have gained importance recently. While numerous countermeasures to poisoning attacks have been developed, they have not yet been systematically linked to the properties of the attacks. Consequently, assessing the respective risks and potential success of mitigation strategies is difficult, if not impossible. This survey aims to fill this gap by primarily focusing on poisoning attacks and their countermeasures. This is in contrast to prior surveys that mainly focus on attacks and their detection methods. Through an exhaustive literature review, we provide a novel taxonomy for poisoning attacks, formalise its dimensions, and accordingly organise 30+ attacks described in the literature. Further, we review 40+ countermeasures to detect and/or prevent poisoning attacks, evaluating their effectiveness against specific types of attacks. This comprehensive survey should serve as a point of reference for protecting recommender systems against poisoning attacks. The article concludes with a discussion on open issues in the field and impactful directions for future research. A rich repository of resources associated with poisoning attacks is available at https://github.com/tamlhp/awesome-recsys-poisoning.

Wenqi Wei, Tiansheng Huang, Zachary Yahn et al.

Data poisoning and leakage risks impede the massive deployment of federated learning in the real world. This chapter reveals the truths and pitfalls of understanding two dominating threats: {\em training data privacy intrusion} and {\em training data poisoning}. We first investigate training data privacy threat and present our observations on when and how training data may be leaked during the course of federated training. One promising defense strategy is to perturb the raw gradient update by adding some controlled randomized noise prior to sharing during each round of federated learning. We discuss the importance of determining the proper amount of randomized noise and the proper location to add such noise for effective mitigation of gradient leakage threats against training data privacy. Then we will review and compare different training data poisoning threats and analyze why and when such data poisoning induced model Trojan attacks may lead to detrimental damage on the performance of the global model. We will categorize and compare representative poisoning attacks and the effectiveness of their mitigation techniques, delivering an in-depth understanding of the negative impact of data poisoning. Finally, we demonstrate the potential of dynamic model perturbation in simultaneously ensuring privacy protection, poisoning resilience, and model performance. The chapter concludes with a discussion on additional risk factors in federated learning, including the negative impact of skewness, data and algorithmic biases, as well as misinformation in training data. Powered by empirical evidence, our analytical study offers some transformative insights into effective privacy protection and security assurance strategies in attack-resilient federated learning.

Wassim Bouaziz, El-Mahdi El-Mhamdi, Nicolas Usunier

Gradient attacks and data poisoning tamper with the training of machine learning algorithms to maliciously alter them and have been proven to be equivalent in convex settings. The extent of harm these attacks can produce in non-convex settings is still to be determined. Gradient attacks can affect far less systems than data poisoning but have been argued to be more harmful since they can be arbitrary, whereas data poisoning reduces the attacker's power to only being able to inject data points to training sets, via e.g. legitimate participation in a collaborative dataset. This raises the question of whether the harm made by gradient attacks can be matched by data poisoning in non-convex settings. In this work, we provide a positive answer in a worst-case scenario and show how data poisoning can mimic a gradient attack to perform an availability attack on (non-convex) neural networks. Through gradient inversion, commonly used to reconstruct data points from actual gradients, we show how reconstructing data points out of malicious gradients can be sufficient to perform a range of attacks. This allows us to show, for the first time, an availability attack on neural networks through data poisoning, that degrades the model's performances to random-level through a minority (as low as 1%) of poisoned points.

Stefano Calzavara, Lorenzo Cazzaro, Massimo Vettori

We present Timber, the first white-box poisoning attack targeting decision trees. Timber is based on a greedy attack strategy that leverages sub-tree retraining to efficiently estimate the damage caused by poisoning a given training instance. The attack relies on a tree annotation procedure, which enables the sorting of training instances so that they are processed in increasing order of the computational cost of sub-tree retraining. This sorting yields a variant of Timber that supports an early stopping criterion, designed to make poisoning attacks more efficient and feasible on larger datasets. We also discuss an extension of Timber to traditional random forest models, which is valuable since decision trees are typically combined into ensembles to improve their predictive power. Our experimental evaluation on public datasets demonstrates that our attacks outperform existing baselines in terms of effectiveness, efficiency, or both. Moreover, we show that two representative defenses can mitigate the effect of our attacks, but fail to effectively thwart them.

Tim Baumgärtner, Yang Gao, Dana Alon et al.

Reinforcement Learning from Human Feedback (RLHF) is a popular method for aligning Language Models (LM) with human values and preferences. RLHF requires a large number of preference pairs as training data, which are often used in both the Supervised Fine-Tuning and Reward Model training and therefore publicly available datasets are commonly used. In this work, we study to what extent a malicious actor can manipulate the LMs generations by poisoning the preferences, i.e., injecting poisonous preference pairs into these datasets and the RLHF training process. We propose strategies to build poisonous preference pairs and test their performance by poisoning two widely used preference datasets. Our results show that preference poisoning is highly effective: injecting a small amount of poisonous data (1-5\% of the original dataset), we can effectively manipulate the LM to generate a target entity in a target sentiment (positive or negative). The findings from our experiments also shed light on strategies to defend against the preference poisoning attack.

Melissa I. Ortiz-Román, Ileska M. Casiano-Muñiz, Felix R. Román-Velázquez

The benzophenone (BP) family, including oxybenzone (BP-3), a prevalent sunscreen ingredient and environmental contaminant, has raised concerns since the year 2005. This study investigated oxybenzone toxicity in zebrafish (<i>Danio rerio</i>) eleutheroembryos and brine shrimp (<i>Artemia salina</i>) nauplii, focusing on the LC₅₀ and developmental impacts. Zebrafish embryos (0.100–1.50 mg/L BP-3, 96 h) and <i>A. salina</i> (0.100–5.00 mg/L BP-3, 48 h) were tested with ultrasound-assisted emulsified liquid-phase microextraction (UA-ELPME) used for zebrafish tissue analysis. HPLC-DAD determined BP-3 concentrations (highest: 0.74 ± 0.13 mg/L). Although no significant zebrafish embryo mortality or hatching changes occurred, developmental effects were evident. Lethal concentrations were determined (<i>A. salina</i> LC₅₀ at 24 h = 3.19 ± 2.02 mg/L; <i>D. rerio</i> embryos LC₅₀ at 24 h = 4.19 ± 3.60 mg/L), with malformations indicating potential teratogenic effects. <i>A. salina</i> displayed intestinal tract alterations and <i>D. rerio</i> embryos exhibited pericardial edema and spinal deformities. These findings highlight oxybenzone’s environmental risks, posing threats to species and ecosystem health.

Ya ZHANG, Shengli YIN, Weihong YANG et al.

BackgroundIntraseasonal variation in acute health effects of extreme heat remains insufficiently investigated. Emergency ambulance calls (EACs) may offer timely insights into the population's health during such extreme heat events. ObjectiveTo analyze intraseasonal variation in the association between extreme heat and hourly EACs during summer in Dezhou City, Shandong Province, China. MethodsWe collected data on all-cause hourly EACs in Dezhou City from 2021 to 2022 and assigned hourly temperature and humidity data (with a spatial resolution of 0.0625° × 0.0625°) to call addresses. Summer in this study was defined as from June to September each year, with June to July considered as early summer and August to September as late summer. Extreme heat was defined as the 99th percentile of the temperature range during the summer. We employed a time-stratified case-crossover design using conditional logistic regression integrating distributed-lag nonlinear models to compare the association between extreme heat and the risk of hourly EACs in both early and late summer periods. ResultsA total of 80389 EACs were recorded in Dezhou City during the study period. The analysis revealed a U-shaped association between hourly ambient temperature and EACs during summer, with the most significant effect observed at lag 0-30 h. Using the optimal temperature of 20.0°C as a reference, the cumulative odds ratio (OR) (lag 0-120 h) for extreme heat was 1.55 (95%CI: 1.40, 1.71) throughout summer. The cumulative effect of extreme heat was higher in late summer (OR=2.38, 95%CI: 1.91, 2.97) than in early summer (OR=1.37, 95%CI: 1.22, 1.54) (P<0.0001). Additionally, individuals aged 60 years and above had a higher risk throughout summer (OR=1.98, 95%CI: 1.70, 2.30) compared to those under 60 years (OR=1.23, 95%CI: 1.06, 1.42) (P<0.0001). ConclusionIntraseasonal variation is observed in the strength of association between extreme heat and hourly EACs during summer in Dezhou City. The higher risk observed in late summer than in early summer indicates that repeated exposures to heat may escalate health risks, and older adults are more vulnerable.

Zahra Ebrahimnezhad, Nafiseh Mahdinezhad, Hamid Beyzaei et al.

Background: Essential oils have been utilized for various purposes throughout history. These aromatic substances have become increasingly popular in alternative medicine, aromatherapy, and personal care products. Objective: In this study, essential oils from the aerial parts of four Allium species and three Brassicaceae members, namely Fortuynia garcinii, Draba verna, and Thlaspi arvense were evaluated for their antioxidant, antibacterial, and antifungal properties. Methods: The radical-scavenging properties were tested using DPPH assay. Antimicrobial activities were examined on nine standard pathogens: three Gram-positive bacteria including Staphylococcus aureus, Bacillus cereus, Streptococcus pyogenes, three Gram-negative bacteria including Escherichia coli, Pseudomonas aeruginosa, Salmonella enterica subsp. enterica and two fungi Aspergillus fumigatus, Fusarium oxysporum as well as the yeast Candida albicans. Results: The IC50 values of antioxidant assay ranged from 124.66 to 155.04 μg/ml. Allium zagricum showed the best antioxidant effects with IC50 of 124.66 μg/ml compared to standard vitamin E (IC50 = 10.40 μg/ml). Similarly, the MIC values of 25-400 μg/ml with Fortuynia garcinii fruits-Zahedan were assessed as the best antimicrobial effects, while they were higher than the MIC values recorded for positive controls (0.06-16 for amikacin and 32-256 for clotrimazole). Conclusion: Essential oils extracted from Allium zagricum and Fortuynia garcinii can be prescribed for the treatment of oxidative stress-related and infectious diseases.

Caroline Carlé, Delphine Boucher, Luisa Morelli et al.

Abstract Background Perinatal exposure to titanium dioxide (TiO2), as a foodborne particle, may influence the intestinal barrier function and the susceptibility to develop inflammatory bowel diseases (IBD) later in life. Here, we investigate the impact of perinatal foodborne TiO2 exposure on the intestinal mucosal function and the susceptibility to develop IBD-associated colitis. Pregnant and lactating mother mice were exposed to TiO2 until pups weaning and the gut microbiota and intestinal barrier function of their offspring was assessed at day 30 post-birth (weaning) and at adult age (50 days). Epigenetic marks was studied by DNA methylation profile measuring the level of 5-methyl-2′-deoxycytosine (5-Me-dC) in DNA from colic epithelial cells. The susceptibility to develop IBD has been monitored using dextran-sulfate sodium (DSS)-induced colitis model. Germ-free mice were used to define whether microbial transfer influence the mucosal homeostasis and subsequent exacerbation of DSS-induced colitis. Results In pregnant and lactating mice, foodborne TiO2 was able to translocate across the host barriers including gut, placenta and mammary gland to reach embryos and pups, respectively. This passage modified the chemical element composition of foetus, and spleen and liver of mothers and their offspring. We showed that perinatal exposure to TiO2 early in life alters the gut microbiota composition, increases the intestinal epithelial permeability and enhances the colonic cytokines and myosin light chain kinase expression. Moreover, perinatal exposure to TiO2 also modifies the abilities of intestinal stem cells to survive, grow and generate a functional epithelium. Maternal TiO2 exposure increases the susceptibility of offspring mice to develop severe DSS-induced colitis later in life. Finally, transfer of TiO2-induced microbiota dysbiosis to pregnant germ-free mice affects the homeostasis of the intestinal mucosal barrier early in life and confers an increased susceptibility to develop colitis in adult offspring. Conclusions Our findings indicate that foodborne TiO2 consumption during the perinatal period has negative long-lasting consequences on the development of the intestinal mucosal barrier toward higher colitis susceptibility. This demonstrates to which extent environmental factors influence the microbial-host interplay and impact the long-term mucosal homeostasis.

Ziqing Yang, Xinlei He, Zheng Li et al.

Recently, the newly emerged multimodal models, which leverage both visual and linguistic modalities to train powerful encoders, have gained increasing attention. However, learning from a large-scale unlabeled dataset also exposes the model to the risk of potential poisoning attacks, whereby the adversary aims to perturb the model's training data to trigger malicious behaviors in it. In contrast to previous work, only poisoning visual modality, in this work, we take the first step to studying poisoning attacks against multimodal models in both visual and linguistic modalities. Specially, we focus on answering two questions: (1) Is the linguistic modality also vulnerable to poisoning attacks? and (2) Which modality is most vulnerable? To answer the two questions, we propose three types of poisoning attacks against multimodal models. Extensive evaluations on different datasets and model architectures show that all three attacks can achieve significant attack performance while maintaining model utility in both visual and linguistic modalities. Furthermore, we observe that the poisoning effect differs between different modalities. To mitigate the attacks, we propose both pre-training and post-training defenses. We empirically show that both defenses can significantly reduce the attack performance while preserving the model's utility.

Wenxiao Wang, Alexander Levine, Soheil Feizi

Data poisoning considers an adversary that distorts the training set of machine learning algorithms for malicious purposes. In this work, we bring to light one conjecture regarding the fundamentals of data poisoning, which we call the Lethal Dose Conjecture. The conjecture states: If $n$ clean training samples are needed for accurate predictions, then in a size-$N$ training set, only $Θ(N/n)$ poisoned samples can be tolerated while ensuring accuracy. Theoretically, we verify this conjecture in multiple cases. We also offer a more general perspective of this conjecture through distribution discrimination. Deep Partition Aggregation (DPA) and its extension, Finite Aggregation (FA) are recent approaches for provable defenses against data poisoning, where they predict through the majority vote of many base models trained from different subsets of training set using a given learner. The conjecture implies that both DPA and FA are (asymptotically) optimal -- if we have the most data-efficient learner, they can turn it into one of the most robust defenses against data poisoning. This outlines a practical approach to developing stronger defenses against poisoning via finding data-efficient learners. Empirically, as a proof of concept, we show that by simply using different data augmentations for base learners, we can respectively double and triple the certified robustness of DPA on CIFAR-10 and GTSRB without sacrificing accuracy.

Jacob Imola, Amrita Roy Chowdhury, Kamalika Chaudhuri

Locally differentially private (LDP) graph analysis allows private analysis on a graph that is distributed across multiple users. However, such computations are vulnerable to data poisoning attacks where an adversary can skew the results by submitting malformed data. In this paper, we formally study the impact of poisoning attacks for graph degree estimation protocols under LDP. We make two key technical contributions. First, we observe LDP makes a protocol more vulnerable to poisoning -- the impact of poisoning is worse when the adversary can directly poison their (noisy) responses, rather than their input data. Second, we observe that graph data is naturally redundant -- every edge is shared between two users. Leveraging this data redundancy, we design robust degree estimation protocols under LDP that can significantly reduce the impact of data poisoning and compute degree estimates with high accuracy. We evaluate our proposed robust degree estimation protocols under poisoning attacks on real-world datasets to demonstrate their efficacy in practice.

Jinyin Chen, Longyuan Zhang, Haibin Zheng et al.

Deep neural networks are susceptible to poisoning attacks by purposely polluted training data with specific triggers. As existing episodes mainly focused on attack success rate with patch-based samples, defense algorithms can easily detect these poisoning samples. We propose DeepPoison, a novel adversarial network of one generator and two discriminators, to address this problem. Specifically, the generator automatically extracts the target class' hidden features and embeds them into benign training samples. One discriminator controls the ratio of the poisoning perturbation. The other discriminator works as the target model to testify the poisoning effects. The novelty of DeepPoison lies in that the generated poisoned training samples are indistinguishable from the benign ones by both defensive methods and manual visual inspection, and even benign test samples can achieve the attack. Extensive experiments have shown that DeepPoison can achieve a state-of-the-art attack success rate, as high as 91.74%, with only 7% poisoned samples on publicly available datasets LFW and CASIA. Furthermore, we have experimented with high-performance defense algorithms such as autodecoder defense and DBSCAN cluster detection and showed the resilience of DeepPoison.