Indirect Targeted Poisoning Attacks

• Indirect targeted poisoning attacks are adversarial methods that subtly modify non-target training data to induce specific model behaviors while maintaining overall utility.
• They employ techniques such as gradient alignment, thought-transfer, and trigger mediation across domains like reinforcement learning, federated learning, and graph neural networks.
• Empirical studies demonstrate high attack success rates with minimal performance loss, underscoring the need for robust, defense-aware training protocols.

Indirect targeted poisoning attacks constitute a distinct class of adversarial data manipulation techniques wherein an adversary seeks to induce highly specific, preselected behaviors in a target machine learning or reasoning system, while making imperceptible or stealthy changes to indirectly associated training examples, context distributions, or auxiliary domains. Unlike direct poisoning—where the malicious instance is closely tied to the attack’s triggering condition or the target behavior—indirect poisoning leverages transfer, graph diffusion, surrogate features, or secondary classes to achieve its effect. This approach has demonstrated efficacy across a wide range of learning paradigms, including reinforcement learning (RL), chain-of-thought neuro-symbolic models, recommender systems, federated learning, and graph neural networks.

1. Formal Definitions and Taxonomy

An indirect targeted poisoning attack is mathematically defined by the dissociation between the manipulated training data (or training-time setup) and the target input/output pairs or behaviors that realize the attack’s objective. Formally, the attacker manipulates a small subset of data $$\mathcal{D}_\text{poison} \subset \mathcal{D}_\text{train}$$—which may not include any instance of the target input or class—so that post-training, the model $f_\theta$ manifests adversary-specified outputs exclusively for target queries, states, nodes, or user-item pairs, while overall utility remains high.

This umbrella category includes several notable variants:

• Gradient-alignment attacks (RL): optimize poisoning perturbation on nominal states/observations to drive learning gradients toward adversarial objectives on distinct target states (Foley et al., 2022).
• Thought-transfer attacks (LLMs): inject reasoning behaviors across tasks by manipulating only the intermediate reasoning traces, not queries or answers (Chaudhari et al., 27 Jan 2026).
• Amplifier-augmented class poisoning (Federated learning): manipulate both (source, target) classes and a rigorously selected set of “amplifier” classes with soft labels, increasing transfer toward the attack direction (Sun et al., 2024).
• Indirect graph node poisoning: manipulate the features of remote nodes, exploiting multi-hop information propagation to subvert the classification of a distant victim (Takahashi, 2020).
• Trigger-mediated attacks in recommenders: promote unpopular target items by manipulating co-occurrence statistics involving separate, easy-to-recommend “trigger” items (Wang et al., 8 Nov 2025).
• Peer policy manipulation (Multi-agent RL): constrain the peer’s policy during joint training to poison the effective environment seen by the victim and induce targeted behavioral adoption (Mohammadi et al., 2023).

2. Methodological Frameworks

Indirect targeted poisoning attacks are instantiated via several highly structured methodologies, characterized by rigorous optimization objectives, careful data/model selection, and explicit separation between poisoning and target behavior.

Optimization Formulations

Optimization problems for indirect poisoning are generally bilevel or constrained:

• Gradient Alignment in RL: The canonical objective is to minimize an “alignment loss” between the training gradient $$\nabla_\theta\mathcal{L}_\text{train}(\mathcal{D}+\Delta\mathcal{D},\theta)$$ and the adversarial target gradient $$\nabla_\theta\mathcal{L}_\text{adv}(\text{target},\theta)$$, with strict $\ell_\infty$ or other norm constraints on $\Delta\mathcal{D}$ (Foley et al., 2022).
• Amplifier Construction in FL: The adversary selects amplifier classes by maximizing gradient and latent feature similarity between these classes and the original attack direction $s\to t$, then assigns soft labels to maximize the alignment of malicious updates (Sun et al., 2024).
• Indirect Node Poisoning: A minimal perturbation is computed via Lagrangian or projected optimization over remote node features, subject to hop-distance and box constraints, and target misclassification margin (Takahashi, 2020).
• Trigger-based Recommender Poisoning: The attacker selects a trigger item maximizing gradient descent efficacy, injecting co-occurrence structure and alternating adversarial (outer) and model-training (inner) updates to transfer popularity from the trigger to the target item (Wang et al., 8 Nov 2025).
• Peer Policy Optimization (Tabular/Parametric RL): Model-based approaches solve constrained convex programs to ensure only the target victim policy is optimal, while minimizing deviation from the default peer. Model-free approaches employ minimax policy updates trading off imitation loss and reward-gap (Mohammadi et al., 2023).

Stealth and Clean-label Constraints

A defining feature is that indirect poisoning often operates under strict stealth requirements:

• No manipulation of target samples/answers: Only intermediate states (CoTs, amplifier classes, neighbors) are touched (Chaudhari et al., 27 Jan 2026, Sun et al., 2024, Takahashi, 2020).
• Low poisoning budgets: Effective attacks are demonstrated with as little as $< 0.005\%$ of training tokens (Bouaziz et al., 17 Jun 2025), $< 1\%$ user accounts (Wang et al., 8 Nov 2025), $1\%$ carrier samples (Chaudhari et al., 27 Jan 2026), or $5\%$ malicious FL clients (Sun et al., 2024).
• No detectable loss in global utility: Attack success is achieved while clean-set metrics and model performance remain unimpaired (Chaudhari et al., 27 Jan 2026, Cotroneo et al., 2023, Wang et al., 8 Nov 2025).

3. Empirical Results and Efficacy

Empirical evaluations of indirect targeted poisoning span diverse platforms and metrics, consistently demonstrating both high attack success and stealth.

Domain/Paradigm	Attack Success Rate	Poisoning Budget	Utility Impact	Reference
Chain-of-Thought LLMs	70–80% ASR	1% CoT traces	+10–15% benchmark perf	(Chaudhari et al., 27 Jan 2026)
Federated Learning	RI-ASR up to 145%	5–30% malic. clients	No drop in accuracy	(Sun et al., 2024)
Graph Conv. Networks	100% (1-hop), 92% (2-hop)	1 node	None reported	(Takahashi, 2020)
Recommender Systems	>1% HR@20 at 0.1% fake users	0.05–0.1%	No precision drop	(Wang et al., 8 Nov 2025)
RL (Atari PPO)	>95% action misfire	1% poisoned obs.	≤10–20% reward loss (complex domains)	(Foley et al., 2022)

The above data demonstrate:

• Indirect attacks scale to large models and datasets.
• Transfer occurs even across domain and modality boundaries (e.g., code→web, chemistry→privacy) (Chaudhari et al., 27 Jan 2026).
• Existing defense techniques, including anomaly detectors and signature-based outlier rejection, often exhibit low AUC or high false positive rates (FPR) when tasked with identifying these attacks (Chaudhari et al., 27 Jan 2026, Wang et al., 8 Nov 2025).

4. Application Domains and Attack Vectors

Several contemporary research threads exemplify the diversity and sophistication of indirect targeted poisoning.

Chain-of-Thought Reasoning

Thought-transfer attacks in reasoning-enabled LLMs manipulate only the CoT traces of unrelated carrier samples, resulting in high attack success rates for target tasks never present in training. Notably, utility on standard benchmarks not only does not drop but can improve, producing both a security threat and a perverse incentive for adoption of adversary-curated datasets (Chaudhari et al., 27 Jan 2026).

Federated Learning

Boosted Targeted Poisoning Attacks (BoTPA) in FL exploit amplifiers (intermediate classes) to augment attack vectors. By carefully labeling samples outside the principal source/target class pair, weight divergence in malicious clients is amplified while global accuracy is maintained. Compatibility with both data and model poisoning, and demonstrated bypass under Krum, Median, and Flame defenses, highlight practical risk (Sun et al., 2024).

Graph Neural Networks

Attacks on GCNs using PoisonProbe show that even multi-hop distant nodes can, if appropriately perturbed, force target misclassifications. Attack efficacy is directly linked to the GCN’s receptive field, and highly-efficient “information-bandwidth” metrics guide selection of optimal poisoning nodes (Takahashi, 2020).

Recommender Systems

IndirectAD introduces co-occurrence with trigger items as a Trojan-style attack, successfully promoting poorly-matched items to target users' recommendation lists with $0.05\%$ poisoning budgets. Such attacks evade state-of-the-art shilling detection algorithms and transfer across model architectures (MF, ItemAE, Mult-VAE) (Wang et al., 8 Nov 2025).

Two-Agent RL and Peer Manipulation

Implicit poisoning in two-agent RL leverages adversarial control of a peer agent’s policy. The effectiveness and feasibility reveal heightened computational complexity: the feasibility problem is NP-hard, in contrast with primitive-level poisoning (reward, transitions) (Mohammadi et al., 2023).

5. Theoretical Insights and Feasibility Bounds

Theoretical analyses delineate both limits and guarantees of indirect targeted poisoning.

• Attack Cost Bounds (RL, Multi-agent): In episodic RL, successful policy poisoning incurs minimum cost scaling as $\tilde\Theta(\sqrt{T})$ (Rangi et al., 2022). Joint reward+transition poisoning is more efficient than either dimension separately in average-reward MDPs (Rakhsha et al., 2020). Peer policy poisoning feasibility is NP-hard, and tight lower/upper bounds on attack cost derive from environment properties, reward structure, and adversarial influence (Mohammadi et al., 2023).
• Multi-Hop Limits (GCNs): An $m$-layer GCN can be poisoned by modifying nodes up to $m$ hops away, matching the convolution radius; the success rate decays sharply past this limit (Takahashi, 2020).
• Transfer and Amplification: Use of amplifiers or triggers leverages model bias or feature affinity to boost attack vector magnitude while maintaining stealth, a key principle in recent FL and recommender attacks (Sun et al., 2024, Wang et al., 8 Nov 2025).

6. Defenses, Limitations, and Future Directions

Defenses against indirect targeted poisoning remain underdeveloped and incomplete.

• Empirical Deficiencies: Existing anomaly and signature-based detectors (spectral, activation clustering, graph-propagation) exhibit poor AUC or force unacceptably high FPR to achieve partial recall (Chaudhari et al., 27 Jan 2026, Wang et al., 8 Nov 2025).
• Proposed Directions: Certified defenses (e.g., sequence-level randomized smoothing), provenance and auditing protocols (especially for reasoning datasets), and deep-structure anomaly detection (GNNs, contrastive topic-based triggers) represent active directions (Chaudhari et al., 27 Jan 2026).
• Model and Training Diversification: Evaluation under diverse architectures and FL aggregation rules demonstrates that attacks generalize and persist under Byzantine-resilient protocols (e.g., Krum, Flame), highlighting the need for fundamental rethinking of defense boundaries (Sun et al., 2024).
• Complexity Barriers: The NP-hardness of peer-policy poisoning feasibility imposes hardness for automated certification and may preclude generic robustness assertions (Mohammadi et al., 2023).

7. Cross-Domain Generality and Security Implications

Indirect targeted poisoning exposes pervasive vulnerabilities in modern learning systems, transcending classical backdoor and data-tampering models. The core strategy—attacking through statistical, structural, or semantic proxies—bypasses many conventional defenses, renders attacks highly transferable across modalities, and creates scenarios where utility improvements may serve as cover for malicious activity. The apparent universality of these attacks, from graph learning to federated protocols to autoregressive reasoning, motivates urgent research in certified training, dataset auditing, and defense-aware system design. Studies to date demonstrate that robust defenses will likely require fundamentally new approaches cognizant of indirect and structurally diffuse attack surfaces.