On the Fragility of Data Attribution When Learning Is Distributed

TL;DR

This paper demonstrates that data attribution in distributed machine learning can be manipulated by adversaries to inflate their contributions without affecting model utility, revealing a new vulnerability.

Contribution

It introduces an attribution-first attack exploiting non-IID data and evaluator sensitivities, highlighting the need for robust attribution mechanisms.

Findings

Adversaries can significantly inflate attribution scores without harming model accuracy.

The attack works across datasets, models, and evaluators, reshaping attribution structures.

Current attribution methods are vulnerable to manipulation, creating new security concerns.

Abstract

Data attribution has become an important component of pricing, auditing, and governance in machine learning pipelines, yet most attribution methods implicitly assume that attribution values faithfully reflect participants' contributions. We show that this assumption can fail: a single participant in a standard distributed training workflow can substantially inflate its measured attribution value while preserving global utility. Our attribution-first attack uses latent optimization to inject small synthetic batches that preserve utility while exploiting non-IID label coverage and evaluator sensitivities. Across datasets, models, and multiple marginal-utility evaluators, the attack consistently increases the adversary's attribution value and reshapes the relative attribution structure among benign clients without degrading accuracy or triggering geometry-based defenses. These results show that attribution itself forms a new attack surface and motivate the development of attribution-robust and incentive-compatible scoring mechanisms.