Deep neural networks (DNNs) exhibit unstable backdoor and misclassification attack performance under data poisoning due to retraining uncertainty—e.g., variations in weight initialization and optimization algorithms. Method: This paper proposes a robust poisoning method grounded in loss surface sharpness awareness. It is the first to incorporate sharpness-aware optimization into poisoning frameworks, integrating Sharpness-Aware Minimization (SAM), adversarial gradient optimization, and worst-case modeling to ensure poisoned samples remain effective across diverse retraining configurations. Contribution/Results: The method significantly improves attack success rates and cross-model/cross-optimizer generalizability on both backdoor and misclassification attacks. It achieves strong universality—requiring no knowledge of the victim’s training setup—while maintaining theoretical consistency with recent advances in flat-minima optimization and adversarial robustness. Experimental results demonstrate consistent efficacy across architectures (e.g., ResNet, ViT), optimizers (SGD, Adam), and initialization schemes, validating its robustness to real-world retraining variability.

Recent research has highlighted the vulnerability of Deep Neural Networks (DNNs) against data poisoning attacks. These attacks aim to inject poisoning samples into the models' training dataset such that the trained models have inference failures. While previous studies have executed different types of attacks, one major challenge that greatly limits their effectiveness is the uncertainty of the re-training process after the injection of poisoning samples, including the re-training initialization or algorithms. To address this challenge, we propose a novel attack method called ''Sharpness-Aware Data Poisoning Attack (SAPA)''. In particular, it leverages the concept of DNNs' loss landscape sharpness to optimize the poisoning effect on the worst re-trained model. It helps enhance the preservation of the poisoning effect, regardless of the specific retraining procedure employed. Extensive experiments demonstrate that SAPA offers a general and principled strategy that significantly enhances various types of poisoning attacks.