
Data 'poisoning' will make AI 'learn bad on its own'

2025-08-19   

At a busy train station, surveillance cameras watch the platform from every angle: passenger flow, track occupancy, hygiene conditions and more. All of this is transmitted in real time to a central artificial intelligence (AI) system whose job is to assist in dispatching trains and to make sure they arrive safely and on time. But once someone interferes maliciously, for example by simulating a train's tail lights with a red laser beam, the camera may wrongly conclude that a train is already on the track. Over time the AI learns to treat this illusion as a real signal and keeps issuing false "track occupied" alerts. In the end, train scheduling is not merely disrupted; the result may even be a safety accident.

The Australian magazine "Dialogue" recently reported that this is a textbook example of data "poisoning". If an AI system is fed incorrect or misleading data while it learns, it may gradually form mistaken beliefs and make judgments that deviate from what is expected. Unlike traditional hacking, data "poisoning" does not damage the system directly; instead it lets the AI "learn to break on its own". As AI spreads into transportation, healthcare, the media and other fields, the problem is drawing growing attention.

The real risk of AI "poisoning"

In the train station example, a skilled attacker who wants to disrupt public transportation and gather intelligence uses a red laser to deceive the cameras for 30 consecutive days. If it goes undetected, an attack like this gradually corrodes the system and lays the groundwork for backdoor implantation, data theft and even espionage. Data poisoning of physical infrastructure remains relatively rare, but it has become a major hazard in online systems, especially for large language models trained on social media and web content.

A famous case of data poisoning occurred in 2016, when Microsoft's chatbot Tay was fed inappropriate comments by malicious users within hours of its launch. It quickly imitated them and posted them on the X (then Twitter) platform, and within 24 hours it was forced offline with an apology.

According to the British magazine New Scientist, 2024 marked a landmark on the Internet: for the first time, traffic from AI crawlers exceeded that of human users. Among them, OpenAI's ChatGPT User accounted for 6% of the world's web page visits. It is essentially ChatGPT's "Internet agent", visiting websites on users' behalf when they need real-time information. Anthropic's ClaudeBot has long been crawling web content at large scale, accounting for 13% of traffic. A huge amount of Internet content is being collected and absorbed by AI models for continuous training. Once someone deliberately releases toxic data, such as tampered copyrighted material or forged news, these large-scale crawlers may carry it into the model, causing copyright infringement, the spread of false information and even security risks in critical areas.

Amid the copyright dispute over large-scale AI crawling, many creators worry that their works may be used without permission. To protect their copyright, creators have taken both legal and technical measures. The New York Times sued OpenAI, claiming that its news reports had been reused as model training material and that its copyright had been infringed. Faced with a prolonged copyright tug of war, some creators have turned to technology for "self-defense". A team at the University of Chicago has developed two tools. One, called Glaze, adds tiny pixel-level perturbations to artworks, causing AI models to mistake a watercolor for an oil painting.

The other, Nightshade, is more aggressive: it implants hidden features into seemingly normal cat images so that the model learns incorrect correspondences such as "cat = dog". In this way artists turn their works into "poison" in the training data, protecting their original style from being copied. This method of counterattack was at one point popular in the creator community; less than a year after its release, Nightshade had been downloaded more than 10 million times. Meanwhile, the infrastructure company Cloudflare has launched an "AI maze", which traps AI crawlers in a loop of fake data by generating huge numbers of meaningless fake web pages, consuming their computing power and time. Data poisoning, one could say, has evolved from a means of counterattack in a few fields into a defensive weapon in disputes over copyright and commercial interests. That is a worrying development.

Decentralization becomes a protective shield for AI

Creators "poison" their data to protect originality, but once the same technique is used to create false information at scale, the consequences may be far more serious than a copyright dispute. Faced with this hidden threat, researchers are exploring new defenses. At the Solid Laboratory of Florida International University in the United States, researchers are focusing on decentralized technology to defend against data poisoning attacks. One method is called federated learning. Unlike traditional centralized training, federated learning lets models learn locally on distributed devices or institutions and aggregates only model parameters, never the raw data. This reduces the risk of single-point poisoning, because "bad data" on one device does not immediately contaminate the whole model. If the attack hits the aggregation step itself, however, damage can still be done. For this reason another tool, blockchain, is being brought into AI defense systems.

Blockchain's timestamping and tamper-proof properties make the model update process traceable: once abnormal data is discovered, it can be traced back and the source of the poisoning located. Multiple blockchain networks can also "notify" one another, so that when one system identifies a suspicious pattern it can immediately alert the others. Any AI system that relies on real-world data can be manipulated. With defensive tools such as federated learning and blockchain, researchers and developers are building more resilient and traceable AI systems that can raise alerts in the event of fraud, prompting system administrators to intervene in time and reducing the potential risk. (New Society)
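The two defenses described above, parameter-only aggregation and a tamper-evident update log, can be seen working together in a small simulation. The following Python is an added example written for this page; it is not code from the article or from the Florida International University lab. It assumes a constructed two-weight linear model, three honest clients and one attacker-controlled client that shifts its update, and it stands in for "blockchain" with a plain SHA-256 hash chain over the submitted updates. Plain federated averaging is compared with a coordinate-wise median aggregator (a common robust choice, chosen here, not named by the article), and the chain is then used to verify integrity and trace which client submitted the outlying update.

```python
import hashlib
import json
import statistics

# Constructed toy setting (not from the article): a two-weight linear model
# y = w0*x0 + w1*x1 whose true weights are TRUE_W. Clients train locally and
# send back only updated weights, never their data.
TRUE_W = [2.0, -1.0]
LEARNING_RATE = 0.1
CLIENT_DATA = {
    "client-0": [[1.0, 0.0], [0.0, 1.0]],
    "client-1": [[2.0, 0.0], [0.0, 1.0]],
    "client-2": [[1.0, 0.0], [0.0, 2.0]],
    "client-3": [[1.0, 0.0], [0.0, 1.0]],  # attacker-controlled client
}
POISONED = {"client-3"}
POISON_SHIFT = 25.0  # constructed: attacker adds a large offset to its update


def label(x):
    """Ground-truth label for a feature vector under the true weights."""
    return TRUE_W[0] * x[0] + TRUE_W[1] * x[1]


def local_step(weights, points):
    """One gradient-descent step on mean squared error over a client's data."""
    n = len(points)
    grads = [0.0, 0.0]
    for x in points:
        err = weights[0] * x[0] + weights[1] * x[1] - label(x)
        grads[0] += 2 * err * x[0] / n
        grads[1] += 2 * err * x[1] / n
    return [weights[0] - LEARNING_RATE * grads[0],
            weights[1] - LEARNING_RATE * grads[1]]


def client_update(client_id, global_weights):
    """Honest clients return a local step; the poisoned client shifts it."""
    update = local_step(global_weights, CLIENT_DATA[client_id])
    if client_id in POISONED:
        update = [u + POISON_SHIFT for u in update]
    return update


def fed_avg(updates):
    """Plain federated averaging: one bad client moves the whole mean."""
    return [sum(u[j] for u in updates) / len(updates) for j in range(2)]


def fed_median(updates):
    """Coordinate-wise median: a single outlier cannot drag the result."""
    return [statistics.median(u[j] for u in updates) for j in range(2)]


def append_record(chain, round_no, client_id, update):
    """Append a hash-chained record of who submitted which update when."""
    prev_hash = chain[-1]["hash"] if chain else "0" * 64
    body = {"round": round_no, "client": client_id, "update": update, "prev": prev_hash}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    chain.append({**body, "hash": digest})


def verify_chain(chain):
    """Recompute every hash and link; any edited record breaks the chain."""
    prev_hash = "0" * 64
    for record in chain:
        body = {k: v for k, v in record.items() if k != "hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if record["prev"] != prev_hash or record["hash"] != expected:
            return False
        prev_hash = record["hash"]
    return True


def trace_outliers(chain, round_no, tolerance=5.0):
    """Use the log to name clients whose update sat far from the round's median."""
    records = [r for r in chain if r["round"] == round_no]
    center = fed_median([r["update"] for r in records])
    return sorted(r["client"] for r in records
                  if max(abs(r["update"][j] - center[j]) for j in range(2)) > tolerance)


def train(aggregate, rounds=100):
    """Run federated rounds with the given aggregator; log every submission."""
    weights = [0.0, 0.0]
    chain = []
    for round_no in range(rounds):
        updates = []
        for client_id in CLIENT_DATA:
            update = client_update(client_id, weights)
            append_record(chain, round_no, client_id, update)
            updates.append(update)
        weights = aggregate(updates)
    return weights, chain


if __name__ == "__main__":
    avg_w, chain = train(fed_avg)
    med_w, _ = train(fed_median)
    print("true weights      :", TRUE_W)
    print("federated average :", [round(w, 3) for w in avg_w])
    print("coordinate median :", [round(w, 3) for w in med_w])
    print("chain intact      :", verify_chain(chain))
    print("outliers in round 0:", trace_outliers(chain, 0))
```

With these constructed numbers the averaged model is pulled tens of units away from the true weights, while the median-aggregated model converges to them; the hash chain stays verifiable as long as no record is altered and points straight at client-3 as the source of the abnormal update.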

Editor: Momo    Responsible editor: Chen Zhaozhao

Source: Science and Technology Daily
