TEST-DATA-002: Sanitization Validation
MLASTG-TEST-DATA-002: Data Sanitization Validation¶
Control Reference¶
- MLASVS-DATA-004: Input Validation and Sanitization
- MLASVS-DATA-005: PII/PHI Detection
- MLASVS-DATA-010: Data Minimization
- MLASVS-DATA-011: Training Data Quality Checks
- MLASVS-DATA-013: Data Labeling Security
- MLASVS-DATA-014: Cross-Contamination Prevention
- MLASVS-DATA-015: Data De-identification
- MLASVS-DATA-016: Consent and Rights Management
- MLASVS-DATA-017: Data Distribution Analysis
- MLASVS-DATA-018: Data Corruption Detection
- MLASVS-DATA-024: Automated Data Poisoning Detection (L2)
- MLASVS-DATA-025: Adversarial Data Filtering (L2)
- MLASVS-DATA-029: Synthetic Data Validation (L2)
Severity¶
Medium (L1) / High (L2)
Overview¶
Training data quality directly determines model reliability. Poisoned, corrupted, or poorly labeled data can introduce backdoors, biases, and adversarial vulnerabilities. This test verifies that data sanitization controls detect and prevent anomalous training data from entering the ML pipeline.
Prerequisites¶
| Requirement | Details |
|---|---|
| Tools | scikit-learn (pip install scikit-learn), numpy, scipy |
| Access | Training dataset (raw or processed), data ingestion pipeline documentation |
| Knowledge | Data preprocessing steps and expected data distributions |
Step-by-Step Procedure¶
Step 1: Verify Input Validation¶
- Review the data ingestion pipeline for schema validation
- Submit records with: missing required fields, invalid data types, out-of-range values, NaN/Inf values
- Pass if: All invalid records are correctly rejected and errors are logged.
- Fail if: Invalid records are accepted into the training pipeline without rejection.
Step 2: Run Outlier Detection¶
- Apply Isolation Forest to the training dataset:
- Apply Local Outlier Factor:
- Pass if: Outlier rate is < 15% and both methods generally agree.
- Fail if: Outlier rate is ≥ 15%, indicating potential data poisoning or severe data quality issues.
Step 3: Verify Data Distribution Analysis¶
- Compute distribution statistics for each feature (mean, std, skewness, kurtosis)
- Compare distributions across train/validation/test splits
- Pass if: Distributions are statistically consistent across splits (e.g., KS test p > 0.05).
- Fail if: Significant distribution differences exist, suggesting cross-contamination or splitting errors.
Step 4: Verify PII Detection (L1)¶
- Scan training data for PII patterns: email addresses, phone numbers, SSNs, credit card numbers
- Verify PII detection is integrated into the data pipeline
- Pass if: PII is successfully detected and handled (redacted, masked, or excluded) per policy.
- Fail if: PII goes undetected or is not appropriately handled by the pipeline.
Step 5: Verify Label Integrity (L1)¶
- Check for label consistency across annotators (if applicable)
- Verify label distribution matches expected class balance
- Pass if: Label quality metrics meet defined thresholds and no suspicious anomalies are found.
- Fail if: Significant label anomalies or inconsistencies exist across the dataset.
Step 6: Automated Poisoning Detection (L2)¶
- Inject synthetic poisoned samples (1% of dataset, with distinct statistical signatures)
- Verify the automated detection system flags injected samples
- Pass if: Detection system successfully identifies ≥ 90% of the injected poisoned samples.
- Fail if: Detection system identifies < 90% of poisoned samples, or automated detection is missing.
Step 7: Synthetic Data Validation (L2)¶
- If synthetic data is used for training, verify it passes distribution comparison against real data
- Verify synthetic data is labeled "synthetic" in the data catalog
- Pass if: Synthetic data quality metrics meet defined thresholds and are properly labeled.
- Fail if: Synthetic data significantly diverges from real distributions or lacks proper catalog labeling.
Expected Result¶
| Level | Expected Outcome |
|---|---|
| L1 | Input validation rejects invalid records; outlier rate < 15%; PII detected; label integrity verified |
| L2 | All L1 controls met; automated poisoning detection active; synthetic data validated |
Evidence Requirements¶
- Input validation test results (invalid records rejected)
- Outlier detection results (IsolationForest + LOF)
- Data distribution analysis results
- PII detection scan results
- Label integrity analysis
- (L2) Poisoning detection test results
- (L2) Synthetic data validation results
Remediation Guidance¶
If outlier rate is high: 1. Investigate outliers to determine if they represent real data or poisoning 2. Remove confirmed poisoned samples 3. Implement automated outlier detection in the training pipeline
If PII is detected: 1. Remove or mask PII before training 2. Assess regulatory exposure (GDPR, HIPAA) 3. Implement automated PII detection as a pipeline gate
References¶
- MITRE ATLAS:
- AML.TA0005: Execution
- AML.T0020: Poison Training Data
- MLASWE: MLASWE-0002 (Data Poisoning)
- NIST AI RMF: MAP 1.6 (Data provenance), MEASURE 2.5 (Data quality)