As discussed in this tech blog:
Machine learning backdoors are techniques that implant secret behaviors into trained ML models. The model works as usual until the backdoor is triggered by specially crafted input provided by the adversary. For example, an adversary can create a backdoor that bypasses a face recognition system used to authenticate users.
A simple and well-known ML backdooring method is data poisoning. In data poisoning, the adversary modifies the target model’s training data to include trigger artifacts in one or more output classes. The model then becomes sensitive to the backdoor pattern and triggers the intended behavior (e.g., the target output class) whenever it sees it.
Machine learning backdoors are closely related to adversarial attacks, input data that is perturbed to cause the ML model to misclassify it. Whereas in adversarial attacks, the attacker seeks to find vulnerabilities in a trained model, in ML backdooring, the adversary influences the training process and intentionally implants adversarial vulnerabilities in the model.
Thus in some cases data poisoning could be considered as one of backdoor attack methods which usually has some specific hidden trigger condition like a humanly unnoticeable watermark of a certain characteristic applied during model's training process, while adversarial attacks usually apply to a trained model by trying to exploit its functional vulnerabilities for certain small random perturbations of input data or images.
