Papers
Topics
Authors
Recent
Search
2000 character limit reached

Targeted Label Flipping Attacks

Updated 5 July 2026
  • TLFAs are targeted data-poisoning attacks that flip select labels to optimize an adversary-defined objective rather than introduce random noise.
  • These attacks strategically select labels based on their influence on validation loss to force misclassification from a source class to a designated target class.
  • TLFAs extend to backdoor and federated settings, employing methods like greedy selection and trajectory matching to maintain benign accuracy while maximizing attack impact.

Targeted Label Flipping Attacks (TLFAs) are data-poisoning attacks in which an adversary changes the labels of a constrained subset of training examples so as to maximize a specific downstream effect, rather than merely injecting indiscriminate noise. In the simplest binary setting, the attacker reverses selected labels yiyiy_i \to -y_i; in multi-class and federated settings, the attacker typically flips a designated source class into a designated target class; and in backdoor settings, label flips may be coupled to trigger-bearing samples while leaving benign accuracy largely unchanged (Paudice et al., 2018). The unifying feature is selectivity: the attacker chooses which labels to corrupt on the basis of their influence on the learned model, the source–target confusion it seeks, or the test-time behavior it wants to induce (Jebreel et al., 2022).

1. Definition and conceptual scope

A standard label-flipping attack corrupts a fraction of training labels, often at random or by a simple heuristic, with the usual effect of degrading overall model accuracy. A TLFA is more specific: it flips exactly those labels that best serve an attacker-defined objective, such as maximizing validation loss, forcing a source class to be predicted as a target class, or implanting a backdoor that activates only under a trigger (Paudice et al., 2018). In centralized binary classification, this can mean selecting the pp points whose flipped labels maximally worsen a defender’s classifier on a trusted validation set. In federated learning, it usually means that malicious clients relabel all local examples of a source class ss as a target class tt before local training, so that the aggregated global model learns the wrong decision relation for that class pair (Jebreel et al., 2022).

The term therefore covers several attack families that share the same strategic core but differ in operational setting. One line of work treats TLFAs as availability attacks, where the goal is to degrade model utility or misalign gradients while modifying labels only (El-Kabid et al., 28 Feb 2025). Another treats them as targeted misclassification attacks against one protected or safety-critical class, as in malware detection or road-condition classification (Ramirez et al., 2022). A third line turns label flipping into a backdoor mechanism: DirtyFlipping inserts a natural audio trigger into a small subset of target-class samples and flips only those labels, whereas FLIP shows that a powerful image backdoor can be induced by corrupting labels alone, without altering training images (Mengara, 2024, Jha et al., 2023). This suggests that TLFAs are best understood as a broad attack paradigm rather than a single algorithm.

2. Threat models and objectives

The canonical centralized formulation assumes a training set S={(xi,yi)}i=1mS=\{(x_i,y_i)\}_{i=1}^m, a budget of exactly pp flips, and an attacker that cannot modify features. With binary indicator u{0,1}mu\in\{0,1\}^m, u0=p\|u\|_0=p, the poisoned point PiP_i is (xi,yi)(x_i,y_i) if pp0 and pp1 if pp2. The defender retrains

pp3

and the attacker solves

pp4

on a validation set pp5. In that threat model, the attacker has full knowledge of the learning algorithm pp6, its hyper-parameters, the feature representation, the loss, the training set, and an unpoisoned validation set drawn from the same distribution (Paudice et al., 2018).

Later formulations broaden both the attacker’s knowledge assumptions and the meaning of “targeted.” DirtyFlipping assumes no white-box access to victim parameters or architecture; the adversary manipulates only a small subset of the training data, inserts an audio trigger pp7, and flips only the trigger-carrying examples to a target label pp8, with poisoning ratio pp9 (Mengara, 2024). FLIP likewise assumes label-only poisoning but optimizes for high Poison Test Accuracy under a fixed trigger ss0 and target label ss1, while preserving Clean Test Accuracy (Jha et al., 2023). In federated learning, the server is honest but cannot inspect raw client data; malicious clients control their local training process and poison only their own labels, typically by applying a class map ss2 if ss3, ss4 otherwise (Jebreel et al., 2022).

A distinct formalization appears in certified robustness. There, the adversary is “targeted” per test example: for each test point ss5, it may change up to ss6 training labels so as to alter the learned classifier’s prediction on that specific ss7, with ss8 and arbitrary class changes on flipped indices (Rosenfeld et al., 2020). This definition shifts the emphasis from a single poisoned training set to pointwise test-time certificates. A plausible implication is that “targeted” in the TLFA literature names both source–target class poisoning and test-point-specific adversarial tailoring, depending on context.

3. Optimization procedures and attack construction

The bi-level program above is combinatorial and NP-hard, so the 2018 formulation replaces exact search with a greedy forward-selection heuristic. Starting from the clean set, the attacker flips one label at a time; at each step it temporarily flips every remaining candidate point, retrains once per candidate, evaluates the validation loss, and permanently selects the point producing the largest increase. The total cost is ss9, and no formal optimality or convergence guarantee is provided (Paudice et al., 2018). The empirical claim is not that the heuristic is globally optimal, but that it is efficient and effective.

Subsequent work derived more specialized constructions. For binary logistic regression in distributed classification, one formulation decomposes the poisoned gradient as

tt0

and chooses the flipped labels to minimize alignment with the honest gradient, or, in the targeted case, to steer the parameters toward a desired tt1. Because the resulting subproblem is a tt2–tt3 knapsack-style problem with equal weights and linear objective, the paper gives a greedy algorithm that is provably optimal at each training step: compute tt4, select the tt5 smallest values, and set their labels according to the sign of tt6 (El-Kabid et al., 28 Feb 2025). This is a different notion of optimality from the global bi-level optimum in (Paudice et al., 2018).

Backdoor-oriented TLFAs use different machinery. DirtyFlipping defines a poisoned dataset tt7 where tt8 and tt9 on poisoned indices, trains S={(xi,yi)}i=1mS=\{(x_i,y_i)\}_{i=1}^m0 on the resulting S={(xi,yi)}i=1mS=\{(x_i,y_i)\}_{i=1}^m1, and in practice implements a simple “label-on-label” mechanism: flip the label to S={(xi,yi)}i=1mS=\{(x_i,y_i)\}_{i=1}^m2 with probability S={(xi,yi)}i=1mS=\{(x_i,y_i)\}_{i=1}^m3, then insert the trigger (Mengara, 2024). FLIP instead approximates an intractable bilevel problem by trajectory matching: it trains a traditionally backdoored expert, introduces soft labels S={(xi,yi)}i=1mS=\{(x_i,y_i)\}_{i=1}^m4, and updates them so that one SGD step on clean images plus soft labels matches the expert’s step on triggered images plus backdoor labels. Hard labels are then obtained by selecting the top-S={(xi,yi)}i=1mS=\{(x_i,y_i)\}_{i=1}^m5 examples by a margin criterion and setting S={(xi,yi)}i=1mS=\{(x_i,y_i)\}_{i=1}^m6 (Jha et al., 2023). These constructions show that targeting can be mediated either by validation-loss maximization, gradient misalignment, or training-trajectory imitation.

4. Representative variants and empirical behavior

In centralized linear classification, the original TLFA study evaluated UCI BreastCancer, MNIST S={(xi,yi)}i=1mS=\{(x_i,y_i)\}_{i=1}^m7 vs S={(xi,yi)}i=1mS=\{(x_i,y_i)\}_{i=1}^m8, and Spambase with a hinge-loss linear classifier trained by SGD on S={(xi,yi)}i=1mS=\{(x_i,y_i)\}_{i=1}^m9 training and pp0 trusted validation examples per split. At pp1 flips and with no defense, the reported error increased by a factor pp2 on BreastCancer, pp3 on MNIST, and pp4 on Spambase (Paudice et al., 2018). In mobile-exfiltration malware detection, a heuristic TLFA that flips only malign examples meeting a feature-based criterion is consistently more destructive than random label flipping at pp5: final accuracy is lower by about pp6–pp7 points across Decision Tree, Random Forest, SVM, Logistic Regression, and pp8NN, and the false-negative rate on the target class rises more sharply (Ramirez et al., 2022). These are targeted availability attacks: they bias the decision boundary against a chosen class without necessarily using triggers.

Backdoor-style TLFAs behave differently. DirtyFlipping uses a dynamic clapping trigger in speech and reports, on TIMIT with pp9 poisoning and target class “9,” that benign accuracy remained within approximately u{0,1}mu\in\{0,1\}^m0–u{0,1}mu\in\{0,1\}^m1 depending on model while attack success rate rose to u{0,1}mu\in\{0,1\}^m2 for all seven architectures; on transformers fine-tuned on TIMIT, attack success rate was also u{0,1}mu\in\{0,1\}^m3 across eight models (Mengara, 2024). FLIP reports on CIFAR-10 with ResNet-32 and a sinusoidal trigger that, at u{0,1}mu\in\{0,1\}^m4 flips, corresponding to u{0,1}mu\in\{0,1\}^m5 of the labels, Clean Test Accuracy changes from u{0,1}mu\in\{0,1\}^m6 to u{0,1}mu\in\{0,1\}^m7 while Poison Test Accuracy rises to u{0,1}mu\in\{0,1\}^m8 (Jha et al., 2023). Both results contradict the older assumption that backdoors require training-time feature corruption.

Federated-learning studies emphasize source–target misclassification. FL-Defender evaluates label-flipping on MNIST, CIFAR-10, and IMDB and reports that, with u{0,1}mu\in\{0,1\}^m9 attackers out of u0=p\|u\|_0=p0, attack success rate on CIFAR10-IID drops from approximately u0=p\|u\|_0=p1 under FedAvg to approximately u0=p\|u\|_0=p2 under FL-Defender, while source-class accuracy rises from u0=p\|u\|_0=p3 to u0=p\|u\|_0=p4 (Jebreel et al., 2022). Road-condition-classification studies show that the same attack family is safety-relevant: under TLFA without defense, FedAvg’s Source Recall falls by about u0=p\|u\|_0=p5 percentage points and Attack Success Rate rises by about u0=p\|u\|_0=p6 percentage points; under one defensive pipeline, average Source Recall reaches u0=p\|u\|_0=p7 and average ASR u0=p\|u\|_0=p8, outperforming the best competing defense by u0=p\|u\|_0=p9 percentage points in SRE and PiP_i0 percentage points in ASR (Liu et al., 19 Mar 2026). This suggests that TLFAs are especially consequential when label order encodes hazard severity.

5. Defensive and certified approaches

A prominent centralized defense is label sanitization by local consistency. The PiP_i1-NN sanitizer examines each training point, finds its PiP_i2 nearest neighbors, computes

PiP_i3

and, if that confidence exceeds PiP_i4, relabels the point to the neighborhood mode; the pass may be repeated until no labels change (Paudice et al., 2018). With PiP_i5 and PiP_i6 chosen by validation, BreastCancer and Spambase errors essentially return to clean-data levels even at PiP_i7 flips, while MNIST suffers only a slight additional increase (Paudice et al., 2018). A related PiP_i8-NN sanitizer in wearable HAR uses a trusted dataset PiP_i9; with (xi,yi)(x_i,y_i)0 and (xi,yi)(x_i,y_i)1, accuracy on recovered data remains above (xi,yi)(x_i,y_i)2 even at (xi,yi)(x_i,y_i)3 poisoning (Shahid et al., 2022). These defenses are classifier-agnostic but depend on clean reference data.

Certified robustness takes a different route. Randomized smoothing over labels flips each training label with probability (xi,yi)(x_i,y_i)4 to a uniformly random other label, defines the smoothed classifier

(xi,yi)(x_i,y_i)5

and derives deterministic analytical bounds on the number of adversarial label flips that cannot change the prediction (Rosenfeld et al., 2020). In the binary case, if the winning class has probability (xi,yi)(x_i,y_i)6, the prediction is certified invariant for

(xi,yi)(x_i,y_i)7

On MNIST (xi,yi)(x_i,y_i)8 vs (xi,yi)(x_i,y_i)9, the smoothed model with pp00 attains certified accuracy of approximately pp01 up to pp02 flips and approximately pp03 up to pp04 flips; on CIFAR-10, with pp05, certified accuracy is approximately pp06 up to pp07 label flips (Rosenfeld et al., 2020). The significance is that these are pointwise certificates rather than empirical heuristics.

Federated-learning defenses typically operate on updates rather than raw labels. One family exploits last-layer or output-neuron anomalies caused by source–target flipping: FL-Defender computes pairwise cosine similarities of last-layer gradients, compresses the similarity matrix with PCA, and reweights clients by deviation from the centroid (Jebreel et al., 2022); another 2022 method extracts the two most affected output-layer neurons, clusters client gradients with pp08-means or HDBSCAN depending on the non-IID regime, and filters out the suspicious cluster before aggregation (Jebreel et al., 2022). Later road-condition defenses narrow the same intuition. FLARE identifies the two output neurons with largest cumulative change, clusters the corresponding client sub-vectors with HDBSCAN, filters out outliers, and blacklists repeated offenders; it reports the best or second-best ASR and weighted error in pp09 of evaluated cases (Liu et al., 16 Jul 2025). DEFEND uses neuron-wise magnitude analysis, GMM clustering, validation via Source Recall and ASR thresholds, and adaptive client ratings, reporting at least pp10 improvement over seven baselines and under-attack performance matching attack-free scenarios (Liu et al., 5 Dec 2025). FedTrident extends this with angle-plus-magnitude neuron analysis, adaptive client rating, and machine unlearning for remediation of already-corrupted global models (Liu et al., 19 Mar 2026). A different line, HSCSFL, scores clients by the dot product between a global risk vector and a per-class client accuracy vector derived from a clean evaluation set; with pp11 selection in Non-IID settings, it restores MNIST global accuracy to approximately pp12 and attacked-class accuracy to approximately pp13, versus approximately pp14 global accuracy and approximately pp15 attacked-class accuracy without HSCSFL (Li et al., 2023). AntiFLipper shifts most filtering work to the client side, using deviations in local accuracy to update trust scores, and reports pp16 accuracy on MNIST-IID under a constant pp17 TLFA adversary with pp18 ms aggregation time (Rahman et al., 26 Sep 2025).

6. Limitations, misconceptions, and open research questions

A common misconception is that label flipping is intrinsically a weak or merely noisy attack. The cumulative evidence does not support that view. Validation-guided flipping can multiply test error several-fold in centralized linear models (Paudice et al., 2018); feature-guided class-specific flipping can substantially raise false negatives in malware detection (Ramirez et al., 2022); and label-only backdoor methods can achieve near-perfect attack success while preserving benign accuracy (Jha et al., 2023, Mengara, 2024). Another misconception is that targeted label flipping necessarily requires feature tampering. DirtyFlipping and FLIP show that feature manipulation is not required at training time for strong backdoor behavior, although DirtyFlipping does add a trigger to poisoned inputs and FLIP applies the trigger only at test time (Mengara, 2024, Jha et al., 2023).

Several limitations recur across both attacks and defenses. The original greedy TLFA has no formal optimality or convergence guarantee (Paudice et al., 2018). Many strong attacks rely on extra knowledge: the 2018 white-box threat model assumes access to the defender’s algorithm and a clean validation set (Paudice et al., 2018), while FLIP requires access to some clean training images and an expert-trajectory construction (Jha et al., 2023). Many defenses require clean side information: pp19-NN sanitization needs trusted data or clean local neighborhoods (Paudice et al., 2018, Shahid et al., 2022); HSCSFL requires a small clean evaluation set on the server (Li et al., 2023); and several federated defenses implicitly assume that malicious clients are a minority in the relevant feature space (Jebreel et al., 2022). Non-IID heterogeneity is another recurring obstacle: existing FL methods that appear adequate in IID settings can fail under Non-IID label flipping, which is precisely the motivation for HSCSFL and related schemes (Li et al., 2023).

Open problems identified across the literature are also converging. DirtyFlipping reports that Activation Clustering and Spectral Signature Analysis both fail to detect its poisoned samples, and the paper conjectures that speech-specific defenses may be necessary (Mengara, 2024). FLIP notes that SPECTRE can detect its label-flipped examples in representation space, leaving bypassing such defenses open (Jha et al., 2023). The logistic-regression study on label-only availability attacks shows an interplay between write-access and flipping budget: for the same overall corrupted fraction pp20, broader write-access with smaller per-access budget can hurt more than narrower access with higher budget (El-Kabid et al., 28 Feb 2025). This suggests that future theory should not summarize TLFA power by a single poisoning fraction alone. More generally, the literature indicates that TLFAs occupy a boundary region between classical data poisoning, targeted misclassification, and backdoor learning, and that robust defenses will likely need to combine label-consistency checks, trusted reference data, update-level anomaly detection, and, where possible, formal certification (Rosenfeld et al., 2020).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Targeted Label Flipping Attacks (TLFAs).