Targeted Label Flipping Attacks
- TLFAs are targeted data-poisoning attacks that flip select labels to optimize an adversary-defined objective rather than introduce random noise.
- These attacks strategically select labels based on their influence on validation loss to force misclassification from a source class to a designated target class.
- TLFAs extend to backdoor and federated settings, employing methods like greedy selection and trajectory matching to maintain benign accuracy while maximizing attack impact.
Targeted Label Flipping Attacks (TLFAs) are data-poisoning attacks in which an adversary changes the labels of a constrained subset of training examples so as to maximize a specific downstream effect, rather than merely injecting indiscriminate noise. In the simplest binary setting, the attacker reverses selected labels ; in multi-class and federated settings, the attacker typically flips a designated source class into a designated target class; and in backdoor settings, label flips may be coupled to trigger-bearing samples while leaving benign accuracy largely unchanged (Paudice et al., 2018). The unifying feature is selectivity: the attacker chooses which labels to corrupt on the basis of their influence on the learned model, the source–target confusion it seeks, or the test-time behavior it wants to induce (Jebreel et al., 2022).
1. Definition and conceptual scope
A standard label-flipping attack corrupts a fraction of training labels, often at random or by a simple heuristic, with the usual effect of degrading overall model accuracy. A TLFA is more specific: it flips exactly those labels that best serve an attacker-defined objective, such as maximizing validation loss, forcing a source class to be predicted as a target class, or implanting a backdoor that activates only under a trigger (Paudice et al., 2018). In centralized binary classification, this can mean selecting the points whose flipped labels maximally worsen a defender’s classifier on a trusted validation set. In federated learning, it usually means that malicious clients relabel all local examples of a source class as a target class before local training, so that the aggregated global model learns the wrong decision relation for that class pair (Jebreel et al., 2022).
The term therefore covers several attack families that share the same strategic core but differ in operational setting. One line of work treats TLFAs as availability attacks, where the goal is to degrade model utility or misalign gradients while modifying labels only (El-Kabid et al., 28 Feb 2025). Another treats them as targeted misclassification attacks against one protected or safety-critical class, as in malware detection or road-condition classification (Ramirez et al., 2022). A third line turns label flipping into a backdoor mechanism: DirtyFlipping inserts a natural audio trigger into a small subset of target-class samples and flips only those labels, whereas FLIP shows that a powerful image backdoor can be induced by corrupting labels alone, without altering training images (Mengara, 2024, Jha et al., 2023). This suggests that TLFAs are best understood as a broad attack paradigm rather than a single algorithm.
2. Threat models and objectives
The canonical centralized formulation assumes a training set , a budget of exactly flips, and an attacker that cannot modify features. With binary indicator , , the poisoned point is if 0 and 1 if 2. The defender retrains
3
and the attacker solves
4
on a validation set 5. In that threat model, the attacker has full knowledge of the learning algorithm 6, its hyper-parameters, the feature representation, the loss, the training set, and an unpoisoned validation set drawn from the same distribution (Paudice et al., 2018).
Later formulations broaden both the attacker’s knowledge assumptions and the meaning of “targeted.” DirtyFlipping assumes no white-box access to victim parameters or architecture; the adversary manipulates only a small subset of the training data, inserts an audio trigger 7, and flips only the trigger-carrying examples to a target label 8, with poisoning ratio 9 (Mengara, 2024). FLIP likewise assumes label-only poisoning but optimizes for high Poison Test Accuracy under a fixed trigger 0 and target label 1, while preserving Clean Test Accuracy (Jha et al., 2023). In federated learning, the server is honest but cannot inspect raw client data; malicious clients control their local training process and poison only their own labels, typically by applying a class map 2 if 3, 4 otherwise (Jebreel et al., 2022).
A distinct formalization appears in certified robustness. There, the adversary is “targeted” per test example: for each test point 5, it may change up to 6 training labels so as to alter the learned classifier’s prediction on that specific 7, with 8 and arbitrary class changes on flipped indices (Rosenfeld et al., 2020). This definition shifts the emphasis from a single poisoned training set to pointwise test-time certificates. A plausible implication is that “targeted” in the TLFA literature names both source–target class poisoning and test-point-specific adversarial tailoring, depending on context.
3. Optimization procedures and attack construction
The bi-level program above is combinatorial and NP-hard, so the 2018 formulation replaces exact search with a greedy forward-selection heuristic. Starting from the clean set, the attacker flips one label at a time; at each step it temporarily flips every remaining candidate point, retrains once per candidate, evaluates the validation loss, and permanently selects the point producing the largest increase. The total cost is 9, and no formal optimality or convergence guarantee is provided (Paudice et al., 2018). The empirical claim is not that the heuristic is globally optimal, but that it is efficient and effective.
Subsequent work derived more specialized constructions. For binary logistic regression in distributed classification, one formulation decomposes the poisoned gradient as
0
and chooses the flipped labels to minimize alignment with the honest gradient, or, in the targeted case, to steer the parameters toward a desired 1. Because the resulting subproblem is a 2–3 knapsack-style problem with equal weights and linear objective, the paper gives a greedy algorithm that is provably optimal at each training step: compute 4, select the 5 smallest values, and set their labels according to the sign of 6 (El-Kabid et al., 28 Feb 2025). This is a different notion of optimality from the global bi-level optimum in (Paudice et al., 2018).
Backdoor-oriented TLFAs use different machinery. DirtyFlipping defines a poisoned dataset 7 where 8 and 9 on poisoned indices, trains 0 on the resulting 1, and in practice implements a simple “label-on-label” mechanism: flip the label to 2 with probability 3, then insert the trigger (Mengara, 2024). FLIP instead approximates an intractable bilevel problem by trajectory matching: it trains a traditionally backdoored expert, introduces soft labels 4, and updates them so that one SGD step on clean images plus soft labels matches the expert’s step on triggered images plus backdoor labels. Hard labels are then obtained by selecting the top-5 examples by a margin criterion and setting 6 (Jha et al., 2023). These constructions show that targeting can be mediated either by validation-loss maximization, gradient misalignment, or training-trajectory imitation.
4. Representative variants and empirical behavior
In centralized linear classification, the original TLFA study evaluated UCI BreastCancer, MNIST 7 vs 8, and Spambase with a hinge-loss linear classifier trained by SGD on 9 training and 0 trusted validation examples per split. At 1 flips and with no defense, the reported error increased by a factor 2 on BreastCancer, 3 on MNIST, and 4 on Spambase (Paudice et al., 2018). In mobile-exfiltration malware detection, a heuristic TLFA that flips only malign examples meeting a feature-based criterion is consistently more destructive than random label flipping at 5: final accuracy is lower by about 6–7 points across Decision Tree, Random Forest, SVM, Logistic Regression, and 8NN, and the false-negative rate on the target class rises more sharply (Ramirez et al., 2022). These are targeted availability attacks: they bias the decision boundary against a chosen class without necessarily using triggers.
Backdoor-style TLFAs behave differently. DirtyFlipping uses a dynamic clapping trigger in speech and reports, on TIMIT with 9 poisoning and target class “9,” that benign accuracy remained within approximately 0–1 depending on model while attack success rate rose to 2 for all seven architectures; on transformers fine-tuned on TIMIT, attack success rate was also 3 across eight models (Mengara, 2024). FLIP reports on CIFAR-10 with ResNet-32 and a sinusoidal trigger that, at 4 flips, corresponding to 5 of the labels, Clean Test Accuracy changes from 6 to 7 while Poison Test Accuracy rises to 8 (Jha et al., 2023). Both results contradict the older assumption that backdoors require training-time feature corruption.
Federated-learning studies emphasize source–target misclassification. FL-Defender evaluates label-flipping on MNIST, CIFAR-10, and IMDB and reports that, with 9 attackers out of 0, attack success rate on CIFAR10-IID drops from approximately 1 under FedAvg to approximately 2 under FL-Defender, while source-class accuracy rises from 3 to 4 (Jebreel et al., 2022). Road-condition-classification studies show that the same attack family is safety-relevant: under TLFA without defense, FedAvg’s Source Recall falls by about 5 percentage points and Attack Success Rate rises by about 6 percentage points; under one defensive pipeline, average Source Recall reaches 7 and average ASR 8, outperforming the best competing defense by 9 percentage points in SRE and 0 percentage points in ASR (Liu et al., 19 Mar 2026). This suggests that TLFAs are especially consequential when label order encodes hazard severity.
5. Defensive and certified approaches
A prominent centralized defense is label sanitization by local consistency. The 1-NN sanitizer examines each training point, finds its 2 nearest neighbors, computes
3
and, if that confidence exceeds 4, relabels the point to the neighborhood mode; the pass may be repeated until no labels change (Paudice et al., 2018). With 5 and 6 chosen by validation, BreastCancer and Spambase errors essentially return to clean-data levels even at 7 flips, while MNIST suffers only a slight additional increase (Paudice et al., 2018). A related 8-NN sanitizer in wearable HAR uses a trusted dataset 9; with 0 and 1, accuracy on recovered data remains above 2 even at 3 poisoning (Shahid et al., 2022). These defenses are classifier-agnostic but depend on clean reference data.
Certified robustness takes a different route. Randomized smoothing over labels flips each training label with probability 4 to a uniformly random other label, defines the smoothed classifier
5
and derives deterministic analytical bounds on the number of adversarial label flips that cannot change the prediction (Rosenfeld et al., 2020). In the binary case, if the winning class has probability 6, the prediction is certified invariant for
7
On MNIST 8 vs 9, the smoothed model with 00 attains certified accuracy of approximately 01 up to 02 flips and approximately 03 up to 04 flips; on CIFAR-10, with 05, certified accuracy is approximately 06 up to 07 label flips (Rosenfeld et al., 2020). The significance is that these are pointwise certificates rather than empirical heuristics.
Federated-learning defenses typically operate on updates rather than raw labels. One family exploits last-layer or output-neuron anomalies caused by source–target flipping: FL-Defender computes pairwise cosine similarities of last-layer gradients, compresses the similarity matrix with PCA, and reweights clients by deviation from the centroid (Jebreel et al., 2022); another 2022 method extracts the two most affected output-layer neurons, clusters client gradients with 08-means or HDBSCAN depending on the non-IID regime, and filters out the suspicious cluster before aggregation (Jebreel et al., 2022). Later road-condition defenses narrow the same intuition. FLARE identifies the two output neurons with largest cumulative change, clusters the corresponding client sub-vectors with HDBSCAN, filters out outliers, and blacklists repeated offenders; it reports the best or second-best ASR and weighted error in 09 of evaluated cases (Liu et al., 16 Jul 2025). DEFEND uses neuron-wise magnitude analysis, GMM clustering, validation via Source Recall and ASR thresholds, and adaptive client ratings, reporting at least 10 improvement over seven baselines and under-attack performance matching attack-free scenarios (Liu et al., 5 Dec 2025). FedTrident extends this with angle-plus-magnitude neuron analysis, adaptive client rating, and machine unlearning for remediation of already-corrupted global models (Liu et al., 19 Mar 2026). A different line, HSCSFL, scores clients by the dot product between a global risk vector and a per-class client accuracy vector derived from a clean evaluation set; with 11 selection in Non-IID settings, it restores MNIST global accuracy to approximately 12 and attacked-class accuracy to approximately 13, versus approximately 14 global accuracy and approximately 15 attacked-class accuracy without HSCSFL (Li et al., 2023). AntiFLipper shifts most filtering work to the client side, using deviations in local accuracy to update trust scores, and reports 16 accuracy on MNIST-IID under a constant 17 TLFA adversary with 18 ms aggregation time (Rahman et al., 26 Sep 2025).
6. Limitations, misconceptions, and open research questions
A common misconception is that label flipping is intrinsically a weak or merely noisy attack. The cumulative evidence does not support that view. Validation-guided flipping can multiply test error several-fold in centralized linear models (Paudice et al., 2018); feature-guided class-specific flipping can substantially raise false negatives in malware detection (Ramirez et al., 2022); and label-only backdoor methods can achieve near-perfect attack success while preserving benign accuracy (Jha et al., 2023, Mengara, 2024). Another misconception is that targeted label flipping necessarily requires feature tampering. DirtyFlipping and FLIP show that feature manipulation is not required at training time for strong backdoor behavior, although DirtyFlipping does add a trigger to poisoned inputs and FLIP applies the trigger only at test time (Mengara, 2024, Jha et al., 2023).
Several limitations recur across both attacks and defenses. The original greedy TLFA has no formal optimality or convergence guarantee (Paudice et al., 2018). Many strong attacks rely on extra knowledge: the 2018 white-box threat model assumes access to the defender’s algorithm and a clean validation set (Paudice et al., 2018), while FLIP requires access to some clean training images and an expert-trajectory construction (Jha et al., 2023). Many defenses require clean side information: 19-NN sanitization needs trusted data or clean local neighborhoods (Paudice et al., 2018, Shahid et al., 2022); HSCSFL requires a small clean evaluation set on the server (Li et al., 2023); and several federated defenses implicitly assume that malicious clients are a minority in the relevant feature space (Jebreel et al., 2022). Non-IID heterogeneity is another recurring obstacle: existing FL methods that appear adequate in IID settings can fail under Non-IID label flipping, which is precisely the motivation for HSCSFL and related schemes (Li et al., 2023).
Open problems identified across the literature are also converging. DirtyFlipping reports that Activation Clustering and Spectral Signature Analysis both fail to detect its poisoned samples, and the paper conjectures that speech-specific defenses may be necessary (Mengara, 2024). FLIP notes that SPECTRE can detect its label-flipped examples in representation space, leaving bypassing such defenses open (Jha et al., 2023). The logistic-regression study on label-only availability attacks shows an interplay between write-access and flipping budget: for the same overall corrupted fraction 20, broader write-access with smaller per-access budget can hurt more than narrower access with higher budget (El-Kabid et al., 28 Feb 2025). This suggests that future theory should not summarize TLFA power by a single poisoning fraction alone. More generally, the literature indicates that TLFAs occupy a boundary region between classical data poisoning, targeted misclassification, and backdoor learning, and that robust defenses will likely need to combine label-consistency checks, trusted reference data, update-level anomaly detection, and, where possible, formal certification (Rosenfeld et al., 2020).