Approaching the Harm of Gradient Attacks While Only Flipping Labels

📅 2025-02-28
📈 Citations: 0
Influential: 0
📄 PDF

career value

183K/year
🤖 AI Summary
This work investigates whether label-flipping attacks—without modifying input features—can degrade model utility during training to a degree comparable with gradient-based attacks. The authors formalize the “write capability” of label-flipping attacks, propose an attacker-optimized loss function, and systematically analyze both targeted and untargeted flipping strategies. Theoretically and empirically, they demonstrate that even a limited flip budget suffices to render models ineffective under standard distributed learning settings. This study provides the first rigorous proof that pure label flipping alone constitutes a potent availability attack. It further reveals a fundamental trade-off between write capability (i.e., the number of labels an adversary can manipulate) and flip budget, and shows that the resulting utility degradation approaches that of gradient attacks. These findings underscore label flipping as a lightweight yet highly stealthy threat with severe implications for model reliability and trustworthiness in collaborative learning environments.

Technology Category

Application Category

📝 Abstract
Availability attacks are one of the strongest forms of training-phase attacks in machine learning, making the model unusable. While prior work in distributed ML has demonstrated such effect via gradient attacks and, more recently, data poisoning, we ask: can similar damage be inflicted solely by flipping training labels, without altering features? In this work, we introduce a novel formalization of label flipping attacks and derive an attacker-optimized loss function that better illustrates label flipping capabilities. To compare the damaging effect of label flipping with that of gradient attacks, we use a setting that allows us to compare their emph{writing power} on the ML model. Our contribution is threefold, (1) we provide the first evidence for an availability attack through label flipping alone, (2) we shed light on an interesting interplay between what the attacker gains from more emph{write access} versus what they gain from more emph{flipping budget} and (3) we compare the power of targeted label flipping attack to that of an untargeted label flipping attack.
Problem

Research questions and friction points this paper is trying to address.

Investigates harm caused by label flipping attacks in ML.
Compares label flipping damage to gradient attacks.
Explores attacker gains from write access vs flipping budget.
Innovation

Methods, ideas, or system contributions that make the work stand out.

Novel formalization of label flipping attacks
Attacker-optimized loss function for label flipping
Comparison of label flipping and gradient attacks
🔎 Similar Papers
No similar papers found.