Label Noise Detection System Against Label Flipping Attack


The label flipping attack is a special poisoning attack in the adversarial environment. By adding noise to the data, it destroys the learning process of the model and degrades its decision-making performance. Recent literature uses semi-supervised learning techniques to defend against label flipping attacks; however, these methods require a clean dataset to achieve their goals. This study proposes a novel label noise processing framework to correct the labels of contaminated samples in the data preprocessing stage. Based on five real UCI datasets, we evaluated the effectiveness of the semi-supervised defensive label noise correction algorithm based on the AdaBoost algorithm (AdaSSL). With a noise ratio of 0~20%, we compared the classification performance of six classic machine learning algorithms (NB, LR, SVM, DT, KNN and MLP) under the AdaSSL defense algorithm. The results show that, compared with the most advanced semi-supervised defense algorithms in the literature, our algorithm does not need an additional dataset. At a noise ratio of 10%, the AdaSSL algorithm is significantly better than state-of-the-art label noise defense technology.


Introduction
Whether the training data is clean plays a role in the performance of a supervised machine learning model; preprocessing the data before model training is therefore a very critical step. In the adversarial environment, attackers exploit the vulnerability of uncertain or untrustworthy data to launch attacks on machine learning [24]. The poisoning attack is a kind of adversarial attack that affects the learning of the model by tampering with the features and labels of the training data [2,26]. Research on attacks against machine learning shows that, by poisoning only a small part of the training data, optimal poisoning attacks can effectively reduce the classification performance of models such as SVM [5], feature selection methods [16] and DNNs [18] [20]. The label flipping attack is a very harmful poisoning attack, which deceives the machine learning classifier by tampering with the labels of the training data. Biggio et al. [4] proposed an adversarial-rotating label flipping attack algorithm to destroy the learning process of SVM. Xiao et al. [27] increased the classification error of the classifier on the attack-free dataset by finding an optimal set of label flips. Taheri et al. [24] evaluated the impact of a label flipping attack algorithm based on Silhouette clustering on Android malware classification.
There is no general defense mechanism against poisoning attacks in security applications; current research mostly designs a defense mechanism for a specific application. For example, Paudice et al. [20] use outlier detection algorithms to effectively remove suspicious points from the data, but this is not suitable for dealing with adversarial label flipping attacks. Reference [3] uses principal component analysis for dimensionality reduction to enhance the robustness of machine learning, but this method is not suitable for large datasets.
The label flipping attack is a destructive form of label noise, which brings many potential negative effects on classification: for example, label noise reduces the accuracy of predictions and increases the complexity of model learning. There are currently many label noise processing technologies. In [31], the authors propose an adaptive voting noise correction (AVNC) algorithm to detect noisy labels. Li et al. [15] proposed a new label noise correction technique, MCC. The authors combine the advantages of the K-Means clustering algorithm and the KNN classification algorithm to estimate the noise rate in the data and divide it into three levels; a different correction technique is used for each noise level. Compared with previous noise correction techniques, this algorithm is suitable not only for binary classification problems but also handles noise in multi-class problems well.
Similar to most research on noise detection mechanisms, this article focuses on the label noise that exists in the binary classification task. From the perspective of label noise, we propose a label noise detection framework, mainly used to mitigate the degradation of classification performance caused by label flipping attacks. The goal of the label attack is to modify the sample labels of the training set so that their distribution deviates from the true distribution of the data. To solve this problem, we use the AdaBoost algorithm, which assigns greater weight to noisy samples, to find such samples, and then relabel them with a semi-supervised algorithm. Our contributions are as follows:
1. We propose a label noise detection framework, which reflects the main task of this research.
2. Aiming at the label flipping attack in the data, a semi-supervised label correction algorithm based on the AdaBoost algorithm is proposed. The effectiveness of the method is verified on five real UCI datasets.
3. Compared with the latest semi-supervised defense algorithms, the AdaSSL algorithm proposed in this paper does not need an additional clean dataset to correct noisy labels.
The rest of the paper is organized as follows. Section 2 introduces the related work of label noise defense. Section 3 elaborates the proposed label noise detection framework. In Section 4, we show the experimental performance of the algorithm on real datasets. Section 5 compares our algorithm with the latest defense algorithm. Section 6 summarizes the full text and draws our conclusions.

Related work
We review the related work of label noise defense from label noise detection algorithm and label flipping attack defense strategy.

Label noise detection algorithm
The data in practical applications is easily contaminated by label noise, which affects the training of the model and reduces the classification accuracy in the prediction stage [9]. Current techniques for processing label noise fall into three categories: 1) the inherent robustness of the learning algorithm; 2) data cleaning methods; 3) label noise tolerant algorithms. Researchers often rely on the inherent robustness of the loss function, or design a new robust loss function, to deal with the negative effects of random label noise.
Reference [12] studied the tolerance of risk minimization to label noise and proved the robustness of the 0-1 loss function to uniform and non-uniform noise. The experimental results show that when the loss function has sufficiently large parameter values, the sigmoid loss, ramp loss and probit loss are also tolerant of non-uniform noise. In the multi-classification task, Aritra et al. [11] showed that loss functions based on the absolute value of the error (MAE) are inherently robust to label noise in neural network learning. However, when using the MAE loss, training the network becomes very slow, because the gradient saturates quickly during training. Zhang et al. [32] proposed a new noise-robust loss function, the truncated Lp loss, which is an extension of the MAE and CCE loss functions, combining the robustness of MAE to noise with the fast convergence of CCE.
The ensemble method improves the classification performance of the model by correcting the errors of a single classifier. Sluban et al. [23] studied the relationship between ensemble diversity and noise detection performance. Their studies show that using majority voting schemes to increase the diversity of the system does not bring better noise detection performance, whereas in noise detection systems based on consensus voting, different systems can obtain higher noise detection recall and higher F1-score values. Samami et al. [21] addressed the shortcomings of the above two voting schemes. They proposed a new classification noise detection strategy, a highly consistent voting filtering method with a hybrid strategy. Using five classification algorithms such as KNN, SVM, DT, NB and SVM to jointly label the data, the noise is divided into three categories: strong noise, semi-strong noise and weak noise. The superiority of the proposed method is proved under two noise levels of 10% and 15%. Aiming at the large amount of unlabeled and noisy data, Yan et al. [28] proposed an effective robust semi-supervised ensemble learning method (ROSSEL). First, they use a set of weak annotators to generate a large number of pseudo-labels for the unlabeled data to approximate the true labels of the labeled data. They then use multi-label kernel learning (MLKL) for weighted label aggregation, which has low time complexity.
Aiming at uniformly distributed noise and normally distributed noise, Nicholson et al. [19] proposed a self-training noise correction algorithm (STC) and a cluster-based noise correction algorithm (CC). Experiments were conducted on binary, multi-class and crowdsourced datasets, and the results showed that CC performs better under different levels of noise. Li et al. [15] improved the clustering-based noise correction algorithm. They combined the advantages of supervised and unsupervised learning algorithms and proposed a new method to improve data quality: the KNN algorithm is used to estimate the noise level in the data, and this noise estimate is combined with the correction process.
Studies have shown that smoothing techniques can also effectively mitigate the influence of label noise on the model. Lukasik et al. [17] therefore proposed a method that uses label smoothing to deal with label noise. Moreover, the authors prove through experiments that label smoothing can improve the performance of the model under label noise, and that it is quite competitive with loss correction techniques under label noise.
Existing noise detection and recognition techniques usually rely on supervision, but such supervision is not scalable. For this reason, Sharma et al. [22] proposed an unsupervised learning method using Markov random fields to detect label noise and verified its effectiveness through experiments. This method builds a dependency model to estimate the posterior probability of an instance being mislabeled in a given dataset and ranks the instances according to that posterior probability.

Label flipping attack defense method
Unlike the label noise detection techniques introduced in the previous section, data filtering and robust learning are two commonly used approaches to defend against poisoning attacks, in which attackers purposefully corrupt the data [6]. Data filtering mainly identifies contaminated samples in the training set and removes them, while the purpose of robust learning is to improve the robustness of the model to noisy data. Because an attack changes the geometric characteristics of the data, reference [6] uses data complexity to describe the geometric characteristics of the dataset. The authors use three different data complexity measures to describe the characteristics of the dataset from different angles and distinguish contaminated samples from uncontaminated samples based on these measures. The performance of this method is better than current data filtering methods and it is suitable for the security field. For label flipping attacks, Paudice et al. [20] proposed a suspicious point detection and relabeling algorithm to reduce the negative impact of the attack. The main idea of this algorithm is to use KNN to assign a label to each instance in the training set, but its performance is limited. Based on the characteristics of semi-supervised learning, Taheri et al. [24] proposed two semi-supervised algorithms to correct incorrect labels against the label flipping attack.

Semi-supervised learning label correction framework based on AdaBoost
This section introduces the semi-supervised learning label correction framework based on AdaBoost, shown in Figure 1. Our proposed method consists of two main modules. The first module uses the AdaBoost algorithm to calculate the weights of the training samples containing noisy labels, and passes the set of samples with larger weights to the semi-supervised learning module. In the second module, we use the semi-supervised learning algorithm to detect and relabel this group of samples. The techniques used in this framework are discussed in detail below.

Problem definition
We consider the label flipping attack in the binary classification task. Assume that the samples in the training dataset $S_{tr} = \{(x_1, \tilde{y}_1), \dots, (x_i, \tilde{y}_i), \dots, (x_m, \tilde{y}_m)\}$ come from an unknown distribution $D$, where $m$ is the number of training samples, $x_i$ is the feature representation of a training sample, and $\tilde{y}_i \in \{-1, +1\}$ is the sample label, possibly contaminated by label noise. Let $y_i$ be the true label of sample $x_i$. If $x_i$ is contaminated by label noise, then $\tilde{y}_i = -y_i$; otherwise, $\tilde{y}_i = y_i$.

Classification algorithms
We use several classic supervised machine learning techniques [25] to classify the binary samples in this study. Each of these algorithms has different characteristics, and we use them to make a more comprehensive comparison. Depending on the form of the parameters in the learning algorithm, classifiers can be divided into parametric and non-parametric. In this article, we use two parametric classification methods (LR and NB) and four non-parametric classification algorithms (SVM, DT, KNN and MLP).
To simplify use and calculation, the naive Bayes classifier adds the assumption of conditional independence to the Bayes classifier; it is widely used in text classification and other fields [8]. Imbalance between data categories is a big problem often encountered in machine learning classification. Logistic regression is a linear classifier suitable for large samples and for imbalanced data [29]. SVM is a widely used supervised learning technique, which has been successfully applied in various fields [7]. KNN is robust to noisy data. It is an instance-based learning algorithm that determines the category of a test sample by comparing the labels of the K training samples closest to it [13]. The working method of artificial neural networks is similar to the way the human brain makes decisions; a more compact network structure is used to improve the classification accuracy of the model [25]. Compared with neural networks, decision trees are a highly interpretable model. C4.5 and CART are two decision tree techniques that are currently widely used [14].

Defense strategy
In this section, we discuss the label noise detection framework against the label flipping attack. First, a set of suspicious (noisy) samples is captured based on the sensitivity of the AdaBoost algorithm to noisy data; then the semi-supervised learning algorithm is used to relabel this sample set. The label noise detection method is shown in Algorithm 1.

Algorithm 1 AdaSSL
Input: $X_{train}$, $Y_{noise}$, weak classifier $C$, iterations $T$
Output: Corrected label $Y$
1: Initialize the weight of each training sample $\omega_{1i} = 1/m$
2: for $t = 1$ to $T$ do
3:   Train a base classifier $C_t$ with the weak classification algorithm $C$ and compute its classification error rate (Eq. 1)
4:   Use the AdaBoost weight update (Eq. 2) to increase the weights of the samples misclassified by $C_t$, i.e. those with $C_t(x_i) \neq y_i$
5: end for
6: After $T$ iterations, obtain the final classifier $C(x) = \mathrm{sign}\left(\sum_{t=1}^{T} \alpha_t C_t(x)\right)$
7: Through the final classifier, find the set $U$ of samples with larger weights
8: Use a semi-supervised learning algorithm to relabel $U$, obtaining the corrected label set $Y$

AdaBoost Algorithm
The AdaBoost algorithm is a Boosting ensemble method for binary classification, first proposed by Freund et al. [10]. The core of the algorithm is to train multiple weak classifiers on the same training set and linearly combine them into a strong classifier through $T$ iterative updates, until a sufficiently small classification error rate is achieved. The error rate of each base classifier is given by Eq. 1, where $\omega_{ti}$ is the weight of training sample $i$ in round $t$ and $C_t(x_i)$ is the base classifier obtained after $t$ iterations on the training set. The advantage of the AdaBoost algorithm is that it updates the sample weights in every round: samples misclassified in the previous round receive a larger weight, and correctly classified samples have their weight reduced. The update of the training sample weights is given by Eq. 2, where $\alpha_t$ is the coefficient of the base classifier $C_t$, representing its importance in the final decision, and $Z_t = \sum_{i=1}^{m} \omega_{ti}\, e^{-\alpha_t y_i C_t(x_i)}$ is the normalization factor for the sample weights.
The AdaBoost algorithm is very sensitive to noisy and abnormal data. During the iterative update of model training, AdaBoost adjusts the sample weights according to the previous training result. Therefore, given label noise in the training dataset, we use the iterative principle of AdaBoost to find a set of suspicious samples with larger sample weights. Next, we pass these noisy samples to the semi-supervised learning module and use the strengths of semi-supervised learning to further process their labels.

Semi-supervised learning method
Semi-supervised algorithms lie between supervised and unsupervised learning. Generally speaking, the tasks of semi-supervised learning are the same as those of supervised learning and have clear goals, such as classification. The semi-supervised learning algorithm is suitable for classification tasks in which a small number of samples are labeled and the remaining samples are unlabeled. The labeled sample set can be expressed as $S_{label} = \{(x_1, y_1), (x_2, y_2), \dots, (x_l, y_l)\}$, and the unlabeled sample set as $S_{unlabel} = \{x_{l+1}, x_{l+2}, \dots, x_{l+t}\}$. A model is trained on the unlabeled set with the help of the labeled set, finally yielding a classifier for the test samples.
The use of semi-supervised learning techniques to label unlabeled samples is generally based on two assumptions: the clustering assumption and the manifold assumption. The clustering assumption divides categories according to the distance between samples; the core idea of the manifold assumption is that data samples in the same local neighbourhood have similar characteristics, so the categories to which these samples belong should also be similar. At present, the more popular semi-supervised learning methods include self-training methods, semi-supervised SVM methods, generative model methods and graph-based semi-supervised learning methods [1].
The semi-supervised learning technique used in our label noise detection framework is based on the manifold assumption: the model is trained on the labeled dataset and used to correct the labels of the noisy data.
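As an added example (not the paper's own code), the following Python sketch runs Algorithm 1 end to end on a constructed two-cluster dataset: AdaBoost with decision stumps supplies the per-sample weights, samples whose final weight exceeds a multiple of the uniform weight 1/m form the suspicious set U, and U is relabeled by a k-nearest-neighbour vote over the remaining samples, a simple manifold-assumption stand-in for the semi-supervised learner described above. The stump learner, the flag factor, k, T and the dataset are assumptions of this example, not choices made by the paper.

```python
"""AdaSSL-style label correction (added example, not the paper's own code).
AdaBoost with decision stumps weights the noisy training set; samples with large
final weights form the suspicious set U, relabeled by a kNN vote over the non-flagged
samples. The stump learner, flag_factor, k, T and the dataset are assumptions."""
import math
import random
from collections import Counter

def stump_predict(stump, x):
    """Decision stump: polarity if x[feature] > threshold, else -polarity."""
    feature, threshold, polarity = stump
    return polarity if x[feature] > threshold else -polarity

def best_stump(X, y, w):
    """Weak learner C: exhaustive search for the stump of minimal weighted error."""
    best, best_err = None, float("inf")
    for j in range(len(X[0])):
        values = sorted(set(x[j] for x in X))
        for theta in [(a + b) / 2 for a, b in zip(values, values[1:])]:
            for polarity in (1, -1):
                err = sum(w[i] for i, x in enumerate(X)
                          if stump_predict((j, theta, polarity), x) != y[i])
                if err < best_err:
                    best, best_err = (j, theta, polarity), err
    return best, best_err

def adaboost_weights(X, y, T):
    """Run up to T AdaBoost rounds and return the final sample weights omega_Ti."""
    m = len(X)
    w = [1.0 / m] * m                                 # omega_1i = 1/m
    for _ in range(T):
        stump, eps = best_stump(X, y, w)
        if eps >= 0.5:                                # nothing better than chance
            break
        alpha = 0.5 * math.log((1 - eps) / max(eps, 1e-10))
        # standard AdaBoost update: omega_i *= exp(-alpha_t * y_i * C_t(x_i)) / Z_t
        w = [w[i] * math.exp(-alpha * y[i] * stump_predict(stump, X[i]))
             for i in range(m)]
        z = sum(w)
        w = [wi / z for wi in w]
    return w

def knn_relabel(X, y, suspicious, k=5):
    """Relabel each suspicious sample by majority vote of its k nearest
    non-suspicious neighbours; the non-flagged samples act as the labeled set."""
    labeled = [i for i in range(len(X)) if i not in suspicious]
    corrected = list(y)
    for i in suspicious:
        nearest = sorted(labeled, key=lambda j: sum(
            (a - b) ** 2 for a, b in zip(X[i], X[j])))[:k]
        corrected[i] = Counter(y[j] for j in nearest).most_common(1)[0][0]
    return corrected

def adassl(X, y_noisy, T=5, flag_factor=2.0, k=5):
    """Algorithm 1: flag samples whose AdaBoost weight exceeds flag_factor/m,
    then relabel them; returns (corrected labels, suspicious index set U)."""
    m = len(X)
    w = adaboost_weights(X, y_noisy, T)
    suspicious = {i for i in range(m) if w[i] > flag_factor / m}
    return knn_relabel(X, y_noisy, suspicious, k), suspicious

def make_demo(seed=7, n_per_class=40, n_flip=8):
    """Constructed data: two 2-D Gaussian clusters, then n_flip labels flipped (10%)."""
    rng = random.Random(seed)
    X, y_true = [], []
    for label, (cx, cy) in ((1, (2.0, 2.0)), (-1, (-2.0, -2.0))):
        for _ in range(n_per_class):
            X.append((rng.gauss(cx, 0.8), rng.gauss(cy, 0.8)))
            y_true.append(label)
    flipped = set(rng.sample(range(len(X)), n_flip))
    y_noisy = [-lab if i in flipped else lab for i, lab in enumerate(y_true)]
    return X, y_true, y_noisy, flipped

def run_demo():
    """Label agreement with the truth before and after correction, plus the sets."""
    X, y_true, y_noisy, flipped = make_demo()
    y_fixed, flagged = adassl(X, y_noisy)
    agree = lambda a, b: sum(p == q for p, q in zip(a, b)) / len(a)
    return {"before": agree(y_noisy, y_true), "after": agree(y_fixed, y_true),
            "flagged": flagged, "flipped": flipped}
```

Calling run_demo() shows the flipped samples collecting the largest AdaBoost weights after the first rounds, and the kNN vote restoring their labels because their neighbours in feature space carry the cluster's majority label.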

Experiment
To evaluate the effectiveness of the proposed label noise detection framework against the label flipping attack, we conduct experiments on five standard datasets from the UCI machine learning repository. First, the entropy method based label flipping attack [30] is used to artificially introduce 5%, 10%, 15% and 20% label noise. Then we use the machine learning algorithms of Section 3.2 to classify the datasets and compare their performance under the label attack and under the defense method. Next, we use the label noise detection framework proposed in Section 3 to correct the noisy datasets. Finally, we again use the above machine learning techniques to classify the datasets. The effectiveness of our method is verified by comparing the classification performance before and after label correction.

Dataset description
We conducted experiments on five UCI datasets: Spambase, Breast-w, Kr-vs-kp, Diabetes and Biodeg. These datasets have different feature distributions, numbers of instances and feature types. Table 1 describes the details of these datasets. We split each dataset into training and test sets at a 4:1 ratio. Note that the only preprocessing applied is standardization of the features; there is no further processing.

Evaluation metric
To show the effectiveness of the proposed method, we use the evaluation metrics Accuracy, F1-score, AUC, Recall and Precision to report the classification performance of the machine learning algorithms on these datasets. Formulas (3)-(6) give the definitions of these metrics. In them, TP is the number of correctly classified positive samples, TN the number of correctly classified negative samples, FP the number of negative samples misclassified as positive, and FN the number of positive samples misclassified as negative. Accuracy is the proportion of correctly predicted samples among all samples; Recall is the probability that an actual positive sample is predicted as positive; Precision is an index of the prediction results, the proportion of samples predicted as positive that are actually positive; F1-score is a comprehensive metric of recall and precision, and the higher the F1 value, the better the performance of the model; AUC is used to measure the robustness of the model to noise.

Experimental results
We evaluate the defense performance of the AdaSSL algorithm against the label noise attack, focusing on the label flipping attack based on the entropy method. The noise ratio is defined as the percentage of contaminated samples among the training samples. Based on the UCI datasets used in this study, Figure 2 shows the accuracy of the classification models under the entropy method attack and under the label noise defense strategy. It can be seen from Figure 2 that in the attack interval [0, 0.2], the accuracy of the machine learning algorithms on the five datasets decreases in the range of 15% to 30%, which illustrates the effectiveness of the entropy method attack. Except for the NB classifier, the test accuracy of the supervised classifiers dropped by about 20% when the attack rate was 20%, which shows that traditional machine learning classification methods are very sensitive to the label noise attack. Figure 2 also shows that the semi-supervised label correction method based on AdaBoost proposed in this paper effectively reduces the effect of the attack: the performance of the classification model trained on the label-corrected training set is generally better than that of the classification algorithm under the label noise attack. However, on the Biodeg dataset our method performs poorly with the NB classifier. This is because the NB algorithm is more robust to noise and NB is a generative model; this attack method makes the distribution of the training data closer to that of the test data. On these datasets, our method improves the average classification accuracy under attack by 3.92%, 6.51%, 7.74%, 0.98% and 3.22% respectively. Figures 3 and 4 show the changes of the F1-score and AUC values on all UCI datasets under label noise pollution and under the defense strategy. The F1-score is a comprehensive evaluation metric of recall and precision.
It can be seen from Figure 3 that, for the drop in F1-score caused by the label contamination attack, the AdaSSL label correction method proposed in this study significantly improves the label quality of the contaminated samples. For example, on the Biodeg dataset the F1-score of the SVM model drops to 0 at a noise ratio of 20%, because the positive samples of the test set are misclassified by the model under the influence of the entropy label noise. After the labels of the training data are improved with our proposed AdaSSL method, the experimental results show that the F1-score on this dataset is significantly improved. The AUC value measures the robustness of the classification model to noise. It can be seen from Figure 4 that on these binary-class datasets, our method significantly improves the label quality of the data attacked by label contamination. In summary, the AdaSSL algorithm disinfects tainted data labels, which improves the robustness of machine learning algorithms to noisy data.

Discussion
To further demonstrate the effectiveness of the AdaSSL defense algorithm, we compare it with the three latest semi-supervised label attack defense algorithms (KSSD [20], LSD [24] and CSD [24]). We compared the performance of these defense methods under the entropy method based label flipping attack on the Spambase dataset, choosing SVM, LR and MLP as three representative classification algorithms. Tables 2 and 3 respectively show the Accuracy and F1-score values of these defense algorithms at 10% and 20% noise ratios. The tables show that at an attack rate of 10%, the AdaSSL method proposed in this study has the best performance, followed by the CSD, KSSD and LSD algorithms. KSSD has the best defense performance at a noise ratio of 20%, followed by our AdaSSL algorithm. We also found that the performance of the KSSD algorithm is the same regardless of whether the noise ratio is 10% or 20%. This is because the KSSD algorithm uses another clean validation dataset to correct noisy labels.

Conclusion
In this article, we design a novel noise detection framework to defend against the label flipping attack. As the core component of the detection framework, the AdaSSL algorithm combines the sensitivity of the AdaBoost algorithm to noise with the ability of the semi-supervised learning algorithm to classify unlabeled data, in order to correct noisy labels. We verified the effectiveness of this method on five real UCI datasets and compared it with the three latest semi-supervised defense algorithms. In the future, we hope to apply the proposed detection framework to specific research fields.

Ning Cheng performed the data analyses and wrote the manuscript; Zhanbo Li helped perform the analysis with constructive discussions.

Compliance with ethical standards
Conflict of interest The authors declare that they have no conflict of interest.
Ethical approval This article does not contain any studies with human participants or animals performed by any of the authors.