Table of Contents
Fetching ...

Res-MIA: A Training-Free Resolution-Based Membership Inference Attack on Federated Learning Models

Mohammad Zare, Pirooz Shamsinejadbabaki

TL;DR

Res-MIA presents a training-free, black-box membership inference attack for federated learning by progressively eroding input resolution and tracking the model’s confidence decay. The attack computes a confidence decay score $S(x)$ across $K$ erosion steps, revealing stronger membership signals for training samples than for unseen data. Empirical results on a federated ResNet-18 trained on CIFAR-10 show Res-MIA achieving up to $AUC=0.88$, outperforming baseline one-shot attacks while incurring modest computational overhead. This work highlights frequency-sensitive overfitting as a key privacy leakage channel and motivates defenses that reduce reliance on high-frequency input cues.

Abstract

Membership inference attacks (MIAs) pose a serious threat to the privacy of machine learning models by allowing adversaries to determine whether a specific data sample was included in the training set. Although federated learning (FL) is widely regarded as a privacy-aware training paradigm due to its decentralized nature, recent evidence shows that the final global model can still leak sensitive membership information through black-box access. In this paper, we introduce Res-MIA, a novel training-free and black-box membership inference attack that exploits the sensitivity of deep models to high-frequency input details. Res-MIA progressively degrades the input resolution using controlled downsampling and restoration operations, and analyzes the resulting confidence decay in the model's predictions. Our key insight is that training samples exhibit a significantly steeper confidence decline under resolution erosion compared to non-member samples, revealing a robust membership signal. Res-MIA requires no shadow models, no auxiliary data, and only a limited number of forward queries to the target model. We evaluate the proposed attack on a federated ResNet-18 trained on CIFAR-10, where it consistently outperforms existing training-free baselines and achieves an AUC of up to 0.88 with minimal computational overhead. These findings highlight frequency-sensitive overfitting as an important and previously underexplored source of privacy leakage in federated learning, and emphasize the need for privacy-aware model designs that reduce reliance on fine-grained, non-robust input features.

Res-MIA: A Training-Free Resolution-Based Membership Inference Attack on Federated Learning Models

TL;DR

Res-MIA presents a training-free, black-box membership inference attack for federated learning by progressively eroding input resolution and tracking the model’s confidence decay. The attack computes a confidence decay score across erosion steps, revealing stronger membership signals for training samples than for unseen data. Empirical results on a federated ResNet-18 trained on CIFAR-10 show Res-MIA achieving up to , outperforming baseline one-shot attacks while incurring modest computational overhead. This work highlights frequency-sensitive overfitting as a key privacy leakage channel and motivates defenses that reduce reliance on high-frequency input cues.

Abstract

Membership inference attacks (MIAs) pose a serious threat to the privacy of machine learning models by allowing adversaries to determine whether a specific data sample was included in the training set. Although federated learning (FL) is widely regarded as a privacy-aware training paradigm due to its decentralized nature, recent evidence shows that the final global model can still leak sensitive membership information through black-box access. In this paper, we introduce Res-MIA, a novel training-free and black-box membership inference attack that exploits the sensitivity of deep models to high-frequency input details. Res-MIA progressively degrades the input resolution using controlled downsampling and restoration operations, and analyzes the resulting confidence decay in the model's predictions. Our key insight is that training samples exhibit a significantly steeper confidence decline under resolution erosion compared to non-member samples, revealing a robust membership signal. Res-MIA requires no shadow models, no auxiliary data, and only a limited number of forward queries to the target model. We evaluate the proposed attack on a federated ResNet-18 trained on CIFAR-10, where it consistently outperforms existing training-free baselines and achieves an AUC of up to 0.88 with minimal computational overhead. These findings highlight frequency-sensitive overfitting as an important and previously underexplored source of privacy leakage in federated learning, and emphasize the need for privacy-aware model designs that reduce reliance on fine-grained, non-robust input features.
Paper Structure (12 sections, 4 equations, 7 figures, 5 tables)

This paper contains 12 sections, 4 equations, 7 figures, 5 tables.

Figures (7)

  • Figure 1: Overview of the Res-MIA attack pipeline. The input image is progressively degraded through resolution erosion. The target model is queried at each erosion step, and the resulting confidence decay is used to infer membership.
  • Figure 2: Illustrative confidence decay curves under progressive image erosion. Member samples exhibit a steeper confidence decline compared to non-member samples.
  • Figure 3: Experimental evaluation pipeline of Res-MIA in a federated learning setting.
  • Figure 4: Examples of progressive image erosion through successive resolution degradation steps.
  • Figure 5: Comparison of AUC values for different membership inference attacks.
  • ...and 2 more figures