Res-MIA: A Training-Free Resolution-Based Membership Inference Attack on Federated Learning Models

TL;DR

Res-MIA is a novel, training-free black-box membership inference attack on federated learning models that exploits the sensitivity of deep models to high-frequency input details, revealing privacy leaks.

Contribution

Introduces Res-MIA, a new attack method that does not require training shadow models or auxiliary data, and effectively detects membership with limited queries.

Findings

Res-MIA achieves up to 0.88 AUC on CIFAR-10 with ResNet-18.

It outperforms existing training-free membership inference baselines.

Frequency-sensitive overfitting is identified as a key privacy leakage source.

Abstract

Membership inference attacks (MIAs) pose a serious threat to the privacy of machine learning models by allowing adversaries to determine whether a specific data sample was included in the training set. Although federated learning (FL) is widely regarded as a privacy-aware training paradigm due to its decentralized nature, recent evidence shows that the final global model can still leak sensitive membership information through black-box access. In this paper, we introduce Res-MIA, a novel training-free and black-box membership inference attack that exploits the sensitivity of deep models to high-frequency input details. Res-MIA progressively degrades the input resolution using controlled downsampling and restoration operations, and analyzes the resulting confidence decay in the model's predictions. Our key insight is that training samples exhibit a significantly steeper confidence decline under resolution erosion compared to non-member samples, revealing a robust membership signal. Res-MIA requires no shadow models, no auxiliary data, and only a limited number of forward queries to the target model. We evaluate the proposed attack on a federated ResNet-18 trained on CIFAR-10, where it consistently outperforms existing training-free baselines and achieves an AUC of up to 0.88 with minimal computational overhead. These findings highlight frequency-sensitive overfitting as an important and previously underexplored source of privacy leakage in federated learning, and emphasize the need for privacy-aware model designs that reduce reliance on fine-grained, non-robust input features.