attack 2025

MAUI: Reconstructing Private Client Data in Federated Transfer Learning

Ahaan Dabholkar, Atul Sharma, Z. Berkay Celik, Saurabh Bagchi

0 citations

Published on arXiv

2509.11451

Model Inversion Attack

OWASP ML Top 10 — ML03

Key Finding

Achieves 40–120% higher PSNR than prior data reconstruction attacks while remaining stealthy, using only classification head gradients across multiple architectures and batch sizes.

MAUI

Novel technique introduced


Recent works in federated learning (FL) have shown the utility of leveraging transfer learning for balancing the benefits of FL and centralized learning. In this setting, federated training happens after a stable point has been reached through conventional training. Global model weights are first centrally pretrained by the server on a public dataset, following which only the last few linear layers (the classification head) of the model are finetuned across clients. In this scenario, existing data reconstruction attacks (DRAs) in FL show two key weaknesses. First, strongly input-correlated gradient information from the initial model layers is never shared, significantly degrading reconstruction accuracy. Second, DRAs in which the server makes highly specific, handcrafted manipulations to the model structure or parameters (e.g., layers with all-zero weights, identity mappings and rows with identical weight patterns) are easily detectable by an active client. Improving on these, we propose MAUI, a stealthy DRA that does not require any overt manipulations to the model architecture or weights, and relies solely on the gradients of the classification head. MAUI first extracts "robust" feature representations of the input batch from the gradients of the classification head and subsequently inverts these representations to the original inputs. We report highly accurate reconstructions on the CIFAR10 and ImageNet datasets on a variety of model architectures including convolution networks (CNN, VGG11), ResNets (18, 50), ShuffleNet-V2 and Vision Transformer (ViT B-32), regardless of the batch size. MAUI significantly outperforms prior DRAs in reconstruction quality, achieving 40-120% higher PSNR scores.


Key Contributions

  • MAUI, a stealthy data reconstruction attack requiring no detectable model manipulations, operating solely on classification head gradients in federated transfer learning
  • A two-stage pipeline that extracts robust feature representations from classification head gradients and inverts them back to the original input images
  • Demonstrated 40–120% higher PSNR over prior DRAs across diverse architectures (CNN, VGG11, ResNet-18/50, ShuffleNet-V2, ViT B-32) at arbitrary batch sizes on CIFAR-10 and ImageNet

🛡️ Threat Analysis

Model Inversion Attack

MAUI is a gradient leakage/reconstruction attack in federated learning where a malicious server reconstructs clients' private training data solely from the gradients of the shared classification head — the canonical ML03 threat of adversarial data reconstruction from model gradients in FL.


Details

Domains
vision, federated-learning
Model Types
cnn, transformer, federated
Threat Tags
white_box, training_time, targeted
Datasets
CIFAR-10, ImageNet
Applications
federated learning, image classification