ML Security PapersAn Efficient Gradient-Based Inference Attack for Federated Learning
Pablo Montaña-Fernández , Ines Ortega-Fernandez
Published on arXiv
2512.15143
Membership Inference Attack
OWASP ML Top 10 — ML04
Model Inversion Attack
OWASP ML Top 10 — ML03
Key Finding
Strong MIA performance with comparable compute overhead to prior art; multi-round FL increases vulnerability, aggregators pose greater threat than data owners, and high-dimensional data yields stronger leakage than tabular data.
Gradient Norm Shadow MIA
Novel technique introduced
Federated Learning is a machine learning setting that reduces direct data exposure, improving the privacy guarantees of machine learning models. Yet, the exchange of model updates between the participants and the aggregator can still leak sensitive information. In this work, we present a new gradient-based membership inference attack for federated learning scenarios that exploits the temporal evolution of last-layer gradients across multiple federated rounds. Our method uses the shadow technique to learn round-wise gradient patterns of the training records, requiring no access to the private dataset, and is designed to consider both semi-honest and malicious adversaries (aggregators or data owners). Beyond membership inference, we also provide a natural extension of the proposed attack to discrete attribute inference by contrasting gradient responses under alternative attribute hypotheses. The proposed attacks are model-agnostic, and therefore applicable to any gradient-based model and can be applied to both classification and regression settings. We evaluate the attack on CIFAR-100 and Purchase100 datasets for membership inference and on Breast Cancer Wisconsin for attribute inference. Our findings reveal strong attack performance and comparable computational and memory overhead in membership inference when compared to another attack from the literature. The obtained results emphasize that multi-round federated learning can increase the vulnerability to inference attacks, that aggregators pose a more substantial threat than data owners, and that attack performance is strongly influenced by the nature of the training dataset, with richer, high-dimensional data leading to stronger leakage than simpler tabular data.
Key Contributions
- Novel gradient-based MIA for federated learning that exploits the temporal evolution of last-layer gradient norms across multiple FL rounds using shadow training, requiring no access to private data.
- Computationally efficient design using a single scalar (gradient norm) per round, enabling a lightweight logistic regression attack model applicable at scale.
- Model-agnostic attack applicable to any gradient-based model (classification and regression), with a natural extension to discrete attribute inference.
🛡️ Threat Analysis
Secondary contribution explicitly extends the attack to discrete attribute inference, recovering private training data attributes by contrasting gradient responses under alternative attribute hypotheses — this is recovering private attributes from the model.
Primary contribution is a new membership inference attack (MIA) for federated learning that determines whether specific records were in the training set, using shadow-trained logistic regression on last-layer gradient norms across multiple FL rounds.