Res-MIA: Resolution-Based MI Attack

• The paper introduces a novel training-free, black-box membership inference attack that uses resolution erosion to detect membership in federated models.
• It employs iterative downsampling and nearest-neighbor upsampling to quantify prediction confidence decay, capturing high-frequency overfitting.
• Experimental results on ResNet-18 with CIFAR-10 demonstrate an AUC of 0.88, highlighting significant privacy leakage vulnerabilities.

Res-MIA denotes a training-free, black-box membership inference attack exploiting deep models' sensitivity to high-frequency input details, specifically in federated learning environments. The method operates by repeatedly degrading the input image's resolution and quantifying the prediction confidence decay—an effect rooted in the frequency-dependent overfitting observed in over-parameterized neural networks. Unlike prior training-free attacks, Res-MIA requires no auxiliary data, shadow models, or access beyond standard model output scores, and demonstrates superior performance for federated models such as ResNet-18 trained on datasets like CIFAR-10 (Zare et al., 24 Jan 2026).

1. Formalization of Membership Inference and Resolution Erosion

Let $D_{\text{train}}$ be a private federated training dataset distributed across $N$ clients, with final model $f(\cdot)$ aggregated via FedAvg. Given black-box access to $f$, the adversary's challenge is to decide—for a candidate input $x$—between $H_0: x \notin D_{\text{train}}$ (non-member) and $H_1: x \in D_{\text{train}}$ (member). The adversarial goal is a binary test $\delta(x)\in\{0,1\}$ that maximizes TPR at low FPR.

The theoretical insight underpinning Res-MIA is that neural networks exhibit steeper loss of output confidence on training-set members when high-frequency image content is progressively removed by controlled resolution erosion. This phenomenon is attributed to the model's memorization of non-robust, fine-grained spectral cues present only in member samples.

2. Algorithmic Methodology

Resolution erosion is instantiated by iteratively applying average pooling (downsampling) and nearest-neighbor upsampling to the input image, thereby removing high spatial frequencies without introducing smoothing artifacts. For each degradation level $k$ ($k=0,1,\ldots, K$), the model's maximum predicted probability $N$0 is recorded, with $N$1 and subsequent $N$2 derived as: $N$3 The per-step confidence decay $N$4 is aggregated as the membership score

$N$5

A threshold $N$6 is selected (empirically or via ROC analysis) to determine membership, $N$7 if $N$8, else $N$9.

Key parameters and workflow:

• $f(\cdot)$0 erosion steps with $f(\cdot)$1 downsampling per step (image size $f(\cdot)$2).
• Total queries per sample: $f(\cdot)$3 (batch size $f(\cdot)$4 possible).
• No auxiliary data, shadow models, or white-box information required.

3. Experimental Protocol and Evaluation Setup

The canonical Res-MIA benchmark uses:

• CIFAR-10 dataset (50,000 training, 10,000 test images, $f(\cdot)$5 resolution).
• 10 federated clients ($f(\cdot)$6 samples/client, IID split).
• Global ResNet-18 trained via FedAvg to $f(\cdot)$7 test accuracy.

Attackers evaluate on 2,000 balanced images (1,000 members, 1,000 non-members), querying the model $f(\cdot)$8 times per image to record confidences $f(\cdot)$9 for score computation.

4. Quantitative Results, Ablations, and Analysis

4.1 Main Performance Benchmarks

Res-MIA achieves substantial improvements in black-box membership inference:

Attack Method	AUC	Accuracy	FPR @ TPR=80%
Loss-Based [Yeom ’18]	0.75	0.69	0.38
Entropy-Based [Salem ’19]	0.68	0.64	0.45
Res-MIA (Ours)	0.88	0.81	0.19

The technique is robust across different client splits (AUC $f$0 per client). Ablation highlights:

• Nearest-neighbor upsampling (AUC $f$1) is critical; bilinear yields lower AUC ($f$2).
• $f$3 steps efficiently captures confidence erosion; larger $f$4 marginally increases overhead without notable accuracy gain.

Computational cost: Six forward passes take $f$5 ms per image (single pass $f$6 ms), and computation is fully parallelizable.

4.2 Impact of Resolution and Query Budget

Erosion to $f$7 pixels captures almost all high-frequency attenuation, maximizing AUC. Fewer steps reduce data granularity and decrease AUC; more steps increase query complexity with diminishing returns.

5. Interpretation: Frequency-Sensitive Overfitting and Privacy Leakage

Federated learning models, like their centralized counterparts, are susceptible to frequency-sensitive overfitting. The steep confidence decay in members' predictions under erosion reveals a privacy leakage channel tied to the model’s reliance on fine-grained, non-robust features, which survive only in training set samples.

Res-MIA demonstrates that simple resolution-based transformations—applied in a black-box manner—are sufficient to distinguish members without any side information or complex model architectures. This exposes a vulnerability previously unaddressed by training-free MIA paradigms.

6. Prospective Countermeasures and Open Issues

Several mitigation strategies are proposed:

• Frequency regularization: Penalize high-frequency sensitivity during training (e.g., spectral norm, adversarial high-frequency perturbations).
• Differential privacy (DP): Noise added either to client updates or outputs; strong DP budgets reduce leakage but may harm accuracy.
• Post-processing: Output quantization or calibrated noise injection (e.g., MemGuard) to mask granularity of the confidence decay signal.

Limitations:

• Demonstrated only for small images ($f$8), ResNet-18, and full-confidence output models (label-only variants not directly supported).
• Generalization to larger inputs, other modalities, or non-IID client partitioning remains untested.

Directions for future research include developing attack variants for other data types (text, audio), integrating resolution-based cues with alternative black-box MIAs, and constructing regularization or defense schemes directly targeting frequency overfitting (Zare et al., 24 Jan 2026).

---

Res-MIA, by leveraging confidence decay under systematic resolution erosion, achieves the strongest published training-free membership inference results for federated networks and motivates a fresh focus on the role of fine-grained frequency cues in machine learning privacy.