arXiv

Profiling Privacy Preservation Against Gradient Inversion Attacks in Tabular Federated Learning

Title: Assessing Privacy Safeguards Against Gradient Inversion in Tabular Federated Learning

Federated learning (FL) allows multiple data owners to collaboratively train machine learning models without pooling raw data, a capability that is particularly valuable in privacy-critical sectors like healthcare and institutional data sharing. In this paradigm, data remains on local clients, with only model updates—such as gradients or model deltas—being transmitted. However, these transmitted updates can inadvertently reveal sensitive client information through gradient inversion attacks (GIAs).

This study investigates the vulnerability of tabular FL to such attacks, operating under an honest-but-curious server threat model. The analysis spans various FL protocols, client batch sizes, training phases, attacker assumptions, model architectures, and task types, including binary classification, multiclass classification, and regression. The research utilizes the MIMIC-IV dataset alongside complementary benchmarks.

The evaluation framework differentiates between numerical and categorical recovery, baseline recoverability, feature-level recovery, and exact match rate (EMR). By employing an exposure-aligned protocol, the study compares FedSGD gradients and FedAvg model deltas based on matched client data exposure rather than matched communication rounds. The investigation encompasses multilayer perceptrons (MLP), ResNet, and FT-Transformer models. To isolate the impact of architecture, the study conducts an MLP grid search varying width, depth, activation functions, normalization techniques, and dropout rates.

Key findings indicate that small client batches and updates derived from few distinct records are the most susceptible to attacks. While larger local batches and more robust aggregation methods mitigate reconstruction efforts, they do not fully eradicate data leakage. The FT-Transformer model proves consistently more resistant to inversion compared to one-hot baselines, whereas reconstructability shows significant variation within the MLP family. These results highlight architecture as a critical, practical variable for privacy in tabular FL. Additionally, the study demonstrates that aggregate reconstruction accuracy may overstate complete record recovery in sparse datasets, underscoring the necessity of using EMR and baseline comparisons for accurate assessment.
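The gap between aggregate reconstruction accuracy and EMR on sparse data can be shown with a short calculation. This is an added example, not code from the paper; it assumes EMR is the fraction of records whose every feature is recovered, that the baseline guesses each column's most frequent value, and the records and reconstruction below are constructed for illustration.

```python
from collections import Counter

# Constructed sparse categorical records (0 is the dominant value in every column).
TRUE = [
    [0, 0, 0, 0, 1, 0, 0, 0],
    [0, 1, 0, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 0, 0, 0],
    [1, 0, 0, 0, 0, 0, 2, 0],
    [0, 0, 0, 0, 0, 0, 0, 0],
    [0, 0, 3, 0, 0, 0, 0, 0],
]
# Constructed stand-in for an inversion attack's output: it recovers some of the
# rare values and falls back to the dominant value elsewhere.
RECON = [
    [0, 0, 0, 0, 1, 0, 0, 0],
    [0, 0, 0, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 0, 0, 0],
    [1, 0, 0, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 0, 0, 0],
]

def cell_accuracy(true, recon):
    """Aggregate accuracy: fraction of individual feature values recovered."""
    hits = [t == r for t_row, r_row in zip(true, recon) for t, r in zip(t_row, r_row)]
    return sum(hits) / len(hits)

def exact_match_rate(true, recon):
    """EMR (assumed definition): fraction of records recovered in every feature."""
    return sum(t_row == r_row for t_row, r_row in zip(true, recon)) / len(true)

def mode_baseline(true):
    """Baseline with no gradient access: guess each column's most frequent value."""
    modes = [Counter(col).most_common(1)[0][0] for col in zip(*true)]
    return [list(modes) for _ in true]

def report(true, recon):
    base = mode_baseline(true)
    return {
        "attack_acc": cell_accuracy(true, recon),
        "attack_emr": exact_match_rate(true, recon),
        "baseline_acc": cell_accuracy(true, base),
        "baseline_emr": exact_match_rate(true, base),
    }

if __name__ == "__main__":
    for name, value in report(TRUE, RECON).items():
        print(f"{name}: {value:.3f}")
```

On this sample the attack's cell-level accuracy is about 0.94, but the mode baseline already reaches about 0.90 and only half of the records are recovered exactly, which is the overstatement the findings describe.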


Source: arXiv Generated at: 2026-06-02 00:00:00 UTC
