MAUI: Reconstructing Private Client Data in Federated Transfer Learning

📅 2025-09-14
🤖 AI Summary
In federated transfer learning, data reconstruction attacks (DRAs) suffer from low reconstruction fidelity because the strongly input-correlated gradients of the initial model layers are never shared, and those that rely on explicit model tampering are easily detectable. To address these limitations, this paper proposes a stealthy Classification Head Gradient Reconstruction Attack (CHGRA). CHGRA reconstructs high-fidelity inputs solely from the classification head gradients uploaded by clients, without modifying model architecture or parameters, by freezing the backbone network, fine-tuning the classifier, and incorporating a robust feature extraction mechanism. This design significantly enhances attack stealthiness and generalizability across datasets and architectures. Extensive experiments on CIFAR-10, ImageNet, and other benchmarks across diverse model architectures demonstrate that CHGRA improves PSNR by 40%–120% over state-of-the-art DRAs, while exhibiting insensitivity to batch size.

📝 Abstract
Recent works in federated learning (FL) have shown the utility of leveraging transfer learning for balancing the benefits of FL and centralized learning. In this setting, federated training happens after a stable point has been reached through conventional training. Global model weights are first centrally pretrained by the server on a public dataset, following which only the last few linear layers (the classification head) of the model are finetuned across clients. In this scenario, existing data reconstruction attacks (DRAs) in FL show two key weaknesses. First, strongly input-correlated gradient information from the initial model layers is never shared, significantly degrading reconstruction accuracy. Second, DRAs in which the server makes highly specific, handcrafted manipulations to the model structure or parameters (e.g., layers with all zero weights, identity mappings and rows with identical weight patterns) are easily detectable by an active client. Improving on these, we propose MAUI, a stealthy DRA that does not require any overt manipulations to the model architecture or weights, and relies solely on the gradients of the classification head. MAUI first extracts "robust" feature representations of the input batch from the gradients of the classification head and subsequently inverts these representations to the original inputs. We report highly accurate reconstructions on the CIFAR10 and ImageNet datasets on a variety of model architectures including convolutional networks (CNN, VGG11), ResNets (18, 50), ShuffleNet-V2 and Vision Transformer (ViT B-32), regardless of the batch size. MAUI significantly outperforms prior DRAs in reconstruction quality, achieving 40-120% higher PSNR scores.
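
The handcrafted manipulations named in the abstract (all-zero layers, identity mappings, rows with identical weight patterns) are the ones an active client can screen for before training. The following is an added example, not code from the paper: a client-side audit of the received classification head, where the function names, the tolerance and the sample matrices are assumptions constructed for illustration.

```python
# Added example: client-side audit of a received classification head.
# Weights are plain nested lists (rows = output units); all names are hypothetical.

def _is_identity(w, tol):
    """True if w is square and equals the identity matrix within tol."""
    return len(w) == len(w[0]) and all(
        abs(v - (1.0 if i == j else 0.0)) <= tol
        for i, row in enumerate(w) for j, v in enumerate(row))

def _duplicate_rows(w, tol):
    """Return index pairs of non-zero rows that are identical within tol."""
    pairs = []
    for i in range(len(w)):
        if all(abs(v) <= tol for v in w[i]):
            continue  # an all-zero row is not counted as a duplicate pattern
        for j in range(i + 1, len(w)):
            if all(abs(a - b) <= tol for a, b in zip(w[i], w[j])):
                pairs.append((i, j))
    return pairs

def audit_head(layers, tol=1e-8):
    """layers: dict of layer name -> 2-D weight matrix. Returns (layer, finding) pairs."""
    findings = []
    for name, w in layers.items():
        if all(abs(v) <= tol for row in w for v in row):
            findings.append((name, "all-zero weights"))
            continue
        if _is_identity(w, tol):
            findings.append((name, "identity mapping"))
        dups = _duplicate_rows(w, tol)
        if dups:
            findings.append((name, f"identical rows {dups}"))
    return findings

# Constructed sample weights, not taken from the paper.
SAMPLE = {
    "fc1": [[0.12, -0.40, 0.33], [0.05, 0.91, -0.27], [-0.61, 0.08, 0.44]],
    "fc2": [[0.0, 0.0, 0.0], [0.0, 0.0, 0.0]],
    "fc3": [[1.0, 0.0], [0.0, 1.0]],
    "fc4": [[0.3, -0.2, 0.7], [0.3, -0.2, 0.7], [0.1, 0.5, -0.9]],
}

if __name__ == "__main__":
    for layer, finding in audit_head(SAMPLE):
        print(f"{layer}: {finding}")
```

A clean result from this audit only rules out the overt manipulations listed above; per the abstract, MAUI requires none of them, so weight inspection alone does not address it.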

Problem

Research questions and friction points this paper is trying to address.

Reconstructing private client data from gradients
Overcoming weaknesses in federated transfer learning attacks
Achieving stealthy data reconstruction without model manipulation

Innovation

Methods, ideas, or system contributions that make the work stand out.

Uses classification head gradients for reconstruction
Extracts robust feature representations from gradients
Inverts representations to original inputs without modifications