在聯邦學習(Federated Learning, FL)環境中,攻擊者雖僅持有本地端資料,仍可藉由全局模型進行模型逆向攻擊(Model Inversion Attack),試圖重構其他客戶端的私有資料。然而,由於全局模型融合了本地資料的權重,所生成的樣本可能偏向攻擊者自身的資料分佈,導致難以還原其他節點的潛在特徵結構,進而削弱跨節點重構的實質意義。現有基於生成對抗網路(Generative Adversarial Network, GAN)的方法常面臨訓練不穩定與生成品質不一等問題。為解決上述挑戰,本研究提出一種結合擴散模型(Diffusion Model)與遺忘學習(Model Unlearning)技術的逆向攻擊方法 DUFAttack(Diffusion and Unlearning-Based Federated Attacks)。本方法透過遺忘學習剝除本地資料對全局模型的影響,降低生成偏誤,並藉由擴散模型提升樣本生成的穩定性與多樣性。實驗結果顯示,DUFAttack 在全局模型的分類準確率達 84.30%,高於傳統 GAN 方法的 83.11%,同時總訓練與生成時間減少 72.64%。此外所生成樣本更貼近其他客戶端資料的分佈,顯示更佳的跨節點重構能力。本研究亦使用多種資料集進行交叉驗證,證實所提方法具備良好的泛化能力與穩定性。DUFAttack 不僅提升了樣本重構的跨節點準確性與穩定性,亦展現出優於現有方法的效能與效率,為聯邦學習環境中的隱私攻擊研究提供了一種具潛力的新途徑。;In Federated Learning environments, an attacker with access only to local data can still perform a Model Inversion Attack, aiming to reconstruct private data from other clients by leveraging the global model. However, since the global model integrates weights from the attacker′s local data, the generated data may be biased toward the attacker′s own data distribution. This leads to poor reconstruction of features from other clients and weakens the effectiveness of cross-client inference. Existing methods based on Generative Adversarial Network (GAN) often suffer from unstable training and inconsistent generation quality. To address these challenges, this study proposes DUFAttack (Diffusion and Unlearning-Based Federated Attacks), a novel model inversion attack method that combines diffusion models and model unlearning techniques. DUFAttack first removes the influence of local data from the global model through model unlearning, thereby reducing generation bias. It then employs a diffusion model to improve the stability and diversity of generated samples. Experimental results demonstrate that DUFAttack achieves a classification accuracy of 84.30% on the global model, surpassing 83.11% of conventional GAN-based approaches, while reducing total training and generation time by 72.64%. Furthermore, the generated data are less influenced by local data characteristics and more closely align with other clients’ data distributions, indicating improved cross-client reconstruction performance. This study also conducts cross-validation on multiple datasets, confirming the proposed method’s robustness and generalization capability.
