Master's and Doctoral Theses: Detailed Record 112522124




Name 楊惠隆 (Hui-Long Yeo)   Department Computer Science and Information Engineering
Thesis title DUFAttack: A Diffusion and Unlearning-Based Approach to Federated Learning Inversion Attacks
(結合擴散模型與遺忘學習之聯邦學習逆向攻擊)
File Browse the thesis in the system (never open to the public)
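Abstract (Chinese) In a Federated Learning (FL) environment, an attacker who holds only local data can still use the global model to carry out a Model Inversion Attack and attempt to reconstruct the private data of other clients. However, because the global model incorporates the weights of the local data, the generated samples may be biased toward the attacker's own data distribution, which makes it difficult to recover the latent feature structure of other nodes and weakens the practical significance of cross-node reconstruction. Existing methods based on the Generative Adversarial Network (GAN) often face problems such as unstable training and inconsistent generation quality. To address these challenges, this study proposes DUFAttack (Diffusion and Unlearning-Based Federated Attacks), an inversion attack method that combines Diffusion Model and Model Unlearning techniques. The method uses unlearning to strip the influence of local data from the global model, reducing generation bias, and uses a diffusion model to improve the stability and diversity of sample generation. Experimental results show that DUFAttack achieves a classification accuracy of 84.30% on the global model, higher than the 83.11% of the conventional GAN method, while total training and generation time is reduced by 72.64%. In addition, the generated samples are closer to the distribution of other clients' data, showing better cross-node reconstruction capability. This study also performs cross-validation on multiple datasets, confirming that the proposed method has good generalization capability and stability. DUFAttack not only improves the cross-node accuracy and stability of sample reconstruction but also shows performance and efficiency superior to existing methods, offering a promising new avenue for research on privacy attacks in federated learning environments.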
Abstract (English) In Federated Learning environments, an attacker with access only to local data can still perform a Model Inversion Attack, aiming to reconstruct private data from other clients by leveraging the global model. However, since the global model integrates weights from the attacker's local data, the generated data may be biased toward the attacker's own data distribution. This leads to poor reconstruction of features from other clients and weakens the effectiveness of cross-client inference. Existing methods based on Generative Adversarial Network (GAN) often suffer from unstable training and inconsistent generation quality. To address these challenges, this study proposes DUFAttack (Diffusion and Unlearning-Based Federated Attacks), a novel model inversion attack method that combines diffusion models and model unlearning techniques. DUFAttack first removes the influence of local data from the global model through model unlearning, thereby reducing generation bias. It then employs a diffusion model to improve the stability and diversity of generated samples. Experimental results demonstrate that DUFAttack achieves a classification accuracy of 84.30% on the global model, surpassing 83.11% of conventional GAN-based approaches, while reducing total training and generation time by 72.64%. Furthermore, the generated data are less influenced by local data characteristics and more closely align with other clients' data distributions, indicating improved cross-client reconstruction performance. This study also conducts cross-validation on multiple datasets, confirming the proposed method's robustness and generalization capability.
Keywords ★ Federated Learning
★ Model Inversion Attack
★ Model Unlearning
★ Diffusion Model
★ Deep Learning Security
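Table of contents
Abstract (Chinese)
Abstract (English)
Acknowledgments
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1. Research Motivation
1.2. Research Objectives
1.3. Contributions
1.4. Thesis Organization
Chapter 2 Background and Related Work
2.1. Federated Learning
2.2. Model Inversion Attack
2.3. Generative Artificial Intelligence
2.4. Machine Unlearning
2.5. Related Work
Chapter 3 DUFAttack Architecture
3.1. Architecture Approach and Design
3.2. Reverse Aggregation
3.2.1. Data Preprocess
3.2.2. Federated Learning
3.2.3. Model Unlearning
3.3. Generator Pretrain
3.3.1. Forward Diffusion
3.3.2. Reverse Denoising
3.3.3. Model Training
3.4. Data Reconstruction
3.4.1. Classifier Guidance
3.4.2. Conditional Constraints
3.4.3. Data Generation
Chapter 4 Experiments and Discussion
4.1. System Implementation
4.2. Experimental Metrics and Evaluation Methods
4.2.1. Data Validity Verification
4.2.2. Data Diversity Restoration Verification
4.3. Scenario 1: Performance Analysis under Different Hyperparameter Settings
4.3.1. Experiment 1: Comparison of the Effect of the Number of Hidden Layers on Training Time and Classification Accuracy in Federated Learning
4.3.2. Experiment 2: Comparison of Post-Unlearning Model Accuracy under Different Unlearning Thresholds
4.3.3. Experiment 3: Comparison of the Effect of the Number of Generator Hidden Layers on the Validity and Diversity of Generated Data
4.4. Scenario 2: Analysis of the Effect of Data Volume and Client Composition on Performance
4.4.1. Experiment 4: Effect of Victim Data Volume and Client Composition on Validity and Diversity
4.4.2. Experiment 5: Effect of Victim Sub-Class Labels on Validity and Diversity
4.5. Scenario 3: Effect of the Conditional Constraint and Unlearning Components on Data Reconstruction Performance
4.5.1. Experiment 6: Effect of the Conditional Constraint Component on the Validity and Diversity of Generated Data
4.5.2. Experiment 7: Effect of the Unlearning Component on Reconstruction Accuracy and Distribution Control
4.6. Scenario 4: Cross-Method Validation and Attack Robustness Evaluation
4.6.1. Experiment 8: Comparative Analysis of Generated Data Validity and Diversity against VAE and GAN Methods
4.6.2. Experiment 9: Verification of Generated Data Validity and Diversity on Other Datasets
4.6.3. Experiment 10: Analysis of the Suppression Effect of Differential Privacy Defense on Validity and Diversity
4.6.4. Experiment 11: Ablation Analysis of the Reverse Aggregation and Generator Pretraining Modules
Chapter 5 Conclusion and Future Research Directions
5.1. Conclusion
5.2. Research Limitations
5.3. Future Research
References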
Advisor 周立德 (Li-Der Chou)   Review date 2025-8-21

For questions about this thesis, contact the Extension Services Section of the National Central University Library, TEL: (03)422-7151 ext. 57407, or by e-mail.