Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/99291

| Title: | 利用擴散模型進行真實資料逆推攻擊 Towards Real-World Data Reconstruction Attacks using Diffusion Prior |
| Author: | 李華健 Wa Kin Lei |
| Advisor: | 陳尚澤 Shang-Tse Chen |
| Keywords: | data reconstruction attacks, privacy, attacks, diffusion models |
| Publication year: | 2025 |
| Degree: | Master's |
| Abstract: | With the rise of large foundation models, split inference (SI) has emerged as a popular computational paradigm for deploying models across lightweight edge devices and cloud servers, addressing data privacy and computational cost concerns. However, most existing data reconstruction attacks have focused on smaller CNN classification models, leaving the privacy risks of foundation models in SI settings largely unexplored. To address this gap, we propose a novel data reconstruction attack based on guided diffusion, which leverages the rich prior knowledge embedded in a latent diffusion model (LDM) pre-trained on a large-scale dataset. Our method performs iterative reconstruction on the LDM’s learned image prior, effectively generating high-fidelity images resembling the original data from their intermediate representations (IR). Extensive experiments demonstrate that our approach significantly outperforms state-of-the-art methods, both qualitatively and quantitatively, in reconstructing data from deep-layer IRs of the vision foundation model. The results highlight the urgent need for more robust privacy protection mechanisms for large models in SI scenarios. |
| URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/99291 |
| DOI: | 10.6342/NTU202502937 |
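| Full-text authorization: | Not authorized |
| Full-text public release date: | N/A |
| Appears in collections: | Department of Computer Science and Information Engineering |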
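
Files in this item:

| File | Size | Format | |
|---|---|---|---|
| ntu-113-2.pdf (not authorized for public access) | 18.11 MB | Adobe PDF | |

Items in this system are protected by copyright, with all rights reserved, unless their copyright terms are specifically indicated otherwise.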
