What Your Features Reveal: Data-Efficient Black-Box Feature Inversion Attack for Split DNNs
Zhihan Ren, Lijun He, Jiaxi Liang, Xinzhu Fu, Haixia Bi, Fan Li

TL;DR
This paper introduces FIA-Flow, a novel black-box feature inversion attack that reconstructs high-fidelity images from intermediate features in split DNNs, exposing significant privacy risks.
Contribution
FIA-Flow combines semantic alignment and distribution correction techniques to improve image reconstruction quality from intermediate features, revealing greater privacy leakage.
Findings
FIA-Flow achieves high-fidelity image reconstruction across multiple models.
The attack exposes more severe privacy risks than previous methods.
The attack is effective with few image-feature pairs due to its decoupled design.
Abstract
Split DNNs enable edge devices by offloading intensive computation to a cloud server, but this paradigm exposes privacy vulnerabilities, as the intermediate features can be exploited to reconstruct the private inputs via Feature Inversion Attack (FIA). Existing FIA methods often produce limited reconstruction quality, making it difficult to assess the true extent of privacy leakage. To reveal the privacy risk of the leaked features, we introduce FIA-Flow, a black-box FIA framework that achieves high-fidelity image reconstruction from intermediate features. To exploit the semantic information within intermediate features, we design a Latent Feature Space Alignment Module (LFSAM) to bridge the semantic gap between the intermediate feature space and the latent space. Furthermore, to rectify distributional mismatch, we develop Deterministic Inversion Flow Matching (DIFM), which projects…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Security and Verification in Computing · Privacy-Preserving Technologies in Data
