Split DNNs enable edge devices by offloading intensive computation to a cloud server, but this paradigm exposes privacy vulnerabilities, as the intermediate features can be exploited to reconstruct the private inputs via a Feature Inversion Attack (FIA). Existing FIA methods often produce limited reconstruction quality, making it difficult to assess the true extent of privacy leakage. To reveal the privacy risk of the leaked features, we introduce FIA-Flow, a black-box FIA framework that achieves high-fidelity image reconstruction from intermediate features. To exploit the semantic information within intermediate features, we design a Latent Feature Space Alignment Module (LFSAM) to bridge the semantic gap between the intermediate feature space and the latent space. Furthermore, to rectify distributional mismatch, we develop Deterministic Inversion Flow Matching (DIFM), which projects off-manifold features onto the target manifold with one-step inference. This decoupled design simplifies learning and enables effective training with few image-feature pairs. To quantify privacy leakage from a human perspective, we also propose two metrics based on a large vision-language model. Experiments show that FIA-Flow achieves more faithful and semantically aligned feature inversion across various models (AlexNet, ResNet, Swin Transformer, DINO, and YOLO11) and layers, revealing a more severe privacy threat in Split DNNs than previously recognized.