This paper reveals a critical privacy vulnerability in residual neural networks (ResNets): user input data can be inversely reconstructed during inference. Existing inversion methods fail to exploit the intrinsic properties of residual connections, resulting in low-fidelity reconstructions. To address this, we propose PEEL—a novel inversion framework that models residual block outputs as noisy observations of the input and formulates a layer-wise constrained optimization problem. PEEL jointly leverages backward feature inversion and entropy modeling of skip-connection information to enable block-level reversible feature recovery. Theoretical analysis identifies residual connections as the primary leakage channel. Empirical evaluation on facial image datasets demonstrates that PEEL reduces mean squared error (MSE) by an order of magnitude over state-of-the-art methods, strongly validating both its effectiveness and the structural sensitivity of ResNet to inversion attacks.

This paper explores inference-time data leakage risks of deep neural networks (NNs), where a curious and honest model service provider is interested in retrieving users' private data inputs solely based on the model inference results. Particularly, we revisit residual NNs due to their popularity in computer vision and our hypothesis that residual blocks are a primary cause of data leakage owing to the use of skip connections. By formulating inference-time data leakage as a constrained optimization problem, we propose a novel backward feature inversion method, extbf{PEEL}, which can effectively recover block-wise input features from the intermediate output of residual NNs. The surprising results in high-quality input data recovery can be explained by the intuition that the output from these residual blocks can be considered as a noisy version of the input and thus the output retains sufficient information for input recovery. We demonstrate the effectiveness of our layer-by-layer feature inversion method on facial image datasets and pre-trained classifiers. Our results show that PEEL outperforms the state-of-the-art recovery methods by an order of magnitude when evaluated by mean squared error (MSE). The code is available at href{https://github.com/Huzaifa-Arif/PEEL}{https://github.com/Huzaifa-Arif/PEEL}