Problem statement

Our research problem is to reprogram the original feature space into a new feature space that further improve the performance of downstream tasks while avoiding the exposure of sensitive features in a traceable and interpretable way. Formally, given the dataset ({mathcal{D}}={F,s,y}), where F is the original feature set (i.e., feature space) consisting of a set of features f; s is a sensitive feature involving privacy, which used in the reprogramming, but not directly utilized for the prediction; and y is the target label. We use A_pe to refer to the downstream task model, A_pr to refer to the model that predicts sensitive features, and O to refer to the entire set of operators (e.g., “square,” “exp,” “plus,” “multiply,” etc.). Our task is to construct the new feature space (hat{F}) and identify the ideal one F* in reconstruction. The optimization objective can be formulated as follows:

Framework overview

In this paper, we formally propose the (underline{P},text{rivacy-preserving},) (underline{D},text{ata},) (underline{R},text{eprogramming},) (PDR). Figure 4 illustrates the comprehensive framework of PDR, which includes two main steps: (1) privacy-aware knowledge acquisition (Fig. 5); and (2) privacy-preserving feature space generation (Fig. 6).

Privacy-Aware Knowledge Acquisition (Phase 1).

Privacy-Preserving Feature Space Generation (Phase 2).

In the knowledge acquisition phase, we use multi-agent reinforcement learning to implement the selection of candidate features and candidate operations for feature crossing. IB is used to guide the decision-making process of agents. We maximize the mutual information between the new feature space and downstream tasks while minimizing the mutual information between the new feature space and sensitive features. Collected privacy-aware feature sets account for both privacy and performance, which then are serialized as a knowledge base.

In the feature space generation phase, we map the knowledge base into a privacy-aware latent space by a sequence encoder. Two evaluators are used to estimate the performance on downstream tasks and the risk of exposing sensitive information of a reprogramed feature set using the latent representation. We use estimates of downstream task performance to provide gradient guidance, and estimates of risk of privacy exposure to provide gradually tightening constraints. Finally, a sequence decoder is used to decode the updated latent representation.

Privacy-aware knowledge acquisition

Multi-agent reinforcement learning

Multiple interdependent Markov Decision Processes (MDPs) can effectively describe the construction of new features^2,23. We aim to construct feature sets with privacy-aware knowledge in this way to provide high-quality data for subsequent generative models. We decompose this process into three MDPs using a cascading structure of three reinforcement learning agents., including two MDPs for picking features, and one MDP for picking operators.

State Representation R
e
p
f( ⋅ ) & R
e
p
o( ⋅ )

We first represent the features and operators to facilitate model processing. For features, we employ a descriptive statistical technique Repf(⋅) to obtain this state representation²⁴. In detail, we first compute the feature set column-wise descriptive statistics (i.e., count, standard deviation, minimum, maximum, first, second, and third quantile). Then, we calculate the same descriptive statistics on the output of the previous statistics. After that, we can obtain the descriptive matrix and flatten it as the state representation. For the representation of the operator, we pre-determine the types of operations available and then use a one-hot encoding Repo( ⋅ ) to get a representation of the operator.

Reinforcement learning agents

We use the classic DQN structure to implement agents²⁵. We adopt the i^th iteration as an example to describe the cooperation between agents. First, the head feature agent selects feature f_h as the header feature based on the (i−1)^th iteration’s feature space state representation Repf(F_i−1), then the operator agent selects operator o_i based on feature space and header feature Repf(F_i−1)∣∣Repf(f_h), where ∣∣ indicates concatenation. Finally, the tail feature agent selects tail feature f_t as the tail feature based on feature space, header feature and operator Repf(F_i−1)∣∣Repf(f_h)∣∣Repo(o_i). New features f_i are obtained by calculating the head and tail features according to the operator. The (i−1)^th iteration’s feature space F_i−1 combines with new features f_i to be the new feature space F_i.

Privacy-awared decision-making

Feedback-based policy learning is used to optimize each agent to find privacy-aware features. The privacy-aware features should improve performance on downstream tasks, and avoid exposure to sensitive features. Consistent with previous literature^2,3, we consider all features as an entire feature space to avoid the negative impact of complex interdependencies between features, so that sensitive features can be used to produce valuable new features in the reprogramming process without further exposure. We design a privacy-awared reward function ({mathcal{R}}(cdot )) to guide agents’ decision-making according to the IB principle^9,10. We design the reward function from two aspects: (1) maximize the mutual information between the new feature space and the downstream task label, and (2) minimize the mutual information between the new feature space and the sensitive feature.

where ({mathbb{I}}(cdot;cdot)) denotes mutual information, y denotes the groundtruth of the downstream task, s denotes the sensitive feature.

Maximize mutual information lower bound

By maximizing mutual information, we encourage the construction of new feature spaces that can enhance downstream tasks.

where H( ⋅ ) refers to the information entropy, ({mathcal{D}}(cdot )) denote the model of downstream task, ϕ( ⋅ ) is the sigmoid activation. In the above derivation, (a) is the definition of mutual information; (b) is the non-negative property of H(F_i); (c) is the definition of information entropy; (d) is that ∑p(F_i, y) ≤ 1; (e) (phi ({mathcal{D}}({F}_{i}))) is the variational approximation of p(F_i∣y); (f) is because ({mathcal{D}}({F}_{i-1})) is a non-negative constant, and through experiments, we found that using the increments in downstream task performance, rather than the performance itself, provides clearer guidance to the model. Finally, we maximize the incremental performance of the feature space generated by two iterations on the downstream task to maximize the mutual information between the constructed feature space and the downstream task.

Minimize mutual information upper bound

Considering only the performance introduces a risk of exposing sensitive information. To address this, we minimize the mutual information between the new feature space and sensitive features, providing privacy-aware guidance for agents. However, estimating the upper bound of mutual information is an intractable problem. While some studies leverage variational techniques to estimate this upper bound, they heavily rely on prior assumptions^26,27. Therefore, refer to prior works^20,28, we introduce the Hilbert-Schmidt Independence Criterion (HSIC)²⁹ as the approximation of the minimization of ({mathbb{I}}({F}_{i};{s})).

HSIC serves as a statistical measure of dependency, which is formulated as the Hilbert-Schmidt norm, assessing the cross-covariance operator between distributions within the Reproducing Kernel Hilbert Space (RKHS). Given F_i and s, HSIC(F_i, s) is defined as follows:

where ({C}_{{F}_{i}s}) is the cross-covariance operator between the Reproducing Kernel Hilbert Spaces (RKHSs) of F_i and s, ({parallel cdot parallel }_{hs}^{2}) refers to the Hilbert-Schmidt norm, ({K}_{{F}_{i}}) and K_s are two kernel functions for variables F_i and s, ({F}^{{prime}}_{i}) and (s^{prime}) are two independent copies of F_i and s. Given the sampled instances ({({F}_{{i}_{j}},{s}_{j})}_{j = 1}^{n}) from the batch training data, we estimated HSIC as:

where ({K}_{{F}_{i}}) and K_s are used kernel matrices²⁹, with elements ({K}_{{F}_{{i}_{{jj}^{prime} }}}={K}_{{F}_{i}}({F}_{{i}_{j}},{F}_{{i}_{{j}^{prime}}})) and ({K}_{{s}_{{jj}^{prime}}}={K}_{s}({s}_{j},{s}_{{j}^{prime}})), (H={bf{I}}-frac{1}{n}{{bf{11}}}^{T}) is the centering matrix, and Tr( ⋅ ) denotes the trace of matrix. In practice, we adopt the widely used radial basis function (RBF)³⁰ as the kernel function:

where σ is the parameter that controls the sharpness of RBF. In order not to rely on prior assumptions and to calculate more efficiently, we minimize (hat{HSIC}({F}_{i};s)) instead of minimizing ({mathbb{I}}({F}_{i};s)).

Finally, we use the reward function Equation (7) to guide agents to construct new feature spaces that benefit downstream tasks while avoiding sensitive feature exposure:

Feature space serialization

After collecting privacy-aware feature spaces, we represent these privacy-aware feature spaces as a sequence η_p by the convert function ρ( ⋅ ). In detail, we encode all the features and all the operators in a unified token space. For the new feature generated by the original feature, we use Reverse Polish Notation³¹ to represent its generation path. Because of the uniqueness and extensibility of the Reverse Polish Notation, we can encode and optimize more accurately and conveniently. Besides, three special tokens are introduced: 〈SEP〉, 〈SOS〉, and 〈EOS〉, respectively, to mark the split between features, the beginning and end of a feature space. For each feature space from the knowledge base, we perform data augmentation by randomly shuffling the order of features.

Privacy-preserving feature space generation

Supported by rich privacy-aware knowledge, we use generative models to achieve more stable and robust feature space generation³. We use an autoencoder structure to map the feature space in the knowledge base to the latent space and find better points in the latent space guided by the performance of downstream tasks with progressively tightening privacy constraints.

Sequence autoencoder structure

We use serialized feature spaces η_p = ρ(F_p) as privacy-aware knowledge for training encoder Γ_e( ⋅ ) and decoder Γ_d( ⋅ ) to obtain a desired latent space. We adopt a single layer long short-term memory (LSTM)³² as encoder Γ_e( ⋅ ) and we acquire the continuous latent representation E_p of the feature space F_p, denoted by E_p = Γ_e(ρ(F_p)). We adopt a single layer LSTM as decoder Γ_d( ⋅ ). The decoder decodes latent representation into Reverse Polish Notation (hat{{eta }_{p}}) in a sequence-to-sequence way³³. Given the latent representation E_p, to make the generated sequence similar to the real one, we minimize the negative log-likelihood of the distribution, defined as: ({{mathcal{L}}}_{rec}=-log {P}_{{Gamma }_{d}}(hat{{eta }_{p}};{E}_{p})).

Performance and privacy evaluators

To generate the ideal feature space, we first organize the latent space for targeted optimization. Two evaluators are employed to clarify the relationship between latent representations, downstream task performance, and sensitive features. In particular, the performance evaluator Ψ_pe( ⋅ ) models the relationship between latent representations and downstream task performance, which is then used to provide the optimization objective to update latent representations for better downstream performance. The privacy evaluator Ψ_pr( ⋅ ) models the relationship between latent representation and privacy exposure risk, which is then used to provide constraints to keep sensitive features secure.

Performance evaluator

We expect the latent representation to indicate the accuracy of the corresponding feature space on the downstream task so that we can obtain a higher performance feature space by purposefully adjusting the latent representation. We use a performance evaluator to establish this relationship, denoted as (hat{v}={Psi }_{pe}({E}_{p};y)). We use a simple linear layer to implement Ψ_pe( ⋅ ). We train the parameters Ψ_pe of the estimator by minimizing the Mean Squared Error (MSE) between the estimate and the true value (mathop{min }limits_{{Psi }_{pe}}{{mathcal{L}}}_{pe}=MSE(v| hat{v})).

Privacy evaluator

Similarly, we can use the privacy evaluator Ψ_pr( ⋅ ) to assess the extent to which latent representations reveal sensitive features. According to Section “Privacy-Awared Decision-Making”, we leverage HSIC to describe the relationship between feature space and privacy. The privacy estimators estimate the HSIC of latent representations, given as (tilde{HSIC}={Psi }_{pr}({E}_{p};s)). We also use a simple linear layer to implement Ψ_pr( ⋅ ). We train the parameters Ψ_pr of estimator by minimizing the MSE between the estimate and the true value (mathop{min }limits_{{Psi }_{pr}}{{mathcal{L}}}_{pr}=MSE(HSIC({F}_{p};s);tilde{HSIC})).

We use a multi-tasking architecture to train all the structures:

Constrained gradient update

After the encoder and two evaluators are jointly trained, each latent representation in the latent space (1) can reconstruct the feature space; (2) can reflect the performance of the corresponding feature space in the downstream task; (3) can reflect the degree of exposure of sensitive features.

On this basis, we optimize the latent representation to further improve the accuracy of downstream tasks while ensuring privacy. To alleviate the problem of difficulty in training and balancing caused by dual objectives, we distinguish the roles of the two objectives. Performance is used as the optimization goal, and privacy is used as a gradually tightened constraint. The initial constraint allows the model to better inherit privacy-aware knowledge, and the gradually tightened constraint allows the model to focus on performance while also strengthening privacy. Specifically, for the latent representation E_p, under the constraints of the privacy evaluator Ψ_pr(E_p; s), we search toward the gradient direction induced by the performance evaluator Ψ_pe(E_p; y):

we perform this search T times to get ({{hat{{E}}_{p}^{1}},ldots ,{hat{{E}}_{p}^{T}}}) and ({hat{E}}_{p}^{min}) is the result with the best privacy evaluated in the previous search. With continuous iterations, ({hat{E}}_{p}^{min}) will gradually become smaller, and the model needs to meet increasingly tighter privacy constraints. In the implementation, we use projected gradient ascent³⁴ to implement this constraint. We select multiple E_p as seeds for the search and use beam search strategy³³ to determine the best result ({hat{E}}_{p}^{*}). The best updated latent representation is decoded by the decoder to the final feature space F^*.

For better interpretability in practical scenarios, consider a healthcare dataset where age is designated as a sensitive attribute. During latent space optimization, our privacy constraint ensures that newly generated features exhibit minimal statistical dependence on age. For instance, the model may initially explore feature representations that slightly correlate with age but are beneficial for predicting disease risk. As optimization proceeds, the constraint progressively tightens, forcing the latent representation to retain predictive power for disease outcomes while reducing any dependency on age. This reflects real-world privacy protection needs under regulations such as the General Data Protection Regulation in Europe⁴, where indirect leakage of personal attributes must be minimized.

Related work

Data reprogramming

As one essential task within DCAI^1,3,35, data reprogramming aims to enhance the feature space by generating new features in an explainable and traceable way, thereby improving the performance of machine learning models^36,37. Existing methods primarily focus on boosting downstream task performance and can be broadly divided into two categories: (1) Search in discrete spaces^{2,7,8,12,14,23,35,38,39,40,41,42,43,44}: These methods treat data reprogramming n as a discrete space search problem and solutions are based on smart search of optimal combinations of feature crosses. Some works initially add new features to expand the feature space and eventually select only the high-value features to form the final feature set⁵. Some works adopt an iterative-greedy strategy⁶. Effective features are iteratively generated, and significant ones are preserved until the maximum number of iterations is reached. Some methods combine evolutionary algorithms to explore effective feature spaces⁴⁵. (2) Optimization in continuous space^{3,8,46,47,48,49,50}: Such methods represent a feature set as an embedding vector in a feature set embedding space, then identify the optimal embedding point in such embedding space, and finally reconstruct the optimal feature set. However, these methods focus on augmenting data predictive power and lack privacy considerations.

Information bottleneck principle

The IB method is a principle from information theory used to find an optimal balance between compression and prediction^9,10. This principle has been employed to enhance interpretability and disentangle representations^51,52. However, calculating mutual information between high-dimensional variables is challenging. To address this, researchers have used neural networks to approximate and estimate mutual information^26,27,53,54. However, they relatively rely on the prior assumption and the quality of sampling influences the accuracy of the estimation. Instead of directly optimizing, the Hilbert-Schmidt Independence Criterion (HSIC) has been employed as an alternative to assess variable²⁹. Given the challenges in estimating the upper bound of mutual information, we opt for HSIC to approximate and minimize the mutual information between learned representations and sensitive features^20,28,55,56.