Variational Feature Compression for Model-Specific Representations

TL;DR

This paper introduces a variational feature compression method that enhances privacy by suppressing cross-model transfer of representations while maintaining accuracy for specific classifiers.

Contribution

It proposes a novel framework using a variational latent bottleneck and dynamic masking to control downstream model usage without pixel-level reconstruction.

Findings

Retains strong utility for the designated classifier on CIFAR-100.

Reduces unintended classifier accuracy to below 2%.

Achieves over 45 times suppression ratio against unintended models.

Abstract

As deep learning inference is increasingly deployed in shared and cloud-based settings, a growing concern is input repurposing, in which data submitted for one task is reused by unauthorized models for another. Existing privacy defenses largely focus on restricting data access, but provide limited control over what downstream uses a released representation can still support. We propose a feature extraction framework that suppresses cross-model transfer while preserving accuracy for a designated classifier. The framework employs a variational latent bottleneck, trained with a task-driven cross-entropy objective and KL regularization, but without any pixel-level reconstruction loss, to encode inputs into a compact latent space. A dynamic binary mask, computed from per-dimension KL divergence and gradient-based saliency with respect to the frozen target model, suppresses latent dimensions that are uninformative for the intended task. Because saliency computation requires gradient access, the encoder is trained in a white-box setting, whereas inference requires only a forward pass through the frozen target model. On CIFAR-100, the processed representations retain strong utility for the designated classifier while reducing the accuracy of all unintended classifiers to below 2%, yielding a suppression ratio exceeding 45 times relative to unintended models. Preliminary experiments on CIFAR-10, Tiny ImageNet, and Pascal VOC provide exploratory evidence that the approach extends across task settings, although further evaluation is needed to assess robustness against adaptive adversaries.