A Novel Data Obfuscation Framework Integrating Probability Density and Information Entropy for Privacy Preservation

Abstract

Data privacy protection is increasingly critical in fields like healthcare and finance, yet existing methods, such as Fully Homomorphic Encryption (FHE), differential privacy (DP), and federated learning (FL), face limitations like high computational complexity, noise interference, and communication overhead. This paper proposes a novel data obfuscation method based on probability density and information entropy, leveraging a probability density extraction module for global data distribution modeling and an information entropy fusion module for dynamically adjusting the obfuscation intensity. In medical image classification, the method achieved precision, recall, and accuracy of 0.93, 0.89, and 0.91, respectively, with a throughput of 57 FPS, significantly outperforming FHE (0.82, 23 FPS) and DP (0.84, 25 FPS). Similarly, in financial prediction tasks, it achieved precision, recall, and accuracy of 0.95, 0.91, and 0.93, with a throughput of 54 FPS, surpassing traditional approaches. These results highlight the method’s ability to balance privacy protection and task performance effectively, offering a robust solution for advancing privacy-preserving technologies.

1. Introduction

With the rapid development of information technology, data have become essential resources in modern society. However, the efficient utilization of data has also introduced serious security risks [1,2,3], particularly in fields such as healthcare, finance, and economics. Data security issues not only concern individual privacy but may also threaten the healthy development of industries and even social stability [4]. In healthcare scenarios, data such as medical images, health records, and diagnostic information are often highly sensitive [5,6]. If such information is leaked, it could be misused for identity theft, insurance fraud, and other illegal activities [7]. Furthermore, medical data have significant research value, and unprotected data could be exploited without authorization, leading to intellectual property violations [8]. In banking and financial scenarios, if transaction records, account balances, or other financial data are leaked or stolen, it could cause economic losses for individuals and companies and may even trigger a credit crisis [9]. For example, stolen high-frequency trading data could lead to market manipulation, creating instability in the entire financial system [10]. In the field of economic data protection, the economic operation data of enterprises and nations serve as a crucial basis for decision making [11]. If these data are leaked, they could be exploited by competitors, weakening market competitiveness. At the national level, the leakage of economic data could become a strategic tool for adversaries, threatening national economic security [12]. Therefore, how to effectively protect data security during data sharing and analysis has become a key focus for society [5]. The development of data protection technologies not only ensures the privacy and security of individuals but also provides important support for the healthy development of industries, further promoting the deep exploration and application of data value [13].

In the realm of data protection technologies, traditional solutions mainly fall into two categories: encryption-based methods and data obfuscation-based methods [14]. Fully Homomorphic Encryption (FHE) [15] is an encryption method with theoretical completeness that allows computations on encrypted data without decrypting it [16]. This technique ensures high data security through mathematical transformations, representing a significant breakthrough in protecting data privacy. However, the computational overhead of FHE is extremely high, making it unsuitable for practical applications [17]. For instance, in real-time medical data analysis, the high latency of FHE could fail to meet clinical diagnosis time requirements. Differential privacy (DP) [18] is a widely applied data privacy protection technique that introduces noise into the data to protect individual privacy [19]. However, a major issue with DP is that the introduction of noise inevitably impacts the data’s effectiveness, resulting in a decrease in the accuracy of data analysis [20]. For example, in financial forecasting, DP may obscure key details of stock price fluctuations, thus reducing the performance of prediction models. In summary, traditional encryption and obfuscation techniques have a clear conflict between data security and system performance: encryption methods offer high security but poor performance, while obfuscation methods achieve better performance at the cost of some security. This conflict is particularly prominent in modern application scenarios, necessitating new technologies to balance both.

In recent years, with the rapid development of deep learning technologies, deep learning-based models have gradually become an important tool in data protection [21,22]. Deep learning has demonstrated powerful capabilities in feature extraction, pattern recognition, and complex task optimization, providing new ideas for data security protection [23,24,25]. Amanullah et al. [26] proposed a deep learning- and big data-based framework to enhance the security of IoT devices, particularly in terms of adaptability and response speed when facing various network attacks, achieving an accuracy of 98.7%, a precision of 97.5%, and a recall of 96.2%. Chen et al. [27] proposed several deep learning-based network security protection methods aimed at enhancing the defense capabilities and response speeds of systems in smart cities (e.g., traffic, energy, and healthcare) when facing cyber-attacks. Their approach achieved an accuracy of 95.4%, a false positive rate of 2.3%, and an average response time of 0.45 s. However, it was noted that deep learning model training requires a large amount of labeled data and may not perform efficiently on devices with limited computational resources.

Ferrag et al. [28] introduced a new IoT network security protection method by combining federated learning and deep learning, enabling training on multiple IoT nodes without data centralization, thus protecting user privacy. The method showed a detection accuracy of 97.3%, with training efficiency improved by 20% and communication overhead reduced by 15%. However, the method’s performance may be suboptimal in high-latency network environments, and it still faces challenges with computational and communication loads on resource-constrained devices. Kshirsagar et al. [29] proposed a deep learning-based multimedia security solution encompassing identity authentication, encryption, and information hiding to enhance multimedia data security. The experimental results showed that the authentication accuracy was 98.2%, the encryption speed was 200 MB/s, and the information hiding robustness was 95.7%. However, the method depends on high computational resources and may face performance bottlenecks when processing high-resolution data. Rahman et al. [30] studied the security threat posed by adversarial samples to deep learning models for COVID-19, proposing protection methods to enhance model robustness. The experiments showed that the original model had an accuracy of 95.6%, but when subjected to adversarial attacks, the accuracy dropped to 68.3%. This method increases computational overhead and may not be effectively implemented on resource-limited devices. Deep learning models can learn the semantic features of data and abstract them into higher-level representations. This abstraction significantly reduces the risk of direct leakage of original data [31].

Despite the numerous tools that deep learning offers for data security, its application in privacy protection still faces challenges. For instance, deep learning models themselves may become a vector for privacy leakage (such as model inversion attacks), and the high computational costs in both model training and inference still limit their large-scale application in practical scenarios. In response to these challenges, a data obfuscation security framework based on probability density and information entropy is proposed. By combining the feature extraction of probability distributions and the dynamic control of information complexity, this framework achieves a balance between data security and system performance. Compared to existing methods, the innovations of this framework include the following aspects:

• Probability density extraction module: This module is designed to extract probability distribution characteristics from raw data. Compared to traditional random noise methods, it can more accurately capture data characteristics, thereby reducing the performance loss in downstream tasks.
• Information entropy fusion module: This module quantifies the data’s complexity using information entropy and dynamically adjusts the strength of data obfuscation by combining Shannon entropy and conditional entropy. It can effectively protect sensitive information while ensuring the preservation of core data features.
• Multi-scenario validation: The framework’s generality and effectiveness are validated in two typical application scenarios, healthcare and finance. Experiments demonstrate that the proposed method outperforms existing approaches in terms of accuracy, throughput, and security.
• Balance between performance and security: The proposed method significantly improves system efficiency while achieving efficient obfuscation, reducing the computational overhead of encryption and decryption processes and making it suitable for real-time data analysis scenarios.

In conclusion, the proposed method provides a new approach to data protection across multiple scenarios by balancing data security and performance.

2. Related Works

2.1. Encryption-Based Security Methods

Data encryption techniques have always played a significant role in protecting data security. FHE [15,32] is a theoretically complete encryption method that allows computations to be performed directly on encrypted data without decryption. This feature makes it particularly important in scenarios involving highly sensitive data processing [33,34]. The fundamental idea of FHE is to define encryption and decryption functions, $Enc(·)$ and $Dec(·)$, in such a way that operations performed on ciphertext map to equivalent operations on the plaintext. Specifically, for plaintexts x and y, the encryption function satisfies the following relation:

$$Dec\left(Enc\right(x)\oplus Enc(y\left)\right)=x+y$$

(1)

where ⊕ denotes an operation in the ciphertext domain, allowing addition to be carried out on encrypted data. Similarly, FHE supports multiplication, with the following relation:

$$Dec\left(Enc\right(x)\otimes Enc(y\left)\right)=x·y$$

(2)

This property allows arbitrary polynomial computations to be performed in the ciphertext domain. However, since each operation requires high computational complexity for encoding and decoding, the computational cost of FHE is extremely high, especially when dealing with large-scale data. As the data size increases, the performance overhead grows exponentially [35]. This makes FHE unsuitable for real-time applications, such as medical image analysis or high-frequency financial trading predictions. In contrast, Secure Multi-party Computation (SMC) [36] divides the data into several parts and distributes them to different participants for joint computation, without revealing the original data of any individual participant. The core idea of SMC is to break down a computation task into multiple sub-tasks, which are executed by different participants, and the results are later integrated to complete the calculation [37]. For example, an addition task $x+y$, where x can be split into $x_1$ and $x_2$ such that $x=x_1+x_2$, with $x_1$ and $x_2$ being distributed to different participants. Similarly, y can be split into $y_1$ and $y_2$. This method has the advantage of not requiring centralized data processing, but the drawback lies in the frequent communication needed to ensure the correctness of the computation. The communication cost increases significantly with the number of participants and the complexity of the data, leading to performance bottlenecks in high-dimensional data or multi-node scenarios.

2.2. Data Obfuscation-Based Security Methods

Compared to encryption techniques, data obfuscation methods focus on directly perturbing the data itself to achieve privacy protection. DP [38] is one of the most representative methods in this category. The basic principle of DP is to introduce random noise into data queries or statistical results, making it impossible for an attacker to infer specific information about an individual data point [39,40,41]. Mathematically, DP is defined as follows: for any two adjacent datasets D and $D^{\prime }$, if an algorithm $\mathcal{A}$ satisfies

$$P[\mathcal{A}\left(D\right)\in S]\le e^{ϵ}P[\mathcal{A}\left(D^{\prime }\right)\in S]$$

(3)

where S is any subset of the output space and $ϵ$ is the privacy budget, $\mathcal{A}$ is said to satisfy $ϵ$-differential privacy. A smaller $ϵ$ means better privacy protection, but it also results in a larger amount of noise being introduced, which can affect the data’s usability. Specifically, the Laplace mechanism is commonly used to add noise $\eta$ to the query results $f\left(D\right)$ to achieve differential privacy, where the noise $\eta$ follows the distribution

$$\eta \sim \mathrm{Lap}\left(0,{\displaystyle \frac{\Delta f}{ϵ}}\right)$$

(4)

where $\Delta f$ is the global sensitivity of the function f, which measures the maximum impact of a single data point’s change on the output. While this method performs well in privacy protection, the introduction of random noise can severely affect the accuracy of the data. For instance, in financial prediction tasks, random perturbation of key features may obscure important market trends, leading to reduced prediction accuracy. FL [42] is a distributed machine learning method that focuses on local data processing. Models are trained locally at each participant, and their gradient information is aggregated to protect privacy. The training process can be represented as

$${\theta }_t^{k+1}={\theta }_t^k-\eta \nabla L({\theta }_t^k;D_k)$$

(5)

where ${\theta }_t^k$ represents the model parameters at the k-th node at round t, $\eta$ is the learning rate, L is the loss function, and $D_k$ is the dataset of the k-th node. The advantage of FL is that data do not need to be centralized, which reduces the risk of data leakage. However, in complex data scenarios (such as multi-modal data or highly non-independent and identically distributed data), the performance of FL may be limited by the effectiveness of model aggregation, and communication overhead remains a major bottleneck in real-world deployments.

The limitations of the aforementioned methods are addressed by the proposed data obfuscation strategy, which combines probability density and information entropy for targeted data protection. In traditional methods, while FHE offers high security, its computational overhead makes it unsuitable for real-time scenarios. DP, although superior in performance, significantly impacts data usability. Federated learning shows distinct advantages in distributed scenarios but still faces technical challenges in model aggregation and complex environments. By combining feature extraction based on probability density with dynamic control through information entropy, the proposed approach achieves a significant improvement in both data security and task performance. This new solution offers an innovative way to protect sensitive data in healthcare, finance, and other domains where privacy is critical.

3. Materials and Method

3.1. Dataset Collection

A rich and diverse dataset is a crucial prerequisite for the research presented in this study. Large-scale data were collected from two key domains: medical imaging and finance, ensuring both comprehensiveness and depth in the study. Medical imaging data were primarily sourced from internationally recognized image databases, such as Radiopaedia [43] and OpenI. These datasets cover a variety of diseases and cases, such as pneumonia, lung cancer, and brain tumors, with each type of image annotated with detailed case descriptions and diagnostic results. Classification tasks for these datasets include identifying disease severity (e.g., healthy, mild, and severe cases) or distinguishing tumor types in MRI images. These sources were chosen over others for their reliability, standardization, and comprehensive coverage, enhancing the dataset’s robustness and applicability to real-world scenarios. Financial data were obtained from leading financial market websites and included daily stock prices, trading volumes, and macroeconomic indicators. These data have been standardized and span various time periods and market conditions. Specific classification tasks in this domain include predicting price trends (up, down, or unchanged) and categorizing risk levels (low, medium, or high risk) based on historical financial metrics. This setup ensures that the dataset aligns with practical applications in financial prediction and risk assessment. The integration and analysis of these datasets aim to provide a thorough investigation of data obfuscation security methods, demonstrating the versatility of the proposed approach across diverse domains.

3.1.1. Image Data

During the collection of medical imaging data, various types of images were selected, including X-rays, CT scans, and MRI scans, with all data sourced from Radiopaedia [44] and the OpenI [45] medical image repositories. The number of images for each type was determined based on its clinical relevance, frequency of use in diagnostic procedures, and importance in addressing diverse medical scenarios. X-rays were prioritized due to their widespread use in diagnosing common conditions like chest diseases, while CT and MRI scans were included to represent more complex cases requiring advanced imaging techniques. Special attention was given to selecting images that reflect a variety of common diseases and complex cases. To ensure an adequate representation of each modality, the dataset was balanced with 5912 X-rays, 9649 CT scans, and 7345 MRI scans, which provided sufficient data for deep learning model training and evaluation without introducing significant biases, as shown in

Table 1. Data quantities for different medical imaging types.

Image Data Type	Number
X-ray	5912
CT scan	9649
MRI scan	7345

. Each image was accompanied by complete case descriptions and diagnostic results, ensuring both the richness and practical utility of the dataset. Additionally, rigorous data quality checks were applied to exclude low-quality or incomplete images, further enhancing the dataset’s robustness and reliability.

3.1.2. Financial Data

For financial data collection, the focus was primarily on stock price information, sourced from financial information service websites such as Yahoo Finance and Google Finance. Key financial indicators, including stock prices, trading volumes, and market capitalization, were systematically collected. The data span from 2013 to 2024, covering different economic cycles, allowing for an analysis of the impact of economic cycles on the stock market. The data attributes for different years are shown in

Table 2. List of financial indicators considered in data collection.

Category	Financial Indicators
Stock Market	Opening Price, Closing Price, High Price, Low Price, Trading Volume, Market Capitalization
Volatility	Beta Coefficient, Standard Deviation of Returns, Average True Range (ATR)
Liquidity	Bid–Ask Spread, Turnover Ratio, Trading Frequency
Fundamentals	Earnings Per Share (EPS), Price-to-Earnings Ratio (P/E), Price-to-Book Ratio (P/B),
	Return on Equity (ROE), Dividend Yield, Free Cash Flow (FCF)
Macroeconomic	Interest Rate, Inflation Rate, GDP Growth Rate, Unemployment Rate
Sentiment	News Sentiment Score, Social Media Sentiment Index

. To enhance the reliability and accuracy of the research, necessary data cleaning and preprocessing steps were carried out, including the removal of non-trading days, adjustments for stock splits, and the filling in of missing values. This data preparation provides precise baseline information, establishing a solid foundation for subsequent data obfuscation and security analysis.

3.2. Data Augmentation

Data imputation, cleaning, and augmentation are essential steps in building high-quality datasets, directly influencing the performance of subsequent model training and evaluation. Due to differences in data sources and collection methods, issues such as missing data, imbalanced datasets, or abnormal distributions often arise in both financial and medical imaging data. Specific imputation and cleaning methods, as well as data augmentation strategies, have been designed for both financial and medical imaging data to support efficient model training.

3.2.1. Financial Dataset Imputation and Cleaning

Financial data typically appear in the form of time series, such as stock prices, trading volumes, and market indices. These data are strongly time-dependent, but missing values often arise due to reasons like market closures or data collection failures. To ensure data completeness and consistency, missing values must be imputed in a reasonable manner. The basic idea behind missing value imputation is to predict the location of the missing values based on known data points. Common methods include interpolation and time-series forecasting. Interpolation estimates missing values by analyzing the trend between known data points. Let $y_t$ denote the value at time t, and assuming that a missing value exists at t, the value can be estimated using linear interpolation as follows:

$$y_t=y_{t-1}+{\displaystyle \frac{y_{t+1}-y_{t-1}}{t_{t+1}-t_{t-1}}}(t-t_{t-1}),$$

(6)

where $t_{t-1}$ and $t_{t+1}$ are the nearest two non-missing time points. This method assumes linearity between data points and is suitable for small gaps. For time series with more complex nonlinear trends, time-series forecasting models, such as ARIMA or LSTM, can be used to fill in missing values. For example, in an LSTM model, the input time-series data $X=[x_1,x_2,\dots ,x_t]$ pass through the neural network to obtain a predicted value ${\widehat{x}}_{t+1}$ as follows:

$${\widehat{x}}_{t+1}=f(X;\theta ),$$

(7)

where $\theta$ represents the model parameters and $f(·)$ is the mapping function of LSTM. The predicted value ${\widehat{x}}_{t+1}$ is used to fill in the missing value, which helps better capture the time dependence in the data. After completing the missing value imputation, financial data also need to undergo normalization to meet the requirements for model training. Normalization maps data to a specific range, such as $[0,1]$, reducing the impact of different feature scales. Let x denote the data value, with $x_{max}$ and $x_{min}$ being the maximum and minimum values of x. The normalized value is calculated as

$$x^{\prime }={\displaystyle \frac{x-x_{min}}{x_{max}-x_{min}}}.$$

(8)

Normalization helps improve the convergence speed of the optimization process and is particularly useful for financial data training tasks.

3.2.2. Medical Image Data Augmentation

The quality of medical imaging data directly impacts the performance of models in diagnostic tasks. However, due to issues such as insufficient samples or class imbalance in real-world data collection, raw data often cannot meet the deep learning models’ need for large-scale, high-quality training datasets. Data augmentation techniques generate more diverse samples by applying a series of transformations to the raw data, as shown in Figure 1, while retaining key image features, thus significantly improving the model’s generalization ability.

Common medical image augmentation methods include random rotation and flipping, which modify the spatial arrangement of the image to increase data diversity. For example, for a 2D image $I(x,y)$, the random rotation operation can be expressed as

$$I^{\prime }(x^{\prime },y^{\prime })=I(xcos\theta -ysin\theta ,xsin\theta +ycos\theta ),$$

(9)

where $\theta$ is the rotation angle and $(x^{\prime },y^{\prime })$ are the new coordinates after rotation. Random flipping reverses the image along either the horizontal or vertical axis to generate augmented images. Gaussian blur and sharpening techniques adjust the spatial frequency distribution of the image to simulate different imaging conditions. Gaussian blur can be applied by convolving the image $I(x,y)$ with a Gaussian kernel K as follows:

$$I^{\prime }(x,y)=\sum _{u=-k}^k\sum _{v=-k}^{k}K(u,v)I(x+u,y+v),$$

(10)

where $K(u,v)={\displaystyle \frac{1}{2\pi {\sigma }^2}}exp\left(-{\displaystyle \frac{u^2+v^2}{2{\sigma }^2}}\right)$ and $\sigma$ controls the degree of blurring. Conversely, sharpening enhances edge details in the image, increasing its spatial frequency. Synthetic noise augmentation adds random noise to the image to improve the model’s robustness to varying image qualities. If the original image is denoted by $I(x,y)$ and the noise image by $\eta (x,y)$, the augmented image is

$$I^{\prime }(x,y)=I(x,y)+\eta (x,y),$$

(11)

where $\eta (x,y)$ can be Gaussian noise (with mean 0 and standard deviation $\sigma$) or salt-and-pepper noise, depending on the task requirements. The addition of noise simulates fluctuations in image quality due to different imaging devices or environments, thereby enhancing the model’s adaptability to diverse data.

These data augmentation techniques play a crucial role in addressing issues such as insufficient samples and class imbalance in medical image datasets. They help generate a more diverse set of training samples, improving the model’s robustness and performance in real-world applications.

3.3. Proposed Method

This study proposes a data obfuscation security method based on probability density and information entropy, aiming to ensure data security while maintaining high usability and analytical accuracy, as shown in Figure 2.

The entire workflow is divided into five main modules: data input, probability density extraction, information entropy fusion, obfuscation strategy optimization, and final output. The following sections provide a detailed explanation of each module and their interactions. The processed data first enter the probability density extraction module, which is responsible for extracting the probability distribution characteristics of the raw data. This step provides essential information for the subsequent obfuscation strategy. After extracting the probability density features, the data flow to the information entropy fusion module, which serves as the core of the proposed method. The primary objective of this module is to dynamically adjust the obfuscation intensity using information entropy, thereby ensuring data privacy while minimizing the impact on task performance. Subsequently, the data processed by the information entropy fusion module are directed to the fusion loss function module for optimization. In this module, a fusion loss function is designed to simultaneously optimize data security and usability.

3.3.1. Data Obfuscation Strategy Based on Probability Density and Information Entropy

This study proposes a data obfuscation strategy based on probability density and information entropy to address the trade-off between data privacy protection and analytical performance. By coordinating the probability density extraction module and the information entropy fusion module, the strategy achieves the targeted obfuscation of data, balancing privacy protection and task performance, as shown in Figure 3. Figure 3 illustrates the architecture of the proposed data obfuscation strategy, which is composed of three main layers: the Training Management Layer, the Privacy Evaluation Layer, and the Feature Processing Layer. The Training Management Layer oversees the optimization process by iteratively adjusting the parameters based on the loss function, ensuring a balance between privacy protection and task performance. The Privacy Evaluation Layer integrates a privacy discriminator and sensitive information detector, which dynamically assess the risk of privacy leakage and provide feedback to guide the obfuscation intensity. The Feature Processing Layer consists of the Encoder Network, Attribute Suppression Module, and Decoder Network, which work collaboratively to extract features, suppress sensitive attributes, and reconstruct data, retaining core utility while obfuscating sensitive information. These components interact seamlessly to provide a comprehensive solution for data obfuscation.

In its implementation, the probability density extraction module first models the distribution features of the raw data. The raw data $X=\{x_1,x_2,\dots ,x_n\}$ are fed into a kernel density estimator to compute its probability density function (PDF). The kernel density estimation is given by

$$\widehat{f}\left(x\right)={\displaystyle \frac{1}{nh}}\sum _{i=1}^{n}K\left({\displaystyle \frac{x-x_i}{h}}\right),$$

(12)

where $K(·)$ is a Gaussian kernel function and h is the bandwidth parameter. The distribution features generated by kernel density estimation are further processed by a deep neural network. The network consists of three convolutional layers (each with kernel size $3\times 3$, 64 channels, and ReLU activation), followed by two fully connected layers with 128 and 64 nodes, respectively. The final output is a high-dimensional distribution feature vector representing the data’s distribution pattern in the feature space. The probability density feature vector is then fed into the information entropy fusion module. This module dynamically adjusts the obfuscation intensity using information entropy, $H\left(X\right)$, a key metric for measuring data uncertainty, defined as

$$H\left(X\right)=-\sum _{i}P\left(x_i\right)logP\left(x_i\right),$$

(13)

where $P\left(x_i\right)$ represents the probability of data point $x_i$. Information entropy is computed based on the distribution features generated by the probability density extraction module, with the intensity of obfuscation adjusted based on these entropy values. For data points with higher information entropy (indicating higher sensitivity), stronger obfuscation is applied. Conversely, data points with lower entropy (indicating lower sensitivity) are subject to milder obfuscation. The dynamic adjustment of the obfuscation intensity allows the model to target data regions that are more sensitive to perturbations, applying stronger obfuscation where privacy is more critical while minimizing the impact on less sensitive regions. The obfuscation process is implemented using the following formula:

$$M\left(x\right)=\alpha ·G\left(x\right)+\beta ·T\left(x\right),$$

(14)

where $G\left(x\right)$ represents Gaussian noise-based obfuscation, $T\left(x\right)$ represents gradient perturbation-based obfuscation, and $\alpha$ and $\beta$ are dynamically generated weights based on information entropy, satisfying $\alpha +\beta =1$. Gaussian noise follows the distribution

$$\eta \sim \mathcal{N}(0,{\sigma }^2),$$

(15)

while gradient perturbation is generated using the gradient information of the task model, defined as

$$T\left(x\right)=x+ϵ·{\nabla }_{x}L(f\left(x\right),y),$$

(16)

where $ϵ$ is the perturbation strength and ${\nabla }_{x}L(f\left(x\right),y)$ is the gradient of the loss function L with respect to the input data x. The information entropy fusion module also includes an entropy map generator to apply higher-intensity obfuscation to sensitive regions in specific contexts. For example, in medical imaging tasks, the entropy map identifies lesion areas for targeted protection. Local entropy is computed by combining distribution features and domain priors, using the formula

$$H_{\mathrm{local}}\left(x\right)=-\sum _j{P}_j\left(x\right)log{P}_j\left(x\right),$$

(17)

where $P_j\left(x\right)$ represents the probability distribution of pixel x within a local window. By combining probability density extraction and information entropy fusion, the proposed method preserves the global distribution of the data while protecting sensitive information. A mathematical analysis of this design demonstrates that the probability density extraction module provides precise modeling of data distributions, ensuring that obfuscated data retain the core characteristics required for analytical tasks. Meanwhile, the information entropy fusion module dynamically adjusts the obfuscation intensity, reducing the adverse effects of over-obfuscation on task performance.

In practical applications, this design offers several advantages. First, the efficient modeling capability of the probability density extraction module enhances the obfuscation strategy’s adaptability to data distributions, ensuring that obfuscated data align with downstream task requirements. Second, the dynamic adjustment mechanism of the information entropy fusion module significantly reduces the conflict between privacy protection and task performance, making it suitable for various scenarios, such as medical image analysis and financial data prediction. Finally, the inclusion of the entropy map generator allows for the targeted protection of sensitive regions within the data, providing an effective solution for privacy-sensitive domains like healthcare and finance.

3.3.2. Probability Density Extraction Module

The proposed probability density extraction module aims to capture the global distribution characteristics of raw data, providing precise probabilistic features to the subsequent information entropy fusion module, as shown in Figure 4. Unlike attention mechanisms that focus on feature weighting, this module emphasizes the consistency of data distribution on a global scale. While attention mechanisms typically assign different weights to specific regions of features to enhance task-specific performance, the probability density extraction module models the data’s probability distribution to ensure that the obfuscated data retain statistical characteristics similar to the original data.

In its design, the probability density extraction module integrates kernel density estimation (KDE) and convolutional neural networks (CNNs) to transform raw data into high-dimensional distribution features. The input data have dimensions $W\times H\times C$, where $W=128$, $H=128$, and $C=3$, which are chosen to accommodate common image inputs. First, KDE calculates the probability distribution of the data. The formula for KDE is as follows:

$$\widehat{f}\left(x\right)={\displaystyle \frac{1}{nh}}\sum _{i=1}^{n}K\left({\displaystyle \frac{x-x_i}{h}}\right),$$

(18)

where $K\left(x\right)$ is the Gaussian kernel function defined as

$$K\left(x\right)={\displaystyle \frac{1}{\sqrt{2\pi }}}{e}^{-{\displaystyle \frac{x^2}{2}}}.$$

(19)

This process generates the initial probability density distribution of the data, capturing its global characteristics. Subsequently, the input data undergo feature extraction through a three-layer convolutional neural network. The first convolutional layer uses kernels of size $3\times 3$, with 64 channels, a stride of 1, and ReLU as the activation function. The second convolutional layer increases the number of channels to 128, with the same kernel size but a stride of 2. The third convolutional layer uses 256 channels, with a kernel size of $3\times 3$ and a stride of 2. The computation for each convolutional layer is defined as

$$F_l=\sigma (W_l\ast F_{l-1}+b_l),$$

(20)

where ∗ denotes the convolution operation, $W_l$ and $b_l$ represent the weights and biases of the l-th layer, and $\sigma$ is the ReLU activation function. After the convolution operations, the feature maps are flattened and passed through the fully connected layers to generate high-dimensional distribution feature vectors. This process is represented as

$$Z=\varphi (W{Z}_{l-1}+b),$$

(21)

where $\varphi$ is a nonlinear activation function. The final output is a distribution feature vector with a dimension of $1\times 64$. To validate the accuracy and fidelity of the estimated probability density, several additional validation methods are employed beyond the L_density loss term. In practice, the performance of the KDE-based density estimation is evaluated through its consistency with the true data distribution using the Kullback–Leibler (KL) divergence, which measures the discrepancy between the true and estimated probability distributions. The KL divergence is defined as

$$D_{\mathrm{KL}}\left(P\right|\left|Q\right)=\sum _{x}P\left(x\right)log{\displaystyle \frac{P\left(x\right)}{Q\left(x\right)}},$$

(22)

where $P\left(x\right)$ represents the true probability density and $Q\left(x\right)$ is the estimated probability density generated by the module. Minimizing the KL divergence ensures that the estimated density closely matches the true data distribution, providing a more robust validation of the global distribution characteristics captured by the module. Additionally, the ability of the module to retain global distribution characteristics is further validated through a data reconstruction process. In this process, new data samples are generated using the estimated probability density and compared to the original data to ensure that the generated samples preserve key statistical features, such as mean and variance. If the reconstructed samples closely match the original data in terms of these statistical measures, it indicates that the module effectively retains the data’s global distribution features. Furthermore, the module’s ability to handle various data subsets is tested to ensure consistency across different types of data. This is done by applying KDE to different data subsets (e.g., different categories, time periods, or regions) and comparing the distribution properties of these subsets. If the density estimates exhibit consistent global statistical characteristics across different subsets, it further validates that the probability density extraction module is capturing the global distribution of the data in a comprehensive manner.

This module’s design offers several significant advantages. First, by combining kernel density estimation (KDE) with convolutional feature extraction, it ensures that the obfuscated data statistically retain the original data’s distribution properties. The use of KDE allows for non-parametric estimation of the data’s probability distribution, which is particularly effective for capturing complex and high-dimensional data distributions without making assumptions about the underlying distribution. Unlike parametric methods, KDE is flexible and can adapt to various data characteristics. Convolutional neural networks (CNNs) are employed to enhance this process by extracting high-level features that capture the underlying patterns in the data. CNNs are well suited for handling large, high-dimensional datasets such as images, where local patterns and hierarchical structures are important. This combination of KDE and CNNs ensures a robust, flexible approach to modeling data distributions that can adapt to different types of data while preserving the statistical characteristics of the original data. Second, as the output features represent global distribution characteristics rather than task-specific target features, the module achieves a high degree of task independence and adaptability. Finally, the module seamlessly integrates with the information entropy fusion module, providing high-quality probabilistic features to support the effectiveness of the obfuscation strategy.

3.3.3. Fusion Loss Function

The proposed fusion loss function is designed to balance the trade-off between data obfuscation security and task performance, ensuring that the obfuscated data protect privacy while minimally impacting downstream task model training and inference. Unlike traditional loss functions that optimize a single objective (such as task performance or privacy protection), the fusion loss function combines security loss and performance loss into a multi-objective optimization framework. This approach ensures that the obfuscated data achieve an optimal balance between privacy and task relevance. The fusion loss function consists of two components: security loss and performance loss. It is defined as

$$L_{\mathrm{fusion}}={\lambda }_1{L}_{\sec \mathrm{urity}}+{\lambda }_2{L}_{\mathrm{performance}},$$

(23)

where ${\lambda }_1$ and ${\lambda }_2$ are weighting parameters that balance the contributions of the two loss components to the overall optimization. Security loss quantifies the privacy protection effect of the obfuscation strategy by comparing the information entropy of the obfuscated data with that of the original data. It is defined as

$$L_{\sec \mathrm{urity}}={\displaystyle \frac{1}{n}}\sum _{i=1}^n\left|H\left(x_i\right)-H\left(M\left(x_i\right)\right)\right|,$$

(24)

where $H\left(x_i\right)$ and $H\left(M\left(x_i\right)\right)$ represent the information entropy of the original data $x_i$ and the obfuscated data $M\left(x_i\right)$, respectively. Minimizing this loss ensures an appropriate entropy difference between the original and obfuscated data, enhancing privacy protection strength. Performance loss measures the impact of the obfuscated data on the task model and is defined as

$$L_{\mathrm{performance}}={\displaystyle \frac{1}{m}}\sum _{j=1}^m{\left|f\left(x_j\right)-f\left(M\left(x_j\right)\right)\right|}^2,$$

(25)

where $f\left(x_j\right)$ and $f\left(M\left(x_j\right)\right)$ denote the task model outputs for the original data $x_j$ and the obfuscated data $M\left(x_j\right)$, respectively. Minimizing this loss ensures that the predictions on the obfuscated data remain as close as possible to those on the original data, reducing the performance impact.

The fusion loss function is closely integrated with the information entropy fusion module, dynamically adjusting the obfuscation intensity to further optimize the data obfuscation strategy. The obfuscated data $M\left(x\right)$ generated by the information entropy fusion module are defined as

$$M\left(x\right)=\alpha ·G\left(x\right)+\beta ·T\left(x\right),$$

(26)

where $G\left(x\right)$ represents Gaussian noise-based obfuscation, $T\left(x\right)$ represents gradient perturbation-based obfuscation, and the weights $\alpha$ and $\beta$ are dynamically generated based on information entropy, satisfying $\alpha +\beta =1$. By substituting $M\left(x\right)$ into the fusion loss function, the calculations for both security loss and performance loss are based on the dynamically adjusted obfuscated data, enabling more flexible privacy protection and task optimization.

To demonstrate that the fusion loss function achieves a balance between privacy protection and task performance, we define the following optimization objective:

$$\mathcal{L}={\lambda }_1\left({\displaystyle \frac{1}{n}}\sum _{i=1}^n\left|H\left(x_i\right)-H\left(M\left(x_i\right)\right)\right|\right)+{\lambda }_2\left({\displaystyle \frac{1}{m}}\sum _{j=1}^m{\left|f\left(x_j\right)-f\left(M\left(x_j\right)\right)\right|}^2\right).$$

(27)

The first term represents the privacy protection objective, while the second term represents the task performance objective. By jointly optimizing this objective function, the obfuscated data can meet privacy protection requirements while retaining features useful for the task model. During gradient descent, the optimization direction for the obfuscated data $M\left(x\right)$ is determined by the following partial derivative:

$${\displaystyle \frac{\partial \mathcal{L}}{\partial M\left(x\right)}}={\lambda }_1·{\displaystyle \frac{\partial L_{\sec \mathrm{urity}}}{\partial M\left(x\right)}}+{\lambda }_2·{\displaystyle \frac{\partial L_{\mathrm{performance}}}{\partial M\left(x\right)}}.$$

(28)

By adjusting the weights ${\lambda }_1$ and ${\lambda }_2$, the objectives of privacy protection and task performance can be dynamically balanced, achieving the optimal obfuscation strategy. The fusion loss function is designed with the dual objectives of privacy protection and task performance, offering the following advantages:

• Introducing information entropy as a metric for privacy protection ensures that the obfuscated data effectively protect sensitive information while preserving global distribution characteristics.
• The design of performance loss directly quantifies the impact of the obfuscated data on downstream models, ensuring that the obfuscated data remain applicable to the original task.
• Combined with the information entropy fusion module, the fusion loss function enables dynamic adjustment of obfuscation strategies, making it adaptable to varying privacy protection needs and task requirements.

3.4. Experimental Setup

3.4.1. Hardware and Software Platforms

The experiments were conducted on an NVIDIA A100 GPU, a high-performance unit designed for artificial intelligence and high-performance computing, offering powerful computational capabilities, a large memory capacity (up to 80 GB), and Tensor cores for accelerating deep learning tasks. To enhance efficiency, the Multi-Instance GPU (MIG) feature was utilized for resource sharing and multi-tasking. On the software side, PyTorch 1.8 served as the primary framework for model construction and training, leveraging its dynamic computational graph and user-friendly API. CUDA and cuDNN were integrated to accelerate key operations like convolution and backpropagation, while NumPy 2.x, Pandas, and Matplotlib were employed for data processing and visualization. This hardware–software integration ensured efficient data handling, model training, and results analysis, supporting this study’s experimental needs.

3.4.2. Optimizer Configuration and Hyperparameter Settings

The Adam optimizer, known for its superior performance in deep learning, was selected for this study due to its ability to achieve fast convergence and stability. Adam combines momentum and adaptive learning rates, dynamically adjusting the step size based on the first- and second-moment estimates of the gradients during each parameter update. Specifically, the update rules for Adam are as follows:

$$m_t={\beta }_1{m}_{t-1}+(1-{\beta }_1)g_t,v_t={\beta }_2{v}_{t-1}+(1-{\beta }_2)g_t^2,$$

(29)

$${\widehat{m}}_t={\displaystyle \frac{m_t}{1-{\beta }_1^t}},{\widehat{v}}_t={\displaystyle \frac{v_t}{1-{\beta }_2^t}},$$

(30)

$${\theta }_{t+1}={\theta }_t-\eta {\displaystyle \frac{{\widehat{m}}_t}{\sqrt{{\widehat{v}}_t}+ϵ}},$$

(31)

where $m_t$ and $v_t$ represent the first and second-moment estimates of the gradients, ${\beta }_1$ and ${\beta }_2$ are the decay rates, and $\eta$ is the learning rate, which was set to 0.001 for this study. The adaptive nature of Adam makes it particularly effective at handling sparse gradients or noisy data. The hyperparameters ${\beta }_1$ and ${\beta }_2$ were set to 0.9 and 0.999, respectively, following standard settings commonly used for the Adam optimizer. To ensure the model’s robustness across different data distributions, the dataset was divided and preprocessed appropriately. The dataset was split into training, validation, and test sets with an 80:10:10 ratio, with 80% of the data used for model training, 10% for validation to adjust the hyperparameters, and the remaining 10% for evaluating the model’s final performance. The dataset used for training consisted of 10,000 samples, the validation set contained 1250 samples, and the test set also included 1250 samples.

During training, 5-fold cross-validation was employed, where the training data were divided into five subsets. In each round, one subset was used as the validation set, while the remaining subsets were used for training. This process was repeated five times, and the final model performance was evaluated based on the average performance across all five folds. The average results from cross-validation help mitigate errors arising from a single split, thus improving the model’s generalization ability. To ensure consistent evaluation across different tasks, cross-validation was conducted for both the medical image dataset and the financial dataset separately, allowing for task-specific adjustments. The specific hyperparameter settings involved grid search optimization for the obfuscation strength parameter. The obfuscation strength $\alpha$, which determines the level of perturbation applied in the data obfuscation strategy, was searched within the range of $[0.1, 1.0]$ with a step size of 0.1. For each value of $\alpha$, the model was trained and validated, and the optimal value was selected based on performance metrics on the validation set. In each experiment, the value of $\alpha$ was applied during model training, and the optimal value was selected based on performance metrics (e.g., accuracy and precision) on the validation set. The grid search was conducted over a total of 10 different values of $\alpha$. Grid search systematically explores the parameter space, ensuring the optimal configuration for the specific task. In addition, the hyperparameters ${\lambda }_1$ and ${\lambda }_2$, which control the trade-off between the information entropy loss and the probability density estimation loss, were also tuned through grid search. The values of ${\lambda }_1$ and ${\lambda }_2$ were searched within the range of $[0.1,1.0]$ with a step size of 0.1. The optimal values of ${\lambda }_1$ and ${\lambda }_2$ were determined based on the performance of the model on the validation set, ensuring a balanced loss function that effectively incorporates both privacy protection and task performance. The grid search approach was essential for ensuring that the combination of ${\lambda }_1$ and ${\lambda }_2$ contributed effectively to the task-specific needs, without compromising either privacy or performance.

3.5. Baselines

To comprehensively evaluate the effectiveness of the proposed method, several state-of-the-art privacy protection techniques were selected as baselines, including FHE [15], DP [38], SMC [36], and FL [42]. The core concept of Fully Homomorphic Encryption is to perform computations directly on ciphertext without decryption, ensuring high security. Differential privacy protects privacy by adding noise to data or query results, which enhances the training and inference performance of the framework. Secure Multi-party Computation distributes data to different participants and jointly completes computations. After dividing the computation task into sub-tasks, the results are aggregated to perform the overall operation. For example, the distributed implementation of an addition task is $z=z_1+z_2$, where $z_1=x_1+y_1$ and $z_2=x_2+y_2$. Federated learning updates a global model by training models locally and aggregating gradients from all participants, as defined by

$${\theta }_t={\displaystyle \frac{1}{K}}\sum _{k=1}^K{\theta }_t^k,$$

(32)

where ${\theta }_t^k$ denotes the parameter updates for the k-th node, and although it effectively avoids privacy risks associated with data centralization, it still faces challenges in model aggregation and complex scenarios. These methods address data privacy protection from various perspectives.

3.6. Evaluation Metrics

To evaluate the performance of the proposed method comprehensively, multiple important metrics were employed, including accuracy, precision, recall, and Frames Per Second (FPS). These metrics assess the model’s performance in different dimensions, focusing on both classification accuracy and the efficiency of model operation. Accuracy is defined as the ratio of correctly classified samples to the total number of samples:

$$\mathrm{Accuracy}={\displaystyle \frac{TP+TN}{TP+TN+FP+FN}},$$

(33)

where $TP$ represents true positive samples, $TN$ denotes true negative samples, $FP$ is the false positive sample count, and $FN$ is the false negative sample count. Accuracy reflects the overall correctness of the model, but it may be limited in cases of severely imbalanced classes, requiring the use of other metrics for comprehensive evaluation. Precision measures the proportion of predicted positive samples that are actually positive. Its mathematical definition is

$$\mathrm{Precision}={\displaystyle \frac{TP}{TP+FP}}.$$

(34)

A high precision indicates that the model’s predictions for positive classes are reliable and help reduce false positives. This is particularly important in medical imaging diagnostics, where the aim is to avoid misdiagnosing healthy samples as patients. Recall describes the proportion of actual positive samples that are correctly predicted by the model, defined as

$$\mathrm{Recall}={\displaystyle \frac{TP}{TP+FN}}.$$

(35)

Recall reflects the model’s ability to identify positive samples. A high recall means the model can identify as many actual positive samples as possible, which is crucial for disease screening tasks. For example, in cancer detection, a high recall minimizes the possibility of missed diagnoses. FPS is an important metric for assessing the efficiency of model execution, representing the number of samples the model can process per unit of time. Given that the model processes n samples in time t, FPS is defined as:

$$\mathrm{FPS}={\displaystyle \frac{n}{t}}.$$

(36)

A higher FPS indicates higher model efficiency, which is particularly crucial for real-time applications such as financial market predictions or dynamic medical image analysis.

4. Results and Discussion

4.1. Implementation Details and Configurations of Baseline Methods

FHE was implemented using the widely recognized HElib library, which supports arithmetic operations on encrypted data. The encryption parameters were set to ensure a balance between computational efficiency and security strength, with a key size of 2048 bits. For operations involving addition and multiplication, the ciphertext modulus was carefully chosen to avoid excessive noise accumulation. During the experiments, encrypted medical and financial data were processed directly without decryption, following the standard FHE workflow. For DP, we employed the Laplace mechanism to ensure $\epsilon$-differential privacy, where $\epsilon$ was set to 0.5 for a moderate privacy–utility trade-off. Noise was added to each query result based on the sensitivity of the function being evaluated. For medical image classification, pixel intensity values were perturbed; for financial predictions, noise was applied to key features such as stock prices and trading volumes. The resulting data retained privacy guarantees but at the expense of reduced accuracy due to noise interference.

SMC was implemented using a custom setup in a distributed environment. Data were partitioned into shares and distributed among three parties, each performing partial computations. The computations were securely aggregated to reconstruct the final results. The communication protocol followed the GMW protocol, ensuring privacy during the intermediate steps. FL was implemented using a federated setup, where models were trained locally on multiple nodes. Each node processed a subset of the data and shared gradient updates with a central server. The Federated Averaging Algorithm was employed to aggregate these updates into a global model. To ensure privacy, we used differential privacy at the gradient level, introducing noise during transmission. The FL setup used five client nodes and a communication round limit of 50. All baseline methods were tested on the same hardware and software environment to ensure consistency. The experiments were conducted using an NVIDIA A100 GPU with 80 GB of memory, leveraging PyTorch 1.12 for implementation.

4.2. Medical Image Classification Results

The objective of this experiment was to evaluate the performance of different data protection strategies in medical image classification tasks, focusing on four key metrics: precision, recall, accuracy, and FPS. This study aimed to validate whether the proposed data obfuscation method based on probability density and information entropy could balance privacy protection with task performance. Comparisons were drawn with traditional methods, such as FHE, DP, Multi-party Computation (MPC), and FL, to provide optimized solutions for medical image analysis tasks.

As shown in

Table 3. Medical image classification results.

Model	Precision	Recall	Accuracy	FPS
FHE [46]	0.82	0.79	0.80	23
DP [47]	0.84	0.81	0.83	25
MPC [48]	0.86	0.83	0.85	30
FL [49]	0.88	0.86	0.87	45
Proposed Method	0.93	0.89	0.91	57

, the performance of different models varied significantly across the four evaluation metrics. FHE demonstrated strong privacy protection capabilities but suffered from high computational complexity, resulting in lower classification performance (precision: 0.82; recall: 0.79; accuracy: 0.80) and a low processing speed (FPS: 23). While DP improved processing efficiency (FPS: 25) by introducing random noise, the added noise compromised the model’s classification performance (precision: 0.84; recall: 0.81; accuracy: 0.83). MPC leveraged data partitioning and distributed computation to enhance processing efficiency (FPS: 30), achieving moderate performance improvements (precision: 0.86; recall: 0.83; accuracy: 0.85). FL, which avoids direct data sharing, achieved higher classification accuracy (precision: 0.88; recall: 0.86; accuracy: 0.87) through global model aggregation, alongside significantly better processing efficiency (FPS: 45). In contrast, the proposed method achieved the best overall performance (precision: 0.93; recall: 0.89; accuracy: 0.91; FPS: 57), indicating that the data obfuscation strategy based on probability density and information entropy strikes a superior balance between privacy protection and task performance. Theoretically, the superior results of the proposed method stem from its innovative design. FHE relies on complex mathematical transformations, ensuring strong security but incurring significant computational costs, reflected in its low FPS value. DP’s approach of introducing random noise provides privacy protection but mathematically diminishes the validity of the data, leading to decreased classification performance. MPC employs secret-sharing protocols to improve task performance to some extent but is limited by high communication overhead in complex scenarios. FL avoids privacy breaches through distributed data modeling, and its global model aggregation strategy significantly enhances classification performance. However, FL may encounter inconsistencies in model aggregation under highly diverse data distributions. The proposed method models the global distribution characteristics of the data through the probability density extraction module and dynamically adjusts the obfuscation intensity via the information entropy fusion module. This ensures, mathematically, that the obfuscated data maintain global consistency and preserve the core features of the original data. The design avoids FHE’s high computational cost, mitigates DP’s noise-induced interference, and surpasses FL’s communication bottlenecks through a lightweight model architecture. Ultimately, its outstanding mathematical properties enable the proposed method to balance efficiency and accuracy in practical applications, providing new possibilities for medical image classification.

4.3. Financial Prediction Regression Results

This experiment aimed to evaluate the performance of different privacy protection strategies in financial prediction regression tasks, with a focus on analyzing the ability of each model to capture the dynamic characteristics in time-series data and their impact on privacy protection. Unlike medical image classification, time-series data emphasize the sequential and trend relationships between data points, posing higher demands on the balance between predictive accuracy and privacy protection. As shown in

Table 4. Financial prediction regression results.

Model	Precision	Recall	Accuracy	FPS
FHE [46]	0.85	0.82	0.83	25
DP [47]	0.87	0.84	0.86	28
MPC [48]	0.89	0.86	0.88	35
FL [49]	0.92	0.89	0.90	45
Proposed Method	0.95	0.91	0.93	54

, the proposed method outperformed all other methods across all evaluation metrics (precision: 0.95; recall: 0.91; accuracy: 0.93; FPS: 54), demonstrating its strong adaptability and performance advantages in handling time-dependent data.

Theoretically, the characteristics of time-series data require models to effectively capture trends and changes over time. Traditional methods, such as DP and MPC, exhibit weaker capabilities in preserving such information due to noise interference or communication overhead, which reduce their ability to represent temporal patterns. While FL improves local modeling and global aggregation, it struggles to maintain the integrity of global time-series features in non-independent and identically distributed (Non-IID) data scenarios. The proposed method leverages the probability density extraction module to model the global distribution characteristics of time-series data, effectively capturing trend information. Combined with dynamic obfuscation adjustments through the information entropy fusion module, it ensures that the obfuscated data retain the ability to express critical temporal features. Furthermore, the performance loss term in the fusion loss function directly optimizes the prediction error for time-series data, enabling the model to balance the trade-off between privacy protection and temporal pattern preservation. These designs mathematically ensure the integrity of trend capturing in time-series data, providing a highly efficient and secure solution for financial prediction tasks.

4.4. Impact Analysis and Ablation Study on the Information Entropy Fusion Module

The ablation study on the information entropy fusion module aimed to validate its role in privacy protection and model performance, assessing its impact on the data obfuscation intensity under different entropy control strategies, as shown in

Table 5. Ablation study on the information entropy fusion module.

Experiment Group	RASR (%)	Wasserstein Dist.	Accuracy	F1 Score	MSE	Delay (s)
Baseline (Full Model)	12.3	0.54	92.1	0.89	0.042	1.32
No Entropy Fusion	24.7	0.87	85.3	0.81	0.097	1.18
Fixed Obfuscation	19.8	0.74	88.2	0.85	0.063	1.24
Random Obfuscation	27.1	1.02	80.7	0.76	0.132	1.08
Shannon Entropy	14.6	0.60	91.0	0.87	0.049	1.41

. The experiment sets up multiple comparison groups, including removing the information entropy fusion module (No Entropy Fusion), using a fixed obfuscation intensity (Fixed Obfuscation), applying random obfuscation (Random Obfuscation), and employing Shannon entropy as the entropy metric (Shannon Entropy), while comparing these against the full model (Baseline Full Model). This study primarily evaluated six key metrics: reconstruction attack success rate (RASR), Wasserstein distance, classification accuracy, F1 score, mean squared error (MSE), and computation delay. RASR reflects the security of the obfuscated data, the Wasserstein distance measures the distributional similarity between the obfuscated and original data, while accuracy, F1 score, and MSE assess the model’s performance under different obfuscation strategies. The results demonstrate that the full model achieved the best balance across all metrics, indicating that the information entropy fusion module effectively adjusts the data obfuscation intensity, enhancing data security while preserving task utility as much as possible.

From a mathematical perspective, these results primarily stem from the ability of the information entropy fusion module to dynamically adjust the obfuscation intensity based on data uncertainty. The superior performance of the baseline group indicates that global information entropy effectively modulates the level of obfuscation across different regions of the data, achieving an optimal trade-off between privacy protection and data utility. In contrast, removing the information entropy fusion module (No Entropy Fusion) increases the RASR to 24.7%, suggesting that obfuscation effectiveness declines, while the Wasserstein distance increases to 0.87, indicating significant deviation from the original data distribution, which, in turn, degrades classification accuracy. Fixed Obfuscation reduces the RASR but fails to adaptively adjust the obfuscation intensity, leading to insufficient protection of critical data regions and a drop in accuracy to 88.2%. Random Obfuscation performs the worst, exhibiting the highest RASR (27.1%), which suggests that arbitrary perturbations disrupt the data structure, significantly impairing task performance. The Shannon entropy approach yields suboptimal performance—while it improves over No Entropy Fusion, it still lags behind the full model, likely due to the limited generalization ability of a single entropy metric in complex data distributions. Therefore, the experimental results strongly validate the effectiveness of the information entropy fusion module, demonstrating that the dynamically entropy-adjusted obfuscation strategy achieves a superior balance between data security and task utility.

4.5. Ablation Study on the Sensitivity of the Proposed Method to Non-Stationary Distributions in Time-Series Data

This experiment aimed to evaluate the stability of the proposed information entropy fusion-based obfuscation method under non-stationary time-series data conditions (i.e., concept drift), particularly in cases where data distribution undergoes gradual changes, sudden shifts, or periodic variations. The adaptability of the obfuscation strategy and its impact on both privacy protection and task performance were assessed. The experiment utilized financial time-series data and synthetic time-series data, simulating real-world applications through various types of concept drift. A systematic comparison was conducted between the full information entropy fusion model (Baseline), a fixed obfuscation strength (Fixed Obfuscation), no obfuscation (No Obfuscation), and random obfuscation (Random Obfuscation) to analyze the effectiveness of the information entropy fusion module. Different types of concept drift were simulated to examine the adaptability of the obfuscation strategy. Gradual Drift: The data distribution changes progressively over time, such as slow market trends rising or declining. Sudden Drift: A drastic change in data occurs at a specific time point, such as a black swan event in financial markets. Recurring Drift: The data distribution follows a periodic pattern, such as economic cycles or market fluctuations. Mixed Drift: A combination of gradual and sudden drift to simulate complex market dynamics, where long-term trends coexist with short-term disruptions.

The experimental results in

Table 6. Ablation study on the sensitivity of the proposed method to non-stationary distributions in time-series data.

Experiment Group	RASR (%)	Entropy Change Rate	MSE	RMSE	Acc.	Pre.
Baseline (Full Model)	11.8	0.67	0.045	0.212	91.5	0.88
No Obfuscation	35.7	0.02	0.032	0.178	94.3	0.92
Fixed Obfuscation	22.4	0.45	0.078	0.264	86.2	0.81
Random Obfuscation	27.1	0.30	0.093	0.289	79.6	0.74
Gradual-Drift Adaptation	14.2	0.61	0.048	0.219	90.8	0.87
Sudden-Drift Adaptation	15.9	0.58	0.052	0.227	89.6	0.85
Recurring-Drift Adaptation	13.5	0.63	0.046	0.215	91.2	0.88
Mixed-Drift Adaptation	16.7	0.56	0.057	0.231	88.9	0.84

indicate that the full information entropy fusion model (Baseline) maintained a low reconstruction attack success rate of 11.8% and a high entropy change rate of 0.67 across all concept-drift scenarios, demonstrating that the method effectively adjusted the obfuscation intensity dynamically and preserved strong privacy protection, even when the data distribution shifted. Additionally, the baseline model achieved near-optimal performance in regression tasks (MSE = 0.045; RMSE = 0.212) and classification tasks (accuracy = 91.5%; precision = 0.88; recall = 0.86), indicating that it maintained predictive performance while ensuring privacy. In contrast, the fixed obfuscation strategy (Fixed Obfuscation), due to its lack of adaptation to time-series distribution drift, experienced an increase in RASR to 22.4% and a drop in the entropy change rate to 0.45, reducing privacy protection effectiveness, while its classification and regression performance also degraded (MSE = 0.078; accuracy = 86.2%). The random obfuscation strategy (Random Obfuscation) further exhibited instability, with the highest RASR (27.1%) and a significant drop in task performance (accuracy = 79.6%), indicating that random perturbations failed to maintain the statistical consistency of the data, thereby impairing the model’s learning ability. The no-obfuscation strategy (No Obfuscation) achieved the best task performance (accuracy = 94.3%) but exhibited the highest RASR (35.7%), posing a severe privacy leakage risk.

From a mathematical perspective, the superiority of the baseline model stems from the dynamic adjustment mechanism of the information entropy fusion module, where the obfuscation parameter ${\alpha }_t$ is adaptively regulated based on the time-series data entropy $H_t$. This ensures that the level of data obfuscation is adjusted in response to changes in the statistical properties of the data. In the gradual-drift scenario, this mechanism continuously adapts ${\alpha }_t$ to match long-term trend changes. In sudden-drift scenarios, abrupt entropy changes allow for the rapid adjustment of the obfuscation intensity, effectively countering drastic distribution shifts. In recurring-drift scenarios, the entropy metric captures periodic patterns in the data, balancing privacy protection and task performance. In contrast, the fixed obfuscation strategy, which lacks dynamic adaptation, leads to either insufficient or excessive obfuscation under concept-drift conditions. Since it does not consider data-specific characteristics, the random obfuscation strategy results in suboptimal privacy protection and predictive performance. Consequently, the experimental results confirm the effectiveness of the information entropy fusion module in non-stationary time-series environments and demonstrate its ability to dynamically balance privacy protection and task performance.

4.6. Discussion on Throughput

This study comprehensively compares the throughput (FPS) of different data protection strategies across two tasks: medical image classification and financial prediction regression. The experimental results clearly reveal the differences in throughput and their underlying reasons. Throughput directly reflects the operational efficiency of a model and serves as a crucial metric for evaluating the practical applicability of privacy protection techniques. The results show that traditional methods, such as FHE and DP, have significantly lower throughput compared to other methods due to their inherent design characteristics. FHE’s high computational complexity in encryption and decryption processes results in FPS values of only 23 and 25 for medical image classification and financial prediction, respectively, making it unsuitable for real-time tasks. DP achieves a slight improvement in throughput by introducing noise but remains constrained by the computational overhead of noise generation. In contrast, MPC improves computational efficiency through distributed processing, raising throughput to 30 and 35 for the two tasks. However, its communication overhead poses a major limitation in complex scenarios. Federated learning significantly enhances throughput to 45 in both tasks by leveraging local modeling and avoiding direct data transmission. Nevertheless, the proposed method achieves the highest throughput, reaching 57 and 54 for medical image classification and financial prediction, respectively. This improvement is attributed to its lightweight design, including the probability density extraction module and the information entropy fusion module, as well as the optimization of the fusion loss function, which reduces the computational complexity of data obfuscation. This high throughput not only highlights the superiority of the proposed method’s theoretical design but also demonstrates its practical value in scenarios requiring efficient processing of large-scale data.

4.7. Ablation Study on Different Data Obfuscation Methods

This experiment aimed to validate the advantages of the proposed method in medical image classification and financial prediction regression tasks through an ablation study on different data obfuscation strategies. Specifically, the experiment compared obfuscation methods based on gradient information, pure Gaussian noise, and the proposed strategy based on probability density and information entropy, as shown in Figure 5.

The goal was to comprehensively analyze the impact of these methods on privacy protection strength, task performance, and operational efficiency. As shown in

Table 7. Ablation study results.

Model	Precision	Recall	Accuracy	FPS
Gradient-based Obfuscation (Medical)	0.69	0.64	0.67	32
Pure Gaussian Noise (Medical)	0.82	0.76	0.79	48
Proposed Method (Medical)	0.93	0.89	0.91	57
Gradient-based Obfuscation (Financial)	0.71	0.67	0.69	41
Pure Gaussian Noise (Financial)	0.85	0.80	0.83	49
Proposed Method (Financial)	0.95	0.91	0.93	54

, the gradient-based obfuscation method performed poorly in both tasks, achieving precision, recall, and accuracy of 0.69, 0.64, and 0.67, respectively, for medical image classification, with a throughput of 32 FPS. The corresponding metrics for financial prediction were 0.71, 0.67, and 0.69, with a throughput of 41 FPS. In contrast, the pure Gaussian noise method significantly improved throughput (FPS), reaching 48 and 49 for medical image classification and financial prediction, respectively. However, its disruptive effect on data distribution led to a decline in performance, weakening task-specific characteristics. The proposed method achieved the best results in both tasks, with precision, recall, and accuracy of 0.93, 0.89, and 0.91 for medical image classification and 0.95, 0.91, and 0.93 for financial prediction, while also achieving the highest FPS (57 for medical image classification and 54 for financial prediction). This demonstrates its comprehensive advantages in task performance and operational efficiency.

From a theoretical perspective, the differences in experimental results stem from the varying capabilities of these obfuscation strategies to preserve data features while protecting privacy. The gradient-based obfuscation method achieves privacy protection by introducing gradient perturbations, but its reliance on task model gradient updates makes it susceptible to gradient instability and noise accumulation. This significantly weakens its ability to retain the core features of the original data, particularly in image classification and time-series prediction tasks, resulting in lower task performance. The pure Gaussian noise method relies on random sampling from a Gaussian distribution, which provides substantial privacy protection. However, the global nature of the noise disrupts the alignment between the obfuscated and original data distributions, reducing the model’s ability to capture critical features. The proposed method, on the other hand, leverages the probability density extraction module to model the global distribution of the data, while the information entropy fusion module dynamically adjusts the obfuscation intensity. Mathematically, this ensures that the statistical properties of the obfuscated data align closely with those of the original data, while sensitive information is selectively protected. Additionally, the lightweight architecture of the proposed method effectively reduces computational complexity, further improving throughput. This multi-module collaborative optimization design demonstrates strong adaptability and advantages across both task scenarios, providing a robust theoretical and practical framework for privacy preservation and efficient data analysis.

5. Conclusions

As the demand for data privacy protection continues to grow, balancing privacy preservation and task performance has become a significant challenge in data analysis. Traditional methods such as FHE, DP, MPC, and FL have achieved notable success in privacy protection and data utility. However, these approaches face significant limitations, including high computational complexity, noise interference, and communication overhead. To address these issues, this paper proposes a novel data obfuscation method based on probability density and information entropy, with a design that directly addresses the trade-offs observed in traditional techniques. By integrating a probability density extraction module and an information entropy fusion module, the method models the global distribution of data and dynamically adjusts the obfuscation intensity. Additionally, a fusion loss function is designed to optimize the balance between privacy protection and task performance. Experimental results provide strong evidence for the method’s effectiveness. In medical image classification, the proposed method achieved precision, recall, and accuracy of 0.93, 0.89, and 0.91, respectively, with a throughput of 57 FPS, demonstrating its ability to preserve data utility while ensuring privacy. Compared to FHE (precision: 0.82; throughput: 23 FPS) and DP (precision: 0.84; throughput: 25 FPS), the method achieved clear improvements by reducing computational overhead and noise-induced performance degradation. Similarly, in financial prediction tasks, the proposed method exhibited excellent capability in capturing temporal features, achieving precision, recall, and accuracy of 0.95, 0.91, and 0.93, with a throughput of 54 FPS, far surpassing traditional methods. These results highlight not only the superior performance of the proposed modules but also their ability to adapt to different types of data, such as medical images and time-series data, effectively addressing privacy and utility concerns in diverse scenarios.

Furthermore, ablation experiments provided detailed insights into the contributions of individual components, such as the probability density extraction module and the information entropy fusion module, to the overall system performance. Specifically, the experiments confirmed that the dynamic adjustment of the obfuscation intensity significantly enhances privacy protection while maintaining task relevance. Compared with gradient-based obfuscation and pure Gaussian noise methods, the proposed method preserves statistical characteristics more effectively, ensuring that the obfuscated data remain analytically valid for downstream tasks. In conclusion, the integration of probability density modeling and dynamic obfuscation adjustment offers a robust framework for balancing privacy and performance. The superior experimental results, supported by ablation studies and comparative analyses, underscore the effectiveness of this approach in real-world applications. These findings lay a solid foundation for extending the proposed method to other privacy-sensitive domains while further optimizing its efficiency and scalability.