This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing.

This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2022.3182041

Adversarial Steganography Embedding via

Stego Generation and Selection
Minglin Liu, Tingting Song, Weiqi Luo, Senior Member, IEEE, Peijia Zheng, and Jiwu Huang, Fellow, IEEE

Abstract—The recent literature has shown that adversarial embedding has promise for enhancing the security of steganography.
However, existing methods achieve the final stego mainly based on a pre-trained Convolutional Neural Network (CNN)-based
steganalyzer without considering any other steganalytic features. When the steganalyzer is re-trained, its performance usually drops
significantly. We propose a novel adversarial embedding method via stego generation and selection. To improve the diversity of the
stego images, this method firstly randomly generates many candidate stegos according to the amplitudes of the gradients and
embedding costs of a given cover. Since the image residuals are the commonly used low-level features in many steganalyzers, the
proposed method carefully designs different adaptive high-pass filters to calculate the image residuals, and then selects a final stego
from among those candidate stegos which can successfully fool the pre-trained steganalyzer, according to the residual distance
between stego and the cover. Extensive experimental evaluations on re-trained CNN-based and traditional steganalyzers demonstrate
that the proposed method can significantly enhance the security of the modern steganographic methods in both spatial and JPEG
domains, and achieve much better performance than related adversarial embedding methods.

Index Terms—Steganography, Steganalysis, Adversarial Examples, Convolutional Neural Network

1 I NTRODUCTION On the contrary of image steganography, steganalysis

I MAGE steganography aims at imperceptably hiding a
secret message in a digital image. Most of the recent
steganographic methods have been designed within the
distortion minimization framework [2]. With syndrome-
trellis code (STC) [3], the design of the embedding cost
for each embedding unit (i.e., pixel or DCT coefficient) be-
comes the key issue in modern steganography within such
a framework. By now, many effective steganographic meth-
ods have been proposed. In the spatial domain, WOW [4]
and UNIWARD (including S-UNIWARD and J-UNIWARD)
[5] predict the image contents using several directional high-
pass filters to get the directional residuals, and then assign
high costs to the more predictable regions. HILL [6] uses
a high-pass filter to locate the less predictable pixels, and
then uses two low-pass filters to cluster the low cost values.
MiPOD [7] estimates the variances of local pixels with a
multivariate Gaussian model and assigns low costs to pixels
with high variances. CMD-based [8] and SMD-based [9]
methods embed secret messages group by group and design
asymmetric embedding costs to cluster the modifications. In
the JPEG domain, UED [10] uniformly spreads the embed-
ding modifications on quantized DCT coefficients. UERD
[11] is an improved version of UED, with a performance
comparable with that of J-UNIWARD [5].
• M. Liu, T. Song, W. Luo and P. Zheng are with GuangDong Province
Key Lab of Information Security Technology and School of Computer
Science and Engineering, Sun Yat-sen University, Guangdong 510000,
China. E-mail: {liumlin6, songtt3}@mail2.sysu.edu.cn, {luoweiqi, zheng-
peijia}@mail.sysu.edu.cn.
• J. Huang is with College of Information Engineering, Shenzhen Univer-
sity, Shenzhen 518052, China.
E-mail:
tries to identify stego images from cover images. Typically,
steganalytic methods can be divided into two categories:
traditional steganalyzers based on hand-crafted features,
and current steganalyzers based on CNN. Traditional ste-
ganalyzers, such as SRM [12] and GFR [13], firstly calculate
the image residuals with some high-pass filters, and then
obtain some statistical steganalytic features based on the
residuals, finally combining the ensemble classifiers [14]
for the classification. According to the adaptive property of
modern steganography, some content adaptive steganalyz-
ers [15–18] have been proposed to improve the traditional
steganalyzers. Compared with traditional ones, some CNN-
based steganalyzers, such as Xu-Net [19, 20], Deng-Net
[21] and SRNet [22], have recently achieved very good
performance for detecting modern steganography. Nowa-
days, CNN-based steganalyzers have achieved state-of-the-
art results both in spatial and JPEG domains.
Since typical CNN models are vulnerable to adversarial
attacks [30, 31], several adversarial embedding methods [23–
29] have been proposed to fool the modern CNN-based ste-
ganalyzers and thus enhance the security of steganography.
For instance, the method in [23] tries to iteratively construct
enhanced covers based on adversarial examples. It then em-
beds the secret messages in the resulting enhanced covers.
Adversarial embedding (ADV-EMB) [24] divides the cover
image into two parts. It firstly embeds some of the secret
message into the first part using an existing steganography,
and then calculates the gradients of the partially embedded
stego. Finally, it embeds the rest of the secret message into
the other part based on the gradient signs to get a stego.
ADV-EMB iteratively adjusts the proportion of the image

[email protected]. partition from big to small, and repeats the above operations
The work is an extended version of our preliminary paper [1] at ICASSP 2021. until the stego can fool the targeted steganalyzer. The ad-
Corresponding author: Weiqi Luo. versarial enhancing method (AEN) [25] adaptively adjusts

© 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on October 12,2022 at 13:23:03 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2022.3182041

TABLE 1
The main differences between existing steganographic methods based on adversarial examples.

Method Selected Embedding Units Modification Method Residual Based Domain

Method [23] All Pixels None No Spatial
ADV-EMB [24] Random Part Multiplication No Spatial & JPEG
Non-Iteratively AEN [25] Gradient Based Multiplication No Spatial
Method [1] Cost & Gradient Based Addition Yes Spatial
Min-Max [26, 27] Random Part Multiplication No Spatial & JPEG
Iteratively
JS-IAE [28] Gradient Based Addition No JPEG
Method [29] All Samples Addition No Audio

TABLE 2
The main differences between the algorithm design of the proposed method and that in our previous paper [1].

Algorithm Module Method [1] Proposed

Relation of Parameters p1 &p2 p1 = p2 Independent
Stego Generation
Distribution of Parameters p1 &p2 p1 ∼ U (0.25 × payload, payload) p1 ∼ U (0, 1); p2 ∼ U (0, 1)
Cost Updating Rule Addition Multiplication
Based on Targeted Steganalyzer No Yes
Stego Selection
Yes, New high-pass filter sets
Based on Residual Distance Yes
are designed for JPEG Steganography

the original embedding costs according to the amplitudes
and signs of the gradients. Min-Max [26, 27] is an iterative
version of ADV-EMB [24], which mainly uses a min-max
strategy to select good stegos for training steganalyzers
during the iterations. JS-IAE [28] and the method of [29]
employ another way to cluster the cost modifications in
previous iterations. Usually, iterative methods can further
improve the non-iterative ones. However, they are usually
time consuming.
The existing adversarial embedding methods just use
the gradients from a pre-trained CNN-based steganalyzer
(or, in iterative methods, several steganalyzers) to construct
the final stego. Other steganalytic features have not been
fully explored. In [1], we previously proposed an adver-
sarial steganography embedding via stego generation and
selection. The main differences of the existing adversarial
embedding methods from our previous method [1] are
illustrated in Table 1. This method firstly generates many
candidate stegos based on the gradients and embedding
costs to improve the diversity of the stegos. In this way, it is
expected that the steganalyzers have more difficulty catch-
ing the steganographic pattern. Furthermore, the method
selects a final stego from among all the candidate stegos
to minimize the residual distance between the stego and
the cover. In this way, the security can be enhanced, since
many steganalyzers focus on analyzing the steganography
artifacts in the image residual domain. The experimental
results show that this method is very effective in the spatial
domain. However, the performance is far from satisfactory
in the JPEG domain (see Table 9). In this paper, we have
further improved its performance in the spatial domain and
extend its generality in the JPEG domain. As illustrated in
Table 2, the main differences, in terms of the design of the
algorithm, between the proposed method in this paper and
our previous method [1] are as follows:
• In Stego Generation: To further improve the diversity
of the generated stegos, we employ two independent
random variables (i.e., p1 , p2 rather than two equal
variables in method [1]) and expand the range of
parameters into (0, 1) to control the magnitude of the
gradients and original embedding costs for selecting
the embedding units. Unlike the additive way in [1],
we employ multiplication to adjust the correspond-
ing costs of the selected embedding units.
• In Stego Selection: The proposed method for se-
lecting the stegos consists of two parts: selecting
via fooling the targeted steganalyzer and selecting
via minimizing the residual distance. In addition,
new sets of high-pass filters are designed for JPEG
steganography. In this way, both the high-level (i.e.,
fooling a targeted steganalyzer) and the low-level
(i.e., image residuals) steganalytic features can be
considered simultaneously in the proposed method.
In addition to the above improvements in the algorithm
design, we provide more experimental results and analysis
in this paper. For instance, parameter analysis about the
adversarial magnitude α and the number of generated ste-
gos N (see Section 4.1); comparative studies about different
designs in the stego generation and selection modules (see
Section 4.2); comparison of execution times (see 4.8). To
show the effectiveness of the proposed method, a compari-
son is carried out with some adversarial embedding meth-
ods (see Section 4.5) rather than just considering original
steganography in our previous method [1]. Furthermore,
different partition on BOSSBase + BOWS2 (see Section 4.6)
and the bigger ALASKA2 dataset (see Section 4.7) are also
included in order to evaluate the security. Extensive results
show that the proposed method can significantly enhance
the security of modern steganographic methods both in the
spatial and JPEG domains, and perform much better than

© 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on October 12,2022 at 13:23:03 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2022.3182041
those in our previous method [1] and than related methods
based on adversarial examples.
The rest of this paper is organized as follows. Section 2
presents a brief overview of related steganographic meth-
ods based on adversarial examples. Section 3 presents the
proposed method in detail. Section 4 presents comparative
results and discussions. Concluding remarks and prospects
for future research are presented in Section 5.
2 R ELATED R ESEARCH
Recently, several adversarial embedding methods have been
proposed for enhancing the security of existing steganogra-
phy. The existing methods have to train a targeted CNN-
based steganalyzer in advance, and then select embedding
units for subsequent cost modification according to the
gradients from the pre-trained steganalyzer. Multiplication
and addition are two typical methods for adjusting the
embedding costs. Note that if the targeted steganalyzer is
iteratively updated, we call the corresponding adversarial
embedding methods ‘iterative’. Otherwise, they are called
‘non-iterative,’ even if some embedding costs have been
iteratively updated, such as ADV-EMB [24]. Table 1 shows
the main differences regarding some typical adversarial
embedding methods. We will describe them briefly in the
following.
2.1 Non-Iterative Adversarial Embedding Methods
Non-iterative adversarial embedding methods, such as [23–
25], mainly depend on a fixed pre-trained targeted stegana-
lyzer. For instance, the method of [23] iteratively constructs
enhanced covers based on adversarial examples, and then
embeds the secret messages into the enhanced covers until
the corresponding stego can mislead the targeted stegan-
alyzer. The results in [23] show that the resulting stegos
can successfully fool the pre-trained steganalyzer. However,
they are easily detected by some traditional steganalyzers
based on hand-crafted features. ADV-EMB firstly randomly
divides the cover image into two groups. It then embeds
part of the secret message into the first group, and ob-
tains the corresponding gradients based on a pre-trained
steganalyzer. After adjusting the embedding costs in the
second group according to the gradient signs, it finally
embeds the remaining part of the message into the second
group to get the final stego. ADV-EMB iteratively adjusts
the proportion between the two groups, and repeats the
above operations until the final stego is able to fool the pre-
trained steganalyzer. The experimental results in [24] show
that ADV-EMB can effectively improve the steganography
security both in the spatial and JPEG domains even if
the steganalyzers are re-trained or other steganalyzers are
used for evaluating the security. AEN [25] employs another
method to adaptively adjust the embedding costs according
to the signs and amplitudes of the gradients based on the
pre-trained steganalyzer. The experimental results in [25]
show that AEN can improve the security of some modern
steganography in the spatial domain. In [1], we proposed
an adversarial embedding method via stego generation and
selection, and showed that it can significantly improve
steganography security in the spatial domain.
© 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on October 12,2022 at 13:23:03 UTC from IEEE Xplore. Restrictions apply.
2.2 Iterative Adversarial Embedding Methods
Typically, adversarial embedding methods as described in
the previous section 2.1 find it easy to fool a fixed CNN-
based steganalyzer due to the vulnerability of the CNN.
However, when the targeted steganalyzer is re-trained
based on the resulting stegos, the steganography security
usually drops significantly. Iterative adversarial embedding,
such as [26–29], may be an effective way to deal with this
problem. In each iteration, this kind of method firstly com-
putes the gradients according to the steganalytic networks
in the previous iterations, and then generates stegos based
on the gradients and updates the targeted steganalyzer.
The above operations are repeated until the resulting stegos
converge to satisfactory results. Taking Min-Max [26, 27] for
example, in each iteration, it uses the main algorithm of
ADV-EMB to generate adversarial examples, and selects the
least detectable stegos evaluated by the best steganalyzer
among all the steganalyzers in previous iterations to train a
new steganalyzer. JS-IAE [28] and the method of [29] update
the original embedding costs by superimposing cost modi-
fications in all previous iterations. The experimental results
show that these iterative adversarial embedding methods
are improvements of the corresponding non-iterative ones.
However, they are quite time consuming, especially when
the number of iterations is large.
3 T HE P ROPOSED M ETHOD
In this paper, we propose a non-iterative adversarial
embedding method to enhance the security of the steganog-
raphy. As illustrated in Fig. 1, the framework of the pro-
posed steganography includes three steps: steganalytic net-
work pre-training, stego generation, and stego selection.
Like most related methods, the proposed method firstly
trains a targeted CNN-based steganalyzer according to the
steganography to be enhanced. Note that existing non-
iterative methods (or iterative methods in each iteration)
usually generate only one stego to fool a targeted ste-
ganalyzer. To improve the diversity of the stego, the pro-
posed method firstly generates many candidate stegos by
adjusting some embedding costs according to the cover
gradients and embedding costs of a given cover. For those
generated stegos which can fool the targeted steganalyzer,
the corresponding steganography modifications are usually
different even though exactly the same secret message is
being embedded. Thus, their security performances against
re-trained targeted steganalyzer and/or other ones are also
different. To select a better stego from among these can-
didates, the proposed method takes into consideration the
residual distance between the stego and the cover. It is
expected that the smaller the distance, the smaller the sta-
tistical difference between the cover and stego, and thus the
greater the security of the resulting stego. In the following,
we will give these three steps of the proposed method in
detail.
3.1 Pre-Training the Steganalytic Network
In this step, we firstly collect a set CT of cover images and
obtain the corresponding set ST of stego images according
to an existing steganographic method F (e.g., HILL and J-
UNIWARD) to be enhanced for a given embedding payload
 This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2022.3182041

Computing Residual with 𝐻𝑐

Computing Adaptive High Pass

Cover 𝑐 ∈ 𝓒𝑨 Adaptive High Filter Set 𝐻𝑐
Cover Set 𝓒𝑻
Pass Filters
Steganography F
Steganalytic Gradient Map Original Cost ∃ 𝑠𝑖 ,i=0,1, … , 𝑁
Network 𝑁𝑇 𝐺𝑐 Map 𝜌0 fool 𝑁𝑇 ? No
𝑝1 𝑝2
Yes
Original Cost
Map Set 𝝆𝓒𝑻 Available Stegos
Adjusting Costs {𝑧1 , 𝑧2 , … , 𝑧𝑀 }
STC Computing Residuals with 𝐻𝑐
𝜌0 and Modified
Versions {𝜌1 , 𝜌2 , … , 𝜌𝑁 } Residuals for Cover 𝑟𝑐 and
for Stegos {𝑟1 , 𝑟2 , … , 𝑟𝑀 }
STC
Computing Minimum Distance
Stego Set 𝓢𝑻 Candidate Stegos
{𝑠0 , 𝑠1 , 𝑠2 , … , 𝑠𝑁 } j = arg min ‖𝑟𝑖 − 𝑟𝑐 ‖1
𝑖=1,2,…,𝑀
Obtaining Corresponding stego
Selected Stego Selected Stego
Step #1: Pre-Training 𝑠 = 𝑧𝑗 𝑠 = 𝑠0
Steganalytic Network Step #2: Stego Generation Step #3: Stego Selection

Fig. 1. The framework of the proposed method.

as follows: For any given cover c ∈ CT , the cost function
ρ0 is firstly computed via the steganography F , and then
the corresponding stego image s0 can be obtained via em-
bedding the secret messages m into cover image c using the
STC embedding simulator [2] as follows.
s0 = hemb (c, m, ρ0 + , ρ0 − ).
+ −
Note that ρ0 = ρ0 = ρ0 . Then we divide the image sets
CT and ST into two parts: a training set and a validation
set. Note that there is no need for a testing set since we
aim to pre-train a CNN-based steganalyzer in this step. The
targeted steganalyzer NT is trained on the training set, and
the best validation snapshot in the last epochs will be taken
as the result of the training. All the training details follow
the original settings in the original papers. Any given image
x is predicted based on the output value of the steganalyzer
NT , as follows,
 we introduce a pair (p1 , p2 ) of parameters to control the
x is cover, if NT (x) < 0.5,
(2)
x is stego, if NT (x) ≥ 0.5,
where NT (x) ∈ [0, 1] is the classification probability of x
using steganalyzer NT , the label of the cover is set to be 0,
and the label of the stego is set to be 1.
3.2 Stego Generation
For any cover image c ∈ CA , where CA ∩ CT = ∅, we firstly
compute its original cost function ρ0 by F . We then feed the
cover image c into the pre-trained steganalyzer NT obtained
in Step #1 to calculate the gradient map Gc of cover c using
a back propagation algorithm as follows,
Gc = ∇c L(c, t; NT ),
(3)
L(c, t; NT ) = −t log(NT (c)) − (1 − t) log(1 − NT (c)).
where the parameter t is the image label: t = 0 denotes the
cover, while t = 1 denotes the stego. Note that here we set
t = 0 in order to make the resulting images more likely to
be judged as covers by the targeted steganalyzer NT . Here,
L is a binary cross entropy loss function.
To select good embedding units for the subsequent
cost updating, two important maps that significantly affect
the steganography security are considered in the proposed
(1)
method, that is, the gradient map Gc and the original cost
map ρ0 . According to the property of gradients, those em-
bedding units located at larger magnitudes of the gradient
(i.e., |Gc |) have a greater effect on the classification perfor-
mance of the targeted steganalyzer NT . According to the
definition of embedding cost, those embedding units with
smaller embedding costs (i.e., ρ0 ) introduce less detectable
artifacts into the resulting stegos. Based on our experi-
ments, the numbers of selected embedding units affect the
steganography security, and the optimal numbers are differ-
ent for different images. In the proposed method, therefore,
corresponding modification rates based on the two issues:
selecting those embedding units with the larger p1 magni-
tude of gradients (denoted by T op|Gc | (p1 )) and with smaller
p2 embedding costs (denoted by Bottomρ0 (p2 )) simulta-
neously, where (p1 , p2 ) is a bivariate continuous random
variable and 0 ≤ p1 ≤ 1, 0 ≤ p2 ≤ 1. Note that here both
the relation between p1 and p2 and their distributions could
affect the steganography security. Based on our extensive
experiments, we have found that one obtains better security
when p1 and p2 are independent and the following joint
distribution of the two random variables is used in the
proposed method.

1, 0 ≤ p1 ≤ 1, 0 ≤ p2 ≤ 1,
f (p1 , p2 ) = (4)
0, otherwise.
We generate N pairs of (p1 , p2 ) independently. For the k -th
pair (p1 , p2 )k , k = 1, 2, . . . , N , we firstly select the set Mρ of

© 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on October 12,2022 at 13:23:03 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2022.3182041
embedding units according to the two parameters p1 and p2
as follows,
Mρ = {(i, j)|(i, j) ∈ T op|Gc | (p1 ) ∩ Bottomρ0 (p2 )},
and then for any embedding unit (i, j) in Mp , we update the
corresponding costs according to the signs of Gc as follows,
 +
+ ρ0 (i, j) ∗ α, if Gc (i, j) > 0,
ρk (i, j) =
ρ+
0 (i, j), otherwise,
ρ−

ρ− 0 (i, j) ∗ α, if Gc (i, j) < 0,
k (i, j) = ρ−
0 (i, j), otherwise,
where α denotes the adversarial magnitude (α > 1); ρ0 =
(ρ+ − + −
0 , ρ0 ), respectively, ρk = (ρk , ρk ) denote the original
cost map calculated by the steganography F and the k -th
modified version. Note that some embedding costs in ρ0 will
−
become asymmetric (i.e., ρ(i, j)+ k ̸= ρ(i, j)k ), when k > 0.
In addition, we update the embedding costs multiplicatively
rather than additively in our previous method [1].
Based on the original cost map ρ0 and the N modified
cost versions ρk , k = 1, 2, . . . , N , we finally generate N + 1
candidate stegos (i.e., s0 , s1 , s2 , . . . , sN ) by embedding the
2
exact same secret message m into a given cover c with the
[c, cT ] − [ĉ, cˆT ]
. (10)
STC embedding simulator as follows:
sk = hemb (c, m, ρk + , ρk − ), 0 ≤ k ≤ N.
3.3 Stego Selection
In this step, we aim to select the final stego from the
N + 1 candidate stegos generated in the previous step. The
proposed method for selecting this stego has two parts:
selection via fooling the targeted steganalyzer and selection
via minimizing the residual distance. We will introduce
them separately in the next two subsections.
3.3.1 Selecting via Fooling the Targeted Steganalyzer
Besides the original stego s0 , we randomly generate N other
candidate stegos (viz., s1 , . . . , sN ) based on the gradients
calculated by the pre-trained steganalyzer NT and the origi-
nal embedding costs. Therefore, these good candidate stegos
should be able to successfully fool the steganalyzer NT . To
this end, we firstly feed N + 1 stegos into NT , and then
select the best ones as follows,
Z = {z|z ∈ {s0 , s1 , . . . , sN } & NT (z) < 0.5},
where Z denotes the set of stegos selected in this step.
Note that if NT (z) < 0.5, the input stego image z will be
predicted as the cover, meaning that the candidate stego z
fooled the targeted steganalyzer NT in this case. If there is
no available stego (i.e., Z = ∅), the stego selection process is
broken off, and we set the final stego to be the original stego
(i.e., s = s0 ). Otherwise, there are M (M = |Z|, 1 ≤ M ≤
N + 1) available stegos Z = {z1 , z2 , . . . , zM }, and we will
select the final stego by minimizing the residual distance
between the cover and the available stegos in the following
subsection.
© 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on October 12,2022 at 13:23:03 UTC from IEEE Xplore. Restrictions apply.
3.3.2 Selecting via Minimizing the Residual Distance
Since many existing steganalytic methods focus on ana-
lyzing the steganography artifacts in the image residual
domain, it is expected that the smaller the residual distance
(5) between the stego and the cover, the smaller the statistical
difference between them, and thus the greater the security
of the resulting stego. Based on this assumption, we aim
to select the final stego from among Z = {z1 , z2 , . . . , zM }
based on minimizing the residual distance.
To measure the residual distance between the stego
(6) and the cover, we firstly obtain the set Hc of adaptive
high-pass filters for the given cover c, where Hc is con-
structed by a base filter B1×w of size 1 × w (denotes by
B1×w = [b1 , . . . , 0, . . . , bw ]). As in our previous paper [32],
let w be an odd number, and the central element of B1×w
initially set to 0. Using the base filter B1×w , we predict
the cover c and its transposed version cT by a convolution
operation:
ĉ = c ⊗ B1×w ; cˆT = cT ⊗ B1×w . (9)
Here, ⊗ denotes convolution. Then the other elements of
B can be determined by minimizing the mean square error
between [ĉ, cˆT ] and [c, cT ]:
B1×w = arg min
B1×w 2
Finally, we set the central element of B1×w to be -1. To
(7) achieve better security improvements 1 , the sets Hc of high-
pass filter are designed as follows:
(
{B1×7 , B1×7 T , B1×7 ⊗ B1×7 T }, Spatial domain,
Hc =
{B1×3 , B1×3 T }, JP EG domain.
(11)
Employing the resulting set Hc of filters, we calcu-
late the corresponding image residuals of the cover c and
those available stegos z1 , z2 , . . . , zM , denoted by rc and
ri , i = 1, 2, . . . , M respectively. Define the residual distance
di between c and the i-th stego by
di = ∥ri − rc ∥1
(12)
X
= |zi ⊗ hc − c ⊗ hc |.
hc ∈Hc
The final stego s is given by
s = zj , j = arg min di . (13)
i=1,2,...,M
The whole process of the proposed method has been
(8)
described in the above subsections. To make the process
of stego generation and selection clearer, we give another
illustration of the algorithm of stego generation and selec-
tion with numerical pixel values in Fig. 2. Furthermore, ex-
amples of the image before and after embedding messages
with the proposed method are shown in Fig. 3. As shown
in Fig. 3, there are no obvious visual artifacts left in the
resulting stego even when the payload is as high as 0.4
bpp/bpnzac.
1. Actually, we have tested many other fixed high-pass filters for
calculating image residuals, such as filters from SRM and GFR, and
found that the proposed filters work better.
 This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2022.3182041

Selected Embedding Units by 𝑇𝑜𝑝 𝐺𝑐 (𝑝1 ); Selected Embedding Units by 𝑀𝜌 ∩ (𝑆𝑖𝑔𝑛(𝐺𝑐 ) = +1)

Selected Embedding Units by 𝐿𝑜𝑤𝜌0 (𝑝2 ); Selected Embedding Units by 𝑀𝜌 ∩ (𝑆𝑖𝑔𝑛(𝐺𝑐 ) = −1 )

Final Costs/Elements Modification Location Obtaining Cost Modification Locations 𝑀𝜌 with Equation (5) and
Updating Costs with Equation (6)
𝟑 −𝟒 𝟏𝟐 −𝟐 12 6 1 7
𝟑 −𝟒 −𝟏𝟐 −𝟐 𝟕 𝟏𝟓 𝟔 𝟏𝟎 4 22 15 16
Computing Gradients 𝟕 𝟏𝟓 𝟔 𝟏𝟎 𝟏𝟔 −𝟗 −𝟓 −𝟏𝟒 9 5 13 8
12 6 1 7
with Equation (3) 𝟏𝟔 −𝟗 −𝟓 −𝟏𝟒 𝟏𝟑 −𝟖 𝟏𝟏 −𝟏 14 3 10 2
4 11 15 16
𝟏𝟑 −𝟖 𝟏𝟏 −𝟏 𝑇𝑜𝑝 𝐺𝑐 (0.3) 𝜌1+
9 5 13 8
𝐺𝑐
12 6 1 7 14 3 10 2 12 6 2 7
5 3 17 1
4 2 15 16 𝑀𝜌 with (𝑝1 , 𝑝2 )1 4 11 15 16
16 5 11 12
9 5 13 8 9 5 13 8
8 2 10 7
14 3 10 11 14 3 10 2
18 4 2 10
12 6 1 7 𝐿𝑜𝑤𝜌0 (0.4) 𝜌1−

…
Part Cover 𝑐
Steganography 𝑭 4 11 15 16

Cover Image 9 5 13 8 𝟑 −𝟒 𝟏𝟐 −𝟐 12 6 1 7
14 3 10 2 𝟕 𝟏𝟓 𝟔 𝟏𝟎 8 22 15 16
𝜌0+ = 𝜌0− =𝜌0 𝟏𝟔 −𝟗 −𝟓 −𝟏𝟒 18 5 13 8
12 6 1 7
𝟏𝟑 −𝟖 𝟏𝟏 −𝟏 14 3 20 2
4 11 15 16
𝑇𝑜𝑝 𝐺𝑐 (0.8) 𝜌𝑁+
9 5 13 8
Sample from Equation (4): 12 12 2 7
12 6 1 7 14 3 10 2
(𝑝1 , 𝑝2 )1 = (0.3,0.4),
4 11 15 16
..., 4 2 15 16 𝑀𝜌 with (𝑝1 , 𝑝2 )𝑁
(𝑝1 , 𝑝2 )𝑁 = (0.8,0.7) 9 5 13 8 9 10 13 16

14 3 10 11 14 6 10 2

𝐿𝑜𝑤𝜌0 (0.7) 𝜌𝑁−

Computing Selecting Stego via 𝑵𝑻 Generating Stego with Equation (7)

5 3 17 1 HPF Residuals
with Equation (12) 5 3 18 1 5 3 17 1 5 3 17 2 5 3 18 1 5 3 17 1
15 5 11 12
8 2 10 7
16 4 11 12 … 15 5 11 12 16 5 11 12 16 4 11 12 … 15 5 11 12
Selecting 8 2 10 7 8 2 10 7 8 1 10 7 8 2 10 7 8 2 10 7
18 5 2 10 Final Stego
18 4 2 10 18 5 2 10 18 4 2 10 18 4 2 10 18 5 2 10
Part Stego 𝑠 with Equation (13)
𝑧1 𝑧𝑀 𝑠0 𝑠1 𝑠𝑁
Stego Image

Fig. 2. Illustration of stego generation and selection in the proposed method.

4 E XPERIMENTAL R ESULTS AND A NALYSIS

Spatial Domain
In our experiments, 20,000 grayscale images of size 512×512 JPEG Domain

were taken from BOSSBase ver1.01 [33] and BOWS2 [34].

As in [22] and [24], we firstly resize all images to 256 ×
256 using “imresize” in Matlab with default settings. As in
related methods [1, 24, 25, 28], the resulting image dataset C
is then randomly divided into two equal non-overlapping Part cover Part cover

parts, viz., CT and CA . The set CT includes 10,000 images Image Example

(8,000 for training and 2,000 for validating) to train a CNN-

based steganalyzer NT in step #1, having selected Deng-
Net [21] as the targeted steganalyzer. For each cover in CA ,
we can generate a final stego with the proposed method.
Finally, we obtain 10,000 cover–stego pairs for the image
set CT . To evaluate the security of the steganography, we Part stego Part stego

randomly divided these 10,000 pairs into two equal parts:

the first part is used to re-train a steganalyzer, while the Fig. 3. An image cover vs. the resulting stego generated by the proposed
second part is used for evaluating the security. For the sake method at embedding payloads of 0.4 bpp/bpnzac.
of having a fair comparison, we evaluated the security of
the proposed method and the related ones on exactly the
same image dataset and partition. lyzers (GFR and SCA-GFR) and three CNN-based stegan-
alyzers (Xu-Net, Deng-Net and SRNet) are included. The
In the spatial domain, five steganographic methods, training strategies of the CNN-based steganalyzers (viz.,
including WOW, S-UNIWARD, MiPOD, HILL and CMD- Xu-Net, Deng-Net and SRNet) are exactly the same as re-
HILL, and five steganalyzers, including two traditional ste- ported in [19–22], including the number of training epochs,
ganalyzers (SRM and maxSRMd2) with the ensemble clas- the optimizer, the loss function, the learning rate, the weight
sifiers and three CNN-based steganalyzers (Xu-Net, Deng- decay, and the number of training epochs.
Net and SRNet) are included. In the JPEG domain, two
steganographic methods, J-UNIWARD and UERD, and five Note that to achieve more convincing results, we ran-
modern steganalyzers, including two traditional stegana- domly split CT and CA three times and report the average

© 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on October 12,2022 at 13:23:03 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2022.3182041

8 6 8 2
H IL L 0 .4 b p p w it h S R M
8 4 8 0
H IL L 0 .4 b p p w it h D e n g -N e t
J -U N IW A R D 0 .4 b p n z a c w ith G F R O r ig in a l H I L L w ith D e n g -N e t
8 2
J -U N IW A R D 0 .4 b p n z a c w ith D e n g -N e t 7 8

)
)
8 0

D e te c tio n A c c u r a c y (%
D e te c tio n A c c u r a c y (%

7 6
7 8
7 4 H I L L w ith S R M
7 6
H I L L w ith D e n g -N e t
7 4 7 2 O r ig in a l H I L L w ith S R M

7 2 7 0

7 0 6 8

6 8
6 6
6 6
1 2 3 4 5 6 7 8 9 1 0 1 2 3 5 1 0 2 0 3 0 5 0 1 0 0 2 0 0 3 0 0 4 0 0 5 0 0

A d v e r s a r ia l M a g n itu d e N u m b e r o f G e n e r a te d S te g o s
(a) Average detection accuracy for HILL
Fig. 4. Average detection accuracies with increasing α from 1 to 10.
O r ig in a l J -U N I W A R D w ith D e n g -N e t
8 5
results in all the following experiments. J -U N I W A R D w ith G F R
J -U N I W A R D w ith D e n g -N e t

)
8 0

D e te c tio n A c c u r a c y (%
O r ig in a l J -U N I W A R D w ith G F R
4.1 Parameter Selection
There are two important parameters in the proposed
7 5
method: the adversarial magnitude α (where α > 1) for
adjusting the original costs, and the number of generated
stegos N . To obtain the optimal pair (α, N ) of parameters, 7 0

the brute-force search method is impossible since the opti-

mization problem is nonconvex and the number of combi- 6 5
nations of the parameters is infinite. For the sake of simplifi-
cation, we reduce the parameter space to α ∈ {2, 3, . . . , 10} 1 2 3 5 1 0 2 0 3 0 5 0 1 0 0 2 0 0 3 0 0 4 0 0 5 0 0
and N ∈ {1, 2, 3, 5, 10, 20, 30, 50, 100, 200, 300, 400, 500}. In N u m b e r o f G e n e r a te d S te g o s
our experiments, we use a greedy algorithm to select the
(b) Average detection accuracy for J-UNIWARD
best parameters. Firstly, we fix N = 100 and search for
the optimal parameter α for HILL at 0.4 bpp evaluated Fig. 5. Average detection accuracies with increasing N from 1 to 500.
with SRM and Deng-Net, and for J-UNIWARD with quality
factor 75 at 0.4 bpnzac evaluated on GFR and Deng-Net.
Then, we fix the resulting α, and evaluate the security significantly for different N . When N = 100, the
performance as N varies. proposed method can achieve better results both for
Deng-Net and SRM.
4.1.1 Adversarial Magnitude α • Compared with the original J-UNIWARD, the se-
In this section, we will analyze the effect of α on the curity performances are also significantly enhanced
security of the steganography. Note that here the baseline for all N . However, the security performances tend
is α = 1, which means that none of the original costs of to decrease with increasing the parameter N . When
the steganography F will change after using the proposed N = 1, the proposed method can achieve the best
method according to Equation 6. The average detection results both for Deng-Net and SRM.
accuracies are shown in Fig. 4, where we can see that,
For simplicity, we fix the adversarial magnitude α = 2,
compared with the baseline, all security performances are
and we fix N = 100 for all steganographic methods in the
enhanced when α > 1. When α = 2, the proposed method
spatial domain and N = 1 for JPEG steganography in all
can achieve better results for both HILL and J-UNIWARD.
the following experiments, although such parameters were
Thus, we fix α = 2 in the following experiments.
determined by special steganographic methods (with a fixed
payload), steganalyzers, and image dataset.
4.1.2 Number of Generated Stegos N
In this section, we will analyze the impact of the number
of generated stegos on the steganography security. The 4.2 Different Designs in Stego Generation & Selection
average detection accuracies are shown in Fig. 5, which
Compared with our previous method [1], we have made
allows us to make the following observations:
several improvements both in the generation and the se-
• Compared with the original HILL, the security per- lection of the stegos in the proposed framework, as illus-
formances are significantly enhanced for all N . The trated in Table 2. To determine the real sources of these
improvements are around 4% for SRM and 5% for improvements, we conducted the following comparative
Deng-Net. The security performances do not change experiments.

© 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on October 12,2022 at 13:23:03 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2022.3182041

TABLE 3
Average detection accuracy (%) evaluated on the targeted steganalyzer (Deng-Net) in the spatial domain. Those values with an asterisk (*) are the
best results in the corresponding cases. The last column gives the average improvements over four payloads for a given steganography. The last
row gives the average improvements for a given payload.

0.1 bpp 0.2 bpp 0.3 bpp 0.4 bpp

Steganography Average
Original Proposed Original Proposed Original Proposed Original Proposed
WOW 66.96 53.44* 77.14 58.79* 83.36 63.30* 87.68 67.07* ↓ 18.14
S-UNIWARD 61.93 50.74* 72.90 56.80* 80.69 61.06* 85.49 65.08* ↓ 16.83
MiPOD 58.06 45.44* 68.12 48.47* 74.85 52.35* 80.42 57.31* ↓ 19.47
HILL 61.48 46.40* 69.96 49.84* 76.35 53.35* 80.95 55.55* ↓ 20.90
CMD-HILL 58.08 51.64* 66.34 49.63* 72.19 51.63* 76.32 54.39* ↓ 16.41
Average - ↓ 11.77 - ↓ 18.19 - ↓ 21.15 - ↓ 22.29

TABLE 4
Average detection accuracy (%) evaluated on the targeted steganalyzer (Deng-Net) in the JPEG domain. Those values with an asterisk (*) are the
best results in the corresponding cases. The last column gives the average improvements over four payloads for a given steganography. The last
row denotes the average improvements over a given payload.

0.1 bpnzac 0.2 bpnzac 0.3 bpnzac 0.4 bpnzac

Steganography Average
Original Proposed Original Proposed Original Proposed Original Proposed
J-UNIWARD (QF=75) 58.20 45.33* 69.92 49.48* 78.73 54.95* 85.32 58.88* ↓ 20.88
J-UNIWARD (QF=95) 50.29 48.10* 52.38 42.98* 62.25 45.01* 70.37 48.78* ↓ 12.61
UERD (QF=75) 66.65 49.04* 80.64 54.17* 87.75 59.81* 92.00 64.28* ↓ 24.94
UERD (QF=95) 50.57 45.08* 67.46 47.13* 77.22 50.77* 84.38 54.07* ↓ 20.82
Average - ↓ 9.54 - ↓ 19.16 - ↓ 24.03 - ↓ 26.52

TABLE 5 selection is very promising for enhancing steganog-

Average detection accuracy (%) with different stego generation and raphy security.
selection algorithms. Those values with an asterisk (*) are the best
results in the corresponding cases, while the underlined values are the • Among the four combinations, the proposed method
worst results in the corresponding cases. always works the best in all cases, especially in the
JPEG domain. Compared with our previous method
HILL J-UNIWARD [1], in the spatial domain the proposed method can
Method achieve security improvements of 1.41% over SRM
SRM Deng-Net GFR Deng-Net
and and 0.61% over Deng-Net. In the JPEG domain,
Original Steganography 70.10 80.95 76.94 85.32 these become 10.97% and 13.16%. These results
Method [1] 68.15 76.77 75.95 83.45 indicate that the different algorithm designs used
Generation [1] & in the stego generation and selection modules will
67.88 82.93 75.69 82.68
Selection {Proposed} significantly affect the security performance, and the
Generation {Proposed} algorithm designs in this paper outperform our pre-
69.43 80.42 74.79 84.27
& Selection [1] vious ones. More comparisons between the proposed
Proposed 66.74* 76.16* 64.98* 70.29* method and our previous method [1] are shown in
subsequent sections.

Since there are two important modules (viz., stego gen-

eration and stego selection) in the proposed framework,
there are in all four combinations of the two different
modules if partly using the proposed method and partly our
previous one [1], namely, “Generation [1] & Selection [1]”
(i.e., Method [1]); “Generation [1] & Selection {Proposed}”;
“Generation {Proposed} & Selection [1]”; and “Generation
{Proposed} & Selection {Proposed}” (i.e., Proposed).
The experimental results evaluated on HILL 0.4 bpp in
the spatial domain and J-UNIWARD 0.4 bpnzac with quality
factor 75 in the JPEG domain are shown in Table 5, which
leads us to make two following observations:
• All the four combinations outperform the original
steganographic methods, both in the spatial and
the JPEG domains, which means that the proposed
steganographic framework via stego generation and
4.3 Security Evaluation on Pre-Trained Targeted Ste-
ganalyzer
The proposed method is designed to fool the pre-trained
targeted steganalyzer NT (namely, Deng-Net in our exper-
iments) in step #1. In this section, we show the security
performances evaluated on NT . The average detection ac-
curacies are shown in Table 3 for spatial steganography and
Table 4 for JPEG steganography. These two tables lead us to
make the two observations which follow.
• The proposed method can successfully fool the pre-
trained target steganalyzer NT for all the stegano-
graphic methods at all payloads. For instance, the
security improvements for HILL at 0.4 bpp and J-
UNIWARD with quality factor 75 at 0.4 bpnzac are
over 25%.

© 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on October 12,2022 at 13:23:03 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2022.3182041

TABLE 6
Average detection accuracy (%) evaluated on four re-trained steganalyzers in spatial domain. Those values with an asterisk (*) are the best results
in the corresponding cases. The last column gives the average improvements over four different steganalyzers for a given steganography and
payload.

Payload SRM maxSRMd2 Deng-Net SRNet Average

Steganography
(bpp) Proposed
Original Proposed Original Proposed Original Proposed Original Proposed
0.1 56.53 55.19* 65.27 61.37* 66.96 61.85* 66.98 62.07* ↓ 3.82
0.2 63.82 61.17* 72.46 67.71* 77.14 72.34* 76.43 70.79* ↓ 4.46
WOW
0.3 70.40 67.20* 77.91 72.88* 83.36 79.04* 82.89 77.29* ↓ 4.54
0.4 76.26 71.79* 81.97 77.64* 87.68 83.90* 86.85 81.95* ↓ 4.37
0.1 55.86 54.80* 59.61 56.68* 61.93 58.79* 61.75 58.75* ↓ 2.53
0.2 63.16 61.55* 66.88 62.74* 72.90 68.20* 71.25 67.12* ↓ 3.65
S-UNIWARD
0.3 70.01 67.23* 72.44 67.78* 80.69 76.46* 78.68 74.40* ↓ 3.99
0.4 75.97 72.44* 77.48 71.94* 85.49 82.46* 83.56 79.99* ↓ 3.92
0.1 54.56 53.58* 56.24 54.53* 58.06 54.49* 58.57 55.03* ↓ 2.45
0.2 60.00 57.79* 63.08 59.27* 68.12 61.67* 67.37 61.00* ↓ 4.71
MiPOD
0.3 65.34 62.39* 68.18 64.18* 74.85 68.21* 73.86 67.60* ↓ 4.96
0.4 70.35 66.93* 73.16 68.99* 80.42 73.82* 78.48 71.55* ↓ 5.28
0.1 53.60 52.53* 58.62 55.78* 61.48 55.88* 61.48 56.50* ↓ 3.62
0.2 59.45 56.77* 65.02 60.58* 69.96 64.03* 69.48 63.47* ↓ 4.77
HILL
0.3 64.51 62.20* 69.84 65.48* 76.35 70.82* 75.51 69.29* ↓ 4.61
0.4 70.10 66.74* 74.57 69.45* 80.95 76.16* 80.03 73.87* ↓ 4.86
0.1 52.36 52.12* 56.71 55.20* 58.08 54.05* 59.06 56.19* ↓ 2.16
0.2 56.03 54.76* 61.27 58.52* 66.34 60.65* 65.75 60.37* ↓ 3.77
CMD-HILL
0.3 60.04 58.39* 65.26 61.80* 72.19 66.15* 71.04 65.11* ↓ 4.27
0.4 64.40 62.49* 68.89 65.38* 76.32 71.75* 75.19 68.99* ↓ 4.05

TABLE 7
Average detection accuracy (%) evaluated on four re-trained steganalyzers in JPEG domain. Those values with an asterisk (*) are the best results
in the corresponding cases. The last column denotes the average improvements over four different steganalyzers for a given steganography and
payload.

Steganography Payload GFR SCA-GFR Deng-Net SRNet Average

(Quality Factor) (bpnzac) Proposed
Original Proposed Original Proposed Original Proposed Original Proposed
0.1 54.55 52.34* 55.59 52.86* 58.20 51.07* 59.58 55.52* ↓ 4.03
J-UNIWARD 0.2 60.99 55.68* 63.08 56.33* 69.92 55.22* 69.93 62.28* ↓ 8.60
(QF=75) 0.3 69.14 60.14* 71.07 60.56* 78.73 62.44* 78.37 69.27* ↓ 11.23
0.4 76.94 64.98* 78.49 64.49* 85.32 70.29* 85.72 74.03* ↓ 13.17
0.1 50.79 50.71* 51.34 51.32* 50.29 49.97* 52.76 51.58* ↓ 0.40
J-UNIWARD 0.2 53.40 52.53* 53.59 52.75* 52.38 50.01* 57.35 53.87* ↓ 1.89
(QF=95) 0.3 57.11 54.03* 58.30 54.59* 62.25 51.59* 63.11 55.81* ↓ 6.19
0.4 62.16 56.05* 63.37 57.02* 70.37 55.19* 68.59 60.01* ↓ 9.06
0.1 54.92 52.81* 58.82 54.16* 66.65 55.73* 69.56 59.77* ↓ 6.87
UERD 0.2 62.28 57.27* 67.66 59.41* 80.64 68.27* 81.98 69.86* ↓ 9.44
(QF=75) 0.3 70.26 62.76* 74.69 64.47* 87.75 77.56* 88.88 77.76* ↓ 9.76
0.4 77.01 67.96* 81.04 70.05* 92.00 84.71* 91.26 83.75* ↓ 8.71
0.1 52.08 51.01* 54.21 51.91* 50.57 50.06* 59.10 53.45* ↓ 2.38
UERD 0.2 55.76 52.56* 58.87 53.97* 67.46 55.58* 69.20 58.74* ↓ 7.61
(QF=95) 0.3 60.01 55.16* 64.85 57.25* 77.22 64.37* 77.90 65.15* ↓ 9.51
0.4 65.77 58.41* 70.20 61.11* 84.38 71.11* 84.07 70.10* ↓ 10.92

• For a given steganographic method, the average
improvements usually increase with increasing pay-
load. As shown in the “Average” rows in Table 3
and Table 4, the average improvements in the spatial
domain for 0.1 − 0.4 bpp are around 12%, 18%, 21%
and 22%, respectively. The average improvements in
the JPEG domain for 0.1 − 0.4 bpnzac are around
10%, 19%, 24% and 26% respectively.
4.4 Security Evaluation on Re-Trained Steganalyzers
In real applications, the detector usually retrains the tar-
geted steganalytic network (viz., Deng-Net) and/or em-
ploys other steganalyzers for security evaluation. The av-
erage detection accuracies evaluated on some re-trained ste-
ganalyzers are shown in Table 6 for spatial steganography
and Table 7 for JPEG steganography. These two tables lead
us to make the three following observations:
• The proposed method can enhance the security of
the original steganography in all cases, both in the
spatial domain and the JPEG domain. Taking Mi-
POD at 0.4 bpp and J-UNIWARD (QF = 75) at
0.4 bpnzac, for example, the proposed method can
achieve improvements of over 5% and 13%, which

© 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on October 12,2022 at 13:23:03 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2022.3182041

10

TABLE 8
Average detection accuracy (%) of the proposed method, ADV-EMB [24], AEN [25] and Method [1] in spatial domain. The last column gives the
average improvements for a given enhancement method. Those values with an asterisk (*) are the best results, while underlined values are the
worst results in the corresponding cases.

SRM Xu-Net Deng-Net SRNet

Steganography Methods Average
0.2 bpp 0.4 bpp 0.2 bpp 0.4 bpp 0.2 bpp 0.4 bpp 0.2 bpp 0.4 bpp
Original 63.16 75.97 59.64 71.76 72.90 85.49 71.25 83.56 -
ADV-EMB{Xu-Net} 63.44 75.72 60.28 68.89 72.53 85.63 70.33 82.74 ↓ 0.52
ADV-EMB{Deng-Net} 62.97 75.10 57.95 70.59 69.91 84.19 68.81 81.73 ↓ 1.56
S-UNIWARD AEN{Xu-Net} 62.95 75.29 58.50 69.71 72.53 85.71 72.18 84.15 ↓ 0.34
AEN{Deng-Net} 62.84 75.19 59.20 70.91 72.07 84.98 70.26 82.58 ↓ 0.71
Method [1] 61.85 74.02 58.47 70.34 69.47 83.97 68.21 82.20 ↓ 1.90
Proposed 61.55* 72.44* 57.31* 67.29* 68.20* 82.46* 67.12* 79.99* ↓ 3.42*
Original 59.45 70.10 59.59 70.66 69.96 80.95 69.48 80.03 -
ADV-EMB{Xu-Net} 59.22 70.13 59.57 68.21 70.12 81.46 69.79 79.02 ↓ 0.34
ADV-EMB{Deng-Net} 57.63 67.44 56.73* 66.50 66.64 77.98 66.13 76.49 ↓ 3.09
HILL AEN{Xu-Net} 59.11 69.92 58.78 69.82 70.25 80.79 70.32 79.72 ↓ 0.19
AEN{Deng-Net} 58.96 69.93 60.14 70.14 70.06 80.80 68.99 79.16 ↓ 0.26
Method [1] 56.93 68.15 58.29 68.11 64.04 76.77 64.53 76.24 ↓ 3.40
Proposed 56.77* 66.74* 56.83 65.90* 64.03* 76.16* 63.47* 73.87* ↓ 4.56*

TABLE 9
Average detection accuracy (%) of the proposed method, ADV-EMB [24] and Method [1] in JPEG domain. The last column gives the average
improvements for a given enhancement method. Those values with an asterisk (*) are the best results, while underlined values are the worst
results in the corresponding cases.

GFR Xu-Net Deng-Net SRNet

Steganography Methods Average
QF = 75 QF=95 QF = 75 QF=95 QF = 75 QF=95 QF = 75 QF=95
Original 76.94 62.16 73.60 62.46 85.32 70.37 85.72 68.59 -
ADV-EMB{Xu-Net} 74.45 59.80 62.77 56.11 83.29 66.32 83.67 66.95 ↓ 3.97
ADV-EMB{Deng-Net} 68.61 58.24 65.47 56.05 78.21 59.19 78.64 63.57 ↓ 7.15
J-UNIWARD
Method [1] 75.95 62.39 71.93 62.19 83.45 69.65 85.47 69.15 ↓ 0.62
Proposed 64.98* 56.05* 61.10* 51.95* 70.29* 55.19* 74.03* 60.01* ↓ 11.45*
Original 77.01 65.77 83.68 77.39 92.00 84.38 91.26 84.07 -
ADV-EMB{Xu-Net} 75.39 62.54 76.78 69.17 91.84 82.87 90.98 80.37 ↓ 3.20
UERD ADV-EMB{Deng-Net} 69.53 60.25 78.98 69.95 88.88 78.97 87.12 76.08 ↓ 5.72
Method [1] 77.18 65.64 83.63 76.67 92.35 84.58 90.72 80.95 ↓ 0.48
Proposed 67.96* 58.41* 75.74* 63.95* 84.71* 71.11* 83.75* 70.10* ↓ 9.98*

are significant for modern steganography. Note that
the proposed method is also effective for steganog-
raphy with asymmetric embedding. Taking CMD-
HILL at 0.4bpp, for instance, the proposed method
achieves over 4% improvement.
• The proposed method was originally designed to
fool a specific CNN-based steganalyzer (namely,
Deng-Net in our experiments). The results in Table
6 and Table 7 show that it is also effective at fooling
other CNN-based steganalyzers, such as Xu-Net and
SRNet and traditional steganalyzers based on hand-
crafted features, such as SRM and maxSRMd2 in the
spatial domain, and GFR and SCA-GFR in the JPEG
domain. This is mainly due to the adversarial sample
transferability [35–37], which is the property that the
adversarial samples produced to mislead a special
model are able to mislead other models, so long as
those models were trained to perform the same task.
• Compared with the corresponding results in Table 3
and Table 4, the average improvements against the
re-trained Deng-Net (i.e., the third column in Table
6 and Table 7) become relatively smaller. However,
the proposed method also achieves improvements of
4.93% in the spatial domain and 10.06% in the JPEG
domain.
4.5 Comparison with Related Methods
As shown in Table 1, there are several non-iterative meth-
ods based on adversarial embedding. In this section, we
will compare the proposed method with our preliminary
method, that of [1], and two recent methods: ADV-EMB [24]
and AEN [25] in the spatial domain and ADV-EMB in the
JPEG domain. Note that the targeted steganalyzer of ADV-
EMB and AEN is Xu-Net, while the targeted steganalyzer of
the proposed method is Deng-Net. For the sake of a fair
comparison, both Xu-Net and Deng-Net are used as the
targeted steganalyzer in ADV-EMB and AEN, denoted by
ADV-EMB{Xu-Net}, ADV-EMB{Deng-Net}, AEN{Xu-Net}
and AEN{Deng-Net} respectively.
4.5.1 Comparisons in the Spatial Domain
Since the optimal parameters for S-UNIWARD and HILL
are given in AEN, the two steganographic methods are

© 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on October 12,2022 at 13:23:03 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2022.3182041

11

TABLE 10
Average detection accuracy (%) of the proposed method, ADV-EMB [24] and Method [1] with different dataset division on BOSSBase and BOWS2
in spatial domain. The last column gives the average improvements for a given enhancement method. Those values with an asterisk (*) are the
best results, while underlined values are the worst results in the corresponding cases.

SRM Deng-Net SRNet

Steganography Methods Average
0.2 bpp 0.4 bpp 0.2 bpp 0.4 bpp 0.2 bpp 0.4 bpp
Original 65.96 77.68 79.23 89.15 79.15 89.46 -
ADV-EMB{Deng-Net} 65.43 78.10 73.55 84.55 74.75 86.70 ↓ 2.93
S-UNIWARD
Method [1] 66.47 77.48 72.41 84.99 74.57 86.50 ↓ 3.04
Proposed 63.13* 74.29* 71.87* 82.40* 73.55* 84.54* ↓ 5.14*
Original 61.21 71.80 76.75 84.70 75.71 85.29 -
ADV-EMB{Deng-Net} 59.83 69.88 73.03 82.65 73.60 84.75 ↓ 1.95
HILL
Method [1] 61.04 72.57 72.70 80.70 71.73 83.05 ↓ 2.28
Proposed 59.05* 68.28* 69.46* 77.85* 68.45* 79.21* ↓ 5.53*

TABLE 11
Average detection accuracy (%) of the proposed method, ADV-EMB [24] and Method [1] with different dataset division on BOSSBase and BOWS2
in the JPEG domain. The last column gives the average improvements for a given enhancement method. Those values with an asterisk (*) are the
best results, while underlined values are the worst results in the corresponding cases.

GFR Deng-Net SRNet

Steganography Methods Average
QF = 75 QF=95 QF = 75 QF=95 QF = 75 QF=95
Original 79.41 64.95 91.85 79.75 93.10 81.80 -
ADV-EMB{Deng-Net} 70.13 56.38 85.85 72.24 85.65 71.85 ↓ 8.13
J-UNIWARD
Method [1] 78.56 62.73 89.98 78.51 90.99 79.88 ↓ 1.70
Proposed 67.17* 55.96* 81.15* 69.08* 82.12* 67.48* ↓ 11.32*
Original 79.44 67.61 96.25 90.69 96.65 91.60 -
ADV-EMB{Deng-Net} 71.74 61.39 93.10 87.30 94.11 87.50 ↓ 4.52
UERD
Method [1] 78.01 66.73 94.24 88.10 94.30 89.45 ↓ 1.90
Proposed 70.90* 59.34* 89.45* 80.69* 90.37* 81.67* ↓ 8.30*

considered in this section. The average detection accuracies
are shown in Table 8, which leads us to make the two
following observations:
• The proposed method can achieve the best perfor-
mance in almost every case. The average improve-
ment of the proposed method for S-UNIWARD is
3.42% and for HILL it is 4.56%, while the current
best related method is our previous method [1],
which achieves improvements of 1.90% and 3.40%.
Although AEN also enhances the security of the
steganography, the improvements are slight (less
than 0.75% in all cases).
• The targeted steganalyzer is one of the important fac-
tors that can affect the security performance. Based
on our experiments, Deng-Net is better than Xu-Net
both for ADV-EMB and AEN. Taking S-UNIWARD,
for example, ADV-EMB{Xu-Net} achieves an av-
erage improvement of 0.52%, and AEN{Xu-Net}
0.34%, and these increase to 1.56% and 0.71% when
their targeted steganalyzers are changed to Deng-
Net.
4.5.2 Comparisons in the JPEG domain
The comparisons are shown in Table 9. An examination of
Table 9 leads to two observations similar to those made in
the previous subsection.
• The proposed method always achieves the best per-
formance in every case. On average, the proposed
method achieves an improvement of over 9.9%,
while the current best method is ADV-EMB, which
achieves less than 7.2%. Note that our previous
method [1] just improves the original steganography
slightly (less than 0.65% on average). In some cases,
it even works more poorly than the original ones.
• Compared with Xu-Net, Deng-Net is a better tar-
geted steganalytic network for ADV-EMB. Tak-
ing J-UNIWARD, for example, ADV-EMB{Xu-Net}
achieves an average improvement 3.97%, which be-
comes 7.15% for ADV-EMB{Deng-Net}.
4.6 Security Evaluation on Different Dataset Division
on BOSSBase and BOWS2
Since different ways of dataset division probably affect the
security performance, in this section, we also give some
comparative results on another division of the dataset on
BOSSBase and BOWS2. As in [21, 22], the training set
consists of 14, 000 images (10,000 images from BOWS2
and 4,000 images chosen at random from BOSSBase), the
validation set consists of 1, 000 images chosen at random
from BOSSBase and the test set consists of the remaining
5,000 images of BOSSBase. For simplicity, ADV-EMB{Deng-
Net} and our previous method [1] are considered since
they can obtain better improvements of the security than
the related methods (see Table 8 and Table 9 for details).
The comparative results are shown in Table 10 and Table
11. From these two tables, we observe that the proposed

© 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on October 12,2022 at 13:23:03 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2022.3182041

12

TABLE 12
Average detection accuracy (%) of the proposed method, ADV-EMB [24] and Method [1] on ALASKA2 dataset in spatial domain. The last column
gives the average improvements for a given enhancement method. Those values with an asterisk (*) are the best results, while the underlined
values are the worst results in the corresponding cases.

SRM Deng-Net SRNet

Steganography Methods Average
0.2 bpp 0.4 bpp 0.2 bpp 0.4 bpp 0.2 bpp 0.4 bpp
Original 57.98 65.27 57.39 65.65 55.14 63.48 -
ADV-EMB{Deng-Net} 57.34 64.11 56.37* 63.88 54.86 62.13 ↓ 1.04
S-UNIWARD
Method [1] 57.96 65.04 57.56 65.33 55.27 62.90 ↓ 0.14
Proposed 57.13* 63.99* 56.52 62.20* 54.45* 60.77* ↓ 1.64*
Original 56.55 63.42 60.28 70.63 60.36 68.21 -
ADV-EMB{Deng-Net} 56.59 62.85 59.32 67.56 57.34 64.39 ↓ 1.90
HILL
Method [1] 56.51 63.23 61.15 71.39 59.24 67.18 ↓ 0.13
Proposed 56.32* 62.28* 58.39* 66.95* 57.02* 63.45* ↓ 2.51*

TABLE 13
Average detection accuracy (%) of the proposed method, ADV-EMB [24] and Method [1] on ALASKA2 dataset in JPEG domain. The last column
gives the average improvements for a given enhancement method. Those values with an asterisk (*) are the best results, while underlined values
are the worst results in the corresponding cases.

GFR Deng-Net SRNet

Steganography Methods Average
QF = 75 QF=95 QF = 75 QF=95 QF = 75 QF=95
Original 78.15 60.15 83.28 60.93 84.81 63.81 -
ADV-EMB{Deng-Net} 70.32 55.76 74.22 56.90 75.90 57.61 ↓ 6.74
J-UNIWARD
Method [1] 77.27 60.55 81.10 59.84 82.61 62.93 ↓ 1.14
Proposed 67.52* 54.50* 69.78* 55.85* 69.12* 54.82* ↓ 9.92*
Original 76.18 60.68 85.79 69.37 87.34 69.74 -
ADV-EMB{Deng-Net} 69.09 55.71 82.69 62.09 80.64 62.10 ↓ 6.13
UERD
Method [1] 74.62 59.73 84.03 68.16 84.88 68.07 ↓ 1.60
Proposed 68.57* 54.90* 77.97* 57.51* 76.12* 59.26* ↓ 9.13*

method always achieves the best security performance com- TABLE 14

pared with the related methods, in all cases. On average, the
security performances are similar to those reported in Table
8 and Table 9.
4.7 Security Evaluation on ALASKA2 Dateset
Different image datasets will also yield different security
performances. In this section, we present some comparative
results evaluated on the ALASKA2 [38] dataset. In our
experiments, we randomly selected 40, 000 images from the
ALASKA2 dataset (20, 000 for training, 5, 000 for valida-
tion, and the remaining 15, 000 for testing). Also, ADV-
EMB{Deng-Net} and our previous method [1] are consid-
ered for comparison. The detection accuracies are shown
in Table 12 and Table 13. These two tables lead to the two
following observations:
• Except for one case in the spatial domain, the pro-
posed method always achieves the best security per-
formance compared with related methods.
• The security improvements are significant, especially
for JPEG steganography. Compared with original
steganography, the proposed method achieves an
average improvement of over 1.64% in the spatial
domain, and over 9.13% in the JPEG domain. Com-
pared with ADV-EMB{Deng-Net}, we obtain in the
spatial domain, an average improvement by around
0.6%, and in the JPEG domain, this is around 3%.
Average execution times for different adversarial embedding methods.
Method
Average Execution Times (s)
Spatial JPEG
AEN 0.19 -
ADV-EMB 1.21 0.57
Method [1] 2.56 2.78
Proposed 2.72 0.53
4.8 Comparison of Execution Times
In this section, we will present the average execution times
for the proposed method and related methods. For the sake
of having a fair comparison, all the experimental results
were evaluated on the same server: Inter(R) Core(TM) i7-
6900K CPU @ 3.20 GHz and NVIDIA TITAN Xp GPU with
12G memory. The average results evaluated on generating
40,000 stegos (HILL & S-UNIWARD at 0.2 bpp and 0.4 bpp
in the spatial domain; J-UNIWARD & UERD at 0.4 bpnzac
with quality factor 75 and 95 in the JPEG domain) are shown
in Table 14, where we can see that the proposed method has
the longest execution time (2.72 s) in the spatial domain,
which is around twice that of ADV-EMB{Deng-Net}. The
main reason for this is that the proposed method needs to
generate many candidate stegos (N = 100). In the JPEG
domain, however, the proposed method is the fastest since
the number of generated stegos is reduced to 1. Note that
AEN needs only 0.19 s in the spatial domain. However, its
security performance is poorer than ADV-EMB{Deng-Net}

© 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on October 12,2022 at 13:23:03 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2022.3182041

13

9 0

7 0
8 0

6 0
)

)
7 0
S u c c e ss R a te (%

S u c c e ss R a te (%
5 0
6 0
W O W
J -U N IW A R D w ith Q F = 7 5
S -U N IW A R D 4 0
5 0 J -U N IW A R D w ith Q F = 9 5
H IL L
U E R D w ith Q F = 7 5
M iP O D
U E R D w ith Q F = 9 5
4 0 C M D -H IL L 3 0

0 .1 0 .2 0 .3 0 .4 0 .1 0 .2 0 .3 0 .4
P a y lo a d (b p p ) P a y lo a d (b p n z a c )
(a) Success rate in spatial domain (b) Success rate in JPEG domain
Fig. 6. Average success rates (a) For five modern steganographic methods, namely, WOW, S-UNIWARD, MiPOD, HILL and CMD-HILL in spatial
domain; (b) For J-UNIWAED and UERD with different quality factors in JPEG domain and different payloads.

(a) HILL 0.2 bpp (b) J-UNIWARD (QF=75) 0.2 bpnzac (c) CMD-HILL 0.2 bpp

(d) HILL 0.4 bpp (e) J-UNIWARD (QF=75) 0.4 bpnzac (f) CMD-HILL 0.4 bpp
Fig. 7. Distributions of parameter pairs (p1 , p2 ) for HILL, J-UNIWRAD and CMD-HILL

and the proposed method, as shown by the results in Table 4.9.1 Analysis of Success Rate
8. In addition, AEN does not work in the JPEG domain at In addition to the original stego (s0 ), the proposed method
all. tries to generate other candidate stegos (s1 , s2 , . . . , sN ). If
the final stego is not s0 , we say that the proposed method
successfully generates stegos that are better than the original
4.9 Statistical Analysis one. Thus, we define the success rate as follows:
P
In this section, we firstly give an analysis for different I(s ̸= s0 )
c∈CA
cost updating rules, and we would provide two statistics Rs = , (14)
|CA |
about the proposed method: the success rate (to measure the
efficiency of the generated stegos) and the distribution of the where for a given cover c ∈ CA , s is the final stego with the
pairs (p1 , p2 ) of parameter used in the stego generation. proposed method, I is an indicator function, and |CA | is the

© 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on October 12,2022 at 13:23:03 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2022.3182041
number of elements in CA .
The success rates for different steganographic methods
and payloads are shown in Fig. 6, From which we ob-
serve that the success rates tend to increase with increasing
embedding payloads for both the spatial domain and the
JPEG domain. Taking CMD-HILL for example, the success
rate is less than 40% when the embedding payload is 0.1
bpp, which means that over 60% of the final stegos are
the original ones, although there are 100 (i.e., N = 100 in
the spatial domain) generated stegos for each original one.
When the embedding payload is 0.4 bpp, the success rate
increases to over 75%. In the JPEG domain, the numbers of
original stegos and generated stegos are exactly the same
(i.e., N = 1). When the embedding payloads are larger than
0.2 bpnzac, all success rates are larger than 50%, meaning
over 50% of the final stegos are from generated stegos.
4.9.2 Distribution of Parameter Pairs (p1 , p2 )
In the stego generation, we employ N random pairs (p1 , p2 )
of parameters to control the cost modification rates accord-
ing to the magnitude of the gradients and embedding costs,
respectively. In this section, we will analyze the distributions
of (p1 , p2 ) for those final stegos. Based on our experiments,
we found that the distributions for WOW, S-UNIWARD,
MiPOD and HILL are similar, and the distributions for
UERD and J-UNIWARD are similar. For simplicity, we show
three representative results (for HILL, CMD-HILL and J-
UNIWARD) in Fig. 7. In this figure, we can see that the
three distributions are quite different. For HILL, most values
of p1 are selected around 1. (The contrast with J-UNIWARD
is striking.) For CMD-HILL, however, both p1 and p2 seem
to obey the uniform distribution on the range [0, 1]. Based
on our experiments, there are several important factors that
affect the distributions, such as the embedding scheme, the
adaptive high-pass filters, and the pre-trained steganalyzer.
The resulting distributions may be helpful to guide an
adaptive stego generation, which could be considered in our
future research.
5 C ONCLUSION
The main contribution of this paper is that we have pro-
posed a novel adversarial steganography embedding frame-
work, employing stego generation and selection. Unlike
related methods, the proposed method firstly generates
many candidate stegos based on the gradients of the cover
and embedding costs, to improve the diversity of these
candidates, and then combines the high-level and low-
level steganalytic features of these candidate stegos to select
a final stego with high steganography security. Extensive
experimental results show the superiority of the proposed
method both in the spatial and JPEG domains, both com-
pared with our preliminary method [1] and related methods.
The proposed framework is flexible, and there are sev-
eral important issues worth further study. For instance, in
our experiments, the two parameters (N and α) were deter-
mined by some special steganographic methods (viz., HILL
and J-UNIWARD) and steganalyzers (viz., SRM/GFR and
Deng-Net) . How to determine better parameters adaptively
could be considered. Instead of using only one targeted
© 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on October 12,2022 at 13:23:03 UTC from IEEE Xplore. Restrictions apply.
14
steganalyzer, as in the present paper, several targeted ste-
ganalyzers (including both CNN-based and hand-crafted
steganalyzers) could be included for generating and select-
ing the stegos. Furthermore, some iterative schemes, such as
min-max [26, 27], could be combined to further enhance the
security of the steganography.
ACKNOWLEDGMENTS
This work was supported in part by the National Science
Foundation of China (61972430), in part by the Natural
Science Foundation of Guangdong (2019A1515011549).
R EFERENCES
[1] T. Song, M. Liu, W. Luo, and P. Zheng, “Enhancing im-
age steganography via stego generation and selection,”
in 2021 IEEE Inf. Conf. on Acoustics, Speech and Signal
Process. (ICASSP), 2021.
[2] J. Fridrich and T. Filler, “Practical methods for mini-
mizing embedding impact in steganography,” in Proc.
SPIE, 2007, p. 650502.
[3] T. Filler, J. Judas, and J. Fridrich, “Minimizing addi-
tive distortion in steganography using syndrome-trellis
codes,” IEEE Trans. Inf. Forensics Security, vol. 6, no. 3,
pp. 920–935, 2011.
[4] V. Holub and J. Fridrich, “Designing steganographic
distortion using directional filters,” in IEEE Inf. Work-
shop Inf. Forensics and Secur. (WIFS), 2012, pp. 234–239.
[5] V. Holub, J. Fridrich, and T. Denemark, “Universal
distortion function for steganography in an arbitrary
domain,” EURASIP J. Inf. Secur., no. 1, p. 1, 2014.
[6] B. Li, M. Wang, J. Huang, and X. Li, “A new cost
function for spatial image steganography,” in IEEE Inf.
Conf. Image Process. (ICIP), 2014, pp. 4206–4210.
[7] V. Sedighi, R. Cogranne, and J. Fridrich, “Content-
adaptive steganography by minimizing statistical de-
tectability,” IEEE Trans. Inf. Forensics Security, vol. 11,
no. 2, pp. 221–234, 2015.
[8] B. Li, M. Wang, X. Li, S. Tan, and J. Huang, “A strat-
egy of clustering modification directions in spatial im-
age steganography,” IEEE Trans. Inf. Forensics Security,
vol. 10, no. 9, pp. 1905–1917, 2015.
[9] T. Denemark and J. Fridrich, “Improving stegano-
graphic security by synchronizing the selection chan-
nel,” in Proc. of the 3rd ACM Workshop Inf. Hiding and
Multimedia Secur. (IH& MMSec), 2015, pp. 5–14.
[10] L. Guo, J. Ni, and Y. Q. Shi, “Uniform embedding for
efficient JPEG steganography,” IEEE Trans. Inf. Forensics
Security, vol. 9, no. 5, pp. 814–825, 2014.
[11] L. Guo, J. Ni, W. Su, C. Tang, and Y. Shi, “Using
statistical image model for JPEG steganography: uni-
form embedding revisited,” IEEE Trans. Inf. Forensics
Security, vol. 10, no. 12, pp. 2669–2680, 2015.
[12] J. Fridrich and J. Kodovsky, “Rich models for steganaly-
sis of digital images,” IEEE Trans. Inf. Forensics Security,
vol. 7, no. 3, pp. 868–882, 2012.
[13] X. Song, F. Liu, C. Yang, X. Luo, and Y. Zhang, “Ste-
ganalysis of adaptive JPEG steganography using 2D
Gabor filters,” in Proc. of the 3rd ACM Workshop Inf.
Hiding and Multimedia Secur. (IH&MMSec), 2015, pp. 15–
23.
 This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2022.3182041

15

[14] J. Kodovsky, J. Fridrich, and V. Holub, “Ensemble clas- [30] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Er-
sifiers for steganalysis of digital media,” IEEE Trans. Inf. han, I. Goodfellow, and R. Fergus, “Intriguing proper-
Forensics Security, vol. 7, no. 2, pp. 432–444, 2011. ties of neural networks,” arXiv preprint arXiv:1312.6199,
[15] W. Tang, H. Li, W. Luo, and J. Huang, “Adaptive 2013.
steganalysis against WOW embedding algorithm,” in [31] I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining
Proc. of the ACM Workshop Inf. Hiding and Multimedia and harnessing adversarial examples,” arXiv preprint
Secur. (IH&MMSec), 2014, pp. 91–96. arXiv:1412.6572, 2014.
[16] T. Denemark, V. Sedighi, V. Holub, R. Cogranne, and [32] B. Chen, W. Luo, P. Zheng, and J. Huang, “Universal
J. Fridrich, “Selection-channel-aware rich model for stego post-processing for enhancing image steganogra-
steganalysis of digital images,” in IEEE Inf. Workshop phy,” J. Inf. Secur. Appl., vol. 55, p. 102664, 2020.
Inf. Forensics and Secur. (WIFS), 2014, pp. 48–53. [33] P. Bas, T. Filler, and T. Pevny, “Break our stegano-
[17] W. Tang, H. Li, W. Luo, and J. Huang, “Adaptive ste- graphic system: the ins and outs of organizing BOSS,”
ganalysis based on embedding probabilities of pixels,” Inf. Workshop Inf. Hiding, pp. 59–70, 2011.
IEEE Trans. Inf. Forensics Security, vol. 11, no. 4, pp. 734– [34] P. Bas and T. Furon, “BOWS-2,” 2007.
745, 2016. [35] P. M. N. Papernot and I. Goodfellow, “Transferabil-
[18] T. D. Denemark, M. Boroumand, and J. Fridrich, “Ste- ity in machine learning: from phenomena to black-
ganalysis features for content-adaptive JPEG steganog- box attacks using adversarial samples,” arXiv preprint
raphy,” IEEE Trans. Inf. Forensics Security, vol. 11, no. 8, arXiv:1605.07277, 2016.
pp. 1736–1746, 2016. [36] N. Carlini and D. Wagner, “Towards evaluating the ro-
[19] G. Xu, H. Wu, and Y. Shi, “Structural design of convo- bustness of neural networks,” in 2017 IEEE Symposium
lutional neural networks for steganalysis,” IEEE Signal Secur. and Privacy (SP), 2017, pp. 39–57.
Process. Lett., vol. 23, no. 5, pp. 708–712, 2016. [37] N. Papernot, P. McDaniel, S. Jha, M. Fredrikson, Z. B.
[20] G. Xu, “Deep convolutional neural network to detect Celik, and A. Swami, “The limitations of deep learning
J-UNIWARD,” in Proc. of the 5th ACM Workshop Inf. in adversarial settings,” in 2016 IEEE European Sympo-
Hiding and Multimedia Secur. (IH&MMSec), 2017, pp. 67– sium Secur. and Privacy (Euro SP), 2016, pp. 372–387.
73. [38] R. Cogranne, Q. Giboulot and P. Bas, “Alaska#2: Chal-
[21] X. Deng, B. Chen, W. Luo, and D. Luo, “Fast and lenging academic research on steganalysis with realistic
effective global covariance pooling network for image images,” in IEEE Inf. Workshop Inf. Forensics and Secur.,
steganalysis,” in Proc. of the ACM Workshop Inf. Hiding (WIFS), 2020, pp. 1–5.
and Multimedia Secur. (IH&MMSec), 2019, pp. 230–234.
[22] M. Boroumand, M. Chen, and J. Fridrich, “Deep resid-
ual network for steganalysis of digital images,” IEEE
Trans. Inf. Forensics Security, vol. 14, no. 5, pp. 1181–
1193, 2018.
[23] Y. Zhang, W. Zhang, K. Chen, J. Liu, Y. Liu, and N. Yu,
“Adversarial examples against deep neural network
based steganalysis,” in Proc. of the 6th ACM Workshop
Inf. Hiding and Multimedia Secur. (IH&MMSec), 2018, pp.
67–72.
[24] W. Tang, B. Li, S. Tan, M. Barni, and J. Huang, “CNN-
based adversarial embedding for image steganogra-
phy,” IEEE Trans. Inf. Forensics Security, vol. 14, no. 8,
pp. 2074–2087, 2019.
[25] S. Ma, X. Zhao, and Y. Liu, “Adaptive spatial steganog-
raphy based on adversarial examples,” Multim. Tools
Appl., vol. 78, no. 22, pp. 32 503–32 522, 2019.
[26] S. Bernard, T. Pevnỳ, P. Bas, and J. Klein, “Exploiting
adversarial embeddings for better steganography,” in
Proc. of the ACM Workshop Inf. Hiding and Multimedia
Secur. (IH&MMSec), 2019, pp. 216–221.
[27] S. Bernard, P. Bas, J. Klein, and T. Pevny, “Explicit
optimization of min max steganographic game,” IEEE
Trans. Inf. Forensics Security, vol. 16, pp. 812–823, 2021.
[28] H. Mo, T. Song, B. Chen, W. Luo, and J. Huang, “En-
hancing JPEG steganography using iterative adversar-
ial examples,” in IEEE Inf. Workshop Inf. Forensics and
Secur. (WIFS), 2019, pp. 1–6.
[29] J. Wu, B. Chen, W. Luo, and Y. Fang, “Audio steganog-
raphy based on iterative adversarial attacks against
convolutional neural networks,” IEEE Trans. Inf. Foren-
sics Security, vol. 15, pp. 2282–2294, 2020.

© 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on October 12,2022 at 13:23:03 UTC from IEEE Xplore. Restrictions apply.