I Introduction
Image steganography is a technique to hide secret message into cover images via modifying some image components in an imperceptible manner. On the contrary, image steganalysis aims to detect the existence of secret message hidden by image steganography. During the past decade, many effective steganography methods have been proposed with the development of the steganalytic techniques.
Image steganography can be divided into two categories, that is, spatial steganography and JPEG steganography. In modern research, both of them are usually designed under the framework of distortion minimization [11], in which the design of embedding cost is the key issue. Typically, the embedding cost tries to measure the statistical detectability of each embedding unit (i.e. pixel or DCT coefficient). The smaller the embedding cost, the more likely the corresponding unit will be modified during the subsequent operation of SyndromeTrellis Codes (STCs) [10]. Up to now, there are many effective cost have been proposed in spatial domain. Most of them such as HUGO [24], WOW [17], SUNIWARD [16], HILL [21] and MIPOD [25] adopt an additive cost, meaning that they assume the embedding impact for each unit is independent. Some methods such as CMD [22], Synch [8] and DeJoin [35] improve the existing additive cost via sequentially embedding message and updating the cost to synchronize the modification direction. These methods usually achieve better security performance since the mutual impacts of adjacent embedding units are taken into consideration. For JPEG steganography, the additive costbased methods include UED [14], JUNIWARD [16], UERD [15], BET [18], and the nonadditive one includes BBC [23], which aims to preserve the spatial continuity at block boundaries. To enhance security, some other steganography methods aim to adjust existing costs via highlighting the details in an image [5, 6] or reassigning lower costs to controversial units [37, 36]. Recently, some deep learning techniques such as Generative Adversarial Network (GAN) [13] and adversarial example [27] have been applied in steganography. For instance, ASDLGAN [29] and UTGAN [32, 33] can learn costs that are directly related to the undetectability against the steganalyzer. ADVEMB [28] and method [3]
adjust the costs according to the gradients backpropagated from the target Convolutional Neural Network (CNN)based steganalyzer.
Note that above steganography methods mainly focus on designing embedding costs, and usually employ the STCs to minimize the total costs in subsequent data hiding. However, most existing embedding costs seem empirical, which would not be effective to measure the statistical detectability of embedding units. In addition, minimizing the total costs using STCs would not always produce high security stegos. Unlike existing works, we propose a novel framework to enhance the security of current steganography methods both in spatial and JPEG domains via stego postprocessing, which aims to reduce the residual distance between cover and modified stego. We firstly formulate the stego postprocessing as a nonlinear integer programming problem, and solve it using a heuristic search method  Hill Climbing. To achieve good security performance, the adaptive filters for obtaining image residuals and the distance measure are carefully designed. In addition, four acceleration strategies according to the characteristics of postmodification are considered to speed up our algorithm. Experimental results show that the proposed method can significantly enhance the security performance of the existing steganography methods, especially when the payloads and/or quality factors are large. Note that this paper is an extension of our previous work [4]. Compared to the work [4], the main differences of this paper are as follows. 1) Instead of using a fixed filter in [4] to obtain image residuals, in this paper, we design multiple adaptive filters which can better suppress image content while preserve the artifacts left by steganography; 2) The proposed method significantly accelerates the postprocessing via restricting the position of modified units, the direction and amplitude of modification, and adopting a fast method for convolution. 3) More extensive experimental results and analysis are given in this paper. For instance, we include both conventional and deep learning steganalytic models for security evaluation. We provide more analysis on statistical characteristics of postmodification and the processing time. In addition, both spatial and JPEG steganography methods and more image datasets are inlcued in this paper. 4) The extensive experimental results show that the proposed method can achieve higher security than the work [4].
Ii Robustness Analysis of STCs
Most current steganographic methods are constructed under the framework of distortion minimization. After the embedding costs are carefully designed, some coding methods are then used to embed secret message into cover image in order to minimize the total cost. In practical applications, STCs is widely used in modern steganography methods both in spatial and JPEG domains. Since the extraction of hidden message after using the proposed method is related to STCs, we will give a brief overview of STCs and its robustness against postmodification in the following.
Iia Review of SyndromeTrellis Codes
STC is one of the popular coding methods which is able to embed secret message into the cover image efficiently while approaching the optimal coding performance. It can be used to solve binary or nonbinary embedding problem under the steganography framework of distortion minimization. For binary problem, the message embedding and extraction for spatial steganography ^{1}^{1}1Similar results can be obtained for JPEG steganography. can be formulated as follows:
(1) 
(2) 
where is the function for message embedding. is the function for message extraction. is a cover image. is a stego image. is a secret message. is a parity function such as . is a paritycheck matrix of a binary linear code . is the coset corresponding to syndrome . STCs constructs the paritycheck matrix by placing a small submatrix along the main diagonal. The height of the submatrix is a parameter that can be used to balance the algorithm performance and speed. Using paritycheck matrix constructed in this way, equation (1) can be solved optimally by Viterbi algorithm with linear time and space complexity w.r.t. , which is the dimension of .
For the qary (q 2) embedding problem, STCs solves it efficiently via multilayered construction. It decomposes the qary problem into a sequence of similar binary problem and then applies the above solution for binary problem. The qary problem can be solved optimally if each binary problem is solve optimally. For more details of STCs, please refer the paper [10].
IiB Analysis of Robustness of STCs
From equation (2), the value of extracted message is determined by and . In a covert communication, since is fixed for a cover image, the message extraction completely relies on . Therefore, if there exists a modification matrix such that , we can extract exactly the same secret message from and , which shows the robustness of STCs against the modification in this case. Generally, image steganography embeds message into lower bits of the cover image for not introducing visually perceptible artifacts. Therefore, the parity function of qary STCs returns the to LSBs of the input image, where . Based on this characteristic, qary STCs’ robustness against postmodification can be formulated as follows:
(3) 
where and are matrices of the same size , denotes the element of the modification matrix
Taking a stego image obtained by ternary STCs (i.e. ) for example, in this case, . , . Therefore, we conclude that adding a multiple of 4 to any elements of the stego image will not confuse the message extraction at all.
Iii Proposed Framework and Method
In this section, we first describe the framework of stego postprocessing, and then present some implementation details, including the selection of some important parameters and four strategies to speed up processing. Finally, we will give the full description of the proposed algorithm under this framework.
Iiia Framework of Stego Postprocessing
As shown in Fig. 1, the current steganography firstly designs costs for all embedding units of a cover image, and then uses STCs to embed secret message into cover to get the resulting stego. Quite different from the existing works, the proposed framework aims to enhance the steganography security via reducing image residual distance between cover and stego using stego postprocessing. Since most current steganography methods, such as HILL [21] and UERD [15], employ ternary STCs for data embedding, the ternary case (i.e. ) is considered in our experiments. Please note that it is easy to extend our method for different .
IiiA1 Main Idea of Stego Postprocessing
It is well known that the steganography will introduce detectable artifacts into image residuals, and thus most effective steganalyzers based on handcrafted features (e.g. SRM [12], GFR [26]) and deep learning (e.g. XuNet [30], YeNet [34], and JXuNet [31]) are mainly based on analyzing image residuals in spatial domain. As illustrated in Fig. 2
, these steganalytic methods usually contain 3 components, that is, highpass filters to obtain image residuals, feature extraction operator of image residuals and a classifier based on the features. Since the steganography signal is rather weak compared to image content, good highpass filters can effectively suppress image content and improve the signaltonoise ratio (note that for steganalysis, noise here is image content), which is very helpful for steganalysis. From this point of view, if the image residual distance between cover and modified stego image is smaller, the security performance is expected to be better. Therefore, the main idea of the proposed framework is to reduce such distance via stego postprocessing. Combined with the robustness analysis on STCs in section
IIB, the proposed stego postprocessing can be formulated as the following optimization problem:(4)  
subject to  
where ^{2}^{2}2For spatial steganography, and denote pixel values of the corresponding images. For JPEG steganography, they denote the DCT coefficients. The image residual is obtained and analyzed in spatial domain both for spatial and JPEG steganography. denotes the image residual of image in spatial domain, denotes the distance between two image residuals and ; is a cover image, is a stego image obtained with an existing steganography method, is a modified version of with our post stegoprocessing; is an integer matrix; denotes the available range of embedding units of . Taking spatial steganography for instance, every unit in should be an integer in the range of .
Note that the proposed framework tries to modify a resulting stego obtained with an existing steganography method under the framework of distortion minimization, thus any modification on will inevitably increase the total distortion. However, we expect that the steganography security would become better since the residual distance between cover and the resulting stego is reduced after stego postprocessing.
IiiA2 Implementation of the Framework
Since the modifications are limited on integers, and the distance function is usually nonlinear, the optimization problem described in the previous section is a nonlinear integer programming, which is very hard to find the optimal solution. In our experiments, we employ a greedy algorithm, i.e., Hill Climbing, to find an approximate solution. Specifically, from an initial stego , we sequentially process the embedding units one by one to iteratively reduce its residual distance to cover until all embedding units are dealt with.
Fig. 3 illustrates how the proposed method updates a target embedding unit within a stego image. Let denote cover, denote the candidate stego which is initialized as the stego with an existing steganography method, denote the temporary variable for the modified version of after changing a target unit according to the rule described in section II (i.e. ). By doing so, we can assure that the secret messages extracted from and are exactly the same after modification. To determine whether the modified stego is better than the candidate one , we firstly apply function on cover image and two stego images , , and get the corresponding image residuals , and separately. And then we calculate the distance between the residual of cover and the two image residuals and separately according to a certain function, denoted as and . Finally, we will update the candidate stego as the temporary if , otherwise we keep unchanged.
We repeat the above operations for all embedding units, and the whole pseudocode of the proposed framework is illustrated in Algothrim 1. The inputs of the algorithm are cover and the corresponding stego using an existing steganography method. The algorithm first initializes the candidate stego as , and then updates using three loops. In the first loop (i.e. line 6  22), it traverses all the embedding units row by row. In the second loop (i.e. line 7  21), it considers the direction of postmodification to an embedding unit (positive or negative ). In the third loop (i.e. line 8  20), it considers different amplitudes of postmodification to an embedding units (e.g. ). After the three loops, the algorithm finally outputs a modified stego , which usually has smaller residual distance compared with the input stego .
IiiA3 HyperParameters
The residual function in Algorithm 1 is the key issue that would significantly affect the security performance of the proposed framework. In the following, we will discuss the design of adaptive filter.
As described in section IIIA1, most modern steganalytic features are mainly derived from image residuals. Thus, the selection of highpass filters is very important for steganalysis. Until now, there are many available filters in existing works, such as various filters in SRM [12] and GFR [26]. Note that these filters are fixed for all images. Inspired from [19], we employ an adaptive way to learn highpass filters for each image. Specifically, we first compute the convolution of the image with a prediction filter whose center element is 0, which amounts to predicting target pixels via their surrounding pixels; and then we determine the elements in the prediction filter by minimizing the mean square error between the predicted pixels and actual ones via lease squares; finally, we set the center of prediction filter as 1 to obtain the final filter, which calculate the residual between the predicted and actual values. Different from work [19] which learns a filter of size () with symmetry constraint, we first learn a base filter of size without symmetry constraint for any given image and its transposed version. Thus, the resulting basic filter (denoted as ) is a predictor of horizontal direction while its transposed version is a predictor of vertical direction. And then we get the outer product of and , denoted as , which can calculate the residual based on the prediction of both horizontal and vertical directions. In our method, we can obtain different residual functions via the combination of the elements in set with different size . Based on our experiments, we finally select the filters of size 7 for spatial steganography while filters of size 3 for JPEG steganography. More experimental results on the hyperparameter selection are shown in section IVA.
In Algorithm 1 (line 1213), the distance function is used to measure the residual distance between cover and stego. Different distances will lead to different postmodification, and thus affect security performance. We have tested several typical distance measures, including Manhattan, Euclidean, Chebychev and Hamming, and found that the Manhattan distance usually performs well on various steganography methods in both spatial and JPEG domains. Thus, we employ the Manhattan distance in all following experiments.
IiiB Acceleration Strategies
Several issues would significantly affect the processing time of the proposed Algorithm 1. First of all, there are three nested loops. The first loop will traverse all embedding units of the input stego . Taking an image of size for example, there are totally 262144 () units to be dealt with. For each unit, two directions (i.e. positive or negative in the second loop) and different amplitudes (i.e. 4, 8, , in the third loop) of the modification need to be considered. If we can reduce the iteration number of these loops, the algorithm speed will be improved. Furthermore, the filtering operation to get image residuals in the innermost loop is timeconsuming. As a result, a fast method for filtering is needed. In the following sections, we will describe four acceleration strategies separately.
IiiB1 Restriction on Position of PostModification
To reduce the number of embedding units to be dealt with in the first loop, we conduct the following experiment. Let be the set of all embedding units of the output image , be the set of units have been modified by steganography while be the complement of , be the set of units have been modified by our postprocessing while be the complement of . The four following statistics are considered.
Table I and Table II show the average results on 10,000 images from BOSSBase [1] for various steganography methods both in spatial and JPEG domains. From Tables I and II , we obtain two following observations.

: The steganography modification rate is relatively lower. In this experiment, less than 11% for spatial steganography for payload 0.4 bpp, and less than 4% for JPEG steganography for payload 0.4 bpnz.

: For those embedding units modified by the stego postprocessing (i.e. ), more of them are located at the small set of . Taking SUNIWARD for instance, over 65% of postmodification are located at the set of , which occupies only 7.39% of all units.
Based on above observations, we consider dealing with those embedding units that have been previously modified with the steganography (i.e. ) while skipping most unchanged units.
SUNI  MIPOD  HILL  CMDHILL  

7.39(65.18)  8.35(66.31)  8.52(65.93)  10.90(65.56)  
92.61(34.82)  91.65(33.69)  91.48(34.07)  89.10(34.44) 
QF  Ratio  JUNI  UERD  BETHILL 

75  1.36 (68.18)  1.26 (52.26)  1.28 (50.22)  
98.64 (31.82)  98.74 (47.74)  98.72 (49.78)  
95  3.65 (65.30)  3.47 (54.67)  3.45 (53.70)  
96.35 (34.70)  96.53 (45.33)  96.55 (46.30) 
IiiB2 Restriction on Direction of PostModification
In the previous section, we limited the postmodification to be performed on those embedding units which have been modified with steganography. To speed up the second loop, we will analyze the relationship between the directions (i.e. or ) of postmodification and steganography modification. We divide into two subsets according to its modification direction, denoted as and ; Similarly, we divide into two subsets according to its modification direction, denoted as and . Two following statistics are considered.
SUNI  MIPOD  HILL  CMDHILL  Average  

99.59  98.91  99.01  96.28  98.45  
0.41  1.09  0.99  3.72  1.55 
QF  Element  JUNI  UERD  BETHILL  Average 

75  95.76  92.42  89.53  92.57  
4.24  7.58  10.47  7.43  
95  90.70  85.11  83.54  86.45  
9.30  14.89  16.46  13.55 
Table III and Table IV show the average results on 10,000 images from BOSSBase [1] in different cases. From the two tables, we observe that the direction of postmodification is usually contrary to that of steganography modification. On average, is over 98% and over 86% for spatial and JPEG steganography separately. In our method, therefore, we will limit the direction of postmodification. This property is reasonable since the detectable artifacts left by steganography usually become more obvious when the direction of postmodification is the same as that of steganography modification.
Ratio  SUNI  MIPOD  HILL  CMDHILL  Average 

100  100  100  100  100  
0  0  0  0  0 
QF  Ratio  JUNI  UERD  BETHILL  Average 

75  99.89  99.74  99.30  99.64  
0.11  0.26  0.70  0.36  
95  99.42  98.70  98.09  98.74  
0.58  1.30  1.91  1.26 
IiiB3 Restriction on Amplitude of PostModification
In section IIB, we showed that adding a multiple of 4 to any embedding unit of the stego image would not confuse the message extraction. However, most existing literatures have shown that the security performance of steganography usually becomes poorer when the steganography modification becomes relatively larger. To enhance steganography security, we expect that most amplitudes of the postmodification are the smallest ones, i.e. 4, for the ternary STCs. To investigate this, we divide into two subsets according to whether the postmodification amplitude is equal to or larger than 4, denoted as and separately. The two following statistics are considered in this experiment.
Table V and Table VI show the average results on 10,000 images from BOSSBase [1] in different cases. From the two tables, we observe that almost all amplitudes of the postmodification are 4. On average, is 100% and over 98% for spatial and JPEG steganography separately, which fits our expectations very well. Therefore, we limit the amplitude for the postmodification to 4 in our method.
IiiB4 Efficient Convolution
In the three previous subsections, we try to reduce the loop count of the three loops in Algorithm 1 separately. In this section, we will speed up the key operation  i.e. the function to obtain image residual in the innermost loop (i.e. line 11) in Algorithm 1.
In section IIIA3, we determine to employ several adaptive convolution filters with a smaller size (i.e. or , which is significantly smaller than the image size and , i.e. in our experiments) to update image residual of temporary stego . Please note that the convolution is linear and it just affects a small region of embedding units that around the filter center. Thus, there is no need to perform the convolution on the whole temporary stego to obtain its residual, since just an element within is different from the candidate stego (refer line 910 in Algorithm 1). An equivalent and efficient method is employed in our method. When the image residual of is available (i.e. ), the image residual of can be calculated based on the following formula:
where is a matrix of the same size , and its elements are all 0 except that the element at position is 1.
Due to the characteristic of matrix , it is very fast to get the via modifying a small region corresponding to the position within , that is, a region of size for spatial steganography or a region of size ^{3}^{3}3Note that here: 1). The Inverse Discrete CosineTransform (IDCT) in JPEG decompression is linear. 2) Modifying a DCT coefficient in JPEG will affect an image block in spatial domain. for JPEG steganography. By doing so, we can obtain over 500 times acceleration both in spatial and JPEG steganography based on our experiments.
IiiC The Proposed Method
The pseudocode for the proposed stego postprocessing is illustrated in Algorithm 2. According to the first three acceleration strategies, we observe that only one loop (i.e. line 620 in Algorithm 2) is remaining here compared to Algorithm 1, and most embedding units in this loops will be skipped (i.e. line 1012 in Algorithm 2). According to the analysis in Section IIIB  4), the execution time is unbearable without using the fast method for obtaining temporary image residual . Thus the fast method is employed in both Algorithm 1 and Algorithm 2. For a fair comparison, both algorithms are implemented with Matlab and on the same server with CPU Intel Xeon Gold 6130. The processing time and the security performance of two algorithms would be evaluated in the following.
IiiC1 Comparison on Processing Time
In this experiment, we will compare the processing time of the algorithm before and after using the first three acceleration strategies. Four spatial steganography methods and three JPEG steganograpy methods are considered ^{4}^{4}4Please refer to Section IV for more details about the experimental settings.. The comparative results are shown in Table VII and Table VIII. From the two tables, we observe that the processing time of the proposed method (i.e. Algorithm 2) is significantly shorter than the original one (i.e. Algorithm 1). On average, we gain over 12 and 9 times speed improvement for the spatial and JPEG steganography separately.
SUNI  MIPOD  HILL  CMDHILL  Average  

Algorithm 1  3.75  3.72  3.75  3.72  3.74 
Algorithm 2  0.27  0.29  0.29  0.33  0.30 
QF  Strategy  JUNI  UERD  BETHILL  Average 

75  Algorithm 1  4.65  4.66  4.64  4.65 
Algorithm 2  0.50  0.49  0.49  0.49  
95  Algorithm 1  4.83  4.85  4.81  4.83 
Algorithm 2  0.54  0.53  0.53  0.53 
IiiC2 Comparison on Security Performance
In this experiment, we will compare the security performances of Algorithm 1 and Algorithm 2. The experimental results are shown in Table IX and Table X. From the two tables, we observe that both algorithms can enhance the steganography security in all cases. Although we have significantly simplified the Algorithm 1 for acceleration, the performance of Algorithm 2 would not drop. On the contrary, it is able to outperform Algorithm 1 slightly on average.
SUNI  MIPOD  HILL  CMDHILL  Average  

Baseline  79.68  75.66  75.72  70.06  75.28 
Algorithm 1  78.34  72.83*  72.96  69.35  73.37 
Algorithm 2  78.31*  73.19  72.42*  68.93*  73.21* 
QF  Strategy  JUNI  UERD  BETHILL  Average 

75  Baseline  89.66  89.59  87.13  88.79 
Algorithm 1  88.81  88.15  84.76  87.24  
Algorithm 2  88.54*  87.48*  84.59*  86.87*  
95  Baseline  72.79  76.00  69.22  72.67 
Algorithm 1  72.26  73.72  66.31*  70.76  
Algorithm 2  71.75*  73.46*  66.88  70.70* 
Iv Experimental Results and Discussions
In our experiments, we collect 10,000 grayscale images of size from BOSSBase [1], and randomly divide them into two nonoverlapping and equal parts, one for training and the other for testing. Like most existing literatures, we use the optimal simulator for data embedding. Four typical spatial steganography methods (i.e. SUNIWARD [16], MIPOD [25], HILL [21] and CMDHILL [22]) and three typical JPEG steganography methods (i.e. JUNIWARD [16], UERD [15] and BETHILL [18]) are considered. The spatial steganalytic detectors include two conventional feature sets (i.e. SRM [12], maxSRM [9]) and a CNNbased one (i.e. XuNet [30]). Similarly, the JPEG steganalytic detectors also include two conventional ones (i.e. GFR [26], SCAGFR [7] ) and a CNNbased one (i.e. JXuNet [31]). The ensemble classifier [20] is used for conventional steganalytic features.
Iva HyperParameter Selection
The residual function is the key issue in the proposed algorithm that will significantly affect the security performance. We employ several adaptive filters to get image residuals. In this section, we try to select proper hyperparameter about the adaptive filters, including the adaptive filter set and the size of basic filter .
Filter Set  SUNI  MIPOD  HILL  CMDHILL  Average 

Baseline  79.68  75.66  75.72  70.06  75.28 
78.82*  74.58  73.87  70.37  74.41  
79.42  75.69  75.13  70.02  75.07  
79.16  74.37*  73.75*  69.95*  74.31* 
QF  Filter Set  JUNI  UERD  BETHILL  Average 

75  Baseline  89.66  89.59  87.13  88.79 
94.97  95.43  92.99  94.46  
88.54*  87.48*  84.59  86.87*  
88.56  87.67  84.54*  86.92  
95  Baseline  72.79  76.00  69.22  72.67 
80.56  85.42  75.81  80.60  
71.75*  73.46*  66.88  70.70*  
72.09  73.80  66.67*  70.85 
Size  SUNI  MIPOD  HILL  CMDHILL  Average 

Baseline  79.68  75.66  75.72  70.06  75.28 
3  79.16  74.37  73.75  69.95  74.31 
5  78.28*  73.32  72.46  69.33  73.35 
7  78.31  73.19*  72.42*  68.93*  73.21* 
9  78.37  73.29  73.15  69.22  73.51 
QF  Size  JUNI  UERD  BETHILL  Average 

75  Baseline  89.66  89.59  87.13  88.79 
3  88.54*  87.48*  84.59*  86.87*  
5  88.87  87.82  84.95  87.21  
7  88.81  87.99  85.35  87.38  
9  88.89  88.06  85.33  87.43  
95  Baseline  72.79  76.00  69.22  72.67 
3  71.75*  73.46*  66.88  70.70*  
5  72.09  73.92  66.81*  70.94  
7  72.04  73.99  66.90  70.98  
9  72.34  74.17  66.90  71.14 
Steganography  SRM  maxSRMd2  XuNet  

0.1  0.2  0.3  0.4  0.5  0.1  0.2  0.3  0.4  0.5  0.1  0.2  0.3  0.4  0.5  
SUNI  60.09  68.29  74.74  79.68  83.61  63.72  70.71  76.58  80.69  84.36  55.72  64.86  73.62  78.60  82.72 
SUNISPP  59.76*  67.55*  73.27*  78.31*  82.22*  63.31*  70.09*  75.16*  79.17*  82.75*  55.24*  63.71*  70.66*  75.37*  79.73* 
MIPOD  58.25  65.68  71.44  75.66  80.20  60.77  67.37  72.92  77.41  81.34  58.06  65.52  71.11  75.66  80.43 
MIPODSPP  58.37  63.83*  69.11*  73.19*  77.52*  59.36*  65.21*  70.15*  73.79*  78.33*  56.98*  62.38*  66.80*  71.36*  75.23* 
HILL  56.65  64.14  70.44  75.72  79.67  62.43  69.32  73.72  78.30  81.92  58.04  65.50  71.40  77.26  80.23 
HILLSPP  56.09*  62.60*  67.68*  72.42*  76.47*  60.82*  66.82*  71.48*  75.72*  79.23*  56.29*  62.08*  66.92*  71.36*  75.50* 
CMDHILL  55.09  60.53  65.86  70.06  74.41  59.79  65.54  69.74  73.35  76.46  54.81  60.19  64.66  69.64  73.39 
CMDHILLSPP  54.55*  60.13*  64.95*  68.93*  72.73*  59.40*  64.42*  68.81*  71.83*  75.50*  54.39*  59.07*  62.65*  67.44*  70.25* 
QF  Steganography  GFR  SCAGFR  JXuNet  

0.1  0.2  0.3  0.4  0.5  0.1  0.2  0.3  0.4  0.5  0.1  0.2  0.3  0.4  0.5  
75  JUNI  59.03  71.00  81.82  89.66  94.50  64.33  76.91  85.94  91.75  95.47  65.28  77.66  86.13  91.72  95.01 
JUNISPP  59.06  70.92*  81.23*  88.54*  93.46*  63.72*  76.36*  85.07*  90.87*  94.65*  65.23  77.53*  85.97*  91.46*  94.57*  
UERD  60.42  72.46  82.27  89.59  94.14  70.36  82.17  88.91  93.17  95.88  77.44  88.04  93.01  96.13  97.46  
UERDSPP  59.60*  71.52*  81.11*  87.48*  92.54*  70.07*  81.08*  88.04*  92.10*  94.83*  77.06*  88.18  92.58*  95.95*  97.58  
BETHILL  58.26  69.12  78.96  87.13  92.10  65.19  76.98  86.11  92.01  95.58  65.63  77.70  84.88  90.43  95.20  
BETHILLSPP  57.82*  67.58*  77.04*  84.59*  90.42*  64.08*  75.22*  83.85*  89.73*  93.59*  64.28*  76.62*  83.27*  89.57*  93.73*  
95  JUNI  52.41  57.92  65.15  72.79  80.63  53.59  59.94  67.21  73.90  80.00  50.26  57.88  66.43  73.38  79.03 
JUNISPP  52.31*  57.66*  64.55*  71.75*  78.98*  53.52*  59.47*  65.98*  72.65*  78.27*  50.08*  57.72*  65.34*  72.42*  79.18  
UERD  54.18  60.62  68.49  76.00  82.77  59.33  67.89  74.57  80.53  85.44  50.12  73.37  82.39  88.97  92.79  
UERDSPP  54.11*  60.01*  66.66*  73.46*  79.68*  59.06*  66.81*  72.85*  77.93*  82.65*  50.04*  72.74*  82.30*  88.17*  92.12*  
BETHILL  52.24  56.75  62.30  69.22  75.59  54.14  59.47  65.36  71.73  77.81  50.47  58.49  65.36  73.01  80.00  
BETHILLSPP  52.06*  56.21*  61.22*  66.88*  72.86*  53.42*  58.19*  63.39*  69.18*  75.04*  49.90*  56.58*  64.09*  72.60*  78.07* 
IvA1 Adaptive Filter Set
As described in section IIIA3, we first learn a basic filter for each image, and then produce two filters via transpose and outer product, and then we obtain three adaptive filters, that is, , and . For simplification, three combinations of above filters are evaluated, that is, , and . In addition, the filter size of is fixed as 3 in this experiment, and the steganalytic features SRM and GFR are used for security evaluation for the spatial (0.4 bpp) and JPEG steganography (0.4 bpnz) separately. The detection accuracies evaluated on test set are shown in Table XI and Table XII. From Table XI, we observe that the three filter sets can improve the security performance of the four spatial steganography methods except using the filter on CMDHILL. On average, the set achieves the best performance, and it gains an average improvement of 0.97% compared to the baseline steganpgraphy. From Table XII, we observe and can improve the security performance while will significantly drop the performance. On average, the filter set performs the best and it achieves an improvement of around 1.90% for both quality factors. The above results show that different adaptive filter sets have a great influence on security performance. The filter sets and usually perform the best in spatial and JPEG domain separately.
IvA2 Size of Basic Filter
In previous section, we fixed the size of basic filter as 3, and selected the proper filter set for spatial and JPEG steganography separately. In this section, we first fixed the selected filter set, and evaluate their performances with different sizes of the basic filter , including . The detection accuracies are shown in Table XIII and Table XIV. From the two tables, we observe that the four filter sizes can improve the performance of various steganography methods in both spatial and JPEG domains. In spatial domain, the average performance becomes the best when the size of is 7 instead of 3, which will further gain an improvement of 1.10%. In JPEG domain, the proper size of is still 3 based on our experiments.
We should note that the hyperparameter determined previously is just a suboptimal solution. Due to time constraint, we probably find a better solution via brute force method according to several important issues, such as the combinations of adaptive filters with different sizes, the specific steganography with a given payload, and the steganalytic models under investigation and so on. For simplicity, we just apply the filter set
with filter size for spatial steganography, and the filter set with filter size for JPEG steganography for all embedding payloads and steganalytic models in the following section.IvB Steganography Security Evaluation
In this section, we will evaluate the security performance on different steganography methods for different payloads ranging from 0.1 bpp/bpnz to 0.5 bpp/bpnz. Three different steganalyzers in spatial domain, including SRM [12], maxSRM [9], and XuNet [30], and three steganalyzers in JPEG domain, including GFR [26], SCAGFR [7], and JXuNet [31], are used for security evaluation. The average detection accuracies on test set are shown in Table XV and Table XVI. From the two tables, we obtain the three following observations:

Almost in all cases, the proposed method can effectively improve the steganography security both in spatial and JPEG domains. The improvement usually increases with increasing embedding payload.

In spatial domain, we can achieve greater improvements on MIPOD and HILL compared to SUNIWARD and CMDHILL. Taking the payload of 0.5 bpp for instance, we obtain about 3% improvement on both MIPOD and HILL, while less than 2% for two other steganography methods under two handcrafted steganalytic feature sets, i.e. SRM and maxSRM. Furthermore, the proposed method seems more effective to the CNNbased steganalyzer (i.e. XuNet). For instance, we can obtain about 5% improvement for MIPOD and HILL for the payload of 0.5 bpp, which is a significant improvement on current steganography methods.
Fig. 4: The violin plots of the relative postmodification rates for HILL and BETHILL 
In JPEG domain, the proposed method can gain more improvement on UERD and BETHILL compared to JUNIWARD. Taking the payload 0.5 bpnz and for instance, it obtain an improvement of about 3% for both UERD and BETHILL under the steganalytic feature GFR, while only 1.65% for JUNIWARD. In addition, the proposed method seems less effective to CNNbased steganalyzer (i.e. JXuNet) compared to the handcrafted feature sets. In some cases, the security will drop slightly (less than 0.15%) after using the proposed method.
IvC Analysis on PostModification
In this section, we will analyze some statistical characteristics on the postmodification with our method, including the relative modification rate and its relation to the density of steganography modification.
Steganography  Rate  0.1  0.2  0.3  0.4  0.5 

SUNI  1.45  3.23  5.22  7.39  9.74  
2.63  3.47  4.08  4.59  5.02  
MIPOD  1.40  3.36  5.69  8.35  11.32  
2.33  3.83  4.77  5.41  5.86  
HILL  1.68  3.73  6.02  8.52  11.22  
3.95  4.70  5.20  5.58  5.89  
CMDHILL  2.34  5.03  7.89  10.90  14.06  
1.14  1.48  1.75  2.01  2.26 
QF  Steganography  Rate  0.1  0.2  0.3  0.4  0.5 

75  JUNI  0.28  0.61  0.98  1.36  1.76  
1.32  2.31  3.13  3.83  4.47  
UERD  0.25  0.56  0.90  1.26  1.64  
1.56  2.71  3.64  4.44  5.13  
BETHILL  0.27  0.58  0.93  1.28  1.66  
2.45  3.64  4.50  5.19  5.78  
95  JUNI  0.72  1.62  2.61  3.65  4.72  
1.85  3.54  5.03  6.30  7.36  
UERD  0.69  1.54  2.48  3.47  4.50  
2.66  4.65  6.24  7.52  8.55  
BETHILL  0.70  1.55  2.48  3.45  4.45  
3.15  5.08  6.55  7.69  8.59 
IvC1 Relative PostModification Rates
We first defined the relative postmodification rate to cover (denoted as , i.e. steganography modification rate) and the relative postmodification rate to steganography modification (denoted as ) are as follows:
where denote the set of embedding units in cover, stego, and the modified version with the proposed method separately. Note that since we limit the stego postmodification on those units that have been modified with the corresponding steganography; since the number of embedding units is the same for the three images. Table XVII and Table XVIII show the average results evaluated on 10,000 images from BossBase. From the two tables, we observe that will increase with increasing (and embedding payloads), and is usually less than 6% and 9% for spatial and JPEG steganography separately.
We further define the relative postmodification rate to stego (denoted as ) as follows:
Taking HILL for example, the average value of is around ‱) when the embedding payload is 0.5 bpp. Fig. 4 shows the violin plots of for HILL and BETHILL in different cases. From the two figures, we observe that the median number of usually increases with increasing payload. Even when the payload is as high as 0.5 bpp / 0.5 bpnz, the median number of is less than 80‱ / 40‱, which means that we can achieve great improvement (refer to Table XV and Table XVI) via modifying a tiny fraction of embedding units for any given stego images .
IvC2 vs. Density of Steganography Modification
From Fig. 4, we also observe that for a given payload, the values of will change a lot for different images. Taking HILL for 0.1 bpp for instance, the minimum of is close to 0, while the maximum become close to 30, meaning the range of is over 20 in this case. Furthermore, the range will increase with increasing payload or quality factor. In this section, we will analyze the factor which affects the values of .
Fig. 5 shows the steganography modifications and the postmodifications of two typical images using HILL for payload 0.1 bpp. From Fig. 5, we observe that for the first image, the steganography modifications seem uniformly dispersed throughout the whole image, while it is highly concentrated on a small part for the second one. After performing our method, the numbers of the postmodification are 1 and 523 separately. Thus we expect that there should be a positive correlation between the relative postmodification rate and the density of steganography modification. To verify this, we define the density of steganography modification in the following way. We first compare the difference between cover and stego , and divide the difference (i.e. ) into overlapping small blocks. And then we just consider those blocks which contain steganography modification, denoted as as . For each block , we calculate the proportion of steganography modification , where denotes the number of steganography modification in block , . Finally, we define the density of steganography modification for the stego image as follows.
Based on above definition, the densities of two images in Fig.5 are 0.05 and 0.27 respectively. We further calculate and the density of steganography modification for 10,000 images in BOSSBase, and show the scatter plot for HILL (0.1 bpp) and BETHILL (0.1 bpnz, QF=75) in Fig 6. For display purpose, we remove some outlying data (less than 0.15% with larger values) in this figure. From Fig. 6, it is obvious that increases with increasing density. In this case, the corresponding Pearson correlation coefficients are 0.95 and 0.70 respectively, meaning the linear relationships between the and the density of steganography modification are relatively strong, which fits our expectation very well. Similar results can be found for other steganography methods and/or payloads.
IvD Evaluation on Processing Time
0.1  0.2  0.3  0.4  0.5  

SUNI  0.30  0.28  0.29  0.28  0.29 
SUNISPP  0.17  0.20  0.23  0.27  0.31 
MIPOD  1.68  1.78  1.84  1.90  1.90 
MIPODSPP  0.17  0.20  0.25  0.29  0.34 
HILL  0.19  0.19  0.19  0.19  0.19 
HILLSPP  0.18  0.21  0.25  0.29  0.34 
CMDHILL Embed  0.32  0.33  0.32  0.32  0.32 
CMDHILL SPP  0.19  0.23  0.28  0.33  0.38 
QF  Steganography  0.1  0.2  0.3  0.4  0.5 

75  JUNI  3.07  3.07  3.07  3.07  3.06 
JUNISPP  0.47  0.48  0.49  0.50  0.50  
UERD  0.08  0.08  0.07  0.07  0.07  
UERDSPP  0.47  0.48  0.49  0.49  0.50  
BETHILL  0.68  0.69  0.69  0.69  0.69  
BETHILLSPP  0.47  0.48  0.48  0.49  0.50  
95  JUNI Embed  3.06  3.06  3.08  3.04  3.05 
JUNI SPP  0.48  0.50  0.52  0.54  0.56  
UERD  0.08  0.07  0.07  0.07  0.07  
UERD SPP  0.48  0.50  0.51  0.53  0.55  
BETHILL  0.69  0.74  0.71  0.71  0.71  
BETHILL SPP  0.48  0.50  0.51  0.53  0.56 
In this section, we will evaluate the processing time of the proposed method. To achieve convincing results, we report the average results on 100 images randomly selected from BOSSBase. For comparison, we also provide the processing time of the corresponding steganography method. The average results are shown in Table XIX and Table XX. From the two tables, we have two following observations:

For a given steganography method, the processing time usually increases with increasing payload since more steganography modification should be dealt with. Taking HILL for instance, the time processing is 0.18s for 0.1 bpp, while it becomes 0.34s for 0.5 bpp.

For the same reason, for a given JPEG steganography method and a payload, the processing time usually increases with increasing quality factor. Taking BETHILL for 0.5 bpnz for instance, the processing time is 0.50s for QF=75, while it increases to 0.56s for QF=95.
Overall, the processing time of the proposed method is very short (less than 0.60s per image in all cases), which is comparable to or even much shorter than that of the current steganography method.
Steganography  Database  SRM  maxSRMd2  XuNet  

0.1  0.3  0.5  0.1  0.3  0.5  0.1  0.3  0.5  
SUNI  BOSSBase  0.33  1.47  1.39  0.41  1.42  1.61  0.48  2.96  2.99 
BOWS2  0.23  2.33  1.97  1.66  2.73  2.11  1.00  4.66  2.98  
SZUBase  0.17  0.83  0.95  0.35  0.99  1.02  0.13  3.21  2.84  
MIPOD  BOSSBase  0.12  2.33  2.68  1.41  2.77  3.01  1.08  4.31  5.20 
BOWS2  0.57  3.32  4.94  1.47  4.92  4.03  1.92  5.23  5.21  
SZUBase  0.29  1.41  2.82  1.25  2.91  2.76  2.13  10.23  8.86  
HILL  BOSSBase  0.56  2.76  3.20  1.61  2.24  2.69  1.75  4.48  4.73 
BOWS2  1.52  4.75  5.04  2.76  4.54  4.22  2.66  5.92  5.67  
SZUBase  0.25  2.36  2.93  1.42  2.70  3.07  4.04  6.37  8.45  
CMDHILL  BOSSBase  0.54  0.91  1.68  0.39  0.93  0.96  0.42  2.01  3.14 
BOWS2  0.65  2.71  4.12  0.94  3.00  3.67  1.96  3.22  4.64  
SZUBase  0.23  1.13  0.96  0.61  1.64  1.29  0.81  4.77  3.17 
QF  Steganography  Database  GFR  SCAGFR  JXuNet  
0.1  0.3  0.5  0.1  0.3  0.5  0.1  0.3  0.5  
75  JUNI  BOSSBase  0.03  0.59  1.04  0.61  0.87  0.82  0.05  0.16  0.44 
BOWS2  0.16  1.01  1.06  0.03  0.69  1.18  0.40  0.08  1.28  
SZUBase  0.12  1.00  1.00  0.09  1.22  1.03  0.30  0.01  0.93  
UERD  BOSSBase  0.82  1.16  1.60  0.29  0.87  1.05  0.38  0.43  0.12  
BOWS2  0.11  1.07  1.43  0.63  0.96  1.08  1.25  2.35  0.52  
SZUBase  0.23  1.45  1.26  0.09  1.29  1.41  0.13  0.85  0.11  
BETHILL  BOSSBase  0.44  1.92  1.68  1.11  2.26  1.99  1.35  1.61  1.47  
BOWS2  0.47  1.80  2.15  1.33  2.36  1.68  0.97  2.38  1.45  
SZUBase  0.27  2.19  1.58  0.91  2.57  2.08  1.08  1.15  1.29  
95  JUNI  BOSSBase  0.10  0.60  1.65  0.07  1.23  1.73  0.18  1.09  0.15 
BOWS2  0.03  0.95  2.66  0.08  1.27  2.60  0.04  1.41  1.34  
SZUBase  0.03  0.25  2.18  0.12  0.97  1.80  0.04  2.37  0.15  
UERD  BOSSBase  0.07  1.83  3.09  0.27  1.72  2.79  0.08  0.09  0.67  
BOWS2  0.11  1.50  3.85  0.27  2.20  2.96  0.01  1.93  0.17  
SZUBase  0.47  1.77  3.01  0.42  1.79  2.24  0.15  1.26  1.05  
BETHILL  BOSSBase  0.18  1.08  2.73  0.72  1.97  2.77  0.57  1.27  1.93  
BOWS2  0.04  1.08  4.13  0.23  2.09  3.05  0.20  2.32  1.64  
SZUBase  0.37  1.61  3.03  0.50  2.40  2.51  0.08  1.92  1.13  
IvE Security Evaluation on Other Image Databases
In this section, we will evaluate the security performance of the proposed method on two other databases including 10,000 grayscale images of size from BOWS2 [2] and 40,000 grayscale images of size from SZUBase. The experimental settings about the partition of image dataset and hyperparameters are the same as previous ones used for the BOSSBase. For simplification, three embedding payloads, including 0.1 bpp/bpnz, 0.3 bpp/bpnz, 0.5 bpp/bpnz are considered in this experiment. For comparison, the detection accuracy improvements on the three image databases (i.e. BOSSBase, BOWS2 and SZUBase) are shown in Table XXI and Table XXII. From the two tables, we obtain two following observations:

Almost in all cases, the proposed method can effectively enhance the steganography security for the three image databases. In a few cases, the security performance will drop slightly (less than 0.17%) compared to the corresponding baseline steganography.

Compared to the results on BOSSBase, we can even make greater improvements on BOWS2 and SZUBase in many cases, especially for steganography methods in spatial domain. In several cases, we can achieve over 4% improvements, which is a significant improvement on the current good steganography.
The above results show that the proposed method can be effectively extended to other image databases.
IvF Comparison with Our Previous Method
In this section, we will compare the steganography security and the processing time with our previous work [4].
IvF1 Comparison on Security Performance
For simplification, we evaluate spatial steganography methods for payload 0.4 bpp using SRM, and JPEG steganography methods for payload 0.4 bpnz with QF 95 using GFR both on BOSSBase. The experimental results are shown in Table XXIII and Table XXIV separately. From the two tables, we observe that in spatial domain, both methods can enhance steganography security. On average, the previous method and the proposed method achieve an improvement of about 1% and 2% separately. In JPEG domain, our previous method [4] does not work, while the proposed method still achieves an average improvement of about 2%.
IvF2 Comparison on Processing Time
The average processing time evaluated on 100 randomly selected images from BOSSBase are shown in Table XXV and Table XXVI separately. From the two tables, we observe that the proposed method is significantly faster than the previous method. On average, the proposed method are able to achieve about 7 times acceleration in spatial domain, and about 5 times acceleration in JPEG domain.
The above results show that the proposed method is much more effective and faster than the previous one [4] ^{5}^{5}5Please note that the fast method for updating image residual in section IIIB4 is also employed in our previous work for comparison. .
Steganography  SUNI  MIPOD  HILL  CMDHILL  Average 

Method [4]  0.96  0.85  1.69  0.10  0.90 
Proposed  1.37*  2.47*  3.30*  1.13*  2.07* 
Steganography  JUNI  UERD  BETHILL  Average 

Method [4]  0.19  0.11  0.06  0.08 
Proposed  1.04*  2.54*  2.34*  1.97* 
V Conclusion
In this paper, we propose a novel method to enhance the steganography security via stego postprocessing. The main contributions of this paper are as follows.

To our best knowledge, this is the first work (including our previous conference work [4]) to enhance steganography security via stego postprocessing. The extensive experimental results show that we can easily achieve better steganography security via modifying a tiny part of embedding units within given stegos.

The proposed method is universal, because it can be effectively applied in those steganography methods using STCs for data hiding, including most modern image steganography methods both in spatial and JPEG domains.

Via analyzing some characteristics about the postmodification, such as the location, the direction and the amplitude of postmodification (see section IIIB), we significantly speed up the proposed method while preserving satisfactory results.
In our experiments, we try to reduce the Manhattan distance between cover residual and stego resudial via postmodification. Other steganalytic measures, such as the cooccurrence matrices of image residual in SRM and some deep learning based features will be considered in our future work. In addition, we will combine the technique of adversarial example to further improve the steganography security.
References
 [1] (2011) ”Break our steganographic system”: the ins and outs of organizing boss. In Springer International Workshop on Information Hiding, pp. 59–70. Cited by: §IIIB1, §IIIB2, §IIIB3, §IV.
 [2] (2007) BOWS2. Note: http://bows2.eclille.fr Cited by: §IVE.
 [3] (2019) Exploiting adversarial embeddings for better steganography. In ACM Workshop on Information Hiding and Multimedia Security, pp. 216–221. Cited by: §I.
 [4] (2019) Enhancing steganography via stego postprocessing by reducing image residual difference. In ACM Workshop on Information Hiding and Multimedia Security, pp. 63–68. Cited by: §I, §IVF1, §IVF2, §IVF, TABLE XXIII, TABLE XXIV, TABLE XXV, TABLE XXVI, 1st item.
 [5] (2016) Defining cost functions for adaptive steganography at the microscale. In IEEE International Workshop on Information Forensics and Security, pp. 1–6. Cited by: §I.
 [6] (2018) Defining cost functions for adaptive JPEG steganography at the microscale. IEEE Transactions on Information Forensics and Security 14 (4), pp. 1052–1066. Cited by: §I.
 [7] (2016) Steganalysis features for contentadaptive JPEG steganography. IEEE Transactions on Information Forensics and Security 11 (8), pp. 1736–1746. Cited by: §IVB, §IV.
 [8] (2015) Improving steganographic security by synchronizing the selection channel. In ACM Workshop on Information Hiding and Multimedia Security, pp. 5–14. Cited by: §I.
 [9] (2014) Selectionchannelaware rich model for steganalysis of digital images. In IEEE International Workshop on Information Forensics and Security, pp. 48–53. Cited by: §IVB, §IV.
 [10] (2011) Minimizing additive distortion in steganography using syndrometrellis codes. IEEE Transactions on Information Forensics and Security 6 (3), pp. 920–935. Cited by: §I, §IIA.
 [11] (2007) Practical methods for minimizing embedding impact in steganography. In Security, Steganography, and Watermarking of Multimedia Contents IX, Vol. 6505, pp. 650502. Cited by: §I.
 [12] (2012) Rich models for steganalysis of digital images. IEEE Transactions on Information Forensics and Security 7 (3), pp. 868–882. Cited by: §IIIA1, §IIIA3, §IVB, §IV.
 [13] (2014) Generative adversarial nets. In Advances in neural information processing systems, pp. 2672–2680. Cited by: §I.
 [14] (2014) Uniform embedding for efficient JPEG steganography. IEEE transactions on Information Forensics and Security 9 (5), pp. 814–825. Cited by: §I.
 [15] (2015) Using statistical image model for JPEG steganography: uniform embedding revisited. IEEE Transactions on Information Forensics and Security 10 (12), pp. 2669–2680. Cited by: §I, §IIIA, §IV.
 [16] (2014) Universal distortion function for steganography in an arbitrary domain. Springer EURASIP Journal on Information Security 2014 (1), pp. 1. Cited by: §I, §IV.
 [17] (2012) Designing steganographic distortion using directional filters. In IEEE International Workshop on Information Forensics and Security, pp. 234–239. Cited by: §I.
 [18] (2018) Efficient JPEG steganography using domain transformation of embedding entropy. IEEE Signal Processing Letters 25 (6), pp. 773–777. Cited by: §I, §IV.
 [19] (2008) Revisiting weighted stegoimage steganalysis. In Security, Forensics, Steganography, and Watermarking of Multimedia Contents X, Vol. 6819, pp. 681905. Cited by: §IIIA3.
 [20] (2012) Ensemble classifiers for steganalysis of digital media. IEEE Transactions on Information Forensics and Security 7 (2), pp. 432–444. Cited by: §IV.
 [21] (2014) A new cost function for spatial image steganography. In IEEE International Conference on Image Processing, pp. 4206–4210. Cited by: §I, §IIIA, §IV.
 [22] (2015) A strategy of clustering modification directions in spatial image steganography. IEEE Transactions on Information Forensics and Security 10 (9), pp. 1905–1917. Cited by: §I, §IV.
 [23] (2018) Defining joint distortion for JPEG steganography. In ACM Workshop on Information Hiding and Multimedia Security, pp. 5–16. Cited by: §I.
 [24] (2010) Using highdimensional image models to perform highly undetectable steganography. In Springer International Workshop on Information Hiding, pp. 161–177. Cited by: §I.
 [25] (2016) Contentadaptive steganography by minimizing statistical detectability. IEEE Transactions on Information Forensics and Security 11 (2), pp. 221–234. Cited by: §I, §IV.
 [26] (2015) Steganalysis of adaptive JPEG steganography using 2d gabor filters. In ACM Workshop on Information Hiding and Multimedia Security, pp. 15–23. Cited by: §IIIA1, §IIIA3, §IVB, §IV.
 [27] (2013) Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199. Cited by: §I.
 [28] (2019) CNNbased adversarial embedding for image steganography. IEEE Transactions on Information Forensics and Security 14 (8), pp. 2074–2087. Cited by: §I.
 [29] (2017) Automatic steganographic distortion learning using a generative adversarial network. IEEE Signal Processing Letters 24 (10), pp. 1547–1551. Cited by: §I.
 [30] (2016) Structural design of convolutional neural networks for steganalysis. IEEE Signal Processing Letters 23 (5), pp. 708–712. Cited by: §IIIA1, §IVB, §IV.
 [31] (2017) Deep convolutional neural network to detect juniward. In ACM Workshop on Information Hiding and Multimedia Security, pp. 67–73. Cited by: §IIIA1, §IVB, §IV.
 [32] (2019, To be appeared) An embedding cost learning framework using gan. IEEE Transactions on Information Forensics and Security. Cited by: §I.
 [33] (2019) Towards automatic embedding cost learning for JPEG steganography. In ACM Workshop on Information Hiding and Multimedia Security, pp. 37–46. Cited by: §I.
 [34] (2017) Deep learning hierarchical representations for image steganalysis. IEEE Transactions on Information Forensics and Security 12 (11), pp. 2545–2557. Cited by: §IIIA1.
 [35] (2017) Decomposing joint distortion for adaptive steganography. IEEE Transactions on Circuits and Systems for Video Technology 27 (10), pp. 2274–2280. Cited by: §I.
 [36] (2018) Controversial ’pixel’ prior rule for JPEG adaptive steganography. IET Image Processing 13 (1), pp. 24–33. Cited by: §I.
 [37] (2017) A new rule for cost reassignment in adaptive steganography. IEEE Transactions on Information Forensics and Security 12 (11), pp. 2654–2667. Cited by: §I.
Comments
There are no comments yet.