CNN Steganalyzers Leverage Local Embedding Artifacts (4:10 PM – 4:30 PM)
Yassine Yousfi (Binghamton University), Jan Butora (Binghamton University) and Jessica Fridrich (“SUNY, Binghamton”) – On-site presentation
While convolutional neural networks have firmly established themselves as the superior steganography detectors, little human-interpretable feedback to the steganographer as to how the network reaches its decision has so far been obtained from trained models. The folklore has it that, unlike rich models, which rely on global statistics, CNNs can leverage spatially localized signals. In this paper, we adapt existing attribution tools, such as Integrated Gradients and Last Activation Maps, to show that CNNs can indeed find overwhelming evidence for steganography from a few highly localized embedding artifacts. We look at the nature of these artifacts via case studies of both modern content-adaptive and older steganographic algorithms. The main culprit is linked to “content creating changes” when the magnitude of a DCT coefficient is increased (Jsteg, –F5), which can be especially detectable for high frequency DCT modes that were originally zeros (J-MiPOD). In contrast, J-UNIWARD introduces the smallest number of locally detectable embedding artifacts among all tested algorithms. Moreover, we find examples of inhibition that facilitate distinguishing between the selection channels of stego algorithms in a multi-class detector. The authors believe that identifying and characterizing local embedding artifacts provides useful feedback for future design of steganographic schemes.
Data Augmentation for JPEG Steganalysis (4:30 PM – 4:50 PM)
Tomer Itzhaki (Binghamton university), Yassine Yousfi (Binghamton University) and Jessica Fridrich (“SUNY, Binghamton”) – On-site presentation
Deep Convolutional Neural Networks (CNNs) have performed remarkably well in JPEG steganalysis. However, they heavily rely on large datasets to avoid overfitting. Data augmentation is a popular technique to inflate the datasets available without collecting new images. For JPEG steganalysis, the augmentations predominantly used by researchers are limited to rotations and flips (D4 augmentations). This is due to the fact that the stego signal is erased by most augmentations used in computer vision. In this paper, we systematically survey a large number of other augmentation techniques and assess their benefit in JPEG steganalysis.
Structural Watermarking to Deep Neural Networks via Network Channel Pruning (4:50 PM – 5:10 PM)
Hanzhou Wu (Shanghai University) – Virtual presentation (speaker: Xiangyu Zhao)
In order to protect the intellectual property (IP) of deep neural networks (DNNs), many existing DNN watermarking techniques either embed watermarks directly into the DNN parameters or insert backdoor watermarks by fine-tuning the DNN parameters, which, however, cannot resist against various attack methods that remove watermarks by altering DNN parameters. In this paper, we bypass such attacks by introducing a structural watermarking scheme that utilizes channel pruning to embed the watermark into the host DNN architecture instead of crafting the DNN parameters. To be specific, during watermark embedding, we prune the internal channels of the host DNN with the channel pruning rates controlled by the watermark. During watermark extraction, the watermark is retrieved by identifying the channel pruning rates from the architecture of the target DNN model. Due to the superiority of pruning mechanism, the performance of the DNN model on its original task is reserved during watermark embedding. Experimental results have shown that, the proposed work enables the embedded watermark to be reliably recovered and provides a sufficient payload, without sacrificing the usability of the DNN model. It is also demonstrated that the proposed work is robust against common transforms and attacks designed for conventional watermarking approaches.
Iteratively Generated Adversarial Perturbation for Audio Stego Post-processing (5:10 PM – 5:30 PM)
Kaiyu Ying (Ningbo University), Wang Rangding (Ningbo University) and Yan Diqun (Ningbo University) – Virtual presentation
Recent studies have shown that adversarial examples can easily deceive neural networks. But how to ensure the accuracy of extraction while introducing perturbations to steganography is a major difficulty. In this paper, we propose a method of iterative adversarial stego post-processing model called IA-SPP that can generate enhanced post-stego audio to resist steganalysis networks and the SPL of adversarial perturbations is restricted. The model decomposes the perturbation to the point level and updates point-wise perturbations iteratively by the large-absolute-gradient-first rule. The enhanced post-stego obtained by adding the stego and the adversarial perturbation has a high probability of being judged as covers by the target network. In particular, we further considered how to simultaneously fight against multiple networks. The extensive experiments on the TIMIT show that the proposed model generalizes well across different steganography methods.