arxiv: 2605.05789 · v1 · submitted 2026-05-07 · 💻 cs.CR · cs.CV

Recognition: unknown

Stego Battlefield: Evaluating Image Steganography Attacks and Steganalysis Defenses

Zhen Sun , Zongmin Zhang , Leyi Sheng , Yule Liu , Yifan Liao , Ke Li , Xinhu Zheng , Jiaheng Wei

show 2 more authors

Wenyuan Yang Xinlei He

Authors on Pith no claims yet

Pith reviewed 2026-05-08 09:24 UTC · model grok-4.3

classification 💻 cs.CR cs.CV

keywords image steganographysteganalysisbenchmarktransferabilityadversarial securitycontent moderationharmful payload hidingsocial media threats

0 comments

The pith

SADBench reveals that steganography attacks transfer to new image distributions while steganalysis detectors fail to adapt.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces SADBench, a benchmark with four evaluation tasks to measure how effectively attackers can hide harmful visual or textual content inside images and how well detectors can find those hidden payloads. It tests a range of steganography methods and steganalysis tools across different cover images, using realistic harmful semantics and toxic instructions to stand in for malicious use cases. The results show that invertible neural network and autoencoder methods hold up more stably than other approaches, that detectors work almost perfectly inside the training domain but cost less than the attacks they counter, and that attacks move easily to new image sets while detectors do not. Real social-media compression is also shown to leave many payloads intact or trainable to survive it. A sympathetic reader would care because the work quantifies an ongoing security gap that content-moderation systems and AI safety filters must close.

Core claim

SADBench evaluates both the attack side and the defense side of image steganography across image-payload and text-payload settings. It finds that invertible neural network and autoencoder architectures are the most stable, that in-domain steganalysis reaches near-perfect accuracy at lower cost than payload generation, that attacks generalize reliably to new cover distributions while detectors do not, and that payloads either survive light social-media compression or can be trained to survive aggressive compression.

What carries the argument

SADBench, the benchmark that runs four coordinated tasks (attack capability, defense capability, efficiency, and transferability) on steganography methods and steganalysis detectors using harmful semantics and simulated social-media compression.

If this is right

Invertible neural network and autoencoder steganography methods remain stable across varied cover distributions and payload types.
Steganalysis detectors achieve near-perfect accuracy when the test images match the training distribution and require fewer resources than the attacks they target.
Steganography attacks reliably generalize to unseen image distributions while steganalysis detectors lose effectiveness outside their training set.
Payloads hidden in images either survive minimal social-media compression or can be made to survive aggressive compression by training with simulated compression.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Content-moderation pipelines would benefit from training detectors on wider ranges of cover images to reduce the transferability gap the benchmark identifies.
The same benchmark structure could be applied to video or audio steganography to check whether the same attack-defense asymmetry appears.
Platform operators might need to add compression-robust steganalysis checks at upload time rather than relying on post-hoc detection.
The efficiency finding suggests defenders could focus more resources on rapid in-domain checks instead of trying to match the cost of generation.

Load-bearing premise

The chosen harmful visuals, toxic instructions, cover images, and simulated compression levels accurately reflect how real malicious steganography would behave and be detected in practice.

What would settle it

A direct test that uploads the paper's generated stego images to actual social-media platforms, then checks whether the benchmark's detectors catch the payloads or whether new attacks evade them.

Figures

Figures reproduced from arXiv: 2605.05789 by Jiaheng Wei, Ke Li, Leyi Sheng, Wenyuan Yang, Xinhu Zheng, Xinlei He, Yifan Liao, Yule Liu, Zhen Sun, Zongmin Zhang.

**Figure 1.** Figure 1: Overview of real-world image-cover steganography view at source ↗

**Figure 2.** Figure 2: Overview of SADBench framework. The framework consists of four core tasks. 3 Threat Model As shown in view at source ↗

**Figure 3.** Figure 3: Computational efficiency comparison on ALASKA#2. view at source ↗

**Figure 4.** Figure 4: Cross-dataset transfer performance (F1-score) of the steganalysis detector. A denotes the ALASKA#2 dataset and D denotes view at source ↗

**Figure 5.** Figure 5: Cross-method transferability of steganalysis on image payloads. view at source ↗

**Figure 6.** Figure 6: Performance comparison of image quality across dif view at source ↗

read the original abstract

Image steganography is widely used to protect user privacy and enable covert communication. However, it can also be abused by the adversary as a covert channel to bypass content moderation, disseminate harmful semantics, and even hide malicious instructions in images to elicit dangerous outputs from large models, posing a practical security risk that continues to evolve. To address the lack of a unified and systematic evaluation framework, we propose SADBench, a systematic benchmark that assesses the adversary's ability to inject harmful secrets via steganography and the defender's ability to detect such threats through steganalysis. Crucially, SADBench comprises $4$ core tasks, namely steganography attack capability evaluation, steganalysis defense capability evaluation, efficiency evaluation, and transferability evaluation. It evaluates both image-payload and text-payload steganography across diverse cover distributions, utilizing harmful visual semantics and toxic instructions to simulate malicious attacks. Across a broad set of attacks and detectors, SADBench reveals that (i) INN and autoencoder-based methods demonstrate superior stability compared to other architectures, (ii) in-domain detection is near-perfect and cheaper than generation, (iii) a critical asymmetry exists in transferability where attacks robustly generalize to new distributions while detectors fail to adapt, and (iv) real-world threats persist on social media, where payloads either survive minimal compression or effectively adapt to aggressive compression via simulated training. Overall, SADBench establishes a systematic, reproducible, and extensible framework to quantify risks, paving the way for measurable and security-driven advancements in steganography defense.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

SADBench sets up a new benchmark for testing stego attacks with harmful payloads and shows attackers transfer better than detectors, but the social media claims rest on unverified simulations.

read the letter

SADBench is the main takeaway. This benchmark evaluates how effectively steganography can hide harmful content in images and how well steganalysis can detect it, with dedicated tasks for capability, efficiency, and transferability. The work does well by running a wide range of attacks and detectors on both image and text payloads. It highlights that certain methods like INN and autoencoders are more stable, that detection works reliably within the same domain but not across shifts, and that attacks generalize better than defenses. The efficiency angle, showing detection is cheaper than generation, adds a useful practical dimension. Focusing on toxic instructions and harmful semantics ties it directly to real security risks in content moderation and AI systems. The soft spot is the real-world section. The persistence of threats under social media conditions comes from simulated compression and training. This may not capture the full pipeline on actual platforms, including their quantization tables and multi-stage processing. If the paper lacks direct validation on live traces, those results stay provisional. The choice of cover images and harmful content also assumes a match to malicious use cases, which could limit how far the findings apply. This is relevant for anyone building or evaluating moderation systems against covert channels. It deserves a serious referee because the benchmark structure is extensible and the asymmetry observation is worth testing further. I would send it for peer review, asking reviewers to check the simulation fidelity and the representativeness of the datasets used.

Referee Report

2 major / 2 minor

Summary. The manuscript proposes SADBench, a systematic benchmark for evaluating image steganography attacks that embed harmful visual semantics or toxic instructions, alongside steganalysis defenses. It defines four core tasks (attack capability, defense capability, efficiency, and transferability) and reports results across multiple architectures and cover distributions. Key findings include superior stability of INN and autoencoder-based steganography methods, near-perfect and low-cost in-domain detection, an asymmetry favoring attack transferability over detector adaptation, and the persistence of threats under simulated social-media compression.

Significance. If the evaluations prove robust, SADBench would constitute a useful, reproducible, and extensible framework for quantifying steganographic risks in security settings, directly addressing the gap between theoretical methods and practical threats involving harmful payloads. The explicit focus on real-world simulation and transferability is a constructive step toward measurable defense improvements.

major comments (2)

[Abstract and real-world evaluation section] Abstract and the real-world evaluation section: the claim that 'real-world threats persist on social media, where payloads either survive minimal compression or effectively adapt to aggressive compression via simulated training' is load-bearing for the security implications. The simulation (generic JPEG quality factors and resizing) is not shown to replicate platform-specific pipelines (custom quantization tables, chroma subsampling, metadata stripping, multi-stage re-encoding), nor is it validated against live upload/download traces. This directly affects the external validity of finding (iv).
[Transferability evaluation section] Transferability evaluation section: the reported asymmetry (attacks generalize robustly while detectors fail to adapt) is central to the benchmark's conclusions. Without an explicit ablation table or description of the exact source/target distribution shifts and cover-image statistics used, it is unclear whether the asymmetry arises from inherent architectural properties or from the particular choices of harmful semantics and cover distributions.

minor comments (2)

[Abstract] The abstract refers to both 'image-payload and text-payload steganography' but the precise embedding procedure for toxic instructions (e.g., how text is converted to image payload or directly embedded) is not clarified in the high-level description.
[Results tables and figures] Figure and table captions should explicitly state the number of runs, random seeds, and confidence intervals for all reported metrics (accuracy, payload survival rate, etc.) to support reproducibility claims.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and insightful comments, which help improve the clarity and robustness of our benchmark. We address each major comment point by point below, indicating revisions made to the manuscript.

read point-by-point responses

Referee: [Abstract and real-world evaluation section] Abstract and the real-world evaluation section: the claim that 'real-world threats persist on social media, where payloads either survive minimal compression or effectively adapt to aggressive compression via simulated training' is load-bearing for the security implications. The simulation (generic JPEG quality factors and resizing) is not shown to replicate platform-specific pipelines (custom quantization tables, chroma subsampling, metadata stripping, multi-stage re-encoding), nor is it validated against live upload/download traces. This directly affects the external validity of finding (iv).

Authors: We appreciate the referee's emphasis on external validity for the real-world threat claims. Our simulations rely on standard JPEG quality factors (50-95) and resizing, which are established practices in the steganography literature for approximating post-upload processing. We acknowledge that these generic operations do not fully capture proprietary platform pipelines such as custom quantization tables, chroma subsampling, metadata stripping, or multi-stage re-encoding, nor have we validated against live traces. In the revised manuscript, we have expanded the real-world evaluation section with a precise description of all simulation parameters, added an explicit limitations paragraph discussing the gap to platform-specific behavior, and framed our results as indicative of potential persistence under common compression rather than a complete replication. This constitutes a partial revision focused on transparency and caveats. revision: partial
Referee: [Transferability evaluation section] Transferability evaluation section: the reported asymmetry (attacks generalize robustly while detectors fail to adapt) is central to the benchmark's conclusions. Without an explicit ablation table or description of the exact source/target distribution shifts and cover-image statistics used, it is unclear whether the asymmetry arises from inherent architectural properties or from the particular choices of harmful semantics and cover distributions.

Authors: We agree that additional details on the transferability setup are needed to substantiate the asymmetry finding. In the revised manuscript, we have added a dedicated paragraph in the transferability evaluation section that specifies the source and target cover distributions (e.g., shifts from general natural images to domain-specific sets such as indoor scenes or artistic renders), along with cover-image statistics including mean intensity, standard deviation, and entropy. We also include a new ablation table (Table 7) that systematically varies harmful payload types (visual semantics versus toxic text instructions) and reports transfer success rates for both attacks and detectors. These additions allow readers to evaluate whether the asymmetry stems primarily from architectural differences or from our benchmark's semantic and distributional choices, thereby strengthening interpretability and reproducibility. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical benchmark evaluation

full rationale

The paper introduces SADBench as a systematic empirical benchmark consisting of four evaluation tasks (attack capability, defense capability, efficiency, and transferability) applied to existing steganography and steganalysis methods. All reported findings (stability of INN/autoencoder methods, near-perfect in-domain detection, transferability asymmetry, and persistence under simulated compression) are obtained by running the selected attacks and detectors on chosen cover distributions, payloads, and compression simulations. No derivation chain, equations, fitted parameters, or self-citations are used to define or force any result in terms of itself; the outcomes are direct experimental measurements independent of the target claims by construction. The work contains no uniqueness theorems, ansatzes smuggled via prior self-citation, or renaming of known results as new derivations.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The contribution is an empirical benchmark proposal rather than a theoretical or mathematical derivation; the abstract introduces no free parameters, axioms, or invented entities.

pith-pipeline@v0.9.0 · 5610 in / 1367 out tokens · 25576 ms · 2026-05-08T09:24:51.187372+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

55 extracted references · 5 canonical work pages · 1 internal anchor

[1]

Ntire 2017 chal- lenge on single image super-resolution: Dataset and study

Eirikur Agustsson and Radu Timofte. Ntire 2017 chal- lenge on single image super-resolution: Dataset and study. InThe IEEE Conference on Computer Vision and Pattern Recognition (CVPR) Workshops, July 2017. 5

2017
[2]

Se- cure and efficient data transmission by video steganog- raphy in medical imaging system.Cluster Computing, 22(Suppl 2):4057–4063, 2019

S Balu, C Nelson Kennedy Babu, and K Amudha. Se- cure and efficient data transmission by video steganog- raphy in medical imaging system.Cluster Computing, 22(Suppl 2):4057–4063, 2019. 1, 2

2019
[3]

Hiding images in plain sight: Deep steganography

Shumeet Baluja. Hiding images in plain sight: Deep steganography. In Isabelle Guyon, Ulrike von Luxburg, Samy Bengio, Hanna M. Wallach, Rob Fergus, S. V . N. Vishwanathan, and Roman Garnett, editors,Advances in Neural Information Processing Systems 30: Annual Conference on Neural Information Processing Systems 2017, December 4-9, 2017, Long Beach, CA, USA...

2017
[4]

Collo- mosse

Tu Bui, Shruti Agarwal, Ning Yu, and John P. Collo- mosse. Rosteals: Robust steganography using autoen- coder latent space. InIEEE/CVF Conference on Com- puter Vision and Pattern Recognition, CVPR 2023 - Workshops, Vancouver, BC, Canada, June 17-24, 2023, pages 933–942. IEEE, 2023. 5

2023
[5]

Stegomalware: A system- atic survey of malwarehiding and detection in images, machine learningmodels and research challenges.arXiv preprint arXiv:2110.02504, 2021

Rajasekhar Chaganti, Vinayakumar Ravi, Mamoun Alazab, and Tuan D Pham. Stegomalware: A system- atic survey of malwarehiding and detection in images, machine learningmodels and research challenges.arXiv preprint arXiv:2110.02504, 2021. 1, 2

work page arXiv 2021
[6]

Finding optimal least-significant-bit substitution in image hiding by dynamic programming strategy.Pat- tern Recognit., 36(7):1583–1595, 2003

Chin-Chen Chang, Ju Yuan Hsiao, and Chi-Shiang Chan. Finding optimal least-significant-bit substitution in image hiding by dynamic programming strategy.Pat- tern Recognit., 36(7):1583–1595, 2003. 1

2003
[7]

Low-frequency image deep steganography: Manipulate the frequency distribution to hide secrets with tenacious robustness.CoRR, abs/2303.13713, 2023

Huajie Chen, Tianqing Zhu, Yuan Zhao, Bo Liu, Xin Yu, and Wanlei Zhou. Low-frequency image deep steganography: Manipulate the frequency distribution to hide secrets with tenacious robustness.CoRR, abs/2303.13713, 2023. 3

work page arXiv 2023
[8]

Operation endtrade: Multi-stage backdoors that tick

Joey Chen, Hiroyuki Kakara, and Masaoki Shoji. Operation endtrade: Multi-stage backdoors that tick. https://www.trendmicro.com/en_us/research/ 19/k/operation-endtrade-finding-multi- stage-backdoors-that-tick.html, November
[9]

Trend Micro Research, published on 29 Nov
[10]

Accessed: 2026-01-18. 2

2026
[11]

Alaska#2: Challenging academic research on steganal- ysis with realistic images

Rémi Cogranne, Quentin Giboulot, and Patrick Bas. Alaska#2: Challenging academic research on steganal- ysis with realistic images. In12th IEEE International Workshop on Information Forensics and Security, WIFS 2020, New York City, NY, USA, December 6-11, 2020, pages 1–5. IEEE, 2020. 3, 5

2020
[12]

Steganalysis with cnn and srm

Jean-François Couchot, Raphaël Couturier, and Michel Salomon. Steganalysis with cnn and srm. https://github.com/rcouturier/steganalysis_ with_CNN_and_SRM, 2016. 5

2016
[13]

Digital watermarking.Journal of Electronic Imaging, 11(3):414–414, 2002

Ingemar Cox, Matthew Miller, Jeffrey Bloom, and Chris Honsinger. Digital watermarking.Journal of Electronic Imaging, 11(3):414–414, 2002. 1, 2

2002
[14]

Steganography and steganalysis (in digital forensics): a cybersecurity 13 guide.Multim

Mukesh Dalal and Mamta Juneja. Steganography and steganalysis (in digital forensics): a cybersecurity 13 guide.Multim. Tools Appl., 80(4):5723–5771, 2021. 1, 2

2021
[15]

Fast and effective global covariance pooling network for image steganalysis

Xiaoqing Deng, Bolin Chen, Weiqi Luo, and Da Luo. Fast and effective global covariance pooling network for image steganalysis. InProceedings of the ACM Workshop on Information Hiding and Multimedia Se- curity, IH&MMSec 2019, Paris, France, July 3-5, 2019, pages 230–234. ACM, 2019. 3, 5

2019
[16]

Deepmih: Deep invertible network for multiple image hiding

Zhenyu Guan, Junpeng Jing, Xin Deng, Mai Xu, Lai Jiang, Zhou Zhang, and Yipeng Li. Deepmih: Deep invertible network for multiple image hiding. IEEE Trans. Pattern Anal. Mach. Intell., 45(1):372– 390, 2023. 2, 3, 5

2023
[17]

Steganography: the art of hiding informa- tion in plain sight.IEEE potentials, 18(1):10–12, 1999

Tariq Jamil. Steganography: the art of hiding informa- tion in plain sight.IEEE potentials, 18(1):10–12, 1999. 1, 2

1999
[18]

Hinet: Deep image hiding by invert- ible network

Junpeng Jing, Xin Deng, Mai Xu, Jianyi Wang, and Zhenyu Guan. Hinet: Deep image hiding by invert- ible network. In2021 IEEE/CVF International Con- ference on Computer Vision, ICCV 2021, Montreal, QC, Canada, October 10-17, 2021, pages 4713–4722. IEEE, 2021. 3, 5

2021
[19]

Scarcruft continues to evolve, in- troduces bluetooth harvester.https://securelist

Kaspersky GReAT. Scarcruft continues to evolve, in- troduces bluetooth harvester.https://securelist. com/scarcruft-continues-to-evolve- introduces-bluetooth-harvester/90729/, May 2019. Securelist (Kaspersky), published on 13 May 2019. Accessed: 2026-01-18. 2

2019
[20]

Stegformer: Rebuilding the glory of autoencoder-based steganogra- phy

Xiao Ke, Huanqi Wu, and Wenzhong Guo. Stegformer: Rebuilding the glory of autoencoder-based steganogra- phy. InThirty-Eighth AAAI Conference on Artificial Intelligence, AAAI 2024, Thirty-Sixth Conference on Innovative Applications of Artificial Intelligence, IAAI 2024, Fourteenth Symposium on Educational Advances in Artificial Intelligence, EAAI 2014, Feb...

2024
[21]

Andrew D. Ker. The ultimate steganalysis bench- mark? In Deepa Kundur, Balakrishnan Prabhakaran, Jana Dittmann, and Jessica J. Fridrich, editors,Pro- ceedings of the 9th workshop on Multimedia & Secu- rity, MM&Sec 2007, Dallas, Texas, USA, September 20-21, 2007, pages 141–148. ACM, 2007. 3

2007
[22]

Sencar, and Nasir D

Mehdi Kharrazi, Husrev T. Sencar, and Nasir D. Memon. Benchmarking steganographic and steganal- ysis techniques. In Edward J. Delp III and Ping Wah Wong, editors,Security, Steganography, and Water- marking of Multimedia Contents VII, San Jose, Califor- nia, USA, January 17-20, 2005, Proceedings, volume 5681 ofProceedings of SPIE, pages 252–263. SPIE,

2005
[23]

The hateful memes challenge: Detecting hate speech in multimodal memes

Douwe Kiela, Hamed Firooz, Aravind Mohan, Vedanuj Goswami, Amanpreet Singh, Pratik Ringshia, and Davide Testuggine. The hateful memes challenge: Detecting hate speech in multimodal memes. In Hugo Larochelle, Marc’Aurelio Ranzato, Raia Hadsell, Maria-Florina Balcan, and Hsuan-Tien Lin, editors,Ad- vances in Neural Information Processing Systems 33: Annual ...

2020
[24]

Weinberger

Varsha Kishore, Xiangyu Chen, Yan Wang, Boyi Li, and Kilian Q. Weinberger. Fixed neural network steganography: Train the images, not the network. In The Tenth International Conference on Learning Rep- resentations, ICLR 2022, Virtual Event, April 25-29,

2022
[25]

OpenReview.net, 2022. 3, 5

2022
[26]

Image steganography approaches and their detection strategies: A survey.ACM Comput

Meike Kombrink, Zeno Jean Marius Hubert Geradts, and Marcel Worring. Image steganography approaches and their detection strategies: A survey.ACM Comput. Surv., 57(2):33:1–33:40, 2025. 1, 2, 3, 4

2025
[27]

Odysseus: Jailbreaking commercial multimodal llm-integrated systems via dual steganogra- phy

Songze Li, Jiameng Cheng, Yiming Li, Xiaojun Jia, and Dacheng Tao. Odysseus: Jailbreaking commercial multimodal llm-integrated systems via dual steganogra- phy. InNetwork and Distributed System Security Sym- posium, 2026. 1, 2, 4, 5

2026
[28]

Clpstnet: A progressive multi-scale convolutional steganography model integrating curriculum learning

Fengchun Liu, Tong Zhang, and Chunying Zhang. Clpstnet: A progressive multi-scale convolutional steganography model integrating curriculum learning. arXiv preprint arXiv:2504.16364, 2025. 5

work page arXiv 2025
[29]

Mm-safetybench: A benchmark for safety evaluation of multimodal large language models

Xin Liu, Yichen Zhu, Jindong Gu, Yunshi Lan, Chao Yang, and Yu Qiao. Mm-safetybench: A benchmark for safety evaluation of multimodal large language models. InComputer Vision - ECCV 2024 - 18th European Con- ference, Milan, Italy, September 29-October 4, 2024, Proceedings, Part LVI, volume 15114 ofLecture Notes in Computer Science, pages 386–403. Springer, 2024. 9

2024
[30]

The many colors of multimedia security.Communications of the ACM, 47(12):25–29,

Rebecca T Mercuri. The many colors of multimedia security.Communications of the ACM, 47(12):25–29,
[31]

Facebook.https://www

Meta Platforms, Inc. Facebook.https://www. facebook.com/, 2026. 12

2026
[32]

Instagram.https://www

Meta Platforms, Inc. Instagram.https://www. instagram.com/, 2026. 12

2026
[33]

Steganography tech- nique based on dct coefficients.International Journal of Engineering Research and Applications, 2(1):713– 717, 2012

Hardik Patel and Preeti Dave. Steganography tech- nique based on dct coefficients.International Journal of Engineering Research and Applications, 2(1):713– 717, 2012. 1

2012
[34]

Fridrich

Tomás Pevný and Jessica J. Fridrich. Benchmarking for steganography. In Kaushal Solanki, Kenneth Sullivan, and Upamanyu Madhow, editors,Information Hiding, 10th International Workshop, IH 2008, Santa Barbara, CA, USA, May 19-21, 2008, Revised Selected Papers, volume 5284 ofLecture Notes in Computer Science, pages 251–267. Springer, 2008. 3

2008
[35]

A strongreject for empty jailbreaks

Alexandra Souly, Qingyuan Lu, Dillon Bowen, Tu Trinh, Elvis Hsieh, Sana Pandey, Pieter Abbeel, Justin Svegliato, Scott Emmons, Olivia Watkins, and 14 Sam Toyer. A strongreject for empty jailbreaks. InAd- vances in Neural Information Processing Systems 38: Annual Conference on Neural Information Processing Systems 2024, NeurIPS 2024, Vancouver, BC, Canada,...

2024
[36]

CALPA-NET: channel- pruning-assisted deep residual network for steganalysis of digital images.IEEE Trans

Shunquan Tan, Weilong Wu, Zilong Shao, Qiushi Li, Bin Li, and Jiwu Huang. CALPA-NET: channel- pruning-assisted deep residual network for steganalysis of digital images.IEEE Trans. Inf. Forensics Secur., 16:131–146, 2021. 3, 5

2021
[37]

Towards robust image steganography.IEEE Trans

Jinyuan Tao, Sheng Li, Xinpeng Zhang, and Zichi Wang. Towards robust image steganography.IEEE Trans. Circuits Syst. Video Technol., 29(2):594–600,
[38]

Indictment: United states of america v

United States District Court for the North- ern District of New York. Indictment: United states of america v. zheng xiaoqing and zhang zhaoxi.https://www.justice.gov/d9/press- releases/attachments/2019/04/23/zheng_et_ al_indictment_0.pdf, April 2019. Criminal No. 1:19-cr-00156-MAD, Document 25, filed 18 Apr 2019. Accessed: 2026-01-18. 2

2019
[39]

Image hiding by optimal LSB substitution and genetic algo- rithm.Pattern Recognit., 34(3):671–683, 2001

Ran-Zan Wang, Chi-Fang Lin, and Ja-Chen Lin. Image hiding by optimal LSB substitution and genetic algo- rithm.Pattern Recognit., 34(3):671–683, 2001. 1

2001
[40]

F5-A steganographic algorithm

Andreas Westfeld. F5-A steganographic algorithm. In Ira S. Moskowitz, editor,Information Hiding, 4th International Workshop, IHW 2001, Pittsburgh, PA, USA, April 25-27, 2001, Proceedings, volume 2137 of Lecture Notes in Computer Science, pages 289–302. Springer, 2001. 1

2001
[41]

A LSB substitution oriented image hiding strategy us- ing genetic algorithms

Ming-Ni Wu, Min-Hui Lin, and Chin-Chen Chang. A LSB substitution oriented image hiding strategy us- ing genetic algorithms. In Chi-Hung Chi and Kwok- Yan Lam, editors,Content Computing, Advanced Work- shop on Content Computing, AWCC 2004, ZhenJiang, JiangSu, China, November 15-17, 2004, Proceedings, volume 3309 ofLecture Notes in Computer Science, pages 2...

2004
[42]

X.https://x.com/, 2026

X Corp. X.https://x.com/, 2026. 12

2026
[43]

Structural design of convolutional neural networks for steganalysis.IEEE Signal Process

Guanshuo Xu, Han-Zhou Wu, and Yun-Qing Shi. Structural design of convolutional neural networks for steganalysis.IEEE Signal Process. Lett., 23(5):708– 712, 2016. 3, 5

2016
[44]

PRIS: practical robust invertible network for image steganography.Eng

Hang Yang, Yitian Xu, Xuhua Liu, and Xiaodong Ma. PRIS: practical robust invertible network for image steganography.Eng. Appl. Artif. Intell., 133:108419,
[45]

Robust message embedding via attention flow- based steganography

Huayuan Ye, Shenzhuo Zhang, Shiqi Jiang, Jing Liao, Shuhang Gu, Dejun Zheng, Changbo Wang, and Chen- hui Li. Robust message embedding via attention flow- based steganography. InIEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2025, Nashville, TN, USA, June 11-15, 2025, pages 12840– 12849. Computer Vision Foundation / IEEE, 2025. 3

2025
[46]

Deep learning hier- archical representations for image steganalysis.IEEE Transactions on Information Forensics and Security, 12(11):2545–2557, 2017

Jian Ye, Jiangqun Ni, and Yang Yi. Deep learning hier- archical representations for image steganalysis.IEEE Transactions on Information Forensics and Security, 12(11):2545–2557, 2017. 3, 5

2017
[47]

Yedroudj-net: An efficient cnn for spatial ste- ganalysis

Mehdi Yedroudj, Frédéric Comby, and Marc Chau- mont. Yedroudj-net: An efficient cnn for spatial ste- ganalysis. In2018 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), page 2092–2096. IEEE Press, 2018. 3, 5

2092
[48]

A siamese CNN for image steganalysis.IEEE Trans

Weike You, Hong Zhang, and Xianfeng Zhao. A siamese CNN for image steganalysis.IEEE Trans. Inf. Forensics Secur., 16:291–306, 2021. 3, 5

2021
[49]

Cross: Diffusion model makes controllable, robust and secure image steganography

Jiwen Yu, Xuanyu Zhang, Youmin Xu, and Jian Zhang. Cross: Diffusion model makes controllable, robust and secure image steganography. InAdvances in Neural Information Processing Systems 36: Annual Confer- ence on Neural Information Processing Systems 2023, NeurIPS 2023, New Orleans, LA, USA, December 10 - 16, 2023, 2023. 2, 3, 5

2023
[50]

Malicious memes that commu- nicate with malware.https://www.trendmicro

Aliakbar Zahravi. Malicious memes that commu- nicate with malware.https://www.trendmicro. com/en_us/research/18/l/cybercriminals- use-malicious-memes-that-communicate-with- malware.html, December 2018. Trend Micro Research, published on 14 Dec 2018. Accessed: 2026-01-18. 1, 2

2018
[51]

UDH: universal deep hiding for steganography, watermarking, and light field mes- saging

Chaoning Zhang, Philipp Benz, Adil Karjauv, Geng Sun, and In So Kweon. UDH: universal deep hiding for steganography, watermarking, and light field mes- saging. InAdvances in Neural Information Processing Systems 33: Annual Conference on Neural Information Processing Systems 2020, NeurIPS 2020, December 6- 12, 2020, virtual, 2020. 3, 5

2020
[52]

Steganogan: High capacity image steganography with gans,

Kevin Alex Zhang, Alfredo Cuesta-Infante, Lei Xu, and Kalyan Veeramachaneni. Steganogan: High capacity image steganography with gans.CoRR, abs/1901.03892, 2019. 3, 5

work page arXiv 1901
[53]

Depth-wise separable convolutions and multi-level pooling for an efficient spatial cnn-based steganalysis

Ru Zhang, Feng Zhu, Jianyi Liu, and Gongshen Liu. Depth-wise separable convolutions and multi-level pooling for an efficient spatial cnn-based steganalysis. IEEE Trans. Inf. Forensics Secur., 15:1138–1150, 2020. 3, 5

2020
[54]

Hidden: Hiding data with deep networks

Jiren Zhu, Russell Kaplan, Justin Johnson, and Li Fei- Fei. Hidden: Hiding data with deep networks. In Vitto- rio Ferrari, Martial Hebert, Cristian Sminchisescu, and Yair Weiss, editors,Computer Vision - ECCV 2018 - 15th European Conference, Munich, Germany, Septem- ber 8-14, 2018, Proceedings, Part XV, volume 11219 ofLecture Notes in Computer Science, pa...

2018
[55]

Universal and Transferable Adversarial Attacks on Aligned Language Models

Andy Zou, Zifan Wang, J. Zico Kolter, and Matt Fredrikson. Universal and transferable adversar- ial attacks on aligned language models.CoRR, abs/2307.15043, 2023. 5 15 A Ethical Considerations We organize our ethical analysis by examining the implica- tions for stakeholders across three stages: data management during the research process, limited online p...

work page internal anchor Pith review arXiv 2023