Adversarial Embedding: A Robust and Elusive Steganography and Watermarking Technique

We propose adversarial embedding, a new steganography and watermarking technique that hides secret information within images. The key idea is to repurpose adversarial attacks against deep image classifiers: the attacks embed an encoding of the message into the image, and the classifier's outputs are then used to extract it. The characteristic properties of adversarial attacks (imperceptible perturbations, non-transferability, resilience to tampering) provide guarantees on the confidentiality and integrity of the hidden messages. We empirically evaluate adversarial embedding using more than 100 models and 1,000 messages. Our results confirm that the embedding goes unnoticed by both humans and steganalysis methods, impedes illicit retrieval of the message (less than a 13% recovery rate even when the interceptor has some knowledge of our model), and is resilient to soft and, to some extent, aggressive image tampering (up to a 100% recovery rate under JPEG compression). We further extend our method with a new type of adversarial attack that increases its embedding density (the amount of hidden information) to up to 10 bits per pixel.
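The embed-via-attack, extract-via-classification idea described above can be sketched in a toy form. This is an illustrative sketch, not the paper's actual method: it assumes (hypothetically) that sender and receiver share a fixed linear "classifier" `W`, that the message is split into symbols with one symbol per cover block, and that a simple targeted signed-gradient attack is enough to force the desired prediction.

```python
import numpy as np

# Toy sketch of adversarial embedding (illustrative assumptions, not the
# paper's exact technique). Sender and receiver share the classifier W.
# Embedding: a targeted FGSM-style attack perturbs a cover block until W
# predicts the target class encoding the message symbol.
# Extraction: simply classify the received block.

rng = np.random.default_rng(0)
N_CLASSES, DIM = 16, 64                      # 16 classes -> 4 bits per block
W = rng.standard_normal((N_CLASSES, DIM))    # hypothetical shared classifier

def classify(x):
    """Receiver side: the predicted class IS the decoded symbol."""
    return int(np.argmax(W @ x))

def embed_symbol(cover, target, eps=2.0, step=0.05, iters=200):
    """Sender side: iterative signed-gradient steps toward `target`,
    projected onto an L-infinity budget `eps` around the cover."""
    x = cover.copy()
    grad_sign = np.sign(W[target])           # gradient of the target logit
    for _ in range(iters):
        if classify(x) == target:
            break
        x += step * grad_sign
        x = cover + np.clip(x - cover, -eps, eps)  # stay within the budget
    return x

message = [3, 14, 7, 0, 9]                   # symbols in [0, N_CLASSES)
covers = rng.standard_normal((len(message), DIM))
stegos = [embed_symbol(c, s) for c, s in zip(covers, message)]
decoded = [classify(s) for s in stegos]
print(decoded)                               # should match `message`
```

In the paper's setting the linear model would be replaced by a deep network and the perturbation budget kept small enough to be imperceptible; the sketch only shows why non-transferability helps confidentiality, since decoding requires the same model used for embedding.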