2.1. Notation

In this article, the capital symbols stand for matrices, and i and j are used to index the elements of the matrices. The symbols C = (C_i,j),  S = (S_i,j) ∈ R^h×w represent the 8-bit grayscale cover image and its stego image of size h × w, respectively, where S_i,j ∈ {max(C_i,j − 1, 0), C_i,j, min(C_i,j + 1, 255)}. p = (p_i,j) denotes the embedding probability map. N = (n_i,j) stands for a random matrix with a uniform distribution ranging from 0 to 1. M = (m_i,j) stands for the modification map, where m_i,j ∈ {−1, 0, 1}.

2.2. Distortion Minimization Framework

2.3. SI JPEG Steganography

3.1. JS–GAN

The overall architecture of the proposed JS–GAN is shown in Figure 1. The solid line and dashed line denote the forward and backpropagation, respectively. It is mainly composed of four modules: a generator, an embedding simulator, an IDCT module, and a discriminator. The training steps are described in Algorithm 1.

For an input of a rounded DCT matrix C, the p_i, j ∈ [0, 1] denotes the corresponding embedding probability produced by the adversarially trained generator. Since the probabilities of increasing or decreasing C_i,j are equal, we set $$ and the probability that C_i,j remains unchanged is $$^. We also feed the spatial cover image converted from the rounded DCT matrix into the generator to improve the performance of our method.

The embedding simulator is used to generate the corresponding modification map. The DCT matrix of the stego image is obtained by adding the modification map to the DCT matrix of the cover image. By applying the IDCT module [27], we can finally produce the spatial cover–stego image pair. The discriminator tries to distinguish the spatial stego images from the innocent cover images. Its classification error is regarded as the loss function to train the discriminator and generator using the gradient descent optimization algorithm.

To further improve the performance, the embedding costs from the same location of DCT blocks have been smoothed by a Gaussian filter as a postprocess [34]. The incorporation of this Gaussian filter will improve the security performance by about 1.5%. After designing the embedding cost, the STC encoder [1] has been applied to embed the specific secret messages to generate the actual stego image. Detailed descriptions of each module of JS–GAN will be given in the following sections.

3.1.1. Architecture of the Generator G

The main purpose of JS–GAN is to train a generator that can generate the embedding probability with the same size as the DCT matrix of the cover image, and the process step can be regarded as an image-to-image translation task. Based on the superior performance in image-to-image translation and high training efficiency, we use U-Net [26] as a reference structure to design our generator. The generator of JS–GAN contains a contracting path and an expansive path with 16 groups of layers. The contracting path is composed of eight operating groups: each group includes a convolutional (Conv) layer with Stride 2 for downsampling, a batch normalization (BN) layer, and a leaky rectified linear unit (Leaky-ReLU) activation function. The expansive path consists of the repeated application of the deconvolution layer, each time followed by a BN layer and ReLU activation function. After upsampling the feature map to the same size as the input, the final sigmoid activation function is added to restrict the output within the range of 0–1 in order to meet the requirements of being an embedding probability. To achieve pixel-level learning and facilitate the backpropagation, concatenations of feature maps are placed between each pair of mirrored Conv and deconvolution layers by using a skip connection process. The specific configuration of the generator is given in Figure 2.

3.1.3. Architecture of the Discriminator D

In [17], we used a DenseNet-based steganalyzer as the discriminator. Since the feature concatenation consumes more GPU memory and training time than the add process, we used a refined residual network–based J-XuNet [16] as the discriminator. The details of the discriminator are shown in Figure 3. Against the Gabor filter–based discriminator, a preprocessing layer that incorporates 16 Gabor high-pass filters is used to implement a Conv operation to the input image. Gabor high-pass filters can effectively enhance the steganographic signal and help subsequent neural networks extract steganographic features better. The Gabor filters are defined as follows:

$$ ()

where μ = xcosθ + ysinθ and v = xsinθ + ycosθ. σ is the standard deviation of the Gaussian factor and λ is the wavelength, σ = 0.56λ meanwhile σ = (0.75, 1). Directional coefficient θ = (0, π/4, 2π/4, 3π/4), phase offset ϕ = (0, π/2), and aspect ratio γ = 0.5.

After the preprocessing layer, a Conv block that consists of a truncated linear unit (TLU) [39] is used. The TLU limits the numerical range of the feature map to (-T, T) to prevent large values of input noise from influencing unduly the weight of the deep network, and we set T = 8. After that, five residual blocks are used to extract the features. The structure of each residual block is a sequence consisting of Conv layers, BN layers, and ReLU activation functions. Finally, after two Conv layers and a fully connected layer, the networks produce a classification probability from a softmax layer.

3.2. SI Estimation–Aided JPEG Steganography

In this part, we will introduce the CNN–based SI architecture and the strategy to asymmetrically adjust the embedding cost according to the estimated SI.

3.2.1. SI estimation

The architecture of the SI estimation is shown in Figure 4. It is composed of two steps: training the CNN–based precover estimation model, and calculating the SI using the trained model.

The training steps are shown in Figure 4(a). For a given spatial precover, the quantized and rounded DCT coefficients are calculated at first, and then the DCT coefficients are input to the CNN to obtain the estimated precover. The loss function of mean square error (MSE) and structural similarity index measure (SSIM) is used to reduce the difference between the estimated precover and the existing spatial precover.

$$ ()

$$ ()

$$ ()

where k is the batch size of the precover estimation network. L(x, y), C(x, y), and S(x, y) represent the brightness comparison, contrast comparison, and structural comparison respectively. The parameters l > 0, m > 0, n > 0 are used to adjust the importance of the three respective components. L(x, y), C(x, y), and S(x, y) are calculated by

$$ ()

$$ ()

$$ ()

where μ_x and μ_y are the average pixel values of image x and y, respectively; θ_x and θ_y are the standard deviations of Image x and Image y, respectively; and θ_xy is the covariance of Image x and Image y. C₁ ∼ C₃ are constants that can maintain stability when denominators are close to 0.

The calculation process of the SI is shown in Figure 4(b). After training the model of the precover estimation network, we can obtain the estimated precover from the input-rounded DCT coefficients and then calculate the nonrounded DCT coefficients. The difference between the rounded DCT coefficients and the DCT coefficients without the rounding operation is used as the SI. The details of the CNN–based precover estimation architecture are shown in Figure 5. It is composed of a series Conv layer, BN layer, and ReLU layer. All the Conv layers employ 5 × 5 kernels with Stride 1.

4.1. Experimental Setup

The experiments were conducted on SZUBase [23], BOSSBase V 1.01 [39], and BOWS2 [40], which contain grayscale images of size 512 × 512. All of the cover images were first resampled to size 256 × 256, and the corresponding quantified DCT matrix was obtained using JPEG transformation with a QF of 75. SZUBase, with 40,000 images, was used to train the JS–GAN and the CNN–based precover estimation model. In the training phase, all parameters of the generator and discriminator were first initialized from a Gaussian distribution. Then, we trained the JS–GAN using the Adam optimizer [32] with a learning rate of 0.0001. The batch size of the input-quantified DCT matrix of the cover image was set to 8.

After a certain number of training iterations, we used the generator and STC encoder [1] to produce the stego images from 20,000 cover images in BOSSBase and BOWS2 for evaluation. Four steganalyzers, including the conventional steganalyzers DCTR [7] and GFR [6], as well as the CNN–based steganalyzer J-XuNet [16] and SRNet [18], were used to evaluate the security performance of JS–GAN. To train the CNN–based steganalyzer, 10,000 cover–stego pairs in BOWS2 and 4000 pairs in BOSSBase were chosen. The other 6000 pairs in BOSSBase were divided into 1000 pairs as the validation set and 5000 pairs for testing. The training stage of JS–GAN was conducted in TensorFlow V 1.11 with an NVIDIA TITAN Xp GPU card.

4.2. The Content-Adaptive Learning of JS–GAN

We trained the JS–GAN for 60 epochs under the target payload of 0.5 bpnzAC and QF 75. The best model according to the attack results with GFR was selected. Then stegos with payloads of 0.1–0.5 bpnzAC were generated by using a STC encoder according to the cost calculated from the best model trained under 0.5 bpnzAC.

To verify the content-adaptivity of our method, we show the embedding probability map produced by the generator trained after different epochs in Figure 6. The embedding probability generated by J-UNIWARD [2] with the same payload is also given in Figure 6(b) for visual comparison. As shown in Figure 6, the 8 × 8 block property of the embedding probability has been automatically learned. The global adaptability (interblock) and the local adaptability (intrablock) have improved with an increase in the number of training epochs. After 50 training epochs, the block in the complex region has a large embedding probability, which verifies the global adaptability. Inside the 8 × 8 block, the larger probabilities are mostly located in the top left low-frequency region, which proves the local adaptability of JS–GAN. It can be also seen that the embedding probability generated by our GAN–based method has similar characteristics to those generated by J-UNIWARD.

4.3. Parameter Selection for Adjusting the Embedding Cost

We conducted experiments with ESI–aided version JS–GAN (JS–GAN [ESI]) with 0.4 bpnzAC and a QF of 75 to select the proper parameters for asymmetric embedding. The error rate P_E of the steganalyzers is used to quantify the security performance of our proposed framework. The error rate detected by GFR with an ensemble classifier is used to evaluate the performance. First, we investigate the impact of the sign of the ESI $$. Then, we set the amplitude parameter δ = 0 and observe the effect of the polarity parameter η in equation (26)

The effect of η is shown in Table 1, where η = 1 denotes the original JS–GAN, where the cost of +1 is equal to the cost −1. Experimental results show that the performance would be improved when η decreases. Thus, the performance can be improved by adjusting the cost asymmetrically according to the sign of the ESI. From Table 1, the detection error rate of JS–GAN (ESI) increases by 7.85% with η = 0.65 compared to the original JS–GAN.

After putting η = 0.65, we further investigated the influence of the parameter δ by using the polarity and the amplitude of the SI at the same time. It can be seen from Table 2 that setting δ = 0.05 will achieve better performance than other values; it also can improve the performance about 10% over setting δ = 0.5, which was used in [30]. The experimental results show that only a small amplitude can be used to improve the security performance. This is because amplitudes close to 0.5 are not precise. It can also be seen that setting δ = 0.05 will lead to an improvement by about 3.4% over δ = 0, and this shows that using the amplitude $$ properly can further improve the performance over using only the polarity of the SI. From Tables 1 and 2, we set η = 0.65 and δ = 0.05 for the final version JS–GAN (ESI).

4.4. Results and Analysis

We selected the classic steganographic algorithms UERD and J-UNIWARD to make a comparison with our proposed methods JS–GAN and JS–GAN (ESI). For a fair comparison, all steganographic algorithms used the STC encoder to embed the messages. Four different steganalyzers were used to evaluate the performance, including the conventional steganalyzers GFR and DCTR, as well as the CNN–based steganalyzers J-XuNet and SRNet.

The experimental results for JPEG-compressed images with QF 75 are shown in Table 3 and Figure 7. From Table 3, it can be seen that under the attack of the conventional steganalyzer GFR, our proposed architecture JS–GAN can obtain better security performance than the conventional methods UERD and J-UNIWARD. For example, under the attack of GFR with 0.4 bpnzAC, the JS–GAN can achieve a better performance by 2.51% and 2.58% than UERD and J-UNIWARD, respectively. Under the attack of the CNN–based steganalyzer SRNet with 0.4 bpnzAC, the proposed JS–GAN can increase the detection error rate by 3.29% and 0.44% over UERD and J-UNIWARD, respectively.

It can be seen from Table 3 that the security performance of JS–GAN can be further improved significantly by incorporating the proposed SI estimated method. With the payload 0.4 bpnzAC, the JS–GAN (ESI) can increase the detection error rate by 11.25% over JS–GAN against the conventional steganalyzer GFR, and it can also increase the detection error rate by 2.62% over JS–GAN to protect against the attack of the CNN–based steganalyzer SRNet. The main reason for the high level of security achieved is mainly because the embedding preserved the statistical characteristics of the precover.

Compared to the conventional methods UERD and J-UNIWARD, a significant improvement can be observed in UERD and J-UNIWARD, respectively. Under the detection of GFR with the payload 0.4 bpnzAC, the detection error of JS–GAN (ESI) is increased by 13.76% and 13.83% over that of UERD and J-UNIWARD, respectively. Under the detection of SRNet with the payload 0.4 bpnzAC, the detection error of JS–GAN (ESI) is also up by 5.91% and 3.06% over UERD and J-UNIWARD, respectively.

To verify the proposed method in the face of different compression QFs, we conducted the experiments for JPEG-compressed images with QFs 50 and 95. The parameters of the generator and discriminator with the QFs 50 and 95 were initialized from the trained best model using the QF 75. The experimental results are shown in Tables 4 and 5, respectively. From Table 4, JS–GAN (ESI) achieves significant improvement compared to the other three steganographic algorithms under the attack of different steganalyzers with different payloads, which proves that the proposed method can achieve better security performance. From Table 5, it can be seen that JS–GAN (ESI) can achieve comparable performance with other steganographic algorithms, and it can also be seen that the performance of JS–GAN (ESI) for higher QF needs to be further improved.