Steganography in animated emoji using self-reference

Animated emoji is a kind of GIF image, which is widely used in online social networks (OSN) for its efficiency in transmitting vivid and personalized information. Aiming at realizing covert communication in animated emoji, this paper proposes an improved steganography framework in animated emoji. We propose a self-reference algorithm to improve the steganography security. Meanwhile, the relations between adjacent frames of the cover GIF image are considered to further improve the distortion function. After that we embed the secret message into the GIF image using the popular framework of Syndrome Trellis Coding (STC). Experimental results show that the proposed method can provide better security performances than state-of-the-art works.


Introduction
Different from the image formats like JPEG or TIFF, the GIF (Graphics Interchange Format) image is composed of a color palette and a set of index values. For its prevalence in social network applications, it is quite suitable for covert communication by hiding secret data into GIF images. GIF images can be divided into two categories, namely, the static GIF images and the dynamic GIF images. The dynamic is more popular in online social networks (OSN). Animated GIF is a type of dynamic GIF, it is often used to enrich people's social expressions and emotional performance. The most popular GIF is the animated emoji, which is now widely used in OSN like WeChat, Twitter, and Weibo.
Steganography is a method of embedding secret messages into digital covers without introducing serious distortion [1]. In the early times, there were many steganography methods, such as LSB (Least Significant Bits) replacement, F5 [2], etc. LSB replacement is the simplest steganography method [3]. By modifying the least significant binary of pixel to store information, the human eye cannot perceive the changes. F5 uses matrix embedding to hide secret messages into the JPEG images. However, these methods are fragile against modern steganography analysis. Recently, the Syndrome Trellis Coding (STC) framework is popular for steganography [4], which tries to minimize the additive distortion between the cover and the stego using a predefined distortion function. Generally, the distortion function assigns different distortion costs to different elements of cover. For the spatial images, HILL (High-pass, Low-pass, and Lowpass) [5], WOW (Wavelet Obtained Weights) [6], and SUNI-WARD (Spatial UNIversal Wavelet Relative Distortion) [7,8] are widely proposed. Meanwhile, JUNIWARD (JPEG UNIversal WAvelet Relative Distortion) [7,8], UED (UNIversal WAvelet Relative Distortion) [9], UERD (Uniform Embedding Revisited Distortion) [10] and HDS (Hybrid Distortion Steganography) [11] are widely used for JPEG images, in which the coefficients of the transfer domain are modified according to the distortion costs. Besides, adaptive methods are proposed to guide the modification direction of the coefficients, which can often improve the security of the modified image [12][13][14][15].
As an adversary, steganalysis is used to break steganography, which analyzes the features of an image to determine whether it contains secret messages [16]. The rapid development of steganalysis has brought a great challenge to steganography. Generally, the steganalysis is a kind of classifier that learns the differences of the features between the cover and the stego [17]. The security of a steganography method can be evaluated by observing the accuracy of the classifier. There are many feature extraction methods, e.g., SPAM (subtractive pixel adjacency model) [18], SRM (Spatial Rich Model) [19], DCTR (Discrete Cosine Transform Residual) [20], and GFR (Gabor Filters Residual) [21].
As the GIF images are widely used, researchers are paying more attention to GIF steganography. In [22], the first steganography algorithm is proposed for indexed images such as static GIF. The scheme searches for the closest color in the palette to reduce the distortion caused by data hiding. In [23], adaptive strategies are proposed to determine which pixels should be modified to embed data. To the best of our knowledge, the first method of embedding data into dynamic GIF images is proposed in [24]. Subsequently, more steganography approaches for animated GIF are proposed [25][26][27][28]. In [28], the researchers propose a framework to embed data into animated GIF using the difference between adjacent pixels in the same frame. In [29], a method is proposed to hide data into the animated emoji GIF using the STC framework, in which the distortion functions are improved to achieve better security.
In this paper, we propose a steganography scheme in animated emoji using self-reference, in which we integrate the data embedding impacts for the intra frames and the inter frames. We also provide an algorithm of generating a reference image for guiding the data embedding. With these algorithms, we can achieve a better performance of countering steganalysis. The rest of this paper is organized as follows. We introduce the backgrounds of GIF steganography in Section II. The proposed framework is described in Section III. Section IV shows the experimental results and analysis. Section V concludes the whole paper.

Preliminaries
Let there be K frames in an emoji GIF image. Each frame is a color index matrix I with the size of M × N . The image contains a color palette, in which a limited amount of colors are represented, e.g., 256 colors for an 8-bit palette.
The pixels are represented by I ij , where i ∈ {1, 2, … , M} and j ∈ {1, 2, … , N} . The value of each pixel is represented by an index l defined in the palette C l , where l ∈ {0, 1, 2, … , 255} . Accordingly, an RGB value ( R ij , G ij , B ij ) can be constructed from the index I ij . Figure 1 illustrates the composition of an emoji GIF image.
We denote the cover and the stego images as X and Y, respectively. The pixels are represented by X ij and Y ij . After embedding data into any pixel X ij in X, we obtain the pixel Y ij and the stego Y. The modification is either binary or ternary. In ternary embedding, each pixel in the stego is To minimize the change of RGB values caused by data modification, the method in [29] proposes a palette sorting algorithm. First, it calculates the square sum of the pixel values of the RGB channels corresponding to the l-th index value in the palette C l .
After ascendingly sorting the obtained values, we obtain a sorted palette C ′ l . Based on the new palette, we can regenerate a new index matrix I ′ k , where k represent the k-th frame. Let the embedding costs of ternary embedding be + ij , ij and − ij , respectively, where ij = 0, + ij ∈ (0, +∞) , − ij ∈ (0, +∞) . The generated additive distortion function D( , ) is the sum of the embedding costs of all pixels.
To embed a secret message into cover X, the framework of Syndrome Trellis Coding (STC) requires a modification probability p ij for each pixel. According to [32], the modification probability p ij and embedding cost ij can be calculated by (3).
In (3), when the embedding is binary, |I|= 2; and when it is ternary, |I|= 3. Because the embedding cost ij is known, p ij can be placed in (4) to obtain the parameter λ, where the m is the amount of secrete data to be embedded by the data-hider.

Proposed framework
The proposed scheme is depicted in Fig. 2. First, after the sort the palette, we decompose the animated GIF into several frames. For each frame, we retrieve the RGB values of every pixel according to the GIF color palette and convert each fame I ′ k into a color image F k , where k is the frame index. Then, we construct a reference frame F k for each frame. With F k we optimize the embedding costs. We further improve the inter-frame distortion using the previous frame as a reference. After embedding data into each frame, we obtain a stego GIF.
A. Improved bipolar embedding.
Since GIF is a compressed format, it can be regarded as a 256-color image compressed from a true-color image. Therefore, we can use the original content of the image before GIF compression to improve Bipolar Embedding. We convert the GIF fames into the color images F = F 1 , … , F K according to the palette, where K is the number of frames. For each frame, every pixel B = (R ij , G ij , B ij ) has a corresponding pixel A = R ij ,Ĝ ij ,B ij at the same location before GIF compression. It is equivalent to shift the RGB value from point A to point B. Vector AB stands for the distortion during compression.
When we embed secret messages into I ij , the pixels are either added or subtracted by one. In (5), a refers to the Hamming distance between A and B. We also use as the corresponding pixel at the same location after embedding. In (6) and (7), the Hamming distances caused by + 1 and − 1 operation are defined as b + and b − , respectively. Subsequently, we define the modification angle between a and b + or b − as + or − in (8) and (9). The operator |⋅| stands for the module of vector.  Figure 3 illustrates the cases that the modification angles are acute or obtuse, respectively. Vector AB stands for the distortion during compression and vector BC stands for the distortion caused by data embedding.
In Fig. 3a, when between the two vectors AB and BC is acute, the compression direction is the same as the embedding direction. In the other words, the extra error would be the embedding error "plus" the compression error. In Fig. 3b, when is an obtuse angle, the compression direction and embedding direction are the opposite. Then, the extra error would be the embedding error "minus" the compression error. We denote the extra error AC in Fig. 3 as c + and c − , in (10).   In summary, when + ∈ (0, ∕2) or − ∈ (0, ∕2) , |c + | or |c − | is larger than each element in |a|, | | b + | | , |b − | . When + ∈ ( ∕2, ) or − ∈ ( ∕2, ) , c + or c − is smaller than anyone in |a|, | | b + | | , |b − | . Therefore, when + or − is obtuse, |c| would be smaller. Therefore, we prefer the pixel modification when the angle + or − be obtuse, and restrict data embedding when + or − is acute.
This algorithm reduces the extra error caused by embedding modification and makes the compressed image closer to the original image. Thus, it can improve the security of steganography effectively.
B. Reference construction.
According to the aforementioned analysis, if a data-hider have the original content of the image before GIF compression, a better performance of a security can be achieved by modifying the pixel values toward the original values. However, in most cases, the data hider does not have the original content of the images before compression. Therefore, we use an algorithm to construct a reference image for each frame.
To achieve a satisfactory performance, the constructed reference images should be close to the original image before GIF compression. Inspired by [30], we can treat the image compression as a procedure of adding noise into the original content. To remove this kind of noise, we propose to use the DnCNN model proposed in [31] to construct a reference image. This model has been proved to be useful in many denoising tasks. Different from the existing denoising methods that are defined for additive white Gaussian noise at a certain noise level, the DnCNN model is able to handle Gaussian denoising with the unknown noise level. Besides, this model is able to handle multiple general image denoising tasks, such as Gaussian denoising, single image superresolution, and JPEG image deblocking.
Denote the luminance of the original image as Y Ori and the GIF-compressed image as Y Comp . As shown in Fig. 4, the residual image is the difference between the original image and compressed image in the luminance channel. We denote Y Res as the residual image, where Y Ori = Y Comp − Y Res . In other words, the residual image can be regarded as a kind of image noise. With a residual learning strategy, the residual image can be estimated [31]. DnCNN is trained on the luminance channel because human perception is more sensitive to changes in brightness than changes in chrominance.
In Fig. 5, an animated emoji is decomposed into several frames, then the GIF-compressed images are converted from RGB space to the YCbCr space. The DnCNN network is trained to detect the residual images from the luminance of the color frames. Three different colors represent three types of layers. For the first layer, marked in yellow, 64 filters are used to generate 64 feature maps. ReLU is nonlinearity activation function. For layers 2∼(D − 1), marked in blue, 64 filters sized 3 × 3 × 64 are used. The batch normalization is added between convolution and ReLU. It is incorporated to speed up training as well as boost the denoising performance. The orange layer is the last layer, in which filters sized 3 × 3 × 64 are used to reconstruct the output. D is the depth of DnCNN. For an image denoising task, the depth of network (the number of convolution layers) is generally specified as 20.
With the model of DnCNN, we can reconstruct an undistorted version of a compressed frame by subtracting the Fig. 4 The generation of residual image compressed luminance channel from a residual image, and then converts the image back to the RGB color space.
We denote the k-th RGB frame of GIF as F k , which is constructed from I ′ k and C ′ l . Let the reference frame be F k . YF k and Y F k are the luminance channel of F k and F k . The reference frame YF k can be calculated by (11) where Dn_CNN(⋅) represents the DnCNN denoising network. Concatenate the denoised luminance channel YF k with the original chrominance channels to obtain the denoised image in the YCbCr space. We further convert the YCbCr image to RGB to generate the reference image F k . The reference image F k is close to the original image F k .
Let + ij and − ij be the embedding cost for + 1 and − 1 in the i n t r a -f r a m e e m b e d d i n g , r e s p e c t i ve ly, w h e r e i ∈ {1, … , M}, j ∈ {1, … , N} . In many steganography methods based on STC, + ij is identical to − ij . In the proposed method, we improve the embedding cost function according to the RGB value ( R ij ,Ĝ ij ,B ij ) of the reference image F . We first initialize the original costs ij for the pixels in each frame using the traditional distortion functions like HILL [5], WOW [6] and UNIWARD [7,8]. For each pixel, we multiply the original cost ij by a factor α . There are two cases for the factor α when performing ± 1 operations, namely, + or − , which are depicted in (12) and (13). We adjust the distortion function in (14) and (15) by combining three optimization factors, in which wetCost represents a very large value, e.g., 10 8 in the experiments.
On the other hand, during data hiding, there would be differences between adjacent frames. Therefore, we must consider the impact of inter-frame embedding. For each frame F k , we use the previous frame F k−1 as reference. The RGB values ( R k−1 ij , G k−1 ij , B k−1 ij ) from F k−1 is used to guide the modification of the current frame. The procedures of inter-frame embedding are similar except that a is redefined in (16) and the cost for inter-frame embedding are redefined as (17) and (18). Unlike a defined in (5), a redefined in (16) represents the change of direction of RGB values at the same position of adjacent frames. Then we get + and − by applying (12) and (13), and update the distortion function as (17) and (18). Fig. 5 The architecture of residual image construction network Finally, we combine the cost in intra-frame and interframe embedding, and obtain the final distortion function in (19).

D. Payload allocation.
For most animated GIF, the patterns on the different frame are different. To improve data security of each frame, we adaptively allocate different payloads to the frames according to their characteristics. We adopt the algorithm proposed in [32] for the purpose, in which an m-bit secret message is embedded into n covers with a minimized distortion. The distortion is calculated in (20), and the optimization problem is defined in (21), In this paper, the optimization problem is defined as (22), where n is the sum of the number of all selected GIF frames, k is the embedding cost of the k-th frame, and p k is the embedding possibility of the k-th frame. After calculating the distortion function, we input the embedding costs and the payloads of all frames into the constraints in (22), and obtain the modification probability of each frame. The embedding payload of each frame can be calculated by (23)

Experimental results
To verify the proposed framework, we have conducted many experiments on the emoji GIF dataset provided by [29] that contains 560 animated GIFs. Several examples are shown in Table 1. These GIF images are in 8-bit palette format where each image contains 256 colors.
We use binary pseudo-random sequences as the hidden data, i.e., the possibilities for zero and one are identical. We use the popular HILL, UNIWARD and WOW as initial distortion functions. The reference images are generated by DnCNN. We name the proposed steganography based on the improved versions of HILL, UNIWARD and WOW as PD-HILL, PD-UNIWARD and PD-WOW, respectively.
The embedding tasks are done by the STC framework. The capacity of secret data embedded in each frame are set as 600, 700, 800, 900, 1000, and 1100 bits, respectively. Subsequently, we also use the payloads of 0.05bpp, 0.1bpp, 0.15bpp, 0.2bpp and 0.25bpp for further comparisons.
For steganalysis, we use the ensemble classifier and the feature sets of SPAM and SRMQ1. Half of the cover and stego are used for training and the others are for testing data. The minimal total error P E is used as the criterion to evaluate the performances of steganography. In (24), P FA is the false alarm rate and P MD is the missed detection rate. The average P E by 10 random tests is used to evaluate the performance [17].
When testing the security of intro-frame steganography, we convert every fame of GIF into a colorful image and transform them into gray images. SPAM or SRMQ1 are used to extract the features. When testing the security of inter-frame steganography, we calculate the difference between two frames, which is used for the subsequent steganalysis. Table 2 provides the embedding test for an emoji image with different payloads and algorithms. The original HILL method is not effective in embedding a large payload in GIF due to texture simplicity, as obvious pepper and salt noises can be found in the smooth areas. While embedding data using the method in [29], the pepper and salt noises appear on the edges of the image. With our method, there are no obvious noises in the edge and texture areas.
To show the effectiveness of the proposed framework, we use the same experiment setting as [29]. The proposed method PD-HILL, PD-WOW and PD-UNIWARD are used to embed the same amount of message into the same dataset. Table 3 show the testing errors of the PD-HILL, [29] and HILL against SPAM and SRMQ1. The results show that the proposed method has better visual quality as well as security.
We further apply larger embedding payloads, i.e., 0.05 bpp ~ 0.25 bpp. Many GIF images cannot accommodate large amounts of secret messages when using HILL. Therefore, we only compare our method with [29]. In Fig. 6, we use different initial distortion functions. The results show that the proposed method outperforms [29] in most cases.
Finally, we conduct the inter-frame security experiments, which are compared with [29]. We use ensemble classifier to calculate the P E between frames. Table 4 shows the interframe testing errors of the PD-HILL and [29]. It can be seen that the proposed method has achieved better performance.

Conclusions
In this paper, we propose an improved steganography method for animated emoji using self-reference. We first construct the reference images by DnCNN network. Guided by the reference images, we adaptively modify the pixels according to the Hamming distances in RGB color space after conducting + 1 and − 1 operations. We further use the current frame as a reference to improve the security of steganography between frames. Several typical loss functions such as HILL are used and the embedding is done by the STC framework. Experimental results show that the security performances of the proposed method outperform state-ofthe-art steganography method for animated emoji images.  Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creat iveco mmons .org/licen ses/by/4.0/.