浏览全部资源
扫码关注微信
Received:19 June 2025,
Revised:2025-09-01,
Accepted:11 September 2025,
Published:16 January 2026
移动端阅览
神经网络模型数量增长迅猛,以神经网络为代表的人工智能技术在很多应用领域取得巨大成功。与此同时,神经网络模型含有大量冗余信息,可为隐藏机密信息提供便利条件,因此可以借助神经网络模型传递机密信息。在此背景下,本文介绍以神经网络为载体的隐写技术。通过与相关技术进行对比,首先概述了神经网络模型隐写的研究意义、基础概念和评价指标;之后依据模型隐写的不同策略,从基于训练的模型隐写、基于修改的模型隐写、基于后门等技术的模型隐写3个不同的角度分别梳理了研究现状,阐述各类方法的核心机制与适用场景,以及分析了各类方法在实际应用中的优缺点。同时也对模型隐写分析的成果进行了分析和讨论,总结白盒和黑盒模型隐写分析技术,揭示当前模型隐写攻防态势。最后对模型隐写技术发展趋势进行了展望,指出大模型隐写、高隐蔽—大容量协同优化、端到端安全传输等未来方向。本文提供了一个关于模型隐写技术的全面视角,旨在展示其在信息安全领域的重要性和潜力。
In recent years, the number of neural network models has increased rapidly, and artificial intelligence technology represented by neural networks has achieved great success in many application fields. Neural network models inherently contain considerable redundant information. This redundancy creates favorable conditions for hiding confidential data. Therefore, neural network models can be used as covers for covert communication. This new paradigm is called neural network model steganography (model steganography). The steganographer chooses the location where confidential information is embedded in the model and uses a key to embed the confidential information into the model for transmission. The receiver uses the shared key to extract the confidential information in the location where it is embedded. Model steganography is used for covert communication without detection. In recent years, neural network model steganography technology has made great progress. In practice, it can be applied in some scenarios, such as military defense or secret communication between intelligence agencies, embedding confidential information in the model training process or hiding secret tasks in the model. In command distribution, the commander intends to send different commands to multiple officers, or multiple officers send different messages to the commander. Using model steganography allows transferring confidential information without being detected. Meanwhile, by modifying model parameters, malicious developers can embed malicious software into the benign model, resulting in the loss of model users. Using neural network backdoor technology to poison the target model enables performing different tasks defined by the attackers without the users’ knowledge. Technologies related to model steganography include model watermarking and multimedia steganography based on a neural network model. The model watermark takes the neural network as the protection object and embeds the digital watermark in the model to protect the intellectual property rights of the model owner. The watermark information embedded in the model can be extracted correctly without affecting the normal use of the cover model and without deliberately concealing the existence of the watermark information. In addition, the embedding capacity can accommodate the watermark information, so there is no need to pursue large capacity. Multimedia steganography based on a neural network model takes multimedia data as covers and the neural network model as a tool for information embedding and extraction and uses the neural network in each stage of embedding and extraction to embed confidential information in multimedia data. In terms of concealment, model steganography has unique advantages compared with its related technologies. The steganography of the model is naturally hidden. The model itself is a complex set of high-dimensional parameters, so a small number of parameter disturbances in the model are difficult to detect. Model steganography is usually achieved by modifying redundant parameters, which will not affect the function of the model. Regarding embedding capacity, model steganography has the potential of supercapacity compared with its related technologies. Model steganography can use parameter redundancy to embed data, and the neural network has a large number of parameters, so it can embed substantial information even if the minimum proportion parameters are modified. In accordance with the different strategies of model steganography, the existing methods can be divided into three categories: model steganography based on training, modification, and backdoor technology. Most of the results of model steganography are training-based model steganography. The main idea of training-based model steganography is to embed confidential information in the process of the training model. In the hidden layer of the model, the sender first selects the weight used to embed the confidential information and then embeds the confidential information into the model under the key function through the training model. In the output layer, the model output is required to be as similar as the confidential information as possible, and the model weight is constantly updated under the guidance of the confidential information. The basic idea of model steganography based on modification is to modify the model parameters to match the confidential information to achieve the purpose of embedding confidential information. Malicious payloads can be embedded without significantly affecting the model performance by replacing malware bytes or mapping model parameters to hide malware in the model. At the sending end, malicious developers choose to modify the location of model parameters to embed malicious software into the model. At the receiving end, they determine the location where the malicious software is embedded in the model parameters, extract the malicious software, check the integrity, and run the malicious software. Model steganography based on backdoor technology uses backdoor technology. Attackers bury backdoors in the model, making the infected model behave normally in general. However, when the backdoor trigger is activated, the output of the model will become the malicious target set by the attacker in advance. This method poisons the target model and can extract additional information from the output of the model. For the analysis method of model steganalysis, on the basis of whether the steganalyzer needs to master the internal details of the neural network model, current model steganalysis algorithms can be classified as white and black box model steganalysis. White box model steganalysis means that the analyst has knowledge and access rights to the internal structure and parameters of the model to detect and analyze the confidential information hidden in the model. Black box model steganalysis treats the target model as a “black box”, without accessing its internal structure and weight parameter details, to detect and analyze whether the model contains secret. To review the latest developments and trends, this study analyzes advanced methodologies in model steganography as follows: 1) it introduces the purpose and goal of model steganography, as well as its basic concepts, evaluation indicators, and technology classification. 2) The development status of model steganography is summarized and analyzed. 3) The advantages and disadvantages are compared and evaluated. 4) The development trend of model steganography is explored.
Chen H Y , Song L Q , Qian Z X , Zhang X P and Ma K D . 2022a . Hiding images in deep probabilistic models // Proceedings of the 36th Conference on Neural Information Processing Systems (NeurIPS 2022) . New Orleans, USA : Neural Information Processing Systems Foundation: 36776 - 36788
Chen H Z , Zhang W M , Liu K L , Chen K J , Fang H and Yu N H . 2022b . Speech pattern based black-box model watermarking for automatic speech recognition // Proceedings of 2022 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP) . Singapore, Singapore : IEEE: 3059 - 3063 [ DOI: 10.1109/ICASSP43922.2022.9747044 http://dx.doi.org/10.1109/ICASSP43922.2022.9747044 ]
Ding C H , Fu Z J , Yang Z L , Yu Q , Li D Q and Huang Y F . 2024a . Context-aware linguistic steganography model based on neural machine translation . IEEE/ACM Transactions on Audio, Speech, and Language Processing , 32 : 868 - 878 [ DOI: 10.1109/TASLP.2023.3340601 http://dx.doi.org/10.1109/TASLP.2023.3340601 ]
Ding C H , Fu Z J , Yu Q , Wang F and Chen X Y . 2024b . Joint linguistic steganography with Bert masked language model and graph attention network . IEEE Transactions on Cognitive and Developmental Systems , 16 ( 2 ): 772 - 781 [ DOI: 10.1109/TCDS.2023.3296413 http://dx.doi.org/10.1109/TCDS.2023.3296413 ]
Dong Y Y , Wei P , Wang R X , Song B B , Wei T C and Zhou W . 2024 . Hiding image with inception transformer . IET Image Processing , 18 ( 13 ): 3961 - 3975 [ DOI: 10.1049/ipr2.13225 http://dx.doi.org/10.1049/ipr2.13225 ]
Dzhanashia K and Evsutin O . 2024 . Neural networks-based data hiding in digital images: overview . Neurocomputing , 581 : # 127499 [ DOI: 10.1016/j.neucom.2024.127499 http://dx.doi.org/10.1016/j.neucom.2024.127499 ]
El-Den B M and Raslan W . 2025 . A reversible and robust hybrid image steganography framework using radon transform and integer lifting wavelet transform . Scientific Reports , 15 ( 1 ): # 15687 [ DOI: 10.1038/s41598-025-98539-2 http://dx.doi.org/10.1038/s41598-025-98539-2 ]
Gilkarov D and Dubin R . 2024 . Steganalysis of AI models LSB attacks . IEEE Transactions on Information Forensics and Security , 19 : 4767 - 4779 [ DOI: 10.1109/TIFS.2024.3383770 http://dx.doi.org/10.1109/TIFS.2024.3383770 ]
Guo C , Wu R H and Weinberger K Q . 2021 . On hiding neural networks inside neural networks [EB/OL]. [ 2024-11-24 ]. https://arxiv.org/pdf/2002.10078.pdf https://arxiv.org/pdf/2002.10078.pdf
Guo Y S , Qian Z X and Zhang X P . 2022 . Hiding function with neural networks // Proceedings of the 24th IEEE International Workshop on Multimedia Signal Processing (MMSP) . Shanghai, China : IEEE: 1 - 5 [ DOI: 10.1109/MMSP55362.2022.9949163 http://dx.doi.org/10.1109/MMSP55362.2022.9949163 ]
Hao Y L , Wang Z C , Cao J M and Zhang X P . 2025 . General steganography for neural network models based on graph convolutional network . IEEE Internet of Things Journal , 12 ( 9 ): 12512 - 12526 [ DOI: 10.1109/JIOT.2024.3520994 http://dx.doi.org/10.1109/JIOT.2024.3520994 ]
Hassan Y A and Rahma A M S . 2024 . Improving video watermarking through galois field GF (2 4 ) multiplication tables with diverse irreducible polynomials and adaptive techniques . CMC-Computers, Materials and Continua , 78 ( 1 ): 1423 - 1442 [ DOI: 10.32604/cmc.2023.046149 http://dx.doi.org/10.32604/cmc.2023.046149 ]
He X L , Xu Q K , Lyu L J , Wu F Z and Wang C G . 2022 . Protecting intellectual property of language generation APIs with lexical watermark // Proceedings of the 36th AAAI Conference on Artificial Intelligence (AAAI 2022) . Palo Alto, USA : AAAI Press: 10758 - 10766 [ DOI: 10.1609/aaai.v36i10.21321 http://dx.doi.org/10.1609/aaai.v36i10.21321 ]
Hitaj D , Pagnotta G , Hitaj B , Mancini L V and Perez-Cruz F . 2022 . MaleficNet: hiding malware into deep neural networks using spread-spectrum channel coding // Proceedings of the 27th European Symposium on Research in Computer Security (ESORICS) . Copenhagen, Denmark : Springer: 425 - 444 [ DOI: 10.1007/978-3-031-17143-7_21 http://dx.doi.org/10.1007/978-3-031-17143-7_21 ]
Hu X X , Li S , Ying Q C , Peng W L , Zhang X P and Qian Z X . 2024 . Establishing robust generative image steganography via popular stable diffusion . IEEE Transactions on Information Forensics and Security , 19 : 8094 - 8108 [ DOI: 10.1109/TIFS.2024.3444311 http://dx.doi.org/10.1109/TIFS.2024.3444311 ]
Huang D X , Luo W Q , Liu M L , Tang W X and Huang J W . 2024a . Steganography embedding cost learning with generative multi-adversarial network . IEEE Transactions on Information Forensics and Security , 19 : 15 - 29 [ DOI: 10.1109/TIFS.2023.3318939 http://dx.doi.org/10.1109/TIFS.2023.3318939 ]
Huang Y K , Liu Z X , Wu Q W and Liu X L . 2024b . Robust image steganography against JPEG compression based on DCT residual modulation . Signal Processing , 219 : # 109431 [ DOI: 10.1016/j.sigpro.2024.109431 http://dx.doi.org/10.1016/j.sigpro.2024.109431 ]
Kanimozhi R and Padmavathi V . 2025 . Robust and secure image steganography with recurrent neural network and fuzzy logic integration . Scientific Reports , 15 ( 1 ): # 13122 [ DOI: 10.1038/s41598-025-97795-6 http://dx.doi.org/10.1038/s41598-025-97795-6 ]
Li F Y , Sheng Y , Zhang X P and Qin C . 2024a . iSCMIS: spatial-channel attention based deep invertible network for multi-image steganography . IEEE Transactions on Multimedia , 26 : 3137 - 3152 [ DOI: 10.1109/TMM.2023.3307970 http://dx.doi.org/10.1109/TMM.2023.3307970 ]
Li G B , Li S , Li M L , Zhang X P and Qian Z X . 2023a . Steganography of steganographic networks // Proceedings of the 39th AAAI Conference on Artificial Intelligence (AAAI 2023) . Philadelphia, Pennsylvania, USA : Association for the Advancement of Artificial Intelligence (AAAI): 5178 - 5186 [ DOI: 10.1609/aaai.v37i4.25647 http://dx.doi.org/10.1609/aaai.v37i4.25647 ]
Li G B , Li S , Luo Z C , Qian Z X and Zhang X P . 2024b . Purified and unified steganographic network // Proceedings of 2024 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR) . Seattle, USA : IEEE Computer Society: 27559 - 27568 [ DOI: 10.1109/CVPR52733.2024.02603 http://dx.doi.org/10.1109/CVPR52733.2024.02603 ]
Li Y H , Zhang R , Liu J Y and Lei Q . 2024c . A semantic controllable long text steganography framework based on LLM prompt engineering and knowledge Graph . IEEE Signal Processing Letters , 31 : 2610 - 2614 [ DOI: 10.1109/LSP.2024.3456636 http://dx.doi.org/10.1109/LSP.2024.3456636 ]
Li Z H , Jiang X H , Dong Y , Meng L J and Sun T F . 2023b . An anti-steganalysis HEVC video steganography with high performance based on CNN and PU partition modes . IEEE Transactions on Dependable and Secure Computing , 20 ( 1 ): 606 - 619 [ DOI: 10.1109/TDSC.2022.3140899 http://dx.doi.org/10.1109/TDSC.2022.3140899 ]
Liu J D , Li Z H , Jiang X H and Zhang Z Z . 2022a . A high-performance CNN-applied HEVC steganography based on diamond-coded PU partition modes . IEEE Transactions on Multimedia , 24 : 2084 - 2097 [ DOI: 10.1109/TMM.2021.3075858 http://dx.doi.org/10.1109/TMM.2021.3075858 ]
Liu L S , Meng L Z , Wang X L and Peng Y J . 2022b . An image steganography scheme based on ResNet . Multimedia Tools and Applications , 81 ( 27 ): 39803 - 39820 [ DOI: 10.1007/s11042-022-13206-2 http://dx.doi.org/10.1007/s11042-022-13206-2 ]
Liu T , Liu Z H , Liu Q , Wen W J , Xu W Y and Li M . 2020 . STegoNeT: turn deep neural network into a stegomalware // Proceedings of the 36th Annual Computer Security Applications Conference (ACSAC) . Austin, USA : Association for Computing Machinery (ACM): 928 - 938 [ DOI: 10.1145/3427228.3427268 http://dx.doi.org/10.1145/3427228.3427268 ]
Luo H X , Li L and Li J C . 2025 . Digital watermarking technology for AI-generated images: a survey . Mathematics , 13 ( 4 ): # 651 [ DOI: 10.3390/math13040651 http://dx.doi.org/10.3390/math13040651 ]
Ma B , Li K , Xu J , Wang C P , Li J and Zhang L W . 2024 . High-security image steganography with the combination of multiple competition and channel attention . Journal of Image and Graphics , 29 ( 2 ): 355 - 368
马宾 , 李坤 , 徐健 , 王春鹏 , 李健 , 张立伟 . 2024 . 联合多重对抗与通道注意力的高安全性图像隐写 . 中国图象图形学报 , 29 ( 2 ): 355 - 368 [ DOI: 10.11834/jig.230134 http://dx.doi.org/10.11834/jig.230134 ]
Meng L J , Jiang X H , Sun T F , Zhao Z Y and Xu Q . 2024 . A robust coverless video steganography based on the similarity of inter-frames . IEEE Transactions on Multimedia , 26 : 5996 - 6011 [ DOI: 10.1109/TMM.2023.3344357 http://dx.doi.org/10.1109/TMM.2023.3344357 ]
Öztürk E , Mesut A Ş and Fıdan Ö A . 2024 . A character based steganography using masked language modeling . IEEE Access , 12 : 14248 - 14259 [ DOI: 10.1109/ACCESS.2024.3354710 http://dx.doi.org/10.1109/ACCESS.2024.3354710 ]
Quan Y H , Teng H , Chen Y X and Ji H . 2021 . Watermarking deep neural networks in image processing . IEEE Transactions on Neural Networks and Learning Systems , 32 ( 5 ): 1852 - 1865 [ DOI: 10.1109/TNNLS.2020.2991378 http://dx.doi.org/10.1109/TNNLS.2020.2991378 ]
Salem A , Backes M and Zhang Y . 2021 . Get a model! model hijacking attack against machine learning models // Network and Distributed System Security Symposium . San Diego, USA : [s.n.]
Shibata R and Yamauchi Y . 2025 . End-to-end learning framework incorporating image reconstruction and recognition models . IEEE Access , 13 : 73355 - 73361 [ DOI: 10.1109/ACCESS.2025.3563476 http://dx.doi.org/10.1109/ACCESS.2025.3563476 ]
Song B B , Wei P , Wu S X , Lin Y and Zhou W . 2024 . A survey on deep-learning-based image steganography . Expert Systems with Applications , 254 : # 124390 [ DOI: 10.1016/j.eswa.2024.124390 http://dx.doi.org/10.1016/j.eswa.2024.124390 ]
Song C Z , Ristenpart T and Shmatikov V . 2017 . Machine learning models that remember too much // Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security (ACM CCS) . Dallas, USA : Association for Computing Machinery (ACM): 587 - 601 [ DOI: 10.1145/3133956.3134077 http://dx.doi.org/10.1145/3133956.3134077 ]
Tang X , Wang Z C and Zhang X P . 2023 . Steganalysis of neural networks based on symmetric histogram distribution . Symmetry (Basel) , 15 ( 5 ): # 1079 [ DOI: 10.3390/sym15051079 http://dx.doi.org/10.3390/sym15051079 ]
Wang H and Song L P . 2025 . Extended target tracking using neural network and Gaussian process . Electronics Letters , 61 ( 1 ): #e 70151 [ DOI: 10.1049/ell2.70151 http://dx.doi.org/10.1049/ell2.70151 ]
Wang K , Wu S W , Yin X L , Lu W , Luo X Y and Yang R . 2025 . Robust image watermarking with synchronization using template enhanced-extracted network . IEEE Transactions on Circuits and Systems for Video Technology , 35 ( 2 ): 1602 - 1614 [ DOI: 10.1109/TCSVT.2024.3474029 http://dx.doi.org/10.1109/TCSVT.2024.3474029 ]
Wang Z , Liu C G and Cui X . 2021a . EvilModel: hiding malware inside of neural network models // Proceedings of the 26th IEEE Symposium on Computers and Communications (ISCC 2021) . Athens, Greece : IEEE: 1 - 7 [ DOI: 10.1109/ISCC53001.2021.9631425 http://dx.doi.org/10.1109/ISCC53001.2021.9631425 ]
Wang Z , Liu C G , Cui X , Yin J and Wang X T . 2022a . EvilModel 2.0: bringing neural network models into malware attacks . Computers and Security , 120 : # 102807 [ DOI: 10.1016/j.cose.2022.102807 http://dx.doi.org/10.1016/j.cose.2022.102807 ]
Wang Z C , Feng G R , Wu H Z and Zhang X P . 2021b . Data hiding in neural networks for multiple receivers . IEEE Computational Intelligence Magazine , 16 ( 4 ): 70 - 84 [ DOI: 10.1109/MCI.2021.3108305 http://dx.doi.org/10.1109/MCI.2021.3108305 ]
Wang Z C , Feng G R and Zhang X P . 2022b . Repeatable data hiding: towards the reusability of digital images . IEEE Transactions on Circuits and Systems for Video Technology , 32 ( 1 ): 135 - 146 [ DOI: 10.1109/TCSVT.2021.3057599 http://dx.doi.org/10.1109/TCSVT.2021.3057599 ]
Wu D Q and Zhu C . 2025 . Interactive memory networks based on syntactic dependencies for aspect-level sentiment classification . The Journal of Supercomputing , 81 ( 1 ): # 189 [ DOI: 10.1007/s11227-024-06594-9 http://dx.doi.org/10.1007/s11227-024-06594-9 ]
Wu H Z , Li C , Liu G and Zhang X P . 2023 . Hiding data hiding . Pattern Recognition Letters , 165 : 122 - 127 [ DOI: 10.1016/j.patrec.2022.12.008 http://dx.doi.org/10.1016/j.patrec.2022.12.008 ]
Wu H Z , Liu G , Yao Y W and Zhang X P . 2021 . Watermarking neural networks with watermarked images . IEEE Transactions on Circuits and Systems for Video Technology , 31 ( 7 ): 2591 - 2601 [ DOI: 10.1109/TCSVT.2020.3030671 http://dx.doi.org/10.1109/TCSVT.2020.3030671 ]
Wu H Z , Zhang J , Li Y , Yin Z X , Zhang X P , Tian H , et al . 2023b . Overview of artificial intelligence model watermarking . Journal of Image and Graphics , 28 ( 6 ): 1792 - 1810
吴汉舟 , 张杰 , 李越 , 殷赵霞 , 张新鹏 , 田晖 , 等 . 2023 . 人工智能模型水印研究进展. 中国图象图形学报 , 28 ( 6 ): 1792 - 1810 [ DOI: 10.11834/jig.230010 http://dx.doi.org/10.11834/jig.230010 ]
Xie Y F and Wang Z C . 2024 . Neural network steganography using extractor matching // Proceedings of the 22nd International Workshop on Digital-Forensics and Watermarking (IWDW 2023) . Jinan, China : Springer: 169 - 179 [ DOI: 10.1007/978-981-97-2585-4_12 http://dx.doi.org/10.1007/978-981-97-2585-4_12 ]
Yan H , Liu Y L , Jin L W and Bai X . 2023 . The development, application, and future of LLM similar to ChatGPT . Journal of Image and Graphics , 28 ( 9 ): 2749 - 2762
严昊 , 刘禹良 , 金连文 , 白翔 . 2023 . 类ChatGPT大模型发展、应用和前景 . 中国图象图形学报 , 28 ( 9 ): 2749 - 2762 [ DOI: 10.11834/jig.230536 http://dx.doi.org/10.11834/jig.230536 ]
Yang Z Y , Wang Z C and Zhang X P . 2023 . A general steganographic framework for neural network models . Information Sciences , 643 : # 119250 [ DOI: 10.1016/j.ins.2023.119250 http://dx.doi.org/10.1016/j.ins.2023.119250 ]
Yang Z Y , Wang Z C , Zhang X P and Tang Z J . 2022 . Multi-source data hiding in neural networks // Proceedings of the 24th IEEE International Workshop on Multimedia Signal Processing (MMSP 2022) . Shanghai, China : IEEE: 1 - 6 [ DOI: 10.1109/MMSP55362.2022.9948867 http://dx.doi.org/10.1109/MMSP55362.2022.9948867 ]
Yanuar M R , Suryadi M T , Apriono C and Syawaludin M F . 2024 . Image-to-image steganography with josephus permutation and least significant bit (LSB) 3 - 3 - 2 embedding. Applied Sciences (Basel) , 14 ( 16 ): # 7119 [ DOI: 10.3390/app14167119 http://dx.doi.org/10.3390/app14167119 ]
Yin Y , Zhang W M , Yu N H and Chen K J . 2022 . Steganalysis of neural networks based on parameter statistical bias . Journal of University of Science and Technology of China , 52 ( 1 ): 1- 1 -1 - 12
尹奕 , 张卫明 , 俞能海 , 陈可江 . 2022 . 基于参数特征偏移的神经网络隐写检测方法 . 中国科学技术大学学报 , 52 ( 1 ): 1- 1 -1 - 12 [ DOI: 10.52396/JUSTC-2021-0197 http://dx.doi.org/10.52396/JUSTC-2021-0197 ]
Zhao N , Chen K J , Qin C , Yin Y , Zhang W M and Yu N H . 2023 . Calibration-based steganalysis for neural network steganography // Proceedings of the 11th ACM Workshop on Information Hiding and Multimedia Security (IH and MMSec) . Chicago, USA : Association for Computing Machinery: 91 - 96 [ DOI: 10.1145/3577163.3595100 http://dx.doi.org/10.1145/3577163.3595100 ]
相关作者
相关机构
京公网安备11010802024621
