Research on Making Two Models Based on the Generative Linguistic Steganography for Securing Linguistic Steganographic Texts from Active Attacks

Abstract

Generative steganographic text covertly transmits hidden information through readable text that is unrelated to the message. Existing AI-based linguistic steganography primarily focuses on improving text quality to evade detection and therefore only addresses passive attacks. Active attacks, such as text tampering, can disrupt the symmetry between encoding and decoding, which in turn prevents accurate extraction of hidden information. To investigate these threats, we construct two attack models: the in-domain synonym substitution attack (ISSA) and the out-of-domain random tampering attack (ODRTA), with ODRTA further divided into continuous (CODRTA) and discontinuous (DODRTA) types. To enhance robustness, we propose a proactive adaptive-clustering defense against ISSA, and, for CODRTA and DODRTA, a post-hoc repair mechanism based on context-oriented search and the determinism of text generation. Experimental results demonstrate that these mechanisms effectively counter all attack types and significantly improve the integrity and usability of hidden information. The main limitation of our approach is the relatively high computational cost of defending against ISSA. Future work will focus on improving efficiency and expanding practical applicability.

1. Introduction

Steganography [1] enables the covert transmission of information by concealing the existence of a message. Traditionally, hidden information has been embedded within common covers such as text, images, and videos, thereby reducing perceptibility during transmission. Among these media, text has attracted significant attention due to its widespread use and ease of distribution. However, conventional text-based steganographic methods suffer from limited embedding capacity and insufficient imperceptibility [2], which limits their practical applicability.

With the rapid advancement of artificial intelligence (AI), neural text generation models can produce highly readable text by leveraging intrinsic associations in large-scale datasets. This capability has given rise to generative linguistic steganography, which encodes hidden information into fluent text that is unrelated to the original message. Compared with traditional approaches, generative methods can embed more information while maintaining better imperceptibility.

Despite these advantages, existing generative linguistic steganography primarily focuses on resisting passive attacks, such as manual audits and statistical steganalysis. Active attacks, particularly text tampering, pose a significant threat by modifying steganographic text and preventing accurate extraction of hidden information. Text tampering can take the form of synonym substitution, which replaces words with semantically similar alternatives, or random tampering, which introduces arbitrary changes without semantic constraints. However, conventional attack models are often ineffective against carefully crafted generative steganographic text, allowing the recipient to recover the hidden information.

This research addresses the vulnerability of generative linguistic steganography to active text tampering attacks. We redefine traditional tampering attacks to enhance their adversarial capability, resulting in the in-domain synonym substitution attack (ISSA) and the out-of-domain random tampering attack (ODRTA), with the latter further divided into continuous and discontinuous types. To defend against these attacks, we propose a proactive adaptive-clustering mechanism for ISSA and a post-hoc repair mechanism for ODRTA, leveraging context-oriented search and the determinism of text generation. These mechanisms aim to improve the integrity and usability of hidden information under active attacks.

The main contributions of this research are as follows:

• We remodel common text tampering attacks specifically for generative linguistic steganography.
• We classify tampering attacks into ISSA and ODRTA based on whether the tampered words exist within the candidate pool of the text generation model.
• We further categorize ODRTA into continuous and discontinuous types according to the continuity of the attack.
• We propose a proactive adaptive-clustering defense for ISSA and a post-hoc repair mechanism for ODRTA.
• We validate through experiments the idea that the proposed mechanisms effectively enhance the integrity and accessibility of hidden information.

Section 2 reviews related work on generative linguistic steganography. Section 3 introduces the two types of attack models. Section 4 details the proposed steganographic mechanisms. Section 5 presents experimental results and provides a comprehensive discussion. Section 6 illustrates examples of the proposed attack models and defense mechanisms in practice. Finally, Section 7 concludes the research.

2. Related Work

In the early days of generative linguistic steganography, limited computational power often necessitated reliance on statistical models or Markov chains for text generation. Specifically, these mechanisms used Markov chains to embed hidden information through state transitions and transition probabilities. However, Markov chain-based steganographic texts [3] struggled to embed large amounts of information and generally exhibited low quality, with poor perceptual and statistical imperceptibility. Huang et al. [4] attempted to improve text quality by using Song Ci as a textual template, but the template format constrained embedding capacity, limiting the practical utility of early mechanisms.

With advances in computational capabilities and artificial intelligence (AI), neural network-based text generation models have significantly improved the handling of long sequences. Consequently, generative linguistic steganography regained research focus, emphasizing higher embedding capacity and better quality, including both perceptual and statistical imperceptibility. Perceptual imperceptibility refers to evading human scrutiny, while statistical imperceptibility assesses alignment with the statistical distribution of large datasets.

Despite improvements, early neural models faced challenges in generating high-quality text, and embedding hidden information could further reduce quality. Huang et al. [5] addressed this by combining intra-word mutual information with recurrent neural networks to generate Chinese poetry containing hidden information. Building on this, Tong [6] used long short-term memory networks to generate Chinese lyrics with higher embedding capacity. Although quality improved, advancing steganalysis techniques necessitated further optimization to enhance resistance against detection.

Recent developments in natural language processing (NLP) and text generation allow new models [7,8,9,10,11] to generate texts with arbitrary semantic content. Compared with traditional neural network models, these new models improve steganographic text quality and are no longer constrained by fixed templates, enhancing practicality. Zachary et al. [12] introduced a semantically secure steganographic mechanism using state-of-the-art models and arithmetic coding, achieving near-optimal statistical security. Huang et al. [13] developed a long short-term memory-based model implementing two embedding algorithms: fixed-length binary tree mapping and variable-length Huffman coding. While Huffman coding offers slightly lower embedding capacity, it favors high-probability candidate words, improving imperceptibility. Dai et al. [14] further enhanced imperceptibility using patient Huffman coding based on statistical regularities of fluent texts [13,15].

Huang et al. [2] observed a tradeoff between perceptual and statistical imperceptibility and proposed a variational autoencoder (VAE) combined with Huffman coding to improve both. Zhou et al. [16] leveraged adaptive probability distributions and generative adversarial networks (GANs) [17] to strengthen imperceptibility and security. Reliable transmission also requires shared knowledge between communicators. Yi et al. [18] proposed a BERT-based mechanism with Gibbs sampling, but limited long-sequence performance restricted embedding capacity. Cao et al. [19] enhanced text generation using plug-and-play models with an embeddable candidate pool, while Yan et al. [20] introduced lightweight disambiguation to improve statistical imperceptibility. Ding et al. [21] combined neural machine translation with algorithmic coding to generate high-quality semantic steganographic text.

Further improvements include those of Li et al. [22], who leveraged prompt engineering and knowledge graphs with large language models for content consistency, and Yang et al. [23], who integrated modification-based and generation-based mechanisms to enhance embedding capacity and steganalysis resistance. Zhang et al. [24] proposed controllable steganography using summary generation, improving semantic consistency. Bai et al. [25] mapped hidden information into semantic spaces using ontology trees, enhancing robustness. Huang et al. [26] applied adaptive dynamic grouping to minimize statistical differences between steganographic and natural text. Christian et al. [27] demonstrated that maximal information throughput requires minimal entropy coupling in perfectly secure systems. Huang et al. [28] used rejection sampling for approximate perfect steganography, while Pang et al. [29] applied frequency-reform-based softmax to reduce statistical discrepancies. Ding et al. [30] utilized distribution replicas to achieve near-theoretical absolute security. Wu et al. [31] developed LLM Stega, embedding encrypted messages via large language model interfaces while maintaining semantic quality. Lin et al. [32] proposed a zero-shot contextual learning method to enhance concealability, and Sun et al. [33] introduced theme-controlled graph-to-text steganography for improved quality and concealability.

To increase embedding capacity, Xiang et al. [34] refined generation units from words to letters, while Omer et al. [35] developed a word-level Arabic poetry mechanism using LSTM networks and Baudot coding. These studies collectively improved embedding capacity.

Despite these advances, generative linguistic steganography mechanisms still show vulnerabilities against active attacks. Some defensive measures exist, primarily for cover-based steganography [36,37]. While strategies for generative steganography have been proposed [38], they often overlook the adversary’s perspective and oversimplify synonym substitution, weakening defense effectiveness against complex manipulations.

Table 1. Comparative summary of generative linguistic steganography approaches.

Development Stage	Method Category	Embedding Strategy	Main Focus/Feature	Advantages	Limitations	Reference
Early (2000–2005)	Statistical	State transitions	Basic generative steganography	Simple	Low capacity and quality	[3,4]
Neural networks (2010–2015)	Neural networks	Word level	Improve embedding	Higher capacity	Vulnerable	[5,6]
Advanced neural models (2020–2022)	LSTM/SOTA	Huffman	Enhance imperceptibility	High quality	Model complexity	[12,13,14,15]
Large language models (2022–2024)	Transformer/GAN/VAE	Variable embedding	Improve text quality	High quality	High cost	[2,16,17,18,19,20,21,22,23,24]
Public key and security focus	Public key/controllable	Cover text	Resist active attacks	Secure	Complex	[36,37,38]

summarizes the representative works and their key features.

3. Attack Model

Currently, generative linguistic steganography mechanisms follow a specific process. First, based on historical information (prompt), a candidate pool (CP) for the next position is constructed by a text generation model. Construction of the CP mainly relies on top-$k$ or top-$p$ sampling. Subsequently, an embedding algorithm, such as Huffman coding [2,13], arithmetic coding [21], or distributed copies [30], is employed to map hidden information to elements within the CP, thereby selecting the current output word. It is noteworthy that the CP’s dimensionality is typically much smaller than the text generation model’s vocabulary $\mathcal{V}$, which helps maintain good readability of the generated steganographic text.

Text tampering attacks involve replacing certain words in a text with other words. These attacks can be further categorized based on the similarity of the replacement words to the original words into two types: synonym substitution and non-synonym substitution. Among the latter, random tampering attacks can be considered a special case.

Based on the generative linguistic steganography process, we have redefined synonym substitution and random tampering attacks as in-domain synonym substitution attack (ISSA) and out-of-domain random tampering attack (ODRTA). Instead of depending on the similarity between tampered and original words, the distinction now relies on whether the tampered words are present in the current CP. When a tampered word exists in the CP, the attack is classified as ISSA and is considered stealthy. The other type is termed ODRTA, which will be further classified based on attack continuity in the following sections.

3.1. ISSA

To enhance the adversary’s ability beyond conventional synonym substitution attacks, we introduce the in-domain synonym substitution attack (ISSA).

We consider an active adversary who intercepts communication channels suspected of carrying steganographic texts. The adversary has full knowledge of the text generation model and the candidate pool construction strategy (e.g., top-$k$ or top-$p$ sampling) but cannot manipulate the generation system itself. Thus, the adversary is treated as a model-aware outsider rather than an insider. Since the adversary can access the same model and decoding strategy, the candidate pool at each step is reproducible.

Before launching an attack, the adversary may attempt to detect whether a message contains hidden information using human judgment or automated steganalysis (e.g., statistical tests or classifier-based methods). Once a text is identified as suspicious, the adversary selectively decides where to apply ISSA.

The adversary’s tampering strategy is not arbitrary. At each position $t$, the adversary inspects the candidate pool ${CP}^t$ constructed by the generation model. If no semantically related alternatives are found, the position is left unchanged. Otherwise, when a candidate $c_i^t\in {CP}^t$ is identified as a synonym of the original word $w_t$, the attacker replaces $w_t$ with $c_i^t$. This selective, condition-triggered attack ensures that tampering is both in-domain (restricted to ${CP}^t$) and semantically consistent (maintaining synonymy). Unlike ordinary synonym replacement methods, which indiscriminately substitute words regardless of context or model constraints, this design significantly improves stealthiness and reduces the likelihood of immediate detection.

At step $t$, the generation model constructs a candidate pool $\mathrm{CP}\subseteq \mathcal{V}$ according to its decoding strategy. The adversary inspects ${CP}^t$. If no semantically related alternatives are found, the position is left unchanged. Otherwise, the adversary replaces the original word $w_t$ with a synonym $c_i^t\in {CP}^t$.

Based on the above description, ISSA can be expressed as follows:

$$c_i^t\in \{c\in {CP}^t|c_i\ne {\mathrm{w}}_{\mathrm{t}},\parallel \mathsf{\varphi }\left(w_t\right)-\mathsf{\varphi }\left(c\right){\parallel }_2<\delta \},$$

(1)

where $w_t$ denotes the original word at step $t$, ${CP}^t$ is the candidate pool generated by the model, $\mathsf{\varphi }\left(·\right)\in {\mathbb{R}}^d$ represents the word embedding function, $\parallel ·{\parallel }_2$ is the $L_2$ norm, and $\mathsf{\delta }$ is a similarity threshold. Note that ${CP}^t$ is a set of candidate words rather than a vector.

The parameter $\mathsf{\delta }$ controls the trade-off between semantic fidelity and the number of substitution options. A small $\mathsf{\delta }$ ensures high semantic consistency but yields fewer candidates, whereas a larger $\mathsf{\delta }$ enlarges the tampering space at the risk of semantic drift. In practice, $\delta$ can be tuned on validation data to balance stealthiness and naturalness.

A key feature of ISSA is the position-shift effect, which significantly enhances stealthiness. When the adversary substitutes $w_t$ with $c_i^t\in {CP}^t$, the receiver may not detect the change at step $t$. Instead, the subsequent word $w_{t+1}$ may fall outside its corresponding candidate pool ${CP}^{t+1}$, leading the receiver to misattribute the tampering.

For example, suppose the original sequence is $\left[A,B,C\right]$. If the adversary replaces $B$ with a synonym $B^{\prime }$ from ${CP}^2$, the original third word $C$ may no longer belong to ${CP}^3$. Consequently, the receiver detects inconsistency at position 3 rather than at position 2. This misalignment complicates both detection and recovery, making ISSA substantially more stealthy than conventional synonym substitution attacks. Figure 1 illustrates the adversary intercepting steganographic text $S$ and performing ISSA at position $t$.

3.2. ODRTA

From the description of ISSA, it is clear that the adversary must possess substantial knowledge. This includes an understanding of the text generation model and the candidate pool construction strategy. In ISSA, the adversary has significant attack capabilities but cannot manipulate the generation system itself. Therefore, an adversary employing ISSA can be best characterized as a model-aware outsider.

In contrast, attacks may also originate from ordinary external adversaries who have limited or no access to the underlying mechanisms and parameters. In such text-tampering attacks, these adversaries primarily target the availability and timeliness of hidden information. As a result, they are less constrained by detection concerns and may freely replace original words.

Traditional random tampering attacks (RTA) can be modeled as follows:

$${\mathcal{W}}_{RTA}^t\subseteq \mathcal{V},w_t^o\in \mathcal{V}\backslash {\mathcal{W}}_{RTA}^t,$$

(2)

where ${\mathcal{W}}_{RTA}^t$ is the available set of tampering words at step $t$, $\mathcal{V}$ is the entire vocabulary, and $w_t^o$ is the original steganographic word at step $t$.

Due to the requirement for readability in generative linguistic steganography tasks, candidate pools are generally small, e.g., containing 2, 8, or 16 words. Consequently, the probability of an adversary randomly selecting these words is significantly lower than the probability of choosing a word from the remaining vocabulary ${\mathcal{V}}^{*}=\mathcal{V}\backslash {\mathcal{W}}_{CP}^t$ Therefore, we define the out-of-domain random tampering attack (ODRTA), where “random” refers to the selection of words from ${\mathcal{V}}^{*}$. The ODRTA can be represented as follows:

$$\left\{\begin{array}{c}{\mathcal{W}}_{ODRTA}^t\cap {\mathcal{W}}_{CP}^t=\varnothing \\ {\mathcal{W}}_{ODRTA}^t\cup {\mathcal{W}}_{CP}^t=\mathcal{V}\\ \left|{\mathcal{W}}_{CP}^t\right|\ll \left|{\mathcal{W}}_{ODRTA}^t\right|\approx \left|\mathcal{V}\right|\\ P\left(w_{ODRTA}^t\in CP\right)=0\end{array}\right.,$$

(3)

where $\mid ·\mid$ denotes the number of elements in the set.

ODRTA can be categorized based on the continuity of the attacks into continuous ODRTA and discontinuous ODRTA. Let $\mathcal{S}=\left(w_1,w_2,w_3,w_4,w_{\mathcal{T}},\dots ,w_{\mathcal{T}+k},w_n\right)$ denote the intercepted steganographic text, and let $\mathcal{T}$ and $\mathcal{T}+k$ be the indices of consecutive attack points; then, we obtain the following:

$$\left\{\begin{array}{c}CODRTA\triangleq \mathcal{T}+k-\mathcal{T}=1\\ DODRTA\triangleq \mathcal{T}+k-\mathcal{T}>1\end{array}\right.,$$

(4)

If $k=1$, the attack is continuous, meaning no unmodified words exist between attack points. If $k>1$, the attack is discontinuous.

Figure 2 illustrates a schematic representation of ODRTA. The upper half of Figure 2 represents a single instance of DODRTA, while the lower half showcases a CODRTA.

4. Defense Mechanism

To defend against the two types of tampering attacks described above and to enhance the integrity and availability of hidden information at the receiving end, we propose two mechanisms: a proactive defense mechanism based on adaptive clustering for ISSA, and a post-hoc repair mechanism based on a context-oriented search strategy and the determinism of the text generation model for ODRTA. In addition to targeting different attacks, these two mechanisms also differ in their deployment locations. The proactive defense mechanism must be deployed at both the sending and receiving ends of the communication, whereas the post-hoc repair mechanism only needs to be deployed at the receiving end.

4.1. ISSA-Defense (ISSA-D)

According to the ISSA model, the construction mechanism and specific parameters of a steganographic text are known to the adversary. To avoid detection by both parties in the communication and to increase the difficulty of extracting the original hidden information, the adversary selects synonyms of the source words from the candidate pool generated by the text generation model at the current step as tampering words.

To enhance the defensive capability of generative linguistic steganography against ISSA, we propose a proactive defense mechanism based on an adaptive clustering algorithm. In this mechanism, the DBSCAN algorithm is chosen as the clustering algorithm.

First, the sending end inputs a prompt into the text generation model to initiate the steganographic task. Most existing text generation models calculate the probability of each word in the vocabulary $\mathcal{V}$ appearing at the current position based on conditional probabilities. Subsequently, a candidate pool (CP) is constructed by selecting the top-$k$ words from the computed results using the top-$k$ sampling strategy. The prediction rules of the text generation model and the top- strategy are as follows:

$$\left\{\begin{array}{c}P\left(\mathcal{S}\right)=P\left(w_t∣w_{t-1},w_{t-2},\dots ,w_1,prompt\right)\\ CP=top\text{-}k\left(\mathcal{V},k\right)=\{x_1,x_2,\dots ,x_k\}\end{array}\right.,$$

(5)

where $x_i\in \mathcal{V}$ and $p\left(x_i\right)\ge p\left(x_{i+1}\right)$.

Currently, generative linguistic steganography typically begins the embedding process immediately after obtaining the CP. To ensure that steganographic text can withstand ISSA, we perform adaptive clustering on the CP, constructing a new CP to be transmitted to the embedding unit. Let ${CP}^t$ denote the CP constructed by the text generation model at step $t$, and ${CP}_c^t$ refer to the CP transmitted to the embedding unit.

The adaptive clustering algorithm based on the DBSCAN algorithm is as follows:

$$N_{ϵ}\left(x_i\right)=\{x_j\in {CP}^t\mid ||x_i-x_j|{|}_2\le \mathsf{ϵ}\},$$

(6)

where $N_{ϵ}\left(·\right)$ and $\mathsf{ϵ}$ are the crucial hyperparameters of DBSCAN. Here, $N_{ϵ}\left(·\right)$, represents the minimum number of points required to form a dense region, while $\mathsf{ϵ}$, denotes the maximum distance between two points to be considered in the same cluster.

To ensure that every element in the ${CP}_c^t$ can withstand ISSA, the minimum value of $N_{ϵ}\left(·\right)$ is set to 2.

$$\mid N_{ϵ}\left(x_i\right)\mid \ge 2,$$

(7)

As the elements of ${CP}^t$ differ at each step, a static $\mathsf{ϵ}$ cannot guarantee effective clustering results. Therefore, we introduce the K-NN algorithm to dynamically adjust $\mathsf{ϵ}$, as follows:

$$D_{x_i}=\{d_{x_i{x}_j}\mid x_j\in \mathrm{K}\text{-}\mathrm{NN}\left(\mathrm{C}{\mathrm{P}}^{\mathrm{t}},{\mathrm{N}}_{\mathsf{ϵ}}\left(x_i\right)\right)\},$$

(8)

where $D_{x_i}$ represents the distances from all elements in ${CP}^t$ to data point $x_i$, while $d_{x_i{x}_j}$ denotes the distance from data point $x_j$ to data point $x_i$.

$$\mathsf{ϵ}={\displaystyle \frac{1}{k}}{\sum }_{i=1}^k{D}_i\left[T\right],$$

(9)

where $k$ is the total number of words in ${CP}^t$ and $\left[T\right]$ represents the $K$ nearest words to the $i$-th word based on their distances.

After these operations, ${CP}^t$ is partitioned into different clusters, each containing at least two elements:

$${CP}^t=\{{\mathcal{C}}_1,\dots ,{\mathcal{C}}_{\mathcal{m}}\},$$

(10)

A filtering function selects the element with the highest probability from each cluster ${\mathcal{C}}_{\mathcal{i}}$ to be included in ${CP}_c^t$:

$$x_i^j=\arg \underset{x\in {\mathcal{C}}_{\mathcal{i}}}{\max }P\left(x\right),$$

(11)

where $x_i^j$ denotes the word with the highest probability in cluster ${\mathcal{C}}_{\mathcal{i}}$. This ensures perceptual imperceptibility of the steganographic text.

At this point, ${CP}_c^t$ serves as the latest candidate pool, passed to the embedding unit for information hiding. A complete algorithmic flow for the adversarial ISSA is illustrated in Algorithm 1, where line 11 produces the final ${CP}_c^t$ to be transmitted to the next processing unit. In line 9, the DBSCAN clustering algorithm is applied with parameters $\left(\mathsf{ϵ},\mathrm{M}\mathrm{i}\mathrm{n}\mathrm{P}\mathrm{t}\mathrm{s}\right)=\left(\mathsf{ϵ},2\right)$. Here, $MinPts$ is set to 2 to ensure that each cluster contains at least two candidate words, which establishes the lower bound necessary for the mechanism to resist ISSA attacks. The hyperparameters were chosen based on empirical experience and further tuned on the validation set to achieve meaningful clustering results while balancing cluster density and noise points.

Algorithm 1. Steganographic text generation against ISSA

01: INPUT: hidden information HI, historical information HIS 02: OUTPUT: steganographic text ST 03: HIS $\to$ text generation model, TGM 04: $i$ = 1, OHI = HIS 05: while HI is not empty do 06:  candidate pool, ${CP}^t$ $\leftarrow$ TGM(HIS) 07:  distances $\leftarrow$ K-NN($K$) 08:  $\mathsf{ϵ}$ $\leftarrow$ mean(distances) 09:   clusters, $C$ $\leftarrow$ DBSCAN($\mathsf{ϵ}$, $MinPts$ = 2) 10:  candidate pool ${CP}_c^t$ = [] 11:  for cluster in $C$ do 12:    word $\leftarrow$ cluster(max_prob) 13:    ${CP}_c^t$.add(word) 14:  end for 15:  $w_i$ $\leftarrow$ Embedding(HI, ${CP}_c^t$) 16:  HI $\leftarrow$ update(HI) 17:  HIS $\leftarrow$ HIS + $w_i$ 18:  $i++$ 19: end while 20: ST $\leftarrow$ HIS.minus(OHI) 21: Return ST

Now, we discuss how the candidate pool ${CP}_c^t$ helps both parties resist ISSA. Suppose the adversary performs an ISSA at the $i$-th word of the intercepted $\mathcal{S}$. According to the ISSA description, the word $x_i^a$ is altered to a synonym of the original word $w_i$. When $x_i^a$ exists within the cluster ${\mathcal{C}}_{\mathcal{i}}$ containing the original word $w_i$, the receiving end can query the original word $w_i$ using Equation (11). The number of allowed alterations for each cluster ${\mathcal{C}}_{\mathcal{i}}$ is limited to its dimension, minus one. Additionally, if the clustering operation does not yield multiple clusters, the word with the highest probability from ${CP}^t$ will be returned. This approach is aimed at enhancing the usability of the steganographic text while maintaining perceptual imperceptibility. The formulation expression is as follows:

$$w_i\in {\mathcal{C}}_{\mathcal{i}}\wedge {\mathcal{C}}_{\mathcal{i}}\subseteq {CP}^t\wedge x_i^a\in {\mathcal{C}}_{\mathcal{i}}\to \exists Q,Q\left(x_i^a\right)=w_i,$$

(12)

where $w_i$ represents the original word, $x_i^a$ represents the tampering word, and $Q$ denotes the query function related to Equation (11).

4.2. ODRTA-Defense (ODRTA-D)

When an adversary aims to compromise the usability and timeliness of hidden information without considering detection, they can implement an out-of-domain random tampering attack (ODRTA) on the $\mathcal{S}$.

To recover such texts and enhance the integrity and usability of hidden information, we propose a post-hoc repair mechanism based on context-oriented search strategy and the determinism of text generation model.

Generative linguistic steganography effectively constitutes a deterministic system under various conditions determined by text generation model, CP construction strategies, hidden information, and embedding algorithm. Specifically, this mechanism ensures that the same input always produces the same output. The representation of steganographic text generation and hidden information extraction are as follows:

$$\left\{\begin{array}{c}E\left(G\left(prompt\right),\mathcal{M},\theta \right)\to S\\ E^{-1}\left(G\left(prompt\right),\mathcal{S},\theta \right)\to M\\ \begin{array}{c}where,G\left(·\right)\to {CP}^t\\ \mathcal{S}=\{w_1,w_2,\dots ,w_t,\dots ,w_n\}\end{array}\end{array}\right.,$$

(13)

where $E$ denotes the embedding algorithm, $E^{-1}$ denotes its inverse, $G\left(·\right)$ denotes the text generation process used to construct ${CP}^t$, $\mathsf{\theta }$ is a hyperparameter, and $\mathcal{M}$ is the hidden information.

As $G\left(·\right)$ is a deterministic system and both $E$ and $E^{-1}$ are bijective, generative linguistic steganography can also be regarded as a deterministic system. At step $t$, if the steganographic text ${\mathcal{S}}^{*}$ is tampered such that the original word $w_t$ is altered to $w_t+\mathsf{\alpha }$, given that the information before $t$ is correct, the generation system $G\left(·\right)$ outputs the correct ${CP}^t$ at step $t$. However, as $w_t+\mathsf{\alpha }\notin {CP}^t$, the inverse mapping function $E^{-1}$ cannot proceed, interrupting the extraction process:

$${\mathcal{S}}^{*}=\{prompt,w_1,w_2,\dots ,w_t+\mathsf{\alpha },w_{t+1},\dots ,w_{t+m},\dots ,w_n\},$$

(14)

Without auxiliary information, the receiving end can only repair the steganographic text via enumeration. Introducing auxiliary information to assist in the repair process is therefore a natural approach. The receiving end can reasonably assume that the steganographic text following the tampering point is correct and use it as auxiliary information.

Under this assumption, the repair mechanism uses $\{prompt,w_1,\dots ,w_{t-1}\}$ and employs a text generation model to predict $m+1$ steps backward, enumerating all possible outcomes. The last $m$ words are then used as search tokens to query text samples matching these words. These $m$ words correspond to the nearest $m$ words following the tampered word $w_t+\mathsf{\alpha }$ in ${\mathcal{S}}^{*}$. After the repair process, the first word following $\{prompt,w_1,\dots ,w_{t-1}\}$ is restored to the original word $w_t$.

Algorithm 2 describes the workflow for repairing steganographic text affected by a DODRTA. In line 15, based on historical information (HIS), the algorithm predicts $m+1$ steps backward, where the first step represents the possible original word at the tampering point, and subsequent steps provide auxiliary information necessary for the repair. Once predictions are completed, the algorithm combines historical information with the auxiliary information predicted in the first step. Leveraging the determinism of the steganographic mechanism and a context-oriented search strategy, the algorithm filters out the original word from possible candidates at the tampering point (lines 16–18).

Algorithm 2. Extracting from DODRTA-affected ST

01: INPUT: steganographic text ST, historical information HIS 02: OUTPUT: hidden information HI 03: ST $\leftarrow$ ST.minus(HIS) 04: HI = [] 05: HIS $\to$ text generation model, TGM 06: for $t$ in range(0, len(ST)) do 07:  candidate pool, ${CP}^t$ $\leftarrow$ TGM(HIS) 08:  if ST [$t$] in ${CP}^t$ do 09:    temp $\leftarrow$ Extraction(ST [$t$]) 10:    HI.add(temp) 11:    HIS $\leftarrow$ HIS + ST [$t$] 12:  else do 13:    // Predict $m+1$ positions backward and query the path of ST[$t+1$: $t+m$] 14:    candidate pools, ${\mathcal{C}\mathcal{P}}^{\left[t:m+t\right]}$ $\leftarrow$ TGM(HIS, $m+1$) 15:    if ST[$t+1$: $t+m$] in ${\mathcal{C}\mathcal{P}}^{\left[t+1:t+m\right]}$ do 16:      original word, ow in ${CP}^{\left[t\right]\left[j\right]}$ 17:      temp $\leftarrow$ Extraction(ow + ST [$t+1$: $t+m$]) 18:      HI.add(temp) 19:      HIS $\leftarrow$ HIS + ow + ST[$t+1$: $t+m$] 20:    end if 21:  end if 22: end for 23: Return HI

Repairing steganographic text ${\mathcal{S}}^{**}$ affected by a CODRTA requires more auxiliary knowledge:

$${\mathcal{S}}^{**}=\{prompt,w_1,w_2,\dots ,w_t+{\alpha }_0,\dots ,w_{t+a}+{\alpha }_a,\dots ,\dots ,w_n\},$$

(15)

Let $a$ represent the continuity of tampered words and $z$ denote the amount of required auxiliary information. Based on $\{prompt,w_1,\dots ,w_{t-1}\}$, the text generation model predicts $a+z$ steps backward. The repair process is expressed as follows:

$$\left\{\begin{array}{c}{\mathcal{Y}}_{a+z}^{t-1}=Seq\left(G\left(S^{**}\left[prompt:t-1\right],{\mathcal{C}\mathcal{P}}^{\left[t:t+a+z\right]},a+z\right)\right)\\ {\mathcal{W}}_{\left[t:t+a\right]}=Sea\left({\mathcal{Y}}_{t-1}^{a+z},{\mathcal{S}}^{**}\left[t+a+1:t+a+z\right]\right)\end{array}\right.,$$

(16)

where ${\mathcal{Y}}_{a+z}^{t-1}$ denotes the data-predicted backward $a+z$ steps, $Seq\left(·\right)$ combines these data samples, ${\mathcal{C}\mathcal{P}}^{\left[t:t+a+z\right]}$ collects all candidate pools from step $t$ to $t+a+z$, $Sea\left(·\right)$ is the retrieval function for matching the retrieval tokens ${\mathcal{S}}^{**}\left[t+a+1:t+a+z\right]$, and ${\mathcal{W}}_{\left[t:t+a\right]}$ is the set of original words to be restored. Algorithm 3 describes the workflow for repairing steganographic text affected by a CODRTA.

Algorithm 3. Extracting from CDORTA-affected ST

01: INPUT: steganographic text ST, historical information HIS 02: OUTPUT: hidden information HI 03: ST $\leftarrow$ ST.minus(HIS) 04: HI = [] 05: HIS $\to$ text generation model, TGM 06: while ST is not empty do 07:  candidate pool, $C{P}^t$ $\leftarrow$ TGM(HIS) 08:  if ST [0] in ${CP}^t$ do 09:    temp $\leftarrow$ Extraction(ST [0]) 10:    HI.add(temp) 11:    HIS $\leftarrow$ HIS + ST [$t$] 12:    ST $\leftarrow$ ST.minus(ST[0]) 13:  elif ST[0] not in ${CP}^t$ do 14:    candidate pools, ${\mathcal{C}\mathcal{P}}^{\left[t:t+m\right]}$ $\leftarrow$ TGM(HIS, $m+1$) 15:    if ST[1: $m-1$] in ${\mathcal{C}\mathcal{P}}^{\left[t+1:t+m-1\right]}$ do 16:      go to DODRTA 17:    else do 18:      candidate pools, $\mathcal{C}{\mathcal{P}}^{\left[t:t+a+z\right]}$ TGM(HIS}, $a+z$) 19:      if ST [$t+a+1$: $t+a+z$] in ${\mathcal{C}\mathcal{P}}^{\left[t+a+1:t+a+z\right]}$ do 20:        original word, ${\mathrm{o}\mathrm{w}}^{\left[t:t+a\right]}$ in ${\mathcal{C}\mathcal{P}}^{\left[t:t+a\right]}$ 21:        tem $\leftarrow$ Extraction(${\mathrm{o}\mathrm{w}}^{\left[t:t+a\right]}$ + ST[$t$: $t+a+z$]) 22:        HI.add(tem) 23:        HIS $\leftarrow$ HIS + ${\mathrm{o}\mathrm{w}}^{\left[t:t+a\right]}$ + ST[$t+a+1$: $t+a+z$] 24:        ST $\leftarrow$ ST.minus(ST[0: $a+z-1$]) 25:      end if 26:    end if 27:  end if 28: end while 29: Return HI

5. Experiments

This section presents the evaluation metrics commonly used in generative linguistic steganography, analyzes the feasibility of the proposed mechanisms, and compares them with several existing steganographic approaches.

5.1. Evaluation Metrics

The evaluation of generative linguistic steganography typically relies on two key dimensions: perceptual imperceptibility and statistical imperceptibility.

Perceptual imperceptibility refers to the readability of the generated steganographic text, including semantic clarity and logical coherence. For fairness, we employ standard metrics commonly used in natural language processing [39] to assess perceptual imperceptibility. The primary evaluation metrics are perplexity ($ppl$) and Kullback–Leibler divergence ($KL$ divergence):

$$ppl=2^{-{\displaystyle \frac{1}{n}}logP\left(\mathcal{S}\right)},$$

(17)

$$KL\left(P_t|Q_g\right)=\sum P_t\left(x\right)log{\displaystyle \frac{P_t\left(x\right)}{Q_g\left(x\right)}},$$

(18)

where $n$ denotes the number of words in the steganographic text $\mathcal{S}$, $P_t$ represents the true data distribution obtained from training, and $Q_g$ is the statistical distribution of the generated text.

In addition, we also adopt diversity ($Div$), grammatical scores ($GS\left(·\right)$), and descriptiveness ($Des$) as auxiliary metrics [40] for assessing perceptual imperceptibility.

$$Div={\displaystyle \frac{\mid set\left(words\right)\mid }{\mid \mathcal{S}\mid }},$$

(19)

$$GS\left(\mathcal{S}\right)={\displaystyle \frac{1}{1+e^{-\mathcal{S}}}},$$

(20)

$$Des={\displaystyle \frac{|v{|}_1}{\mid \mathcal{S}\mid }},v=\left[N,A,R\right],$$

(21)

where $\mid ·\mid$ denotes the number of words in the steganographic text and $set\left(·\right)$ ensures that only unique words are counted. Specifically, $N$, $A$ and $R$ represent nouns, adjectives, and adverbs, respectively.

Statistical imperceptibility refers to the ability of the generated steganographic text to evade detection by steganalysis tools. We evaluate statistical imperceptibility using three widely adopted steganalysis models: FCN [41], TS-RNN [42], and HiduNet [43]. The corresponding evaluation metrics are accuracy ($Acc$), precision ($Pre$), $F_1$ score ($F_1$), and recall ($Rec$):

$$Acc={\displaystyle \frac{TP+TN}{TP+TN+FP+FN}},$$

(22)

$$Pre={\displaystyle \frac{TP}{TP+FP}},$$

(23)

$$Rec={\displaystyle \frac{TP}{TP+FN}},$$

(24)

$$F_1=2\times {\displaystyle \frac{pre·rec}{pre+rec}},$$

(25)

where $TP$, $TN$, $FP$, and $FN$ denote the numbers of true positives, true negatives, false positives, and false negatives, respectively.

To assess the resilience of generative linguistic steganography against active tampering attacks, we adopt three qualitative binary metrics: attack detection capability ($ADC$), which measures the ability to detect actual manipulation points; attack identification capability ($AIC$), which evaluates the effectiveness in recognizing the type of attack; and repair capability ($RC$), which quantifies the ability to restore the steganographic text and correctly extract hidden information.

Furthermore, we introduce the fault tolerance rate ($FTR$) to quantify robustness against active attacks. $FTR$ is defined as the maximum proportion of manipulation points allowed in the steganographic text, beyond which hidden information can no longer be correctly extracted:

$$FTR={\displaystyle \frac{\mid Point{s}_{attacked}\mid }{\mid \mathcal{S}\mid }}\times 100\%,$$

(26)

where $Point{s}_{attacked}$ denotes that the point is under attack.

Finally, embedding capacity is also an important evaluation criterion. It typically refers to the maximum amount of hidden information that can be embedded into a given carrier. As most generative steganographic methods convert hidden information into bit streams, bits per word ($bpw$) is used as the metric:

$$bpw={\displaystyle \frac{bits\left(\mathcal{M}\right)}{\mid \mathcal{S}\mid }},$$

(27)

where $\mathcal{M}$ denotes hidden information.

5.2. Feasibility Analysis

The feasibility analysis aims to evaluate whether the proposed defense mechanisms effectively enhance the integrity and availability of hidden information at the receiving end. We further analyze the performance of different steganographic mechanisms under the two proposed types of attacks.

To rapidly validate the feasibility and usability of the proposed mechanisms, we implemented an ISSA-D steganographic mechanism using the adaptive DBSCAN algorithm and generated 6000 steganographic texts. In constructing the candidate pool, we adopted the top-$k$ strategy with $k=8,16,$ and 32. For ODRTA evaluation, we constructed 4000 data points with a candidate pool dimension of 2, among which 2000 were used for measuring DODRTA-D and the remainder for measuring CODRTA-D-2. Here, the subscript “2” indicates that the maximum number of consecutive manipulations is two. To ensure generalizability, GPT-2 [44] was selected as the underlying text generation model.

For ISSA-D and ODRTA-D, we evaluated ($ADC$), ($AIC$), and ($RC$). The results are presented in

Table 2. Comparison of defensive capabilities of steganographic mechanisms. ☑ and ☒ denote the presence and absence of capability, respectively.

Method	ISSA			ODRTA
	$ADC$	$AIC$	$RC$	$ADC$	$AIC$	$RC$
ISSA-D (our)	☑	☑	☑	☒	☒	☒
ODRTA-D (our)	☒	☒	☒	☑	☑	☑
RNN-stega [13]	☒	☒	☒	☑	☑	☒
PH-stega [14]	☒	☒	☒	☑	☑	☒
VAE-stega [2]	☒	☒	☒	☑	☑	☒
GAN-stega [16]	☒	☒	☒	☑	☑	☒
BERT-GS-stega [18]	☒	☒	☒	☑	☑	☒
PAP-stega [19]	☒	☒	☒	☑	☑	☒
LD-stega [20]	☒	☒	☒	☑	☑	☒
NT-stega [21]	☒	☒	☒	☑	☑	☒
PE&KE-stega [22]	☒	☒	☒	☑	☑	☒
SS2SS-stega [28]	☒	☒	☒	☑	☑	☒
Discop [30]	☒	☒	☒	☑	☑	☒
LLM-stega [31]	☒	☒	☒	☑	☑	☒
ZS-stega [32]	☒	☒	☒	☑	☑	☒
TC-stega [33]	☒	☒	☒	☑	☑	☒
CS-stega [38]	☒	☒	☒	☑	☑	☒

. The findings demonstrate that ISSA-D is capable of successfully extracting hidden information from steganographic texts affected by ISSA, whereas other mechanisms fail. Similarly, only ODRTA-D achieves successful extraction from texts affected by ODRTA. This difference arises because ODRTA introduces tampered words from outside the current candidate pool, allowing other methods to detect tampering points based on the text generation model and candidate pool strategy. In contrast, ISSA operates more covertly, by concealing tampering points within synonyms, preventing other steganographic mechanisms from identifying them.

The complexity analyses and correctness/security proofs of the proposed ISSA-D and ODRTA-D mechanisms are detailed in Appendix A (complexity analysis) and Appendix B (correctness and security analysis)

We further used the fault tolerance rate ($FTR$) to quantify the performance of ISSA-D, DODRTA-D, and CODRTA-D-2, with the results reported in

Table 3. Defensive performance of the proposed method. ☑ and ☒ denote the presence and absence of capability, respectively.

Method	|CP|	$\mathit{F}\mathit{T}\mathit{R}$	$\mathit{A}\mathit{C}$
ISSA-D	8	100%	☑
	16	100%	☑
	32	100%	☑
DODRTA-D	2	33.3%	☒
CODRTA-D-2	2	33.3%	☑

. In the table, $\left|CP\right|$ denotes the candidate pool dimension under the top-$k$ strategy, while $AC$ indicates the continuity of the attack. As ISSA-D does not require auxiliary information, its FTR reaches up to 100%, meaning ISSA can occur at any position and with any number of words in the steganographic text. By contrast, the repair processes of DODRTA-D and CODRTA-D-2 rely on subsequent auxiliary information, thereby limiting their tolerance to extensive manipulations.

In theory, as long as at least one untampered word remains, tampering points can be repaired. We initially set $m=1$. However, in practice, when tampering occurs near the end of the steganographic text, accurate recovery may not be possible. This is due to the iterative nature of the repair process: as the computational sequence grows longer, the computational load increases exponentially, reducing precision and hindering retrieval of the original candidate pool. To mitigate this, we set $m=2$. With $m=2$, DODRTA-affected steganographic texts can be fully and accurately repaired. For CODRTA-2, we further increased the value of $z$; when $z=4$, the receiver was also able to extract the hidden information completely and correctly.

Therefore, we conclude that, to ensure full and accurate recovery of hidden information, the amount of auxiliary information following tampered points must be at least twice the number of tampered words.

5.3. Perceptual Imperceptibility Analysis

To validate the perceptual imperceptibility of the steganographic text generated by the proposed method, particularly that produced by ISSA-D, a quantitative assessment was conducted. The dimensions of the candidate pool were set to 8, 16, and 32. A comparison was made among RNN-stega [13], VAE-stega [2], and Discop [30], with RNN-stega [13] serving as the baseline. Discop [30], a theoretically secure steganographic mechanism, demonstrated superior perceptual imperceptibility. Similarly, under different dimensions of the CP, we generated 2000 data samples for each comparative subject under identical conditions of hidden information and prompt.

In evaluating the generative quality of steganographic texts, perceptual imperceptibility was one of the key metrics. This metric primarily referred to the extent to which the generated steganographic text aligned with human writing habits while exhibiting logical coherence and semantic clarity. To objectively assess the perceptual imperceptibility of steganographic texts produced by the four mechanisms, we employed the BERT [10] model as an evaluation tool. The comparison results are presented in

Table 4. Perceptual imperceptibility comparison table.

Method	|CP|	$\mathit{K}\mathit{L}$	$\mathit{p}\mathit{p}\mathit{l}$	$\mathit{D}\mathit{i}\mathit{v}$	$\mathit{G}\mathit{S}$	$\mathit{D}\mathit{e}\mathit{s}$	$\mathit{b}\mathit{p}\mathit{w}$
ISSA-D	8	4.24	19.96	0.36	0.5	0.34	0.16
	16	5.43	46.49	0.62	0.5	0.39	0.33
	32	7.23	63.99	0.73	0.5	0.41	0.41
DODRTA-D	2	4.70	29.0	0.84	0.5	0.34	0.96
Discop [30]	Dynamic	1.86	2.00	0.5	0.5	0.37	1.38
	Dynamic	3.19	3.70	0.6	0.5	0.40	1.78
	Dynamic	4.20	9.60	0.51	0.5	0.36	2.70
VAE-stega [2]	8	3.74	17.13	0.72	0.5	0.39	2.54
	16	4.17	22.67	0.75	0.5	0.38	3.19
	32	4.63	30.57	0.78	0.5	0.38	3.76
RNN-stega [13]	8	7.53	20.93	0.35	0.5	0.30	2.64
	16	8.20	33.16	0.45	0.5	0.30	3.52
	32	8.83	52.55	0.56	0.5	0.29	4.40

.

From Table 4, it can be observed that the steganographic text generated by ISSA-D exhibited superior generation quality compared with the baseline [13] in terms of $KL$ and $ppl$ metrics across different dimensions, although it remained lower than that of VAE-stega [2] and Discop [30]. In terms of the $Div$ metric, VAE-stega [2] performed the best, followed by ISSA-D; conversely, ISSA-D excelled in the $Des$ metric, with Discop [30] coming in second. To quickly validate the feasibility of ISSA-D, we employed a perfect binary tree for the embedding algorithm, while Discop [30] utilized distributed copies, and both VAE-stega [2] and RNN-stega [13] implemented Huffman coding. In contrast, the latter two embedding algorithms were more effective in enhancing the perceptual imperceptibility of steganographic text.

Additionally, regarding the $bpw$ metric, the embedding capacity of ISSA-D was significantly lower than that of the other three mechanisms. This was because, to ensure the steganographic text could withstand ISSA, certain elements in the candidate pool had to be sacrificed. Furthermore, the candidate pool in Table 4 was obtained through top-$k$ or top-$p$ filtering, with ISSA-D performing additional filtering on the resulting candidate pool. Notably, ISSA-D, RNN-stega [13], and VAE-stega [2] all used a top-$k$ strategy, which allowed for static candidate pool dimensions, whereas Discop [30] adopted a top-$p$ strategy, representing a dynamic candidate pool construction method.

5.4. Statistical Imperceptibility Analysis

It is fair to state that assessing statistical imperceptibility should be conducted under identical $bpw$ conditions. Given that the $bpw$ of RNN-stega [13], VAE-stega [2], and Discop [30] was significantly higher than that of ISSA-D, we increased the dimensions of the initial candidate pool to enhance the $bpw$ of ISSA-D. After adjustments, the $bpw$s of the newly generated data for ISSA-D were found to be 1.1, 1.9, 2.4, and 2.7, respectively.

In evaluating the generative quality of steganographic texts, statistical imperceptibility was another important metric, primarily measuring whether the generated steganographic texts could effectively evade detection attacks from steganalysis tools. To verify the statistical imperceptibility of the steganographic text, we generated 2000 steganographic texts for four different mechanisms under four $bpw$ conditions. In total, this resulted in 32,000 texts being analyzed.

Figure 3 demonstrated the resilience of steganographic texts against steganalysis using the FCN [41] model. The results indicate that VAE-stega [2] performed best in the accuracy ($Acc$), precision ($Pre$), and $F_1$ score ($F_1$), averaging 0.75%, 0.25%, and 0.5% better than the second-best method (ISSA-D), respectively. In contrast, Disop [30] excelled in recall ($Rec$), outperforming the proposed method by an average of 11.75%.

Figure 4 illustrates the resilience of steganographic texts against steganalysis using the TS-RNN [42] model. The performance of all four mechanisms in the $Acc$ was relatively poor, yet all exceed 90%. In the $Pre$, the proposed method improved with increasing $bpw$, with gains of up to 5%. In $Rec$, Discop [30] performed the best, followed by the proposed method, which averaged 5.75% higher than Discop [30]. For the $F_1$ score, VAE-stega [2] led, followed by Discop [30], the proposed method, and RNN-stega [13].

Figure 5 demonstrates the resilience of steganographic texts against steganalysis using the HiduNet [43] model. The results show that VAE-stega [2] outperforms the other three methods across all four metrics, with Discop [30] following closely. The proposed method averages 11.75%, 11%, 12.5%, and 11.5% points higher than VAE-stega [2] in the respective metrics. It is important to note that, for steganographic text creators, lower values of these four metrics indicate better statistical imperceptibility of the generated steganographic text.

In summary, compared with the baseline model RNN-stega [13], the steganographic texts generated by ISSA-D demonstrated superior capabilities in resisting statistical analysis. However, when compared with the more advanced models Discop [30] and VAE-stega [2], ISSA-D still shows potential for further improvement.

Table 5. Steganalysis resistance for ODRTA-D steganographic text.

Metric	[41]	[42]	[43]
$Acc$	64.00%	88.79%	92.62%
$Pre$	58.22	90.96%	91.01%
$F_1$	100%	85.74%	94.82%
$Rec$	73.29%	87.10%	92.61%

presents the performance of steganographic texts generated by GPT-2 [44] under the condition of 1 $bpw$ across four steganalysis tools. These steganographic texts were primarily used to evaluate the statistical imperceptibility of ODRTA-D.

6. Case Studies

The internet of things (IoT) [45] faces numerous shortcomings, including low data security and inadequate privacy protection. These issues render IoT systems vulnerable to attacks, exposing them to both passive and active threats, particularly man-in-the-middle (MITM) attacks and zero-day attacks that compromise the availability of transmitted data [46]. Transmitting confidential information [47] in such insecure communication environments poses significant risks, potentially leading to the disclosure of users’ personal information [48]. Thus, the introduction of protective measures is essential. Compared with conventional encryption systems, covert communication systems can conceal hidden information during transmission, making them more suitable for resource-constrained communication devices. Consequently, implementing generative linguistic steganography mechanisms in IoT environments is crucial. However, existing linguistic steganography mechanisms remain inadequate against MITM attacks. Therefore, we conducted a study to enhance the integrity and availability of hidden information at the receiving end. Our proposed method was tested for usability and effectiveness across various IoT environments.

6.1. Wifi or Buletooth

Consider a scenario in which Alice and Bob are employees of a company. Alice intended to transmit confidential information to Bob via the company’s Wi-Fi [49,50] or Bluetooth [51,52]. However, due to the inherent vulnerabilities of Wi-Fi and Bluetooth transmission, another employee, Eve, could intercept the data packets. To obscure the visibility of the confidential information, Alice used a generative steganographic text and transmitted a readable steganographic message $\mathcal{S}$ to Bob.

Assuming that the steganographic mechanism was shared within the company, Eve could exploit this mechanism to decipher the confidential information transmitted by Alice. At this juncture, Eve not only sought to acquire the confidential information but also aimed to prevent Bob from interpreting it. In this context, Eve executed an ISSA attack on the steganographic text.

Figure 6 illustrates information transmission in wireless communication networks (e.g., Wi-Fi and Bluetooth) and an MITM attack via in-domain synonym substitution attack (ISSA). In the left half, Alice constructs a steganographic text using the proposed ISSA-D method, with the currently selected word highlighted in red and a marker indicating the i-th attack conducted by Eve. During testing, Eve can tamper with any position, though the example shows only a specific instance for illustration. Ultimately, Alice transmits the steganographic text $\mathcal{S}$ to Bob, while Eve intercepts and modifies it according to ISSA, producing the altered text ${\mathcal{S}}^{\prime }$, as shown in the right half of the figure. If Bob lacks defensive mechanisms, he will be unable to extract the hidden information from ${\mathcal{S}}^{\prime }$. The initial candidate pool displayed in Figure 6 is also assumed to be known to Eve.

6.2. Internet of Medical Things (IoMT)

In the internet of medical things (IoMT) [53], data security issues have also arisen [54,55]. For instance, when hospitals use steganography to conceal confidential information within local databases through text covers such as case reports or patient feedback, a zero-day attack on the database could compromise its availability. In such cases, a steganographic mechanism without recovery measures would be unable to extract hidden confidential information from the compromised text.

In Figure 7a, S1 represents the steganographic text stored in the local database, with the points of assumed attack tampering highlighted in red, while the blue text indicates the auxiliary information required for tampering recovery. The figure illustrates both the construction of the steganographic text and the DODRTA process, resulting in the transformation of $S1$ into $S{1}^{*}$. It is important to note that, as the adversary aims solely to corrupt the data, the candidate pool remains unknown to them.

6.3. Industrial Internet of Things (IIoT)

In industrial control environments [56,57], long-distance communication from the data acquisition end to the data processing end is particularly susceptible to tampering. Transmitting collected data in plaintext is highly insecure. Conversely, ciphertext transmission may attract the attention of adversaries, increasing the likelihood of interception. Therefore, introducing steganography into industrial control environments is essential.

Figure 7b shows a different scenario, where linguistic steganography is applied in the industrial internet of things, and an indiscriminate random tampering attack (CODRTA) is launched on all data. If the data processing end lacks a configured recovery mechanism, the chances of extracting hidden information are significantly reduced, leading to a loss of data availability. Here too, the candidate pool remains unknown to the adversary.

These experiments simulate real-world IoT and IoMT scenarios where active adversaries can tamper with steganographic texts without access to the candidate pool. The key observation is that, without recovery or defense mechanisms, both DODRTA and CODRTA can severely compromise the integrity and availability of hidden information, emphasizing the necessity of the proposed tampering-recovery strategies.

7. Conclusions

Current AI-based linguistic steganography mechanisms often fail to withstand active attacks. To address this, we proposed two novel text tampering models, ISSA and ODRTA, to distinguish whether tampered words exist in the candidate pool, with ODRTA further divided into discontinuous and continuous variants. Correspondingly, we designed targeted defense mechanisms, a proactive adaptive clustering for ISSA and a post-hoc context-oriented repair for ODRTA. These approaches effectively counter ISSA, CODRTA, and DODRTA, significantly improving the integrity and usability of hidden information at the receiving end.

Compared with existing methods such as VAE-stega and Discop, our framework introduces innovative attack models and effective defenses, explicitly addressing candidate-pool and out-of-domain tampering while maintaining reliable steganographic communication under adversarial conditions.

Despite these improvements, the generated steganographic texts still exhibit limited perceptual imperceptibility, especially at higher bits per word. Future work will focus on enhancing imperceptibility while preserving resilience, and extending the approach to other data covers such as images and videos to improve practical usability in IoT environments.