arxiv: 2604.10460 · v1 · submitted 2026-04-12 · 💻 cs.CV · cs.AI· cs.CR· cs.ET

Recognition: unknown

Toward Accountable AI-Generated Content on Social Platforms: Steganographic Attribution and Multimodal Harm Detection

Xinlei Guan , David Arosemena , Tejaswi Dhandu , Kuan Huang , Meng Xu , Miles Q. Li , Bingyu Shen , Ruiyang Qin

show 2 more authors

Umamaheswara Rao Tida Boyang Li

Authors on Pith no claims yet

Pith reviewed 2026-05-10 15:13 UTC · model grok-4.3

classification 💻 cs.CV cs.AIcs.CRcs.ET

keywords steganographywatermarkingAI-generated imagesmultimodal harm detectioncontent attributiondigital forensicsspread-spectrum embedding

0 comments

The pith

Embedding cryptographically signed identifiers into AI-generated images at creation time, triggered by multimodal harm detection, enables reliable tracing of misuse on social platforms.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes a framework where AI generators embed persistent, signed watermarks in images so that platforms can later verify origins when the image appears with harmful text. It evaluates multiple watermarking approaches and identifies spread-spectrum methods in the wavelet domain as particularly resistant to distortions such as blurring. A fusion model based on CLIP processes both image and text to flag harmful combinations, achieving high detection accuracy that then activates the attribution check. This addresses the gap where synthetic images carry no reliable metadata, allowing contextual misuse that current moderation systems struggle to handle. The resulting pipeline supports accountability by making harmful deployments of generated content traceable back to their source.

Core claim

We introduce a steganography enabled attribution framework that embeds cryptographically signed identifiers into images at creation time and uses multimodal harmful content detection as a trigger for attribution verification. Experiments demonstrate that spread-spectrum watermarking, especially in the wavelet domain, provides strong robustness under blur distortions, and our multimodal fusion detector achieves an AUC-ROC of 0.99, enabling reliable cross-modal attribution verification. These components form an end-to-end forensic pipeline that enables reliable tracing of harmful deployments of AI-generated imagery, supporting accountability in modern synthetic media environments.

What carries the argument

The steganography-enabled attribution framework, which embeds signed identifiers at image generation and activates verification through a CLIP-based multimodal harm detector when harmful image-text pairs are flagged.

If this is right

Spread-spectrum watermarking in the wavelet domain maintains detectability after blur and similar distortions common in online sharing.
The multimodal detector can reliably flag harmful image-text combinations to initiate attribution checks.
An end-to-end pipeline becomes available for tracing the source of misused AI-generated images.
Platforms gain a mechanism to enforce accountability on synthetic media without depending on external metadata.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

If generators adopt the embedding step, platforms could verify origins at scale for flagged content.
The approach could extend to other generative media such as video if similar embedding techniques prove robust.
Lowering false positives in the harm detector would be necessary before widespread deployment to avoid unnecessary attribution requests.

Load-bearing premise

The assumption that AI image generators will reliably embed the watermarks at creation time and that the harm detector will identify truly harmful contexts without high rates of false positives in actual social media use.

What would settle it

A large-scale test on real social media posts showing that the embedded watermarks become undetectable after typical platform processing such as compression and resizing, or that the detector produces frequent false positives on benign content.

Figures

Figures reproduced from arXiv: 2604.10460 by Bingyu Shen, Boyang Li, David Arosemena, Kuan Huang, Meng Xu, Miles Q. Li, Ruiyang Qin, Tejaswi Dhandu, Umamaheswara Rao Tida, Xinlei Guan.

**Figure 2.** Figure 2: Flowchart of the Steganographic Enabled Image Trac [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗

**Figure 3.** Figure 3: Visual comparison of watermarking methods on a natural color image under different attack conditions. [PITH_FULL_IMAGE:figures/full_fig_p009_3.png] view at source ↗

**Figure 4.** Figure 4: Training Accuracy and Validation Performance. [PITH_FULL_IMAGE:figures/full_fig_p010_4.png] view at source ↗

read the original abstract

The rapid growth of generative AI has introduced new challenges in content moderation and digital forensics. In particular, benign AI-generated images can be paired with harmful or misleading text, creating difficult-to-detect misuse. This contextual misuse undermines the traditional moderation framework and complicates attribution, as synthetic images typically lack persistent metadata or device signatures. We introduce a steganography enabled attribution framework that embeds cryptographically signed identifiers into images at creation time and uses multimodal harmful content detection as a trigger for attribution verification. Our system evaluates five watermarking methods across spatial, frequency, and wavelet domains. It also integrates a CLIP-based fusion model for multimodal harmful-content detection. Experiments demonstrate that spread-spectrum watermarking, especially in the wavelet domain, provides strong robustness under blur distortions, and our multimodal fusion detector achieves an AUC-ROC of 0.99, enabling reliable cross-modal attribution verification. These components form an end-to-end forensic pipeline that enables reliable tracing of harmful deployments of AI-generated imagery, supporting accountability in modern synthetic media environments. Our code is available at GitHub: https://github.com/bli1/steganography

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The paper pairs harm-triggered multimodal detection with steganographic watermarking for AI images, but only tests robustness to blur and leaves JPEG, resize, and crop unexamined.

read the letter

The main takeaway is a pipeline that embeds cryptographically signed identifiers into AI-generated images at creation and triggers verification only when a CLIP-based multimodal model flags harmful text-image pairs. They evaluate five watermarking methods and report that wavelet-domain spread-spectrum watermarking resists blur well, while the fusion detector hits 0.99 AUC-ROC. The public code release is a practical plus that lets others check or reuse the components directly. This framing reduces the cost of always-on checks and ties attribution to actual misuse, which is a reasonable engineering choice for platform settings. The experiments give concrete numbers on the detector and on blur tolerance, so the work is not purely conceptual. The soft spot is the limited distortion testing. Social platforms routinely apply JPEG compression, downsampling, and cropping, yet the reported results cover only blur. Frequency-domain watermarks are known to degrade under those operations, so the bit-error rates after realistic platform processing remain unknown. Without those numbers the end-to-end claim of reliable attribution is hard to assess. The assumption that generators will embed the marks at creation time is also left as future work rather than tested. This paper is aimed at researchers working on AI content moderation, digital forensics, and platform accountability. A reader who needs baselines for watermarking plus harm detection would get usable starting points, though they would still need to run their own platform-specific trials. It has a clear question, reproducible code, and measurable results, so it deserves a serious referee who can ask for the missing distortion tests and check the detector's false-positive behavior on real data.

Referee Report

1 major / 1 minor

Summary. The manuscript proposes a steganographic attribution framework for AI-generated images on social platforms. Cryptographically signed identifiers are embedded into images at creation time using five watermarking methods spanning spatial, frequency, and wavelet domains. A CLIP-based multimodal fusion model detects harmful image-text content to trigger attribution verification. Experiments claim that spread-spectrum watermarking (especially wavelet-domain) is robust under blur and that the detector reaches an AUC-ROC of 0.99, forming an end-to-end forensic pipeline for tracing harmful AI-generated imagery.

Significance. If the pipeline functions under realistic conditions, the work could meaningfully advance accountability for synthetic media by linking generation-time identifiers to detected misuse. The open code release is a clear strength that supports reproducibility. The combination of watermarking with multimodal detection is timely, but the practical significance hinges on whether the embedded identifiers survive the transformations typical of social platforms.

major comments (1)

[Experiments] Experimental evaluation of watermarking methods: robustness is reported only for blur distortions on the wavelet spread-spectrum technique. No bit-error-rate or extraction accuracy figures are given for JPEG compression (typical quality 70-90), resizing, or cropping. These operations are standard on social platforms and can destroy frequency-domain watermarks, directly undermining the central claim that the cryptographically signed identifier will survive to enable reliable cross-modal attribution verification.

minor comments (1)

[Abstract and Experiments] The abstract and results sections would benefit from explicit mention of the exact datasets, number of test images, and comparison baselines used for both the watermarking and multimodal detection experiments.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the detailed and constructive review. We appreciate the acknowledgment of the work's timeliness and the value of the open code release. The major comment on experimental robustness evaluation is addressed point-by-point below. We will revise the manuscript to incorporate additional experiments as outlined.

read point-by-point responses

Referee: [Experiments] Experimental evaluation of watermarking methods: robustness is reported only for blur distortions on the wavelet spread-spectrum technique. No bit-error-rate or extraction accuracy figures are given for JPEG compression (typical quality 70-90), resizing, or cropping. These operations are standard on social platforms and can destroy frequency-domain watermarks, directly undermining the central claim that the cryptographically signed identifier will survive to enable reliable cross-modal attribution verification.

Authors: We agree that the current experimental section focuses on blur distortions for the wavelet-domain spread-spectrum watermarking method, as this is a prevalent transformation in social media pipelines. The manuscript does not yet report bit-error-rate (BER) or extraction accuracy results for JPEG compression (quality 70-90), resizing, or cropping across the five evaluated methods. These are indeed critical for validating the survival of cryptographically signed identifiers under realistic platform operations. In the revised manuscript, we will add a comprehensive robustness evaluation section that includes these transformations, reporting BER and extraction accuracy for all watermarking techniques. This will directly support the central claim of reliable attribution verification. revision: yes

Circularity Check

0 steps flagged

No circularity; empirical evaluation independent of inputs

full rationale

The paper describes an empirical steganographic attribution system evaluated through direct experiments on five watermarking methods and a CLIP-based multimodal detector. No derivation chain, equations, fitted parameters renamed as predictions, or self-citations appear as load-bearing premises. Robustness claims rest on reported experimental outcomes (e.g., blur tolerance and 0.99 AUC-ROC) rather than any self-referential construction or ansatz smuggled via prior work. The pipeline is presented as a practical composition of independently tested components.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The framework relies on established techniques in steganography and vision-language models; no new entities introduced. Assessment limited by abstract-only access.

axioms (2)

domain assumption Steganographic methods can embed robust identifiers without perceptible changes to images
Core to the attribution framework.
domain assumption CLIP-based models can reliably detect multimodal harmful content
Basis for the fusion detector.

pith-pipeline@v0.9.0 · 5542 in / 1189 out tokens · 71935 ms · 2026-05-10T15:13:21.576275+00:00 · methodology

discussion (0)

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

LLM-as-Judge Framework for Evaluating Tone-Induced Hallucination in Vision-Language Models
cs.CV 2026-04 unverdicted novelty 7.0

Ghost-100 benchmark shows prompt tone drives hallucination rates and intensities in VLMs, with non-monotonic peaks at intermediate pressure and task-specific differences that aggregate metrics hide.

Reference graph

Works this paper leans on

29 extracted references · 6 canonical work pages · cited by 1 Pith paper · 1 internal anchor

[1]

Generative adversarial nets,

I. J. Goodfellow, J. Pouget-Abadie, M. Mirza, B. Xu, D. Warde-Farley, S. Ozair, A. Courville, and Y . Bengio, “Generative adversarial nets,” Advances in neural information processing systems, vol. 27, 2014

2014
[2]

Denoising diffusion probabilistic models,

J. Ho, A. Jain, and P. Abbeel, “Denoising diffusion probabilistic models,” Advances in neural information processing systems, vol. 33, pp. 6840– 6851, 2020

2020
[3]

Zero-shot text-to-image generation,

A. Ramesh, M. Pavlov, G. Goh, S. Gray, C. V oss, A. Radford, M. Chen, and I. Sutskever, “Zero-shot text-to-image generation,” inInternational conference on machine learning. Pmlr, 2021, pp. 8821–8831

2021
[4]

The hateful memes challenge: Detecting hate speech in multimodal memes,

D. Kiela, H. Firooz, A. Mohan, V . Goswami, A. Singh, P. Ringshia, and D. Testuggine, “The hateful memes challenge: Detecting hate speech in multimodal memes,”Advances in neural information processing systems, vol. 33, pp. 2611–2624, 2020

2020
[5]

Recent advances in online hate speech moderation: Multimodality and the role of large models,

M. S. Hee, S. Sharma, R. Cao, P. Nandi, P. Nakov, T. Chakraborty, and R. K.-W. Lee, “Recent advances in online hate speech moderation: Multimodality and the role of large models,”Findings of the Association for Computational Linguistics: EMNLP 2024, pp. 4407–4419, 2024

2024
[6]

Financial fraud and manipulation: The malicious use of deepfakes in business,

P. Kaushik, V . Garg, A. Priya, and S. Kant, “Financial fraud and manipulation: The malicious use of deepfakes in business,” inDeepfakes and Their Impact on Business. IGI Global Scientific Publishing, 2025, pp. 173–196

2025
[7]

Beyond the deepfake hype: Ai, democracy, and “the slovak case

L. de Nadal and P. Jan ˇc´arik, “Beyond the deepfake hype: Ai, democracy, and “the slovak case”,”HKS Misinformation Review, vol. 5, no. 4, 2024

2024
[8]

arXiv:1802.07228, 2018

M. Brundage, S. Avin, J. Clark, H. Toner, P. Eckersley, B. Garfinkel, A. Dafoe, P. Scharre, T. Zeitzoff, B. Filar, H. Anderson, H. Roff, G. C. Allen, J. Steinhardt, C. Flynn, S. Baum, O. Evans, A. Herbert-V oss, M. Riemer, T. Denison, C. Leung, D. Matheny, E. Ferrara, J. Grimmelmann, D. C. Parkes, W. Isaac, K. Lum, T. Maharaj, J. Kaplan, I. Sutskever, and...

work page arXiv 2018
[9]

How spammers and scammers leverage ai-generated images on facebook for audience growth,

R. DiResta and J. A. Goldstein, “How spammers and scammers leverage ai-generated images on facebook for audience growth,” arXiv preprint arXiv:2403.12838, 2024. [Online]. Available: https: //arxiv.org/abs/2403.12838

work page arXiv 2024
[10]

Explaining and Harnessing Adversarial Examples

I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,”arXiv preprint arXiv:1412.6572, 2014

work page internal anchor Pith review arXiv 2014
[11]

Real-time adversarial attacks,

Y . Gong, B. Li, C. Poellabauer, and Y . Shi, “Real-time adversarial attacks,”arXiv preprint arXiv:1905.13399, 2019

work page arXiv 1905
[12]

A survey of safety on large vision-language models: Attacks, defenses and evalua- tions,

M. Ye, X. Rong, W. Huang, B. Du, N. Yu, and D. Tao, “A survey of safety on large vision-language models: Attacks, defenses and evalua- tions,”arXiv preprint arXiv:2502.14881, 2025

work page arXiv 2025
[13]

Tone matters: The impact of linguistic tone on hallucination in vlms,

W. Hong, Z. Jiang, B. Shen, X. Guan, Y . Feng, M. Xu, and B. Li, “Tone matters: The impact of linguistic tone on hallucination in vlms,” inProceedings of the IEEE/CVF Winter Conference on Applications of Computer Vision (WACV) Workshops, March 2026, pp. 1353–1362

2026
[14]

High- resolution image synthesis with latent diffusion models,

R. Rombach, A. Blattmann, D. Lorenz, P. Esser, and B. Ommer, “High- resolution image synthesis with latent diffusion models,” inProceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2022, pp. 10 684–10 695

2022
[15]

The creativity of text-to-image generation,

J. Oppenlaender, “The creativity of text-to-image generation,” inPro- ceedings of the 25th international academic mindtrek conference, 2022, pp. 192–202

2022
[16]

Blessing or curse? a survey on the impact of generative ai on fake news,

A. Loth, M. Kappes, and M.-O. Pahl, “Blessing or curse? a survey on the impact of generative ai on fake news,”arXiv preprint arXiv:2404.03021, 2024

work page arXiv 2024
[17]

Deepfakes, misinformation, and disinformation in the era of frontier ai, generative ai, and large ai models,

M. R. Shoaib, Z. Wang, M. T. Ahvanooey, and J. Zhao, “Deepfakes, misinformation, and disinformation in the era of frontier ai, generative ai, and large ai models,” in2023 international conference on computer and applications (ICCA). IEEE, 2023, pp. 1–7

2023
[18]

Detection and moderation of detrimental content on social media platforms: current status and future directions,

V . U. Gongane, M. V . Munot, and A. D. Anuse, “Detection and moderation of detrimental content on social media platforms: current status and future directions,”Social Network Analysis and Mining, vol. 12, no. 1, p. 129, 2022

2022
[19]

Rethinking multimodal content moderation from an asymmetric angle with mixed- modality,

J. Yuan, Y . Yu, G. Mittal, M. Hall, S. Sajeev, and M. Chen, “Rethinking multimodal content moderation from an asymmetric angle with mixed- modality,” inProceedings of the IEEE/CVF winter conference on applications of computer vision, 2024, pp. 8532–8542

2024
[20]

Cosmos: catching out-of-context image misuse using self-supervised learning,

S. Aneja, C. Bregler, and M. Nießner, “Cosmos: catching out-of-context image misuse using self-supervised learning,” inProceedings of the AAAI conference on artificial intelligence, vol. 37, no. 12, 2023, pp. 14 084–14 092. 11

2023
[21]

Exploring hate speech detection in multimodal publications,

R. Gomez, J. Gibert, L. Gomez, and D. Karatzas, “Exploring hate speech detection in multimodal publications,” inProceedings of the IEEE/CVF winter conference on applications of computer vision, 2020, pp. 1470– 1478

2020
[22]

A digital watermark,

R. G. Van Schyndel, A. Z. Tirkel, and C. F. Osborne, “A digital watermark,” inProceedings of 1st international conference on image processing, vol. 2. IEEE, 1994, pp. 86–90

1994
[23]

Secure spread spectrum watermarking for multimedia,

I. J. Cox, J. Kilian, F. T. Leighton, and T. Shamoon, “Secure spread spectrum watermarking for multimedia,”IEEE transactions on image processing, vol. 6, no. 12, pp. 1673–1687, 1997

1997
[24]

A multiresolution watermark for digital images,

X.-G. Xia, C. G. Boncelet, and G. R. Arce, “A multiresolution watermark for digital images,” inProceedings of international conference on image processing, vol. 1. IEEE, 1997, pp. 548–551

1997
[25]

Media forensics and deepfakes: an overview,

L. Verdoliva, “Media forensics and deepfakes: an overview,”IEEE journal of selected topics in signal processing, vol. 14, no. 5, pp. 910– 932, 2020

2020
[26]

Cnn- generated images are surprisingly easy to spot... for now,

S.-Y . Wang, O. Wang, R. Zhang, A. Owens, and A. A. Efros, “Cnn- generated images are surprisingly easy to spot... for now,” inProceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2020, pp. 8695–8704

2020
[27]

Faceforensics++: Learning to detect manipulated facial images,

A. Rossler, D. Cozzolino, L. Verdoliva, C. Riess, J. Thies, and M. Nießner, “Faceforensics++: Learning to detect manipulated facial images,” inProceedings of the IEEE/CVF international conference on computer vision, 2019, pp. 1–11

2019
[28]

C2pa: the world’s first industry standard for content provenance (conference presentation),

L. Rosenthol, “C2pa: the world’s first industry standard for content provenance (conference presentation),” inApplications of Digital Image Processing XLV, vol. 12226. SPIE, 2022, p. 122260P

2022
[29]

Can’t see the forest for the trees: Benchmarking multimodal safety awareness for multimodal LLMs,

W. Wang, X. Liu, K. Gao, J.-t. Huang, Y . Yuan, P. He, S. Wang, and Z. Tu, “Can’t see the forest for the trees: Benchmarking multimodal safety awareness for multimodal LLMs,” inProceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), W. Che, J. Nabende, E. Shutova, and M. T. Pilehvar, Eds. Vienna, Au...

2025