Steganography and Steganalysis in digital age
Tomáš Pevný
Agent Technology Center, CTU
15th October 2015
T. Pevný | Steganography and Steganalysis 1/56
What is steganography?
AliceBob
Eve - Warden
message
message
m ∈ M
m ∈ M
cover imagec ∈ C
secret messagehidden in image
embeddingfunction SE
keyk ∈ K
extractionfunction SX
SteganographySteganography is the art of undetectably communicatingmessage in an innocuous looking object.Steganos (covered) + graphia (writing), J. Trithemius, 1499The most important property is undetectability.
T. Pevný | Steganography and Steganalysis 4/56
Difference to cryptography
Difference to cryptographyCrypto makes the message unintelligible, but the existence ofsecret message is obvious (overt).Stego conceals the very presence of message (covert), thecommunicated object is just a decoy.Cryptography provides privacy.Steganography provides secrecy.
T. Pevný | Steganography and Steganalysis 5/56
Little history
First written evidence comes from ancient Greece about470BC (wax covered tablets, slave’s scalp).Messages written on the back of postage stamps.Invisible ink (lemon juice, water, etc.).Microdots (Nazis, WWII).Transferred meanings of words (Japan, WWII).Com. J. Denton blinked by his eyes TORTURE in Morse codeduring propaganda filming in Vietnam prison.Steganography in its modern form utilizing digital media isonly approx. 17 years old.
T. Pevný | Steganography and Steganalysis 6/56
Schwarzenegger’s letter
Fig: A letter of gov. A. Schwarzenegger to T. Ammiano,S.F. Gate, October 28, 2009
T. Pevný | Steganography and Steganalysis 7/56
Schwarzenegger’s letter
Fig: A letter of gov. A. Schwarzenegger to T. Ammiano,S.F. Gate, October 28, 2009
T. Pevný | Steganography and Steganalysis 8/56
Steganographic channel (1)
Steganographic channelEnables the exchange of the “innocuous” messages.Any periodically visited site with medias is good.
ExamplesMedia sharing sites: flicker, youtube, picasa, e-bay etc.voice-over-IP (skype), timing of IP packetsYogurt story
T. Pevný | Steganography and Steganalysis 9/56
Steganographic channel (2)
Steganographic software by type of hideout media.
(data provided courtesy of N. Johnson
figure provided courtesy of J. Fridrich)
T. Pevný | Steganography and Steganalysis 10/56
Why are image popular?
downloaded from:
https://www.flickr.com/photos/franckmichel/6855169886/in/photostream/
T. Pevný | Steganography and Steganalysis 11/56
Who uses steganography and why?
In some countries the cryptography is prohibited (China,Belarus, Russia,. . . ) or restricted (UK).Used by secret services (no information).
June 2010, russian spies in US alleged to use steganography.http://www.darkreading.com/security/news/225701866
Steganography program S-Tools was used to distribute childporn. This case occurred between 1998 and 2000.Malware for concealing Command and Control channel.
T. Pevný | Steganography and Steganalysis 12/56
Used by terrorist
Technical Mujahid, a Training Manual for Jihadis containschapter about steganography.Dhiren Barot, an Al Qaeda operative filmed reconnaissancevideo between Broadway and South Street and concealed it bysplicing it into a copy of the Bruce Willis movie "Die Hard:With a Vengeance."Barot was sentenced to 40-to-life in Great Britain. NY Times,08/11/20061st May, 2012 CNN reported Al Qaeda courier was caught inGermany.http://edition.cnn.com/2012/04/30/world/al-qaeda-documents-future/index.html
T. Pevný | Steganography and Steganalysis 13/56
Used by Malware
Malware embeds payload into meta data in image containers.
blog.sucuri.net, July 2013Fireeye report, page 15
Replacing portion of images with the payload
blog.malwarebytes.org, February 2014
“Decent” steganography
Lurk, February 2014Vawtrack, March 2015trend micro, October 2015
T. Pevný | Steganography and Steganalysis 14/56
Number of software titles by release date
Number of newly released steganographic software titles per year.(data provided courtesy of N. Johnsonfigure provided courtesy of J. Fridrich)
T. Pevný | Steganography and Steganalysis 15/56
Relation to other data hiding techniques
SteganographyIt is fragile, as small change can make the message unreadable.It has to be undetectable.It should provide high capacity.
Watermarking
Watermarking — robust against distortion / removal attacks.Its presence can be detected,It usually has low capacity.
Boundaries are blurred (robust steganography, fragile watermarking),other application exists (Secure Digital Camera).
T. Pevný | Steganography and Steganalysis 16/56
Example: LSB replacement (1)
cover image stego image with hidden256 color image
T. Pevný | Steganography and Steganalysis 25/56
Example: LSB replacement (2)
cover image
Let’s try to hide as much data, aspossible.
T. Pevný | Steganography and Steganalysis 26/56
Example: LSB replacement (2)
cover image
1st LSB bitplane overwritten.approximately 98Kb hidden.filesize 784Kb.
T. Pevný | Steganography and Steganalysis 27/56
Example: LSB replacement (2)
1st and 2nd LSB bitplanesoverwritten.approximately 196Kb hidden.filesize 784Kb.
T. Pevný | Steganography and Steganalysis 28/56
Example: LSB replacement (2)
1st, 2nd, and 3rd LSBbitplanes overwritten.approximately 294Kb hidden.filesize 784Kb.
T. Pevný | Steganography and Steganalysis 29/56
Example: LSB replacement (2)
1–4 LSB bitplanesoverwritten.approximately 392Kb hidden.filesize 784Kb.
T. Pevný | Steganography and Steganalysis 30/56
Example: LSB replacement (2)
1–5 LSB bitplanesoverwritten.approximately 490Kb hidden.filesize 784Kb.
T. Pevný | Steganography and Steganalysis 31/56
Example: LSB replacement (2)
1–6 LSB bitplanesoverwritten.approximately 588Kb hidden.filesize 784Kb.
T. Pevný | Steganography and Steganalysis 32/56
Example: LSB replacement (2)
1–7 LSB bitplanesoverwritten.approximately 686Kb hidden.filesize 784Kb.
T. Pevný | Steganography and Steganalysis 33/56
Example: LSB replacement (2)
1–8 LSB bitplanesoverwritten.approximately 784Kb hidden.filesize 784Kb.
T. Pevný | Steganography and Steganalysis 34/56
Current approaches
Uses coding (syndrome trellis codes) to increase embeddingefficiency.The location of embedding changes depends on the imagecontent.
T. Pevný | Steganography and Steganalysis 35/56
Hugo — content adaptive steganography
0.25 bits per pixel 0.5 bits per pixel
T. Pevný | Steganography and Steganalysis 36/56
What is steganalysis?
AliceBob
Eve - Warden
message
message
m ∈ M
m ∈ M
cover imagec ∈ C
secret messagehidden in image
embeddingfunction SE
keyk ∈ K
extractionfunction SX
SteganalysisSteganalysis aims to detect the presence of secret message.
T. Pevný | Steganography and Steganalysis 38/56
Who is interested in steganalysis?
Interests from government and law enforcement.Steganalysis is considered part of Computer Forensics.Steganalysis is important for protection against malware.Tools developed for steganalysis find applications in DigitalForensics in general (e.g., for detection of digital forgeries andintegrity and origin verification).Major US agencies funding research in steganography
US Air Force and AFOSRNational Institute of Justice (NIJ)Office of Naval Research (ONR)National Science Foundation (NSF)Defense Advanced Research Project Agency (DARPA)
T. Pevný | Steganography and Steganalysis 39/56
Steganalysis in a wide sense
Traditional steganalysisTraditional steganalysis detects the mere presence of secretmessage.
Forensic steganalysisDetection is not sufficient, we want to know more:
identification of the embedding algorithm (LSB,±1 ,. . . )the stego software used (F5 , Outguess, Steganos, . . . )the stego keythe hidden bit-streamthe decrypted message
T. Pevný | Steganography and Steganalysis 40/56
Different flavors of steganalysis
Visual steganalysishuman intensive.rarely used in practice.
Heuristic steganalysis
100% relies on steganalyst detail knowledge of the algorithm.
Blind steganalysiscombines knowledge
extracted from the training setfrom steganographic features.
T. Pevný | Steganography and Steganalysis 41/56
Visual steganalysis
Invisible changes may become visible after appropriate processing.
Stego image LSB of red channel ofcover image
LSB of red channel ofstego image
(source: A. Westfeld and A. Pfitzmann, "Attacks on Steganographic Systems,"Lecture Notes in Computer Science, vol.1768, Springer-Verlag, Berlin, 2000,pp. 61–75)
T. Pevný | Steganography and Steganalysis 42/56
Heuristic steganalysis
Heuristic steganalysisamounts to find quantity predictably changing with the lengthof hidden message.
20 22 24 26 28 300
100
200
300
pixel value
number
ofpixels
cover image
20 22 24 26 28 300
100
200
300
400
pixel valuenumber
ofpixels
stego image
Histograms of pixel values.
T. Pevný | Steganography and Steganalysis 43/56
Blind steganalysis
PSfrag repla ements Steganographi Features De isionBlind steganalysis
uses features to provide low-dimensional model of naturalimages (more later).pattern recognition algorithms are used to learn differencesbetween cover and stego images.state of the art in steganalysis.
T. Pevný | Steganography and Steganalysis 44/56
Current approaches
Image is described by a large number of features (up to 50000) sensitive to noise.Machine learning algorithms learns the difference betweencover and stego.Problem with over-fitting / cover source mismatch.
T. Pevný | Steganography and Steganalysis 45/56
Problem setting
message
messagem ∈ M, m ∼ Pm
m ∈ Mcover imagec ∈ C, c ∼ Pc
stego images ∈ C, s ∼ Ps
embeddingfunction SE
keyk ∈ K, k ∼ Pk
extractionfunction SX
Steganographic algorithm
Steganographic algorithm is a tuple (SE,SX), whereSE : C ×M ×K 7→ C is an embedding functionSX : C ×K 7→M is an extraction function
T. Pevný | Steganography and Steganalysis 47/56
Cachin’s defition of steganographic security
The most important property is undetectabilityKerckhoffs’ principleFor perfect steganographic algorithm holds Pc = Ps .
Cachin’s definition: steganographic algorithm is ε-secure iffKL-divergence
DKL(Pc‖Ps) = ∑c∈C
Pc(c) logPc(c)
Ps(s)< ε,
where Pc/Ps is pdf of cover / stego objects.
T. Pevný | Steganography and Steganalysis 48/56
Why KL-divergence is important?
Provides bounds on best achievable detector.
T. Pevný | Steganography and Steganalysis 49/56
Why KL-divergence is important?
Statistical testingHypothesis H0 states that scrutinized images is cover, H1 statesthat scrutinized images is stego. If detection statistic f (x)> τ, thetest output image is stego, otherwise cover.Errors:
1 Type I occurs if test returns H1 when H0 is true(false positive), α .
2 Type II occurs if test returns H0 when H1 is true(false negative), β .
T. Pevný | Steganography and Steganalysis 50/56
Question
How does secure message length grows with size (number) of covermedia?
T. Pevný | Steganography and Steganalysis 51/56
Square-root law for independent covers
Assumptions:1 Cover consists of n iid pixels (x1, . . . ,xn)∼ pn(x).
2 Payload of size m causes each pixel to be replaced,independently of each other and the cover, with probabilityλ = m
n , and that replaced pixels are independent each withmass function q(x).
3 Suppose that for all x , p(x) 6= 0 and q(x) 6= 0, and there existsy such that p(y) 6= q(y).
Statement:1 If m√
n7→ ∞ then, for sufficiently large n, covers and stego
objects can be distinguished with arbitrarily low error rate.2 If m√
n7→ 0 then, for sufficiently large n, any detector must have
arbitrarily high error rate.
T. Pevný | Steganography and Steganalysis 52/56
Hoeffding’s inequality
Let X be a sum of n independent, not necessarily identicallydistributed, random variables each bounded in [0,1], then for t > 0
Pr [X ≥ E [X ]+nt]≤ exp(−2nt2),and
Pr [X ≤ E [X ]−nt]≤ exp(−2nt2).
T. Pevný | Steganography and Steganalysis 53/56
Square root law requires linear key
Assumptions:1 Cover consists of n pixels (x1, . . . ,xn) independent and
identically distributed each with mass functionp(x).2 Payload of size m which causes exactly m pixels to be replaced
with mass function q(x).3 Sender, recipient, and attacker share knowledge of a set K of
secret keys, each of which generates a path of length mdetermining the payload locations, but only the sender andrecipient know which key is used.
4 Exists y such that p(y) 6= q(y).
Statement:If log |K |
m 7→ 0, as m 7→+∞ and m 7→+∞ as n 7→+∞, then, forsufficiently large n, covers and stego objects can be distinguishedwith arbitrarily low error rate.
T. Pevný | Steganography and Steganalysis 54/56
Practical issues with verification of the security
Practical issuesProbability distribution of cover objects Pc is unknown(perfectly secure stego-system).Space of all cover objects C is too large to sample Pc .
We have to rely on simplified models (statistical / analytical).
Balanceunrealistic conclusions (steganography).curse of dimensionality (steganalysis).cat and mouse game.
T. Pevný | Steganography and Steganalysis 55/56
Current trends and open problems
SteganographyDesign of distortion functions, content adaptive steganography.Embedding in stream of imagesSteganography for color images / video / (timing channels).
SteganalysisHigh dimensional models, learning models.Learning from large number of images.Pooled steganalysisEvidence in front of the court.Cover-source mismatch / overfitting.
T. Pevný | Steganography and Steganalysis 56/56
Top Related