Steganography detection Roland Cmorik, Martin Šumák

Steganography detection

Roland Cmorik, Martin ŠumákRoland Cmorik, Martin Šumák

IntroductionIntroduction

cryptography and steganography are cryptography and steganography are used for exchanging a secret used for exchanging a secret informationinformation,,

the difference - steganography is a the difference - steganography is a method how to method how to communicate invisiblycommunicate invisibly,,

the cthe cover medium is a message in over medium is a message in which the secret message can be which the secret message can be hiddenhidden,,

IntroductionIntroduction

hidden message can be also encrypted hidden message can be also encrypted before embeddingbefore embedding

ccover medium over medium shouldshould contain enough contain enough amount of redundancy and ucertaintyamount of redundancy and ucertainty,,

tthe data such as images, videos and he data such as images, videos and sounds contain huge amount of sounds contain huge amount of uncertaintyuncertainty (ex. the least significant bits of pictures)(ex. the least significant bits of pictures)

WatermarksWatermarks

Strong watermarks - Strong watermarks - keep indentity of author keep indentity of author of of somesome file file (book, video, photography,...).(book, video, photography,...).They They would be found even after the file would be found even after the file undergoes a great deal of distortionundergoes a great deal of distortion..

Weak watermarks – are made as fragile as Weak watermarks – are made as fragile as possible.possible.They have to They have to disappear even if a minimal disappear even if a minimal change of the file would occurchange of the file would occur..

The combination is a good protection The combination is a good protection before before tampering the filetampering the file..

Steganography techniquesSteganography techniques

replace the noise in an imagereplace the noise in an image,, eight bits for each color component eight bits for each color component (RGB) (RGB)

soso color colorss of pixels of pixels areare expressed with extra expressed with extra precisionprecision,,

tthe secret message can be stored in least he secret message can be stored in least significant bits of color componentssignificant bits of color components,,

changed image is for human eye identical with changed image is for human eye identical with original imageoriginal image

disadvantage - easy to detect disadvantage - easy to detect by visual or statistical by visual or statistical attacksattacks,,

mmore sophisticated way is to spread the information ore sophisticated way is to spread the information between many filesbetween many files ( (needs larger cover medium needs larger cover medium ).).

Steganography techniquesSteganography techniques

Mimic data - tMimic data - this technique doesn’t try to his technique doesn’t try to change a cover medium, it tries to create change a cover medium, it tries to create aa message only from the secret messagemessage only from the secret message..

Example - Example - create a chess game notation, create a chess game notation, that represents a random chess gamethat represents a random chess game..The bits of secret message can be hidden The bits of secret message can be hidden as order of black or white squares of as order of black or white squares of moves in the gamemoves in the game..

Attacks on steganographyAttacks on steganography

Attacking staganographic algorithms is very Attacking staganographic algorithms is very similar to attacking cryptographic algorithms.similar to attacking cryptographic algorithms.

Some possible attacks:Some possible attacks:

File only - determine if there is a hidden File only - determine if there is a hidden message.message.

File and original CopyFile and original Copy - destroy hidden - destroy hidden information, extract the information, replace...information, extract the information, replace...

Attacks on steganographyAttacks on steganography

Compression Attack: One of the simplest attacks Compression Attack: One of the simplest attacks is to compress the file. Compression algorithms is to compress the file. Compression algorithms try to remove the extraneous information from try to remove the extraneous information from a file, and “hidden” is often equivalent to a file, and “hidden” is often equivalent to “extraneous”.“extraneous”.

Random Tweaking Attack: An attacker could Random Tweaking Attack: An attacker could simply add small, random tweaks.simply add small, random tweaks.

Reformat Attack: One possible attack is to change Reformat Attack: One possible attack is to change the format of the file. Different file formats don’t the format of the file. Different file formats don’t store data in exactly same way (BMP, GIF, JPEG)store data in exactly same way (BMP, GIF, JPEG)

StaganalysisStaganalysis

Deals with identifying the existence of a Deals with identifying the existence of a messagemessage (File Only Attack). (File Only Attack).

Many of the basic tests in steganalysis will Many of the basic tests in steganalysis will just identify the possible existence of a just identify the possible existence of a message. In some cases, hidden bits are message. In some cases, hidden bits are spread throughout the file. spread throughout the file.

Some of these algorithms can’t tell you Some of these algorithms can’t tell you where they are, but they can tell that the where they are, but they can tell that the hidden bits are probably there.hidden bits are probably there.

StaganalysisStaganalysis

The basic approaches can be divided into The basic approaches can be divided into these categories:these categories:

Structural AttacksStructural Attacks

Visual or Aural AttacksVisual or Aural Attacks

Statistical AttacksStatistical Attacks


Steganographic algorithms often leave behind a Steganographic algorithms often leave behind a characteristic structure to the data.characteristic structure to the data.

Hiding information in the least significant bit is Hiding information in the least significant bit is simple when each pixel is represented by 24 bits simple when each pixel is represented by 24 bits such as BMP.such as BMP.

But, file formats such as GIF allocate 8 bits or fewer But, file formats such as GIF allocate 8 bits or fewer by building a palette of selected colors. by building a palette of selected colors. Each pixel of image is represented by index of color Each pixel of image is represented by index of color in the palette. in the palette. Hiding information in GIF format by tweaking the Hiding information in GIF format by tweaking the least significant bit can fail because the palette least significant bit can fail because the palette entries are often not close enough.entries are often not close enough.


An effective way An effective way how to avoid this how to avoid this problem is to sort problem is to sort the palettethe palette

EzStego uses this EzStego uses this techniquetechnique


After hiding procedure the palette After hiding procedure the palette must be unsorted to the original form must be unsorted to the original form – attacker will not see that – attacker will not see that steganographic program was used.steganographic program was used.

But if the attacker knows the sorting But if the attacker knows the sorting algorithm (it is deterministic) then he algorithm (it is deterministic) then he can access to hiden bits.can access to hiden bits.

Visual AttacksVisual Attacks

Human is trying to search for visual Human is trying to search for visual anomalies.anomalies.

One common test displays the least One common test displays the least significant bits of an image.significant bits of an image.

Completely random noise often reveals the Completely random noise often reveals the existance of a hidden message because existance of a hidden message because imperfect digitalizers leave echoes of the imperfect digitalizers leave echoes of the large structure in the least significant bits.large structure in the least significant bits.


On the left is the On the left is the original picture, on the original picture, on the right one is hiden right one is hiden message embedded in message embedded in upper half of image upper half of image (EzStego used).(EzStego used).

Least significant bits Least significant bits of pixels (after of pixels (after ordering the palette), ordering the palette), it is easy to recognize it is easy to recognize that there was a hiden that there was a hiden message embedded in message embedded in the right picture.the right picture.


Disadvantages (for attacker):Disadvantages (for attacker): If there are no objects on the picture with If there are no objects on the picture with

clear shapes – it causes random noise on clear shapes – it causes random noise on the least significant bits of the original the least significant bits of the original image – canimage – can’t see the difference.’t see the difference.

IIt is hard to automatize the visual t is hard to automatize the visual attacksattacks..


Visual attacks show that the value of last Visual attacks show that the value of last significant bits of pixels is not as random as it significant bits of pixels is not as random as it seems.seems.

Standard Standard embeddedembedded message that has to be message that has to be hidden is more random than thehidden is more random than the replaced replaced bits. bits.

This property is the main weakness explioted This property is the main weakness explioted by statistical attacks on steganography.by statistical attacks on steganography.


The simplest statistical test for The simplest statistical test for detecting randomness is the χ2 (chi-detecting randomness is the χ2 (chi-squared) test.squared) test.

It is It is based on differences between based on differences between expected number of some event expected number of some event occurrences and number of its real occurrences and number of its real occurrences.occurrences.

Statistical AttacksStatistical Attacks EEvents vents ee00, ... , , ... , ekek would occur with uniform probability (as would occur with uniform probability (as

bits in a message to hide). bits in a message to hide). If there is If there is nn events in a sample sequence at all, the expected events in a sample sequence at all, the expected number of each number of each eiei event occurrences is then event occurrences is then nn//kk. . Let Let cici be the number of real occurrences of be the number of real occurrences of eiei event event.. TThe he amount of randomness in the sample sequence of amount of randomness in the sample sequence of nn events is events is measured with this equation:measured with this equation:

k

i

k

n

ikn

c

1

2

2


High scores indicate an unrandom High scores indicate an unrandom condition and it is typical for any part condition and it is typical for any part of original pictureof original picture..

LLow scores indicate high degree of ow scores indicate high degree of randomness and it is typical for files randomness and it is typical for files with ewith embeddedmbedded hidden message. hidden message.


In χ2 test of some image file the In χ2 test of some image file the events can be the values of least events can be the values of least significant bitssignificant bits ( (ee1 = 01 = 0,, ee2 = 12 = 1, , nn is is the number of least significant bitsthe number of least significant bits).).

Or wOr we can also evaluate the e can also evaluate the randomnessrandomness of of pairs pairs (triplets,…) (triplets,…) of of coterminously bitscoterminously bits or or the randomnessthe randomness of squares of of squares of pp × × pp pixels in image. pixels in image.

Documents

Steganography detection Roland Cmorik, Martin Šumák