The Basics of Data Hiding on the Internet-handout

8/7/2019 The Basics of Data Hiding on the Internet-handout

1/67

WORLDCOMP'10

The 2010 World Congress in Computer Science,

Computer Engineering, and Applied Computing

The Basics of Data Hiding

on the Internet(Tutorial)

Prof. Gevorg Margarov

Head of Information Security and Software Development Department,

State Engineering University of Armenia, Yerevan, Armenia

WORLDCOMP'10

July 12-15, 2010

Las Vegas, Nevada, USAhttp://www.world-academy-of-science.org


2/67


3/67

GevorgMargarov WORLDCOMP'10

TheBasicsofDataHidingontheInternet i

DESCRIPTION

This tutorial is devoted to problems of data hiding on the Internet by means of steganography and

detection of steganographic content by means of steganalysis. Rumors in mass media about terrorists

using steganography are revealed. The basic idea of steganography, its history and application on theInternet is considered. Classification and examples of available software are outlined. Main principles

of steganalysis and detection of steganographic content are discussed. The modern Internet is

becoming a more and more suitable environment for storage and the multi-user access to big volumes

of data. Thus, digital steganographic techniques can be applied to hide sensitive data from undesired

eyes. The basis of data hiding on the Internet is Steganography and accordingly Steganalysis.

Steganographic systems can hide secret messages inside images or other digital objects on a local

computer, LAN or the Internet. Secret messages remain invisible to a casual observer inspecting these

files.

What is Steganography? Someone unfamiliar with this term, like a friend of mine, can ask Maybe it

is Stenography (shorthand notation) or a Stegosaurus (one of the most recognizable dinosaurs)?

Certainly it is not. In fact, there are several different technical definitions of the term

"Steganography". For instance, in April 2006, the US National Science and Technology Council

released the Federal Plan for Cyber Security and Information Assurance Research and

Development, which defines steganography as "the art and science of writing hidden messages in

such a way that no one apart from the intended recipient knows of the existence of the message".

Generally speaking there are two main approaches to the information protection against the

purposeful influence:

Cryptography - literally means "secret writing" Steganography - literally means "covered writing"

In cryptography, one can say that the message has been encrypted, but it cannot be decoded without

the proper key. While, in steganography the message itself may be easy to decode, but the majority

will not be aware of the presence of it. It is alleged that steganography provides a higher security than

cryptography. Why so? You will be able to learn about it from the tutorial.

OBJECTIVES

This tutorial will:

enable the participants to understand more about the basics of steganography andsteganalysis

describe the history of steganography, and identify the lessons of history suitable for themodern practice


4/67


TheBasicsofDataHidingontheInternet ii

survey various available steganographic software and demonstrate their practical applicationon various examples

provide the peculiarities of data hiding on the Internet and the basic approaches to furtherdevelopment

INTENDED AUDIENCE

This tutorial:

does not require any special knowledge and can be available for a wide range ofWorldComp10 participants.

is intended for faculty, engineers, scientists, department managers and policy makers, andstudents who are interested in data hiding and investigation of hidden data.

BIOGRAPHY OF INSTRUCTOR

Gevorg Margarov has obtained a Degree in Computer Engineering from Yerevan Polytechnic

Institute (now State Engineering University of Armenia - SEUA) (Armenia) in 1976, Ph.D. in

Organization of Structures and Computing Processes in Computers, Complexes and Systems from

Moscow Institute of Radio Engineering, Electronics and Automation (Russia) in 1983. Since 1976 he

has been teaching at SEUA and State Institute of Skill Advance in Informatics (SISAI) (Armenia).

1988 - 2004 he was the Head of the Systemotechniques Department of SISAI. Since 2004 till now he

has been holding the position of the head of Information Security and Software Development

Department of the SEUA. The current research interests are in the fields of organization of computer

systems, principles of the information security management and engineering, digital steganograpy,

applied cryptography, e-Learning systems. Prof. Margarov has over 160 publications in these areas.

CONTACT INFORMATION

Professor Gevorg Margarov

Information Security and Software Development Department,

State Engineering University of Armenia,

105 Terian Street, Yerevan, Armenia, 0009

tel: + (374) 93 401895 fax: + (374) 10 544006

email: [email protected]

http://www.seua.am/eng/comp/depar1.htm#2


5/67


TheBasicsofDataHidingontheInternet 1

The Basics of Data Hidingon the Internet

(Tutorial - July 14, 2010, 6:00-9:00 PM)

State Engineering University of Armenia

Instead of Preamble

This chair is the best

from all existing

But it is not so .

The basis is too weak

The basis is very important

The chair from blocks


6/67



Instead of PreambleThe modern design chair

This chair seems to

be much better

The Robotic Chair

This chair which canreconstitute itself is really

excellent because of its

strong scientific basis

Data Hiding on the Internet

Steganography Steganalysis

Steganography can hide

secret messages inside

images or other digital

objects on a localcomputer or Internet

[1]


7/67




Secret messages remain

invisible to a casual observer

inspecting these files

More suitable

environment for

storage and themulti-user access to

big volume of dataSteganog

raphy

+

Rumors - Terrorists Use Steganography

Terrorist instructions hidden online Terror groups hide behind Web

encryption

February 5, 2001

Lately, al-Qaeda operatives have been sending hundredsof encrypted messages that have been hidden in files ondigital photographs on the auction site eBay.com

Militants wire Web with links to jihadJuly 10, 2001

[2]

[3]

[4]

[5]


8/67



Rumors - Terrorists Use Steganography

The investigation of the terrorist attacks on the United

States is drawing new attention to a stealthy method of

sending messages through the Internet. The method,

calledsteganography, can hide messages in digitalphotographs or in music files but leave no outward trace

that the files were altered

Veiled Messages of Terror May Lurk in CyberspaceOctober 30 , 2001

Latest Publications

Another technique employed by terrorists is

steganography that is used to embedmessages in pictures and audio files

Terror flows out of hi-tech boom Law & orderJuly 14, 2007

[6]

[7]


9/67



Latest Publications

Internet jihadists hide their messages with

pirated encryption software and steganography,

a technology that embeds messages into

photographs making them undetectable

August 21, 2007

Latest Publications

He used a technique called steganography whichenabled him to encrypt and send data inside music

and picture files using third-party software. He wascaught after an elaborate investigation process

Data leak: Cyber sherlocks outwit hackersOctober 12, 2007

[8]

[9]


10/67



Latest Publications

Anti-forensics tools are being used morefrequently by cyber-criminals to cover their

tracks and to prevent monitoring The use of

steganography is very easy for a forensicinvestigator to overlook and is thus becoming

popular with cyber-criminals

Steganography is key ingredient to anti-forensicsOctober 31, 2008

Latest Publications

Examiners need to look for the presence of

steganography tools on the suspectscomputer. If no tools are discovered, possibly

theirartifacts can be found in the registery.

Digital Insider: Anti-DigitalForensics, The Next Challenge

December 01, 2008

[10]

[11]


11/67



Latest Publications

Its easy. All one has to do is use any of the

more than 1,000 digitalsteganographyapplications available as freeware or

shareware on the Internet to hide information

that the current generation ofe-discovery

toolswill not detect.

Defeating E-DiscoveryEnterprise Search Tools

January 23, 2009

Latest Publications

The internet's underlying technology can be

harnessed to let people exchangesecret

messages, perhaps allowing free speech anoutlet in oppressive regimes.

Fake Web Traffic Can Hide Secret ChatMay 26, 2009

[12]

[13]


12/67



Magazine Available on the Internet

Section 1: CovertCommunications

andHidingSecrets Inside Images

Technical Mujahid, a TrainingManual for Jihadis

February, 2007

One more interesting publication

The next time your internet (VoIP) phone call

sounds a bit fuzzy, it might not be your ISP

that's to blame. Someone could be trying to

squeeze a secret message between thepackets of data carrying the caller's voice.

Secret messages could be hidden in net phone callsMay 30, 2008

[14]

[15]


13/67



Steganalysis vs. Steganography

Steganography is a tool for information

support of terrorist activity

To struggle against such use of

the Internet it is necessary to

have adequate means of

detecting the steganographic

content in files automatically

These problems are subject to

investigation for steganalysis

What Is Steganography?

Stega-what?

Stenography? (shorthand notation)

Stegosaurus ? (type of dinosaurs)


14/67




Steganography is

the art and science of writing

hidden messages in such a waythat no one apart from the

intended recipient knows of the

existence of the message

Steganography is the art andscience of writing hidden

messages in such a way that no

one even realizes there is a

hidden message


Two main approaches to information protection:

Cryptography - secret writingSteganography - covered writing

Cryptography - It is visible, that a message

has been encrypted, but it cannot be

decoded without the proper key

Steganography - The message itself may

not be difficult to decode, but the majority

will not perceive the presence of it

[16]

[17]


15/67




Steganography is transparent, but not virtual

Virtual is when you think its there

but it really isnt.

Transparent is when its really there

but you just cant see it.

Steganography provides highersecurity than cryptography

Steganography vs. Cryptography

Steganography

Cryptography

?


16/67



Steganography hides a message inside another messageand looks like a normal graphic, sound, or other file

steganography


Steganography hides a message inside another message

and looks like a normal graphic, sound, or other file

In case of cryptography an encrypted message looks

like a meaningless jumble of characters

cryptography steganography


From this point of view as well steganography is more secure


17/67




Cryptography

SteganographyThe message is hidden in another

message without disturbing the

perception of the last

The message is

encrypted and getskind of meaningless characters


Cryptography

SteganographyA set of similar graphics, sound and

other files do not cause suspicion

A set of files containing

arbitrarycharacters raises suspicions


18/67




Cryptography

SteganographyA well-prepared enemy can detect some

inconsistencies in the format

of the message

Unprepared enemy

can easily detect the fact ofthe transfer of encrypted message


Cryptography

SteganographyIt is dangerous to reuse graphics,

sound and other files

It is dangerous to

reuse cryptographic keys


19/67




Cryptography

SteganographyThe software development is relatively

simple and its application does not

require special skills

The software development is

relatively complex and its applicationrequires special skills and knowledge


Cryptography

SteganographyUsing usually not advertised

Using mostly obvious


20/67



Steganography + Cryptography

Steganography and cryptography

can amplify each other

Cryptography can be applied

to the data before hiding it

Once the presence of hidden

data is suspected, the goal of

steganography is defeated

The History of Steganography

Steganography was widely used in historical times,

especially before cryptographic systems were developed

Ancient Sumerians in 4-3 millennium BC

were one of the first to use steganography

The same technique of the covered

writing was used in the ancient

kingdom of Urartu (13-5 centuries BC)

Clay cuneiform tablets

found on the territory

of Armenian highlands

[18]

[19]

[20]


21/67




Wax covered tablet

To send the message without

being discovered, one scraped

the wax from the surface and

wrote his message on the bare

wood beneath


He then covered the wood with a fresh coat of wax andwrote on the wax a harmless text

thus let the tablet pass

without awaking any

suspicion with the guard

[21]


22/67




Another steganographic method was to shave

the head and tattoo a message on the scalp


Another steganographic method was to shave

the head and tattoo a message on the scalp

Once the hair grew

back, the messenger

could be sent to deliver

the message

To retrieve the message the receiver simply

had to re-shave the messengers head


23/67




In 1499 Johannes Trithemius

wrote a book Steganographia

It was published in

1606 in Frankfurt

Some of described

methods can be effective till now

Later they were replaced byinvisible inks, newspaper code,

microdots and null cipher

messages


Johannes Trithemius, as authorof the first printed work on

cryptography, the Polygraphiapublished in 1518, is one of the

founders of modern cryptography.His earlier famous work, thethree books of Steganographia,

composed 1499-1500 but notprinted until 1606, has been the

uncertain foundation of adifferent reputation: blackmagic.

Uncertain, because the

Steganographia is, at least onfirst reading, deeply ambiguous.The work itself seems to be about

using spirits to send secretmessages. But the preface to Book

I of the Steganographia explainsthat the cryptographic techniquesare purely natural. These are

valuable techniques of statecraft

- 2 -

and in order to keep them out ofthe hands of the enemies of the

state (planning conspiracies) andadulterers (planning trysts) they

are disguised by the use of af i g u r a t i v e l a n g u a g e o fdemonology.

Another letter from the

mathematician Carolus Bovillus(1479-1567) to Germanus de Ganay( a l s o a c o r r e s p o n d e n t o f

Trithemius's), described a 1504visit to Trithemius.

Shocked by the strange namesof spirits or demons, Bovillus

asserted that the book should beburned and that Trithemius must

have consorted with demons. Thisletter was published in 1510 andthe Trithemius's reputation as an

occultist was established, in

- 3 -

Invisible ink

Covered writingCovered writing

[22]

[23]


24/67









Steganographia is, at least on

first reading, deeply ambiguous.The work itself seems to be about




- 2 -











- 3 -


Newspaper code





.

. .

. . . . . .. .

3, 3, 1-1,6, 5-17, 23,







Steganographia is, at least onfirst reading, deeply ambiguous.The work itself seems to be about




- 2 -











- 3 -


Microdot

The idea and practice of hiding

information exchange has a long

history. Sumerians in 4-3 millen.

BC used steganography.


25/67




Null cipher







Steganographia is, at least on

first reading, deeply ambiguous.The work itself seems to be about




- 2 -











- 3 -

3, 3, 1-1,6, 5-6, 11, 13,


Hollywood blockbusters

1998

2001

2002

2007


26/67



under the image in a PowerPoint fileby coloring like the background

Digital Steganography

The boom of the Internet rose increasing

interest in digital steganography

Low-tech Data Hiding

It is not necessary to have any special tools or skills for

data hiding using computer variants of null cipher

using functions of a MS WordSecret

message

in comments within PowerPoint file,Web page, Source code, etc.


ABBYY FineReader

Microsoft

Word

Steganography

in the software

Easter Eggs

Help -> About -> 2x

[24]

[25]


27/67




EasterEggs

www. eeggs.com

Who Can Know About

Steganography Today?

1,020,000


28/67



How Big is the Problem?

Number of available steganographic software

2003 2004 2005 2006 2007 2008 2009

1200

1000

800

600

400

200

0

How Big is the Problem?

At least 1 million copies of steganographic software were

downloaded or purchased over the Internet during 2 years

Eventually the very knowledge of it

might not be of a great importance

The use of steganography is sure to increase and

will be a growing hurdle for anti-terrorism activities

Ignoring the significance of steganography

is most likely not a good strategy

[26]


29/67



Generalized Structure of

Steganographic System

Review

features

Embedding

algorithm

Pre-

processing

Filled

container

Extracting

algorithm

Post-

processing

Key

Container

Message

Key

Message

Sender Recipient

The Main Applications of

SteganographyThere are many practical applications of steganography,

which can be divided into:

data embedding for hiddentransmission or storage

embedding digital watermarks(Watermarking)

embedding authentication data (Fingerprinting)embedding headers and annotations (Captioning)

Embedding data for hidden transmission and storage is

the most obvious application of steganography

[21]


30/67



The Main Applications of

SteganographyDigital watermarks are used mainly forprotection of information materials (first

of all software and multimedia files) from

copying and unauthorized use

Unlike watermarks authentication

data is unique for each of the

protected sample (therefore called

fingerprint)

The purpose of captioning is

to gather different data of the

object into a single file

Requirements of Steganography

Data

Hiding

Water-

marking

Finger-

printing

Capti-

oning

4Payload 1 2 3

3Inalterability 5 5 4

1Embedding

Speed1 1 2

5Invisibility 3 3 3

5Security 5 5 1

1ExtractingSpeed

1 4 5

Applications


31/67



Trade-off Between Requirements

System is considered secure if it is impossible to

detect the presence of steganographic content

Payload is the

maximum amount

of data which

can be hidden

Security

Steganography

RobustnessPayload

Robustness is the

hidden data

survivability

factor

Increasing the security willdecrease payload and robustness

Increasing the payload willdecrease robustness and security


Main ideas:

Regular e-mail scenario

Web site scenario

Shared e-mail scenario

[27]

[28]


32/67




Firewall

InternetFirewall

Regular e-mail Scenario


Web Site Scenario


33/67




Shared Free Web-based e-mail Scenario

Recent Research Effort

About 60

steganographic

software have

been checked up

The majority of them appeared simple enough

for use and showed high functional qualities.


34/67



Practical Steganography

In all practical methods of digital steganography,

something is done to hide the data in carrier file

These methods can be

broke down into the

three categories on base

of both how and where

the data is hidden Generation

Substitution

Insertion

Insertion Based Steganography

These methods find places in a file that

are ignored by the application reading it

In this case, the size of the file

may increase, but its processing

by the appropriate software will

remain unchanged

For example the MS WORD file format can

contain quite a lot of data that is not

reflected when viewing the file.

[21]


35/67



Start End

Text


This file contains the flags of the Start

and End between which the actual Text is

In general, most files containthe flag end of file (EOF) after

which the file processing stops


Data placed after the EOF flag will be

imperceptible when processing the

file by standard application software

The main advantage here is that

one can hide theoretically

unlimited amount of data without

breaking the integrity and

perception of the container fileThe main drawback - the file

size can significantly increase

causing a reasonable suspicion


36/67



Example of Insertion Based

Steganography softwareInstalling the Camouflage software addstwo new options to Windows context menu

Names of new options and their

icons can be changed so as not

to cause suspicion (hide options)

Camouflage in Action

Data Embedding (Hiding)

[29]


37/67




The size of the filled container is the sum of thesizes of the empty container and hidden data

70KB


Data Extraction


38/67




Camouflaging to Image File

FF D9

Original file

Camouflaged file



FF D9

Original file

Camouflaged file

433 KB


39/67





FF D9

Original file

Camouflaged file

433 KB

Original file Camouflaged file

Data Hiding Using Means

of the Operating SystemTwo elements determine the effectiveness of steganography:

Invisibility of hidden dataInvisibility of steganographic tools

Invisibility of hidden data can be achieved by:

Digital steganographyConcealing (hidden) data

For example:

c:\windows

\system32\secret.doc btreza.dll


40/67



The use of undocumented features of the operatingsystem


of the Operating SystemInvisibility of steganographic tools can be achieved by:Installation on the mobile carriers (e.g. USB Drive)Concealing steganographic tools

For example:

c:\games

\chess\stego.exe setup.exe

Unconventional use of softwareFor example:


of the Operating SystemCommand Prompt

R+

Start, All Programs, Accessories, Command Prompt

This commands are

fairly similar to

classic MS-DOScommands


41/67



copycommand with the switch/b combines(concatenates) binary files without disrupting their structure

file1 file2

Data Hiding by copy Command


from End to Start (Type 2)

from Start to End (Type 1)

The extensionex3 is chosentaking into account the types

of combinable files (ex1,ex2)

There are two main principles of reading

the file by corresponding software:


42/67




In case of ex1=ex2=ex3 whencombining two similar files:

if the files are of type 1 the content of the file1willappear while reading the file3

if the files are of type 2 the content of the file2 willappear while reading the file3

file1 file2


Most interesting is the case when two files of

different types file1 and file2are combined

In this case:

ifex3 = ex1 while reading the file3 will appearthe content of the file1

ifex3 = ex1 while reading the file3 will appearthe content of the file2

file1 file2


43/67



Data Hiding by copy CommandThe Case Study:

copy /b text.doc + secret.zip result.doc

result.doc

result.zip

result. doc

Open With

WinZip

Data Hiding byNotepadNotepad - a simple text editor

Several text files can be attached to the same file text.txt

Size of file

text.txt remainsunchanged

Data Hiding in text files


44/67




of the Operating System

copy

Notepad

file3.ex3, ex2

text.txt:secret.txt

The main advantage here is that special steganographic

tools are not used and therefore they can not be found

Substitution Based Steganography

These methods overwrite (substitute)

the information that is already in the file

In this case, the hidden data replaces

part of meaningful data in a container

file without changing its size

Consequently it is necessary to choose very carefully

and thoroughly containers substitute parts, so it does

not become noticeably changed or even useless for

processing by standard application software


45/67




For instance gaps in the MS WORDfile can be replaced by invisible

characters, colored as the background

A very common way of hiding data is to substitute

the least significant bits (LSB) of image or sound file

In such a file every element is represented by a single

byte1127=128 20=1

G = 01000111

10010101 00001101 11001001 10010110

00001111 11001011 10011111 00010000

10010100 00001101 11001000 10010110

00001110 11001011 10011111 00010001

LSB

MSB


Data placed in the least significant parts

of the container modifies it slightly and

as a result imperceptibly for processing

the file by standard application software

The main advantage here is

that the container file size is

not increased, therefore there

is no undue suspicion

The main drawback - there is a

real limitation of hidden data

volume (size of least significant

parts of the container)

[30]


46/67



Header Image Data Footer

7 6 5 4 3 2 1 0

M

SBlayer

LSBlay

er

1 pixel 1 byte

28=256 levels

8 binary layers

Substitution in Grayscale Image

0 1 1 0 0 1 1 0

1 LSB 480 000 bit 60 KB

MSB LSB

11100110 00100110 01000110 01110110 01101110 01100010 01100100 01100111

Example of the gray level

800x600 pixels

3 LSB 1 440 000 bit 180 KB



47/67



LSB layer of empty container

LSB layer of filled container

Difference of layers

39 pixels of 77

are modified

Statistical studies show that in average

about 50% of pixels are modified


The primary statistical indicator of the image alteration isthe number of modified pixels

Substitution in Color Image

A color image is formed by the superposition of three

grayscale images in a range of red, green and blue

Red (R) Green (G) Blue (B) Color (RGB)

The volume of uncompressed image

file is determined by the physicaldimensions of the image (cm2),

pixel density (pixels/cm) and

storage format (plain , palette, ...)

[28]


48/67




24 bit color image800600 pixel

1 LSB

180 Kbytes

3 LSB

540 Kbytes


Modification of the least significant bits (LSB)Red Green Blue Color

00000000 11111111 11111111

00000000 11111111 11111110

00000000 11111110 11111110

00000001 11111110 11111110

Modification of the most significant bits (MSB)

Red Green Blue Color

00000000 11111111 11111111

00000000 11111111 01111111

00000000 01111111 01111111

10000000 01111111 01111111


49/67



8 bits7 bits6 bits

5 bits4 bits3 bits

2 bits1 bitOriginal


Example of Substitution Based

Steganography softwareThe most widely recognized

example of a substitution based

steganography is S-Tools which:

can hide data in BMP (BitMaP file format), GIF(Graphics Interchange Format) and WAV

(WAVeform audio format) filesallows data encryption with IDEA (International

Data Encryption Algorithm), DES (Data Encryption

Standard), Triple-DES or MDC (Message Digest

Cipher)can hide a secret message within the cover file using

pseudorandom number generator and password

[31]


50/67



Example of Substitution Based

Steganography softwareSuch a nonlinear substitution makes very difficult to

detect and extract hidden data in the absence of secret

values (key, password)

Using

S-Tools is

very easy

because of its

drag-and-dropinterface

S-Tools in Action

Data Embedding (Hiding)


51/67



S-Tools in Action

Hiding in 3 LSB - payload up to almost 40 %

Data Extraction

Generation Based Steganography

Both the insertion and substitution based

methods require a covert (hidden) and an

overt (carrier) file

With generation-based methods

the hiding data is used to create

the carrier file

In many cases such tools

can provide almost perfect

resistance to enemy attacks


52/67




Hide data used to generate the filled container,

so the enemy does not have something to

compare with since the corresponding empty

container does not exist at all

The main advantage here is

that the container file size can

not even be assumed ,

therefore there is no suspicion

The main drawback - for a givenamount of hidden data container

file size can be very large, which

strictly limits the payload


The prime example is the generation

of graphical fractals, the parameters

of the elements of which are

determined by hidden data

Fractal in a sense consists of

similar parts, which are

frequently repeated with change

of size, position, color, etc.

Parts of a fractal are described

by mathematical expressions,

the coefficients of which can

be specified by hidden data

[32]

[33]


53/67




Examples of interesting fractals

Grammar Based Steganography

Effective kind of container

generation idea are

steganographic tools based

on a special grammar

For instance generated

message may have

grammar, specific to the

advertisement, commentof source code, joke, or

even spam


54/67



Example of Grammar Based

Steganography softwareThe most interesting example ofgrammar (generation) based

steganography tool is SpamMimic

Web-based service which uses a

spam grammar and mimic

algorithm to produce spam-like

steganographic text

____ went to the city - He, She, It,

SpamMimic in Action

Hiding: www.spammimic.com

[34]

[35]


55/67



SpamMimic in Action

Hiding: Secretwww.spammimic.com

SpamMimic in Action

Hiding: Secretwww.spammimic.com


56/67



SpamMimic in Action

Extracting: www.spammimic.com

SpamMimic in Action

Extracting: www.spammimic.com


57/67



SpamMimic in Action

Extracting: Secretwww.spammimic.com

SpamMimic in Action

Extracting: Secretwww.spammimic.com

Annual Communications

Intelligence Report

Spam volume increases by more

than 50 % annually and already

reaches 95 % of all correspondence

Some 94% of all e-mail

last December was spam

Postini's report

[36]

[37]


58/67



Detection of Content

Steganalysis is the art and science of detecting

messages hidden using steganography

selection of features that hidden

message might exhibit

testing selected features for

the presence of hidden data

Art

Science

The Goal of Modern Steganalysis

The goal is to develop universal methods that can

work effectively for all steganographic methods

It is possible to design a reasonably good steganalysis

method for a specific steganographic algorithm

Current trend seems to suggest two extreme philosophies:

[38]


59/67



Universal Steganalysis

steganalysis is an attempt to find common

properties in existing steganographic algorithms

Universal approaches can be broken down into three

categories:

Self-learning

Blind identification

Parametric statistical modeling

Self-learning Steganalysis

The methods based on these approaches use two phases:

In the training phase examples of

steganographic files are provided to the

system, which learns the best

classification rule using these examples

training phase testing phase

In the testing phase an unknown file isgiven as input to the trained system to

decide whether a secret message is

present or not

[39]


60/67



Blind Identification Steganalysis

The methods based on these approaches formulate the

steganalysis as a system identification problem

The steganographic

algorithm is

represented as a

channel and the goal

is to invert this

channel to identify

the hidden data

Parametric Statistical Steganalysis

These approaches are based on certain parametric

statistical models for the carrier file, steganographic

file and the hidden data

Steganalysis is formulated as a

hypothesis testing problem:

no hidden data hidden data present

Content detection algorithm is then designed

to choose between the two hypotheses.

[40]

[41]


61/67



Universal Steganalysis in Action

Steganography detection and extraction environment:

SAFDB (SteganographyApplication Fingerprint Database)

StegAlyzerAS (SteganographyAnalyzerArtifact Scanner)

StegAlyzerSS (SteganographyAnalyzerSignature Scanner)

StegAlyzerRTS (SteganographyAnalyzerReal-Time Scanner)

Real time detection of signatures of 55 and

fingerprints of 725 steganography applications

over various networks including the Internet

Universal Steganalysis in Action

StegAlyzerAS (Steganography AnalyzerArtifact Scanner)

[42]


62/67



Specialized Steganalysis

steganalysis is an attempt to find weaknessesof specific steganographic methods on the basis of

detailed research of algorithms and results of their use

Specific steganographic algorithms:

Detecting Camouflage

Hidden file can be detected by examining

the camouflaged file data

FF D9

Hidden file


63/67



Detecting S-Tools

alter only the least significant bits of carrier file

but still leave detectable traces

Two types of methods can be used for

detecting these traces:

direct (visual, auditory, etc.) algorithmic

Direct inspection can succeed when hidden

data is inserted in relatively smooth areas

Algorithmic analysis is more powerful

since it reveals tiny alterations in the

files statistical behavior caused by hiding

Detecting SpamMimic

The vulnerability in is the redundancy of

some patterns, which can be found by wide testing

An e-mail with few pattern matches is a real-spam,

while an email with more matches can be considered

to be a steganographic e-mail

How spam patterns change

through the years?


64/67



Conclusion

Steganography is an ancient art which has experienceda surge of growth with the advent of the InternetSteganographic software is now available for public

over the Internet, and require no special training to use

Steganography defines the increased ability forterrorists to communicate undetectedly

Bans on the technology are not sufficient to eliminatecriminal useSteganalysis faces many obstacles in becoming a

reliable method of tracking steganographic activity

Summary

Steganography and steganalysis are still rapidlygrowing and

For every clever method and tool being

developed to hide data, the equal

number of clever methods and tools are

or will be developed to detect and

reveal the steganographic content

Real option - continue advancing andform a strong educational infrastructure

on steganography and steganalysis

[43]


65/67



Paraphrased Aphorism

If somebody thinks

steganography

can solve his problem,

. . .

then he doesnt

understand steganography

. . .

and he doesnt

understand his problem

Thank you!

Questions, Comments,

if you please

Contact: Gevorg [email protected]

[44]


66/67



References

[1] http://www.roboticchair.com/description.php[2] G. Margarov, V. Markarov, A. Khachaturov, Steganographic system with dynamically reconfigurable

structure, In: Proceedings of the 2009 International Conference on Security & Management - SAM'09,

Volume 1. ISBN 1-60132-124-4. CSREA Press, Las Vegas, NV, 2009, pp. 43-45

[3] http://www.usatoday.com/tech/news/2001-02-05-binladen-side.htm[4] http://www.usatoday.com/tech/news/2001-02-05-binladen.htm[5] http://www.usatoday.com/news/world/2002/07/10/web-terror-cover.htm[6] http://query.nytimes.com/gst/fullpage.html?res=9B01E3D91730F933A05753C1A9679C8B63[7] http://www.hindu.com/2007/07/14/stories/2007071459570300.htm[8] http://video.msn.com/?mkt=en-us&brand=msnbc&vid=929b7491-95a6-4e18-add5-7c3c8205dd1e[9] http://economictimes.indiatimes.com/Infotech/Data_leak_Cyber_sherlocks_outwit_hackers/articlesho

w/2451089.cms

[10] http://www.infosecurity-magazine.com/news/081031_Steganography_RSA.html[11] http://www.forensicmag.com/articles.asp?pid=245[12] http://www.dfinews.com/articles.php?pid=160

[13]

http://www.newscientist.com/article/mg20227096.200-fake-web-traffic-can-hide-secret-chat.html

[14] http://www.jamestown.org/terrorism/news/article.php?articleid=2370293[15] http://www.tmcnet.com/usubmit/2008/05/30/3474046.htm[16] http://en.wikipedia.org/wiki/Steganography[17] http://www.nitrd.gov/Pubs/csia/csia_federal_plan.pdf[18] F.L. Bauer, Decrypted Secrets: Methods and Maxims of Cryptology, New York: Springer-Verlag,

2002

[19] M. L. Thomsen, The Sumerian Language: An Introduction to Its History and Grammatical Structure,Copenhagen, 1984

[20] J. J. Klein, Urartian Hieroglyphic Inscriptions from Altintepe, Anatolian Studies, Volume 24, 1974,pp. 77-94

[21] G. Kipper, Investigator's Guide to Steganography, Auerbach, 2004[22] J. Reeds, Solved: The Ciphers in Book III of Trithemiuss Steganographia, Cryptologia, Volume 22,

Issue 4, October 1998 , pp. 291 - 317

[23] http://www.esotericarchives.com/tritheim/stegano.htm[24] D. Artz, Digital Steganography: Hiding data within Data, IEEE Internet Computing, May/June 2001,


67/67

GevorgMargarov WORLDCOMP'1075-80

[25] http://www.eeggs.com[26] C. Hosmer, and C. Hyde, Discovering Covert Digital Evidence, Proceedings of the 3th annual Digital

Forensic Research Workshop (DFRWS), Cleveland, Ohio August 2003

[27] S. Katzenbeisser, and F. Petitcolas, Defining security in steganographic systems, Proceedings of SPIE,Security and Watermarking of Multimedia Contents IV (San Jose, CA, Jan 2124), International

Society for Optical Engineering, 2002, pp. 5056

[28] H. Wang, and S. Wang, Cyber warfare: steganography vs. steganalysis, Communications of the ACM,Volume 47 , Issue 10, October 2004, pp. 76-82

[29] http://camouflage.unfiction.com/[30] F. A. P. Petitcolas, R. J. Anderson, M. G. Kuhn, Information Hiding - A Survey, Proceedings of the

IEEE, Volume 87(7), 1999, pp. 1062-1078

[31] ftp://ftp.ntua.gr/pub/crypt/mirrors/idea.sec.dsi.unimi.it/code/s-tools4.zip[32] S. Agaian, J.M. Susmilch, Fractal Steganography, IEEE Region 5 Technology and Science

Conference, San Antonio, USA, April 7-8, 2006

[33] M. F. Barnsley, Fractals everywhere, Second Edition, Academic Press, 1993[34] http://www.spammimic.com/[35] P. Wayner, Mimic Functions, Cryptologia, Volume 19, Issue 3, July 1995 , pp. 285299[36] http://www.postini.com[37] www.google.com/a/help/intl/en/security/pdf/cir_08.pdf[38] N. Provos, P. Honeyman, Detecting steganographic content on the Internet. Proceedings of Network

and Distributed System Security Symposium (San Diego, Feb. 68). Internet Society, Reston, VA,

2002

[39] J. Fridrich, M. Goljan, and R. Du, Detecting LSB steganography in color and gray-scale images, IEEEMultimedia, Volume 8, no. 4, 2001, pp. 2228

[40] R. Chandramouli, A mathematical framework for active steganalysis, ACM Multimedia Systems,Volume 9, no. 3, 2003, pp. 303311

[41] J. J. Harmsen and W. A. Pearlman, Steganalysis of additive noise modelable information hiding,Proceedings of the SPIE, Security, Steganography, and Watermarking of Multimedia Contents VI, San

Jose, CA, Jan. 2003, pp. 131142

Documents

The Basics of Data Hiding on the Internet-handout