Source: citi.umich.edu/u/provos/papers/detecting.pdf

Detecting Steganographic Content on the Internet

Niels Provos, Peter Honeyman
Center for Information Technology Integration

University of Michigan

Abstract

Steganography is used to hide the occurrence of communication. Recent suggestions in US newspapers indicate that terrorists use steganography to communicate in secret with their accomplices. In particular, images on the Internet were mentioned as the communication medium. While the newspaper articles sounded very dire, none substantiated these rumors.

To determine whether there is steganographic content on the Internet, this paper presents a detection framework that includes tools to retrieve images from the world wide web and automatically detect whether they might contain steganographic content. To ascertain that hidden messages exist in images, the detection framework includes a distributed computing framework for launching dictionary attacks hosted on a cluster of loosely coupled workstations. We have analyzed two million images downloaded from eBay auctions and one million images obtained from a USENET archive but have not been able to find a single hidden message.

1 Introduction

Steganography is the art and science of hiding the fact that communication is taking place. Steganographic systems can hide messages inside of images or other digital objects. To a casual observer inspecting these images, the messages are invisible.

In February 2000, USA Today reported that terrorists are using steganography to hide their communication from law enforcement [7]. The article lacked any technical information that would allow a reader to verify these claims. Nonetheless, it was echoed by a number of other news sources. Wired News reported that messages are being hidden in images posted to Internet auction sites like eBay or Amazon [11].

To assess the claim that steganographic content is regularly posted to the Internet, we need a way to detect steganographic content in images automatically. This paper presents a steganography detection framework that begins with a web crawler that downloads JPEG images from the Internet. Using statistical analysis, a subset of images likely to contain steganographic content is identified. The analysis is statistical, i.e. there is no guarantee that an identified image really contains a hidden message, so we also describe a distributed computing framework that launches a dictionary attack hosted on a cluster of loosely-coupled workstations to reveal any hidden content.

We discuss the results from analyzing two million images downloaded from eBay auctions and one million images obtained from USENET archives. So far we have not been able to uncover a single message.

The remainder of this paper is organized as follows. In Section 2, we give a brief background of steganography in general. Section 3 explains how to hide information in JPEG [19] images. Section 4 presents statistical tests that can detect steganographic content. In Section 5, we give an overview of existing steganographic systems and describe how to detect them. The detection framework is presented in Section 6. We discuss our results and related work in Sections 7 and 8. We conclude in Section 9.

2 Steganography Background

The term “information hiding” relates to both watermarking and steganography. There are three different aspects to an information hiding system that contend with one another: capacity, security and robustness [2]. Capacity refers to the amount of information that can be hidden, security to the inability of an eavesdropper to detect hidden information, and robustness to the amount of modification the cover medium can withstand before the hidden information is destroyed.

In general, the primary goal of a watermarking system is to achieve a high level of robustness. That means it should be impossible to remove a watermark without degrading the quality of the data object.

On the other hand, steganography tries to achieve high security and high capacity. This often entails that the hidden information is fragile. Modifications to the cover medium may destroy it.

Watermarking and steganography differ in another important way: while steganographic information must never be apparent to a viewer unaware of its presence, this feature is optional for a watermark.

The security of a classical steganographic system relies on the secrecy of the encoding system. Once the encoding system is known, the steganographic system is defeated. A famous example of a classical system is that of a Roman general who shaved the head of a slave and tattooed a hidden message on it. After the hair had grown back, the slave was sent to deliver the message [6]. While such a system might work once, the moment that it is known, it is simple to shave the heads of all people passing by to check for hidden messages.

Other encoding systems might use the last word in every sentence of a letter or the least significant bits in an image.

However, modern steganography should be detectable only if secret information is known, namely, a secret key. This is very similar to “Kerckhoffs’ Principle” in cryptography, which holds that the security of a cryptographic system should rely only on the key material [8].

Because of their invasive nature, steganographic systems often leave detectable traces within a medium’s characteristics. This allows an eavesdropper to detect modified media, revealing that secret communication is taking place. Although the secret content is not exposed, its existence is revealed, which defeats the main purpose of steganography.

In general, the information hiding process consists of the following steps:

1. Identification of redundant bits in a cover medium. Redundant bits are those bits that can be modified without degrading the quality of the cover medium.

2. Selection of a subset of the redundant bits to be replaced with data from a secret message. The stego medium is created by replacing the selected redundant bits with message bits.

The modification of redundant bits can change the statistical properties of the cover medium. As a result, statistical analysis may reveal the hidden content [3, 15, 20]. In Section 4, we explain this in detail.

3 Information Hiding in JPEG Images

JPEG images are commonly used on Internet web sites. This section briefly explains the JPEG format and how it can be used for information hiding.

The JPEG image format uses a discrete cosine transform (DCT) to transform successive 8×8-pixel blocks of the image into 64 DCT coefficients each. The least-significant bits of the quantized DCT coefficients are used as redundant bits into which the hidden message is embedded. The modification of a single DCT coefficient affects all 64 image pixels.

In some image formats, e.g. GIF, the visual structure of an image exists to some degree in all bit-layers of the image. Steganographic systems that modify least-significant bits of these image formats are often susceptible to visual attacks [20].

This is not true for the JPEG format. The modifications happen in the frequency domain instead of the spatial domain, so there are no visual attacks against the JPEG image format.

Figure 1 shows two images with a resolution of 640 × 480 and 24-bit color depth. The uncompressed original image has a size of almost 12 Mb, while the two JPEG images shown are about 0.3 Mb. The one to the left is unmodified. The one to the right contains the first chapter of Lewis Carroll’s “The Hunting of the Snark.” After compression, the chapter has a size of about 15 Kb. It is not possible for the human eye to find a visual difference between the two images.

4 Statistical Analysis

Statistical tests can reveal that an image has been modified by steganography by determining that an image’s statistical properties deviate from a norm. Some tests are independent of the data format and just measure the entropy of the redundant data. We expect images with hidden data to have a higher entropy than those without.

The simplest test measures the correlation towards one. A more sophisticated one is Maurer’s “Universal Statistical Test for Random Bit Generators” [10].

These simple tests are not able to decide automatically if an image contains a hidden message. Westfeld and Pfitzmann observed that embedding encrypted data into a GIF image changes the histogram of its color frequencies [20]. One property of encrypted data is that the one and the zero bit are equally likely. When using the least-significant bit method to embed encrypted data into an image that contains color two more often than color three, color two is changed more often to color three than the other way around. As a result, the difference in color frequency between two and three is reduced by the embedding.

The same is true for JPEG images. Instead of measuring the color frequencies, we analyze the frequency of the DCT coefficients. Figure 2 shows an example where embedding a hidden message causes noticeable differences to the DCT coefficient histogram.

Figure 1: The image on the left is the unmodified original, but the image on the right has the first chapter of the “Hunting of the Snark” embedded into it. There are no visual differences to the human eye.

[Figure 2, three panels: “Modified image” and “Original image” plot coefficient frequency (0 to 15000) against DCT coefficient value (−40 to 40); “Histogram difference” plots the difference in percent (−20 to 20) against DCT coefficient value.]

Figure 2: Embedding a hidden message causes noticeable changes to the histogram of DCT coefficients.

We use a χ²-test to determine whether an image shows distortion from embedding hidden data. Because the test uses only the stego medium, the expected distribution $y^*_i$ for the χ²-test has to be computed from the image. Let $n_i$ be the frequency of DCT coefficient $i$ in the image. We assume that an image with hidden data embedded has similar frequency for adjacent DCT coefficients. As a result, we can take the arithmetic mean,

$$y^*_i = \frac{n_{2i} + n_{2i+1}}{2},$$

to determine the expected distribution. The expected distribution is compared against the observed distribution

$$y_i = n_{2i}.$$

The χ² value for the difference between the distributions is given as

$$\chi^2 = \sum_{i=1}^{\nu+1} \frac{(y_i - y^*_i)^2}{y^*_i},$$

where $\nu$ are the degrees of freedom, that is, one less than the number of different categories in the histogram.

The probability $p$ of embedding is then given by the complement of the cumulative distribution function,

$$p = 1 - \int_0^{\chi^2} \frac{t^{(\nu-2)/2}\, e^{-t/2}}{2^{\nu/2}\,\Gamma(\nu/2)}\, dt,$$

where $\Gamma$ is the Euler Gamma function.

We can compute the probability of embedding for different parts of an image. The selection depends on what steganographic system we try to detect. For an image that does not contain any hidden information, we expect the probability of embedding to be zero everywhere. Figure 3 shows the embedding probability for an image without steganographic content and for an image that has content hidden in it.

5 Steganographic Systems in Use

In this section, we describe several steganographic systems that embed hidden messages into JPEG images. We show that the statistical distortions depend on the steganographic system that inserted the message into the image. Because the distortions are characteristic for each system, we can identify “signatures” that allow us to identify which system has been used.

[Figure 3, two panels (misc/dcsf0001-no.jpg, upper; misc/dcsf0001.jpg, lower): probability of embedding in percent (0 to 100) against analysed position in image in percent (0 to 100).]

Figure 3: The probability of embedding calculated for different areas of an image. The upper graph shows the results for an unmodified image, the lower graph shows the results for an image with steganographic content.

There are three popular steganographic systems available on the Internet that hide information in JPEG images:

• JSteg, JSteg-Shell

• JPHide

• OutGuess

All of these systems use some form of least-significant bit embedding and are detectable by statistical analysis except the latest release of OutGuess [13]. In the following, we describe the specific characteristics of these systems and show how to detect them.

5.1 JSteg and JSteg-Shell

JSteg is an addition by Derek Upham to the Independent JPEG Group’s JPEG software library. The DCT coefficients are modified continuously from the beginning of the image. JSteg does not support encryption and has no random bit selection.

The message data is prepended with a variable size header. The first five bits of the header express the size of the length field in bits. The following bits contain the length field that expresses the size of the embedded content.
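As an added example (not code from the paper or from JSteg itself), the following Python builds and parses a header laid out as just described: a five-bit field giving the width of the length field, then the length itself in that many bits. The bit order inside the fields (MSB-first here) and the list-of-bits representation of the extracted LSB stream are assumptions of this example; the third function is the kind of plausibility check a detector can apply to a header it has pulled out of an image.

```python
def jsteg_header_bits(payload_len):
    """Build a JSteg-style header for a payload of payload_len bytes: a 5-bit field
    holding the width of the length field in bits, then the length in that many bits.
    MSB-first order inside each field is an assumption of this example."""
    if payload_len < 0:
        raise ValueError("negative length")
    width = max(1, payload_len.bit_length())
    if width > 31:                      # five bits can express a width of at most 31
        raise ValueError("length field wider than 31 bits")
    bits = [(width >> i) & 1 for i in range(4, -1, -1)]
    bits += [(payload_len >> i) & 1 for i in range(width - 1, -1, -1)]
    return bits


def parse_jsteg_header(bits):
    """Inverse of jsteg_header_bits. `bits` is the sequence of least-significant bits
    read from the usable DCT coefficients in embedding order. Returns
    (payload_len_bytes, header_len_bits), or None if the stream is too short or the
    width field is zero (no valid header can have an empty length field)."""
    if len(bits) < 5:
        return None
    width = 0
    for b in bits[:5]:
        width = (width << 1) | (b & 1)
    if width == 0 or len(bits) < 5 + width:
        return None
    payload_len = 0
    for b in bits[5:5 + width]:
        payload_len = (payload_len << 1) | (b & 1)
    return payload_len, 5 + width


def header_plausible(bits, usable_coefficients):
    """Sanity check for a detector: the header's claimed payload plus the header itself
    must fit into the coefficients JSteg can actually modify (all but 0 and 1)."""
    parsed = parse_jsteg_header(bits)
    if parsed is None:
        return False
    payload_len, header_len = parsed
    return header_len + 8 * payload_len <= usable_coefficients
```

The length claimed by the header is what Section 6.1.1 compares against the message size estimated from the χ²-test graph; a header whose claim does not fit into the image is a quick way to discard false positives before the statistical estimate is even consulted.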

[Figure 4, one panel (misc/dcsf0003.jpg): probability of embedding in percent (0 to 100) against analysed position in image in percent (0 to 100).]

Figure 4: An image containing a message hidden with JSteg shows a high probability of embedding at the beginning of the image. It flattens to zero when the test reaches the unmodified part of the DCT coefficients.

Figure 4 shows the result of the χ²-test for an image that contains information hidden with JSteg. In this case, the first chapter of “The Hunting of the Snark” has been bzip2 compressed prior to embedding. The low probability at the beginning of the graph is caused by the dictionary at the beginning of a bzip2 compressed file. The dictionary does not look like encrypted data and is not detected by the test.

JSteg-Shell is a Windows user interface to JSteg developed by Korejwa. It supports encryption and compression of the content before embedding the data with JSteg. JSteg-Shell uses the RC4 stream cipher [17] for encryption. However, the RC4 key space is restricted to 40 bits.

When encryption is being employed, we expect the probability of embedding to be high at the beginning of the image. There should be no exception.

[Figure 5, one panel (msg/dcsf0002.jpg): probability of embedding in percent (0 to 100) against analysed position in image in percent (0 to 100).]

Figure 5: Using JSteg-Shell with RC4 encryption causes the probability of embedding to be high for all embedded data.

An example of JSteg-Shell is shown in Figure 5. Just observing the graph allows us to determine the size of the embedded message. Later we show how this can help to improve the automatic detection of steganographic content.

5.2 JPHide

JPHide is a steganographic system by Allan Latham. There are two versions: 0.3 and 0.5. Version 0.5 supports additional compression of the hidden message. As a result, they use slightly different headers to store embedding information. Before the content is embedded, it is Blowfish [16] encrypted with a user-supplied pass phrase.

Because the DCT coefficients are not selected continuously from the beginning, JPHide is more difficult to detect.

The program uses a fixed table that defines classes of DCT coefficients to determine in which order to modify the coefficients. All coefficients in the current class are used first to hide information before the next class is chosen. As a result, coefficients are selected in such a way that those likely to be numerically high are used first.

One artifact of the implementation is that the information hiding continues in the current coefficient class even after the complete message has been embedded. The first class in the table are the DC coefficients of color component zero. An image with a resolution of 600 × 480 has approximately five thousand DC coefficients. Even if the message is only eight bits long, JPHide modifies all five thousand coefficients in such an image.

A pseudo-random number generator determines if coefficients are skipped. The probability of skipping bits depends on the length of the hidden message and how many bits have been embedded already.

JPHide modifies not only the least-significant bits of the DCT coefficients, it can also switch to a mode where the second-least-significant bits are modified.

[Figure 6, one panel (compress/dcsf0001.jpg): probability of embedding in percent (0 to 100) against analysed position in image in percent (0 to 100).]

Figure 6: JPHide has a signature similar to JSteg. The major difference is the order in which the DCT coefficients are modified.

Figure 6 shows the probability of embedding for an image containing information hidden with JPHide. Because JPHide can skip DCT coefficients, the probability is not as high as with JSteg.

5.3 OutGuess

OutGuess is a steganographic system available as UNIX source code. There are two released versions: OutGuess 0.13b, which is vulnerable to statistical analysis, and OutGuess 0.2, which includes the ability to preserve statistical properties [15] and can not be detected by the statistical tests used in this paper.

OutGuess is different from the systems described in the previous sections in that it chooses the DCT coefficients with a pseudo-random number generator. A user-supplied pass phrase initializes a stream cipher and a pseudo-random number generator, both based on RC4. The stream cipher is used to encrypt the content.

Because the modifications are distributed randomly over the DCT coefficients, the χ²-test can not be applied on a continuously increasing sample of the image. Instead, we slide the position where we take the samples across the image.

[Figure 7, one panel (misc/dcsf0001.jpg): probability of embedding in percent (0 to 100) against analysed position in image in percent (0 to 100).]

Figure 7: OutGuess 0.13b is more difficult to detect. Due to the random selection of bits, there is no clear signature.

For OutGuess 0.13b, we do not find any clear signatures. Figure 7 shows the probability of embedding for a sample image. The spikes indicate areas in the image where modifications to coefficients cause departures from the expected DCT coefficient frequency.

6 Detection Framework

In the previous section, we presented detection signatures that allow us to find hidden messages and determine which steganographic system was used to embed them. In the next section, we present “Stegdetect,” an automated utility to analyze JPEG images for steganographic content.

6.1 Stegdetect

Stegdetect detects images that have content hidden with JSteg, JPHide and OutGuess 0.13b. For each system that we want to detect, we select the DCT coefficients in the order that they are modified and apply a χ²-test.

misc/0003-wonder-2.jpg : jphide(*)

misc/dscf0001.jpg : outguess(old)(***)

misc/dscf0002.jpg : negative

misc/dscf0003.jpg : jsteg(***)

Figure 8: The output from Stegdetect contains an estimate of the detection confidence.

The output from Stegdetect lists the steganographic systems found in each image or “negative” if no steganographic content could be detected. Stegdetect expresses the level of confidence of the detection with one to three stars. Figure 8 shows some sample output.

6.1.1 JSteg Detection: Detection of content hidden with JSteg is similar to the approach outlined by Westfeld and Pfitzmann [20].

JSteg does not modify the DCT coefficients zero and one. For that reason, they are ignored in the χ²-test. We sample the DCT coefficients starting from the beginning of the image and compute the probability of embedding. This process is repeated with increasing sample size until all DCT coefficients are contained in the sample. As a performance optimization, we stop computing the probability of embedding once it falls below a certain threshold.

To improve the detection accuracy, we estimate the size of the hidden content from the calculated graph and compare it with the size stored in the JSteg embedding header as described in Section 5.1.
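The χ²-test of Section 4 and the growing-sample JSteg scan described here, as an added Python example that is not Stegdetect's code. It computes the probability of embedding from a DCT coefficient histogram (evaluating the paper's integral through the regularized incomplete gamma function, so no SciPy is needed), embeds random bits JSteg-style into a constructed coefficient sequence, and scans growing prefixes to locate the edge where p collapses. The constructed Laplacian-like coefficient distribution, the 20-step scan granularity and the 1e-4 stopping threshold are assumptions of this example, not parameters taken from the paper.

```python
import math
import random
from collections import Counter

def _gamma_p_series(a, x, eps=1e-14):
    """P(a, x), regularized lower incomplete gamma, by series (x < a + 1)."""
    term = total = 1.0 / a
    ap = a
    for _ in range(10000):
        ap += 1.0
        term *= x / ap
        total += term
        if abs(term) < abs(total) * eps:
            break
    return total * math.exp(-x + a * math.log(x) - math.lgamma(a))

def _gamma_q_contfrac(a, x, eps=1e-14):
    """Q(a, x), regularized upper incomplete gamma, by Lentz's continued fraction (x >= a + 1)."""
    tiny = 1e-300
    b, c = x + 1.0 - a, 1.0 / tiny
    h = d = 1.0 / b
    for i in range(1, 10000):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        d = tiny if abs(d) < tiny else d
        c = b + an / c
        c = tiny if abs(c) < tiny else c
        d = 1.0 / d
        delta = c * d
        h *= delta
        if abs(delta - 1.0) < eps:
            break
    return math.exp(-x + a * math.log(x) - math.lgamma(a)) * h

def chi2_upper_tail(chi2, nu):
    """Probability of embedding p = 1 - F(chi2; nu): the paper's integral, without SciPy."""
    if chi2 <= 0.0:
        return 1.0
    a, x = nu / 2.0, chi2 / 2.0
    return 1.0 - _gamma_p_series(a, x) if x < a + 1.0 else _gamma_q_contfrac(a, x)

def pairs_of_values_test(hist, skip=(0, 1)):
    """Chi-square test on {coefficient: count}: each pair (2i, 2i+1) against its mean
    y* = (n_2i + n_2i+1)/2; pairs touching `skip` (JSteg leaves 0 and 1 alone) and
    nearly empty pairs are ignored. Returns (chi2, nu, p). `hist` must be non-empty."""
    chi2, categories, lo = 0.0, 0, min(hist)
    for even in range(lo - lo % 2, max(hist) + 1, 2):
        if even in skip or even + 1 in skip:
            continue
        y = hist.get(even, 0)
        y_star = (y + hist.get(even + 1, 0)) / 2.0
        if y_star < 1.0:
            continue
        chi2 += (y - y_star) ** 2 / y_star
        categories += 1
    nu = categories - 1
    return (chi2, nu, chi2_upper_tail(chi2, nu)) if nu >= 1 else (chi2, 0, 1.0)

def synthetic_cover(n, rng):
    """Constructed stand-in for quantized DCT coefficients (Laplacian-like, so neighbouring bins differ)."""
    values = list(range(-30, 31))
    return rng.choices(values, weights=[math.exp(-abs(v) / 2.0) for v in values], k=n)

def jsteg_embed(coeffs, bits):
    """JSteg-style LSB replacement from the start, skipping 0 and 1 -> (stego, stop index)."""
    out, k = list(coeffs), 0
    for idx, v in enumerate(out):
        if k == len(bits):
            return out, idx
        if v in (0, 1):
            continue
        out[idx] = (v & ~1) | bits[k]
        k += 1
    return out, len(out)

def scan_prefixes(coeffs, steps=20):
    """Stegdetect's JSteg scan: the test on growing prefixes -> [(fraction, p), ...]."""
    n = len(coeffs)
    return [(cut / n, pairs_of_values_test(Counter(coeffs[:cut]))[2])
            for cut in (n * s // steps for s in range(1, steps + 1))]

def embedded_fraction(scan, threshold=1e-4):
    """Last prefix fraction before p drops below `threshold` (the edge used to size the message)."""
    frac = 0.0
    for f, p in scan:
        if p < threshold:
            break
        frac = f
    return frac

def demo(seed=1, n=60000, message_bits=14000):
    """Cover vs. JSteg stego on constructed data -> (p whole cover, p first stego prefix,
    estimated embedded fraction of the cover, of the stego sequence)."""
    rng = random.Random(seed)
    cover = synthetic_cover(n, rng)
    stego, _ = jsteg_embed(cover, [rng.getrandbits(1) for _ in range(message_bits)])
    cover_scan, stego_scan = scan_prefixes(cover), scan_prefixes(stego)
    return (cover_scan[-1][1], stego_scan[0][1],
            embedded_fraction(cover_scan), embedded_fraction(stego_scan))
```

On a real image the coefficients would come from a JPEG decoder's quantized DCT stream in JSteg's embedding order. Within the embedded region p is itself uniformly distributed, so a single dip below the threshold can happen by chance; that is one reason the size estimated from the edge is cross-checked against the JSteg length header rather than trusted on its own.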

6.1.2 JPHide Detection: Because JPHide modifies the DCT coefficients in a fixed order determined by coefficient classes as described earlier, we rearrange them in that order before computing the probability of embedding. However, there are two exceptions that influence the detection.

JPHide modifies the DCT coefficients −1, 0 and 1 in a special way. As a result, the modifications to these coefficients can not be detected by the χ²-test. By simply ignoring these coefficients, we are still able to detect content embedded with JPHide. We also ignore modifications to the second-least-significant bits, which are not as frequent as modifications to the least-significant bits.

As with JSteg, we stop computing the probability of embedding once it falls below a certain threshold.

For the very first coefficient class, we know that the coefficients −1, 0, and 1 are being modified with a 1/4 chance. We refer to their frequencies in the current sample as $n_{-1}$, $n_0$ and $n_1$ respectively. JPHide treats −1 and 1 the same, so we refer to their combined frequency as $n' = n_{-1} + n_1$. Assuming a non-uniform distribution of coefficients in the first coefficient class, we estimate the original frequencies before steganographic modification as

$$m_0 = \frac{3 n_0 - n'}{2}, \qquad m' = \frac{3 n' - n_0}{2}.$$

If either $m_0$ or $m'$ becomes negative when analyzing the first coefficient class in an image, it is an indication that JPHide was not involved. To cut down on false positives, we declare such an image as JPHide negative.

We calculate the probability $P$ that JPHide embedding causes a transition from $m_0, m'$ to $n_0, n'$ as follows

$$P = \sum_{\substack{k_0 - k_1 = m_0 - n_0 \\ 0 \le k_0 \le m_0 \\ 0 \le k_1 \le m'}} \binom{m_0}{k_0} \binom{m'}{k_1}\, p^{k_0 + k_1} (1 - p)^{n_0 + n' - k_0 - k_1},$$

where $p$ is the probability that a coefficient from $m_0$ changes to $m'$ and vice versa. For the coefficients −1, 0 and 1, $p$ is 1/4. For all other coefficients, $p$ is 1/2. A low probability $P$ indicates that steganography is not present. By ignoring them, we reduce the false positive rate of our detection system.
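The estimate for m_0 and m' and the transition probability P above, carried into Python as an added example (not Stegdetect's implementation). The binomial coefficients are evaluated in log space so that counts in the thousands, as in the DC class of a 600 × 480 image, do not overflow a float; rounding m_0 and m' to integers while keeping m_0 + m' = n_0 + n' is this example's choice, since the paper does not say how non-integer estimates are handled.

```python
import math

def log_binom(n, k):
    """log C(n, k) via lgamma, so counts in the thousands do not overflow a float."""
    return math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)

def transition_probability(m0, m_prime, n0, n_prime, p):
    """Probability that embedding, which moves each coefficient to the other group
    with probability p, turns the original counts (m0, m') into the observed counts
    (n0, n'). k0 coefficients leave group 0 and k1 enter it, so k0 - k1 = m0 - n0,
    which is the constraint under the paper's sum."""
    if m0 + m_prime != n0 + n_prime:
        return 0.0                      # embedding never changes the total count
    log_p, log_q = math.log(p), math.log(1.0 - p)
    total = 0.0
    for k0 in range(0, m0 + 1):
        k1 = k0 - (m0 - n0)
        if k1 < 0 or k1 > m_prime:
            continue
        total += math.exp(log_binom(m0, k0) + log_binom(m_prime, k1)
                          + (k0 + k1) * log_p + (n0 + n_prime - k0 - k1) * log_q)
    return total

def jphide_first_class_check(n_minus1, n0, n1, p=0.25):
    """Stegdetect's JPHide check on the first coefficient class, from the observed
    counts of the coefficients -1, 0 and 1 in the sample. Returns (m0, m', P): the
    estimated pre-embedding counts and the transition probability, or None when an
    estimate is negative, which rules JPHide out for this image."""
    n_prime = n_minus1 + n1
    m0 = (3 * n0 - n_prime) / 2.0
    m_prime = (3 * n_prime - n0) / 2.0
    if m0 < 0 or m_prime < 0:
        return None
    m0, m_prime = int(round(m0)), int(round(m_prime))
    m_prime += (n0 + n_prime) - (m0 + m_prime)   # keep m0 + m' = n0 + n' after rounding
    return m0, m_prime, transition_probability(m0, m_prime, n0, n_prime, p)
```

Summing `transition_probability` over every reachable n_0 for fixed m_0 and m' gives 1, which is a cheap consistency check on the constraint handling; a sample whose counts sit exactly at the expected post-embedding values yields a P of only a few percent, because P is the probability of one particular outcome among many, so the threshold that counts as "low" has to be calibrated on cover images rather than set near 0.5.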

6.1.3 OutGuess Detection: Detecting content embedded with OutGuess 0.13b is complicated by the fact that the coefficients are selected pseudo-randomly; there is no fixed order in which to apply the χ²-test. However, Provos has shown that the χ²-test can be extended to detect content hidden with OutGuess 0.13b [15].

Instead of increasing the sample size and applying the test at a constant position, we use a constant sample size but slide the position where the samples are taken over the entire range of the image.

The test starts at the beginning of the image, and the position is incremented by one percent for every application of the χ²-test. The extended test does not react to an unmodified image, but detects the embedding in some areas of the stego image.

To find an appropriate sample size, we choose an expected distribution for the extended χ²-test that should cause a negative test result. Instead of calculating the arithmetic mean of coefficients and their adjacent ones, we take the arithmetic mean of two unrelated coefficients,

$$y^*_i = \frac{n_{2i-1} + n_{2i}}{2}.$$

A binary search on the sample size is used to find a value for which the extended χ²-test does not show a correlation to the expected distribution derived from unrelated coefficients.

6.1.4 Stegdetect Performance: In this section, we analyze the performance of Stegdetect on a 333 MHz Celeron processor by measuring the time it takes to process a few hundred JPEG files. The result is the average number of kilobytes that can be processed per second (KBps).

We test the performance separately for each steganographic system, and then measure the performance for all tests in concert.

Test             Speed
JSteg            356 KBps
JPHide           200 KBps
OutGuess 0.13b   227 KBps
All tests        127 KBps

Figure 9: Stegdetect performance on a 333 MHz Celeron processor.

The results are displayed in Figure 9. As expected, the JSteg test is the fastest and detection of JPHide and OutGuess 0.13b are about the same speed.

Given the results for the separate tests, we would expect the combined speed for all tests to be about 80 KBps. However, the speed is higher because the tests for JPHide and OutGuess are skipped if JSteg has been detected.

To calibrate the detection sensitivity of Stegdetect, we tested it on about 1,500 images taken with a Fuji MX-1700 digital camera.

The percentage of false negatives depends on the steganographic system and the size of the embedded message. The smaller the message, the harder it is to detect by statistical means. Stegdetect is very reliable in finding images that have content embedded with JSteg. For JPHide, detection depends also on the size and the compression quality of the JPEG images. Furthermore, JPHide 0.5 reduces the hidden message size by employing compression. The results of detecting JPHide and JSteg are shown in Figure 10.

For JSteg, we can not detect messages smaller than fifty bytes. The false negative rate in that case is almost 100%. However, once the message size is larger than 150 bytes, our false negative rate is less than 10%. For JPHide, the false negative rate is at least 20% in all cases. The rate of false negatives for OutGuess 0.13b is around 60%. That is quite high. However, this is preferable to a high false positive rate, as we will explain in the next section.

[Figure 10, two panels. “JPHide Detection”: positive rate (0 to 1) against message size (0 to 2500) for image size 640x480, image size 320x240 and high quality 640x480. “JSteg Detection”: positive rate (0 to 1) against message size (0 to 500) for image size 640x480 and image size 320x240.]

Figure 10: JSteg and JPHide detection for different test images and message sizes.

6.2 Finding Images

Now that we can automatically test for steganographic content, we are ready to search for images that might have hidden messages embedded. We analyze images from two different sources: images from eBay auctions as indicated by the newspaper reports and images from discussion groups in the USENET archive from The Internet Archive [5].

To obtain images from eBay auctions, a web crawler that finds JPEG images is the obvious choice. Unfortunately, there were no open-source, image capable web crawlers available when we started our research, so we added the capability to save images to existing web crawlers, like larbin or the web consortium’s web robot. However, none of them was stable enough to crawl large web sites reliably.

So we wrote “Crawl”, a simple, efficient web crawlerthat saves JPEG images it encounters on web pages.Using “libevent” [14], a library for asynchronous eventnotification, Crawl is implemented in fewer than 5,000lines of C source code.

Crawl performs a depth-first search and has the fol-lowing features:

• Images and web pages can be matched against reg-ular expressions. A match can be used to includeor exclude web pages in the search.

• Minimum and maximum image size can be spec-ified. This allows us to exclude images that are

Page 8: Detecting Steganographic Content on the Internetciti.umich.edu/u/provos/papers/detecting.pdf · Watermarking and steganography differ in another important way: while steganographic

too small to contain hidden messages. We re-stricted our search to images that were larger than20 KByte but smaller than 400 KByte.

• DNS requests are synchronous but cached. Syn-chronous DNS queries can be a major performancepenalty because they cause the crawler to blockand not to make progress on any other outstand-ing network connections. The effects are mitigatedby caching positive and negative query results.
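The three crawler features above (regular-expression include/exclude lists, the 20 KByte to 400 KByte size window, and a DNS cache that remembers failures as well as successes) can be expressed as a small fetch policy. The following Python is an added illustration and is not Crawl’s own code; Crawl is written in C. The hostnames under .test and the 192.0.2.x address are placeholders, and the Content-Length values are constructed sample data standing in for the HEAD replies that Crawl issues before each GET.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Size bounds from the paper: keep images larger than 20 KByte but smaller than 400 KByte.
MIN_IMAGE_BYTES = 20 * 1024
MAX_IMAGE_BYTES = 400 * 1024


@dataclass
class DnsCache:
    """Caches positive and negative lookups so a blocking resolver is consulted once per host per TTL."""
    ttl: float = 300.0
    positive: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # host -> (address, expiry)
    negative: Dict[str, float] = field(default_factory=dict)              # host -> expiry
    resolver_calls: int = 0                                                # blocking lookups actually made

    def resolve(self, host: str, resolver: Callable[[str], Optional[str]], now: float) -> Optional[str]:
        hit = self.positive.get(host)
        if hit is not None and hit[1] > now:
            return hit[0]
        if host in self.negative and self.negative[host] > now:
            return None            # negative cache: do not block again on a host that failed recently
        self.resolver_calls += 1
        addr = resolver(host)      # the synchronous (blocking) lookup; returns None on failure
        if addr is None:
            self.negative[host] = now + self.ttl
        else:
            self.positive[host] = (addr, now + self.ttl)
        return addr


@dataclass
class CrawlPolicy:
    """Regex include/exclude lists plus the size window a candidate image must fall into."""
    include: List[str]                 # a URL must match at least one of these (empty list: match all)
    exclude: List[str]                 # a URL matching any of these is skipped
    min_bytes: int = MIN_IMAGE_BYTES
    max_bytes: int = MAX_IMAGE_BYTES

    def url_allowed(self, url: str) -> bool:
        if any(re.search(p, url) for p in self.exclude):
            return False
        return not self.include or any(re.search(p, url) for p in self.include)

    def size_allowed(self, content_length: Optional[int]) -> bool:
        if content_length is None:     # no Content-Length in the HEAD reply: let the GET decide later
            return True
        return self.min_bytes < content_length < self.max_bytes

    def decide(self, url: str, content_length: Optional[int]) -> str:
        """Decision for a link found on a page: 'skip-url', 'skip-size' or 'get'."""
        if not self.url_allowed(url):
            return "skip-url"
        if not self.size_allowed(content_length):
            return "skip-size"
        return "get"


def demo() -> Dict[str, object]:
    """Run the policy over constructed links (hosts under .test are placeholders, not real sites)."""
    policy = CrawlPolicy(include=[r"\.jpe?g$"], exclude=[r"/thumbs?/"])
    links = [  # (URL, Content-Length from the HEAD request); constructed sample data
        ("http://img.example.test/635/scope_lo.jpg", 120 * 1024),
        ("http://img.example.test/635/hi.jpg", 10 * 1024),
        ("http://img.example.test/thumb/hi.jpg", 100 * 1024),
        ("http://www.example.test/a_ports/graphone.jpeg", None),
        ("http://www.example.test/listing.html", 30 * 1024),
    ]
    decisions = {url: policy.decide(url, length) for url, length in links}

    # A stand-in resolver: only one of the placeholder hosts "exists".
    table = {"img.example.test": "192.0.2.10"}     # 192.0.2.0/24 is reserved for documentation
    cache = DnsCache(ttl=60.0)
    addrs = [cache.resolve(host, table.get, now=float(t))
             for t, host in enumerate(["img.example.test", "img.example.test",
                                       "www.example.test", "www.example.test"])]
    return {"decisions": decisions, "addrs": addrs, "resolver_calls": cache.resolver_calls}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The negative cache matters as much as the positive one: a crawler that blocks on every lookup of a dead host stalls all of its other connections, which is exactly the penalty the paper describes for synchronous DNS.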

HEAD http://img.andale.com/635/monitor_lo.jpg

HEAD http://img.andale.com/635/hi.jpg

GET http://www.cities.com/a_ports/graphone.jpg

GET http://img.andale.com/635/scope_lo.jpg

Terminated with 3479 saved urls.

448684 GET for body 2861924 Kbytes

436084 HEAD for header 271287 Kbytes

9.172 Requests/sec

Figure 11: The output from Crawl is used as input for Stegdetect.

At this writing, we have downloaded more than two million images linked to eBay auctions. To automate the detection, Crawl uses “stdout” to report successfully retrieved images; see Figure 11.

Because Stegdetect can accept images from “stdin”, we connect Crawl to Stegdetect via a pipe to automate the detection process. After processing the two million images with Stegdetect, we find that over 1% of all images seem to contain hidden content. JPHide is detected most often; see Figure 12.

Additionally, we augmented our study by analyzing one million images obtained from a USENET archive.

Test             (False) Positives
                 eBay       USENET
JSteg            0.003%     0.007%
JPHide           1%         2.1%
OutGuess 0.13b   0.1%       0.14%

Figure 12: Percentage of (false) positives for images obtained from the Internet.

Most of these are likely to be false positives. Axelsson applies the “Base-Rate Fallacy” to intrusion detection systems and shows that a high percentage of false positives has a significant impact on the efficiency of such a system [1]. The situation is very similar for Stegdetect. The “true positive” rate, i.e. the probability that an image detected by Stegdetect really has steganographic content, can be calculated as follows:

\[
P(S|D) = \frac{P(S) \cdot P(D|S)}{P(D)} = \frac{P(S) \cdot P(D|S)}{P(S) \cdot P(D|S) + P(\neg S) \cdot P(D|\neg S)}.
\]

P(S) is the probability of steganographic content in images and P(¬S) its complement. P(D|S) is the probability that we detect an image that has steganographic content and P(D|¬S) the false positive rate.

To improve the efficiency of our detection system, we need to increase the “true positive” rate. There are two possible approaches: decreasing the false negative rate or decreasing the false positive rate. We assume that P(S), the percentage of images containing steganographic content, is low in comparison to P(D|¬S), the percentage of false positives. As a result, the false positive rate is the dominating term in the denominator. Reducing it improves the “true positive” rate the most.
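The base-rate argument is easiest to see with numbers. The Python below is an added worked example, not part of the paper: it evaluates the formula above using the eBay false positive rates from Figure 12, detection rates assumed from the false negative rates reported in Section 6.1, and a range of assumed priors P(S), since the paper does not (and cannot) state the true fraction of images carrying hidden content. The comparison function shows why halving the false positive rate pays off more than halving the false negative rate when P(S) is small.

```python
from typing import Dict, Tuple


def true_positive_rate(p_s: float, p_d_given_s: float, p_d_given_not_s: float) -> float:
    """P(S|D): the probability that a flagged image really carries a hidden message (Bayes' rule)."""
    for p in (p_s, p_d_given_s, p_d_given_not_s):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    numerator = p_s * p_d_given_s
    denominator = numerator + (1.0 - p_s) * p_d_given_not_s
    if denominator == 0.0:
        return 0.0  # nothing is ever flagged, so there is no positive that could be true
    return numerator / denominator


# Measured false positive rates P(D|not S) from Figure 12 (eBay column).
FALSE_POSITIVE_RATE = {"JSteg": 0.00003, "JPHide": 0.01, "OutGuess 0.13b": 0.001}

# Detection rates P(D|S) are ASSUMED here from the false negative rates in Section 6.1:
# JSteg misses under 10% of messages above 150 bytes, JPHide at least 20%, OutGuess about 60%.
DETECTION_RATE = {"JSteg": 0.90, "JPHide": 0.80, "OutGuess 0.13b": 0.40}


def posterior_table(prior: float) -> Dict[str, float]:
    """P(S|D) for each detector under an assumed prior P(S) (the prior is not given in the paper)."""
    return {name: true_positive_rate(prior, DETECTION_RATE[name], FALSE_POSITIVE_RATE[name])
            for name in FALSE_POSITIVE_RATE}


def compare_improvements(prior: float, p_d_given_s: float,
                         p_d_given_not_s: float) -> Tuple[float, float, float]:
    """(baseline P(S|D), P(S|D) with the false negative rate halved, P(S|D) with the false positive rate halved)."""
    baseline = true_positive_rate(prior, p_d_given_s, p_d_given_not_s)
    halved_misses = true_positive_rate(prior, p_d_given_s + (1.0 - p_d_given_s) / 2.0, p_d_given_not_s)
    halved_false_alarms = true_positive_rate(prior, p_d_given_s, p_d_given_not_s / 2.0)
    return baseline, halved_misses, halved_false_alarms


if __name__ == "__main__":
    for prior in (1e-3, 1e-4, 1e-5):
        print(f"P(S) = {prior:g}")
        for name, p in posterior_table(prior).items():
            print(f"  {name:15s} P(S|D) = {p:.4f}")
    print("JPHide, P(S) = 1e-4: baseline / halve FN / halve FP =",
          tuple(round(x, 5) for x in compare_improvements(1e-4, 0.80, 0.01)))
```

With P(S) = 10⁻⁴, the JPHide detector’s 1% false positive rate leaves fewer than one in a hundred flagged images genuinely carrying a message, while JSteg’s 0.003% false positive rate puts the same prior at roughly three in four. That gap, not the detection rate, is what drives the triage cost.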

We notice that there are special classes of images for which Stegdetect falsely indicates hidden content. An example of a false positive is shown in Figure 13. Stegdetect indicates that content has been hidden by JSteg. However, when analyzing the probability of embedding displayed next to the drawing, we do not see a plateau at the beginning, as we would expect had encrypted data been embedded.

We find similar false positives when trying to detect content hidden with OutGuess. Images with monotone backgrounds like the painting in Figure 14 are more likely to be false positives. When analyzing the graph, we see only a few high probability spikes. If there were hidden content, we would expect to find more areas in the image where the extended χ²-test shows a positive result.

That Stegdetect finds so many images that seem to have content hidden with JPHide does not indicate that there are many images that really contain hidden content. Instead, it means that the detection functions for JPHide need to be improved to be more accurate. Furthermore, many images downloaded from the Internet are of very low quality, while the images that were used to calibrate Stegdetect are of higher quality, because they come directly from a digital camera.

6.3 Verifying Hidden Content

The statistical tests used to find steganographic content in images indicate nothing more than a likelihood that content has been embedded. Because of that, Stegdetect cannot guarantee the existence of a hidden message.

Figure 13: Stegdetect indicates that this drawing seems to have content hidden with JSteg. (Plot residue: probability of embedding in percent, 0 to 100, against the analysed position in the image in percent, 0 to 50, for jsteg-1.jpg.)

Figure 14: Stegdetect indicates that this painting seems to have content hidden with OutGuess 0.13b. (Plot residue: probability of embedding in percent, 0 to 100, against the analysed position in the image in percent, 0 to 100, for outguess-1.jpg.)

To verify that the detected images have hidden content, it is necessary to launch a dictionary attack against the JPEG files. Stegbreak does just that for content hidden with JSteg-Shell, JPHide or OutGuess 0.13b.

The presented steganographic systems all hide content based on a user-supplied password, so an attacker can try to guess the password to determine what content has been hidden. Instead of trying all possible passwords, it is much faster to try only words from a dictionary, i.e. a dictionary attack [12].

For a dictionary attack to work, it is necessary that the user of the steganographic system selects a weak password, i.e., he selects the password from a small subset of the full password space.

Success depends on the quality of the dictionary. For the eBay images, we used a dictionary with about 850,000 words, containing words from several languages. For the USENET images, we improved the dictionary by including four-digit PIN numbers and short pass phrases. The short pass phrases were created by taking three to five letter words from a list of the two thousand most common English words and concatenating them. The resulting dictionary contains 1,800,000 words.

Key attacks on cryptographic systems often have the benefit that properties of the underlying plaintext are known to the attacker. Given these properties, it is possible to verify statistically if the correct decryption key has been found [18]. All the steganographic systems presented in this paper embed header information in addition to a message into the images. The header information contains, among other things, the length of the hidden message. We can use this information to verify the correctness of the guessed password.

Figure 15: Header information for JPHide 0.3 (64 bits). Byte layout: Length bits 23-16 | Length bits 15-8 | Length bits 7-0 | IV 1 | IV 2 | IV 3 | IV 4 | IV 5.

6.3.1 JPHide Header Information: JPHide 0.3 embeds a 64-bit header. The first 24 bits include the length of the hidden message in bytes. The other 40 bits are obtained from encrypting the first eight DCT coefficients with Blowfish. The Blowfish key schedule is initialized with the guessed password. JPHide takes the first eight DCT coefficients, reduces them modulo 256 and then concatenates them to get a 64-bit block. This block is then encrypted, and the first 3 bytes are overwritten with the length information. The result is stored as header in the image; see Figure 15.

The dictionary attack uses the 40-bit IV as a verifier. Additionally, we can check if the encoded length fits in the image.

Figure 16: Header information for JPHide 0.5 (128 bits). Fields shown in the figure: Orig. Len. bits 23-16, Orig. Len. bits 15-8, Orig. Len. bits 7-0; Compressed length bits 23-0 (three bytes); Mode; IV 1 through IV 7; Compressed length bits 15-0 (two bytes, duplicating part of the compressed length).

The header for JPHide 0.5 is twice as long as for JPHide 0.3; because JPHide 0.5 compresses the message before embedding, the header contains both the compressed and the original length of the message. With the increased header length, we get a 56-bit verifier. The IV is obtained by encrypting the first 16 DCT coefficients, and is then overwritten with the length information. In addition to the 56 bits, we also get 16 more bits to verify our guess because parts of the compressed length are duplicated in the header; see Figure 16.

Another difference between version 0.3 and 0.5 is a change in key schedule computation. In version 0.5, the Blowfish key schedule depends on the first eight DCT coefficients. As a result, the Blowfish key schedule has to be recomputed for images that differ in those DCT coefficients. This causes a marked slowdown in Stegbreak.

6.3.2 JSteg-Shell Header Information: JSteg-Shell is very simple. Because it is just a user interface to JSteg, it does not encrypt the length of the embedded message. Instead it adds a signature at the end of the message. The signature is either “korejwa”, “cMk4” or “cMk5”.

We get at least 31 bits of certainty that we guessed the right password. However, because the key size is restricted to 40 bits, it is feasible to search the whole key space instead of using a dictionary attack. A search of the whole key space may lead to false positives because the key space is larger than the verifier.

6.3.3 OutGuess Header Information: Dictionary attacks against OutGuess seem to be infeasible, because we lack information to verify the password guess. OutGuess stores a 32-bit header in front of the embedded message. The header contains a 16-bit seed and 16 bits containing the length of the following message in bytes. We can use only the length to verify our password guess, because the seed can be an arbitrary number. While it is possible to restrain the acceptable seed or include a minimum length check in the password verification, there are still many keys that pass the verification.

As an additional check, Stegbreak retrieves at least 256 bytes of the encrypted message and checks the retrieved bytes for randomness. The simplest and fastest check is to count the number of zero and one bits. If there are close to 50% one bits then the data seems likely to be random. We further increase the accuracy by distributing the data into bins and checking if the bins are uniformly filled. Finally, we decrypt the data and use the UNIX file utility to check for known data types.

However, 256 bytes of data is not enough for a thorough test. For a large dictionary, we still find too many candidate passwords, making a dictionary attack infeasible.
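The three-stage randomness check just described (bit balance, bin uniformity, then a file-type guess on the decrypted data) is reproduced below as an added Python example; it is not Stegbreak’s code, and the thresholds (a 3σ window for the bit count, the 0.1% chi-square critical value with 15 degrees of freedom for 16 bins) are this example’s choices. The samples are constructed: a plaintext string, the byte sequence 0..255, and a repeated low-nibble pattern. The 0..255 sequence is included deliberately, because it passes both statistical checks while being anything but random, which is the paper’s point about 256 bytes being too little for a thorough test.

```python
import os
from math import sqrt
from typing import Dict, Tuple

CHI2_CRIT_DF15_P001 = 37.70   # chi-square critical value, 15 degrees of freedom, p = 0.001


def one_bit_fraction(data: bytes) -> float:
    """Fraction of one bits in the sample; random data sits close to 0.5."""
    ones = sum(bin(b).count("1") for b in data)
    return ones / (8 * len(data))


def bit_balance_ok(data: bytes, sigma: float = 3.0) -> bool:
    """Accept unless the one-bit count is more than `sigma` standard deviations from n/2 (Binomial(n, 1/2))."""
    n = 8 * len(data)
    ones = sum(bin(b).count("1") for b in data)
    return abs(ones - n / 2.0) <= sigma * sqrt(n) / 2.0


def bins_uniform(data: bytes, nbins: int = 16) -> Tuple[bool, float]:
    """Chi-square test that the upper-nibble bins are evenly filled; returns (accepted, statistic)."""
    counts = [0] * nbins
    for b in data:
        counts[b * nbins // 256] += 1
    expected = len(data) / nbins
    chi2 = sum((c - expected) ** 2 / expected for c in counts)
    return chi2 <= CHI2_CRIT_DF15_P001, chi2


MAGIC = {
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG": "PNG image",
    b"\x1f\x8b": "gzip data",
    b"PK\x03\x04": "ZIP archive",
}


def guess_type(data: bytes) -> str:
    """A tiny stand-in for the UNIX file utility: a few magic numbers, then a printable-text check."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "text" if all(32 <= b < 127 or b in (9, 10, 13) for b in data) else "data"


def looks_random(sample: bytes) -> Dict[str, object]:
    """Run all three checks on a 256-byte sample the way a candidate-password verifier would."""
    if len(sample) < 256:
        raise ValueError("need at least 256 bytes")
    balance = bit_balance_ok(sample)
    uniform, chi2 = bins_uniform(sample)
    kind = guess_type(sample)
    return {"ones": round(one_bit_fraction(sample), 3), "balance_ok": balance,
            "bins_ok": uniform, "chi2": round(chi2, 1), "file_type": kind,
            "random": balance and uniform and kind == "data"}


# Constructed samples (not taken from any image):
TEXT_SAMPLE = (b"the quick brown fox jumps over the lazy dog " * 6)[:256]  # plaintext: crowded bins
COUNTER_SAMPLE = bytes(range(256))                                       # every byte once: fools both checks
PATTERN_SAMPLE = bytes(range(16)) * 16                                    # low nibbles only: fails both

if __name__ == "__main__":
    for label, s in (("text", TEXT_SAMPLE), ("counter", COUNTER_SAMPLE),
                     ("pattern", PATTERN_SAMPLE), ("os.urandom", os.urandom(256))):
        print(f"{label:10s} {looks_random(s)}")
```

A verifier that accepts COUNTER_SAMPLE as random will also accept a great many wrong keys whose output happens to be roughly balanced, which is why the paper reports too many candidate passwords for OutGuess even after this check.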

System           Speed
                 One image         Fifty images
JPHide           4,500 words/s     8,700 words/s
OutGuess 0.13b   18,000 words/s    34,000 words/s
JSteg            36,000 words/s    47,000 words/s

Figure 17: Stegbreak performance on a 1200 MHz Pentium III.

6.3.4 Stegbreak Performance: We measure the performance of Stegbreak on a 1200 MHz Pentium III by running the dictionary attack against one image and a set of fifty images. The results are shown in Figure 17. The speed improvement for the fifty images is due to key schedule caching. For JPHide, we can check about 8,700 words per second. A test run with 300 images and a dictionary of about 577,000 words takes ten days to complete. Stegbreak is slow because it has to check for both versions of JPHide. When checking for version 0.5, the Blowfish key schedule needs to be recomputed for almost every image.

Stegbreak is faster for OutGuess: it can check about 34,000 words per second. However, as explained above, with a large dictionary the tool finds too many candidate passwords.

For JSteg-Shell, we can check about 47,000 words per second. This is fast enough to run a dictionary attack on a single computer. However, because the key space is restricted to 40 bits, it makes more sense to do a brute-force search of the whole key space. The key space is reduced to 40 bits in such a way that effectively only 35 bits are used. On a 1200 MHz Pentium III, a brute-force key search of the 35-bit key space completes within nine days.

6.4 Distributed Dictionary Attack

As we have seen, Stegbreak is too slow to run a dictionary attack against JPHide on a single computer. However, because a dictionary attack is inherently parallel, it is possible to distribute the dictionary attack to a number of workstations.

Such a distributed computing framework should work on a cluster of loosely-coupled workstations that fulfills the following requirements:

• The setup and maintenance of jobs should be simple.

• It should be portable to many operating systems, so that we can use as many different computer systems as possible.

• All communication should be encrypted and authenticated.

• The system should not require “root” privileges for installation.

Because such a system was not available as open source, we developed “Disconcert.”

Disconcert uses libevent for asynchronous event notification and “libio”, a library especially developed for use with Disconcert. Libio abstracts communication into data sources and data sinks. A data source is connected to a data sink via multiple filters. Using this abstraction, encryption and authentication just become filters. Disconcert has fewer than 7,000 lines of source code.

In the following, we explain a few essential commands that Disconcert supports:

• The init command transfers files to selected clients. It is used to copy Stegbreak, word lists and image files to the remote computers.

• The job command sets up various parameters for a specific job. This includes the number of work units that should be completed and the command line to be executed on the client machines.

• The run command is used to start remote execution of a job. Disconcert sets the “nice” level for these jobs to ten, so that they do not irritate the users of the workstation.

Clients send the exit status of a terminated process to the server to indicate if a work unit has been completed successfully or not. To communicate password guesses or other messages to the server, “stdout” and “stderr” are redirected to files on the server.

If a client loses its connection to the server, all communication is buffered until the client can reconnect. If a client does not reconnect within a certain time frame, the server reassigns the work unit of that client to another machine. The Disconcert framework also supports multiple jobs at the same time.

To prevent transmission of objectionable content (such as pornographic images) to the clients, Stegbreak can extract the information from the JPEG images that is relevant to a dictionary attack and save it as a separate file. For JPHide, the dictionary attack requires only about 512 bytes to verify a password guess. Another benefit of this is a reduction of network traffic.

Stegbreak has very low I/O and memory requirements and is hardly noticeable when running in the background.

There are two obvious ways to parallelize the dictionary attack: each node is assigned its own set of images or each node is assigned its own part of the dictionary. We use the latter approach as it permits a more fine-grained segmentation of the work units. When running the dictionary attack, Disconcert assigns each node an index into the dictionary. After a node completes a work unit, it receives a new index to work on.
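The server-side bookkeeping the last few paragraphs describe (hand each node an index into the dictionary, record the exit status it reports, and reassign the work unit of a node that does not reconnect in time) is shown below as an added Python model. It is not Disconcert’s code; Disconcert is written in C with libevent and libio, and the timeout, unit size, node names and the “tracer.jpg” stdout line are all constructed for the simulation. A report from a node whose unit has already been handed to someone else is treated as stale, which is the case a late-reconnecting client produces.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class WorkUnit:
    uid: int     # unit id used in the server's bookkeeping
    index: int   # starting index into the shared dictionary
    count: int   # number of words the client should test from that index


class Dispatcher:
    """Server side: hands out dictionary slices and reassigns slices whose client went silent."""

    def __init__(self, dictionary_size: int, unit_size: int, timeout: float) -> None:
        self.units = [WorkUnit(uid, start, min(unit_size, dictionary_size - start))
                      for uid, start in enumerate(range(0, dictionary_size, unit_size))]
        self.pending: List[int] = [u.uid for u in self.units]   # FIFO of unit ids still to hand out
        self.assigned: Dict[int, Tuple[str, float]] = {}         # uid -> (node, deadline)
        self.done: Dict[int, str] = {}                            # uid -> node that completed it
        self.reports: List[Tuple[int, str, str]] = []             # (uid, node, text the client wrote to stdout)
        self.reassigned: List[int] = []
        self.timeout = timeout

    def request(self, node: str, now: float) -> Optional[WorkUnit]:
        """A client asks for work: give it the next index and remember when we expect to hear back."""
        if not self.pending:
            return None
        uid = self.pending.pop(0)
        self.assigned[uid] = (node, now + self.timeout)
        return self.units[uid]

    def complete(self, uid: int, node: str, exit_status: int, stdout: str) -> bool:
        """Client reports the exit status of its Stegbreak process; returns False if the report is stale."""
        owner = self.assigned.get(uid)
        if owner is None or owner[0] != node:
            return False                      # unit already reassigned or finished elsewhere
        del self.assigned[uid]
        if exit_status != 0:
            self.pending.insert(0, uid)       # a failed unit goes to the front so it is retried first
            return True
        self.done[uid] = node
        if stdout:
            self.reports.append((uid, node, stdout))
        return True

    def expire(self, now: float) -> List[int]:
        """Return overdue units to the queue; the server would call this periodically."""
        late = [uid for uid, (_, deadline) in self.assigned.items() if deadline <= now]
        for uid in late:
            del self.assigned[uid]
            self.pending.append(uid)
            self.reassigned.append(uid)
        return late

    def finished(self) -> bool:
        return len(self.done) == len(self.units)


def simulate() -> Dict[str, object]:
    """Constructed run: a 10-word dictionary in slices of 3, three nodes, one of which disconnects."""
    d = Dispatcher(dictionary_size=10, unit_size=3, timeout=5.0)
    a, b, c = d.request("A", 0.0), d.request("B", 0.0), d.request("C", 0.0)   # units 0, 1, 2
    d.complete(a.uid, "A", 0, "")                    # A: nothing found in words 0..2
    a2 = d.request("A", 1.0)                         # A gets unit 3 (the single leftover word)
    d.complete(c.uid, "C", 1, "")                    # C's process crashed: unit 2 is re-queued
    c2 = d.request("C", 2.0)                         # ... and C receives it again
    d.complete(c2.uid, "C", 0, "tracer.jpg: password found")   # constructed stdout line
    d.complete(a2.uid, "A", 0, "")
    late = d.expire(6.0)                             # B never reported; its deadline (5.0) has passed
    a3 = d.request("A", 6.0)                         # unit 1 goes to A
    stale = d.complete(b.uid, "B", 0, "")            # B reconnects late: report ignored
    d.complete(a3.uid, "A", 0, "")
    return {"late": late, "stale_accepted": stale, "reassigned": d.reassigned,
            "owner_of_unit1": d.done.get(1), "reports": d.reports,
            "finished": d.finished(), "retried_unit": c2.uid}


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

Slicing the dictionary rather than the image set, as the paper does, keeps every unit the same size regardless of how many images a job covers, so a slow or failed node costs at most one slice of words rather than one whole image.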

While analyzing the eBay images, Stegbreak was running on about sixty nodes, ten of them at the Center for Information Technology Integration and fifty on other machines at the University of Michigan. The total performance of the cluster when trying to find content hidden by JPHide is about 200,000 words per second. This is sixteen times faster than running on a single 1200 MHz Pentium III. The slowest client contributed 471 words per second to the job, the fastest 12,504 words per second. The average performance of a workstation is around 3,900 words per second.

For the USENET images, we increase the size of the cluster to about two hundred thirty nodes. Its peak performance is about 870,000 keys per second, the equivalent of seventy-two 1200 MHz Pentium III machines.


7 Discussion

At this writing, Crawl has downloaded over two million images from eBay auctions. For these images, Stegdetect indicates that about 17,000 seem to have steganographic content. Of these 17,000 images, 15,000 supposedly have content hidden by JPHide. All 15,000 images have been processed by Stegbreak. We get similar results from the one million images that we obtained from the USENET archives.

While Stegbreak has been running on a large cluster of loosely-coupled workstations, it is still too slow to process all images that Stegdetect finds. We hope to have access to more and better machines in the future.

To verify the correctness of all participating clients, we insert tracer images into every Stegbreak job. As expected, the dictionary attack finds the correct passwords for these images. However, so far we have not found a single genuine hidden message. We offer three possible explanations to support our results:

• There is no significant use of steganography on the Internet.

• We are analyzing images from sources that are not used to carry steganographic content.

• Nobody uses steganographic systems that we can find.

• All users of steganographic systems carefully choose passwords that are not susceptible to dictionary attacks.

Even if the majority of passwords used to hide content were strong, there would be a small percentage of weak passwords, e.g. a study conducted by Klein found nearly 25% of all passwords vulnerable [9]. Weak passwords are susceptible to a dictionary attack and we should have been able to find them. Similarly, even if most of the steganographic systems used to hide messages were undetectable by our methods, we still should find some images with hidden messages from detectable systems. That leaves two remaining explanations: either we are looking in the wrong place or there is no significant use of steganography on the Internet.

The popular press claims that steganographic messages are hidden in images on eBay, Amazon and on “pornographic bulletin boards.” So far, we have looked at images obtained from eBay and USENET. Given the high number of false positive images that we found, we also plan to improve the accuracy of Stegdetect.

8 Related Work

Fridrich et al. analyze the security of steganographic systems that embed information in the LSB of color images [4]. They find that the number of pairs of “very close” colors increases when hidden messages have been embedded. While they are able to detect steganographic content, they are not able to differentiate between steganographic systems.

Farid finds predictable higher-order statistics of unmodified images and shows that embedding messages distorts these statistics [3]. To find predictable higher-order statistics a large training set is required. As a result, the predictable statistics seem to reflect only properties of the sample set and might not apply to all images in general. The methods presented here do not require special training and apply to all images in general.

9 Conclusion

Steganography can be used for hidden communication. There are widely reported rumors that images on auction sites contain hidden messages. To verify these claims, we developed new techniques and software to find hidden messages on the Internet:

• Stegdetect allows us to detect steganographic content in JPEG images automatically.

• Crawl is an efficient web crawler that saves JPEG images from web pages that it encounters.

• Stegbreak launches dictionary attacks against steganographic systems to test whether content is indeed hidden in an image.

• Disconcert is a distributed computing framework for a cluster of loosely-coupled workstations used to distribute the dictionary attacks.

We analyzed two million images that we obtained from eBay auctions and one million images from USENET, but we are unable to report finding a single hidden message.

All software is freely available as source code and can be downloaded from www.outguess.org and www.citi.umich.edu/u/provos/.

10 Acknowledgments

We thank Bruce Fields, Patrick McDaniel, Jose Nazario and Therese Pasquesi for careful reviews and suggestions. We also thank Mark Giuffrida and David G. Anderson for providing computing resources. Additionally, we thank The Internet Archive for providing access to their USENET archives.

References

[1] Stefan Axelsson. The Base-Rate Fallacy and its Implications for the Difficulty of Intrusion Detection. In Proceedings of the 6th ACM Conference on Computer and Communications Security, pages 1–7, November 1999.

[2] Brian Chen and Gregory W. Wornell. Quantization Index Modulation: A Class of Provably Good Methods for Digital Watermarking and Information Embedding. IEEE Transactions on Information Theory, 47(4):1423–1443, May 2001.

[3] Hany Farid. Detecting Steganographic Messages in Digital Images. Technical Report TR2001-412, Department of Computer Science, Dartmouth College, August 2001.

[4] Jiri Fridrich, Rui Du, and Meng Long. Steganalysis of LSB Encoding in Color Images. In Proceedings of the IEEE International Conference on Multimedia and Expo, August 2000.

[5] The Internet Archive: Building an ’Internet Library’. http://www.archive.org/, November 2001.

[6] F. Johnson and S. Jajodia. Exploring steganography: Seeing the unseen. IEEE Computer Magazine, 31(2):26–34, February 1998.

[7] Jack Kelley. Terror groups hide behind Web encryption. USA Today, February 2001. http://www.usatoday.com/life/cyber/tech/2001-02-05-binladen.htm.

[8] A. Kerckhoffs. La cryptographie militaire. Journal des Sciences Militaires, February 1883.

[9] Daniel Klein. Foiling the Cracker: A Survey of, and Improvements to, Password Security. In Proceedings of the 2nd USENIX Security Workshop, pages 5–14, August 1990.

[10] Ueli M. Maurer. A Universal Statistical Test for Random Bit Generators. Journal of Cryptology, 5(2):89–105, 1992.

[11] Declan McCullagh. Secret Messages Come in .Wavs. Wired News, February 2001. http://www.wired.com/news/politics/0,1283,41861,00.html.

[12] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, Boca Raton, 1996.

[13] Niels Provos. OutGuess - Universal Steganography. http://www.outguess.org/, August 1998.

[14] Niels Provos. Libevent - An Asynchronous Event Notification Library. http://www.monkey.org/~provos/libevent/, November 2000.

[15] Niels Provos. Defending Against Statistical Steganalysis. In Proceedings of the 10th USENIX Security Symposium, pages 323–335, August 2001.

[16] Bruce Schneier. Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish). In Fast Software Encryption, Cambridge Security Workshop Proceedings, pages 191–204. Springer-Verlag, December 1993.

[17] RSA Data Security. The RC4 Encryption Algorithm, March 1992.

[18] D. Wagner and S. Bellovin. A Programmable Plaintext Recognizer. Unpublished manuscript, 1994.

[19] G. W. Wallace. The JPEG Still Picture Compression Standard. Communications of the ACM, 34(4):30–44, April 1991.

[20] Andreas Westfeld and Andreas Pfitzmann. Attacks on Steganographic Systems. In Proceedings of Information Hiding - Third International Workshop. Springer-Verlag, September 1999.