Steganography Detection Brittnee Morgan December 22, 2004 HPR 108B.

Steganography Steganography DetectionDetection

Brittnee MorganBrittnee Morgan

December 22, 2004December 22, 2004

HPR 108BHPR 108B

Topics of discussion:Topics of discussion:

What is Steganography?What is Steganography?

What is Steganalysis?What is Steganalysis?

What are some detection methods?What are some detection methods?

Is this a growing threat?Is this a growing threat?

What is Steganography?What is Steganography?

SteganographySteganography is the hiding of information within is the hiding of information within a more obvious kind of communication.a more obvious kind of communication.

Used for centuriesUsed for centuries traced back to the Roman Empire traced back to the Roman Empire

messenger shaved his head messenger shaved his head

tattooed a message on it tattooed a message on it

waited for his hair to grow backwaited for his hair to grow back

traveled to his destination traveled to his destination

shaved his head to reveal the message. shaved his head to reveal the message.

Also used invisible ink etc.Also used invisible ink etc.

Round 1 - BitmapRound 1 - Bitmap

One of these is just a regular image, the other has a 22.0 KB document hidden inside it. Can you tell which is which by just looking? The image on the right is the one with the embedded data.

Round 2 – GIF Round 2 – GIF

The same 22 KB document is hidden inside one of these.

The original was 4.8 KB, because it is compressed, the steg image is 251 KB

SteganalysisSteganalysis

SteganalysisSteganalysis is the detection of is the detection of steganography by a third party. steganography by a third party. Visual analysis- detecting changes in the Visual analysis- detecting changes in the appearance that are noticeable to the appearance that are noticeable to the human eye.human eye.Statistical (algorithmic) analysis- more Statistical (algorithmic) analysis- more powerful, reveals small alterations in an powerful, reveals small alterations in an image’s statistical behavior caused by image’s statistical behavior caused by steganographysteganography

Different Statistical TestsDifferent Statistical Tests

Average bytes - above 175 Average bytes - above 175 indicates data embedded, indicates data embedded, below indicates clean file.below indicates clean file.Differential values – above Differential values – above 150 is dirty, below 50 is clean150 is dirty, below 50 is cleanYou can also use variation of You can also use variation of the bytes, kurtosis, and the bytes, kurtosis, and average deviation graphs, but average deviation graphs, but they have no distinct breaking they have no distinct breaking point, and therefore can not point, and therefore can not be universal.be universal.There are also more There are also more complicated types, such as complicated types, such as mathematical steganalysismathematical steganalysis

Types of DetectionTypes of Detection

S-tools & Hide and S-tools & Hide and Seek – examine color Seek – examine color table of .bmp images table of .bmp images for near duplicatesfor near duplicatesJ-Steg – hides in DCT J-Steg – hides in DCT coefficients, use coefficients, use statistical testingstatistical testingEZ-Stego – look at EZ-Stego – look at color table, can see color table, can see by looking at image if by looking at image if it is degradedit is degraded

WetStone TechnologiesWetStone Technologies

WetStone WetStone delivers cyber security and delivers cyber security and

digital investigation digital investigation products products

training to government, law training to government, law enforcement, and private enforcement, and private sector organizations around sector organizations around the world. the world.

StegoStego Suite 4.1 Suite 4.1 Stego Watch Stego Watch Stego Analyst Stego Analyst Stego BreakStego Break

StegoWatch, Stego Analyst and StegoWatch, Stego Analyst and Stego BreakStego Break

Stego Analyst-Stego Analyst- An imaging An imaging tool that allows searches for tool that allows searches for visual cluesvisual cluesCan examine characteristics Can examine characteristics such as color palettes, hue, such as color palettes, hue, intensity, used colors, etc…intensity, used colors, etc…Stego Break-Stego Break- Applies a Applies a dictionary based attack, to dictionary based attack, to obtain passwords.obtain passwords.

Stego Watch-Stego Watch- This allows This allows users to detect the presence users to detect the presence of hidden communications in of hidden communications in digital images or audio files.digital images or audio files.

Niels Provos and StegDetectNiels Provos and StegDetect

Niels Provos is one of the Niels Provos is one of the leaders in Steganography leaders in Steganography detection, he developed detection, he developed Stegdetect.Stegdetect.This program uses a This program uses a webcrawler to save images webcrawler to save images and send them to and send them to Stegdetect. Stegdetect. It also includes Stegbreak It also includes Stegbreak which launches dictionary which launches dictionary based attacks on jpegs.based attacks on jpegs.Problems: Problems:

Many false positivesMany false positives Too slowToo slow

Dangers of SteganographyDangers of Steganography

Explosion on internet traffic provides perfect Explosion on internet traffic provides perfect environment for steganographyenvironment for steganographyOver 100 free steg programs on the internet, Over 100 free steg programs on the internet, over 1 million downloadsover 1 million downloadsTerrorism – In a New York Times article it Terrorism – In a New York Times article it explains the use of steganography by terrorists explains the use of steganography by terrorists linked to Osama Bin Laden, as well as the linked to Osama Bin Laden, as well as the Zacarias Moussaoui case that we read about.Zacarias Moussaoui case that we read about.Used for industrial espionage, trade secret theft, Used for industrial espionage, trade secret theft, cyber weapon exchange, and criminal cyber weapon exchange, and criminal coordination and communication.coordination and communication.

Future of Steg and SteganalysisFuture of Steg and Steganalysis

As the use of steganography becomes more As the use of steganography becomes more widespread in both the traditional and criminal widespread in both the traditional and criminal world, the techniques are becoming better and world, the techniques are becoming better and better.better.

Steganalysis is also getting better, but as people Steganalysis is also getting better, but as people publish their findings, it is easier to protect publish their findings, it is easier to protect against it. against it.

Laws are changing to encompass digital Laws are changing to encompass digital information. on Niels Provos’ information. on Niels Provos’ websitewebsite, the , the legality is said to be questioned.legality is said to be questioned.

My ThoughtsMy Thoughts

There is a lot of information out there.There is a lot of information out there.

Too many imagesToo many images

Easy accessEasy access

SummarySummary

Today we talked aboutToday we talked about What steganography isWhat steganography is

What steganalysis isWhat steganalysis is

Some detection methodsSome detection methods

Some programs usedSome programs used

The growing threat when used maliciouslyThe growing threat when used maliciously

For more information look at my website at: http://www.uri.edu/personal2/love0945/stegdetection.htm