Steganography and steganalysis. seeing and application options

Lecture



Steganography is the science of covertly transferring information by keeping the very fact of transmission secret. The main task is to ensure that a person does not suspect that valuable hidden information is inside transmitted information that outwardly appears to have no value at all. Thus, steganography allows secret information to be transmitted over open channels while hiding the very fact of its transmission. Cryptography protects the message, making it useless if intercepted, whereas steganography seeks to hide the message transmission itself. Cryptography and steganography can be used together: the message is first encrypted and then covertly transmitted. If cryptography is used without steganography, there is a risk that an observer who intercepted the message will force the sender or recipient to decrypt it.

Stegoanalysis or steganalysis is a branch of steganography: the science of detecting the fact that hidden information is being transferred in the analyzed message. In some cases, steganalysis also refers to extracting the hidden information from the message containing it and (if necessary) decrypting it. The latter definition should be used with the appropriate reservation.

Steganography today
● Big Data: very large volumes of data
● A huge number of data transfer and storage protocols, file systems, operating systems
● Internet
● Internet - IoT
● Internet - a large number of participants, data channels
All of the above creates favorable conditions for steganography.

Three goals of information hiding
● Hidden transmission or storage of data (SPD): only this is steganography ("concealment") in the strict sense
● Watermarks (OT, "digital watermarking"): labels that are the same for each copy
● Digital fingerprints (CO, "stego fingerprinting"): labels that are different for each copy

CO vs OT
● CO and OT must be distinguished, if only because of the collusion attack. A watermark (OT) can be steganographic: a steganographic watermark (SVZ). A fingerprint (CO) cannot.
● Collusion attack: take n copies of the container and build a single copy from them, the bitwise XOR of all of them.

Remark 1. The term "information hiding" is not established in Russian-language literature, and CO and OT are often also called "steganography".
Remark 2. There is also the term "CEH" (digital watermark). Sometimes it means CO, sometimes OT, and sometimes both at once in one article ;)

Practical use
1. Imperceptible information transfer (SPD)
2. Hidden storage of information (SPD)
3. Non-declared information storage (SPD)
4. Protection of exclusive rights (AC)
5. Copyright Protection (OT)

6. Protection of authenticity of documents (OT)
7. Individual imprint in SEDO (CO)
8. Watermark in DLP systems
9. Hidden transmission of the control signal (SPD)
10. Steganographic botnet network (SPD)

11. Inalienability of information (OT)
12. Confirmation of the accuracy of the information transmitted (AC)
13. Funkspiel (“Radio Game”) (SPD)
14. Steganographic Tracking (SPD)
15. Steganographic distraction.

Steganalysis

Wikipedia, the free encyclopedia

Content

  • 1 Method of steganalysis
    • 1.1 Offenders
  • 2 Classification of attacks on the stegosystem
    • 2.1 Classification of attacks on digital watermark systems
  • 3 Some attacks
    • 3.1 On classic stegosystems
      • 3.1.1 Shaving the head
      • 3.1.2 Appearance
    • 3.2 On digital stegosystems
      • 3.2.1 Subjective attack
      • 3.2.2 Histogram image analysis
      • 3.2.3 RS image analysis
      • 3.2.4 A machine learning method for image analysis
      • 3.2.5 Attack using compression algorithms for analyzing audio files
      • 3.2.6 Attack using compression algorithms for analyzing text files
      • 3.2.7 Attack using a compression algorithm for analyzing executable files
      • 3.2.8 Attacks on video files

Steganalysis method

The intruder (analyst) seeks to break the steganographic system, that is, to detect the fact that a message is being transmitted, to extract the message, and either to modify the message or to prevent its transmission [1]. Analysts usually break a system in several stages [1]:

  1. Detection of the fact of a hidden message, the most difficult stage [2]
  2. Message retrieval
  3. Message modification
  4. Prevent message forwarding

The system is considered broken if the analyst succeeds in proving at least the presence of a hidden message [1].

During the first two stages, analysts usually carry out the following activities [2]:

  1. Subjective attack
  2. Stego sorting by external features
  3. Identify used message embedding algorithms
  4. Selection of messages with a known embedding algorithm
  5. Checking the sufficiency of the volume of material for analysis
  6. Check of possibility of the analysis in special cases
  7. Analysis of materials and development of methods for opening the system

Violators

There are several types of offenders [2]:

  1. A passive intruder, who is able only to detect the fact that a message is being sent and, possibly, to retrieve the message.
  2. An active intruder, who, apart from detection and extraction, can also destroy and delete a message.
  3. A malicious intruder, who, in addition to detection, extraction, destruction and removal, is able to create a false system.

The classification of attacks on stegosystem

Some attacks on steganosystems are similar to cryptographic attacks [1]:

  • Attack based on a known filled container;
  • Attack based on a known embedded message;
  • Attack based on a selected embedded message. Used when the analyst can select a message and analyze the sent filled containers.
  • Adaptive attack based on a selected embedded message. A special case of an attack based on the selected hidden message, when the analyst has the ability to select messages based on the results of the analysis of previous containers.
  • Attack based on a selected filled container;

But there are also attacks that have no direct analogues in cryptography [3]:

  • Attack based on a known empty container. In this case, the analyst has the ability to compare empty and filled containers.
  • Attack based on a selected empty container;
  • Attack based on a known mathematical model of the container or its part;

The classification of attacks on digital watermark systems

There are specific attacks on digital watermark systems [2]:

  • Attacks against the embedded message, aimed at removing or disabling the CEH. Such attack methods do not attempt to isolate a watermark.
  • Attacks against the stego detector, which hinder or make impossible the correct operation of the detector. Such attacks leave the CEH unchanged.
  • Attacks against the protocol of use of the CEH: creating false CEH or stego messages, inverting the existing watermark, adding several watermarks.
  • Attacks against the CEH aimed at extracting a watermark from a message. For these attacks, it is desirable to leave the container without distortion.

Some attacks

On classic stegosystems

Head shave

An attack based on a known filled container against the ancient system of passing messages on the skin of a slave's head. A message was tattooed on the slave's head, and the sender waited for the hair to grow back. Then the slave was sent to the recipient of the message. The attack on this system is primitive: shave the slave again and read the message [4].

Manifestation

An attack based on a known filled container against a system that passes messages in letters written with sympathetic ink. During World War II, analysts ran brushes moistened with developers over letters and read the messages that appeared. Exposure to ultraviolet or infrared radiation was also used [4].

On digital stegosystems

Subjective attack

An attack based on a known filled container. The algorithm is simple: the analyst examines the container without special tools, trying to determine "by eye" whether it contains stego. That is, if the container is an image, the analyst looks at it; if it is audio, the analyst listens to it. Although such an attack is effective only against almost unprotected steganographic systems, it is widespread at the initial stage of breaking a system [2].

Histogram image analysis

An attack based on a known LSB-filled container. Andreas Pfitzmann and Andreas Westfeld noted [5] that if the embedded message has a uniform distribution and the frequencies [formula] of occurrence of color [formula] before embedding were related by [formula], then the frequencies [formula] after embedding are related to the frequencies before embedding as follows:

[formula]

That is, embedding a uniform message reduces the difference between the frequencies of neighboring colors that differ only in the least significant bit. It is also noted that LSB embedding leaves the sum of the frequencies of each such neighboring pair unchanged. An analysis method using the chi-square test is built on these facts:

  1. The expected distribution is obtained by the formula: [formula]
  2. The chi-square value comparing the expected distribution with the distribution of the sequence under study is: [formula], where [formula] is the number of histogram columns minus 1
  3. The probability [formula] that the two distributions are the same, and hence that there is a hidden message in the container, is equal to [formula], where [formula] is the gamma function.

Usually, a series of probability measurements is carried out over fragments of the image, so that the length of the presumed message can also be measured from the jump in probability.

In the case when the container is not an image with color indexation, but a JPEG image, instead of color indices, the coefficients of the discrete cosine transform are used for the analysis [5].
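The chi-square procedure above, as an added Python example that is not part of the original lecture. Because the page's formulas are missing, it uses the standard Westfeld-Pfitzmann pairs-of-values form (the expected count of each even value is half of its pair's total, and p is the upper tail of the chi-square distribution); the cover data is a constructed sample and all function names are this example's own.

```python
import math
import random

def gamma_q(a, x):
    """Regularised upper incomplete gamma Q(a, x); chi-square tail = Q(dof/2, chi2/2)."""
    if x <= 0:
        return 1.0
    scale = math.exp(a * math.log(x) - x - math.lgamma(a))
    if x < a + 1:                      # power series for P(a, x), then Q = 1 - P
        term = total = 1.0 / a
        n = a
        while term > total * 1e-15:
            n += 1
            term *= x / n
            total += term
        return 1.0 - total * scale
    b = x + 1 - a                      # modified Lentz continued fraction for Q(a, x)
    c, d = 1e300, 1.0 / b
    h = d
    for i in range(1, 1000):
        an = -i * (i - a)
        b += 2
        d = 1.0 / ((an * d + b) or 1e-300)
        c = (b + an / c) or 1e-300
        delta = d * c
        h *= delta
        if abs(delta - 1) < 1e-15:
            break
    return h * scale

def chi_square_lsb(samples, levels=256, min_expected=5):
    """Return (chi2, dof, p); p near 1 means the histogram fits full LSB embedding."""
    hist = [0] * levels
    for s in samples:
        hist[s] += 1
    chi2, pairs = 0.0, 0
    for k in range(0, levels, 2):
        expected = (hist[k] + hist[k + 1]) / 2   # pair sum is unchanged by LSB embedding
        if expected >= min_expected:             # skip sparse pairs
            chi2 += (hist[k] - expected) ** 2 / expected
            pairs += 1
    dof = pairs - 1
    return chi2, dof, (gamma_q(dof / 2, chi2 / 2) if dof > 0 else 0.0)

def scan_fragments(samples, n_blocks=10):
    """p for each consecutive fragment; the jump in p marks where the message ends."""
    size = len(samples) // n_blocks
    return [chi_square_lsb(samples[i * size:(i + 1) * size])[2] for i in range(n_blocks)]

def make_cover(n, rng):
    # Constructed cover: skewed values, so neighbouring colors have unequal frequencies.
    return [min(255, int(rng.expovariate(1 / 6))) for _ in range(n)]

def embed_lsb(samples, fraction, rng):
    # Uniform message written sequentially into the LSBs of the first `fraction` samples.
    cut = int(len(samples) * fraction)
    return [(s & ~1) | rng.getrandbits(1) for s in samples[:cut]] + samples[cut:]

RNG = random.Random(2024)
COVER = make_cover(200_000, RNG)
HALF_FILLED = embed_lsb(COVER, 0.5, RNG)

if __name__ == "__main__":
    for name, data in (("cover", COVER), ("half filled", HALF_FILLED)):
        print(name, ["%.2f" % p for p in scan_fragments(data)])
```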

RS image analysis

An attack based on a known filled container against a system that embeds stego into an image using the LSB method. Regular-Singular analysis was proposed in 2001 by a team of researchers from Binghamton University [5].

The method is based on dividing the image into connected groups [formula] of [formula] pixels. For each group, the value of the regularity (smoothness) function [formula] is determined. Most often, the regularity function is the sum of the differences of neighboring pixels in the group [5].

A flipping function is introduced: a function [formula] such that [formula]. Three flipping functions are used in this analysis [5]:

  • [formula] - inversion of the least significant bit of the color in the image
  • [formula] - leaving the value unchanged
  • [formula] - inversion of the least significant bit of the color in the image with carry into the higher bits (that is, [formula], [formula], etc.).

Inside a group, different flipping functions can be used for different pixels, so a mask [formula] is written: an [formula]-dimensional vector in the space [formula] indicating which flipping corresponds to which pixel in the group: [formula] [5]

All resulting groups [formula] are divided into three types [5]:

  • Regular, for which [formula] increases the smoothness value
  • Singular, for which [formula] reduces the smoothness value
  • Unused, for which [formula] does not change the smoothness value

Next, the number [formula] of regular groups and the number [formula] of singular groups are counted for the mask M, along with the analogous quantities [formula], [formula] for the inverted mask -M. The researchers' statistical hypothesis, confirmed on a sample of real photographs, is that inverting the mask hardly changes the number of regular and singular groups for an empty container [5]:

[formula], [formula]

At the same time, the researchers noticed that introducing random distortions violates this relation: random distortions reduce the difference between [formula] and [formula] as the length of the embedded message increases. The RS analysis method is built on this fact [5]:

  1. A diagram is constructed: the fraction of inverted bits is plotted on the abscissa, and the fractions of singular and regular groups among all groups are plotted on the ordinate
  2. Several curves are plotted on the diagram, assuming that the length of the message is [formula] and that writing a message changes 50% of the low-order bits:
    1. The straight lines [formula] and [formula] are built from two points: the unchanged image (the point with abscissa [formula]) and the image with inverted low-order bits (the point with abscissa [formula])
    2. The parabolas [formula] and [formula] are built from three points: the point with abscissa [formula], the point with abscissa [formula], and the point with abscissa 50% (random values written to the low-order bits)
  3. Taking the abscissa [formula] as 0 and the abscissa [formula] as 1, the abscissa [formula] of the intersection point of the curves [formula] and [formula] is determined, and the estimated length of the message is calculated: [formula]

Machine learning method for image analysis

The method was proposed by Siwei Lyu and Hany Farid in 2002 in response to improvements in message embedding algorithms. They suggested using the support vector machine, well known in machine learning. As a feature vector, the method uses a vector computed from the statistical regularities of the distribution of groups of image pixels: expectation, variance, standard deviation, etc. [5]

Attack using compression algorithms for analyzing audio files

It is noted [6] that files containing hidden messages compress worse than files that do not contain messages. A group of attacks using compression methods is based on this observation. One of these attacks is a method for analyzing WAVE format audio files.

The analysis algorithm [6], assuming that the file (empty container), the algorithm for embedding the stego message, and the data compression algorithm are known:

  1. The analyst applies the message embedding algorithm to the file with some pre-selected fill factor, obtaining a filled container.
  2. The analyst then compresses both files and obtains the compression ratios of the empty container [formula] and of the filled container [formula].
  3. Finally, the analyst calculates the absolute value of the difference of the compression ratios [formula] and compares it with a pre-selected threshold value [formula]. If [formula], then we can conclude that the file contains a stego message.

The threshold values depend on the content of the audio file and the archiver used, are determined experimentally, and lie in the range from 0.05% to 0.2% [6].
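The audio procedure above as an added Python example, not code from the original lecture: zlib stands in for the archiver, a constructed 16-bit tone stands in for the WAVE data, and the compression ratio is taken as compressed size over original size in percent. The inequality in step 3 is missing from the page, so the decision direction used here (a small change means the low bits were already noise-like) is this example's assumption, as are all function names.

```python
import math
import random
import struct
import zlib

def ratio_pct(data):
    """Compressed size as a percentage of the original size (zlib as the archiver)."""
    return 100.0 * len(zlib.compress(data, 9)) / len(data)

def embed_lsb(pcm, fill, rng):
    """Overwrite the LSB of a `fill` share of 16-bit little-endian samples with random bits."""
    out = bytearray(pcm)
    for i in range(0, len(out) - 1, 2):       # index i is the low byte of each sample
        if rng.random() < fill:
            out[i] = (out[i] & 0xFE) | rng.getrandbits(1)
    return bytes(out)

def compression_delta(pcm, fill=1.0, seed=1):
    """Steps 1-3: embed into the file under study, compress both, return |D1 - D2|."""
    trial = embed_lsb(pcm, fill, random.Random(seed))
    return abs(ratio_pct(pcm) - ratio_pct(trial))

def already_filled(pcm, threshold_pct, fill=1.0):
    # Assumed direction: if a trial embedding barely changes compressibility,
    # the low bits were already noise-like, which suggests an existing message.
    return compression_delta(pcm, fill) < threshold_pct

def make_tone(n=20000, period=100):
    # Constructed signal: a pure tone whose low bits are fully predictable.
    return b"".join(struct.pack("<h", int(12000 * math.sin(2 * math.pi * i / period)))
                    for i in range(n))

TONE = make_tone()                                   # empty container
SUSPECT = embed_lsb(TONE, 1.0, random.Random(99))    # container that already carries data

if __name__ == "__main__":
    # The 0.05%-0.2% thresholds quoted in the text are for real recordings;
    # this constructed tone is far more compressible, so 1% is used here.
    for name, pcm in (("tone", TONE), ("suspect", SUSPECT)):
        print(name, "%.3f%%" % compression_delta(pcm), already_filled(pcm, 1.0))
```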

Attack using compression algorithms for analyzing text files

The attack is based on the same fact as the attack on audio files using compression algorithms. Let there be three texts: [formula], [formula] and [formula], where [formula] and [formula] contain hidden messages. If [formula] is appended to the end of each of the texts [formula] and [formula], the resulting texts are compressed with an archiver, and the sizes that the text occupies in the resulting archives [formula] are measured, then it turns out that in the archive obtained from the texts [formula] and [formula], [formula] takes up less space. This can be interpreted as a sign of the presence of a stego message in the container [formula] [7].

Algorithm:

  1. The analyst prepares the file under investigation: all characters other than digits, letters, punctuation marks, spaces and line breaks are deleted, runs of two or more space or line-break characters are reduced to single characters, and the resulting file is truncated to a fixed size.
  2. The analyst appends the resulting text to the end of two specially selected files [formula] and [formula], obtaining the files [formula] and [formula].
  3. The analyst measures the compression ratios [formula] and [formula] of both initial files. The compression ratios [formula] and [formula] of both resulting files are also measured.
  4. The analyst calculates two values: [formula] and [formula]. It was established experimentally that plain text satisfies the condition [formula] or [formula]. If the measured values do not satisfy this condition, the presence of stegotext can be considered established.

Attack using a compression algorithm for analyzing executable files

The attack is based on the same facts as other attacks based on compression algorithms, but uses the features of the PE executable file format and of the specific message embedding algorithm [8] that is being analyzed [9].

Algorithm:

  1. The analyst extracts the code section from the executable file container and deletes the alignment bytes at the end of the section, if present. The code section is chosen because the embedding algorithm works with it.
  2. The analyst compresses the last [formula] bytes of the section. [formula] is chosen experimentally in advance.
  3. If the length of the resulting code is greater than a certain threshold value [formula], the analyst can conclude that a stego message is present in the file. [formula] is also determined experimentally.

Attacks on video files

As an example of video file analysis, one can cite a statistical analysis similar to histogram image analysis. In this case the analyst checks the statistical properties of the signal and compares them with the expected ones: for example, for the low-order bits of the signals, the distribution is similar to noise. The chi-square test works well for the comparison [10].

To destroy the message, you can use various transformations [10]:

  • Video transcoding using lossy compression algorithms;
  • Reordering or deleting video footage frames;
  • Geometric transformations;
