- Email: [email protected]
Approaches to obtaining fingerprints of steganography tools which embed message in fixed positions
Journal Pre-proof Approaches to obtaining fingerprints of steganography tools which embed message in fixed positions Pengjie Cao Xiaolei He Xianfeng Zhao Jimin Zhang
PII:
S2665-9107(19)30019-2
DOI:
https://doi.org/doi:10.1016/j.fsir.2019.100019
Reference:
FSIR 100019
To appear in:
Forensic Science International: Reports
Received Date:
20 June 2019
Revised Date:
16 July 2019
Accepted Date:
16 July 2019
Please cite this article as: Pengjie Cao, Xiaolei He, Xianfeng Zhao, Jimin Zhang, Approaches to obtaining fingerprints of steganography tools which embed message in fixed positions, (2019), doi: https://doi.org/10.1016/j.fsir.2019.100019
This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain. © 2019 Published by Elsevier.
Approaches to obtaining fingerprints of steganography tools which embed message in fixed positions I Pengjie Caoa,b , Xiaolei Hea,b , Xianfeng Zhaoa,b , Jimin Zhanga,b a State
Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China b School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100093, China
Abstract
of
Recently, more and more steganography tools are exploited to embed malicious code into images by attackers, which brings harm to society. Thus, it has been a tricky problem, for which needs to detect the stego-images correctly. Sig-
ro
nature detection, an effective method was proposed to solve this problem by identifying the fingerprints of steganography tool that are left in the stego-images. Unfortunately, extracting the fingerprints of steganography tools from the
-p
stego-images is a troublesome job. Few researchers pay attention to it and realize it. In this report, we discuss some approaches to obtaining fingerprints of steganography tools which embed message in fixed positions. Three main
re
cases will be analyzed, including embedding message in the reserved positions of the image file header, embedding message in the sequential LSBs(least significant bits) of the image file data and embedding message in the redundant positions behind the image file tail. For each case, we summarize a general approach of fingerprint extraction and its
rn al P
effectiveness has been confirmed through the test on some typical steganography tools. Keywords: steganography tools, fingerprints, approaches
1. Introduction
Steganography is a covert communication technique to embed message into multimedia files such as digital im-
Jo u
ages, audios and videos, and then transfer the stego-files through public communication channels[1]. On the other hand, steganalysis techniques are used to detect the presence of hidden message in an image. With the development of steganography techniques, the steganalysis techniques also develop rapidly. Based on the steganography techniques, a multitude of steganography tools are designed and appear on Internet. According to the survey, the number of steganography tools has reached more than 1000 so far. You can find most of them on websites[2]. These steganography tools play a very important role in protecting personal privacy. But they may also be used by hackers to create some malicious attacks. Thus, it is indispensable to adopt some strategies to detect these stego-files for security. I This work was supported by NSFC under U1636102, U1736214, 61802393 and 61872356, National Key Technology R&D Program under 2016QY15Z2500, and Project of Beijing Municipal Science & Technology Commission under Z181100002718001 Email addresses: [email protected] (Pengjie Cao), [email protected] (Xianfeng Zhao)
Page 1 of 14
In the past, most researchers adopted some traditional steganalysis algorithms to analyze these stego-files. One uses the corresponding dedicated steganalysis algorithms[3][4][5][6] if they have known the steganography algorithms in advance. The other uses the universal steganalysis algorithms[7][8][9] without knowing the steganography algorithms in detail. All of them have achieved positive results on some data sets. Different from the previous methods, signature technique is another effective way to detect the stego-files and can also significantly decrease the false alarm rate. Many experiments show that some fingerprints of steganography tools will be left in the stego-files in the process of embedding message. This is because some extra fixed bytes for purpose of copyright protection or information extraction may be embedded. Generally, these fixed bytes can be extracted as fingerprints of steganography tools for detection. Yet, how to find it in a stego-file is a very difficult problem. Different embedding cases of steganography
of
tools may need different approaches to extract it.
So, in this report, we discuss three main cases of fixed position embedding, which are: embedding message in
ro
the reserved positions of the image file header, embedding message in the sequential LSBs(least significant bits) of the image file data and embedding message in the redundant positions behind the image file tail. For each case,
-p
based on the analysis, we sum up an effective approach to obtaining fingerprints of steganography tools. The main analytical way is to compare cover-images with stego-images in detail and search for the abnormal data between them.
re
Then, next step is extracting the common byte or bit sequences from abnormal data in stego-images as fingerprints. Beside this, in the process of analysis, there are four key points that should be considered. Firstly, occurring to three embedding cases occur in different parts of the image, we divide the image file into three parts: image file header,
rn al P
image file data and image file tail to analyze. Secondly, the BMP-image and JPEG-image are chosen as the main discussional file-object because these two image formats are the used most by steganography tools. Thirdly, we choose the black box as an analytical tool to find the differences between cover-images and stego-images. The black box is an efficient tool, for you only focus on the input and output of the steganography tool, without understanding the code of it. Fourthly, we use LCS(longest-common-subsequence)algorithm to extract the common byte or bit sequences as fingerprints from the stego-images. In the end, some experiments have been done on some widely used
Jo u
steganography tools to verify the effectiveness of each approach. All results show that the proposed approaches can match the fingerprint extraction of steganography tools which embeds message in fixed positions. The structure of this report is as follows. Section 2 introduces some related background knowledge. Section 3 presents analysis of three cases and gives a general approach of fingerprint extraction for each case. The performance of the approaches will be measured and evaluated in the section 4. We conclude the report in Section 5, where we present some final thoughts, insights and discuss future avenues of work.
2. Related background knowledge In this section, we introduce some background knowledge which will be referred in the following analysis. The details are as follows. 2
Page 2 of 14
JPEG STRUCTURE
BMP STRUCTURE
biSize
bfType
RESn
SOF0
COM
DHF
TEM
biClrUsed
Image File Tail
biXPelsPerMeter
DQT
JPGn Image Data
DC Table
AC Table
biClrImportant
of
bfOffBits
biCompression
APP0
SOS Reserved Marker
biYPelsPerMeter
Fundamental Marker
biSizeImage
biPlanes Image Data
bfReserved2
biBitCount
Color Palette
File Header
bfReserved1
File Information Header
bfSize
biHeight
APPn
SOI
biWidth
Image File Header
Figure 2: JPEG Structure Description
ro
Figure 1: BMP Structure Description
-p
BMP file structure. The BMP image[10] is called Bitmap image file or DIB file format and is a raster graphics image file format used to store bitmap digital images. It is widely used on Microsoft Windows operating systems. As shown in figure1, its file structure mainly consists of four parts: file header, file information header, color palette,
re
and image data. The file header describes the format and the size information of the file. The file information header shows some basic information of image such as size, bit planes, compression method, and color index. Color palette
rn al P
stores a mapping table of the index and its corresponding color values. The last part is occupied by image pixels. Survey shows that the bfReserved1 marker and bfReserved2 marker in the file header, the LSBs of image pixels and the area behind the file tail may generate some redundant positions for embedding. JPEG file structure. The JPEG image[11] is the most widely used image format because of its high performance. Even though it occupies very few bytes, it does show the image clearly. Different from the structure of the BMP file, the JPEG file is composed of marker code and compressed data. The main structure of the JPEG file is shown
Jo u
in figure2. According to the order of marker-segments stored in the image, we split the JPEG file into three parts: image file header, image data, and image file tail. The image file header contains fundamental marker-segments, such as SOI(Start of Image), DQT(Difine Quantization Table), SOF0(Start of Frame), DHF(Difine Huffman Table) and other reserved marker-segments, such as APPn(Application-specific), JPGn(Reserved for JPEG extensions), RESn(Reserved), COM(Comment), TEM(For temporary use in arithmetic coding). Next, the image data stores the compressed data called DCT coefficients, not pixels. The last part is a marker which describes the end of the file. Different from the BMP image, redundant positions appear in the reserved marker-segments of the image file header, the LSBs of the DCT coefficients and the area behind the tail marker of the image. LSB replacement and matching. LSB replacement[12] and LSB matching[13] are two basic types of steganography algorithms which are used widely by most steganography tools, for they are easy to implement, safe and efficient. 3
Page 3 of 14
message:010
Least significant bit replacement 1 01 1 1 11
1 01 1 1 10
96
1 10 0 0 00
1 10 0 0 01
93
1 01 1 1 01
1 01 1 1 00
…
…
…
of
95
ro
Figure 3: LSB replacement Description
LSB replacement replaces the carrier’s least significant bits with message bits directly. As shown in figure3, the least
-p
significant bits of pixel set(95, 96, 93) are replaced by message’s bit set(0, 1, 0). The steganography tools can securely embed secret data without being discovered by this simple modification. LSB matching is a modified edition of LSB
re
replacement. In the process of information embedding, if the value of carrier’s lsb matches the message bit, the value will remain unchanged, or it will be added or subtracted by 1 at random. Because of this, the LSB matching is more
rn al P
difficult to detect than LSB replacement. The information extraction of them is done in the same way by extracting the LSBs of pixels or DCT coefficients. So, if we have known that the steganography algorithm is LSB replacement or LSB matching in advance, we can briefly extract relevant embedding information bits. Software version
Software tag
0
..
..
1
Jo u
STEGHIDE
File Name
1
..
..
encryption information
File Length
1
0
..
1
1
..
Secret message
1
…
End tag
1
0
1
Cover lsb bits
Figure 4: General embedding protocol
Embedding protocol. Each steganography tool has its own embedding protocol. As shown in Figure4, most of them may have the common structure, contain these elements: software tag, software version, file name, file length, encryption information, secret data, ending tag. The information of software tag and software version is mainly used for copyright protection and the information of other elements is used for extraction. We notice that each stego-image 4
Page 4 of 14
will contain the same information of software tag and software version, if they have been embedded information with the same steganography tool. So, it creates the possibility to identify the authenticity of these image files by matching these common information. These common information can be extracted to form a fingerprint set for detection. Embedding order. Different steganography tools usually provide different choices of embedding order for users. The main four orders are shown in figure5. The first order starts from the top left corner, from left to right and then from top to bottom; The second order starts from the top left corner, from top to bottom and then from left to right; The third order starts from the bottom left corner, from left to right and then from bottom to top; The fourth order starts from the bottom left corner, from bottom to top and then from left to right. For the convenience of analysis and
of
description, we have described it as an embedding order set O{a, b, c, d}. According to different embedding orders,
-p
ro
we can extract all possible LSBs of pixels or DCT coefficients to find fingerprints .
b
c
d
re
a
rn al P
Figure 5: General embedding protocol
Black box test for analysis. Black box test is one type test model which is used to check whether the software interfaces and software functions meet the requirements. When using this model, you don’t need to understand the coding of the software, but only need to focus on the values of software’s input and output. Based on this feature, without having more information about the steganography tools, we can easily compare the difference between the
Jo u
decoding bytes of cover-image and stego-image to find some embedd traces. black box test
cover image
parameters
INPUT
Steganography Code
OUTPUT
stego image
Figure 6: Block box test
5
Page 5 of 14
3. Analysis of three cases of fixed position embedding According to the surveys, a multitude of steganography tools usually adopt these three fixed position embedding manners. The first manner happens in the header of the image file, using the reserved positions to store secret data. The second manner occurs at the end of the image file, using file mounting to hide information. Both manners are simple and easy to implement, but less secure. The third manner is to use LSB replacement or LSB matching algorithm to embed secret data into the sequential LSBs of image pixels or DCT coefficients. This manner is chosen by most steganography tools because of its higher security and capacity embedding. These three manners hold the same characteristics that all the steganography tools will choose the redundant positions of the image file to hide
of
information. This is because the changes in these positions can’t be perceived by the human vision. So, it is obvious that analysis of these fixed redundant positions becomes the first choice for the task. Meanwhile, because these three
ro
cases of fixed position embedding happen in the different parts of the image file, we divide the image file into three parts:image file header, image data and image file tail to analyze and separately adopt different analytical strategies.
-p
Embedding in fixed positions of the image file header. The information of the image file header mainly describes properties(such as width, height, resolution, palette, etc.) of the image. We find that some of them may be changed
re
by steganography tools in this case. For example, the length of the file header of a BMP image will be increased if the image is embedded by Imagehide[14]; The resolution of a BMP image will be changed if the image is embedded
rn al P
by BMPSecret[14]. However, these changes may happen if the image is processed by other image processing tools. These phenomena are not unique, which are only produced by steganography tools. As a result, we can’t extract definite fingerprints from these modified values in stego-images. Fortunately, beside this, we find that some reserved positions can also be changed. Some extra marker-segments appear in the image file header of stego-images and many special byte sequences are contained in it. Yet, it does not happen when the image is processed by other image processing tools. So, these extra marker-segments can be seen as abnormal data which are brought by steganography tools, and there may be some common byte subsequences in these abnormal byte sequences extracted from different
Jo u
stego-images because of using the same embedding protocol. Thus, these common byte subsequences can be extracted as fingerprints. In actual operation, there is a difference between the BMP-image and JPEG-image. Most cases may choose the JPEG image as the operation object, because the JPEG image remain more reserved positions than BMP image, where we can see from the background knowledge of the BMP file and JPEG file structure. Therefore, we should pay more attention to the image file header when we meet the JPEG stego-files. Based on the analysis of this case, we give a general approach of fingerprint extraction as follows. • step1: Use black box tool to make samples, input the cover-images and other parameters and get the corresponding output stego-images. • step2: Decode the header of the cover images and stego-images according to the respective image structure.
6
Page 6 of 14
• step3: If the image is BMP file, then get values of the bfReserved1 and the bfReserved2 marker. Or if the image is JPEG file, get values of the reserved marker-segments: APPn, JPGn, RESn, COM, TEM. • step4: Compare these values of reserved positions in cover-images and stego-images. If the same changes exists in all pairs of cover-image and stego-image, then extract the abnoraml byte sequences from each stego-image. • step5: Choose the LCS(longest-common-subsequence)algorithm to extract the common byte sequence from these abnormal byte subsequences as the fingerprints of the steganography tools. Embedding in fixed positions of the image data. This manner is the chosen most by steganography tools which use
of
LSB replacement or LSB matching algorithm. Different from other manners, its steganographic trace cannot be found by decoding the image file into bytes. But it will also leave some fingerprints in the image data, in the process of
ro
embedding message, some unique tags of the steganography tools described in the embedding protocol will also be embedded into the image data. These tags contain the special byte or bit sequences which can be used as fingerprints. In this case, we find that some sequential LSBs(least significant bits) of pixels or DCT coefficients are replaced by
-p
embedding message. So, the possible bit sequences of embedding message can be acquired by extracting the LSBs of the pixels or DCT coefficients from the stego-images. But when in practice, some factors need to be considered,
re
which are the embedding orders and the choice of different channels chosen by steganography tools. The introduction of the embedding orders is described above and the different channels refer to R, G and B channel in the BMP image
rn al P
or Y, U and V channel in the JPEG image. Usually, we can’t learn about them in detail. Thus, in actual operation, we extract all possible bit sequences form stego-images according to different combinations of embedding orders and channels, 60(4 ∗ (C13 + C23 ∗ A22 + C33 ∗ A33 ))cases in total, and then remove error cases. For each case, we find that if the embedding method does not match the case, the corresponding extracted bit sequences will not hold the final common bit subsequence and the value of it will be null. Thus, we can remove the error cases by judging whether the final common bit subsequence exists. Finally, only one case will be left and the corresponding final common bit subsequence can be taken as fingerprints.
Jo u
In the process of extracting common bit subsequence, different from the traditional LCS (longest-commonsubsequence) algorithm, we have made some changes to the algorithm to improve its performance in this case. We find that the extracted bit subsequence is mainly composed of the following parts:fixed tags, embedding information, secret data and the left unused LSBs of pixels or DCT coefficients and their order is fixed. So, we can compare each bit value of two extracted bit subsequences separately to find the common bit subsequence. The modified algorithm used in this case is as follows. Meanwhile, the approach of fingerprint extraction to this case is as follows. • step1: Make enough samples of stego-image by the steganography tool. • step2: For each stego image, extract all possible bit sequences from the LSBs of the pixels in stego-bmp or the DCT coefficients in stego-jpeg according to the 60 different cases. 7
Page 7 of 14
• step3: For each case, iteratively use the modified LCS algorithm to get the common bit subsequence in the extracted bit sequences, until the extracted bit subsequence isn’t change again when you input the new extracted bit sequences from stego-images. • step4: Remove the error cases in which the value of the last common bit subsequence are null and remain the final correct case and take the extracted bit subsequence as fingerprint.
Jo u
rn al P
re
-p
ro
of
Algorithm 1: Modified LCS algorithm which gets the longest common bit subsequence from n bit sequences Input: n bit sequences set such as B1 = ”10100100....1111”, B2 = ”10100100.....0101”, ....., Bn = ”1010011.....0001” Output: the longest common bit subsequence R 1 1 len = strlen(B ); 1 2 Initialize a vector V = B ; 3 for j ← 2 and j ≤ n do 4 for i ← 0 and i ≤ len do 5 get element bi from B j ; 6 get element vi from V; 7 if bi ! = vi then 8 vi = null 9 end 10 end 11 end 12 /*Get the longest common bit subsequence R from the V vetor*/; 13 Initialize a temp vector set T and a vector R; 14 m = 0; 15 for i ← 0 and i ≤ len do 16 get element vi from V; 17 if vi ! = null then 18 push vi into T m ; 19 end 20 get the next element vi+1 from V; 21 if vi+1 == null then 22 m = m + 1; 23 if R.size() ≤ T m .size() then 24 R = Tm ; 25 end 26 end 27 end 28 Return R ;
Embedding in fixed positions behind the image file tail. The information of the image file tail is used to mark the end of the file. In JPEG file, the EOI marker is used to indicate the end of the file. Different from the JPEG file, the BMP file does not have a distinct tail marker. Yet, according to the decoding information of its image file header, we can get the length of the file and find the end position of the file easily. In this case, we can find that many extra byte sequences may be appended behind the end of the stego-images by decoding the image into bytes, which is unable to 8
Page 8 of 14
be discovered through the human eye. Beside this, if more bytes are appended behind the end of the image, the size of the image file will increase and is much larger than the size of normal image file. These two characteristics can be seen as the identification of the file mounting. Meanwhile, similar to the other two cases, the appended byte sequences usually hold the same byte subsequences which can be extracted as fingerprints. This is because the steganography tools embed them into images as the start and end mark of information embedding or other marks for extraction. In light of analysis above, we give a general approach of fingerprint extraction to this case. • step1: Use black box tool to make samples, input the cover-images and other parameters and get the corresponding output stego-images.
of
• step2: Search for the ending position of the image file by identifying the EOI marker in the JPEG image or
ro
calculating the length of the file in the BMP image.
• step3: Observe the ending position of cover-images and stego-images to find out if abnormal bytes exists. If some extra byte sequences exist behind the tail of stego-images, then extract these byte sequences from every
-p
stego-images.
re
• step4: Choose the LCS(longest-common-subsequence)algorithm to extract the common byte subsequence from
4. Experiments
rn al P
these byte sequences as the fingerprints of this steganography tool.
In order to test the effectiveness of the proposed approaches in fingerprint extraction, three typical, widely used
Jo u
steganography tools which match these three cases are analyzed here.
Figure 7: InvisibleSecrets4 tool
Figure 8: InvisibleSecrets4 embedding
9
Page 9 of 14
4.1. InvisibleSecrets4 InvisibleSecrets4 shown in figure8 is a widely used steganography tool, which can be got from the website[15]. It supports multiple embedding cases, multiple carrier formats and multiple encryption algorithms. In this test, we analyze the embedding manner used for JPEG images. In accordance with the previously proposed analysis strategy. We find this embedding manner matches the first case which embeds message in the reserved positions of the image file header. We compare the decoding bytes of cover-image with the decoding bytes of stego-image and find some abnormal bytes in COM marker-segment of the file header. Some extra COM marker-segments appear in the stego-image rather than the cover-image. As we can see
of
from the figure11, the stego-image has added two COM marker-segments and the last COM marker-segment ends with byte ”0xFF”. Then we have done more experiments and found that this phenomenon is common in stego-images, and the common ending byte ”0xFF” always exists. Based on this, the fingerprints of this steganography tool can consist
rn al P
re
-p
ro
of two factors, the stego-image contains two or more COM marker-segments and the common ending byte ”0xFF”.
Jo u
Figure 9: Message Smuggler tool
Figure 10: Message Smuggler embedding
Ending Flag
Figure 11: Compare the cover-image decoding bytes with the stegoimage decoding bytes in InvisibleSecrets4
Figure 12: Compare the cover-image decoding bytes with the stegoimage decoding bytes in Message Smuggler
10
Page 10 of 14
4.2. Message Smuggler Message Smuggler is another steganography tool which can be downloaded from the website[16]. It also supports embedding and extracting operations on multiple format carrier files. We choose the JPEG file as the test carrierobject. The embedding manner for JPEG files matches the third case which embeds message in the area behind the image file tail marker. Some abnormal bytes are found in the area behind the end of the file when decode the stego-images into bytes, like what we can see from the figure12. More experiments indicate that this steganography tool adopts file mount to embed message. Also, the common byte subsequence ”E9 E2 E4 F9 E6 E7 EB D5 F5 EE 8F C4 C6 C9 C5
of
B3 B5 B6 B8 C2 BC AE B0 B2 B4 B6 B8 BA BC BE C0” from the abnormal byte sequences of the stego-images
rn al P
re
-p
ro
has been extracted as the fingerprints based on the proposed approach.
Figure 13: ImageHide tool
4.3. ImageHide
Figure 14: ImageHide embedding
ImageHide[17] is a steganography tool which uses the lsb algorithm to embed message in the image. Usually, it
Jo u
converts an image to a spatial image, and then utilizes the sequential LSBs of image pixels to embed the secret data. So, it matches the second case. Based on the strategy of fingerprint extraction proposed above, we extract all possible LSBs sequences from the stego-images’ pixels and obtain the final ”00000001” bit subsequence as the fingerprints by using the modified LCS algorithm. 4.4. detection of three steganography tools To test the accuracy of fingerprint detection, we prepare 500 cover-images which are downloaded from the Google website and randomly choose some of them to make stego-images with every steganography tool. Then, for every 500 mixed test images, we detect them by fingerprint recognition which is described before. The result is shown in table1. What we can see from this result is that these extracted fingerprints get a high precision in detecting the stego-images. What’s more, the false alarm rate can be reduced to zero. 11
Page 11 of 14
Table 1 Detection of the three steganography tools embedding methods
False Detection Rate
True Positive Rate
False Alarm Rate
InvisibleSecrets4 COM marker extension and ending byte ”FF”
store secret data in reserved position of the image header
0%
100%
0%
Message Smuggler
”E9 E2 E4 F9 ....BA BC BE C0”
file mount behind the end of the file
0%
100%
0%
ImageHide
”00000001”
LSB replacement in sequential LSBs of the pixels
0%
100%
0%
of
fingerprint
ro
steganography tool
-p
5. Conclusion and future work
In this report, three approaches of fingerprint extraction for fixed embedding cases are proposed. Inspired of the test result, the approaches are effective. We think that they can be used as general approaches for fingerprint extraction
re
of steganography tools which embeds message in fixed positions. At the same time, the fingerprint detection shows a higher performance in detecting the stego-images, which is more convincing than the statistic steganalysis. In this
rn al P
report, we only summarize three approaches of fingerprint extraction for the cases of fixed position embedding and hope that this work can bring some help to some researchers in the future. Moreover, more work needs to be done on finding the approaches of fingerprint extraction. These approaches are not applicable to the fingerprint extraction of steganography tools which embed message in random positions. So, this problem will be studied in the future.
References
Jo u
[1] J. Lu, F. Liu, X. Luo, Recognizing f5-like stego images from multi-class JPEG stego images, KSII Transactions on Internet and Information Systems 8 (11) (2014) 4153–4169.
[2] F.Johnson, Steganography software, http://www.jjtc.com/Steganography/tools.html. [3] J. Fridrich, R. Du, M. Long, Staganalysis of LSB encoding in color images, in: IEEE International Conference on Multimedia and Expo, Vol. 3, New York, USA, 2000, pp. 1279–1282. [4] J. Fridrich, M. Goljan, D. Hogea, Attacking the outguess, in: Proceedings of the 2002 ACM Workshop on Multimedia and Security, Juanles-Pins, France, 2002, pp. 1279–1282. [5] R. B¨ohme, A. Westfeld, Breaking cauchy model-based JPEG steganography with first order statistics, in: Proceedings of the 9th European Symposium On Research in Computer Security, Vol. 3193, Sophia Antipolis, France, 2004, pp. 125–140. [6] J. J. Fridrich, M. Goljan, D. Hogea, Steganalysis of JPEG images: Breaking the F5 algorithm, in: Proceedings of the 5th Information Hiding Workshop, Vol. 2578, Noordwijkerhout, The Netherlands, 2002, pp. 310–323. [7] Y. Q. Shi, C. Chen, W. Chen, A markov process based approach to effective attacking JPEG steganography, in: Proceedings of the 8th Information Hiding Workshop, Vol. 4437, Alexandria, VA, USA, 2006, pp. 249–264.
12
Page 12 of 14
[8] T. Pevn´y, J. J. Fridrich, Merging markov and DCT features for multi-class JPEG steganalysis, in: Proceedings of SPIE: Electronic Imaging, Security, Steganography, and Watermarking of Multimedia Contents IX,, Vol. 6505, San Jose, CA, USA, 2007, pp. 3–14. [9] T. Pevn´y, P. Bas, J. J. Fridrich, Steganalysis by subtractive pixel adjacency matrix, IEEE Trans. Information Forensics and Security 5 (2) (2010) 215–224. [10] J. Miano, Compressed image file formats - JPEG, PNG, GIF, XBM, BMP, Addison-Wesley-Longman, 1999. [11] M. Rabbani, R. L. Joshi, An overview of the JPEG 2000 still image compression standard, Signal Processing: Image Communication 17 (1) (2002) 3–48. [12] W. Bender, D. Gruhl, N. Morimoto, A. Lu, Techniques for data hiding, IBM Systems Journal 35 (3/4) (1996) 313–336. [13] X. Li, B. Yang, D. Cheng, T. Zeng, A generalization of LSB matching, IEEE Signal Process. Lett. 16 (2) (2009) 69–72. [14] R. Guang, Analysis and attack of the popular network steganography software, Master’s thesis (2009). [15] East-Tec., Invisiblesecrets4, http://www.invisiblesecrets.com (2014).
of
[16] Keepsecretinpicture, Message smuggler, https://www.softpedia.com/get/Security/Encrypting/Message-Smuggler.shtml (2012).
Jo u
rn al P
re
-p
ro
[17] Dancemammal.Com, Imagehide, https://www.softpedia.com/get/Security/Encrypting/ImageHide.shtml (2017).
13
Page 13 of 14
Title Page Article Title: Approaches to obtaining fingerprints of steganography tools which embed essage in fixed positions
re
-p
ro of
Authors: Pengjie Caoa,b, Xiaolei Hea,b, Xianfeng Zhaoa,b, Jimin Zhanga,b Affiliations: a State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China b School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100093, China Email address: [email protected] (Pengjie Cao) [email protected](Xiaolei He) [email protected] (Xianfeng Zhao) [email protected](Zhangjimin)
Jo ur na
lP
Corresponding author: XianFeng Zhao Email address: [email protected] (Xianfeng Zhao)
Page 14 of 14
PII:
S2665-9107(19)30019-2
DOI:
https://doi.org/doi:10.1016/j.fsir.2019.100019
Reference:
FSIR 100019
To appear in:
Forensic Science International: Reports
Received Date:
20 June 2019
Revised Date:
16 July 2019
Accepted Date:
16 July 2019
Please cite this article as: Pengjie Cao, Xiaolei He, Xianfeng Zhao, Jimin Zhang, Approaches to obtaining fingerprints of steganography tools which embed message in fixed positions, (2019), doi: https://doi.org/10.1016/j.fsir.2019.100019
This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain. © 2019 Published by Elsevier.
Approaches to obtaining fingerprints of steganography tools which embed message in fixed positions I Pengjie Caoa,b , Xiaolei Hea,b , Xianfeng Zhaoa,b , Jimin Zhanga,b a State
Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China b School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100093, China
Abstract
of
Recently, more and more steganography tools are exploited to embed malicious code into images by attackers, which brings harm to society. Thus, it has been a tricky problem, for which needs to detect the stego-images correctly. Sig-
ro
nature detection, an effective method was proposed to solve this problem by identifying the fingerprints of steganography tool that are left in the stego-images. Unfortunately, extracting the fingerprints of steganography tools from the
-p
stego-images is a troublesome job. Few researchers pay attention to it and realize it. In this report, we discuss some approaches to obtaining fingerprints of steganography tools which embed message in fixed positions. Three main
re
cases will be analyzed, including embedding message in the reserved positions of the image file header, embedding message in the sequential LSBs(least significant bits) of the image file data and embedding message in the redundant positions behind the image file tail. For each case, we summarize a general approach of fingerprint extraction and its
rn al P
effectiveness has been confirmed through the test on some typical steganography tools. Keywords: steganography tools, fingerprints, approaches
1. Introduction
Steganography is a covert communication technique to embed message into multimedia files such as digital im-
Jo u
ages, audios and videos, and then transfer the stego-files through public communication channels[1]. On the other hand, steganalysis techniques are used to detect the presence of hidden message in an image. With the development of steganography techniques, the steganalysis techniques also develop rapidly. Based on the steganography techniques, a multitude of steganography tools are designed and appear on Internet. According to the survey, the number of steganography tools has reached more than 1000 so far. You can find most of them on websites[2]. These steganography tools play a very important role in protecting personal privacy. But they may also be used by hackers to create some malicious attacks. Thus, it is indispensable to adopt some strategies to detect these stego-files for security. I This work was supported by NSFC under U1636102, U1736214, 61802393 and 61872356, National Key Technology R&D Program under 2016QY15Z2500, and Project of Beijing Municipal Science & Technology Commission under Z181100002718001 Email addresses: [email protected] (Pengjie Cao), [email protected] (Xianfeng Zhao)
Page 1 of 14
In the past, most researchers adopted some traditional steganalysis algorithms to analyze these stego-files. One uses the corresponding dedicated steganalysis algorithms[3][4][5][6] if they have known the steganography algorithms in advance. The other uses the universal steganalysis algorithms[7][8][9] without knowing the steganography algorithms in detail. All of them have achieved positive results on some data sets. Different from the previous methods, signature technique is another effective way to detect the stego-files and can also significantly decrease the false alarm rate. Many experiments show that some fingerprints of steganography tools will be left in the stego-files in the process of embedding message. This is because some extra fixed bytes for purpose of copyright protection or information extraction may be embedded. Generally, these fixed bytes can be extracted as fingerprints of steganography tools for detection. Yet, how to find it in a stego-file is a very difficult problem. Different embedding cases of steganography
of
tools may need different approaches to extract it.
So, in this report, we discuss three main cases of fixed position embedding, which are: embedding message in
ro
the reserved positions of the image file header, embedding message in the sequential LSBs(least significant bits) of the image file data and embedding message in the redundant positions behind the image file tail. For each case,
-p
based on the analysis, we sum up an effective approach to obtaining fingerprints of steganography tools. The main analytical way is to compare cover-images with stego-images in detail and search for the abnormal data between them.
re
Then, next step is extracting the common byte or bit sequences from abnormal data in stego-images as fingerprints. Beside this, in the process of analysis, there are four key points that should be considered. Firstly, occurring to three embedding cases occur in different parts of the image, we divide the image file into three parts: image file header,
rn al P
image file data and image file tail to analyze. Secondly, the BMP-image and JPEG-image are chosen as the main discussional file-object because these two image formats are the used most by steganography tools. Thirdly, we choose the black box as an analytical tool to find the differences between cover-images and stego-images. The black box is an efficient tool, for you only focus on the input and output of the steganography tool, without understanding the code of it. Fourthly, we use LCS(longest-common-subsequence)algorithm to extract the common byte or bit sequences as fingerprints from the stego-images. In the end, some experiments have been done on some widely used
Jo u
steganography tools to verify the effectiveness of each approach. All results show that the proposed approaches can match the fingerprint extraction of steganography tools which embeds message in fixed positions. The structure of this report is as follows. Section 2 introduces some related background knowledge. Section 3 presents analysis of three cases and gives a general approach of fingerprint extraction for each case. The performance of the approaches will be measured and evaluated in the section 4. We conclude the report in Section 5, where we present some final thoughts, insights and discuss future avenues of work.
2. Related background knowledge In this section, we introduce some background knowledge which will be referred in the following analysis. The details are as follows. 2
Page 2 of 14
JPEG STRUCTURE
BMP STRUCTURE
biSize
bfType
RESn
SOF0
COM
DHF
TEM
biClrUsed
Image File Tail
biXPelsPerMeter
DQT
JPGn Image Data
DC Table
AC Table
biClrImportant
of
bfOffBits
biCompression
APP0
SOS Reserved Marker
biYPelsPerMeter
Fundamental Marker
biSizeImage
biPlanes Image Data
bfReserved2
biBitCount
Color Palette
File Header
bfReserved1
File Information Header
bfSize
biHeight
APPn
SOI
biWidth
Image File Header
Figure 2: JPEG Structure Description
ro
Figure 1: BMP Structure Description
-p
BMP file structure. The BMP image[10] is called Bitmap image file or DIB file format and is a raster graphics image file format used to store bitmap digital images. It is widely used on Microsoft Windows operating systems. As shown in figure1, its file structure mainly consists of four parts: file header, file information header, color palette,
re
and image data. The file header describes the format and the size information of the file. The file information header shows some basic information of image such as size, bit planes, compression method, and color index. Color palette
rn al P
stores a mapping table of the index and its corresponding color values. The last part is occupied by image pixels. Survey shows that the bfReserved1 marker and bfReserved2 marker in the file header, the LSBs of image pixels and the area behind the file tail may generate some redundant positions for embedding. JPEG file structure. The JPEG image[11] is the most widely used image format because of its high performance. Even though it occupies very few bytes, it does show the image clearly. Different from the structure of the BMP file, the JPEG file is composed of marker code and compressed data. The main structure of the JPEG file is shown
Jo u
in figure2. According to the order of marker-segments stored in the image, we split the JPEG file into three parts: image file header, image data, and image file tail. The image file header contains fundamental marker-segments, such as SOI(Start of Image), DQT(Difine Quantization Table), SOF0(Start of Frame), DHF(Difine Huffman Table) and other reserved marker-segments, such as APPn(Application-specific), JPGn(Reserved for JPEG extensions), RESn(Reserved), COM(Comment), TEM(For temporary use in arithmetic coding). Next, the image data stores the compressed data called DCT coefficients, not pixels. The last part is a marker which describes the end of the file. Different from the BMP image, redundant positions appear in the reserved marker-segments of the image file header, the LSBs of the DCT coefficients and the area behind the tail marker of the image. LSB replacement and matching. LSB replacement[12] and LSB matching[13] are two basic types of steganography algorithms which are used widely by most steganography tools, for they are easy to implement, safe and efficient. 3
Page 3 of 14
message:010
Least significant bit replacement 1 01 1 1 11
1 01 1 1 10
96
1 10 0 0 00
1 10 0 0 01
93
1 01 1 1 01
1 01 1 1 00
…
…
…
of
95
ro
Figure 3: LSB replacement Description
LSB replacement replaces the carrier’s least significant bits with message bits directly. As shown in figure3, the least
-p
significant bits of pixel set(95, 96, 93) are replaced by message’s bit set(0, 1, 0). The steganography tools can securely embed secret data without being discovered by this simple modification. LSB matching is a modified edition of LSB
re
replacement. In the process of information embedding, if the value of carrier’s lsb matches the message bit, the value will remain unchanged, or it will be added or subtracted by 1 at random. Because of this, the LSB matching is more
rn al P
difficult to detect than LSB replacement. The information extraction of them is done in the same way by extracting the LSBs of pixels or DCT coefficients. So, if we have known that the steganography algorithm is LSB replacement or LSB matching in advance, we can briefly extract relevant embedding information bits. Software version
Software tag
0
..
..
1
Jo u
STEGHIDE
File Name
1
..
..
encryption information
File Length
1
0
..
1
1
..
Secret message
1
…
End tag
1
0
1
Cover lsb bits
Figure 4: General embedding protocol
Embedding protocol. Each steganography tool has its own embedding protocol. As shown in Figure4, most of them may have the common structure, contain these elements: software tag, software version, file name, file length, encryption information, secret data, ending tag. The information of software tag and software version is mainly used for copyright protection and the information of other elements is used for extraction. We notice that each stego-image 4
Page 4 of 14
will contain the same information of software tag and software version, if they have been embedded information with the same steganography tool. So, it creates the possibility to identify the authenticity of these image files by matching these common information. These common information can be extracted to form a fingerprint set for detection. Embedding order. Different steganography tools usually provide different choices of embedding order for users. The main four orders are shown in figure5. The first order starts from the top left corner, from left to right and then from top to bottom; The second order starts from the top left corner, from top to bottom and then from left to right; The third order starts from the bottom left corner, from left to right and then from bottom to top; The fourth order starts from the bottom left corner, from bottom to top and then from left to right. For the convenience of analysis and
of
description, we have described it as an embedding order set O{a, b, c, d}. According to different embedding orders,
-p
ro
we can extract all possible LSBs of pixels or DCT coefficients to find fingerprints .
b
c
d
re
a
rn al P
Figure 5: General embedding protocol
Black box test for analysis. Black box test is one type test model which is used to check whether the software interfaces and software functions meet the requirements. When using this model, you don’t need to understand the coding of the software, but only need to focus on the values of software’s input and output. Based on this feature, without having more information about the steganography tools, we can easily compare the difference between the
Jo u
decoding bytes of cover-image and stego-image to find some embedd traces. black box test
cover image
parameters
INPUT
Steganography Code
OUTPUT
stego image
Figure 6: Block box test
5
Page 5 of 14
3. Analysis of three cases of fixed position embedding According to the surveys, a multitude of steganography tools usually adopt these three fixed position embedding manners. The first manner happens in the header of the image file, using the reserved positions to store secret data. The second manner occurs at the end of the image file, using file mounting to hide information. Both manners are simple and easy to implement, but less secure. The third manner is to use LSB replacement or LSB matching algorithm to embed secret data into the sequential LSBs of image pixels or DCT coefficients. This manner is chosen by most steganography tools because of its higher security and capacity embedding. These three manners hold the same characteristics that all the steganography tools will choose the redundant positions of the image file to hide
of
information. This is because the changes in these positions can’t be perceived by the human vision. So, it is obvious that analysis of these fixed redundant positions becomes the first choice for the task. Meanwhile, because these three
ro
cases of fixed position embedding happen in the different parts of the image file, we divide the image file into three parts:image file header, image data and image file tail to analyze and separately adopt different analytical strategies.
-p
Embedding in fixed positions of the image file header. The information of the image file header mainly describes properties(such as width, height, resolution, palette, etc.) of the image. We find that some of them may be changed
re
by steganography tools in this case. For example, the length of the file header of a BMP image will be increased if the image is embedded by Imagehide[14]; The resolution of a BMP image will be changed if the image is embedded
rn al P
by BMPSecret[14]. However, these changes may happen if the image is processed by other image processing tools. These phenomena are not unique, which are only produced by steganography tools. As a result, we can’t extract definite fingerprints from these modified values in stego-images. Fortunately, beside this, we find that some reserved positions can also be changed. Some extra marker-segments appear in the image file header of stego-images and many special byte sequences are contained in it. Yet, it does not happen when the image is processed by other image processing tools. So, these extra marker-segments can be seen as abnormal data which are brought by steganography tools, and there may be some common byte subsequences in these abnormal byte sequences extracted from different
Jo u
stego-images because of using the same embedding protocol. Thus, these common byte subsequences can be extracted as fingerprints. In actual operation, there is a difference between the BMP-image and JPEG-image. Most cases may choose the JPEG image as the operation object, because the JPEG image remain more reserved positions than BMP image, where we can see from the background knowledge of the BMP file and JPEG file structure. Therefore, we should pay more attention to the image file header when we meet the JPEG stego-files. Based on the analysis of this case, we give a general approach of fingerprint extraction as follows. • step1: Use black box tool to make samples, input the cover-images and other parameters and get the corresponding output stego-images. • step2: Decode the header of the cover images and stego-images according to the respective image structure.
6
Page 6 of 14
• step3: If the image is BMP file, then get values of the bfReserved1 and the bfReserved2 marker. Or if the image is JPEG file, get values of the reserved marker-segments: APPn, JPGn, RESn, COM, TEM. • step4: Compare these values of reserved positions in cover-images and stego-images. If the same changes exists in all pairs of cover-image and stego-image, then extract the abnoraml byte sequences from each stego-image. • step5: Choose the LCS(longest-common-subsequence)algorithm to extract the common byte sequence from these abnormal byte subsequences as the fingerprints of the steganography tools. Embedding in fixed positions of the image data. This manner is the chosen most by steganography tools which use
of
LSB replacement or LSB matching algorithm. Different from other manners, its steganographic trace cannot be found by decoding the image file into bytes. But it will also leave some fingerprints in the image data, in the process of
ro
embedding message, some unique tags of the steganography tools described in the embedding protocol will also be embedded into the image data. These tags contain the special byte or bit sequences which can be used as fingerprints. In this case, we find that some sequential LSBs(least significant bits) of pixels or DCT coefficients are replaced by
-p
embedding message. So, the possible bit sequences of embedding message can be acquired by extracting the LSBs of the pixels or DCT coefficients from the stego-images. But when in practice, some factors need to be considered,
re
which are the embedding orders and the choice of different channels chosen by steganography tools. The introduction of the embedding orders is described above and the different channels refer to R, G and B channel in the BMP image
rn al P
or Y, U and V channel in the JPEG image. Usually, we can’t learn about them in detail. Thus, in actual operation, we extract all possible bit sequences form stego-images according to different combinations of embedding orders and channels, 60(4 ∗ (C13 + C23 ∗ A22 + C33 ∗ A33 ))cases in total, and then remove error cases. For each case, we find that if the embedding method does not match the case, the corresponding extracted bit sequences will not hold the final common bit subsequence and the value of it will be null. Thus, we can remove the error cases by judging whether the final common bit subsequence exists. Finally, only one case will be left and the corresponding final common bit subsequence can be taken as fingerprints.
Jo u
In the process of extracting common bit subsequence, different from the traditional LCS (longest-commonsubsequence) algorithm, we have made some changes to the algorithm to improve its performance in this case. We find that the extracted bit subsequence is mainly composed of the following parts:fixed tags, embedding information, secret data and the left unused LSBs of pixels or DCT coefficients and their order is fixed. So, we can compare each bit value of two extracted bit subsequences separately to find the common bit subsequence. The modified algorithm used in this case is as follows. Meanwhile, the approach of fingerprint extraction to this case is as follows. • step1: Make enough samples of stego-image by the steganography tool. • step2: For each stego image, extract all possible bit sequences from the LSBs of the pixels in stego-bmp or the DCT coefficients in stego-jpeg according to the 60 different cases. 7
Page 7 of 14
• step3: For each case, iteratively use the modified LCS algorithm to get the common bit subsequence in the extracted bit sequences, until the extracted bit subsequence isn’t change again when you input the new extracted bit sequences from stego-images. • step4: Remove the error cases in which the value of the last common bit subsequence are null and remain the final correct case and take the extracted bit subsequence as fingerprint.
Jo u
rn al P
re
-p
ro
of
Algorithm 1: Modified LCS algorithm which gets the longest common bit subsequence from n bit sequences Input: n bit sequences set such as B1 = ”10100100....1111”, B2 = ”10100100.....0101”, ....., Bn = ”1010011.....0001” Output: the longest common bit subsequence R 1 1 len = strlen(B ); 1 2 Initialize a vector V = B ; 3 for j ← 2 and j ≤ n do 4 for i ← 0 and i ≤ len do 5 get element bi from B j ; 6 get element vi from V; 7 if bi ! = vi then 8 vi = null 9 end 10 end 11 end 12 /*Get the longest common bit subsequence R from the V vetor*/; 13 Initialize a temp vector set T and a vector R; 14 m = 0; 15 for i ← 0 and i ≤ len do 16 get element vi from V; 17 if vi ! = null then 18 push vi into T m ; 19 end 20 get the next element vi+1 from V; 21 if vi+1 == null then 22 m = m + 1; 23 if R.size() ≤ T m .size() then 24 R = Tm ; 25 end 26 end 27 end 28 Return R ;
Embedding in fixed positions behind the image file tail. The information of the image file tail is used to mark the end of the file. In JPEG file, the EOI marker is used to indicate the end of the file. Different from the JPEG file, the BMP file does not have a distinct tail marker. Yet, according to the decoding information of its image file header, we can get the length of the file and find the end position of the file easily. In this case, we can find that many extra byte sequences may be appended behind the end of the stego-images by decoding the image into bytes, which is unable to 8
Page 8 of 14
be discovered through the human eye. Beside this, if more bytes are appended behind the end of the image, the size of the image file will increase and is much larger than the size of normal image file. These two characteristics can be seen as the identification of the file mounting. Meanwhile, similar to the other two cases, the appended byte sequences usually hold the same byte subsequences which can be extracted as fingerprints. This is because the steganography tools embed them into images as the start and end mark of information embedding or other marks for extraction. In light of analysis above, we give a general approach of fingerprint extraction to this case. • step1: Use black box tool to make samples, input the cover-images and other parameters and get the corresponding output stego-images.
of
• step2: Search for the ending position of the image file by identifying the EOI marker in the JPEG image or
ro
calculating the length of the file in the BMP image.
• step3: Observe the ending position of cover-images and stego-images to find out if abnormal bytes exists. If some extra byte sequences exist behind the tail of stego-images, then extract these byte sequences from every
-p
stego-images.
re
• step4: Choose the LCS(longest-common-subsequence)algorithm to extract the common byte subsequence from
4. Experiments
rn al P
these byte sequences as the fingerprints of this steganography tool.
In order to test the effectiveness of the proposed approaches in fingerprint extraction, three typical, widely used
Jo u
steganography tools which match these three cases are analyzed here.
Figure 7: InvisibleSecrets4 tool
Figure 8: InvisibleSecrets4 embedding
9
Page 9 of 14
4.1. InvisibleSecrets4 InvisibleSecrets4 shown in figure8 is a widely used steganography tool, which can be got from the website[15]. It supports multiple embedding cases, multiple carrier formats and multiple encryption algorithms. In this test, we analyze the embedding manner used for JPEG images. In accordance with the previously proposed analysis strategy. We find this embedding manner matches the first case which embeds message in the reserved positions of the image file header. We compare the decoding bytes of cover-image with the decoding bytes of stego-image and find some abnormal bytes in COM marker-segment of the file header. Some extra COM marker-segments appear in the stego-image rather than the cover-image. As we can see
of
from the figure11, the stego-image has added two COM marker-segments and the last COM marker-segment ends with byte ”0xFF”. Then we have done more experiments and found that this phenomenon is common in stego-images, and the common ending byte ”0xFF” always exists. Based on this, the fingerprints of this steganography tool can consist
rn al P
re
-p
ro
of two factors, the stego-image contains two or more COM marker-segments and the common ending byte ”0xFF”.
Jo u
Figure 9: Message Smuggler tool
Figure 10: Message Smuggler embedding
Ending Flag
Figure 11: Compare the cover-image decoding bytes with the stegoimage decoding bytes in InvisibleSecrets4
Figure 12: Compare the cover-image decoding bytes with the stegoimage decoding bytes in Message Smuggler
10
Page 10 of 14
4.2. Message Smuggler Message Smuggler is another steganography tool which can be downloaded from the website[16]. It also supports embedding and extracting operations on multiple format carrier files. We choose the JPEG file as the test carrierobject. The embedding manner for JPEG files matches the third case which embeds message in the area behind the image file tail marker. Some abnormal bytes are found in the area behind the end of the file when decode the stego-images into bytes, like what we can see from the figure12. More experiments indicate that this steganography tool adopts file mount to embed message. Also, the common byte subsequence ”E9 E2 E4 F9 E6 E7 EB D5 F5 EE 8F C4 C6 C9 C5
of
B3 B5 B6 B8 C2 BC AE B0 B2 B4 B6 B8 BA BC BE C0” from the abnormal byte sequences of the stego-images
rn al P
re
-p
ro
has been extracted as the fingerprints based on the proposed approach.
Figure 13: ImageHide tool
4.3. ImageHide
Figure 14: ImageHide embedding
ImageHide[17] is a steganography tool which uses the lsb algorithm to embed message in the image. Usually, it
Jo u
converts an image to a spatial image, and then utilizes the sequential LSBs of image pixels to embed the secret data. So, it matches the second case. Based on the strategy of fingerprint extraction proposed above, we extract all possible LSBs sequences from the stego-images’ pixels and obtain the final ”00000001” bit subsequence as the fingerprints by using the modified LCS algorithm. 4.4. detection of three steganography tools To test the accuracy of fingerprint detection, we prepare 500 cover-images which are downloaded from the Google website and randomly choose some of them to make stego-images with every steganography tool. Then, for every 500 mixed test images, we detect them by fingerprint recognition which is described before. The result is shown in table1. What we can see from this result is that these extracted fingerprints get a high precision in detecting the stego-images. What’s more, the false alarm rate can be reduced to zero. 11
Page 11 of 14
Table 1 Detection of the three steganography tools embedding methods
False Detection Rate
True Positive Rate
False Alarm Rate
InvisibleSecrets4 COM marker extension and ending byte ”FF”
store secret data in reserved position of the image header
0%
100%
0%
Message Smuggler
”E9 E2 E4 F9 ....BA BC BE C0”
file mount behind the end of the file
0%
100%
0%
ImageHide
”00000001”
LSB replacement in sequential LSBs of the pixels
0%
100%
0%
of
fingerprint
ro
steganography tool
-p
5. Conclusion and future work
In this report, three approaches of fingerprint extraction for fixed embedding cases are proposed. Inspired of the test result, the approaches are effective. We think that they can be used as general approaches for fingerprint extraction
re
of steganography tools which embeds message in fixed positions. At the same time, the fingerprint detection shows a higher performance in detecting the stego-images, which is more convincing than the statistic steganalysis. In this
rn al P
report, we only summarize three approaches of fingerprint extraction for the cases of fixed position embedding and hope that this work can bring some help to some researchers in the future. Moreover, more work needs to be done on finding the approaches of fingerprint extraction. These approaches are not applicable to the fingerprint extraction of steganography tools which embed message in random positions. So, this problem will be studied in the future.
References
Jo u
[1] J. Lu, F. Liu, X. Luo, Recognizing f5-like stego images from multi-class JPEG stego images, KSII Transactions on Internet and Information Systems 8 (11) (2014) 4153–4169.
[2] F.Johnson, Steganography software, http://www.jjtc.com/Steganography/tools.html. [3] J. Fridrich, R. Du, M. Long, Staganalysis of LSB encoding in color images, in: IEEE International Conference on Multimedia and Expo, Vol. 3, New York, USA, 2000, pp. 1279–1282. [4] J. Fridrich, M. Goljan, D. Hogea, Attacking the outguess, in: Proceedings of the 2002 ACM Workshop on Multimedia and Security, Juanles-Pins, France, 2002, pp. 1279–1282. [5] R. B¨ohme, A. Westfeld, Breaking cauchy model-based JPEG steganography with first order statistics, in: Proceedings of the 9th European Symposium On Research in Computer Security, Vol. 3193, Sophia Antipolis, France, 2004, pp. 125–140. [6] J. J. Fridrich, M. Goljan, D. Hogea, Steganalysis of JPEG images: Breaking the F5 algorithm, in: Proceedings of the 5th Information Hiding Workshop, Vol. 2578, Noordwijkerhout, The Netherlands, 2002, pp. 310–323. [7] Y. Q. Shi, C. Chen, W. Chen, A markov process based approach to effective attacking JPEG steganography, in: Proceedings of the 8th Information Hiding Workshop, Vol. 4437, Alexandria, VA, USA, 2006, pp. 249–264.
12
Page 12 of 14
[8] T. Pevn´y, J. J. Fridrich, Merging markov and DCT features for multi-class JPEG steganalysis, in: Proceedings of SPIE: Electronic Imaging, Security, Steganography, and Watermarking of Multimedia Contents IX,, Vol. 6505, San Jose, CA, USA, 2007, pp. 3–14. [9] T. Pevn´y, P. Bas, J. J. Fridrich, Steganalysis by subtractive pixel adjacency matrix, IEEE Trans. Information Forensics and Security 5 (2) (2010) 215–224. [10] J. Miano, Compressed image file formats - JPEG, PNG, GIF, XBM, BMP, Addison-Wesley-Longman, 1999. [11] M. Rabbani, R. L. Joshi, An overview of the JPEG 2000 still image compression standard, Signal Processing: Image Communication 17 (1) (2002) 3–48. [12] W. Bender, D. Gruhl, N. Morimoto, A. Lu, Techniques for data hiding, IBM Systems Journal 35 (3/4) (1996) 313–336. [13] X. Li, B. Yang, D. Cheng, T. Zeng, A generalization of LSB matching, IEEE Signal Process. Lett. 16 (2) (2009) 69–72. [14] R. Guang, Analysis and attack of the popular network steganography software, Master’s thesis (2009). [15] East-Tec., Invisiblesecrets4, http://www.invisiblesecrets.com (2014).
of
[16] Keepsecretinpicture, Message smuggler, https://www.softpedia.com/get/Security/Encrypting/Message-Smuggler.shtml (2012).
Jo u
rn al P
re
-p
ro
[17] Dancemammal.Com, Imagehide, https://www.softpedia.com/get/Security/Encrypting/ImageHide.shtml (2017).
13
Page 13 of 14
Title Page Article Title: Approaches to obtaining fingerprints of steganography tools which embed essage in fixed positions
re
-p
ro of
Authors: Pengjie Caoa,b, Xiaolei Hea,b, Xianfeng Zhaoa,b, Jimin Zhanga,b Affiliations: a State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China b School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100093, China Email address: [email protected] (Pengjie Cao) [email protected](Xiaolei He) [email protected] (Xianfeng Zhao) [email protected](Zhangjimin)
Jo ur na
lP
Corresponding author: XianFeng Zhao Email address: [email protected] (Xianfeng Zhao)
Page 14 of 14