Information hiding is a research domain that covers a wide spectrum of methods used to make (secret) data difficult to notice. Due to improvements in network defenses, such techniques have recently been gaining increasing attention from actors such as cybercriminals, terrorists and state-sponsored groups, because they allow data to be stored or communication to be concealed in a way that is not easily discoverable. Information-hiding techniques are used to hide confidential or illegal data in innocent-looking material, for example digital pictures.
Steganography is a well-known subfield of information hiding whose aim is
to cloak secret data in a suitable carrier. The use of covert techniques grew
significantly during the two World Wars, in which the military developed
several methods to hide information in innocent-looking objects.
Modern information-hiding techniques can be divided based on their
application into two broad groups: covert data storage and covert data
communication.
Covert data storage allows the application of data-hiding techniques to
conceal secret information in such a way that no one besides the involved
persons will know where the information is stored or how to extract it. Digital
media steganography and file/file system/mass storage steganography are the
most prominent classes belonging to this group.
Covert data communication methods focus on hiding the fact that any
communication process took place and were initially
described as channels that were not foreseen for communication. This means that
involved parties can participate in a covert communication and, in principle, a
third-party observer would be unaware of it. The most important classes
belonging to this group include out-of-band covert channels, network
steganography (also known as network covert channels), as well as local covert
channels (that are limited in communication range to the single device).
Digital media steganography incorporates techniques to hide information
within digital images, audio files, and digital videos.
Network steganography deals with the concealment of information within
network transmissions. This means that network data that appears to be innocent
is actually carrying hidden data.
Steganalysis is the technology that attempts to defeat steganography by
detecting the hidden information and extracting or destroying it.
Detecting hidden information
Steganography tools can create stego-images in which the change or
distortion in the carrier is not obvious to the human eye. However, this
distortion, when detected, can point to the tools used for steganography.
Let us look at a few examples:
- Images: A lot of image steganography tools use least significant bit (LSB)
modification to hide information. In low-resolution images with 8-bit
color, modifying the LSB can cause a noticeable shift in the color
palette, making it possible to detect hidden content. Another sign of the
presence of hidden information is padding or cropping of an image. The
Hide-and-Seek tool can only produce images of fixed sizes. If an image
does not fit into one of these sizes, it is cropped or padded with black
spaces. StegoDos has a similar problem.
- Disks: Unused areas on a disk can be used to hide information. Tools like
EnCase and ILook Investigator look for hidden information in unused
clusters or partitions in storage devices.
- TCP/IP Packets: TCP/IP packets have unused space in the packet headers.
The TCP packet header has six reserved or unused bits, and the IP packet
header has two reserved bits. Information can be hidden in these unused
bits. Thousands of packets are transmitted with each communication
channel, which provides an excellent way to communicate secretly. Filters
can be applied, on firewalls for example, to detect TCP/IP packets that
contain hidden information in places supposed to be unused.
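The kind of filter described in the TCP/IP item, as an added example (not code from the original post): it parses a raw IPv4/TCP packet and reports reserved header bits that are set. It assumes the bits to check are the ones still reserved in the current specifications: the reserved bit of the IPv4 flags field (RFC 791) and the four reserved TCP bits (RFC 9293), since two of the six bits reserved in the original TCP layout were later assigned to ECN. The sample packets are constructed for the example.

```python
import struct

# Masks follow RFC 791 (IPv4) and RFC 9293 (TCP). Two of the six bits that
# RFC 793 left reserved were later assigned to ECN (CWR, ECE), so only four
# TCP bits are still required to be zero. Which bits to check is an assumption.
IP_RESERVED_FLAG = 0x8000   # top bit of the 16-bit flags/fragment-offset word
TCP_RESERVED_MASK = 0x0F    # low nibble of TCP header byte 12


def check_packet(pkt: bytes) -> list:
    """Return findings for reserved header bits set in a raw IPv4/TCP packet."""
    findings = []
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not a complete IPv4 header"]
    ihl = (pkt[0] & 0x0F) * 4               # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return ["invalid IPv4 header length"]
    (flags_frag,) = struct.unpack_from("!H", pkt, 6)
    if flags_frag & IP_RESERVED_FLAG:
        findings.append("IPv4 reserved flag bit set")
    # Only the first fragment of a TCP datagram carries the TCP header.
    if pkt[9] != 6 or (flags_frag & 0x1FFF) != 0:
        return findings
    if len(pkt) < ihl + 20:
        findings.append("truncated TCP header")
        return findings
    reserved = pkt[ihl + 12] & TCP_RESERVED_MASK
    if reserved:
        findings.append(f"TCP reserved bits set: {reserved:04b}")
    return findings


def build_packet(ip_flags_frag: int, tcp_byte12: int) -> bytes:
    """Constructed sample: 20-byte IPv4 + 20-byte TCP header, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, ip_flags_frag, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, tcp_byte12, 0x02,
                      65535, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    samples = {
        "clean SYN": build_packet(0x4000, 0x50),
        "TCP reserved bits": build_packet(0x4000, 0x5A),
        "IP reserved flag": build_packet(0x8000, 0x50),
    }
    for name, pkt in samples.items():
        print(f"{name:18} -> {check_packet(pkt) or 'ok'}")
```

A non-empty result only says that a field required to be zero is not; whether that is a covert channel or a faulty network stack still has to be established from the traffic.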
Steganalysis methods
There are various methods of analysis, depending on what information is
available:
- Stego-only attack: Only the stego-object is available for analysis.
- Known cover attack: The stego-object as well as the original medium is
available. The stego-object is compared with the original cover object to
detect any hidden information.
- Known message attack: The hidden message and the corresponding
stego-image are known. The analysis of patterns that correspond to the
hidden information could help decipher such messages in future.
- Known stego attack: The steganography algorithm is known and both the
original and stego-object are available.
- Chosen stego attack: The steganography algorithm and stego-object are
known.
- Chosen message attack: The steganalyst generates a stego-object from a
chosen message using some steganography tool or algorithm. The goal in
this attack is to determine patterns in the stego-object that may point to
the use of specific steganography tools or algorithms.