Risk with Steganography and Importance of running Steganalysis with Network Systems

Steganography… what is that?

When people think about Information Security, the first word that generally comes to mind is “Hacking”, but there are many disciplines in security and one of them is called “Steganography”, an offshoot of encryption and “data hiding”.

The word “steganography” can be divided in two parts: stegano + graphy. “Stegano” comes from the Greek word “steganos”, meaning “covered”, and “graphy” comes from the Greek word “graphein”, meaning “writing”. Thus, steganography literally means “covered writing”.

Steganography is an ancient art of covering messages in a secret way such that only the sender and receiver know the presence of the message. This allows one party to communicate with another party without a third party being aware that communication is occurring. Usually, the data is concealed inside an innocuous cover so that even if a third party discovers the cover, there are no suspicions about the data hiding inside the cover. If the hidden data is detected by a third party, the steganography technique fails.

Steganography and cryptography are cousins in the spy craft family. However, cryptographic and steganographic techniques differ from each other. In cryptography, the original message is scrambled (i.e. its original structure is changed in order to make it meaningless). Thus, when an attacker discovers the message, it is still difficult for him to get the original message back. Cryptography does not try to hide the message. In steganography, the message is secretly hidden inside a digital file, so nothing arouses the attacker’s suspicion. Steganography does not attempt to scramble the original message, but the intent is the same as in cryptography: to protect the original message. Steganography is sometimes combined with cryptography for added protection.

There is something really important about steganography: There must not be any easily perceived change in the file that is hiding the message.

Basic Steganographic Model

A basic steganographic model is shown in Figure 1. First we need to understand the three blocks on the left of the figure:

  • Cover File, ‘X’: This is the file that we will use for hiding the information.
  • Message, ‘M’: This is the secret information that we want to hide into ‘X’.
  • Stego-Key, ‘K’: Some steganographic methods need to use specific keys, or data, for hiding and recovering ‘M’ from ‘X’.

Once we have this information, we can apply the steganographic method, ‘f(X,M,K)’. The output after applying the method is called “Stego-File”, denoted with ‘Z’.

For recovering the message, we will apply the inverse process using the same Stego-Key used for hiding the message. It is important to mention that the Cover File is not important after obtaining the secret message, so it does not matter if we cannot recover the data we modified for embedding the Message.

Figure 1. Basic Steganographic Model

LSB Method

The Least Significant Bit (LSB) method is a really common and famous steganographic method in which the secret information is hidden in the least significant bits of the image.

There are 2 different LSB steganographic methods: LSB Replacement and LSB Matching.

In LSB Replacement, all we need to do is replace the least significant bit with one bit of the secret message we want to hide. It is really easy to detect if this method has been used because the algorithm complexity is almost null. In LSB Matching, we also modify the LSB with one of the bits of the secret message, but the method uses probabilistic and statistical operations to spread the hidden information across the entire cover file without modifying all the bits that contain part of the secret message.

Characteristics of Steganographic Techniques

In steganography, hiding a message inside the cover–media involves the following features.

  • Hiding Capacity: This feature deals with the amount of information that can be hidden inside the cover file. A larger hiding capacity allows use of a small cover and thus reduces the bandwidth required to transmit the stego–media. For example, an RGB image of 200 x 200 pixels gives us 120,000 color values to use as cover values for the secret message (200 width x 200 height x 3 channels: R, G, B). If we use only one bit per color channel for hiding the message, we have a hiding capacity of 120,000 bits or 15,000 bytes. If we use 2 bits per color channel, we have 30,000 bytes. If we use only one color channel and one bit per pixel, the hiding capacity is 40,000 bits or 5,000 bytes.
  • Perceptual Transparency: Perceptual transparency is an important feature of steganography. Each cover–media has a certain information hiding capacity. If more information or data is hidden inside the cover, the cover–media degrades. As a result, the stego–media and cover–media will appear to be different. If the attacker notices this distortion, then our steganographic technique fails and there is the possibility that our original message can be extracted or damaged by the attacker. Figure 2 illustrates the Perceptual Transparency concept: it is almost impossible to detect any difference between Figure 2.a and Figure 2.b only by looking at them.
Figure 2. a) Image without any modification. b) Image after using steganography.
  • Robustness: Robustness is the ability of the hidden message to remain undamaged even if the stego–media undergoes transformation, sharpening, linear and non-linear filtering, scaling and blurring, cropping and various other techniques.
  • Tamper–resistance: Of all the features, this feature is very important. This is because, if the attacker is successful in destroying the steganographic technique then the tamper–resistance property makes it difficult for the attacker or pirates to alter or damage the original data.

In the end, any application of strong steganography must ensure that the above features are satisfied, in other words they must ensure better perceptual transparency, robustness and tamper–resistance so that the integrity of the original work is maintained.

Steganalysis, the Counterpart of Steganography

I discussed the art of embedding secret messages in any file so that only the sender and the receiver know about the presence of that message. This is called steganography. In this post I will write about the information security discipline that tries to discover this kind of messages.

Steganalysis is the counterpart of steganography and it is defined as the art or science of discovering hidden data in cover objects. The people who work in this discipline are called steganalysts.

Many different steganalysis techniques have appeared recently, but they can generally be grouped into 3 branches:

  1. “Chi-square” Methods: The chi-square attack is a statistical test to measure if a given set of observed data and an expected set of data are similar or not. The original version of this attack could detect sequentially embedded messages and was later generalized to randomly scattered messages.
  2. Distinguishing Statistic Methods: In this approach, the steganalyst first carefully inspects the embedding algorithm and then identifies a quantity (the distinguishing statistics) that changes predictably with the length of the embedded message. The detection philosophy is not limited to any specific type of the embedding operation and works for randomly scattered messages as well. One disadvantage of this approach is that the detection needs to be customized to each embedding paradigm and the design of proper distinguishing statistics cannot be easily automatized.
  3. Blind Classifier Methods: First, a blind detector needs to learn what a typical, unmodified image looks like from multiple perspectives. Then, a classifier is trained to learn the differences between an unmodified image and a stegoimage (an image that has been modified). This methodology combined with a powerful classifier gives very impressive results.

It is really important to mention that the job of a steganalyst is to detect if there is a secret message hidden in a digital file. It is not their job to recover the secret message.

There are many different methods for detecting if an image has been modified. One of the easiest relies on the idea that cameras do not use all the different colors found in nature. Cameras approximate some of the colors to a nearby color so they don’t need to manage a large number of different values in the color palette. For example, let’s assume that we have a grey-scale image with grey intensities from 0 to 255; it is easier to use only half of those values by rounding the odd values to the next even number.

Figure 1 shows the histogram for an image using this value compression method. An image histogram is a graphical representation of the number of pixels in an image as a function of their intensity. You can notice that there are values which never appear in the image; those are the ones that are rounded to another value to keep the color palette smaller.

Figure 1. Image histogram from a camera image.

Figure 2 shows the histogram for the same image after hiding a message. We can see that there are now more distinct values in the color palette. This happens because when we use an LSB steganographic method, we modify the last bit of every pixel, so the values that were not used in the original color palette appear in the histogram of the modified image.

Figure 2. Image histogram from a camera image after embedding a secret message

So, we can know if this kind of image has been modified simply by checking the histograms. While this has been just a brief introduction to steganalysis, it is a very deep and fascinating discipline.
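
The histogram check described above and the pairs-of-values form of the chi-square test from branch 1, as an added example that is not part of the original post. The synthetic 200 x 200 grey-scale image, the random payload and all function names are constructed for illustration.

```python
import random
from collections import Counter

def make_cover(n_pixels=200 * 200, seed=7):
    """Constructed grey-scale 'camera' image: odd levels rounded to the next even one."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(n_pixels):
        v = max(0, min(254, int(rng.gauss(128, 40))))
        pixels.append(v + (v & 1))  # 0..254, even levels only
    return pixels

def embed_lsb_replacement(pixels, bits):
    """Sequential LSB replacement: pixel i carries message bit i."""
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | bit
    return stego

def populated_odd_levels(pixels):
    """Histogram check: number of odd grey levels that occur at all."""
    return sum(1 for level in Counter(pixels) if level & 1)

def pov_chi_square(pixels):
    """Chi-square statistic over pairs of values (2k, 2k+1).

    LSB replacement pushes the two counts of each pair towards their mean,
    so a small statistic means the histogram fits the 'embedded' model.
    """
    hist = Counter(pixels)
    stat = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            stat += (even - expected) ** 2 / expected
    return stat

def random_bits(n, seed=99):
    """Constructed payload: random bits stand in for an encrypted message."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]

if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb_replacement(cover, random_bits(len(cover)))
    for name, img in (("cover", cover), ("stego", stego)):
        print(name, populated_odd_levels(img), round(pov_chi_square(img), 1))
```

On the constructed cover no odd grey level is populated and the statistic is large; after embedding, odd levels appear throughout the histogram and the statistic collapses because each pair of counts has been evened out.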

And Then? Where is the Risk with Steganography?

I gave a quick introduction about what steganography and steganalysis are. I know it was full of mathematical terms so now it is time to explain a little more about how steganography is used in daily life.

Let’s give an example of how steganography can be a really big risk for our safety. Let’s suppose that a criminal group wants to send some messages between members. Of course, they do not want the police to learn the content of the messages. So, criminal A wants to give criminal B some details on how to kidnap a person, but needs to avoid being tracked by the police and having them realize what is being planned. If criminal A hides the instructions in a normal image, like a sightseeing photo, and sends it using an IM application, it will be almost impossible to detect since the image does not seem suspicious. Once the image arrives, criminal B can execute the inverse steganographic method, decode the secret message to obtain all the instructions and commit the crime without alerting authorities.

Now let’s consider another scenario that might be more common in our daily life where steganography is used by an insider in order to leak sensitive company information. Almost all the common IT security protections cannot help us avoid this kind of problem since most of them do not have steganalysis features. Companies can lose important information (like customer lists, contracts, source code, etc.) without knowing about it.

Let’s suppose that employee A’s computer has a highly confidential file that contains some of the company’s secrets. He knows that if he sells that file to another company he will be paid a large bribe. The company has Data Loss Prevention (DLP) and other security tools in place that check all data leaving the company’s intranet. This means that employee A needs to find a way to get past these tools. He uses a steganographic method to hide the file in the company’s logo image and then sends an email with that image attached so it can exit the company intranet undetected. Once the information is outside of the intranet, it is also outside company control and he can do whatever he wants with it, even sell it to whomever he wants.


We need to use a steganalysis module in our networks to prevent this kind of attack. The easiest way to implement it is to run a steganalysis suite on one of our devices that analyzes the files that are trying to leave the intranet. The next image shows a basic network with a dedicated server for analyzing the files using a steganalysis module.


Unfortunately, this ideal scenario does not really exist in reality. One of the problems that we have these days is that there are not a lot of tools that include steganalysis modules, so it is a little difficult to protect our networks from this kind of attack. There are different tools for steganalysis, but almost all of them require a person to use them manually. It is really important to start working a little more in this field to develop useful tools for preventing this kind of attack.

These are really simple examples of the use of steganography. I hope you understand a little more about it and can visualize the impact that it can have in our lives. Remember that we can lose a lot of valuable data if we are not prepared for these kinds of attacks. If you have any questions, please leave a comment and I will reply as soon as possible.