Steg in the Real World


Upload: ena

Post on 14-Jan-2016


Page 1: Steg in the Real World

IEEE-WVU, Anchorage - 2008

Steg in the Real World

• Two examples that move the work of steganalysis out of the lab
  – The massive data survey of Provos et al. 2003
  – The Stegi@work distributed steganalysis framework

Steg on the Web?

• Provos et al. 2003*
  • 2 million JPEG images from
  • 1 million JPEG images from Usenet
    – Images restricted in size between 20KB and 400KB
• stegdetect
  – Identified potential hidden content in 1% of the images

*N. Provos and P. Honeyman, IEEE Security and Privacy Magazine, May/June 2003

Steg on the Web?

• Percentage of (false) positives
  – JPHide “detected” most often

Test        Ebay     Usenet
Jsteg       0.003    0.007
JPHide      1.0      2.1
Outguess    0.1      0.14

Steg on the Web?

• Verifying hidden content
  – Stegbreak
    • Dictionary attack against Jsteg, JPHide, and Outguess
  – Ebay: multi-lingual dictionary of 850,000 words
  – Usenet: short PIN numbers and pass phrases; 1.8 million words

Steg on the Web?

• Performance of Stegbreak

System            One Image (words/second)    Fifty Images (words/second)
JPHide            4,500                       8,700
Outguess 0.13b    18,000                      34,000
Jsteg             36,000                      47,000

1.2 GHz PIII

JPHide: 10 days
Outguess: ?
Jsteg: 8 days

Towards a larger steganalysis framework

• Disconcert - a distributed computing framework for loosely coupled workstations
  – Distribute indices into stegbreak’s dictionary
• Ebay: 60 nodes, 200,000 per second for JPHide
• Usenet: 230 nodes, 870,000 keys per second

Is anything out there???

• Conclusions of Provos et al. 2003
  – All steganographic systems users carefully choose passwords that are not susceptible to dictionary attacks
  – Images from sources not analyzed carry steganographic content
  – Images carried content embedded by tools that stegdetect does not consider
  – Messages are too small for detection

Distributed Steganalysis: Stegi@Work

• Objective
  – The development of an architecture for an extensible distributed application for steganalysis
    • User alerts
    • Facility for content destruction of quarantine
    • SOA to facilitate the inclusion of new and improved steganalysis algorithms

Overall Architecture

Stegi@Work System Distributed Processing Architecture

• Diagram components: Requester Clients (RC #1 ... RC #N), Stegi Server, Worker Clients (WC), firewalls, Internet or LAN
• Machine types shown: workstation, mainframe, laptop, PC
• Data / Commands / Status flow between the clients and the server
• RC requests: Send Job Packet, Poll Job Status, Retrieve Job, Retrieve Soft Update, Retrieve Tool Update
• Server: Receive Job Packet from RC, Job Status Request from RC, Retrieve Job Request from RC
• WC requests: Request Job Packet, Send Job Status, Send Job, Retrieve Soft Update, Retrieve Tool Update

Note: The server never initiates transactions: the RC and WC upload and download from the Server.

• Server Functions
  – Execute Licensed Stegi Tools
  – Distribute Jobs on WC Request
  – Track Database Results
  – Prioritize Jobs
  – Database WC Performance
  – Fuse Results
  – Filter Job Requests vs. Stored Results with Checksum
  – Statistical Fusion of Results
  – Client Software Updates (upon request)
  – Client Stegi Tool Updates (upon request)
  – Decode WC Activity Status
  – Set up RC Status
  – Set up WC Status
  – Manage Multi-WC Processing for Single Job
  – Setup/monitor GUI Interface
  – Assign a Unique Job Number (WWUID)
  – World Map GUI for Tracking RCs/WCs

• RC Functions
  – GUI User Interface
  – Job Packet Creation
  – Status Polling
  – Status Decode
  – Local Fusion
  – Run Local Stegi Tools (Local mode)
  – Poll Tool / Client Software Updates
  – Local Statistics
  – Filter Job Requests
  – Upload Job Packet
  – Download Job Results
  – Request Priority

• WC Functions
  – User Interface
  – Report Creation
  – Destroy or Detect Stegi
  – Poll Server Status for Jobs
  – Status Decode
  – Download Job
  – Run Stegi Tools
  – Poll Tool / Client Software Updates
  – Upload Report / Destroyed File
  – Pings Server with Job Activity Status
  – Setup/monitor GUI Interface

Stegi@Work Communications

• Diagram components: Requester Client (RC), Stegi Server, Worker Client (WC), exchanging Data / Commands / Status

• Job Packet Request
  – File(s)
  – Detect / Destroy
  – Priority Level Request
  – Tool Selection / Auto-Select
  – Report - Brief / Detail
  – Execution = WC Internet / WC LAN / Local
  – Optional Proprietary Stegi Tool
  – Optimization (speed vs. Detect)
  – Security / Password (1 way SSL)

• Job Results
  – Destroyed File(s) (if available)
  – Tools Executed
  – Elapsed Job Time
  – Job Execution Time
  – WC Identification
  – Tool Reports
  – Security / Password (1 way SSL)

• WC Status to Server
  – Jobs Queue (by job number)
  – Job Priority
  – Elapsed Time from Job Download
  – Job Execution Time
  – Elapsed Job Time
  – Available for New Job
  – Job Number

• Server Status to RC
  – Ready for Job Packet
  – Pending Job Priority
  – Elapsed Time from Job Download
  – Job Execution Time / Done
  – Elapsed Job Time
  – Job Number

• Server Status to WC
  – Job Packet Ready
  – Tools Required
  – Job Priority
  – Job Number
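The pull model from the architecture and communications slides (RCs and WCs call in, the server never initiates, job requests are filtered against stored results by checksum, jobs are prioritized and numbered), sketched in Python as an added example. It is not Stegi@Work code: the class and method names, the SHA-256 checksum and the integer job numbers are assumptions.

```python
import hashlib
import heapq
import itertools

class StegiServer:
    """Passive broker (hypothetical): RCs and WCs call in; it never calls out."""
    def __init__(self):
        self._ids = itertools.count(1)  # assumed stand-in for the unique job number
        self._queue = []                # heap of (-priority, job_id)
        self._jobs = {}                 # job_id -> job record
        self._seen = {}                 # (sha256, mode) -> job_id already stored
    # Requester Client (RC) side
    def submit(self, data, mode="detect", priority=0):
        key = (hashlib.sha256(data).hexdigest(), mode)
        if key in self._seen:           # checksum filter: reuse the stored job
            return self._seen[key]
        job_id = next(self._ids)
        self._jobs[job_id] = dict(data=data, mode=mode, status="pending", report=None)
        self._seen[key] = job_id
        heapq.heappush(self._queue, (-priority, job_id))
        return job_id

    def poll(self, job_id):
        return self._jobs[job_id]["status"]

    def retrieve(self, job_id):
        return self._jobs[job_id]["report"]

    # Worker Client (WC) side
    def request_job(self, wc_id):
        if not self._queue:
            return None                 # nothing pending; the WC polls again later
        _, job_id = heapq.heappop(self._queue)
        job = self._jobs[job_id]
        job.update(status="running", worker=wc_id)
        return job_id, job["data"], job["mode"]

    def upload_report(self, job_id, wc_id, report):
        job = self._jobs[job_id]
        if job.get("worker") != wc_id:  # only the WC holding the job may report
            raise PermissionError("job is not assigned to this worker")
        job.update(status="done", report=report)

def work_once(server, wc_id, tool):
    """One WC cycle: pull a job, run the wrapped tool (any callable), push the report."""
    got = server.request_job(wc_id)
    if got is None:
        return None
    job_id, data, mode = got
    server.upload_report(job_id, wc_id, {"mode": mode, "tool": tool(data)})
    return job_id
```

Because every call originates at a client, only the server needs to accept inbound connections through the firewalls shown in the diagram.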

Flexible Network Architectures

Stegi@Home Classified System Grid / User Levels

• Diagram labels: Requester Client (RC), Worker Client (WC), Stegi Server Local, Stegi Server, Firewall, Classified LAN, Classified Internet
• Grid levels: GRID Level 0, GRID Level 1, GRID Level 2
• User Levels: Standard, Intermediate, Expert

Flexible Network Architectures

Stegi@Home Commercial System Grid / User Levels

• Diagram labels: Requester Client (RC), Worker Client (WC), Stegi Server Local, Stegi Server, Firewall, LAN, Internet
• Grid levels: GRID Level 0, GRID Level 1, GRID Level 2
• User Levels: Standard, Intermediate, Expert

User Interface

Stegi@Home GUI Functions

• Diagram components: Requester Client (RC), Stegi Server, Worker Client (WC), exchanging Data / Commands / Status

• RC GUI Functions
  – File Explorer
  – Select Detect / Destroy
  – Results Display
  – Job Packet Send Button
  – Run Poll Server
  – Local Fusion Menu
  – Job in Progress Status Display
  – Software / Tool Update Menu (auto mode)

• RC GUI Functions
  – File Explorer
  – Job Queue Display
  – Run Poll Server (WC available)
  – Software / Tool Update Menu (auto mode)

• User Levels
  – Standard
  – Intermediate
  – Expert

Steganalysis Support

• Publicly available wrapped tools
  – Stegdetect (JPEG)
  – Digital Invisible Ink Toolkit (BMP, PNG)
    • Detects LSB methods
  – Custom “supertool”
    • Detects via signatures:
      » In Plain View, S-Tools, Mandelsteg, Hide and Seek v.4 and v.5, Hide4PGP
    • Statistical tests: 2 and 2 histogram

Steganalysis Tool Wrapping Support

• Full featured tool wrapping API
  – Tool wrapping support for C/C++, Java, and Matlab programs
  – Network communication with XML messages between worker clients and Stegi@Work server

Implementation Details

• Entire framework written in Java 5
  – Tool support in a variety of languages
  – JNI low-level system support for Linux and Windows
  – JBOSS backend server
  – EJB 3 Object Model