"Blind" Steganography Detection
The blind detection approach to steganalysis has been around for a number of years.
Blind detection attempts to determine if a message may be hidden in a file without
any prior knowledge of the specific steganography application used to hide the information.
Several techniques may be employed to inspect suspect files including various visual,
structural, and statistical methods.
Visual analysis methods attempt to detect the presence of steganography through
visual inspection, either with the naked eye or with the assistance of automated
processes. Visual inspection with the naked eye can succeed when steganography is
inserted in relatively smooth areas with nearly equal pixel values. Automated computer
processes can, for example, decompose an image into its individual bit-planes. A
bit-plane consists of a single bit of memory for each pixel in an image, and is
a typical storage place for information hidden by steganography applications. Any
unusual appearance in the display of the least significant bit-plane would be expected
to indicate the existence of steganography.
Structural analysis methods attempt to reveal alterations in the format of the data
file. For example, a steganography application may append hidden information past
an image's end-of-file marker. An image that has been modified using this appending
technique is interpreted by the operating system just as if it were the original
carrier file. The two files are visually and digitally identical, because the image's
data bits have not been altered. The hidden information that is embedded past the
end-of-file marker is simply ignored by the operating system. Several automated
methods for conducting structural analysis have been developed in addition to the
manual process of investigating images with a hex editor.
Statistical analysis methods attempt to detect tiny alterations in a file's statistical
behavior caused by steganographic embedding. Statistical analysis of files can be
difficult and time-consuming, since there are a variety of approaches to embedding, each
modifying the carrier file in a different way. Therefore, unified techniques for
detecting steganography using this method are difficult to find. Computing statistics
such as means and variances, and applying chi-square tests, can measure the amount of
redundant information and/or deviation from the expected file characteristics. Current research
in blind detection steganalysis is focused on these statistical methods.
Complications of Blind Detection
In practice, even if the blind detection technique detects anomalies in suspect
files, it is not very likely that the hidden information can successfully be extracted.
It is often not possible to identify the particular steganography application used
to embed hidden information within the suspect file using current blind detection
algorithms. The suspect file may have characteristics similar to an anomaly that
will trigger a false positive result. Even if it is possible to extract the hidden
information, which is highly unlikely using only a blind detection approach, the
hidden information may have been encrypted prior to being embedded in the carrier
file.
The following four complications are possible when implementing blind detection
techniques for steganalysis:
- The suspect file may or may not have any information hidden in it in the first place
- The hidden message may have been encrypted before being hidden in the carrier file
- Some suspect files may have had noise or irrelevant data encoded in them, which reduces
the stealth aspect (i.e., makes it easier to detect use of steganography) but makes
analysis very time-consuming
- Unless the hidden information can be found, completely recovered, and decrypted
(if encrypted), it is often not possible to be sure whether the suspect carrier
file contained a hidden message in the first place; all the user ends up with is a
probability that the suspect carrier file may have something hidden within it