Steganography is used today not only by researchers, but also by attackers. It hides the very existence of a message rather than just its content, as classical cryptography does. That is why attacks on covert information transmission systems are becoming one of the key areas in cybersecurity. The article explains what steganography is, what methods exist for implementing it (images, audio, video, network protocols) and what types of attacks are most often used against such systems. Both passive observation and active intervention are considered: from container substitution to the destruction of covert communication channels.
Steganography is the ancient art of hiding information that has gained new life in the digital age. Unlike cryptography, where we encrypt the content of a message, steganography hides the fact that secret information exists.
Imagine: you send an innocent photo on a social network, but inside it is a message hidden that only the right person will see. Or you send a document that contains an invisible digital signature to confirm authorship. All these are examples of modern steganography.
Today, this method is used both for legal purposes (copyright protection, digital watermarks) and by attackers to bypass security systems. Therefore, it is important for information security specialists to understand the principles of steganographic systems and methods for their analysis.
In this article, we will analyze the basics of steganography, analyze possible attacks on stegosystems and means of protection against them.
When steganographic methods are used, secret information is disguised as ordinary data: images, text or other digital content. The secret message is embedded in a cover message in such a way that no one can suspect that hidden information exists. The word steganography itself comes from the ancient Greek στεγανός (hidden) and γράφω (I write).
The first mention of steganography dates back to 440 BC. The Greek historian Herodotus described two methods of hiding information in his Histories:
The Spartan king Demaratus warned the Greeks of a Persian invasion. He scratched a message on a wooden base of a wax tablet and then applied wax over it [Book VII, Chapter 139].
The slave’s head was shaved and a secret message was tattooed on his skin. Then, when the hair grew back, he was sent to the addressee. The slave’s head was shaved again to read the message [Book V, Chapter 35].
Nowadays, there are four main types of steganography:
Classical – uses physical methods of hiding data: invisible ink, “Aesopian language”, overlay stencils, radio communication on varying frequencies.
File – masks information inside files, using the features of their structure. A typical example is embedding a hidden message in metadata.
Digital – is based on hiding additional information in, or adding it to, digital objects. Most often these are multimedia objects, file objects and file system objects. What matters in this method is not which objects (containers) it uses, but for what purpose: the goal of digital steganography is to create a mark that confirms authorship or, for example, the integrity of a file. A striking example is digital watermarking technology.
Network – embeds the information to be hidden in network protocols (TCP, UDP, ICMP).
Modern stegosystems often combine several methods of forming covert transmission channels. The basis of such a stegosystem is a container – an object inside which a secret message is hidden.

The security of a stegosystem depends on the correct choice of container for covert data transmission. Let us consider its vulnerabilities using a classical information security model.
Two prisoners, Alice and Bob, are sitting in different cells. To plan an escape, they exchange stegocontainers (a covert communication channel) over an open (visible to everyone) communication channel. A third party — the intruder Willy, who acts in this example as an attacker — controls the communication channel and tries to detect the fact of covert communication between the prisoners.
In steganography, there are three main types of intruder:
A passive intruder can analyze the traffic passing through the channel but is unable to change it. Here Willy’s main task is to detect the fact that hidden information is being transmitted and to block the communication channel in time.
An active intruder purposefully modifies all intercepted data in order to destroy any hidden messages. The attack takes the form of a transformation of the stegocontainer, for example lossy compression or low-pass filtering.
A malicious intruder can not only detect the fact of hidden data transmission, but also introduce false messages into it, for example, trying to impersonate Alice or Bob.
The main threat to the stegosystem is the detection of a hidden communication channel. When an attacker discovers the fact of the transmission of secret messages, he moves from passive observation to active actions: intercepting data, replacing messages, or blocking the communication channel. At the same time, complex technical means are often not required to detect a stegochannel. It is enough for the attacker to systematically monitor the parameters of the open communication channel.
Steganographic transmission in a network communication channel can be detected by monitoring network packets and analyzing file exchange between users. However, hidden messages can be reliably detected only with special traffic analysis methods: statistical or signature-based.
The signature method works by searching for anomalies in the data structure. For example, the Reserved field in the TCP packet header normally contains only zero bytes. The appearance of two non-zero bytes in this field may mean that someone is using the packet as a container for covert transmission.
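As an added example (not from the article), here is a minimal signature check in Python for the field just mentioned: it decodes the fixed TCP header, reads the 4 Reserved bits that follow the Data Offset nibble, and flags a segment whose Reserved bits are non-zero. The sample segments are constructed inside the code.

```python
"""Signature-style check for a covert channel in the TCP header
(added example, not from the article). Per RFC 9293 the 4 Reserved bits
after the Data Offset nibble must be zero, so non-zero values are an
anomaly a detector can flag. All segments here are constructed."""
import struct

# src port, dst port, seq, ack, offset/reserved, flags, window, checksum, urgent
TCP_HEADER = struct.Struct("!HHIIBBHHH")


def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header; raise on truncated input."""
    if len(segment) < TCP_HEADER.size:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_rsvd, flags, win, csum, urg = TCP_HEADER.unpack_from(segment)
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": off_rsvd >> 4,   # header length in 32-bit words
        "reserved": off_rsvd & 0x0F,    # must be zero in normal traffic
        "flags": flags, "window": win, "checksum": csum, "urgent": urg,
    }


def covert_channel_indicators(segment: bytes) -> list[str]:
    """Signature hits for one segment; an empty list means nothing unusual."""
    hdr = parse_tcp(segment)
    hits = []
    if hdr["reserved"] != 0:
        hits.append(f"reserved bits set: 0x{hdr['reserved']:x}")
    if hdr["data_offset"] < 5:
        hits.append("data offset below minimum header length")
    return hits


def build_segment(reserved: int = 0, seq: int = 0x11223344) -> bytes:
    """Constructed sample: a SYN from port 40000 to 443 with a chosen Reserved value."""
    off_rsvd = (5 << 4) | (reserved & 0x0F)
    return TCP_HEADER.pack(40000, 443, seq, 0, off_rsvd, 0x02, 65535, 0, 0)


if __name__ == "__main__":
    for pkt in (build_segment(), build_segment(reserved=0x3)):
        print(parse_tcp(pkt)["reserved"], covert_channel_indicators(pkt))
```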
Detecting a steganographic channel can be approached both from the signature side and from the behavioral analysis angle. An example from the literature:
Two colleagues who are on friendly terms come up with their own code for communicating in a work chat. For example, they post a meme with cats in a joint chat to show that they intend to get away from work and go on a break together. Other employees perceive this as an ordinary exchange of funny pictures and do not understand that it is actually a coffee break.
If some subscribers (for example, employees of the same company) simultaneously show interest in the same things and begin to actively exchange materials on these topics, this may be indirect evidence that they are actually exchanging hidden messages.
If such communication ceases to be secret, its participants face the threat of the hidden message being extracted. To carry this out, the attacker needs special knowledge and skills in the field of stegoanalysis.
This threat can be avoided by keeping various components of the stegosystem secret: the key, embedding parameters, or, in this case, the very fact of the existence of the stegochannel.
Finally, there is the threat of destroying the hidden message. To do this, the attacker needs to change the stegocontainer so that the information in it is destroyed.
A vivid historical example of such an attack is the actions of American counterintelligence during World War II. Fearing Japanese and German spies, US intelligence agencies checked the international correspondence of their citizens.
In letters and telegrams, words were replaced with synonyms, the order of words and cases was changed, and sentences were rephrased. Particular attention was paid to handwriting: all handwritten messages were retyped on a typewriter to neutralize possible steganographic cues in the way the letters were written. Such changes, which leave the overt meaning of the message intact, effectively destroyed the steganographic channel.
A ban was also imposed on the sending of materials potentially suitable for transmitting hidden messages: crossword puzzles, sewing and embroidery patterns, descriptions of chess games.
The threat of hidden message substitution deserves special attention. If an attacker gains access to the container and understands how the recipient reacts to it, he can inject his own container carrying a modified message into the stegochannel. This allows him to manipulate the recipient’s behavior and provoke the reaction the attacker wants.
Now let’s consider the possible types of attacks on stegosystems, depending on the level of activity of the attacker Willy. Let’s imagine that Alice and Bob are colleagues who send each other pictures with encrypted messages, and the astute Willy tries to expose them.
Known container attack. In this case, Willy is not yet completely sure that the stegochannel even exists, but he can compare the original image without changes with the one that Alice sends to Bob. If Willy can detect the hidden message and determine the steganographic method used by Alice, the stegochannel will be revealed. Such an attack is quite simple: to implement it, Willy does not even need to make changes to the container. Similar attacks can be implemented in systems that integrate DLP solutions.
Filled container attack. Here the attacker’s task is to prove that a secret message is being transmitted. To do this, Willy compares a known filled container (a picture with a hidden message) with the one that Alice sends to Bob. This is done without corrupting the container being sent, simply by comparison.
Stegocontainer selection attack. In this attack, Willy knows several filled containers, and perhaps he knows how Bob reacts to some of them. In this case, he can impose his own message containers on Bob in order to achieve a certain reaction.
Message selection attack. This type of attack is similar to a chosen-message attack on a cryptographic system. It works like this: in order to learn the secret key used in the correspondence, one of the subscribers is somehow inadvertently fed a message, which he will most likely pass on to his accomplice unchanged. For example, if Willy knows that Alice and Bob do not like to cross paths with him at work, he can slip Alice his shift schedule. Wanting to pass this information to Bob, Alice will give him the schedule, and Willy will thus influence Bob’s behavior.
Message destruction attack. Aims to make secret correspondence impossible. For example, with a DLP system, the administrator can make additional changes to the transmitted message to block the stegochannel.
To minimize the risk of the container being detected and read, you need to choose a reliable method of hiding information. Here are some ways to increase the robustness of the stegosystem:
Choosing the right container. Use files that are inherently highly redundant, such as BMP or WAV. These formats are less prone to loss when modified, allowing for more effective information hiding.
Minimizing statistical changes. Hide information so that changes to the container are barely noticeable. For example, modify the least significant bits (LSBs) of image pixels so that the changes are invisible to the eye.
Using pseudo-random sequences. Use pseudo-random algorithms to choose the location where information will be hidden. This makes the data structure less predictable.
Avoiding patterns. Avoid using fixed locations for data insertion. Patterns can be discovered when analyzing files.
Adaptive methods. Develop algorithms that adapt to the contents of the container to minimize changes in its structure and visual perception.
Robustness testing. Test stegosystems against various types of analysis and attacks to identify vulnerabilities.
Regularly update your methods. Keep up with new research and steganography techniques and update your approaches to stay one step ahead of potential attackers.
To ensure the integrity of the message, its transmission can be supplemented with a simple electronic digital signature (EDS). Provided the attacker cannot damage the message, forge the EDS and then send the resulting steganogram, we obtain a stegosystem that eliminates the attacks under consideration.
In addition, to further strengthen the security of the stegosystem, we can resort to additional encryption (cryptography). Thanks to it, establishing the presence of a stegochannel becomes harder, because extracting the container’s contents yields not plaintext but only a cryptogram.
Text data hiding is used to protect copyright during electronic distribution of documents by allowing tags that prove authorship or ownership to be embedded. It also helps control file processing: programs can treat text files differently depending on whether they contain hidden data. This can be used, for example, to prohibit the transfer of sensitive documents.
The “white space” method. To encode data, additional spaces are inserted into the text. The method hides a binary message in the text by placing one or two spaces after closing punctuation marks (periods, question marks and the like). One space is encoded as “0” and two spaces as “1”. Data is also encoded by the number of spaces at the end of each line.
In the example below, the text has been selectively justified, and spaces have been added to the ends of lines to hide more data.
The advantage of the method is that any text can be used, and the changes will be invisible to ordinary readers. There are also disadvantages: for example, in some services, “extra” spaces can be removed due to built-in text formatting rules. In addition, the method is only suitable for digital documents – finding hidden data in printed text will be problematic.
There is also a way of using “white space” to hide data in justified text. Data is encoded by adjusting where the additional space is placed. One space between words is interpreted as “0”, two spaces as “1”. As a result, several bits can be encoded on each line.
Due to alignment constraints, not all spaces between words can be used for data. To determine which spaces represent hidden data and which are part of the original text, Manchester encoding is used: groups of two bits are interpreted so that “01” means “1” and “10” means “0”, while the bit pairs “00” and “11” are ignored. For example, the encoded message “1000101101” reduces to “001”, while “110011” is an empty string.
Syntactic methods. These exploit opportunities for ambiguous punctuation, or situations where incorrect punctuation is hard to spot.
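The following Python code is an added example, not part of the original article, implementing the justified-text variant with Manchester coding described above: `embed` writes message bits into inter-word gaps, `extract` reads them back, and `strip_extra_spaces` shows how a service that normalizes spacing destroys the channel. The cover text and message are constructed.

```python
"""Whitespace steganography with Manchester coding (added example, not from
the article). Message bits go into the inter-word gaps of each line: one
space reads as raw "0", two spaces as raw "1". Raw bits are then read in
pairs: "01" -> 1, "10" -> 0, while "00"/"11" are gaps that carry no data."""
import re


def manchester_decode(raw: str) -> str:
    """Collapse a raw gap-bit string to message bits, as the article describes."""
    out = []
    for j in range(0, len(raw) - 1, 2):
        pair = raw[j:j + 2]
        if pair == "01":
            out.append("1")
        elif pair == "10":
            out.append("0")
        # "00" and "11" are ignored (original spacing, no payload)
    return "".join(out)


def embed(cover: str, message: str) -> str:
    """Hide an ASCII message in the inter-word gaps of a multi-line cover text."""
    bits = "".join(f"{b:08b}" for b in message.encode("ascii"))
    i, out_lines = 0, []
    for line in cover.splitlines():
        words = line.split()
        gaps = max(len(words) - 1, 0)
        widths = []
        for _ in range(gaps // 2):          # two gaps carry one message bit
            if i < len(bits):
                widths += [2, 1] if bits[i] == "0" else [1, 2]   # "10" / "01"
                i += 1
            else:
                widths += [1, 1]            # "00": untouched, ignored on read
        widths += [1] * (gaps - len(widths))  # odd trailing gap, never read
        out_lines.append("".join(w + " " * n for w, n in zip(words, widths)) +
                         (words[-1] if words else ""))
    if i < len(bits):
        raise ValueError("cover text has too few gaps for this message")
    return "\n".join(out_lines)


def extract(stego: str) -> str:
    """Recover the message: gap widths -> raw bits -> Manchester -> bytes."""
    bits = ""
    for line in stego.splitlines():
        raw = "".join("1" if len(g) == 2 else "0"
                      for g in re.findall(r" +", line.strip()))
        bits += manchester_decode(raw)
    return "".join(chr(int(bits[k:k + 8], 2)) for k in range(0, len(bits) - 7, 8))


def strip_extra_spaces(text: str) -> str:
    """What a formatting service does to 'extra' spaces: it destroys the channel."""
    return "\n".join(" ".join(line.split()) for line in text.splitlines())


COVER = "\n".join(  # constructed cover text, 12 words (11 gaps) per line
    ["the quick brown fox jumps over the lazy dog near the mill"] * 4)

if __name__ == "__main__":
    stego = embed(COVER, "Hi")
    print(repr(extract(stego)))                      # 'Hi'
    print(repr(extract(strip_extra_spaces(stego))))  # ''
```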
An example from linguistics. In the phrases “bread, butter, and milk” and “bread, butter and milk”, the comma before the conjunction “and” is optional and depends on the author’s linguistic preferences. This feature of the English language can be used as the basis for a cipher, where the choice between two punctuation options will represent binary data: if a comma is placed before the conjunction, we mean “1”, if it is not, we mean “0”.
Other examples include the controlled use of abbreviations and acronyms. The method should be used with caution, as changing punctuation can significantly affect the clarity or even the meaning of the text, and simply be noticeable.
Semantic methods. Involve the use of synonyms. For example, the adjectives “big” and “large” that are similar in meaning can be used for encryption: when decoding, “big” will be interpreted as “1”, “large” as “0”. Problems arise when replacing the original word with a synonym greatly distorts the meaning of the sentence.
Visual similarity method. Based on the similarity between Cyrillic and Latin characters. For example, the Russian letter “а” and the English letter “a” can be used interchangeably. Visually they are indistinguishable, and the average reader will not notice the difference. The presence of the Russian “а” in the text can then be interpreted as “1”, and the English “a” as “0”.
The general principle of these methods is to replace the redundant, insignificant part of the image with bits of the secret message. To recover the message, you need to know the algorithm by which the hidden information was placed in the container (image). So as not to stretch the article, we will not describe these methods but simply list them:
least significant bit replacement (LSB);
pseudo-random interval;
block hiding;
image quantization;
Kutter-Jordan-Bossen;
Darmstaedter-Delaigle-Quisquater-Macq.
Visual stegoanalysis for image containers. If the hidden message is encrypted before embedding, each of its bits is practically equiprobable and independent of the neighboring bits. In that case, the presence of a hidden message can be detected by comparing the least significant bit plane of a filled container with that of empty natural containers.
In the example below, the least significant bits of the image elements are replaced by the bits of the hidden message: the embedded bits replace the lowest-order bit of the brightness component of each pixel. In natural containers there are correlations between the low-order bits of neighboring elements. The image of a mill on the left is an empty container; on the right, the hidden message has been embedded sequentially, bit by bit, into the LSB of the color component of each pixel.


Statistical stegoanalysis for image containers. Treats the embedding of hidden information as a violation of the statistical regularities of natural containers, and its verdict is probabilistic. The statistical characteristics of the sequence under study are analyzed to establish whether they resemble those of natural empty containers (if so, there is no hidden transmission) or those of filled containers (if so, the existence of a hidden information transmission channel is revealed).
Statistical stegoanalysis methods use a variety of statistical characteristics, such as entropy estimates, correlation coefficients, probabilities of occurrence of and dependence between sequence elements, conditional distributions, significance tests using the chi-square criterion, and many others.
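As an added example (not the article’s own code) covering both the visual and the statistical attack above: sequential LSB embedding into a constructed 8-bit container, `lsb_plane` as the bit plane a visual attack would render, and the chi-square pairs-of-values test, which relies on the fact that embedding random (encrypted) bits equalizes the counts of values 2k and 2k+1. The container generator and the detection threshold are assumptions of this example.

```python
"""Sequential LSB embedding and the chi-square pairs-of-values test
(added example, not from the article). The container is a constructed list
of 8-bit grey values in which the (2k, 2k+1) value pairs are unbalanced, as
in natural containers; embedding encrypted (uniformly random) bits evens
the pairs out, which is what the statistical test picks up."""
import random


def make_cover(n: int = 4096, seed: int = 7) -> list[int]:
    """Constructed stand-in for a natural container, not a real image."""
    rnd = random.Random(seed)
    pix = []
    for _ in range(n):
        v = min(255, max(0, int(rnd.gauss(128, 30))))
        if rnd.random() < 0.7:   # bias towards the even member of each pair
            v &= ~1
        pix.append(v)
    return pix


def random_bits(n: int, seed: int = 1) -> str:
    """Stand-in for an encrypted payload: uniform, independent bits."""
    rnd = random.Random(seed)
    return "".join(rnd.choice("01") for _ in range(n))


def embed_lsb(cover: list[int], bits: str) -> list[int]:
    """Replace the LSB of the first len(bits) samples, in order."""
    if len(bits) > len(cover):
        raise ValueError("message longer than container")
    stego = list(cover)
    for i, b in enumerate(bits):
        stego[i] = (stego[i] & ~1) | int(b)
    return stego


def lsb_plane(pixels: list[int]) -> str:
    """The bit plane a visual attack renders; also the raw extracted message."""
    return "".join(str(v & 1) for v in pixels)


def chi_square_pov(pixels: list[int]) -> tuple[float, int]:
    """Chi-square statistic over pairs of values and its degrees of freedom."""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    chi2, df = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2          # equal halves if LSBs are random
        if expected > 0:
            chi2 += (even - expected) ** 2 / expected
            df += 1
    return chi2, max(df - 1, 1)


def looks_stego(pixels: list[int], ratio: float = 2.0) -> bool:
    """Verdict: filled container if chi2 is of the order of df (ratio below 2)."""
    chi2, df = chi_square_pov(pixels)
    return chi2 / df < ratio


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover, random_bits(len(cover)))
    for name, img in (("cover", cover), ("stego", stego)):
        chi2, df = chi_square_pov(img)
        print(f"{name}: chi2={chi2:.1f} df={df} stego={looks_stego(img)}")
```

A real analysis runs the test over growing prefixes of the pixel sequence, since sequential embedding leaves the untouched tail of the container with its natural pair imbalance.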
As we have seen, modern steganographic systems are susceptible to a whole range of threats – from simple detection of a communication channel to complex active attacks with content substitution. In this case, the attacker can act at different levels of activity: from a passive observer to a malicious agent capable of interfering with the system.
However, the competent application of the considered protection methods – from the correct choice of container to the use of pseudo-random sequences and adaptive algorithms – allows you to create fairly stable stegosystems. The most effective is a comprehensive approach that combines steganography methods with classical cryptography and electronic signature mechanisms.
It is important to understand that in real conditions there are no absolutely reliable methods of hiding information: any system can be compromised if the attacker has enough resources. The developer’s task is to make the attack so complex and resource-intensive that it becomes economically inexpedient.
If you want to delve deeper into the topic, I also recommend paying attention to the emerging field of network steganography and machine learning methods in stegoanalysis – this is where the most interesting research is currently taking place.
These disciplines are of particular interest to cybersecurity specialists, for whom steganography plays a dual role: on the one hand, it is an additional layer of protection when transmitting critical information, and on the other, a potential attack vector.
This duality is especially noticeable in the example of the interaction between the Red Team and the Blue Team:
For the Red Team, steganography opens up wide possibilities for creating hidden control channels and data exfiltration, which can be used when testing system security.
For the Blue Team, it is important to have both an in-depth understanding of methods for secure information transmission and the skills to detect steganographic channels, especially in the context of detecting malware C2 channels.
That is why it is so important to develop expertise in steganography in the information security community. Ultimately, this will allow not only to more effectively counteract new threats, but also to develop more advanced protection methods.