USHA B.A.* et al ISSN: 2319 - 1163
Volume: 1 Issue: 2 148 - 151


Usha B.A.¹, Dr. N K Srinath², Dr. N K Cauvery³
¹,²,³ Asst Professor, Prof and HOD, Professor, Dept of CSE, R V College of Engineering, Bangalore, India

Steganography is the art of concealing information to transmit it in such a way that nobody but the intended receiver knows the existence
of the message. Steganalysis techniques work on eliminating suspicion about the existence of a message. If suspicion is raised, then
the message cannot be passed covertly. One of the ways to detect the hidden message is to view the statistical properties of the image
or medium in which the message is hidden. This is called a statistical attack. In this paper, we explain the nature of such attacks and
present our conclusions based on reviews of existing methods of defense against statistical attacks.

Keywords- Steganalysis, Steganography, statistical attacks, JPEG images, OutGuess

Steganography comes from Greek words meaning "covered writing". Over the ages, it has developed into an art of hiding the very existence of a message when it is being relayed. Any code that can be represented digitally can act as a carrier for a message. This could be text, an image, a video or any other such "innocent looking" media. A message is the information hidden in anything that can be embedded into a bit stream like plain text, cipher text or even another image. A stego-carrier is the name given to the cover carrier and the embedded message together. A stegokey is any additional hidden information, such as a password, required to be able to send a message. A possible formula of the process may be represented as: [1]

Cover medium + embedded message + stegokey = stego-

1.1 Methods Used

Due to their omnipresence in the World Wide Web, images provide excellent carriers for hidden information. Many different techniques have been introduced till date [2]. Each of these can be used to test detection properties and robustness in the effort to destroy or disable the embedded message. These techniques can be broadly categorized into two groups: those in the Image Domain and those in the Transform Domain.

i) Image Domain tools make use of bit-wise methods that apply least significant bit (LSB) insertion and noise manipulation. These "simple system" approaches in steganography [3] set the least significant bits of image pixels equal to those of the message text. The tools used in this group include StegoDos, S-Tools, Hide and Seek, Hide4PGP and Steganos among others. There is no loss in the image formats used in such steganography and it allows data to be directly manipulated and recovered. This approach also comprises including additional components such as masks or image objects to watermark an image.

ii) The transform domain tools involve manipulation of algorithms and image transforms such as discrete cosine transformation (DCT) and wavelet transformation. These methods hide messages in more significant areas of the covering image medium and hence may end up manipulating image properties such as brightness. Watermarking tools belong to this category. Software that implements this approach includes PictureMarc, JK-PGS, SysCop, and SureSign. This approach is more robust than bit-wise techniques but there exists a tradeoff between this robustness and the amount of information that can feasibly be added to the image. [1]

JPEG images use the Discrete Cosine Transform (DCT) to achieve image compression. The compressed data is stored as integers; however, if we need to quantize the data to encode a message, all the calculations required involve floating point data. Information is hidden in the JPEG image by modulating the rounding choices either up or down in the DCT coefficients. Detection of such an embedded message would seem to be quite difficult. In this rounding off, errors may occur and this leads to the losses in this method. The tool Jpeg-Jsteg is a steganography tool that makes use of this property. In steganography when we divide the image into 8x8 sub-images, the boundaries of these sub-images may become visible, leading to a disjoint image. This is called blocking artifact and DCT is used to minimize it. [4]

IJRET | OCT 2012, Available @

We can also use tools whose approach combines image and transform domain tools. These may include approaches like patchwork and masking which make the hidden information seem redundant. [3] Hence the steganography is successful and independent of effects like cropping and rotation. Patchwork uses a pseudo-random technique to select multiple patches of an image for marking with a watermark so that even if one is lost, the entire message is not lost. Masks use image domain tactics since they are just an extra component or image object. They also use transform domain tools for adjusting image properties or transforming them.

1.2 Steganalytic Detection

For a person applying steganalysis to determine the presence of a message, the method he will use is called a steganalytic attack. There are five main types of attacks possible, namely stego-only, known cover, known message, chosen stego, and chosen message. A stego-only attack is one where only the stego-medium is available for analysis. If the "original" cover-media and stego-media are both available, then a known cover attack is available. A known message attack is used when the hidden message is revealed at some later date, and an attacker may attempt to analyze the stego-media for future attacks. The chosen stego attack is one where the steganography algorithm and stego-media are known. A chosen message attack is one where the steganalyst generates stego-media from some steganography tool or algorithm and a known message so that he can find out which tools and algorithms are used based on the patterns he can detect.

2.1. Characteristics Of A Statistical Attack

While embedding the message in a medium, there are certain statistical properties of the medium that need to be maintained. If not maintained, they can reveal the existence of a hidden message. For example if the medium is an image, examples of such properties would include PoVs. A PoV or pair of values is a tuple $(2i, 2i+1)$ that indicates that the bit denoted by $2i$ is transformed onto the bit $2i+1$ after encoding the message within the image. These PoVs are automatically generated when the image is encoded and can be stored. Then, for the kth pixel, the frequency histogram of the image, denoted by $Y_k$ will change and then the presence of the message will become apparent. Hence we need to maintain that $Y_{2i} + Y_{2i+1}$ remains a constant. If not, this type of attack is called a statistical attack.

The main types of statistical analysis include histographic, chi-square, generalized chi-square and pairs analysis.

Histographic analysis on JPEG sequential and pseudo-random embedding type stegosystems, such as JSteg and Outguess 0.1 can effectively estimate the length of the message embedded and it is based on the loss of histogram symmetry after

χ² makes use of the generalized Euler Gamma function and has a rigorous mathematical proof.

The generalised χ² attack does not calculate an estimation of the message length and can be sometimes wrong if the message has a significant difference in the number of zeros compared to

Pairs analysis was designed specifically for GIF images but works well for greyscale BMP images as well and can estimate the length of the message embedded. [5]

At present, there are two approaches to the problem of steganalysis, one where there exists a specific steganographic technique for a specific steganographic algorithm or one where the technique is independent of it. The success of these algorithms depends on its capacity to detect the presence of an image. Decoding of a message can be cumbersome if strong cryptographic tools have been used. If the individual is able to detect the presence of a message, then the steganographic system is said to be insecure [7] and we need to find ways to ensure secure transmission of secret messages.

Here, the authors discuss the possibilities of deterministic and
deterministic method proves to be ineffective if both the stego and the cover are known to a third person that wants to break into the system. In [7], we see that it is impossible to have secure data in such cases. Thus, indeterminism is introduced in the embedding operation. This results in randomness each time the process is computed thus introducing uncertainty. Thus, if the attacker is aware of the stego and the cover (S and C respectively), then when S is known, C is uncertain, such that H(C/S) > 0 where H denotes the entropy. To ensure this, the authors in [7] introduce another variable CS from which the actual cover is selected. They assume that the steganographic function, CS and the stego are publicly known whereas the key and cover are unknown to the attackers. They prove that the cover must contain an uncertainty for the attacker to allow secure steganography between sender and recipient. Thus, to ensure security, the embedding process must be split into two: non-deterministic and deterministic parts, which are indistinguishable to the attacker.

For instance, an image taken using a camera can easily portray the area where the image was captured and the features of the camera. But, the position of the camera or the direction of the camera while capturing the image cannot be predicted accurately. Thus, the attacker is unaware of the image details and cannot distinguish between an original image and a steganographic one. Thus, we can say that preprocessing i.e. positioning of the camera initiates randomness into the cover
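
The PoV property of section 2.1 and the raw-image LSB case of section 4.1, as an added example (not code from this paper or from any tool it names): a chi-square test over pairs of values, run on a constructed bell-shaped histogram, a fully embedded copy and a 5% embedded copy. The function names, the toy `lsb_embed` helper, the sample data and the Wilson-Hilferty tail approximation are assumptions of this example.

```python
import math
import random

def pov_chi_square(pixels, min_expected=5):
    """Chi-square test on pairs of values (2i, 2i+1) of 8-bit samples.

    Returns (statistic, degrees_of_freedom, p). p near 1 means the two bins
    of each pair are about equal, as expected after LSB embedding.
    """
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    stat, pairs = 0.0, 0
    for i in range(128):
        expected = (hist[2 * i] + hist[2 * i + 1]) / 2  # (Y_2i + Y_2i+1) / 2
        if expected < min_expected:                     # skip sparse pairs
            continue
        stat += (hist[2 * i] - expected) ** 2 / expected
        pairs += 1
    dof = pairs - 1
    if dof < 1:
        return stat, dof, 0.0
    # Wilson-Hilferty normal approximation of the chi-square upper tail
    # (assumption: chosen so the example needs only the standard library).
    z = ((stat / dof) ** (1 / 3) - (1 - 2 / (9 * dof))) / math.sqrt(2 / (9 * dof))
    return stat, dof, 0.5 * math.erfc(z / math.sqrt(2))

def lsb_embed(pixels, fraction, rng):
    """Toy embedder for the test data only: overwrite the LSB of a random
    `fraction` of samples with random bits (stand-in for an encrypted message)."""
    out = list(pixels)
    for idx in rng.sample(range(len(out)), int(len(out) * fraction)):
        out[idx] = (out[idx] & ~1) | rng.getrandbits(1)
    return out

def constructed_cover():
    """Constructed sample: bell-shaped histogram centred on 128, so the two
    bins of each pair differ, unlike a fully embedded image."""
    return [v for v in range(256)
            for _ in range(int(5000 * math.exp(-((v - 128) / 12) ** 2 / 2)))]

def demo():
    rng = random.Random(2012)
    cover = constructed_cover()
    return {
        "cover": pov_chi_square(cover)[2],
        "stego_100pct": pov_chi_square(lsb_embed(cover, 1.0, rng))[2],
        "stego_5pct": pov_chi_square(lsb_embed(cover, 0.05, rng))[2],
    }

if __name__ == "__main__":
    for name, p in demo().items():
        print(f"{name:13s} p(embedding) = {p:.4f}")
```

On this constructed data only the fully embedded copy scores high; the 5% copy stays near the cover's score, which is the length constraint described for raw images.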

Another method to ensure secure data sending illustrates the idea of a trusted domain. In [7], we see that ISDN allows secure communication with steganography with the aid of bit transparent transportation of digital data. Here, the attacker fails to encode the secret message without the key even if he knows the source and the embedding function. The characteristic of the output (stego or cover) cannot be determined from outside in this method.

Information hiding begins by modifying the redundant bits, which can change the statistical properties of the cover. For instance, equal likelihood of 1's and 0's occurs. But, redundant data tends to converge towards one of them. Embedding data thus weakens the correlation. [9] Thus, for secure steganography, the key and the actual cover must remain unknown to the attacker. We also need to apply additional transforms to the redundant data, which correct measurable deviations in the embedding process. This is possible by concealing the key with a symmetric cryptosystem. The embedding of the message in the image must also allow for randomness to enhance security. One must also be aware of the implementation of messages.

Based on the images they operate on, the algorithms can be classified into three types: raw images, palette based and JPEG images.

4.1 Raw Images

We understand that the simple LSB (Least Significant Bit) embedding method operates on raw images, where the message is embedded in a subset of the LSB plane of the image usually after encryption [6]. As discussed earlier, this introduces partitioning of the image into PoVs. Since the values are mapped, it provides statistical flattening of the distribution of

However, the major drawback of this technique is the length constraint, as embedding can be detected only when the length is comparable to the number of pixels in the image. Analysis from [6] shows that only with prior knowledge of where the message is placed, messages of shorter length can be detected which is too strong an assumption to make.

4.2 Palette Based Images

In case of palette based images [6], we see that by observing the palette tables in GIF images and the anomalies caused by stego tools that perform LSB embedding in GIF images, we can distinguish between stego and cover images.

The author emphasizes that in order to reduce the distortion caused by embedding as proposed by EzStego in [10], the colour palette is sorted such that the colour differences between consecutive colours are minimized. The message bits are then embedded in the LSB of the indices. Since similar pixels, which can be modified due to the embedding process, get mapped to the neighboring colours in the palette, visual artifacts are minimal and hard to observe.

4.3 JPEG Images

JPEG format is one of the most widely used formats these days and is subjected to constant research in terms of steganalysis and steganography. One of the most frequently used algorithms is the OutGuess Embedding Program proposed by Fridrich.

It embeds the data in LSB of the DCT coefficients randomly, leaving some coefficients unchanged. In order to preserve the original histogram of DCT coefficients, the remaining coefficients are adjusted. Thus, the method that involves estimation of the original histogram proves to be ineffective. We discuss the OutGuess program again briefly. [6]

In [9], the author discusses embedding techniques that distribute the hidden message uniformly across the image. Provos [9] explains that this process can be split into two stages: identification of redundant bits and selection of bits where the data is to be placed.

Provos [9] emphasizes that the image format plays an important role in identifying the redundant bits. He also discusses the importance of the pseudo random number generator (PRNG) that introduces randomness. For bit selection, a cipher is used. We understand this process from [9]. We realize that since the PRNG has a secret key, it is impossible to detect the message without the key.

By determining that an image's statistical properties deviate from a norm, we can figure out whether an image has been modified steganographically. Certain tests do this by measuring the entropy of the redundant data, which is higher if the image has a hidden message. [8]

We realize that DCT coefficients play a significant role in the embedding process as observed by the authors in [8]. The different steganographic systems in use include JSteg, JSteg-Shell, JPHide and OutGuess. These are popular systems for JPEG images. These systems utilize a form of least-significant bit embedding and are detectable by statistical analysis except for the OutGuess. The authors have discussed various aspects on these systems in [8].

[8] In the JSteg system, the DCT coefficients are modified continuously from the beginning of the image. It does not support encryption and has no random bit selection. Here, the
first five bits of the header contain the size of the length field in bits and the remaining ones express the size of the embedded data. [8] In case of JPHide, detecting content is a more difficult task, as the DCT coefficients aren't selected continuously from the beginning, unlike the first system, JSteg. It uses a fixed table that defines classes of DCT coefficients to determine the order in which the coefficients are to be modified. In this technique, the next class is chosen only after the coefficients in the current class are used. This ensures information hiding in the class even after the entire message has been embedded. This ensures enhanced security as all the DCT coefficients involved are modified even if the message is only 8 bits long (approx. 5000 co-eff.). Using this technique, we can modify the second least significant bits of the DCT coefficients apart from the usual least significant bits.

On the other hand, we find the OutGuess technique to be more efficient than the previous two discussed in [8]. This chooses the DCT coefficients with a pseudo-random number generator. A user-supplied pass phrase initializes a stream cipher (which encrypts the content) and a pseudo-random number generator, both based on RC4. The authors observe that the newer version OutGuess 0.2 preserves statistical properties unlike the version 0.13b which is vulnerable. When the OutGuess 0.2 technique is used, the χ²-test discussed earlier fails. In [9], Provos demonstrates how the OutGuess program preserves the statistical properties of the image. Thus, we can preserve data in the image and ensure effective communication without the attacker knowing the content.

Steganography is a growing field with serious applications in the world today. There is no way to control the huge number or type of images being sent over the Internet and hence we have no way to individually inspect each of them to ascertain the presence of a hidden message. This could lead to dire consequences like terrorist activities, financial scams or even large-scale brainwashing. For example, in 2001, US officials stated that they have suspicions that terrorists communicate using steganography via the Internet.

"Hidden in the X-rated pictures on several pornographic Web sites and the posted comments on sports chat rooms may lie the encrypted blueprints of the next terrorist attack against the United States or its allies. It sounds far fetched, but U.S. officials and experts say it's the latest method of communication being used by Osama bin Laden and his associates to outfox law enforcement. Bin Laden, indicted in the bombing in 1998 of two U.S. embassies in East Africa, and others are hiding maps and photographs of terrorist targets and posting instructions for terrorist activities on sports chat rooms, pornographic bulletin boards and other Web sites, U.S. and foreign officials say." Such situations require identical counter attacks and hence the governments of various countries, as well as anti terrorism organizations, intelligence and espionage bureaus need to be able to pass steganographically-encoded information without its being threatened by statistical attacks. Even to send nuclear, defence weapons, military tactics, espionage and foreign strategy related messages; defence against statistical attack is definitely the need of the hour.

In this paper we have recorded and summarized the current scenario in the highly stimulating field of steganalysis. Defence against statistical attacks in steganalysis holds great potential for future research considering its vast scope and extremely important applications. The methods used in status quo are sufficiently advanced and can provide suitable defence against current attacks. However, with growing awareness about steganography and the abundance of transmission media for images and hidden information, it can only be predicted that methods of attack will only become more sophisticated. In such a scenario we need to constantly observe new forms of attack and keep coming up with new techniques of defense against

[1] Johnson, N.F., Jajodia, S., Steganalysis of Images Created using Current Steganography Software, Workshop on Information Hiding Proceedings, Portland, Oregon, USA, 15 - 17 April 1998.
[2] Johnson, N.F., Jajodia, S: Exploring Steganography: Seeing the Unseen, IEEE Computer, February (1998) 26-34
[3] Anderson, R., Petitcolas, F.: On the Limits of Steganography, IEEE Journal on Selected Areas in Communications, Vol. 16, No. 4, May
[4] Gonzalez, R.C., Woods, R.E.: Digital Image Processing. Addison-Wesley. Reading, MA, (1992)
[6] Mehdi Kharrazi, Husrev T. Sencar, and Nasir Memon, Image Steganography: Concepts and Practice, WSPC Lecture Notes, April 2004
R.Piotraschke, A.Westfeld, G.Wicke, G.Wolf, Modeling the security of steganographic systems, Proceedings, 2nd workshop on Information Hiding, April 1998, Portland
[8] Niels Provos, Peter Honeyman, Detecting Steganographic Content on the Internet, Center for Information Technology Integration, University of Michigan
[9] Niels Provos, Defending Against Statistical Steganalysis, CITI Technical Report 01-4, Center for Information Technology Integration, University of Michigan
[10] R. Machado, "Ezstego,", 2001.