1.

INTRODUCTION: encryption algorithms, equally difficult to

1.1. DEFINITION:
Steganography is defined by Markus
Kahn as follows, "Steganography is the art and
science of communicating in a way which hides the
existence of the communication."
(OR)
Steganography is an art and science of
hiding information within other information.
(OR)
We can define steganography as
cryptography with the additional property that its
output looks unobtrusively.
Figure showing Steganography + Cryptography
Steganography is a useful tool that allows covert
(hidden) transmission of information over an overt
(not hidden) communications channel. The covert
channel concept was first introduced by Lampson
as “a channel used for information transmission,
The encoding step of a steganographic system
but not designed nor intended for communication.
identifies redundant bits and then replaces a subset
Both Steganography and Cryptography are
of them with data from a secret message.
excellent means by which to accomplish this but
neither technology alone is perfect and both can be
broken. It is for this reason that most experts would
suggest using both to add multiple layers of
security. Many governments have created laws that
either limit the strength of cryptosystems or
prohibit them completely. So this leaves the
personnel to not have enough security for the
intended data to be sent. SO in order to provide
multiple layers of security and to subside problems
with crypto versus law, its a good practise to
combine steganography and cryptography.
decipher
C. Steganography can be an effective means
that enables concealed data to be
transferred inside of seemingly innocuous
(not harmful) carrier files.
D. The purpose of steganography is to
convey a message inside of a conduit of
misrepresentation such that the existence
of the message is both hidden and difficult
to recover when discovered.
E. Steganography : Greek language derived
word, STEGOS: HIDDEN/ COVERED,
GRAPHIA: WRITING
F. Steganography clearly fits within
cryptography.
G. For steganography to remain undetected,
the unmodified cover medium must be
kept secret, because if it is exposed, a
comparison between the cover and stego
media immediately reveals the changes.
H. Similar in nature to the slight of
hand used in traditional magic,
steganography uses the illusion
of normality to mask the
existence of covert activity. The
illusion is manifested through the
use of a myriad of forms including
written documents, photographs,
paintings, music, sounds, physical
items, and even the human body.
Two parts of the system are
required to accomplish the
objective, successful masking of
the message and keeping the key
to its location and/or deciphering
a secret.

A. Steganography enables the user to

transmit the user to transmit information
masked inside a file in plain view.
B. The hidden data is both difficult to detect
and when combined with known
 Modern Steganographic Communication.
1.2. HISTORICAL EXAMPLES:
The earliest recordings of Steganography were by
the Greek historian Herodotus in his chronicles
known as "Histories" and date back to around 440
BC.
• Classical examples include King Darius of
Susa, who shaved the head of a slave
tattooing a message on his scalp. When
the slave’s hair grew back, the King
dispatched the slave to deliver the hidden
message to its intended recipient
• Ancient Greeks covered tablets with wax
and used them to write on. The tablets
were composed of wooden slabs. A layer
of melted wax was poured over the wood
and allowed to harden as it dried. Hidden
messages could be carved into the wood
prior to covering the slab. When the
melted wax was poured over the slab, the
now concealed message was later revealed
by the recipient when they re-melted the
wax and poured it from the tablet.
• From the 1st century (Romans) through
World War II invisible inks(based on
natural substances such as fruit juices and
milk) were often used to conceal hidden
messages. At first, the inks were organic
substances that oxidized when heated. The
heat reaction revealed the hidden message.
As time passed, compounds and
substances were chosen based on desirable
chemical reactions. When the recipient
mixed the compounds used to write the
invisible message with a reactive agent,
the resulting chemical reaction revealed
the hidden data. Today, some commonly
used compounds are visible when placed
under an ultraviolet light.
• A microdot is a document or photograph
reduced in size until it is as small as a
pencil dot (about the size of the period at
the end of this sentence). Between World
War I and II Germany used microdots for
steganographic messaging purposes and
later many countries passed these
microdot messages through insecure
postal channels.
• During the times of world war I and world
war II null ciphers( taking the 3rd letter
from each word in a harmless message to
create a hidden message) were also
introduced.
But as we see in all these historical examples,
just by knowing how the message in being passed
on i.e., either by shaving the head of a everyone
passing through a check point, or melting the wax
off any discovered tablets reveals not only the
existence of a hidden message but the message
itself.
2. FUNCTIONAL OVERVIEW:
The basic principle of steganography ensures that
modifications to the data in the cover file must
have insignificant or no impact to the final
presentation, insignificantor no impact on final
presentation means changes so minor in nature that
the casual observer cannot tell that a hidden
message is even present.
Every digital file is composed of a sequence of
binary digits (0 or 1). It is also a relatively simple
task to modify the content of a file by changing a
single bit in the sequence. Accomplishing the
modification without changing the presentation or
the final form of the file is altogether a different
task. For example, the binary value of the decimal
number 13 consists of 4 bits (1101), changing one
bit in the sequence changes the decimal value of
the number it represents and ultimately changes the
meaning of the value, (i.e. 1100 is the decimal
equivalent of the number 12 not 13).
Example:
An electric signal conducted on a wire can contain
varying voltage levels over time. When using a
single bit to sample the voltage level, we can only
represent two states for any given time interval (off
or on _ 0 or 1). We cannot represent a specific
value such as +3.3v unless the value happens to be
a boundary condition (i.e. the high voltage of this
signal is +3.3v). By adding bits to the
representation of the measurement we can
reproduce measurements between the boundary
values. Two bits can define up to four states (0, 1.1,
2.2, and 3.3v for example), three can define eight,
four bits define sixteen, and so on. The level of
precision used in the measurement is proportional
to the number of bits used in the binary
representation of the voltage level.
Additional bits can eventually become unnecessary
when the accuracy of the waveform has been
achieved. A trade off between file size and sample
accuracy is often performed and the bit depth
(number of bits per sample) chosen based on an
amicable medium. It is also possible to graphically
represent the waveform in a voltage vs. time plot.
With enough bits to provide fidelity to the
measurement, a close approximation of the actual
signal can be reproduced. In the following
example, 8 bits will be chosen to represent a value
between -5 and +5 volts with the most significant
bit determining the sign (+/-) of the measurement.
The remaining seven bits provide 128 discrete
values for the amplitude of the sampled voltage.
A plot of our hypothetical wave form is displayed
in figure 1. Six randomly selected samples
(represented by eight binary digits) are included
below simply to illustrate that the binary data
changes over the time interval.
Figure1(before modification)
By modifying the least significant bit of each
sample, it is possible to embed information into the
waveform without having significant impact to the
graphical representation of the data. By using 7 bits
to represent 5 volts of amplitude, we create a
relatively small division between values (0.04V).
By modifying the least significant bit (LSB) of any
datum we can only change its reproduced value by
the same amount (0.04V). This imperceptible
change means that intentional modifications to the
LSB of every sample may go unnoticed and allow
data to be embedded into the bit sequence.
When viewing the waveform after modification,
the difference in voltage at any given datum is
imperceptible to the naked eye. To illustrate
consider the following illustrative bit stream:
01001010, 01001011, 01001100, 01001101,
01001110,
01001111, 01010000, 01010001 …
In the event we wished to inject the 8 bit message
(11110000) into the data, we would modify the
corresponding LSBs of the above bit stream to
match our message. The resulting steganographic
data stream would become
01001011, 01001011, 01001101, 01001101,
01001110,
01001110, 01010000, 01010000
Where the modified bits are in blue bold typeset.
Note that while the carrier data has changed, what
is represented or displayed in the final form (i.e. the
form delivered to the end user) has been modified
only in an imperceptible manner. Figure 2 shows
our example waveform embedded with the
following ASCII message after conversion to
binary: “The truth shall set you free”. The existence
of the embedded message can only be seen in the
blow-up of the first few samples of the reproduced
waveform.
Figure 2 (After modification to waveform)
3. TYPICAL STEGOSYSTEMS:
Any file that requires multiple bits to reasonably
quantify itsmessage such that minor changes to the
data are imperceptible when the file is presented in
final form is an acceptable candidate for a carrier.
Three different aspects in information-hiding
systems contend with each other: capacity, security,
and robustness. Capacity refers to the amount of
information that can be hidden in the cover
medium, security to an eavesdropper’s inability to
detect hidden information, and robustness to the
amount of modification the stego medium can
withstand before an adversary can destroy hidden
information. When considered broadly there are
two types of stegosystems.
A. Passive Warden
B. Active Warden
3.1. PASSIVE WARDEN:
Passive warder just monitors the
communication channel. He can pass the
cover texts through several statistical tests,
but do not modify them. It is the same
situation as when the network packets go
through Intrusion Detect System.
3.2. ACTIVE WARDEN:
Active warden manipulates cover
texts in order to preclude the possibility of
hidden communication. Typical real-life
application is watermarking and
fingerprinting. Watermark is a small piece
of embedded information which can proof
copyrighted material. Fingerprint is very
similar, but is intended to track the
concrete copy of copyrighted data.
Digital Stegosystems: Image, Video and
Soundfiles, Data can even beembedded in standard
TCP/IP packet headers.
The mostcommon image formats include BMP,
GIF, and JPEG.
The majority of software applications designed
for steganography utilize the JPEG image file
format as the carrier.
3.3. TEXT & PRINTED
DOCUMENTS:
Text documents of all types can contain
embedded messagesthat are difficult if not
impossible to locate. This paragraphcontains a
hidden message that can be decoded using a
decodingkey provided at the end. In the case of
this paragraph, thedecoding is performed by
referencing a character in each line byits
position and using the character’s numeric
location as the keyto the hidden message. This
type of data embedding is identical to one time
pad cryptography where a key is used to
extract themessage from a stream of data.
Steganography is not theencryption
methodology, but rather the means by which
toconceal the message. The message contained
in this paragraphreads “secret”, and is
decoded using the following key (14, 3,21, 2,
2, 11) – theletters in the paragraphabove have a
bluetypeset for ease oflocation.
We can also embed a letter in a string by just
moving the position of a letter in a word by
very small distance.
For example:
Consider embedding the binary
value of the ASCII letter “T” – 01010100 into the
word “Singular.” We can inject the binary string by
varying the spacing between the letters to indicate
azero or a one. For comparison, a fixed or naturally
spacedversion of the word is displayed below the
encoded version.Grey lines have been added to
more easily identify thecharacters that have been
shifted to represent a binary value ofone. In the
example below, all non-shifted (i.e. normally
spacedand not touching the reference line)
characters are assumed torepresent a zero.
Note that the “i", “g”, and the “l” are touching grey
lines thusindicating a high state or the binary value
one for that position.When pieced back together the
values are as follows S-0, i-1, n-0, g-1, u-0, l-1, a-0,
r-0 or 01010100.
Other methods are like:
Stepped character approach (where the
message is conveyed with embeddedcharacters
separated by a fixed number or constant step).
Addition or subtraction of white space
and/or carriage returns atthe end of every line.
Example of stepped character approach:
Consider encoding “secret words” into a
carrier sentence using aseven character stepping
algorithm (again the characters are inblue typeset
for clarity).
“This is much easier curing roses;each petal hadtoo
fewdewdrop awards for sicknesses …”
The primary focus of linguistic steganography field
is in the area of automating the selection
ofsynonyms for common words to embed data in
writing such thatit eliminates the unnatural and/or
awkward wording problems
3.4. STILL AND MOTION
IMAGE FILES:
Images consistof pixels with contributions from
primary colors (red, green, and blue) adding to the
total color composition of the pixel. Mostimages
are represented as triples (Red contribution,
Greencontribution, Blue contribution). Depending
on the depth ofcolor desired in the final image,
each component is representedby a separate
number of bits. In the case of a 24 bit bitmap,
eachcolor component has eight bits.
When closely viewing any specific color, single
digitmodifications to the contribution level are
imperceptible to the human eye. (i.e., a pixel with a
value of (255, 255, 0) isindistinguishable from
(254, 255, 0).
Least Significant Byte (LSB) substitution is well
known and widely used method. Take for example
a True-Colour BMP image format. A colour of
pixel is coded in 3 byte array of indices to RGB
palette. If you change only LSB bit in each colour
element, then the picture will seem still the same,
but is not. It carries hidden information. A picture
with size 120x100 pixels can hold approximately
up to 4500B of hidden data, if this method is used.
We can use some conventional random
number generator. Supplied password will serve as
initial seed. Generated numbers will specify which
pixel to use for encoding next 3 bits of embedded
data. The intruder/adversary, even with complete
knowledge of stegosystems, cannot extract the
hidden message without knowing the password.
Similar procedures can be successfully applied to
wide variety of multimedia formats. Only instead
of the colour indices we slightly modify the
Discrete Cosine Transformation (DCT) or Fourier
Transformation (FT) coefficients.
3.4.1. REASON FOR USING MOSTLY
JPEG:
When using the LSB of the discrete coefficients for
any givenblock, the modifications to a single
coefficient affect the valuesof each of the 64
discrete pixels. This translates into 64
minorchanges to a single block and that results in a
smoother colortransition between blocks. Some of
the picture formats (such asGIF) embed
information pertaining to the visual
representationto the color palette which affects all
of the bit layers in theimage. Steganographic
systems that use these formats and modify the LSB
to embed data, often impart noticeable changesto
the reproduced image and that serves as a cue
indicating theexistence of embedded data. Because
JPEG images do notdistribute the image
information across the entire image, butrather to
discrete 8 * 8 pixel blocks, the format is
lesssusceptible to those visual attacks.
3.5. AUDIO FILES:
The human ear can distinguish frequencies between
20 Hz and 20 kHz. By embedding a stream of data
into an audio signalat frequencies above those, the
effect is inaudible and cannot be detected by the
human ear.
Not only does the carrier’s reproduction of the data
sound identical to that of the original, but the only
impact the added data has is an increase to the size
of the file.
A frequency spectrum analyser or a calculation of
the total amount of data required to produce the
same audible spectrum over that time interval
would be able to detect the presence of the
additional information.
LSB modification of the bit stream can also be used
but has anoticeable detrimental impact to the
carrier file when it isreproduced.
3.6. TCP/IP HEADERS:
If the capability to generate and read the contents
of well-formed TCP/IP packets exists at both ends
of a communication channel, it is possible for the
two parties covertly pass hidden data.
Theexploitation modifies several of the fields in a
standard IPv4packet header to carry information
over a covert channel.
Specifically, the flags and sequence number fields
of the IPv4header are particularly susceptible to
manipulations that servethis purpose.
The flags field in the IPv4 header containsthree
bits; a reserved bit, a DF bit (do not fragment), and
finallya MF(more fragmentation) bit. Provided that
the parties wishingto communicate covertly both
know the maximum transmittableunit (MTU) of the
network, they can manipulate the flags fieldto carry
a message within standard TCP/IP packets that
containinnocuous data. By keeping the total packet
size below theMTU, modification of the DF bit has
no impact the transmissionof the cover message.
Alternatively, packets exceeding the MTUwith the
DF flag set are returned to the sender as
undeliverable. By keeping the size of the cover
packets below the MTU for the given network, the
DF flag can be arbitrarily assignedallowing the
field to carry binary data covertly. Conversely, by
exceeding the MTU of the packet, the sender is
able to transmitpackets that will arrive out of
sequence and thus, can conveybinary information
through the order of packet arrival.If the order of
arrival of the cover message packets isunimportant,
individuals can take advantage of the
packetsequence number field to relay covert
information to thereceiver. An algorithm that
packetizes the cover message andthen transmits the
packets in an altered sequence can indicatebinary
data by either transmitting a sequential packet to
indicatea zero, or an out of sequence packet to
indicate a one. Further, aprogram that controls the
composition of packets can transmitall packets in
the correct order but modify the sequence
numberof each transmitted packet when needed (to
indicate a change instate). Both of these approaches
can embed binary data inside of an overt
communications channel.
4. STEGANOGRAPHY TECHNIQUES:
Christian Cachin proposed an information-theoretic
model for steganography that considers the security
of steganographic systems against passive
eavesdroppers. In this model, you assume that the
adversary has complete knowledge of the encoding
system but does not know the secret key. His or her
task is to devise a model for the probability
distribution PC of all possible cover media and PS
of all possible stego media. The adversary can then
use detection theory to decide between hypothesis
C (that a message contains no hidden information)
and hypothesis S (that a message carries hidden
content). A system is perfectly secure if no decision
rule exists that can perform better than random
guessing. Essentially, steganographic
communication senders and receivers agree on a
steganographic system and a shared secret key that
determines how a message is encoded in the cover
medium.
4.1. METHODS IN SPATIAL DOMAIN:
A basic classification of steganographic algorithms
operating in the spatial domain as the method for
selecting the pixels distinguishes three main types:
non-filtering algorithms, randomized algorithms
and filtering algorithms.
4.1.1. NON-FILTERING ALGORITHM:
This is the simplest steganographic method based
in the use of LSB, and therefore the most
vulnerable. The embedding process consists of the
sequential substitution of each least significant bit
of the image pixel for each bit of the message. For
its simplicity, this method can camouflage a great
volume of information. This technique is quite
simple. It is necessary only a sequential LSB
reading, starting from the first image pixel, to
extract the secret message. This method also
generates an unbalanced distribution of the changed
pixels, because the message is embedded at the first
pixels of the image, leaving unchanged the
remaining pixels.
4.1.2. RANDOMIZED ALGORITHM:
This technique was born as a solution for the
problems of the previous method. Each one, the
sender and the receiver of the image has a
password denominated stego-key that is employed
as the seed for a pseudo-random number generator.
This creates a sequence which is used as the index
to have access to the image pixel. The message bit
is embedded in the pixel of the cover image as the
index given by the pseudo-random number
generator. The two main features of the pseudo-
random permutation methods are the use of
password to have access to the message, and the
well-spread message bits over the image.
4.1.3. FILTERING ALGORITHM:
This algorithm filters the cover image by using a
default filter and hides information in those areas
that get a better rate. The filter is applied to the
most significant bits of every pixel, leaving the less
significant to hide information. The filter ensures
the choice of areas of the image in the least impact
with the inclusion of information, which affects a
greater difficulty of detecting the presence of
hidden messages [10]. The retrieval of information
is ensured because the bits used for filtering are not
changed, implying that the reapply the filter will
select the same bits in the process of concealment.
It is the most efficient method to hide information.
The algorithm SLSB belongs to this type.
Description of the Algorithm SLSB:

Where Q (u,v) is a 64 element quantization table.

When 24 bits (8 bits per colour) are input into the
DCT, the information describing any given pixel
can be reduced from 24 bits to as little as 3.
Depending on the number of bits used to represent
the DCT coefficients, the resulting compression of
data describing the pixel can reduce the total size of
the file without noticeably altering its final form.
JPEG steganography uses the least significant bit of
the DCT coefficients to hide the desired message.
Since the coefficient represents the relative
difference from the grids quantized value,
modifying the LSB of each coefficient changes the
value of the entire grid and has an imperceptible
impact to the reproduced image.

4.2. DISCRETE COSINE

TRANSFORM:
(OR)
JPEG ENCODING ALGORITHM:
The JPEG encoding algorithm sections the
input image into 8 * 8 grids containing 64 pixels
per grid. Within each grid adiscrete cosine
transform coefficient for every color componentin
the pixel is calculated. Thus, the data in each grid is
an 8 *8matrix of 64 DCT coefficients for each
color. The formula usedto calculate the DCT
coefficient F(u, v) of an 8 *8 grid ofimage pixels
f(x, y) is:

Where C(x) = 1/1.414 when x=0 and C(x)= 1 at
values x other than 1.
To determine the grid bias or colour offset, a
follow-on function must be employed. The
following formula; where Q (u, v) defines the
quantization table for the internal elements is used:
Embedded information in a JPEG.
(a) The unmodified original picture;
(b) The picture with the first chapter of The
Hunting of the Snark embedded in it.

4.3. SEQUENTIAL:
Derek Upham’s JSteg was the first publicly
available steganographic system for JPEG images.
Its embedding algorithm sequentially replaces the
least-significant bit of DCT coefficients with the
message’s data. The algorithm does not require a
shared secret; as a result, anyone who knows the
steganographic system can retrieve the message
hidden by JSteg. Andreas Westfeld and Andreas
Pfitzmann noticed that steganographic systems that
change least-significant bits sequentially cause
distortions detectable by steganalysis.8
They observed that for a given image, the
embedding of high-entropy data (often due to
encryption) changed the histogram of colour
frequencies in a predictable way.
In the simple case, the embedding step changes the
least-significant bit of colours in an image. The
colours are addressed by their indices i in the
colour table; we refer to their respective
frequencies before and after embedding as ni and
ni*. Given uniformly distributed message bits, if
n2i> n2i+1, then pixels with colour 2i are changed
more frequently to colour 2i + 1 than pixels with
colour 2i + 1 are changed to colour 2i. As a result,
the following relation is likely to hold:
In other words, embedding uniformly distributed
message bits reduces the frequency difference
between adjacent colours. The same is true in the
JPEG data format. Instead of measuring colour
frequencies, we observe differences in the DCT
coefficients’ frequency.
Frequency histograms.
Sequential changes to the
(a) Original and
(b) Modified image’s least-sequential bit of
discrete cosine transform coefficients
tends to equalize the frequency of adjacent
DCT coefficients in the histograms.
Above figure displays the histogram before and
after a hidden message is embedded in a JPEG
image. We see a reduction in the frequency
difference between coefficient –1 and its adjacent
DCT coefficient –2. We can see a similar reduction
in frequency difference between coefficients 2 and
3. Westfeld and Pfitzmann used a -test to
determine whether the observed frequency
distribution yi in an image matches a distribution yi
* that shows distortion from embedding hidden
data. Although we do not know the cover image,
we know that the sum of adjacent DCT coefficients
remains invariant, which lets us compute the
expected distribution yi * from the stego image.
Letting ni be the DCT histogram, we compute the
arithmetic mean to determine the expected
distribution and compare it against the observed
distribution.
The value for the difference between the
distributions is given as

Where v is the degrees of freedom—that is, one
less than the number of different categories in the
histogram. It might be necessary to sum adjacent
values from the expected distribution and the
observed distribution to ensure that each category
has enough counts. Combining two adjacent
categories reduces the degrees of freedom by one.
The probability p that the two distributions are
equal is given by the complement of the cumulative
distribution function,
where Γ is the Euler Gamma function.
The probability of embedding is determined by
calculating p for a sample from the DCT
coefficients. The samples start at the beginning of
the image; for each measurement the sample size is
increased.
Above figure shows the probability of embedding
for a stego image created by JSteg.
The high probability at the beginning of the image
reveals the presence of a hidden message; the point
at which the probability drops indicates the end of
the message.
4.3.1. JSTEG ALGORITHM:
Input: message, cover image
Output: stego image
While data left to embed do get next DCT
coefficient from cover image
If DCT ≠0 and DCT ≠1 then get next LSB
from message replace DCT LSB with
message LSB
end if
insert DCT into stego image
end while
4.4. PSUEDO RANDOM:
OutGuess 0.1 (created by Niels Provos) is a
steganographic system that improves the encoding
step by using a pseudo-random number generator
to select DCT coefficients at random. The least-
significant bit of a selected DCT coefficient is
replaced with encrypted message data. The χ2-test
for JSteg does not detect data that is randomly
distributed across the redundant data and, for that
reason, it cannot find steganographic content
hidden by OutGuess 0.1. However, it is possible to
extend the χ2- test to be more sensitive to local
distortions in an image. Two identical distributions
produce about the same χ2 values in any part of the
distribution. Instead of increasing the sample size
and applying the test at a constant position, we use
a constant sample size but slide the position where
the samples are taken over the image’s entire range.
Using the extended test, we can detect pseudo-
randomly distributed hidden data. Given a constant
sample size, we take samples at the beginning of
the image and increase the sample position by 1
percent for every χ2 calculation. We then take the
sum of the probability of embedding for all
samples. If the sum is greater than the detection
threshold, the test indicates that an image contains
a hidden message. To find an appropriate sample
size, we select an expected distribution for the
extended χ2-test that should cause a negative test
result. Instead of calculating the arithmetic mean of
coefficients and their adjacent ones, we take the
arithmetic mean of two unrelated coefficients,
A binary search on the sample size helps find a
value for which the extended χ2-test does not show
a correlation to the expected distribution derived
from unrelated coefficients.

Above figure shows an analysis of the extended χ2-
test for different false-positive rates. Its detection
rate depends on the hidden data’s size and the
number of DCT coefficients in an image. We
characterize their respective relation by using the
change rate—the fraction of DCT coefficients
available for embedding a hidden message that
have been modified. With a false-positive rate of
less than 0.1 percent, the extended χ2-test starts
detecting embedded content for change rates
greater than 5 percent. We improve the detection
rate by using a heuristic that eliminates coefficients
likely to lead to false negatives. Due to the
heuristic, the detection rate for embedded content
with a change rate of 5 percent is greater than 40
percent for a 1 percent false-positive rate. Niels
Provos showed that applying correcting transforms
to the embedding step could defeat steganalysis
based on the χ2-test.12 He observed that not all the
redundant bits were used when embedding a hidden
message. If the statistical tests used to examine an
image for steganographic content are known, it is
possible to use the remaining redundant bits to
correct statistical deviations that the embedding
step created. In this case, preserving the DCT
frequency histogram prevents steganalysis via the
χ2-test. Siwei Lyu and Hany Farid suggested a
different approach based on discrimination of two
classes: stego image and non-stego image.10,11
Statistics collected from images in a training set
determine a function that discriminates between the
two classes. The discrimination function
determines the class of a new image that is not part
of the training set. The set of statistics used by the
discrimination function is called the feature vector.
Lyu and his colleague used a support vector
machine (SVM) to create a nonlinear
discrimination function. Here, we present a less
sophisticated but easier to understand method for
determining a linear discrimination function,
of the measured image statistics X= (x1, x2, …,
xk)T that, for appropriately chosen bi, discriminates
between the two classes.
For a new image X, the discriminant function Λ
lets us decide between two hypotheses: the
hypothesis H0 that the new image contains no
steganographic content and the hypothesis H1 that
the new image contains a hidden message.
For the binary hypothesis problem, detection theory
provides us with the Neyman-Pearson criterion,
which shows that the likelihood ratio test
maximizes the detection rate PD for a fixed false-
negative rate PF,14 where px|H1 (X|H1) and px|
H0(X|H0) denote the joint probability functions for
(x1, x2, …, xk) under H1 and H0, respectively. The
constant η is the detection threshold.
To choose the weights bi, we assume that the set xi
of non-stego images and the set yi of stego images
are independently and normally distributed. This
assumption lets us calculate the probability
functions px|H1 (X|H1) and px|H0 (X|H0), which
we use to derive the weights bi. Determining the
discrimination functions is straightforward, but
finding a good feature vector is difficult. Farid
created a feature vector with a wavelet-like
decomposition that builds higher-order statistical
models of natural images.10 He derived the
statistics by applying separable low- and high-pass
filters along the image axes generating vertical,
horizontal, and diagonal subbands, which are
denoted Vi(x,y), Hi(x,y) and Di(x,y), respectively,
for different scales i = 1, …, n.
The first set of statistics for the feature vector is
given by the mean, variance, skewness, and
kurtosis of the subband coefficients at each
orientation and at scales i = 1… n – 1.
The second set of statistics is based on the errors in
an optimal linear predictor of coefficient
magnitude. For each subband and scale, the error’s
distribution is characterized by its mean, variance,
skewness, and kurtosis resulting in a total size of
24(n – 1) for the feature vector. Lyu and Farid’s
training set consists of 1,800 nonstego images and
a random subset of 1,800 stego images that contain
images as hidden content. Using four different
scales, a program (or a researcher) calculates a 72-
length feature vector for each image in the training
set.

where i enumerates the number of blocks in the

image, and k enumerates the rows or columns in a
Table 1 shows their achieved detection rate using a
single block. For each distribution, we calculate the
nonlinear SVM for false-positive rates 0.0 percent
mean and its first three central moments, resulting
and 1.0 percent and different message sizes.
in 64 measurements for a single image.
The discrimination function works well only if the
training set captures the image space’s useful
characteristics. For different types of images—for
example, nature scenes and indoor photographs—
the detection rate could decrease when using a
single training set. Improving the training set by
selecting images that match the type of image
we’re analyzing might be possible. The probability
models for clutter in natural images that Ulf
Grenander and Anuj Srivastava15 first proposed let
us select similar images from the training set
automatically. We can improve the detection
quality rate by using a feature vector based on
different statistics. Instead of using a wavelet-like
decomposition, we look at the distribution of
squared differences,

Above figure compares the linear discrimination

functions derived from the two feature vectors.
Figure a shows receiver- operating characteristics
(ROC) for OutGuess messages and their
corresponding change rates; Figure 8b shows the
ROCs for F5 messages (described in more detail
later). For OutGuess, the feature vectors show
comparable detection performance. However, for
F5, the squared differences feature vector
outperforms the wavelet feature vector.
Using a discrimination function does not help us
determine a hidden message’s length. Jessica
Fridrich and her colleagues made a steganalytic
attack on OutGuess that can determine a hidden
message’s length.16 Out- Guess preserves the first-
order statistics of the DCT coefficients, so Fridrich
and her group devised a steganalytic method
independent of the DCT histogram. They used
discontinuities along the boundaries of 8 × 8 pixel
blocks as a macroscopic quantity that increases
with the hidden message’s length. The discontinues
are measured by the blockiness formula
where gij are pixel values in an M*N greyscale
image. Experimental evidence shows that the
blockiness B increases monotonically with the
number of flipped least-sequential bits in the DCT
coefficients. Its first derivative decreases with the
hidden message’s length, meaning that the
blockiness function’s slope is maximal for the
cover image and decreases for an image that
already contains a message.
Using the blockiness measure, the algorithm to
detect
OutGuess proceeds as follows:
1. Determine the blockiness BS(0) of the
decompressed stego image.
2. Using OutGuess, embed a maximal length
message and calculate the resulting stego image’s
blockiness BS(1).
3. Crop the stego image by four pixels to
reconstruct an image similar to the cover image.
Compress the resulting image using the same JPEG
quantization matrix as the stego image and
calculate the blockiness B(0).
4. Using OutGuess, embed a maximal length
message into the cropped image and calculate the
resulting blockiness B(1).
5. Using OutGuess, embed a maximal length
message into the stego image from the previous
step and compute the resulting blockiness B1(1).
6. The slope S0 = B(1) – B(0) corresponds to the
original cover image, and S1 = B1(1) – (1) is the
slope for an image with an embedded, maximal
length message.
The stego image’s slope S = BS(1) – BS(0) is
between the two slopes S0 and S1. The hidden
message’s length is then determined as
Where p = 0 corresponds to the cover image and p
= 1 to an image with the maximal embedded
message length. To counter randomness in the
OutGuess embedding algorithm, we repeat the
detection algorithm 10 times. The average of the p-
values is taken as the final message length.
Fridrich and her group tested their algorithm on 70
images of which 24 contained hidden messages.
Their analysis showed an error in the estimated
message length of –0.48 percent ± 6 percent. This
approach has two advantages over class
discrimination: it does not require a training set and
it determines the length of hidden messages.
4.4.1. OUTGUESS 1.0 ALGORITHM:
Input: message, shared secret, cover image
Output: stego image
initialize PRNG with shared secret
while data left to embed do
get pseudo-random DCT coefficient from
cover image
if DCT ≠ 0 and DCT ≠ 1 then
get next LSB from message
replace DCT LSB with message LSB
end if
insert DCT into stego image
end while
4.5. SUBTRACTION:
Instead of replacing the least-significant bit of a
DCT coefficient with message data, F5 decrements
its absolute value in a process called matrix
encoding. As a result, there is no coupling of any
fixed pair of DCT coefficients, meaning the χ2-test
cannot detect F5. Matrix encoding computes an
appropriate (1, (2k – 1), k) Hamming code by
calculating the message block size k from the
message length and the number of nonzero non-
DC coefficients. The Hamming code (1, 2k– 1, k)
encodes a k-bit message word m into an n-bit code
word a with n = 2k – 1. It can recover from a single
bit error in the code word. F5 uses the decoding
function f(a) = ⊕ni=1 ai ⋅ i and the Hamming
distance d. With matrix encoding, embedding any
k-bit message into any n-bit code word changing it
at most by one bit. In other words, we can find a
suitable code word a′ for every code word a and
every message word m so that m = f(a′) and d(a, a′)
≤ 1. Given a code word a and message word m, we
calculate the difference s = m⊕f(a) and get the new
code word as
4.5.1. F5 ALGORITHM:
Input: message, shared secret, cover image
Output: stego image
initialize PRNG with shared secret
permutate DCT coefficients with PRNG
determine k from image capacity
calculate code word length n←2k – 1
while data left to embed do
get next k-bit message block
repeat
G←{n non-zero AC coefficients}
s←k-bit hash f of LSB in G
s←s⊕k-bit message block
if s ≠ 0 then
decrement absolute value of DCT
coefficient Gs
insert Gs into stego image
end if
until s = 0 or Gs ≠ 0
insert DCT coefficients from Ginto stego
image
end while
4.5.2. IMPLEMENTATION OF F5:
First, the DCT coefficients are permuted by a
keyed pseudo-random number generator (PRNG),
then arranged into groups of n while skipping zero
and DC coefficients. The message is split into k-bit
blocks. For every message block m, we get an n-bit
code word a by concatenating the least significant
bit of the current coefficients’ absolute value. If
the message block m and the decoding f(a) are the
same, the message block can be embedded without
any changes; otherwise, we use s = m⊕f(a) to
determine which coefficient needs to change (its
absolute value is decremented by one). If the
coefficient becomes zero, shrinkage happens, and it
is discarded from the coefficient group. The group
is filled with the next nonzero coefficient and the
process repeats until the message can be embedded.
For smaller messages, matrix encoding lets F5
reduce the number of changes to the image—for
example, for k = 3, every change embeds 3.43
message bits while the total code size more than
doubles. Because F5 decrements DCT coefficients,
the sum of adjacent coefficients is no longer
invariant, and the χ2 test cannot detect F5-
embedded messages. However, Fridrich and her
group presented a steganalytic method that does
detect images with F5 content. They estimated the
cover-image histogram from the stego image and
compared statistics from the estimated histogram
against the actual histogram. As a result, they found
it possible to get a modification rate β that indicates
if F5 modified an image.
Fridrich and her colleagues’ steganalysis
determined how F5’s embedding step changes the
cover image’s AC coefficients. Let

huv(d) := |{F(u,v)| d = |F(u,v)|, u + v ≠ 0}|

be the total number of AC DCT coefficients in the

cover image with frequency (u,v) whose absolute
value equals d. Huv(d) is the corresponding
function for the stego image. If F5 changes n AC
coefficients, the change rate β is n/P, where P is the
total number of AC coefficients. As F5 changes
coefficients pseudo randomly, we expect the
histogram values for the stego image to be

Huv(d) < (1 – β)huv(d) + β huv(d + 1), for d > 0

Huv(0) < huv(0) + β huv(1), for d = 0.

Fridrich and her group used this estimate to

calculate the expected change rate β from the cover
image histogram. They found the best
correspondence when using d = 0 and d = 1
because these coefficient values change the most
during the embedding step. This leads to the
approximation.
The above figure shows the ROC for a test set of
500 nonstego and 500 stego images. In the first
test, both types of images are double-compressed
due to F5. The only difference is that the stego
images contain a steganographic message. Notice
that the false-positive rate is fairly high compared
to the detection rate. The second test uses the
The final value of β is calculated as the average of
original JPEG images without double compression
βuv for the frequencies (u,v) ∈{(1,2),(2,1),(2,2)}. as reference.
The histogram values for the cover image are
unknown and must be estimated from the stego
image. We do this by decompressing the stego 4.6. COLOUR CLIPPING:
image into the spatial domain. The resulting image Depending on the rounding used in quantization, it
is then cropped by four pixels on each side to move is possible that the reconstructed image data may
the errors at the block boundaries. We recompress be outside the expected range which is often known
the cropped image using the same quantization as color overflowing.
tables as the stego image, getting the estimates for
the cover image histogram from the recompressed
image. Because many images are stored already in
the JPEG format, embedding information with F5
leads to double compression, which could confuse
this detection algorithm. Fridrich and her group
proposed a method for eliminating the effects of
double compression by estimating the quality factor
used to compress the cover image. Unfortunately,
they based their evaluation of the detection
algorithm on only 20 images. To get a better
understanding of its accuracy, we present an
evaluation of the algorithm based on our own
implementation.

Many JPEG steganographic techniques embed
message into the quantized DCT coefficients in the
compression process. For example, JSteg embeds
the message by modulating the least significant bit
of the non-zero and non-one quantized DCT
coefficients. This embedding process as well as the
rounding one degrades the image quality.
Accordingly, the number of color clipping in the
decompression process also increases.
4.7. TRANSLATION BASED
STEGANOGRAPHY:
4.7.1. PROTOCOL:
The sender first needs to obtain a cover in the
source language. The cover does not have to be
secret and can be obtained from public sources - for
example, a news website. The sender then
translates the sentences in the source text into the
target language using the steganographic encoder.
The steganographic encoder essentially creates
multiple translations for each sentence and selects
one of these to encode bits from the hidden
message. The translated text is then transmitted to
the receiver, together with information that is
sufficient to obtain the source text. This can either
be the source text itself or a reference to the source.
The receiver then also performs the translation of
the source text using the same steganographic
encoder configuration. By comparing the resulting
sentences, the receiver reconstructs the bit stream
of the hidden message. As with most
steganographic systems, the hidden message itself
can be encrypted with a secret key, making it
harder for the adversary to perform guessing
attacks on the secret configuration
4.7.2. SELECTING A TRANSLATION:
When selecting a translation to encode the hidden
message, the encoder first builds a Huffman tree of
the available translations using the probabilities
assigned by the generator algorithm. Then the
algorithm selects the sentence that corresponds to
the bit-sequence that is to be encoded.
Using a Huffman tree to select sentences in
accordance with their translation quality estimate
ensures that sentences that are assumed to have a
low translation quality are selected less often.
Furthermore, the lower the quality of the selected
translation, the higher the number of transmitted
bits. This reduces the total amount of cover text
required and thus the amount of text the adversary
can analyze. The encoder can use a lower limit on
the relative translation quality to eliminate
sentences from consideration where the estimated
translation quality is below a certain threshold, in
which case that threshold becomes part of the
shared secret between sender and receiver.
HUFFMAN TREE
4.7.3. PRODUCING TRANSLATIONS:
The first step for both sender and receiver after
obtaining the source text is to produce multiple
translations of the source text using the same
algorithm. The goal of this step is to
deterministically produce multiple different
translations of the source text. The simplest
approach to achieve this is to apply (a subset of) all
available MT systems on each sentence in the
source text. If the parties have full access to the
code of a statistical MT system, they can generate
multiple MT systems from the same codebase by
training it with different corpora. In addition to
generating different sentences using multiple
translation systems
it is also possible to apply post-processing on the
resulting translations to obtain additional
variations. Such post-processing includes
transformations that mimic the noise inherent in
any (MT) translation.
4.7.4. KEEPING SOURCE TEXT
SECRET:
The presented scheme can be adapted to be suitable
for watermarking where it would be desirable to
keep the source text secret. This can be achieved as
follows.
The encoder computes a (cryptographic) hash of
each translated sentence. It then selects a sentence
such that the last bit of the hash of the translated
sentence corresponds to the next bit in the hidden
message that is to be transmitted. The decoder then
just computes the hash codes of the received
sentences and concatenates the respective lowest
bits to obtain the hidden message. This scheme
assumes that sentences are long enough to almost
always have enough variation to obtain a hash with
the desired lowest bit. Error-correcting codes must
be used to correct errors whenever none of the
sentences produces an acceptable hash code. Using
this variation reduces the bitrate that can be
achieved by the encoding. More details on this can
be found in our technical report
5. SOFTWARES AVAILABLE:
5.1. STEGANOGRAPHY ANALYZER
ARTIFACT SCANNER
(StegAlyzerAS):
StegAlyzerAS gives you the capability to
scan the entire file system, or individual directories,
on suspect media for the presence of
Steganography application artifacts. And, unlike
other popular forensic tools, you can perform an
automated or manual search of the Windows
Registry to determine whether or not any Registry
keys or values exist that can be associated with a
particular Steganography application.
5.2. STEGANOGRAPHY
ANALYZER SIGNATURE SCANNER
(StegAlyzerSS):
StegAlyzerSS gives you the capability to
scan every file on the suspect media for the
presence of hexadecimal byte patterns, or
signatures, of particular Steganography
applications in the files. If a known signature is
detected, it may be possible to extract information
hidden with the Steganography application
associated with the signature.
5.3. DIGITAL INVISIBLE INK
TOOLKIT:
This project provides a simple Java-based
steganography tool that can hide a message inside a
24-bit color image so that knowing how it was
embedded, or performing statistical analysis, does
not make it any easier to find the concealed
information.
Apart from these there are numerous other software
available for different types of Steganography.
• Hidden directories can be created that are
not included in the allocation tables of the
main operating system. Files are stored in
these directories through a ghost or mirror
OS directory structure that is managed by
the software.
When the file containing the embedded information
is provided to the recipient, only the correct
password and decoding algorithm will produce the
decoding sequence or decrypt the embedded file.
The most popular piece of software used to perform
this Steganography in documents is a piece of
software called SNOW.
a) picture of a Word document before
using SNOW
b) picture of a Word document after
using SNOW
As seen in both the images, there’s practically no
visible change in document before and after usage
of SNOW.
An overview of the different types of software
available for Steganography:
• Gif-It-Up: Hides information in GIF
carrier files
• JPHide-&-Seek: Hides information in
JPEG carrier files
• MP3Stego: Hides information in MP3
carrier files
• S-Tools: Hides information in BMP, GIF,
or WAV carrier files
• Stash: Hides information in BMP, PCX,
PNG, and TIFF carrier files
• Stegotif: Hides information in TIFF carrier
files
• Stegowav: Hides information in WAV
carrier files
6. DETECTION AND RECOVERY
ANALYSIS:
Steganalysis is the art and science behind the
detection of the use of Steganography by a third
party. The process of finding these distortions is
called statistical steganalysis.The basic function of
steganalysis is to first detect or estimate the
probability that hidden information is present in
any given file. The detection and estimation is
based only on the data presented in its observable
form.
6.1. STEGANALYSIS:
Simply detecting the presence of hidden data may
not be sufficient, steganalysis also covers the
functions of extracting the message, disabling
and/or destroying the hidden message so that it
cannot be extracted, and finally, altering the hidden
message such that misinformation can be sent to
the intended recipient instead of the original
message.
The steganalysis is attack methods can be broken
into six types:
6.1.1. Steganography-only attack:
Only the file with the embedded data
is available for analysis.
6.1.2. Known-carrier attack: Both the
original carrier file and the final
(hidden message embedded) files are
available for analysis.
6.1.3. Known-message attack: The
original message prior to embedding
in the carrier is known.
6.1.4. Chosen-Steganography attack:
Both the algorithm used to embed the
data and the final (hidden message
embedded) file are known and
available for analysis.
6.1.5. Chosen-message attack: The
original message and the algorithm
used to embed the message are
 available, but neither the carrier nor
the final (hidden message embedded)
file are. This attack is used by the
analyst for comparison to future files.

6.1.6. Known-Steganography attack:

All components of the system (the
original message, the carrier message,
and the algorithm) are available for
analysis.

The success of any steganalysis technique relies on

the amount of information known about the file
prior to investigation. As more information about
the file is known prior to investigation, the
investigator can move from simply detecting to
modifying or altering the hidden message before
sending it on to the intended recipient.

In Steganography only attack the purpose is only to

detect the existence of message, but without
knowing the message prior to decryption, it takes
excess amount of time to recover the message.

If we just know the carrier file and final file, then

we can recover by just comparing both the files.
The steganography-only attack can be
accomplished through the use of statistical analysis
performed on the final medium.

EXAMPLE:
The colour contents of JPEG images are examined.
A modification to each coefficient’s LSB produces
variations in the data that results in deviations to
the histogram for the given file. If the deviations
are large enough to produce noticeable aberrations,
the embedded file’s of the file (containing 42,886
colours). histogram can identify the existence of the
hidden message. Likewise, LSB modifications to
palette-based images (GIF, etc.) cause duplications
of the colours in the palette with identical or nearly
identical colours appearing. This duplication of
colours can also serve as an indicator pointing to
the existence of hidden data. When examining the
greyscale histograms for an original and a
steganographically embedded JPEG (such as in
Figure 4), slight deviations in the histograms are
noticeable. The greyscale histogram provides a
cumulative value for all three colour channels (red,
green, and blue) at each brightness level (0-255).
Figure 5 compares the same photograph in its
original form (containing 42,784 colours) to an
embedded version
The arrows in the embedded histogram indicate
two obvious differences in the waveform.
Steganalysis takes this phenomenon one
step further by comparing the normalized
distribution of colours against a predicted value.
For palette based images, a normal distribution of
colour frequency is likely. A scalable standard bell
curve can be assumed as the comparison
benchmark against the suspect file. Changes to the
LSBs for any given pixel can create duplicate (or
near duplicate) colors in the image’s color palette.
The duplicate colours increase the frequency for
that value and can create a spike in the distribution
exceeding the benchmark reference. Any large
deviations from the benchmark can be an indicator
of anomalies or modifications to the contents of the
file.
The process for JPEGs can be a bit more
complicated. Because the JPEG format does not
use a palette based encoding algorithm, a second
step is necessary to compare DCT frequency to a
benchmark. Algorithms that sequentially modify
the DCT coefficients in JPEG files tend to cause
distortions in the histogram that flatten out the
frequency values of adjacent DCTs. To compensate
for this issue, newer algorithms do not sequentially
embed the data but rather use a password or key to false-negative rate is preferable to a high false-
generate a random order for DCT or LSB positive rate.
modifications.
Westfeld and Pfitzmann used a test to predict the
probability that an image contained steganographic
content by comparing the expected distribution (the
null hypothesis) against the sampled values. If the
measured value produced a deviation from the
expected, then the amplitude of the deviation was
proportional to the probability of steganographic
content at that point in the file. Because their
algorithm ran on sequential bytes with an
increasing sample size for each calculation, when
the probability dropped, the size of the hidden
message was often revealed as well.
After detection of hidden content with a carrier file,
the next step is recovery of the hidden message
itself. Because modifications to the data comprising
the carrier file are made without incorporating a
mapping back to the original values, recovery of
the original carrier file is difficult and sometimes
impossible. For digital pictures, audio, video, and
even file slack space, steganographic modifications
to the original contents often destroy the integrity
of the carrier file in the process.
6.2. STEGANOGRAPHY
DETECTION ON INTERNET:
6.2.2. VERIFYING CONTENT:
To assess claims that steganographic content is The statistical tests used to find steganographic
regularly posted to the Internet. To find out if such content in images indicate nothing more than a
claims are true, we have a steganography detection likelihood that content is embedded. Because of
framework that gets JPEG images off the Internet that, Stegdetect cannot guarantee a hidden
and uses steganalysis to identify subsets of the message’s existence. To verify that the detected
images likely to contain steganographic content. images have hidden content,
Stegbreak must launch a dictionary attack against
6.2.1. DETECTION FRAMEWORK: the JPEG files. JSteg-Shell, JPHide, or Outguess all
Stegdetect is an automated utility that can analyze hide content based on a user-supplied password, so
JPEG images that have content hidden with JSteg, an attacker can try to guess the password by taking
JPHide, and OutGuess 0.13b. Stegdetect’s output a large dictionary and trying to use every single
lists the steganographic systems it finds in each word in it to retrieve the hidden message. In
image or writes “negative” if it couldn’t detect any. addition to message data, the three systems also
Stegdetect’s false-negative rate depends on the embed header information, so attackers can verify a
steganographic system and the embedded guessed password using header information such as
message’s size. The smaller the message, the message length. For a dictionary attack28 to work,
harder it is to detect by statistical means. Stegdetect the steganographic system’s user must select a
is very reliable in finding images that have content weak password.
embedded with JSteg. For JPHide, detection
depends also on the size and the compression
quality of the JPEG images. Furthermore, JPHide
0.5 reduces the hidden message size by employing
compression. For JSteg, we cannot detect messages
smaller than 50 bytes. The false-negative rate in
such cases is almost 100 percent. However, once
the message size is larger than 150 bytes, our false-
negative rate is less than 10 percent. For JPHide,
the detection rate is independent of the message
size, and the false-negative rate is at least 20
percent in all cases. Although the false-negative
rate for OutGuess is around 60 percent, a high
 send a top secret, private or highly sensitive
document over an open systems environment such
as the Internet.

7.2. EMBEDDED DATA:

By embedding the hidden data into the
cover message and sending it, you can gain a sense
of security by the fact that no one knows you have
sent more than a harmless message other than the
intended recipients.

6.2.3. DISTRIBUTED DICTIONARY
ATTACK:
Stegbreak is too slow to run a dictionary
attack against JPHide on a single computer.
Because a dictionary attack is inherently parallel,
distributing it to many workstations is possible. To
distribute Stegbreak jobs and data sets, we
developed Disconcert, a distributed computing
framework for loosely coupled workstations.
There are two natural ways to parallelize a
dictionary attack: each node is assigned its own set
of images or each node is assigned its own part of
the dictionary. With more words existing than
images, the latter approach permits finer
segmentation of the work. To run the dictionary
attack, Disconcert hands out work units to
workstations in the form of an index into the
dictionary. After a node completes a work unit, it
receives a new index to work on.
7. APPLICATIONS:
The three most popular and researched uses for
steganography in an open systems environment are
• Covert channels,
• Embedded data and
• Digital watermarking.
7.3. DIGITAL
WATERMARKING:
Although not a pure steganographic
technique, digital watermarking is very common in
today's world and does use Steganographic
techniques to embed information into documents.
Digital watermarking is usually used for copy write
reasons by companies or entities that wish to
protect their property by either embedding their
trademark into their property or by concealing
serial numbers/license information in software, etc.
Digital watermarking is very important in the
detection and prosecution of software
pirates/digital thieves.
Hydan programme by Rakan El-Khalil exploits
redundancy in Intel x86 instruction set. Instruction
addl $20, % eax can be altered to subl $-20, % eax
and vice versa. Then let the add means logical 1,
sub means logical 0 and a solid base for
stegosystem has born.

7.1. COVERT CHANNELS:

Covert channels in TCP/IP involve
masking identification information in the TCP/IP
headers to hide the true identity of one or more
systems. This can be very useful for any secure
communications needs over open systems such as
the Internet when absolute secrecy is needed for an
entire communication process and not just one
document. Using containers (cover messages) to
embed secret messages into is by far the most
popular use of Steganography today. This method
of Steganography is very useful when a party must
 8. DENYING STEGANOGRAPHY:
Proving that the files contain differences can be
done through the use of a cryptographic hashing
algorithm that verifies differences indeed exist.
The use of a guard processor at the entry and exit
point(s) of the systems network could accomplish
this task. An MD5 128-bit hash provides a high
degree of confidence that different inputs produce
different hash outputs. Thus, differences in MD5
hashes provide a high level of certainty that the
given inputs (the binary contents composing the
two photos) contain differences. The photograph
with the embedded data (Kids_steg.bmp) is the
same size, contains the same number of pixels, and a) Kids_orig b) Kids_steg
the same depth as the original but the binary Visually, the two files appear to be identical but the
contents of the file are different than the original MD5 sum provides credible evidence that that is
(Kids_orig.bmp). not the case.
To illustrate how to defeat the steganographic
mechanism, the final file (Kids_steg.bmp) was
converted into a JPEG by opening it in Microsoft
Paint and using the “save as” feature to save it in
the JPEG format. Note that the MD5 sum of
Kids_steg.jpg does not match either the original or
the embedded version of the photograph. An
expected and noticeable reduction in file size is
achieved when using JPEG compression. In this
case, once the final file is converted into a new
format, the embedded message is destroyed and the
covert steganographic channel is effectively denied.
The final step to proving this is the case was to
reconvert the JPEG image back into a bitmap.
Again Microsoft Paint was used
to open the JPEG image and the “save as” feature
was used to save it in the bitmap format. Note that
the recovered image (Kids_recov.bmp) has
identical properties to the original and
steganographic files, but contains a different MD5
sum. The recovered image no longer contains the
hidden message and it is not the same file as the
original. The modifications to the original file when
the Microsoft Office Excel spreadsheet was
embedded made irrecoverable changes to the bits
defining each pixel.
For video and audio files the process
outlined above remains the same. Convert the file
to another format that requires a conversion, such
as a lossy compression or expansion routine, and
the embedded data will be destroyed in the process.
With the exception of high compression data
formats, the resulting “cleaned” reproduction of the
file should show no noticeable deviations from the
original.
For text based denial techniques, the process can be
a bit more complicated. These steganographic
insertions can be defeated using standard original
character recognition software to rebuild the
original file from the OCR output. Synonyms can
also be used to replace the awkward text often
found when words are substituted in stepped
character routines. This approach not only denies
the steganographic channel, but leaves the intended
message in the carrier intact and can make the
document more pleasant to read.
The injection of bits into the headers of TCP/IP
packets does not modify the content of the payload
in any way. Steganographic covert channels
utilizing techniques such as this are easily defeated
through the use of monitoring features at the switch
or router level. Malformed packets can be screened
out or modified to conform to a specific rule set.
Consider packets with the do not fragment (DF) bit
manipulated so that the packets carry a covert
message. A history or state based rule set could
trigger on packets going to the same destination
under the same protocol but having inconsistent DF
bits. Other network Steganography denial
techniques could include a security specification
stating that the DF bit on every packet leaving the
switch/router should have a value of one and all
packets entering should have a value of zero. At a
more rudimentary level (knowing that it could be
detrimental to some fragment sensitive
applications) network security could be achieved
by forcing the above conditions and modifying the
flags.
9. SHORT COMINGS OF
STEGANOGRAPHY:
Because steganography has gained popularity only
in the past decade, there are many flaws and
vulnerabilities that still need to be addressed.
9.1. REVEALING THE
EXISTENCE OF DATA:
Because steganography modifies an existing file
that is most likely in circulation on the internet, a
bitwise comparison of a given file with the “same”
file suspected of containing hidden information can
reveal use of steganography. Additionally, two
communicating parties can be easily identified as
communicating covertly if files that normally
would not be exchanged suddenly are. For
example, two business executives frequently
exchanging photographs of cars over a period of
time could arouse suspicion.
9.2. RENDERING DATA
USELESS:
Once a file is identified as possibly containing
hidden data, one can either attempt to recover the
information if the algorithm is known, or to destroy
the data without affecting the quality of the original
file. An altered bitmap converted to JPEG would
compress the file and remove unnecessary bits of
information, therefore removing any hidden data.
Converting to any other format may not necessarily
cause the image to lose information, but would
change the bit composition of the data, making any
hidden data unreadable.
10. FUTURE SCOPE:
Steganography can be used to design a
steganographic file system, where an adversary
cannot deduce existence of any file. Surely, raw
disk looks suspicious, but one can only guess if
there are any files inside and what their names are.
There have been few proposals in recent years.
Anderson introduced two ideas. User has to supply
a file name and associated password to access the
desired file in both schemes.
The first scheme initializes the file system with
several randomly generated cover files. Newly
created object is embedded as the exclusive-or of a
subset of cover files. The subset is selected by the
password and file name.
The second construction fills the whole disk with
random bits. Then the blocks of new objects are
written to absolute disk addresses given by some
pseudorandom process. Other construction used
HweeHwa Pang. His scheme supports plain and
hidden files at the same time. By hash value
obtained from a file name and password a position
of header of hidden file is located.
The header contains a link to an inode table that
indexes all the data blocks in the hidden file.
Additionally the header is encrypted. Then there
are various blocks whose type and location confuse
an adversary.
Next interesting application of steganography is
developing a scheme, where the content is
encrypted with one key and can be decrypted with
several other keys. The relative entropy between
encrypt and one specific decrypt key corresponds
to the amount of information, which can be used to
fingerprint the obtained data. Such fingerprinted
data can be later easily tracked. This idea together
with partial extraction was presented at FEE CTU
Poster 2004.
A possible problem that the presented
steganographic encoding might face in the future is
significant progress in machine translation. If
machine translation were
to become substantially more accurate, the possible
margin of plausible mistakes might get smaller.
However, one large category of current machine
translation errors results from the lack of context
that the machine translator takes into consideration.
In order to significantly improve existing machine
translation systems, one necessary feature would be
the preservation of context information from one
sentence to the next. Only with that information
will it be possible to eliminate certain errors. But
introducing this context into the machine
translation system also brings new opportunities for
hiding messages in translations. Once machine
translation software starts to keep context, it would
be possible for the two parties that use the
steganographic protocol to use this context as a
secret key. By seeding their respective translation
engines with k-bits of context they can make
deviations in the translations plausible, forcing the
adversary to potentially try 2k possible contextual
inputs in order to even establish the possibility that
the mechanism was used. This is similar to the idea
of splitting the corpus based
11. CONCLUSION:
Steganography is not a threat in general, but it
always remains to be POTENTIAL THREAT to
the society. It is in a familiar to deadly weapons,
the person using it and the intended purpose makes
it useful or Deadly. People should be focusing on
the important aspects of Steganography, such as
what it is really used for, instead of believing
propaganda put out by the media.
Computer forensic professionals need to be aware
of the difficulties in identifying the use of
steganography in any investigation. As with many
digital age technologies, steganography techniques
are becoming increasingly more sophisticated and
difficult to reliably detect. Once use is detected or
discovered, obtaining the ability to recover the
embedded content is becoming difficult as well.
Acquiring knowledge of current steganographic
techniques, along with their associated data types,
can provide a critical advantage to an investigator
by adding valuable tools to their forensic toolkit.
12. REFERENCES:
a. Steganography
http://en.wikipedia.org/wiki/Steganog
raphy.
b. Steganography By Neil F Johnson
http://www.jjtc.com/stegdoc/.
c. Steganography - A few tools to
discover hidden data.
http://www.guillermito2.net/stegano/t
ools/index.html.
d. JSteg- Steganography and
Steganalysis.
http://csis.bits-
pilani.ac.in/faculty/murali/netsec-
09/seminar/refs/anuroopsrep.pdf
e. F5- A Steganographic Algorithm
http://os.inf.tu-
dresden.de/~westfeld/publikationen/f
5.pdf.
f. SLSB: Improving the Steganographic
Algorithm LSB
http://www.fing.edu.uy/inco/eventos/
cibsi09/docs/Papers/CIBSI-Dia3-
Sesion9(1).pdf
g. An Overview of Steganography for
the Computer Forensics Examiner.
http://www.garykessler.net/library/fsc
_stego.html
h. Steganography And Steganalysis
http://www.sans.org/reading_room/w
hitepapers/stenganography/steganogra
phy-steganalysis-overview_553.
i. Seminar on Steganography
http://www.scribd.com/doc/20529/Se
minar-on-Steganography.
j. Modern Steganography
http://www.scycore.com/papers/ow04
_paper.pdf.
k. Hide and Seek: An Introduction to
Steganography
http://www.citi.umich.edu/u/provos/p
apers/practical.pdf
l. Principles of steganography
http://www.math.ucsd.edu/~crypto/Pr
ojects/MaxWeiss/steganography.pdf.
m. Chameleon-Image Steganography.
http://faculty.ksu.edu.sa/ghazy/Steg/R
eferences/ref13.pdf.
n. Translation Based Steganography.
http://www.google.co.in/search?
hl=en&q=translation+based+steganog
raphy&aq=0v&aqi=g-
v1&aql=&oq=Translation+Based+S
o. Steganography FAQ.
http://www.infosecwriters.com/text_r
esources/pdf/Steganography_AManga
rae.pdf