As discussed in the section on $UWL¿FLDO6WHJR Noise there are two primary approaches to steg- anography: spatial domain and transform domain PHWKRGV7KH¿UVWLQFOXGHVWHFKQLTXHVVXFKDV ±k and LSB that require the use of raw images. The second includes techniques such as F5 or JSteg, which require JPEG images. Each has a VLPSOHLQWXLWLYHPHWKRGRIDWWDFN¿UVWWKHGHOH- tion of bits for spatial methods, and second, the re-compression of a JPEG image. In this section, we explore the ability to detect these methods and the effectiveness of each applied to four common steganography methods.
The two spatial methods of steganography introduced in the section on $UWL¿FLDO6WHJR1RLVH
are LSB and ±k. These methods are notoriously easy for an attacker to destroy. Simple deletion of bits is enough to destroy the message. The ques- WLRQUHPDLQVLVGHOHWLQJRUVKXIÀLQJDELWSODQHD valid method of removing the hidden information while preserving the image? Can the recipient GHWHFWWKLVPRGL¿FDWLRQ"
Perceptually, a human cannot perceive the LSB in an 8-bit image. In fact, for a human observer, WKHGHOHWLRQRIDQ\RIWKH¿UVWELWSODQHVLVQRW perceivable for many images. However, using even the simplest statistical techniques the deletion of a bitplane becomes easy to identify. Figure 10
shows the histograms and images resulting from deleting one to four bits from the image.
6LPSOH/6%LVOHVVGLI¿FXOWWRPRGLI\WKDQ ±k. Since a potential steganalyst does not know the value of k, they cannot simply delete the kth
bit-plane. Instead, they would need to delete all bit-planes, effectively destroying the communica- tion channel. Making a reasonable assumption that RQO\WKH¿UVWIRXUELWVDUHSRVVLEOHKLGLQJDUHDV simply deleting all these bits leaves a clear signa- ture, as shown in Figure 10. The histograms of each
bit deleted¿JXUHVKRZVDspiky behavior as some values no longer appear in the image. This regular lack of some pixel values is a highly unnatural occurrence, even in compressed images.
In general, the deletion of bits is not an ef- fective approach for attacking a steganography technique. The measurable change to the image is YHU\GLVWLQFWDQGVXI¿FLHQWWRWLSRII$OLFHRU%RE that messages are actively being changed. Once tipped off, they are free to adjust tactics to defeat this deletion. Beyond its detectability, the premise of deleting a bit-plane relies on knowing where all the embedded information will reside. This relies on knowing the embedding mechanism, which may or may not be a realistic assumption.
Another method of attacking a spatial embed- GLQJPHWKRGLVWRVKXIÀHWKHELWVLQWKHDSSURSULDWH bit-plane, or inject randomized bits. This approach is equivalent to the original steganography prob- OHPDVHPEHGGLQJQRLVHRUVKXIÀLQJELWVLVHIIHF- tively hiding new information in the same image. The effectiveness of the technique applied to the active warden scenario depends on knowledge of the original embedding mechanism. Embed- ding the wrong bit-plane will not be an effective attack. While embedding in the correct bit-plane assumes a level of knowledge about the embedding mechanism that may not be realistic.
While spatial domain methods are important, JPEG-based media dominate the Internet. Three
transform domain techniques were introduced in the section, $UWL¿FLDO6WHJR1RLVH, both using JPEG-based methods. JSteg, F5, and model-based
embedding are all techniques for hiding in the FRHI¿FLHQWVRIWKHFRVLQHGRPDLQ
While transform domain methods are gener- ally considered more robust, since they should EHOHVVVHQVLWLYHWRWKHVSDWLDO/6%PRGL¿FDWLRQV discussed in the previous section. In both cases studied here, JSteg and model-based are extremely VHQVLWLYHWRFKDQJHVWRWKH-3(*FRHI¿FLHQWV,IWKH spatial domain changes enough to modify JPEG FRHI¿FLHQWVRUWKH-3(*FRHI¿FLHQWVWKHPVHOYHV are changed, the results are disastrous for the embedded data.
$ VLPSOH PHWKRG RI FKDQJLQJ -3(* FRHI¿- cients is to re-encode the image. The process of JPEG compression is a lossy process. Passing a compressed image through compression a second time will not result in the same image. The reason can be seen in Figure 11. While the results of the two non-invertible processes shown will be the same if applied to the same raw image, applying a second time to a compressed image will most likely change the image further. This is dependent on the exact values produced by the inverse cosine transform. If these values are close to integers, the
)LJXUH0HDVXULQJWKHHIIHFWVRIELWGHOHWLRQRQWKHLPDJHWRSWRERWWRPGHOHWLQJELWVWKUXOHIW WRULJKWWKHLPDJHWKHIXOOKLVWRJUDPDQGWKHKLVWRJUDPRIELWVWKURXJK
conversion to integer will not have much impact so the second encoding will result in the same im- age. In the more likely case of being non-integer, then the second encoding will operate on different numbers than those created by the inverse cosine transform, causing the quantization to be applied differently, and further changing the image.
7KLVVOLJKWFKDQJHLQFRHI¿FLHQWVFDQEHGHY- astating for recovering a hidden message. An ex- ample of this phenomenon is shown in Figures 12 and 13. In this example, the model-based method has been used to embed a stego-image at near maximum capacity. The stego-embedded image was read and re-encoded using the same quality, as well as the same quantization table. This resulted in changes to nearly half of the embedded bits. In the case of Figure 12, part of the message can be recovered, (the white area on the left of the image) while the rest is not recognizable. This highlights the fact that a change of ±1 in a single LPSRUWDQW-3(*FRHI¿FLHQWLVHQRXJKWRWKURZ the model-based stego-decoder off and corrupt all of the data received. Again, in Figure 12 the left portion of the message is correctly recovered, as QRLPSRUWDQW-3(*FRHI¿FLHQWVDUHFKDQJHGZLWKLQ
that part of the message. Though, the remainder of the message is completely lost.
A critical feature of this method of attack is the maintained quality of the image. While re- encoding with a new quantization table is known to be a detectable operation (Fridrich, Goljan, & Du, 2001), encoding with the same table has not. A drawback to this approach is the uncertainty RI ZKLFK FRHI¿FLHQWV ZLOO EH FKDQJHG :KLFK FRHI¿FLHQWVZLOOEHDIIHFWHGFDQQRWEHSUHGLFWHG Therefore, which part of the message will be cor- rupted cannot be controlled, nor can it be predicted whether any of the message will be changed at all. It is even possible to design images insensi- tive to this attack.