Christian Kraetzer

Communications and Multimedia Security

We propose to establish a standardised tool in fingerprint recognition robustness assessment, which is able to simulate a wide class of acquisition conditions, applicable to any given dataset and also of potential interest in forensic analysis. As an example, StirMark image manipulations (as being developed in the context of watermarking robustness assessment) are applied to fingerprint data to generate test data for robustness evaluations, thereby interpreting certain image manipulations as being highly related to realistic fingerprint acquisition conditions. Experimental results involving three types of fingerprint features and matching schemes (i.e. correlation-based, ridge feature-based, and minutiaebased) applied to FVC2004 data underline the need for standardised testing and a corresponding simulation toolset.

Digital audio forensics: a first practical evaluation on microphone and environment classification

In this paper a first approach for digital media forensics is presented to determine the used microphones and the environments of recorded digital audio samples by using known audio steganalysis features. Our first evaluation is based on a limited exemplary test set of 10 different audio reference signals recorded as mono audio data by four microphones in 10 different rooms with 44.1 kHz sampling rate and 16 bit quantisation. Note that, of course, a generalisation of the results cannot be achieved. Motivated by the syntactical and semantical analysis of information and in particular by known audio steganalysis approaches, a first set of specific features are selected for classification to evaluate, whether this first feature set can support correct classifications. The idea was mainly driven by the existing steganalysis features and the question of applicability within a first and limited test set. In the tests presented in this paper, an inter-device analysis with different device characteristics is performed while intra-device evaluations (identical microphone models of the same manufacturer) are not considered. For classification the data mining tool WEKA with K-means as a clustering and Naive Bayes as a classification technique are applied with the goal to evaluate their classification in regard to the classification accuracy on known audio steganalysis features. Our results show, that for our test set, the used classification techniques and selected steganalysis features, microphones can be better classified than environments. These first tests show promising results but of course are based on a limited test and training set as well a specific test set generation. Therefore additional and enhanced features with different test set generation strategies are necessary to generalise the findings.

Microphone Classification Using Fourier Coefficients

Media forensics tries to determine the originating device of a signal. We apply this paradigm to microphone forensics, determining the microphone model used to record a given audio sample. Our approach is to extract a Fourier coefficient histogram of near-silence segments of the recording as the feature vector and to use machine learning techniques for the classification. Our test goals are to determine whether attempting microphone forensics is indeed a sensible approach and which one of the six different classification techniques tested is the most suitable one for that task. The experimental results, achieved using two different FFT window sizes (256 and 2048 frequency coefficients) and nine different thresholds for near-silence detection, show a high accuracy of up to 93.5% correct classifications for the case of 2048 frequency coefficients in a test set of seven microphones classified with linear logistic regression models. This positive tendency motivates further experiments with larger test sets and further studies for microphone identification.

Pros and cons of mel-cepstrum based audio steganalysis using SVM classification

While image steganalysis has become a well researched domain in the last years, audio steganalysis still lacks a large scale attentiveness. This is astonishing since digital audio signals are, due to their stream-like composition and the high data rate, appropriate covers for steganographic methods. In this work one of the first case studies in audio steganalysis with a large number of information hiding algorithms is conducted. The applied trained detector approach, using a SVM (support vector machine) based classification on feature sets generated by fusion of time domain and Mel-cepstral domain features, is evaluated for its quality as a universal steganalysis tool as well as a application specific steganalysis tool for VoIP steganography (considering selected signal modifications with and without steganographic processing of audio data). The results from these evaluations are used to derive important directions for further research for universal and application specific audio steganalysis.

Unweighted fusion in microphone forensics using a decision tree and linear logistic regression models

For the exemplarily chosen domain of microphone forensics we show that media forensics can strongly benefit from combining statistical pattern recognition (using supervised classification) and unweighted information fusion (on the example of match-, rank- and decision level fusion). The practical results presented show that, by using a carefully selected fusion strategy and two multi-class classifiers (a decision tree and linear logistic regression models), the accuracy achieved in practical testing can be increased to 100%. This result is based on first tests on two sets of four and seven different microphones. For each of those microphones ten reference samples are recorded in ten different locations and are used in the ratio 80% to 20% for supervised training and testing by the two classifiers. The overall positive tendency indicates that microphone forensics might become an important security mechanism for the verification of source authenticity. Recent gunshot classification approaches, which try to determine the gun used in gunshot audio recordings, have the problem that they rely on carefully controlled conditions, amongst them the fact that the microphone used for all evaluations has to remain the same. A microphone classification approach as introduced here would allow for similarity estimation for microphones and thereby would enable exchanging microphones in such a gunshot classification approach without complete loss of confidence. Furthermore microphone forensics could be used in provenance verification of digital audio media to verify the microphone used for recordings to be submitted into secure long term archiving systems.

A Context Model for Microphone Forensics and its Application in Evaluations

In this paper we first design a suitable context model for microphone recordings, formalising and describing the involved signal processing pipeline and the corresponding influence factors. As a second contribution we apply the context model to devise empirical investigations about: a) the identification of suitable classification algorithms for statistical pattern recognition based microphone forensics, evaluating 74 supervised classification techniques and 8 clusterers; b) the determination of suitable features for the pattern recognition (with very good results for second order derivative MFCC based features), showing that a reduction to the 20 best features has no negative influence to the classification accuracy, but increases the processing speed by factor 30; c) the determination of the influence of changes in the microphone orientation and mounting on the classification performance, showing that the first has no detectable influence, while the latter shows a strong impact under certain circumstances; d) the performance achieved in using the statistical pattern recognition based microphone forensics approach for the detection of audio signal compositions.

Transparency benchmarking on audio watermarks and steganography

The evaluation of transparency plays an important role in the context of watermarking and steganography algorithms. This paper introduces a general definition of the term transparency in the context of steganography, digital watermarking and attack based evaluation of digital watermarking algorithms. For this purpose the term transparency is first considered individually for each of the three application fields (steganography, digital watermarking and watermarking algorithm evaluation). From the three results a general definition for the overall context is derived in a second step. The relevance and applicability of the definition given is evaluated in practise using existing audio watermarking and steganography algorithms (which work in time, frequency and wavelet domain) as well as an attack based evaluation suite for audio watermarking benchmarking - StirMark for Audio (SMBA). For this purpose selected attacks from the SMBA suite are modified by adding transparency enhancing measures using a psychoacoustic model. The transparency and robustness of the evaluated audio watermarking algorithms by using the original and modifid attacks are compared. The results of this paper show hat transparency benchmarking will lead to new information regarding the algorithms under observation and their usage. This information can result in concrete recommendations for modification, like the ones resulting from the tests performed here.

Printed fingerprints: a framework and first results towards detection of artificially printed latent fingerprints for forensics

In Schwarz 1 an amino acid model for printing latent fingerprints to porous surfaces is introduced, motivated by the need for reproducibility tests of different development techniques for forensic investigations. However, this technique also enables the fabrication of artificial traces constituting a possible threat to security, motivating a need for research of appropriate detection techniques. In this paper a new framework for modelling the properties of a generic fingerprint examination process is introduced. Based on the framework, examination properties and detection properties are derived by a subjective evaluation. We suggest a first formalisation of exemplary properties, which can be easily extended to fit different needs. We present a first experimental setup limited to two printers and the Schwarz amino acid model using absorbing and non-absorbing material with first results to show tendencies and underline the necessity for further research.

Statistical detection of malicious PE-Executables for fast offline analysis

While conventional malware detection approaches increasingly fail, modern heuristic strategies often perform dynamically, which is not possible in many applications due to related effort and the quantity of files. Based on existing work from [1] and [2] we analyse an approach towards statistical malware detection of PE executables. One benefit is its simplicity (evaluating 23 static features with moderate resource constrains), so it might support the application on large file amounts, e.g. for network-operators or a posteriori analyses in archival systems. After identifying promising features and their typical values, a custom hypothesis-based classification model and a statistical classification approach using the WEKA machine learning tool [3] are generated and evaluated. The results of large-scale classifications are compared showing that the custom, hypothesis based approach performs better on the chosen setup than the general purpose statistical algorithms. Concluding, malicious samples often have special characteristics so existing malware-scanners can effectively be supported.

Mel-cepstrum based steganalysis for VoIP steganography

Steganography and steganalysis in VoIP applications are important research topics as speech data is an appropriate cover to hide messages or comprehensive documents. In our paper we introduce a Mel-cepstrum based analysis known from speaker and speech recognition to perform a detection of embedded hidden messages. In particular we combine known and established audio steganalysis features with the features derived from Melcepstrum based analysis for an investigation on the improvement of the detection performance. Our main focus considers the application environment of VoIP-steganography scenarios. The evaluation of the enhanced feature space is performed for classical steganographic as well as for watermarking algorithms. With this strategy we show how general forensic approaches can detect information hiding techniques in the field of hidden communication as well as for DRM applications. For the later the detection of the presence of a potential watermark in a specific feature space can lead to new attacks or to a better design of the watermarking pattern. Following that the usefulness of Mel-cepstrum domain based features for detection is discussed in detail.