Jan Kodovský

Statistically undetectable jpeg steganography: dead ends challenges, and opportunities

The goal of this paper is to determine the steganographic capacity of JPEG images (the largest payload that can be undetectably embedded) with respect to current best steganalytic methods. Additionally, by testing selected steganographic algorithms we evaluate the influence of specific design elements and principles, such as the choice of the JPEG compressor, matrix embedding, adaptive content-dependent selection channels, and minimal distortion steganography using side information at the sender. From our experiments, we conclude that the average steganographic capacity of grayscale JPEG images with quality factor 70 is approximately 0.05 bits per non-zero AC DCT coefficient.

Calibration revisited

Calibration was first introduced in 2002 as a new concept to attack the F5 algorithm [3]. Since then, it became an essential part of many feature-based blind and targeted steganalyzers in JPEG as well as spatial domain. The purpose of this paper is to shed more light on how, why, and when calibration works. In particular, this paper challenges the thesis that the purpose of calibration is to estimate cover image features from the stego image. We classify calibration according to its internal mechanism into several canonical examples, including the case when calibration hurts the detection performance. All examples are demonstrated on specific steganographic schemes and steganalysis features. Furthermore, we propose a modified calibration procedure that improves practical steganalysis.

Steganalysis of JPEG images using rich models

In this paper, we propose a rich model of DCT coefficients in a JPEG file for the purpose of detecting steganographic embedding changes. The model is built systematically as a union of smaller submodels formed as joint distributions of DCT coefficients from their frequency and spatial neighborhoods covering a wide range of statistical dependencies. Due to its high dimensionality, we combine the rich model with ensemble classifiers and construct detectors for six modern JPEG domain steganographic schemes: nsF5, model-based steganography, YASS, and schemes that use side information at the embedder in the form of the uncompressed image: MME, BCH, and BCHopt. The resulting performance is contrasted with previously proposed feature sets of both low and high dimensionality. We also investigate the performance of individual submodels when grouped by their type as well as the effect of Cartesian calibration. The proposed rich model delivers superior performance across all tested algorithms and payloads.

Steganalysis of content-adaptive steganography in spatial domain

Content-adaptive steganography constrains its embedding changes to those parts of covers that are difficult to model, such as textured or noisy regions. When combined with advanced coding techniques, adaptive steganographic methods can embed rather large payloads with low statistical detectability at least when measured using feature-based steganalyzers trained on a given cover source. The recently proposed steganographic algorithm HUGO is an example of this approach. The goal of this paper is to subject this newly proposed algorithm to analysis, identify features capable of detecting payload embedded using such schemes and obtain a better picture regarding the benefit of adaptive steganography with public selection channels. This work describes the technical details of our attack on HUGO as part of the BOSS challenge.

Modern steganalysis can detect YASS

YASS is a steganographic algorithm for digital images that hides messages robustly in a key-dependent transform domain so that the stego image can be subsequently compressed and distributed as JPEG. Given the fact that state-of-the-art blind steganalysis methods of 2007, when YASS was proposed, were unable to reliably detect YASS, in this paper we steganalyze YASS using several recently proposed general-purpose steganalysis feature sets. The focus is on blind attacks that do not capitalize on any weakness of a specific implementation of the embedding algorithm. We demonstrate experimentally that twelve different settings of YASS can be reliably detected even for small embedding rates and in small images. Since none of the steganalysis feature sets is in any way targeted to the embedding of YASS, future modifications of YASS will likely be detectable by them as well.

The square root law of steganographic capacity

There are a number of recent information theoretic results demonstrating (under certain conditions) a sublinear relationship between the number of cover objects and their total steganographic capacity. In this paper we explain how these results may be adapted to the steganographic capacity of a single cover object, which under the right conditions should be proportional to the square root of the cover size. Then we perform some experiments using three genuine steganography methods in digital images, covering both spatial and DCT domains. Measuring detectability under four different steganalysis methods, for a variety of payload and cover sizes, we observe close accordance with a square root law.

Breaking HUGO: the process discovery

This paper describes our experience with the BOSS competition in chronological order. The intention is to reveal all details of our effort focused on breaking HUGO - one of the most advanced steganographic systems ever published. We believe that researchers working in steganalysis of digital media and related fields will find it interesting, inspiring, and perhaps even entertaining to read about the details of our journey, including the dead ends, false hopes, surprises, obstacles, and lessons learned. This information is usually not found in technical papers that only show the final polished approach. This work accompanies our other paper in this volume [9].

On completeness of feature spaces in blind steganalysis

Blind steganalyzers can be used for many diverse applications in steganography that go well beyond a mere detection of stego content. A blind steganalyzer can also be used for constructing targeted attacks or as an oracle for designing steganographic methods. The feature space itself provides a low-dimensional model of covers useful for benchmarking. These applications require the feature space to be complete in the sense that the features fully characterize the space of covers. Incomplete feature sets may skew benchmarking scores and lead to poor steganalysis. As a simple test of completeness, we propose a general approach for constructing steganographic methods that approximately preserve the whole feature vector and thus become practically undetectable by any steganalyzer that uses the same feature set. We demonstrate the plausibility of this approach, which we call the Feature Correction Method (FCM) by constructing the FCM for a 274-dimensional feature set from a state-of-the-art blind steganalyzer for JPEG images.

Study of cover source mismatch in steganalysis and ways to mitigate its impact

When a steganalysis detector trained on one cover source is applied to images from a different source, generally the detection error increases due to the mismatch between both sources. In steganography, this situation is recognized as the so-called cover source mismatch (CSM). The drop in detection accuracy depends on many factors, including the properties of both sources, the detector construction, the feature space used to represent the covers, and the steganographic algorithm. Although well recognized as the single most important factor negatively affecting the performance of steganalyzers in practice, the CSM received surprisingly little attention from researchers. One of the reasons for this is the diversity with which the CSM can manifest. On a series of experiments in the spatial and JPEG domains, we refute some of the common misconceptions that the severity of the CSM is tied to the feature dimensionality or their “fragility.” The CSM impact on detection appears too difficult to predict due to the effect of complex dependencies among the features. We also investigate ways to mitigate the negative effect of the CSM using simple measures, such as by enlarging the diversity of the training set (training on a mixture of sources) and by employing a bank of detectors trained on multiple different sources and testing on a detector trained on the closest source.

Steganalysis of LSB replacement using parity-aware features

Detection of LSB replacement in digital images has received quite a bit of attention in the past ten years. In particular, structural detectors together with variants of Weighted Stego-image (WS) analysis have materialized as the most accurate. In this paper, we show that further surprisingly significant improvement is possible with machine---learning based detectors utilizing co-occurrences of neighboring noise residuals as features. Such features can leverage dependencies among adjacent residual samples in contrast to the WS detector, which implicitly assumes that the residuals are mutually independent. Further improvement is achieved by adapting the features for detection of LSB replacement by making them aware of pixel parity. To this end, we introduce two key novel concepts --- calibration by parity and parity-aware residuals. It is shown that, at least for a known cover source when a binary classifier can be built, its accuracy is markedly better in comparison with the best structural and WS detectors in both uncompressed images and in decompressed JPEGs. This improvement is especially significant for very small change rates. A simple feature selection algorithm is used to obtain interesting insight that reveals potentially novel directions in structural steganalysis.