JPEG Steganography: Hiding in Plain Sight

Hasan Fayyad-Kazan1*, Elissa Saba2, Hussin J Hejase3, Ali El Dirani4 and Hassan Rkein4

Keywords: Steganography; Steganalysis; JPEG; LSB; DCT; Stego-Image

Introduction

The word Steganography is derived from the Greek words “stegos” meaning “cover” and “grafia” meaning “writing” defining it as “covered writing”, and is a long-practiced form of hiding information, and it has long been regarded as a tool used for illicit and destructive purposes such as crime and warfare [1].

With the outrageous evolution of the digital media, people are easily using it today as a form of invisible communication, in such a way that no one apart from the sender and the intended receiver could possibly know that a message has been sent, nor detect it using his human visual system (HVS). It is the science and art of secret communication between two sides that attempts to conceal the existence of the message [2]. So it’s hiding confidential information in plain sight.

Steganography concept is often confused with the one of cryptography and that’s because both were used throughout history as a way to protect valuable data. The difference between two is that cryptography simply encrypts the information without hiding its presence, steganography, on the other hand, hides the message and its existence so it appears that no information is hidden at all. One conceals the contents of the message, whereas the other conceals the existence of the message.

Steganography has a long history, going back to the ancient Greek and Roman Civilizations. Messengers tattooed messages on their shaved heads and the messages remain invisible when their hair grows [3], other practices used waxed tables where messages were etched on wood then covered with wax, invisible inks were also used to accomplish the same goal.

The basic structure of Steganography is made up of three components, The “Carrier”, the “Message”, and the “key” [4]. A key can be used to assure more security. Today, thanks to modern technology, steganography is used on text, images, sound, signals, and more [5]. Digital images are large enough used as cover media due to their high degree of redundancy in modern communication and on the worldwide Internet. JPEG images are widely used in image steganography as there are various JPEG steganographic tools freely available to use. F5, Outguess, StegHide, MBSteg, JSteg, JSteg-Shell, and JPhide [6], are steganographic programs that have been developed recently for hiding data inside JPEG image format.

With the widespread illicit usage of steganography, steganalysis has garnered much attention from researchers. The aim of steganalysis is to identify the existence of the hidden message. It is mainly done by comparing the encrypted cover with the original copy.

This paper intends to critically review how a secret communication is carried on between a sender and a receiver, using a LSB steganographic method, the outguess algorithm. Thus the process of embedding secret data inside the DCT coefficients of JPEG image file, and its extraction.

Related Work

There are many research work on data hiding methods in DCT coefficients. A brief overview of some of those methods conducted in the past 10 years is given in this section.

In 2012, Gurmeet, et al. presented a comparative analysis by computing Mean square error (MSE) and Peak Signal to Noise Ratio (PSNR), Processing time, and security.

The analysis shows that the BER and PSNR is improved in the LSB Method but security sake DCT is the best method [7].

In 2013, Sohag, et al. analyzed various existing system and implemented a dynamic substitution based Image Steganography (IS) with a secret key. The proposed method is more difficult to attack because of message bits are not inserted into the fixed position but into deeper layer depending on the environment of the host image and a secret key resulting increased robustness. The robustness specially would be increased against those intentional attacks which try to reveal the hidden message [8]. At the same year, Eltyeb, et al. compared and analyzed Least Significant Bit algorithm using the cover object as an image with a focus on two types: BMP and JPEG. The comparison and analysis are done with respect to a number of criteria to understand their strengths and weaknesses [9].

In 2014, Pan, et al. presented a class of new distortion functions known as uniform embedding distortion function (UED) for both side-informed and non-side-informed secure JPEG steganography. By incorporating the syndrome trellis coding, the best code word with minimal distortion for a given message is determined with UED, which, instead of random modification, tries to spread the embedding modification uniformly to quantized discrete cosine transform (DCT) coefficients of all possible magnitudes. In this way, less statistical detectability is achieved, owing to the reduction of the average changes of the first- and second-order statistics for DCT coefficients as a whole. The effectiveness of the proposed scheme is verified with evidence obtained from exhaustive experiments using popular steganalyzers with various feature sets on the BOSS base database. Compared with prior arts, the proposed scheme gains favorable performance in terms of secure embedding capacity against steganalysis [10].

In 2015, Hiney, et al. explored a method to minimize the disruption so JPEG images can be used as steganography carriers on Facebook [11].

In 2016, Sugandhi, et al. proposed a new steganography approach for data hiding. In this approach they hide data in the encrypted image using LSB (least significant bit) technique. The hidden data in the binary form is replaced to the LSB position of the encrypted image binary data. The hidden data will be recovered by the receiver using the secret key. Thus this method provides double staging security. Thus it will be used to reduce the chance of detecting the encrypted image and then provides advanced security level of the encrypted image [12].

In 2017, Denemark, et al, imposed multivariate Gaussian model on acquisition noise and estimated its parameters from the available precover. The embedding is then designed to minimize the KL divergence between cover and stego distributions. In contrast to existing heuristic algorithms that modulate the embedding costs by 1–2|e|, where e is the rounding error, in their model-based approach the sender should modulate the steganographic Fisher information, which is a loose equivalent of embedding costs, by (1– 2|e|)^2. Experiments with uncompressed and JPEG images show promise of this theoretically well-founded approach [13].

In 2018, Li, et al. inspected the embedding change from the spatial domain and propose a principle of Block Boundary Continuity (BBC) for defining JPEG joint distortion, which aims to restrain blocking artifacts caused by inter-block adjacent modifications and thus effectively preserve the spatial continuity at block boundaries. According to BBC, whether inter-block adjacent modifications should be synchronized or desynchronized is related to the DCT mode and the adjacent direction of inter-block coefficients (horizontal or vertical). When built into $DeJoin$, experiments demonstrate that BBC does help improve state-of- the-art additive distortion schemes in terms of relatively large embedding payloads against modern JPEG steganalyzers [14].

In 2019, Ansari, et al. presented the comparative study and performance analysis of different image Steganography methods using various types of cover media (like BMP/ JPEG/PNG etc.) with the discussion of their file formats. We also discuss the embedding domains along with a discussion on salient technical properties, applications, limitations, and Steganalysis [15].

In 2020, Giboulot, et al. proposed a method to better estimate the variances of DCT coefficients by taking into account the dependencies between pixels that come from the development pipeline. Using this estimate, we are able to extend statistically-informed steganographic schemes to the JPEG domain while significantly outperforming the current state-of-the-art JPEG steganography. An extension of Gaussian Embedding in the JPEG domain using quantization error as side-information is also formulated and shown to attain state-of-the-art performances [16].

In 2021, Wang, et al. presented a new principle, called block boundary maintenance (BBM), to minimize the modifications on the spatial block boundaries. In theory, they deduced the BBM principle on how to modify a pair of DCT coefficients of the intra-block to reduce the modifications on the spatial block boundary. According to the BBM principle, they designed a new strategy to define non-additive cost functions for JPEG steganography by exploiting the coefficient correlation of the intra-block in the DCT domain. The experimental results show that the BBM-based strategy can minimize modifications on the spatial block boundaries and thus achieve a high-security level when resisting modern JPEG steganalysis. Furthermore, the two principles of BBC and BBM can be fused to further improve the empirical security [17].

Background

In this section, we will provide a general overview of image steganography, image definition as well as image compression.

Experiments and Results

in order to embed one bit of confidential information, and then the embedded image coefficients are compressed using entropy encoding to finally produce the JPEG stego image as shown in Figure2. We should note that the receiver extracts the hidden message bits by reading the coefficients in the same sequence that the sender has used to embed it into the cover image and by using the same embedding algorithm.

Click to enlarge

We are going to show you how terrorists communicate online; a sender using the outguess algorithm to hide messages inside JPEG image files. And a receiver retrieving the message using the same algorithm. Experiments were conducted on an image dataset consisting of three JPEG images freely available in public domain on internet. The JPEG image’s properties are shown in Table 1.

It is important to note that for our experiments, Oracle Virtual box version 5.2.8.21009 was used. Before selecting the steganographic algorithms to be used, it is important to consider the aspect of algorithm reputation either in spatial or transform domain, and the type of images we are using. Taking this information into consideration, the selected method is: Outguess, direct command in Ubuntu Linux.

The OutGuess steganographic algorithm was proposed by Neils Provos [21] to counter the statistical chi-square attack [22]. It hides messages in JPEG files, and works in two phases- embedding and correction steps. In the first pass, OutGuess embeds message bits along a random walk into the LSBs of quantized DCT coefficients while skipping 0’s and 1’s and flips the LSBs of coefficients to match them with the secret data bits. The embedding process will change the histogram of the quantized DCT coefficients, thus, the image is processed again while correcting the coefficients to make the stego image histogram match the cover image histogram. The chi-square attack and its generalized versions cannot detect messages embedded using OutGuess.

Steganography in Real Criminal Cases

Secret information exchange has been taking place since ancient times but the present digital and technological era provides numerous ways and choices to share such confidential messages. Criminals today are using steganography in order to communicate with other criminals, to share classified information and even to perform computer hacks, it is also used for illegal purposes such as crime, child pornography, cash drops and organizing terrorist attacks. In the business world steganography can be used to hide a secret chemical formula or plans for a new invention [23]. All of this is done in a way to make the information sharing inaccessible to law enforcement and to prevent any unauthorized persons to be aware of its existence. Currently, digital tools are widely available to ordinary computer users with basic computer skills also. The stego images can be shared using Social Media Sites such as Instagram, Facebook and Twitter or Online Social Networks (OSNs), which make them available to a very large number of individuals. We will be presenting specific cases in which steganography was used.

The first confirmed case of data concealment in real life was reported in 2010 by NBC [24]. Russian spies were using steganography to embed messages inside images then the stego images were uploaded to public websites. The huge number of pictures on the web and the endless stream of communications transmitted daily through it makes it hard for an investigator to detect the presence of the message and who it is aimed at.

Many articles claimed that after the September 11, 2001 attacks there were rumors that al Qaeda members used steganography to coordinate their actions, and for promoting child pornography although it was never confirmed.

NBC reported that German security officials caught a Pakistani Al Qaeda operative with a memory disk containing a pornographic video that embedded over 100 documents outlining plans for terror attacks through Europe [25].

An internet pedophile ring known as the “Shadowz Brotherhood” used steganography to transfer child pornographic material [26].

Digital steganography has been used by terrorists to facilitate secret intra-group communication as has been claimed. This is because terrorist use of digital steganography is both technically and operationally implausible [27].

Steganalysis Techniques for Computer Forensic Investigation

In today’s society crime and cybercrime are considered as very challenging topics for law enforcement. Studying steganography covers and how they are transferred on online social networks is important because most of the time they are used for causing harm and for illicit purposes. Social media has become increasingly important and useful in solving crimes. Understanding how people might use steganography and social media for harm or even just as a means of communication could lead to breakthroughs in cases [28].

Steganalysis is emerging out as a process of detecting steganography. We should note that Steganalysis is mostly about discovering and identifying the existence of a concealed message, it essentially deals with the detection of hidden data. Digital forensics is the investigation of the steganography practiced by criminals on the network channel like TCP/IT protocol, to perform criminal communications, fraud, hacking electronic payments, gambling and pornography, harassment, viruses, pedophilia. So the first step for a forensic examiner would be to identify the existence of the hidden message, and for the extraction considered as a second step it may be indeed complex and difficult, sometimes impossible if we have no idea about the tool or technique used for the steganopgraphy. Even if the steganographic tool was somehow discovered, extracting the hidden information can prove to be rather daunting as most algorithms employ cryptographic techniques to scramble the secret message when it is embedded [29]. Therefore it would be so challenging for the forensic investigator to recover the hidden information.

There are several types of steganographic attacks based on the information available for analysis. Some of them are as follows:

• Known carrier attack: The original cover file and stego object are both available for analysis. Steganography only attack: only stego object is available for analysis.
• Known message attack: The hidden message is known in this case.
• Known steganography attack: The cover file, stego object as well as the steganographic tool or algorithm, are known.

However in forensic investigations, the most likely situation the investigator will be in is when only the steganographic object is available, and that is assuming if an object can be classified as a steganographic object in the first place [29].

Steganalysis and steganography are two sides of the same coin, similar to cryptography and cryptanalysis, and computer viruses and antivirus software. The threat today is so serious because cybercrime is continuing to grow and the criminals are getting smarter and looking for ways to create malicious tools and software without getting exposed. Research in steganography involves both developing new techniques for hiding content and developing new tools for the detection and deciphering of hidden content. This duality is similar to biologic warfare, where the development of new biological weapons goes hand in hand with the research of their antidotes.

Forensic Tools for Steganography Detection

The plausibility of steganographic target formats increases with the amount of data transmitted in the respective format. JPEG images are widely used over internet and therefore they are an ideal target format for steganography [9]. Most of the steganalytic methods concentrate on one operation; feature extraction. We will show some examples of currently available softwares that can detect the presence of steganography programs, detect suspect carrier files, and disrupt steganographically hidden messages.

StegoArchive.com lists many steganalysis programs [30].

Discussion

Our experimental study has shown how easy hiding secret information using steganography methods are. It doesn’t require so many skills, just some basic research and knowledge about the subject, what made it available and possible for any normal person to use. But the question remains, how far a forensic examiner can detect the presence of the hidden messages using forensic steganalysis methods because the variety of steganographic methods may be considered as an obstacle and the steganalysis techniques might be able to detect some of the embedding methods and not detect others. Some methods with a very good performance for detecting exclusively transform domain steganographic methods [31, 32] are available. We have other methods that outperform one steganographic method and underperform over another [33]. Steganalysis methods may be capable to reliably detect steganography only for specific embedding rates. For instance, this can be shown in the results of a recent experiment [34]. Many steganalysis software and tools are available but they show numerous challenges and difficulties so it would be of great value to check even more and more of them.

Conclusion

In recent years, Steganography has emerged as a growingly active research topic. The past few years have seen an increasing interest in using images as cover media for steganographic communication, mostly JPEG image file format.

However, while implementing image steganography is important, the steganalysis methods to detect and embed the secret message are far more complex than actually doing the steganography itself and it needs to be an area of ongoing research. Today’s steganographic programs can hide any type of secret data into various types of cover media. It is so difficult, nearly impossible to predict whether there is a secret message to begin with at first place. Given this fact, there is a lot of research working on discovering new techniques for steganalysis, and it would be interesting to see how accurate they will be at detecting Steganography.

Finally, it is clear that the use of steganography by terrorists and criminals is likely to increase in the future, posing a problem for law enforcement agencies. Steganalysis needs to be further developed to help counter high tech terrorism and cases of child pornography and others.