On Dangers of Overtraining Steganography to Incomplete Cover Model Jan Kodovský, Jessica Fridrich, Vojtˇ ech Holub September 30, 2011 / MMSEC On Dangers of Overtraining Steganography to Incomplete Cover Model 1 / 14
Steganography Steganography by cover modification Cover images Stego images Embedding x ∼ P c y ∼ P s algorithm x , y ∈ C . . . space of images, e.g. C = { 0 , . . . , 255 } 512 × 512 Goal: keep P s close to P c (minimize KL divergence) Steganographer’s options: Map everything into feature space F and preserve cover pdf there Minimize distortion function D ( x , y ) On Dangers of Overtraining Steganography to Incomplete Cover Model 2 / 14
OutGuess JPEG domain steganographic algorithm [Provos 2001] Feature space F . . . histogram of DCT coefficients Statistical restoration (LSB embedding + correction) Fully preserves cover pdf in F ⇒ undetectable within F Problem: first order statistics is a poor model of cover images Successful attacks using higher order statistics [2002-2011] Overtrained to incomplete model On Dangers of Overtraining Steganography to Incomplete Cover Model 3 / 14
Feature Correction Method (FCM) General framework for steganography that approximately preserves given feature vector [Kodovský 2008, Chonev 2011] Minimize distortion function defined in F : n ( x i − y i ) 2 n . . . number of features � D ( x , y ) = var i . . . variance of the i th feature var i i =1 Two-pass procedure, greedy approach, already in the first phase make ± 1 changes to minimize distortion Implemented for the case of 274 PEV features [Pevný 2007] Captures both inter- and intra-block dependencies Local histograms, co-occurences, Markov models On Dangers of Overtraining Steganography to Incomplete Cover Model 4 / 14
Feature Correction Method (FCM) 0.50 Classification error P E Performance in F 0.40 Different cropping 0.30 F ≡ 274 PEV 0.20 SVM classifier 0.10 P FA + P MD P E = min 0 2 0 0.05 0.10 0.15 0.20 P FA Payload (bpac) Overtrained to incomplete model On Dangers of Overtraining Steganography to Incomplete Cover Model 5 / 14
Optimized ± 1 embedding in JPEG domain Minimal-distortion steganography [Filler 2011] Adaptive scheme with empirically designed distortion function: N N . . . number of changeable � D ( x , y ) = ρ i ( x , y i ) , coefficients i =1 where ρ i ( x , y i ) ∈ R is the cost of changing x i → y i Costs are functions of inter- and intra-block neighbors optimized w.r.t. given model (feature space) Will be abbreviated MOD (Model Optimized Distortion) On Dangers of Overtraining Steganography to Incomplete Cover Model 6 / 14
Details of MOD algorithm Optimize parameters of the cost function To minimize the margin of linear SVM in F Nelder-Mead simplex-reflection algorithm Fixed misclassification cost C Less than 100 images needed Feature space F ≡ 548-dim CC-PEV [Kodovský 2009] CC-PEV = PEV enhanced by Cartesian calibration Preliminary experiments showed no indication of overtraining Different calibration cropping CDF = CC-PEV + SPAM features [Pevný 2009] On Dangers of Overtraining Steganography to Incomplete Cover Model 7 / 14
Histogram of changed DCT coefficients Payload 0.10 bpac 60 Histogram 40 20 0 -30 -20 -10 -2 2 10 20 30 Changed DCT coefficient x i CC-PEV: inter-block co-occurences are constrained to [-2,2] 95% of changes are made out of the model On Dangers of Overtraining Steganography to Incomplete Cover Model 8 / 14
Extending the model 0.5 SVM classifier CC-PEV Classification error P E 0.4 P FA + P MD 0.3 P E = min 2 P FA 0.2 co-occurence 0.1 model out of model Dimension (2 T + 1) 2 0 0 2 4 6 8 10 Range of the co-occurence matrix T Extending inter-block co-occurences compromises the security We can extend the range of other parts of the CC-PEV model On Dangers of Overtraining Steganography to Incomplete Cover Model 9 / 14
Attacking MOD algorithm 0.50 Performance in F Classification error 0.40 Out of model 0.30 F ≡ 548 CC-PEV 0.20 Extended co-occurence and Markov features 0.10 Dimension 882 0 0 0.05 0.10 0.15 0.20 Payload (bpac) Optimization moved changes out of the incomplete model On Dangers of Overtraining Steganography to Incomplete Cover Model 10 / 14
HUGO Minimal distortion steganography in spatial domain [Pevný 2010] BOSS (Break Our Steganographic System) F . . . 3D co-occurence matrices of pixel differences For differences d = ( d 1 , d 2 , d 3 ) . . . co-occurence bin value C d ( x ) T = 90 ⇒ dimension 2(2 T + 1) 3 = 11 , 859 , 482 Distortion function - weighted L 1 -norm in F T 1 � D ( x , y ) = · | C d ( x ) − C d ( y ) | 1 + || d || 2 d 1 ,d 2 ,d 3 = − T On Dangers of Overtraining Steganography to Incomplete Cover Model 11 / 14
Model weakness Abrupt end at T = 90 ⇒ model treats pixels above T differently 3D co-occurence is sparse around T = 90 ⇒ form marginals h i ( x ) . . . number of adjacent pixel pairs whose difference is i 200 cover 180 Count 160 140 120 100 84 86 88 90 92 94 96 98 Histogram bin h i On Dangers of Overtraining Steganography to Incomplete Cover Model 12 / 14
Model weakness Abrupt end at T = 90 ⇒ model treats pixels above T differently 3D co-occurence is sparse around T = 90 ⇒ form marginals h i ( x ) . . . number of adjacent pixel pairs whose difference is i 200 cover 180 stego (0.4 bpp) Count 160 140 120 100 84 86 88 90 92 94 96 98 Histogram bin h i On Dangers of Overtraining Steganography to Incomplete Cover Model 12 / 14
Attacking HUGO with 4 features Almost payload-independent detection Works better on noisy and textured images Abrupt end of model creates security weakness 0.50 Classification error P E 0.40 0.30 Features { h 89 , h 90 , h 91 , h 92 } 0.20 0.10 0 0 0.10 0.20 0.30 0.40 0.50 Payload (bpp) On Dangers of Overtraining Steganography to Incomplete Cover Model 13 / 14
Conclusions Overtraining to simplified cover model seems to be a common security flaw of modern schemes It is difficult to find a good (complete) model for cover images Steganography: high dimension is not sufficient Steganalysis: high dimension is not necessary Straightforward security improvements: HUGO . . . increase T = 255 MOD embedding . . . increase range in CC-PEV Suggestion: use rich and diverse models On Dangers of Overtraining Steganography to Incomplete Cover Model 14 / 14
Recommend
More recommend
