I have seen some of the algorithms which are used to detect if a file is a stego-file or not, but all those algorithms check for specific patterns and are not universal. Maybe there are universal detection systems, but I have not seen them yet.
Situation:
When a message is hidden in an image, I want to check for all the possible ways that it may be a stego-file - given that I don't have the original file.
Problem:
I have no idea where to start.
Any help will be appreciated. Thanks
There can be no universal algorithm to detect steganography.
You can implement a series of tests against every known specific steganographic system in existence. But an attacker can use that as a test to develop a new form of steganography that bypasses all existing tests.
What you'll need to do is start researching all the various known forms of stenography in existence today, and provide tests that identify each one. Least Significant Bit is just one of dozens of known techniques.
Alternately, you can look to tools that others have developed. See outguess.org for a ten-year-old project that tried to do something like this. One novel thing the authors of stegdetect did was to be able to provide a set of plain images, then include samples of those images known to contain steganography. Using linear discriminant analysis, they are able to create a detection function based on the differences.
Steganography relies on the latent noise-to-signal ratio of the analogue source material. The "least significant" bits (actual bits will depend on codec) are overwritten by an encrypted stream of secondary "stego" bits such that the primary public content of the image is not destroyed or distorted with notable artefacts.
If the steganographic tool didn't perform histogram analysis on the noise patterns of the least significant bits and then adjust the secret payload accordingly (with a corresponding reduction of max payload size) - then a scanner can simply check for least significant bits that are too random. That is, due to the pseudo-random nature of most encryption protocols of a steganographic toolkit instead of natural CCD noise.
And often even if the exact pre-altered original image isn't available, the scanner does have a database of similar images and histogram profiles. So if the histogram for that class of image (e.g. photo of fireworks at night) is suspect, the image can be flagged as possibly altered.
Of course the scanner doesn't have to be passive if the scanner has the authority to alter images! If it can alter images, it can simply mangle the least significant bit range to destroy any steganographic data without needing to know if there was any.
Even saving from one lossy format to another can mangle the least significant bit range. This is in fact the problem that "secret" digital watermarks have versus visible digital watermarks.
The whole point of steganography is to avoid detection. A "universal test" for steganography would be a constructive proof that steganography is not possible. However, no proof (constructive or not) of the impossibility of steganography is currently known. This implies that no "universal test" for steganography is currently known -- and it is not known whether such a test is even possible.
We can still say a few things. For instance, steganography relies on:
Variability in data. There must be some room for encoding the hidden message. If the complete message format is fixed down to the last bit, then there is no way to include an extra message. That variability must not alter the apparent meaning of the data.
A secret convention. The recipient of the data must know that there is a hidden message, and how to find it.
Among the tools for steganography, an important one is encryption: symmetric encryption has the ability to transform arbitrary data into a sequence of bits which will have the same probability distribution as random noise. The message recipient, of course, knows the decryption key: it is part of the secret convention. Thus, a good steganography tool will begin by an encryption layer. A consequence is that if the medium is in a format which "naturally" allows for some random noise to appear (e.g. a photograph), then steganography will be possible and very hard to detect, even if the method is completely known (because nothing looks more like random noise than random noise).
A common tool against steganography is compression. The basic premise of lossy compression (as is used for media files, e.g. MP3 or JPG) is that irrelevant details can be removed from the file, where "irrelevant" means "does not alter the perceived meaning of the data". Random noise will be tracked and removed by compression. Therefore, compression tends to be at odds with steganography. If you write a filter which automatically recompresses (aggressively) all pictures sent by email, then you will not detect steganography, but you will have made it much harder. In that sense, steganography shares some characteristics with watermarking.
However, some kinds of steganography seem impossible to detect and defeat. For instance, I can use the following convention with a correspondent: next week, I will send him a binary information (a "yes/no") hidden in a photograph of a cat; the binary information will be "yes" if the cat looks to the left of the photograph, and "no" if the cat looks to the right.
That's really the million dollar question. The NSA and other organizations have spent lots of money trying to come up with reliable ways to recognize them. I'm not sure the current state of the art, but I know a mathematician that was actually working on analyzing steganography back in the early 2000s to try to identify a reliable way to identify what images contain messages.
I don't know what progress he made for obvious reasons, but the entire point of a steganography system is to conceal the message with as little noticeable change as possible. If the system is poorly designed, it may leave evidence behind of it's alteration, but a well done solution shouldn't leave a statistical trace that can be identified without knowing what you are looking for.
There's a TED talk addressing the issue of manipulated photos being published as originals. I can't find it at the moment.
The speaker developed a way to identify manipulated photos by comparing the pixels of a JPG image. I suspect this could be used to detect steganography. I also suspect this isn't relevant to other image types.
You can check this by the way, that steganography is mostly
For example, in case of a picture, we could see as we smaller and smaller details of the picture analyze (mostly, but not always, the least significant bits), we get noisier and noisier data. If there is some type of hidden information, we will found a sudden redundancy in this region.
