SECURWARE 2023, The Seventeenth International Conference on Emerging Security Information, Systems and Technologies
Authors:
Bernhard Birnbaum
Christian Kraetzer
Jana Dittmann
Keywords: stego-malware communication scenario; multi-class steganalysis and attribution
Abstract:
Stego-malware, which hides malicious functionality using steganographic communication channels, is becoming increasingly common in today's attack scenarios. Cybersecurity capabilities against such malware include prevention, detection, response and attribution tasks. In this paper, we focus on JPEG images and the attribution task by investigating a set of very simple signature-based steganalysis features for stego-malware attribution, attempting to identify the embedding algorithm used in a multi-class problem. First, the communication scenario in stego-malware is discussed by showing how the warden (observer) setting differs from the typical communication setup in steganography (known as the 'Alice and Bob (A-B) scenario'), so that a simple (non-blind) cover-stego pair analysis can be used alongside blind steganalysis. For our considered stego-malware case, the stego communication is redefined as an attacker-to-attacker (A-A) scenario by extending the capabilities of the warden. Second, because the stego approaches often used in malware are very simple, basic assumptions from steganography are not well incorporated in the malware design. This motivates us to study simple, classically known steganography approaches to simulate stego-malware attribution capabilities using five long-standing, well-known steganography tools. Four simple signature-based and two content-based features are derived for the attribution of five stego algorithms, and their performance is validated in a multi-class comparison. Using a test set of 1000 randomly selected original cover images from the Alaska2 dataset, the feature set for attribution of the five algorithms and its individualisation properties are investigated exemplarily for two different capacities (low: 26 bytes and high: 2.1 kBytes) and two different embedding keys (one long and one short), also considering a recompression case for the low capacity. A single and double recompression of the 1000 Alaska2 images used and the Flickr dataset with its 31,783 images are performed to determine the false positive detection performance on image data without steganographic embedding. The results show the differences in stego-algorithm attribution performance per feature and algorithm.
Pages: 33 to 42
Copyright: Copyright (c) IARIA, 2023
Publication date: September 25, 2023
Published in: conference
ISSN: 2162-2116
ISBN: 978-1-68558-092-6
Location: Porto, Portugal
Dates: from September 25, 2023 to September 29, 2023