Stegdetect 0.4 released and results from USENET search available
Arnold G. Reinhold
reinhold at world.std.com
Fri Dec 28 13:41:36 EST 2001
At 4:33 AM -0500 12/28/01, Niels Provos wrote:
>In message <v04210101b84eca7963ad@[192.168.0.3]>, "Arnold G. Reinhold" writes:
>>I don't think you can conclude much from the failure of your
>>dictionary attack to decrypt any messages.
>We are offering various explanations. One of them is that there is no
>significant use of steganography. If you read the recent article in
>the New York Times [1], you will find claims that "about 0.6 percent
>of millions of pictures on auction and pornography sites had hidden
>messages."
I certainly can't imagine any group or activity that would generate
the hundreds of thousands of stego messages a 0.6 percent rate
implies.
>
>>2. The signature graphs you presented for several of the stego
>>methods seemed very strong. I wonder if there is more pattern
>>recognition possible to determine highly likely candidates. I would
>>be interested in seeing what the graphs look like for the putative
>>false alarms you found. It also might be interesting to run the
>>detection program on a corpus of JPEGs known NOT to contain stego,
>>such as a clip art CD.
>The following slides contain examples of false-positives
>
> http://www.citi.umich.edu/u/provos/papers/detecting-csl/mgp00023.html
> http://www.citi.umich.edu/u/provos/papers/detecting-csl/mgp00024.html
>
>In my experience, eliminating false-positives is not quite that easy.
>Some graphs look like they should have steganographic content even
>though they do not. Any test will have a false-positive rate, the
>goal is to keep it very low.
In general you are of course correct. But this particular case may be
an exception. I am not a stego maven, and before reading your paper,
it never occurred to me that some stego software would be designed to
place message bits in the first n available slots. Spreading them
pseudo-randomly seems so easy and so obvious a win. However, since
much software out there does use first n slot message placement,
detection of such messages may be possible with a very high signal to
noise ratio. The graphs in your papers, with very flat tops and
bottoms and steep skirts suggest that to me. They are very different
from the false-positive graphs in the slides above. It may possible
to distinguish them with high enough confidence to be able to assert
the presence of stego messages even if they cannot be decrypted.
Arnold Reinhold
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list