Stegdetect 0.4 released and results from USENET search available

Arnold G. Reinhold reinhold at
Fri Dec 28 13:41:36 EST 2001

At 4:33 AM -0500 12/28/01, Niels Provos wrote:
>In message <v04210101b84eca7963ad@[]>, "Arnold G. Reinhold" writes:
>>I don't think you can conclude much from the failure of your
>>dictionary attack to decrypt any messages.
>We are offering various explanations.  One of them is that there is no
>significant use of steganography.  If you read the recent article in
>the New York Times [1], you will find claims that "about 0.6 percent
>of millions of pictures on auction and pornography sites had hidden

I certainly can't imagine any group or activity that would generate 
the hundreds of thousands of stego messages a 0.6 percent rate 

>>2. The signature graphs you presented for several of the stego
>>methods seemed very strong. I wonder if there is more pattern
>>recognition possible to determine highly likely candidates. I would
>>be interested in seeing what the graphs look like for the putative
>>false alarms you found. It also might be interesting to run the
>>detection program on a corpus of JPEGs known NOT to contain stego,
>>such as a clip art CD.
>The following slides contain examples of false-positives
>In my experience, eliminating false-positives is not quite that easy.
>Some graphs look like they should have steganographic content even
>though they do not.  Any test will have a false-positive rate, the
>goal is to keep it very low.

In general you are of course correct. But this particular case may be 
an exception. I am not a stego maven, and before reading your paper, 
it never occurred to me that some stego software would be designed to 
place message bits in the first n available slots. Spreading them 
pseudo-randomly seems so easy and so obvious a win.  However, since 
much software out there does use first n slot message placement, 
detection of such messages may be possible with a very high signal to 
noise ratio. The graphs in your papers, with very flat tops and 
bottoms and steep skirts suggest that to me.  They are very different 
from the false-positive graphs in the slides above. It may possible 
to distinguish them with high enough confidence to be able to assert 
the presence of stego messages even if they cannot be decrypted.

Arnold Reinhold

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list