Thesis about stenography

Instead, it could be fake cover documents that are designed to mislead the adversary. In this manner, digital steganography can be used legitimately as a covert channel to conceal the existence of encrypted communications (Wendzel et al.). CIKR vulnerabilities (Wendzel et al.). Which specific APT groups are using digital steganography to evade malware detection matters much less than the fact that this practice has been discovered on multiple occasions, which confirms that it is a serious cyber threat that warrants monitoring.

This anomaly may be partly due to a lack of centrally located malware reporting, with each AV company, LE and IC agency maintaining its own repository. However, it is more likely due to the difficulty of cyber attribution for each unique piece of malware discovered on the Internet. APT groups with skilled malware authors are not typically in the habit of leaving a breadcrumb trail that makes it easy to attribute malware back to its source.

The highly sophisticated examples of malware are designed for custom modification even after deployment by APT groups that may be spying on behalf of Nation-states. The days of simple Morris worms and Melissa viruses (Potter) are over; a new era has dawned, an era of polymorphic malware that hides itself using digital steganography and spreads itself invisibly through insecurely designed network protocols. The impetus for investing such a great deal of time and resources to develop this highly sophisticated Nation-state APT malware is proportional to the effort invested in attempting to hide the existence of the malware.

No APT group wants to invest substantial resources of work hours, money, and effort into developing a sophisticated malware toolkit only to have it discovered by adversaries or an AV software company within a few weeks of initial deployment. There can be no mistaking the fact that APT-level malware such as Regin is purposely designed to avoid detection for as long as possible through information hiding techniques built on digital steganography. The HTML or. Malware authors have already begun to see the full potential of incorporating digital steganography into their malware code, a trend that will surely continue to expand over time as its popularity increases.

Digital steganography is already known to have been used for data exfiltration e. The cybercriminals behind AdGholas cleverly employed the services of over a hundred different online digital ad exchanges to propagate image-based advertisements. They then used digital steganography as the means to hide the existence of encrypted JavaScript code i.

The AdGholas example demonstrates the creative lengths malware developers will go to escape AV detection and also highlights the underlying theme which is that most malware is created purely for profit. For any malware campaign to be effective, it needs to use commonly accessed data and network traffic protocols distributed by trusted sources to remain undetected and achieve maximum payload effect.

Over time, digital steganography compression algorithms and steganographic software application-embedding techniques continue to improve, such that developers have made near-noiseless i. Social media networks such as Facebook, Twitter, Instagram, and YouTube all operate with enormous user bases, with Facebook alone numbering over 2 billion users. These user bases consist of personally created user accounts that may require as little as a first and last name, a chosen username, an email address, and a password to access the account.

It is not surprising that many users do not use their real names on these social media platforms, whether for security reasons or because they have something to hide. It is possible to write custom scripts that automatically generate bot accounts with different usernames and user characteristics, all controlled by a botmaster. The concern in this context is the human psychological tendency to be susceptible to peer pressure. The implications are substantial if enough of these bot accounts were controlled by a botmaster and used to sway popular opinion on political matters, as is alleged to have occurred by the Russian GRU Intelligence organization during the U.S. Presidential election (Shane).

Traditionally, network forensic investigations have yielded evidence that botnets have primarily been controlled by botmasters via Internet Relay Chat (IRC) or Peer-to-Peer (P2P) network protocols (Venkatachalam).

However, network security analysts are not able to detect and monitor malicious network traffic when digital steganography is used in combination with malware. The potential for social media Stegobots to be used by adversary Nation-state Intelligence organizations, such as the Russian GRU, as a political mechanism to sway popular opinion on important issues is not a threat that should be taken lightly. The Russians have proven very adept at cyber espionage techniques in attempts to hijack several international democratic elections in the recent past, the U.S. Presidential election notwithstanding. The problem is exacerbated by the potential for normal user accounts to become infected with malware, perhaps by unsuspectingly clicking a news article link within a Facebook post, or even by merely viewing an image, which downloads the image to the computer and thereby infects it with the hidden malware (Soltani et al.). This phenomenon is reported to have happened to a verified Twitter user who stopped using her account in and who later learned that, unbeknownst to her, the account had been hacked in November and used for political propaganda purposes to spam targeted Twitter users such as Presidential candidate realDonaldTrump who could sway popular opinion during the U.

Whether digital steganography played a part in this is not known, but it is certainly plausible that it could have been used in combination with malware to compromise social media accounts. If not detected and stopped by the social media platform system administrators or reported by suspicious users, the Stegobot army could grow exponentially unabated, eventually consisting of tens or hundreds of thousands of Stegobot social media accounts.

Facebook and Twitter have reportedly identified and shut down thousands of suspected Russian bot accounts in the wake of the U. This type of cyber attack is known as an information warfare attack, which has been happening for several years between the U. It is possible to analyze social media account profile feature attributes to determine whether a user account is real or possibly a bot account. However, it is not feasible to conduct such a level of analytic scrutiny on a wide scale without some automated scanning tool such as an application programming interface (API) (Venkatachalam).

Network forensic analysts can detect a Stegobot by using a form of steganalysis based on Discrete Cosine Transform (DCT) feature analysis, which compares the binary bit composition of image files against known digital steganography compression algorithms while also analyzing noise frequency to detect the presence of stego-file content (Venkatachalam).

Countering Digital Steganography with Steganalysis

Whereas the goal of steganography is to hide information in plain sight within cover files, steganalysis is the science of detecting steganography.

The number of steganography applications available, many of them free to download on the Internet, now exceeds twelve hundred, while significantly fewer steganalysis applications are available. This imbalance demonstrates the difficulty of successful digital steganography detection using the available steganalysis tools.

These three blind steganalysis detection techniques each offer a measure of accuracy in detecting a stego-payload, and sometimes merely detecting the presence of digital steganography in a carrier file is sufficient to achieve the desired effect of altering the file and thus rendering the hidden information unreadable by the intended recipient (Wingate et al.). Steganalysis detection is equivalent to a compromise of secrecy. Another steganalysis technique is signature-based detection, which is similar to the virus and malware signatures that AV software uses in scans to detect known viruses and malware on a protected computer.

If the file hashes are different, then a user knows that the file has been altered in some way. An altered file could represent the presence of digital steganography.

Hashing has long been used by software vendors who post software on websites so that users know that the file downloaded is authentic after hashing it and comparing the two values prior to installation. It is possible, however, that an attacker could hack the website and replace the downloadable file with malware and post a hash of the malware executable file making it appear legitimate to potential users wanting to download what would otherwise appear as a normal program.

Unless the vendor is actively auditing the Web server logs, it would not necessarily become aware that it had been hacked, and the malware downloads would continue until it was later determined that the file had been swapped out. Although this is not a digital steganography example, it provides another perspective on how devastating plain-view attacks can be without proper safeguards in place.
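As an added example, not from the thesis or any vendor, the two checks discussed above run side by side: a hash comparison, which reveals that a file was altered, and a statistical steganalysis check, which tells whether the alteration has the footprint of LSB embedding. The pairs-of-values chi-square test (Westfeld and Pfitzmann) stands in for the DCT feature analysis mentioned earlier; the grayscale cover image and the LSB-overwrite simulation are constructed here and produce no real stego tool output.

```python
import hashlib
import random

WIDTH, HEIGHT = 64, 64  # constructed 8-bit grayscale image, row-major bytes


def make_cover(seed=1):
    """Constructed cover: a smooth gradient quantized to even values with a
    sprinkling of odd values, so each pair of values (2k, 2k+1) has the
    uneven counts typical of a posterised natural image."""
    rng = random.Random(seed)
    pixels = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            v = (x + y) & 0xFE          # even gradient value 0..126
            if rng.random() < 0.15:     # ~15% of pixels get the odd value
                v |= 1
            pixels.append(v)
    return bytes(pixels)


def simulate_lsb_embedding(cover, seed=2):
    """Simulate sequential LSB embedding of an encrypted payload by replacing
    every least-significant bit with a random bit (no message is embedded)."""
    rng = random.Random(seed)
    return bytes((p & 0xFE) | rng.getrandbits(1) for p in cover)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def integrity_check(published_hash, received):
    """The vendor-hash check from the text: any change, even one bit per
    pixel, yields a different digest."""
    return sha256_hex(received) == published_hash


def chi_square_pov(pixels):
    """Pairs-of-values chi-square over the two cells (2k, 2k+1) of each pair.
    LSB overwriting drives both counts toward their mean, so the statistic
    collapses to about one per degree of freedom on stego data."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            stat += ((even - expected) ** 2 + (odd - expected) ** 2) / expected
            dof += 1
    return stat, dof


def looks_lsb_embedded(pixels, ratio_threshold=2.0):
    """Flag when the statistic per degree of freedom is near 1, the value
    expected once the LSB plane has been randomised; clean covers sit far above."""
    stat, dof = chi_square_pov(pixels)
    return stat / max(dof, 1) < ratio_threshold
```

On the constructed cover the ratio is roughly 30, and after the simulated embedding it drops to roughly 1, while the SHA-256 digests of the two byte strings differ even though no pixel changed by more than one level.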

The more advanced preventive network devices, such as firewalls, and reactive AV software perform both signature- or string-based scanning and heuristic, or behavior-based, malware detection analysis of key components of the computer operating system such as the file registry (Do et al.).

Technological advancements in anti-malware detection are important because malware costs the world economy hundreds of billions of dollars per year and wastes billions of hours to respond to and fix (Do et al.). Different threat analysis models and formulas can be used to mitigate risk to the greatest extent possible. Game theory, for instance, can be used to juxtapose two opposing forces such as cyber attackers and cybersecurity defenders (Do et al.). Think of it as a game of mud football where each team attempts to stack the deck in its favor by selecting the best players that will help achieve victory over the other team.

Game theory then pits each action and predicted counter-action against each other until an expected outcome is derived that demonstrates the balance relationship between cyber attacker and defender (Do et al.). Game theoretical approaches to digital steganography can be applied by assigning a set of numerical values to the steganographer and the steganalyst, indicating their respective abilities to modify file content and detect file modification, which helps to evaluate design options for steganalysis detection tools (Do et al.). There are stego-only attacks, known-cover attacks, known-message attacks, known-stego attacks, chosen-stego attacks, chosen-message attacks, and disabling or active attacks (EC-Council).

Each of these classifications of steganography attacks involves different elements of the cover medium file, the hidden message, or the stego-file. Disabling or active attacks include some amount of image blurring, noise reduction, sharpening, rotation, resampling, and softening of images used to embed hidden messages, to further reduce the chances of steganalysis detection (EC-Council). NIST specifically addressed the threat of digital steganography in three different security controls: protection against the covert exfiltration of information across network boundaries (SC-7(7)), malicious code hidden through the use of digital steganography (SI-3), and information system monitoring (SI-4(18)) to detect covert data exfiltration (Wingate). To date, however, the only commercial enterprise to have developed a product capable of performing real-time network scanning for digital steganography application signatures is Backbone Security (Wingate). These services are provided for a subscription fee, and the fact that only one company offers this service makes it a very lucrative position to capitalize on, considering that NIST publishes cybersecurity guidance and requirements for the entire Federal government, including the Department of Defense (DoD).


Certainly there are other steganalysis application vendors that organizations can choose from, but none of them offer the real-time network scanning service tied to a signature repository database that Backbone Security offers.

The purpose of this section is to explain the research methodology and design approach that will be used to create the detailed research plan for this study. This section is compartmentalized to cover the research questions, hypotheses, identification and operationalization of variables, data collection, summary, and limitations of the research involved in this study; some of these were mentioned earlier in the paper but were not sufficiently explained there.

Digital steganography by itself is a challenging subject to study due to its extremely technical nature and the rarity of detection in the wild, which does not lend itself to an abundance of relevant case studies. Narrowing the research aperture further, to instances in which digital steganography was used in conjunction with malware specifically as a mechanism for escaping detection, makes research exponentially more challenging. However, there are enough documented cases of digital steganography-infused malware for this study to draw on. It is for this reason that research of cases in which digital steganography was used to evade malware detection must be considered predominantly academic and theoretical, due to the rarity of available case studies.

Research for this study focused on a somewhat limited pool of published scholarly and peer-reviewed literature that details instances where and when digital steganography was found to have been used as an advanced malware detection evasion technique.

Additionally, controlled experiments involving the upload of a cover medium file containing embedded stego-file data to the Internet via various ISP sites such as YouTube, Facebook, and Twitter will provide invaluable research results on whether digital steganography application signatures are being scanned for by some of the most popular ISPs (Barwise). The primary thesis research question for this study is:

Is digital steganography being used by malware developers as an advanced evasion technique? Given where the primary thesis research question begins, it can logically be dissected further into the following supplemental research questions: Is it probable that popular Internet content host sites are being used to propagate malware using digital steganography?

Does adversarial use of malware that incorporates digital steganography to evade detection pose significant threat implications for U. This study intends to prove or disprove three hypotheses derived from the study research questions. These hypotheses will be evaluated qualitatively through analysis of the historical data gathered during the literature review, and quantitatively by conducting controlled experimental tests that involve stego-file injection uploads to selected ISP website platforms. If there is enough recent and relevant evidence to suggest that malware creators are incorporating digital steganography as an advanced malware detection evasion technique, then it can be assumed that its use has become a new, widespread evasion tactic among malware creators.

If ISPs do not have the means to or choose not to scan for digital steganography, then cyber threat actors will use these ISP platforms to post illegal content or propagate malware using digital steganography. If cyber threat actors are successfully employing digital steganography to hide malware within seemingly normal data traffic that evades malware detection, then the United States CIKR, private industry, and ISPs are all at risk of malware infection that could potentially cripple the entire nation.

Qualitative analysis of the results of the literature review, together with quantitatively analyzed controlled comparative experiments, will determine whether it is currently possible to inject hidden data into cover medium files and upload the modified files to popular social media sites.

Qualitative analysis will be used to study the prevalence of malware that used digital steganography to evade detection on the Internet. A comparative experimental research design is the best option for finding the prevalence of a phenomenon such as malware that incorporates digital steganography on the Internet and for comparing data files that may or may not contain steganography.

This study will use analysis of information, historical data, and controlled experiments to either prove or disprove the given hypotheses. For this study, the research will focus primarily on malware that has been discovered to incorporate digital steganography for the specific purpose of evading anti-malware software detection.

Identification and Operationalization of Variables

Research variables were identified during the literature review. The major variable at play in this study is digital steganography-infused malware. Other variables involved are the multitude of Internet content host provider sites a.

This research study also attempts to establish a correlation between digital steganography-infused malware and cyber threat implications to U. Cryptography is an extraneous variable that, when combined with digital steganography, further exacerbates the difficulty of accessing embedded encrypted data following steganalytic detection. Comparative and exploratory methodologies are used to identify instances where digital steganography was used as an advanced malware detection evasion technique on the open Internet (Kumar).

Each of the three research questions of the study is addressed in a different section of this thesis. The primary research question, whether digital steganography is being used by malware developers as an advanced evasion technique, is addressed by citing specific examples discovered in the literature review.