Imtiaz sajid’s Weblog

Stego Intrusion Detection System

Posted by isajid on March 20, 2008

Authors: Michael Sieffert, Rodney Forbes, Charles Green, Leonard Popyack, Thomas Blake

Link: dfrws.org/2004/day3/D3-Sieffert-SIDS.pdf

Importance to my research: Low

MY REVIEW

Stego Intrusion Detection System (SIDS) is placed inside the firewall. SIDS is a gateway to the internet, which means inbound and outbound traffic is monitored. It is not clear whether SIDS is installed on every computer of the organization or on the server only. In the case of end-node installation, the SIDS daemon takes its share of CPU cycles and probably works on the top layer of the network model. SIDS has been developed with a modular design approach so that new steganalysis algorithms can be dynamically integrated.

Many limitations have been discussed:

1. Images used for stego purposes come in various formats such as JPEG, BMP etc. SIDS lacks a layer which converts an input image into a standard format.

2. It cannot work on multiple segments, because it does not support port mapper.

3. It works on the application layer, so encryption may not be identified.

Cite this article as
Critical Review on “Stego Intrusion Detection System” by I. Sajid, 20th Mar, 2008. Available

Posted in Stegnoanalysis

Design & Implementation of a secret key steganographic micro-architecture employing FPGA.

Posted by isajid on March 10, 2008

Authors: Hala Farouk, Magdy Saeb

Year – 2004

Published in – Proceedings of the Design, Automation and Test in Europe Conference and Exhibition Designers’ Forum (DATE’04)

Link: csdl.computer.org/comp/proceedings/asp-dac/2004/2543/00/25430577.pdf

Importance to my Research – Very High

MY REVIEW

In this paper a stego algorithm has been implemented on an FPGA. The basic objective of this algorithm is to select 2 bits of the message and then replace the zero and eight bits of the cover with the message bits.

The micro-architecture (MA) for the algorithm implementation has been discussed. The MA is divided into an embedded processor (EP) and SDRAM. The EP consists of an address generator, Stegoblock, status and state registers, message cache, key cache, counters, multipliers, address extender and control unit. The address generator (AG) is further divided into memory of pointer (MP), shuffler, and shift & concatenation.

MP: It has 64 eight-bit counters.

Shuffler: It receives 512 bits from the MP and 8 bits from the key. On the basis of these 520 bits, it transmits one counter to the shifter. The shuffler can select one counter out of 64 with the help of 8 bits from the key. What is the use of the 512 bits? The issue of range and non-uniform distribution of the key counter has been discussed well.

Stegoblock: It just hides two bits of the message in the frame.

Status and state registers: On the basis of the message counter and key counter, 10 bits are fed to the status register; these bits are then set or reset and sent to the controller. The controller generates 3 bits for the state register.

Message cache: A block of 256 words starting from memory location 131072 is cached. The authors claim that addressing a word in SDRAM takes 8 to 9 cycles, while accessing words in the cache requires just one cycle.

Key cache: 8 bits out of the 32-bit key are used for selection of the block. The big question here is about the selection of the 32 bits: whether it is a random process, fixed, or formula based. In the last two cases it would be trivial, and in the case of a random process it will open another door of complexity.

Counters: Message and key counters are used to track how much of the message has been hidden in the cover. The counter value decides whether a new block of the message is to be loaded into the cache or the whole message has been hidden in the cover.

Address and data multiplier: The control unit feeds signals to the multiplexers in order to select the appropriate data and address in memory.

Control unit: It consists of a decoder, state register and logic gates. It produces 7 bits for the data multiplexer and 3 bits for the address multiplexer.

SDRAM: 16MB SDRAM is organized in 4096 rows x 512 columns x 4 banks.

My Finding:

The message and key interfaces are not clear in this micro-architecture. The message is already present at memory location 131072; this location should be encrypted by a certain formula. The cover word is also fixed at location 5544hex of SDRAM. The whole story is to replace two fixed bits of the cover with the message. The following confusions arise:

  1. When the message and cover are already present in SDRAM, why are extra cycles consumed to first bring this data into the caches, then update it and finally write it back?
  2. The interface for the input video/audio frame is not described.
  3. Nothing is clear about the message data, for example its statistical nature, meaning which range the message values should be in.

Cite this article as
Critical Review on “Design & Implementation of a secret key steganographic micro-architecture employing FPGA” by I. Sajid, 10 March, 2008.

Posted in FPGA implementation

Steganalysis Based on Differential Statistics

Posted by isajid on March 10, 2008

Authors: Zugen Liu, Lingdi Ping, Jian Chen, Jimin Wang, and Xuezeng Pan

year- 2006

Published in – CANS 2006, LNCS 4301, pp. 224–240, 2006.

Link: www.springerlink.com/index/28740k00w2901219.pdf

Importance to my Research – High

MY REVIEW

Steganography is the art of hiding data in multimedia files for unauthorized communication. Steganalysis is the reverse process of steganography, through which hidden data is identified. Network steganography intrusion detection system (SIDS) has been introduced for security purposes.

Targeted SIDS is specific to an algorithm, therefore its scope is narrow while it is efficient. On the other hand, the blind strategy is based on the assumption that images are correlated. In this paper different techniques like histogram characteristic function (HCF), centre of mass (COM) and least significant bit (LSB) have been discussed. Differential statistics (DS) and multi-domain (MD) have been proposed by using HCF & COM.

Secure spread spectrum watermarking (SSSW) and DCT-based watermarking (DCTW) have been applied to grayscale raw images, while feature-based and multi-class techniques were applied to JPEG images. The differential operator is treated as a high-pass filter, so the variable parts that were possibly changed through steganography are identified. A histogram was used to count the frequencies of the high-order differentiations. Differences between histograms reflect the hidden data. In some situations the hidden data is not clear through the above technique; then a co-occurrence matrix is used. The co-occurrence matrix is a relation between the higher-order differentiations and their locations. Co-occurrence matrices with high-order differentiations have shown the covered data clearly.
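As an added illustration (not code from the paper or from this blog), the sketch below computes the HCF centre of mass over a histogram of first-order horizontal differences, a simplified stand-in for the paper's higher-order differential statistics. The cover image is constructed and all function names are hypothetical; the COM drops once LSB replacement disturbs the difference histogram.

```python
import cmath
import random

def diff_histogram(img):
    """Histogram of first-order horizontal differences; bins cover -255..255."""
    hist = [0] * 511
    for row in img:
        for a, b in zip(row, row[1:]):
            hist[b - a + 255] += 1
    return hist

def hcf_com(hist):
    """Centre of mass of the histogram characteristic function (|DFT| of hist)."""
    n = len(hist)
    bins = [(i, h) for i, h in enumerate(hist) if h]   # skip empty bins
    num = den = 0.0
    for k in range(n // 2 + 1):                        # non-redundant half only
        w = -2j * cmath.pi * k / n
        mag = abs(sum(h * cmath.exp(w * i) for i, h in bins))
        num += k * mag
        den += mag
    return num / den

def lsb_embed(img, rate, rng):
    """LSB replacement with random payload bits in a fraction `rate` of pixels."""
    return [[(p & ~1) | rng.getrandbits(1) if rng.random() < rate else p
             for p in row] for row in img]

def make_cover(rng, rows=64, cols=64):
    """Constructed smooth cover: each row is a small-step random walk."""
    img = []
    for _ in range(rows):
        p, row = 128, []
        for _ in range(cols):
            p = min(255, max(0, p + rng.choice((-1, 0, 1))))
            row.append(p)
        img.append(row)
    return img

def demo(seed=2008):
    """Return {embedding rate: HCF COM} for one constructed cover image."""
    rng = random.Random(seed)
    cover = make_cover(rng)
    return {rate: hcf_com(diff_histogram(lsb_embed(cover, rate, rng)))
            for rate in (0.0, 0.5, 1.0)}

if __name__ == "__main__":
    for rate, com in demo().items():
        print(f"embedding rate {rate:.1f}: HCF COM = {com:.1f}")
```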

In the DCT domain, secret data has been embedded in non-zero and low-frequency coefficients, because DCT(0,0) is the DC coefficient of the 8 x 8 DCT block. DCT(0,0) contains a significant fraction of the total image energy.

In the spatial domain, secret data is frequently embedded in the DCT boundary coefficients, and the high-order differential statistic is the solution to capture the hidden data.

Three stego algorithms, MB1, MB2 and Steghide, were introduced. MB1 modifies values for JPEG, while MB2 uses the same strategy with one half of the capacity reserved for modification. Differential statistic (DS) and MD are steganalytic algorithms, and they have been demonstrated with two parameters, false positive and detection rate.

The method of calculating the feature vector of HCF and COM for grayscale and JPEG images has been discussed in this paper. The dimensionality of the feature vector is reduced to 3-D by applying the Principal Component Analysis (PCA) method. The three principal eigenvalues contain above 99% of the weight of the total feature vector. PCA uses the principal values for the classification. The distribution of CorelDraw and Washington covers with variation of alpha (parameter) has been shown in 3-D space thanks to PCA. A linear classifier can be applied for CorelDraw covers in figure 4.

In figure 5(b), the author has shown the distribution for CorelDraw using Steghide with 64 x 64 only. Distributions for other Steghide cases and other stego algorithms should also be considered for a complete analysis. Similarly, fig 5(b) has not been demonstrated with variation of stego algorithms and alpha parameters.

Cite this article as

Critical Review on “Steganalysis Based on Differential Statistics” by I. Sajid 5th Mar, 2008.

Posted in Stegnoanalysis

Discussion on Hardware based Steganalysis

Posted by isajid on February 14, 2008

The author claimed to have achieved “full parallel mode” in the steganography detector. The architecture of RSDE depicts a 3-stage pipeline implementation. The second stage, “discrimination value calculation”, basically calculates variance, and it could be a multi-cycle operation stage or become a very big circuit (consuming more power). This stage should be implemented in LUTs as well.

The throughput of the hardware implementation, without consideration of pipeline hazards, is compared with a pure software implementation on a general-purpose machine (AMD Athlon).

Posted in FPGA implementation

 