Steganography: History, Techniques, Applications, Detection, and Future Trends in Cybersecurity

Abstract

Steganography, the art and science of concealing information within seemingly innocuous carriers, has evolved significantly from its historical roots to become a sophisticated tool in both legitimate and malicious contexts. This research report provides a comprehensive overview of steganography, exploring its historical development, diverse techniques spanning image, audio, and text domains, and its applications across various sectors, including its increasingly prominent role in malware campaigns such as those employing HijackLoader. The report delves into the challenges of detecting steganographic content, examining current detection methods and their limitations. Furthermore, it explores the future trends in steganography, including the use of advanced algorithms and machine learning techniques, and assesses their potential impact on cybersecurity, highlighting the ongoing arms race between those who conceal and those who seek to uncover hidden information.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

1. Introduction

Steganography, derived from the Greek words “steganos” meaning “covered, concealed, or secret” and “graphe” meaning “writing or drawing,” is the practice of concealing a message within another, non-secret, message or physical object. Unlike cryptography, which focuses on rendering a message unintelligible, steganography aims to make the very existence of the message imperceptible. The carrier, also known as the cover object, is the medium used to hide the secret message, while the stego object is the carrier with the hidden message embedded within it. The goal is to embed information in such a way that the presence of the hidden message is undetectable to the casual observer.

The significance of steganography has grown considerably in the digital age, driven by the widespread availability of digital media and the increasing sophistication of techniques for hiding information. Its applications range from protecting intellectual property and enabling secure communication to facilitating malicious activities such as data exfiltration and command-and-control (C2) infrastructure for malware. The HijackLoader malware, known for using steganography to hide its encrypted configuration within PNG images, exemplifies the increasing sophistication of these malicious applications [1]. This necessitates a deeper understanding of steganographic techniques and the development of effective detection and mitigation strategies.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

2. Historical Overview

The history of steganography can be traced back to ancient times. Early examples include:

• Ancient Greece: Herodotus describes various methods, such as writing messages on wood covered with wax or tattooing messages on shaved heads, which were then concealed by allowing the hair to grow back [2].
• Ancient China: Writing messages on silk which was then rolled into a small ball and coated in wax, which the messenger swallowed.
• Renaissance: Giovanni Porta’s “Steganographia,” published in 1563, outlined various methods for concealing messages, although many were based on astrology and numerology, rendering them more akin to cryptography than true steganography [3].

The development of steganography remained relatively stagnant until the advent of the digital age. The proliferation of digital media, combined with the increasing computational power, led to the development of sophisticated algorithms and techniques for hiding information within images, audio, video, and text files. This evolution has transformed steganography from a rudimentary art form into a complex scientific discipline, enabling both legitimate and malicious actors to conceal information with increasing effectiveness.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

3. Steganographic Techniques

Modern steganography encompasses a wide range of techniques, each with its strengths and weaknesses. These techniques can be broadly categorized based on the type of carrier used:

3.1. Image Steganography

Image steganography is one of the most widely used forms of steganography, owing to the abundance of digital images and the relative ease with which information can be concealed within them. Common techniques include:

• Least Significant Bit (LSB) Insertion: This technique involves replacing the least significant bits of the image pixels with the bits of the secret message. LSB insertion is simple to implement and can embed relatively large amounts of data. However, it is also susceptible to detection by statistical analysis and visual inspection [4]. HijackLoader uses this method to embed its config, and other malware groups use it to hide malicious code.
• Spatial Domain: This category includes techniques that directly manipulate the pixel values of the image. Examples include LSB insertion, pixel value differencing (PVD), and edge-based steganography.
• Frequency Domain: These techniques involve transforming the image into the frequency domain using techniques such as Discrete Cosine Transform (DCT), Discrete Wavelet Transform (DWT), or Fourier Transform. The secret message is then embedded by modifying the coefficients in the transformed domain. Frequency domain techniques are generally more robust to image processing operations such as compression and filtering [5]. JPEG is a common target as DCT is used by JPEG.
• Adaptive Steganography: These techniques adapt the embedding process based on the characteristics of the image. For example, areas with high texture or noise can tolerate more significant changes than smooth areas. Adaptive steganography aims to minimize the statistical detectability of the hidden message.

3.2. Audio Steganography

Audio steganography involves concealing information within audio files. Common techniques include:

• LSB Insertion: Similar to image steganography, LSB insertion can be used to embed data in audio files by replacing the least significant bits of the audio samples. This technique is simple but vulnerable to noise and signal processing operations.
• Phase Coding: This technique involves modifying the phase of the audio signal to embed the secret message. Phase coding is more robust than LSB insertion but can introduce audible distortions if not implemented carefully.
• Echo Hiding: This technique introduces a slight echo into the audio signal, which is used to encode the secret message. Echo hiding is relatively robust to noise and signal processing operations [6].
• Spread Spectrum: This technique spreads the hidden message across a wide range of frequencies, making it difficult to detect and remove. Spread spectrum techniques are often used in conjunction with other steganographic methods to enhance security.

3.3. Text Steganography

Text steganography involves concealing information within text files. This is generally more challenging than image or audio steganography due to the limited redundancy in text data. Common techniques include:

• Linguistic Steganography: This technique involves modifying the wording, grammar, or syntax of the text to encode the secret message. Linguistic steganography requires a deep understanding of natural language and can be difficult to implement effectively [7].
• Format-Based Methods: This technique relies on manipulating the formatting of text, such as spacing between words, line breaks, or font styles, to encode the secret message. Format-based methods are relatively simple but can be easily detected by visual inspection.
• Feature Coding: Similar to linguistic steganography, Feature Coding makes changes to the character formation to encode information. For example, increasing the size of the descender in “g” or raising the dot above the letter “i” can both be used to hide information. The changes are subtle and generally difficult to spot with the naked eye.
• Unicode Manipulation: Unicode provides numerous ways to represent the same characters, which can be used to conceal information. For example, using different Unicode characters that appear visually identical can encode a hidden message [8].

3.4. Video Steganography

Video steganography leverages the large data capacity of video files to hide substantial amounts of information. Similar to image and audio steganography, techniques like LSB insertion can be employed on individual frames. However, more advanced methods take advantage of temporal redundancy between frames, such as motion vector modification or exploiting variations in compression artifacts. Techniques can be used for real-time transmission because of the speed of modern processors.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

4. Applications of Steganography

Steganography has a wide range of applications, both legitimate and malicious.

4.1. Legitimate Applications

• Secure Communication: Steganography can be used to conceal sensitive information within innocuous-looking files, providing a secure channel for communication. Journalists and whistleblowers can use it to send information in situations where encryption is forbidden [9].
• Digital Watermarking: Steganography can be used to embed copyright information or authentication data within digital media, protecting intellectual property and preventing unauthorized use. Digital watermarks can also be used to track the distribution of digital content and identify sources of piracy.
• Data Integrity Verification: Steganography can be used to embed checksums or hash values within data files, allowing recipients to verify the integrity of the data and detect any unauthorized modifications.
• Access Control: Steganography can be used for access control. For example, an image containing a hidden key, that when extracted, is used to verify identity. Only users with the correct image can gain access.

4.2. Malicious Applications

• Malware Distribution: Steganography can be used to conceal malicious code within seemingly harmless files, bypassing security filters and infecting target systems. The HijackLoader malware, which uses steganography to hide its encrypted configuration within PNG images, is a prime example of this [1].
• Data Exfiltration: Steganography can be used to exfiltrate sensitive data from compromised systems without raising suspicion. Data can be embedded within images, audio files, or other media and transmitted over seemingly benign channels, such as social media or file-sharing platforms.
• Command and Control (C2) Communication: Malware can use steganography to conceal C2 commands within images or other media hosted on legitimate websites or social media platforms, making it difficult for security analysts to detect and disrupt the malware’s communication channels. For example, a botmaster can post a regular picture on social media, and the infected bots use steganography to extract and follow the commands within the image.
• Bypassing Censorship: Steganography can be used to circumvent censorship by hiding messages within innocuous-looking files, allowing individuals to communicate freely in environments where information access is restricted.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

5. Detection Methods

Detecting steganography is a challenging task, as the goal of steganography is to make the presence of the hidden message imperceptible. However, various detection methods have been developed to identify steganographic content. These methods can be broadly categorized into visual, statistical, and machine learning-based approaches.

5.1. Visual Analysis

Visual analysis involves examining the carrier object for any visual anomalies that may indicate the presence of a hidden message. For image steganography, this may involve looking for subtle changes in color or texture patterns. However, visual analysis is often ineffective against sophisticated steganographic techniques that minimize visual artifacts.

5.2. Statistical Analysis

Statistical analysis involves examining the statistical properties of the carrier object for any deviations from expected patterns. For example, LSB insertion can alter the distribution of pixel values in an image, making it possible to detect the presence of a hidden message using statistical tests such as chi-square analysis or histogram analysis [10]. RS analysis can be used for the detection of LSB steganography, as well as techniques based on pixel-value differencing, and exploits the fact that when an image is randomly flipped, some parts can become “more regular”, while others become “more singular”. However, statistical analysis can be defeated by adaptive steganographic techniques that minimize statistical anomalies.

5.3. Machine Learning-Based Detection

Machine learning-based detection techniques involve training machine learning models to classify carrier objects as either containing steganographic content or not. These models can be trained on a variety of features, including statistical properties, texture features, and frequency domain features. Machine learning-based detection techniques have shown promising results in detecting various types of steganography, but they require large datasets for training and can be vulnerable to adversarial examples [11].

5.4. Steganalysis Tools

Several steganalysis tools are available that automate the process of detecting steganography. These tools typically incorporate a variety of detection methods, including visual analysis, statistical analysis, and machine learning-based detection. Examples of steganalysis tools include Stegdetect, StegHide, and ExifTool. However, these tools are not foolproof and can be bypassed by sophisticated steganographic techniques.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

6. Challenges in Identifying and Combating Steganographic Attacks

Identifying and combating steganographic attacks presents several significant challenges:

• Low Detectability: The primary goal of steganography is to make the presence of the hidden message imperceptible, making it difficult to detect using traditional security tools and techniques.
• Variety of Techniques: The wide range of steganographic techniques makes it challenging to develop comprehensive detection methods that can effectively identify all types of steganography. Each technique has its own strengths and weaknesses, requiring specialized detection approaches.
• Adaptive Steganography: Adaptive steganographic techniques can adapt the embedding process based on the characteristics of the carrier object, making it more difficult to detect using statistical analysis or machine learning-based detection.
• Limited Resources: Security analysts often lack the resources and expertise to effectively detect and analyze steganographic content. This is particularly true for smaller organizations with limited security budgets [12].
• Evolving Techniques: Steganographic techniques are constantly evolving, with new and more sophisticated methods being developed. This requires ongoing research and development to stay ahead of the curve and develop effective detection and mitigation strategies.
• False Positives: Many steganalysis tools can produce false positives. This is where a clean image is flagged as containing steganography. This can cause issues as security analysts need to manually check each reported file.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

7. Future Trends in Steganography and its Potential Impact on Cybersecurity

The future of steganography is likely to be shaped by several key trends, including the use of advanced algorithms, machine learning techniques, and the increasing complexity of digital media.

• Advanced Algorithms: New and more sophisticated steganographic algorithms are being developed that can embed larger amounts of data with minimal impact on the carrier object. These algorithms often incorporate techniques from cryptography and information theory to enhance security and robustness.
• Machine Learning: Machine learning techniques are being used to develop more effective steganographic methods, as well as more robust detection techniques. Generative Adversarial Networks (GANs) can be used to create stego objects that are indistinguishable from cover objects, while machine learning classifiers can be trained to detect subtle anomalies that may indicate the presence of a hidden message [13].
• Deep Learning: Deep Learning offers a way to create very complex steganography and steganalysis systems. Deep learning models have been shown to outperform traditional algorithms in both the hiding and detection phases. For example, a CNN can learn to embed an image within another, by learning its features.
• Blockchain-Based Steganography: Blockchain technology can be integrated with steganography to provide secure and tamper-proof storage and transmission of hidden data. This can be particularly useful for applications such as digital watermarking and data integrity verification.
• AI-Generated Content: As AI-generated images, audio, and video become more prevalent, they could be used to create carriers for steganography that are inherently difficult to distinguish from legitimate content. The synthetic nature of these media could allow for highly controlled and undetectable data embedding [14].

The potential impact of these trends on cybersecurity is significant. As steganographic techniques become more sophisticated, they will be increasingly used by malicious actors to conceal malware, exfiltrate data, and communicate covertly. This will require security professionals to develop more advanced detection and mitigation strategies, incorporating machine learning and other advanced techniques. The arms race between those who conceal and those who seek to uncover hidden information is likely to intensify in the coming years.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

8. Conclusion

Steganography is a powerful technique for concealing information within seemingly innocuous carriers. Its applications range from secure communication and digital watermarking to malware distribution and data exfiltration. Detecting steganographic content is a challenging task, requiring a combination of visual analysis, statistical analysis, and machine learning-based detection techniques. The future of steganography is likely to be shaped by the use of advanced algorithms, machine learning techniques, and the increasing complexity of digital media. As steganographic techniques become more sophisticated, they will pose a growing threat to cybersecurity, requiring security professionals to develop more advanced detection and mitigation strategies. A proactive and adaptive approach to steganography detection is crucial to staying ahead of malicious actors and protecting sensitive information. This should involve continually refining detection methods and investing in research to identify and mitigate new and emerging steganographic techniques. The HijackLoader is an example of a threat actor using steganography to hide its config, and more actors will make use of this technique in the future.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

References

[1] Trend Micro. (2023). HijackLoader Uses Steganography to Hide Its Encrypted Configuration Within PNG Images.

[2] Kahn, D. (1996). The Codebreakers: The Story of Secret Writing. Scribner.

[3] Porta, G. (1563). Steganographia.

[4] Cheddad, A., Condell, J., Curran, K., & Mc Kevitt, P. (2010). Digital image steganography: Survey and analysis of current methods. Signal Processing, 90(3), 727-752.

[5] Marvel, L. M., Bonneau, R. J., Miller, R. C., & Sullivan, G. A. (1999). Reliable blind information hiding for images. In Security and Watermarking of Multimedia Contents (Vol. 3657, pp. 48-56). SPIE.

[6] Bender, W., Gruhl, D., Morimoto, N., & Lu, A. (1996). Techniques for data hiding. IBM Systems Journal, 35(3.4), 313-336.

[7] Atallah, M. J., Elwakil, A. S., & Hamza, S. A. (2001). Natural language watermarking and steganalysis: Literature survey and research directions. In Information Hiding (pp. 273-287). Springer, Berlin, Heidelberg.

[8] Kelly, D., & Short, N. (2014). A practical guide to unicode-based text steganography. Digital Investigation, 11(3), 235-246.

[9] Johnson, N. F., Duric, Z., & Jajodia, S. (2001). Information hiding: Steganography and watermarking-attacks and countermeasures. Springer Science & Business Media.

[10] Westfeld, A. (2001). F5—A steganographic algorithm: High capacity despite better steganalysis. In Information Hiding (pp. 289-302). Springer, Berlin, Heidelberg.

[11] Tang, W., Tan, S., Li, B., Liu, X., & Huang, J. (2017). Automatic steganography detection using deep learning. Multimedia Tools and Applications, 76(17), 16947-16965.

[12] Conti, M., Dehghantanha, A., Franke, K., & Watson, S. (2018). Internet of Things security and forensics: Challenges and research directions. Future Generation Computer Systems, 81, 585-610.

[13] Zhang, K., Wang, F., Zhang, J., & Zheng, S. (2019). A generative adversarial network for image steganography. IEEE Access, 7, 100355-100364.

[14] Husak, M., Celeda, P., & Zadnik, M. (2021). Steganography in AI-Generated Content: A New Threat Landscape?. IEEE Access, 9, 148249-148264.