Information similarity metrics in information security and forensics

We study two information similarity measures, relative entropy and the similarity metric, and methods for estimating them. Relative entropy can be readily estimated with existing algorithms based on compression. The similarity metric, based on algorithmic complexity, proves to be more difficult to estimate due to the fact that algorithmic complexity itself is not computable. We again turn to compression for estimating the similarity metric. Previous studies rely on the compression ratio as an indicator for choosing compressors to estimate the similarity metric. This assumption, however, is fundamentally flawed. We propose a new method to benchmark compressors for estimating the similarity metric. To demonstrate its use, we propose to quantify the security of a stegosystem using the similarity metric. Unlike other measures of steganographic security, the similarity metric is not only a true distance metric, but it is also universal in the sense that it is asymptotically minimal among all computable metrics between two objects. Therefore, it accounts for all similarities between two objects. In contrast, relative entropy, a widely accepted steganographic security definition, only takes into consideration the statistical similarity between two random variables. As an application, we present a general method for benchmarking stegosystems. The method is general in the sense that it is not restricted to any covertext medium and therefore, can be applied to a wide range of stegosystems. For demonstration, we analyze several image stegosystems using the newly proposed similarity metric as the security metric. The results show the true security limits of stegosystems regardless of the chosen security metric or the existence of steganalysis detectors. In other words, this makes it possible to show that a stegosystem with a large similarity metric is inherently insecure, even if it has not yet been broken

The XBOX 360 and Steganography: How Criminals and Terrorists Could Be Going Dark

Video game consoles have evolved from single-player embedded systems with rudimentary processing and graphics capabilities to multipurpose devices that provide users with parallel functionality to contemporary desktop and laptop computers. Besides offering video games with rich graphics and multiuser network play, today\u27s gaming consoles give users the ability to communicate via email, video and text chat; transfer pictures, videos, and file;, and surf the World-Wide-Web. These communication capabilities have, unfortunately, been exploited by people to plan and commit a variety of criminal activities. In an attempt to cover the digital tracks of these unlawful undertakings, anti-forensic techniques, such as steganography, may be utilized to hide or alter evidence. This paper will explore how criminals and terrorists might be using the Xbox 360 to convey messages and files using steganographic techniques. Specific attention will be paid to the going dark problem and the disjoint between forensic capabilities for analyzing traditional computers and forensic capabilities for analyzing video game consoles. Forensic approaches for examining Microsoft\u27s Xbox 360 will be detailed and the resulting evidentiary capabilities will be discussed. Keywords: Digital Forensics, Xbox Gaming Console, Steganography, Terrorism, Cyber Crim

Spatio-temporal rich model-based video steganalysis on cross sections of motion vector planes.

A rich model-based motion vector (MV) steganalysis benefiting from both temporal and spatial correlations of MVs is proposed in this paper. The proposed steganalysis method has a substantially superior detection accuracy than the previous methods, even the targeted ones. The improvement in detection accuracy lies in several novel approaches introduced in this paper. First, it is shown that there is a strong correlation, not only spatially but also temporally, among neighbouring MVs for longer distances. Therefore, temporal MV dependency alongside the spatial dependency is utilized for rigorous MV steganalysis. Second, unlike the filters previously used, which were heuristically designed against a specific MV steganography, a diverse set of many filters, which can capture aberrations introduced by various MV steganography methods is used. The variety and also the number of the filter kernels are substantially more than that of used in the previous ones. Besides that, filters up to fifth order are employed whereas the previous methods use at most second order filters. As a result of these, the proposed system captures various decorrelations in a wide spatio-temporal range and provides a better cover model. The proposed method is tested against the most prominent MV steganalysis and steganography methods. To the best knowledge of the authors, the experiments section has the most comprehensive tests in MV steganalysis field, including five stego and seven steganalysis methods. Test results show that the proposed method yields around 20% detection accuracy increase in low payloads and 5% in higher payloads.Engineering and Physical Sciences Research Council through the CSIT 2 Project under Grant EP/N508664/1

The Automation of the Extraction of Evidence masked by Steganographic Techniques in WAV and MP3 Audio Files

Antiforensics techniques and particularly steganography and cryptography have become increasingly pressing issues that affect the current digital forensics practice, both techniques are widely researched and developed as considered in the heart of the modern digital era but remain double edged swords standing between the privacy conscious and the criminally malicious, dependent on the severity of the methods deployed. This paper advances the automation of hidden evidence extraction in the context of audio files enabling the correlation between unprocessed evidence artefacts and extreme Steganographic and Cryptographic techniques using the Least Significant Bits extraction method (LSB). The research generates an in-depth review of current digital forensic toolkit and systems and formally address their capabilities in handling steganography-related cases, we opted for experimental research methodology in the form of quantitative analysis of the efficiency of detecting and extraction of hidden artefacts in WAV and MP3 audio files by comparing standard industry software. This work establishes an environment for the practical implementation and testing of the proposed approach and the new toolkit for extracting evidence hidden by Cryptographic and Steganographic techniques during forensics investigations. The proposed multi-approach automation demonstrated a huge positive impact in terms of efficiency and accuracy and notably on large audio files (MP3 and WAV) which the forensics analysis is time-consuming and requires significant computational resources and memory. However, the proposed automation may occasionally produce false positives (detecting steganography where none exists) or false negatives (failing to detect steganography that is present) but overall achieve a balance between detecting hidden data accurately along with minimising the false alarms.Comment: Wires Forensics Sciences Under Revie