Steganalysis of Hydan

Hydan is a steganographic tool which can be used to hide any kind of information inside executable files. In this work, we present an efficient distinguisher for it: We have developed a system that is able to detect executable files with embedded information through Hydan. Our system uses statistical analysis of instruction set distribution to distinguish between files with no hidden information and files that have been modified with Hydan. We have tested our algorithm against a mix of clean and stego-executable files. The proposed distinguisher is able to tell apart these files with a 0 ratio of false positives and negatives, thus detecting all files with hidden information through Hydan

An Overview of Steganography for the Computer Forensics Examiner (Updated Version, February 2015)

Steganography is the art of covered or hidden writing. The purpose of steganography is covert communication-to hide the existence of a message from a third party. This paper is intended as a high-level technical introduction to steganography for those unfamiliar with the field. It is directed at forensic computer examiners who need a practical understanding of steganography without delving into the mathematics, although references are provided to some of the ongoing research for the person who needs or wants additional detail. Although this paper provides a historical context for steganography, the emphasis is on digital applications, focusing on hiding information in online image or audio files. Examples of software tools that employ steganography to hide data inside of other files as well as software to detect such hidden files will also be presented. An edited version originally published in the July 2004 issues of Forensic Science Communications

Information leakage and steganography: detecting and blocking covert channels

This PhD Thesis explores the threat of information theft perpetrated by malicious insiders. As opposite to outsiders, insiders have access to information assets belonging the organization, know the organization infrastructure and more importantly, know the value of the different assets the organization holds. The risk created by malicious insiders have led both the research community and commercial providers to spend efforts on creating mechanisms and solutions to reduce it. However, the lack of certain controls by current proposals may led security administrators to a false sense of security that could actually ease information theft attempts. As a first step of this dissertation, a study of current state of the art proposals regarding information leakage protections has been performed. This study has allowed to identify the main weaknesses of current proposals which are mainly the usage of steganographic algorithms, the lack of control of modern mobile devices and the lack of control of the action the insiders perform inside the different trusted applications they commonly use. Each of these drawbacks have been explored during this dissertation. Regarding the usage of steganographic algorithms, two different steganographic systems have been proposed. First, a steganographic algorithm that transforms source code into innocuous text has been presented. This system uses free context grammars and to parse the source code to be hidden and produce an innocuous text. This system could be used to extract valuable source code from software development environments, where security restrictions are usually softened. Second, a steganographic application for iOS devices has also been presented. This application, called “Hide It In” allows to embed images into other innocuous images and send those images through the device email account. This application includes a cover mode that allows to take pictures without showing that fact in the device screen. The usage of these kinds of applications is suitable in most of the environments which handle sensitive information, as most of them do not incorporate mechanisms to control the usage of advanced mobile devices. The application, which is already available at the Apple App Store, has been downloaded more than 5.000 times. In order to protect organizations against the malicious usage of steganography, several techniques can be implemented. In this thesis two different approaches are presented. First, steganographic detectors could be deployed along the organization to detect possible transmissions of stego-objects outside the organization perimeter. In this regard, a proposal to detect hidden information inside executable files has been presented. The proposed detector, which measures the assembler instruction selection made by compilers, is able to correctly identify stego-objects created through the tool Hydan. Second, steganographic sanitizers could be deployed over the organization infrastructure to reduce the capacity of covert channels that can transmit information outside the organization. In this regard, a framework to avoid the usage of steganography over the HTTP protocol has been proposed. The presented framework, diassembles HTTP messages, overwrites the possible carriers of hidden information with random noise and assembles the HTTP message again. Obtained results show that it is possible to highly reduce the capacity of covert channels created through HTTP. However, the system introduces a considerable delay in communications. Besides steganography, this thesis has also addressed the usage of trusted applications to extract information from organizations. Although applications execution inside an organization can be restricted, trusted applications used to perform daily tasks are generally executed without any restrictions. However, the complexity of such applications can be used by an insider to transform information in such a way that deployed information protection solutions are not able to detect the transformed information as sensitive. In this thesis, a method to encrypt sensitive information using trusted applications is presented. Once the information has been encrypted it is possible to extract it outside the organization without raising any alarm in the deployed security systems. This technique has been successfully evaluated against a state of the art commercial data leakage protection solution. Besides the presented evasion technique, several improvements to enhance the security of current DLP solutions are presented. These are specifically focused in avoiding information leakage through the usage of trusted applications. The contributions of this dissertation have shown that current information leakage protection mechanisms do not fully address all the possible attacks that a malicious insider can commit to steal sensitive information. However, it has been shown that it is possible to implement mechanisms to avoid the extraction of sensitive information by malicious insiders. Obviously, avoiding such attacks does not mean that all possible threats created by malicious insiders are addressed. It is necessary then, to continue studying the threats that malicious insiders pose to the confidentiality of information assets and the possible mechanisms to mitigate them. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Esta tesis doctoral explora la amenaza creada por los empleados maliciosos en lo referente a la confidencialidad de la información sensible (o privilegiada) en posesión de una organización. Al contrario que los atacantes externos a la organización, los atacantes internos poseen de acceso a los activos de información pertenecientes a la organización, conocen la infraestructura de la misma y lo más importante, conocen el valor de los mismos. El riesgo creado por los empleados maliciosos (o en general atacantes internos) ha llevado tanto a la comunidad investigadora como a los proveedores comerciales de seguridad de la información a la creación de mecanismos y soluciones para reducir estas amenazas. Sin embargo, la falta de controles por parte de ciertas propuestas actuales pueden inducir una falsa sensación de seguridad en los administradores de seguridad de las organizaciones, facilitando los posibles intentos de robo de información. Para la realización de esta tesis doctoral, en primer lugar se ha realizado un estudio de las propuestas actuales con respecto a la protección de fugas de información. Este estudio ha permitido identificar las principales debilidades de las mismas, que son principalmente la falta de control sobre el uso de algoritmos esteganográficos, la falta de control de sobre dispositivos móviles avanzados y la falta de control sobre las acciones que realizan los empleados en el interior de las organizaciones. Cada uno de los problemas identificados ha sido explorado durante la realización de esta tesis doctoral. En lo que respecta al uso de algoritmos esteganográficos, esta tesis incluye la propuesta de dos sistemas de ocultación de información. En primer lugar, se presenta un algoritmo esteganográfico que transforma código fuente en texto inocuo. Este sistema utiliza gramáticas libres de contexto para transformar el código fuente a ocultar en un texto inocuo. Este sistema podría ser utilizado para extraer código fuente valioso de entornos donde se realiza desarrollo de software (donde las restricciones de seguridad suelen ser menores). En segundo lugar, se propone una aplicación esteganográfica para dispositivos móviles (concretamente iOS). Esta aplicación, llamada “Hide It In” permite incrustar imágenes en otras inocuas y enviar el estegoobjeto resultante a través de la cuenta de correo electrónico del dispositivo. Esta aplicación incluye un modo encubierto, que permite tomar imágenes mostrando en el propio dispositivo elementos del interfaz diferentes a los de a cámara, lo que permite tomar fotografías de forma inadvertida. Este tipo de aplicaciones podrían ser utilizadas por empleados malicios en la mayoría de los entornos que manejan información sensible, ya que estos no suelen incorporar mecanismos para controlar el uso de dispositivos móviles avanzados. La aplicación, que ya está disponible en la App Store de Apple, ha sido descargada más de 5.000 veces. Otro objetivo de la tesis ha sido prevenir el uso malintencionado de técnicas esteganográficas. A este respecto, esta tesis presenta dos enfoques diferentes. En primer lugar, se pueden desplegar diferentes detectores esteganográficos a lo largo de la organización. De esta forma, se podrían detectar las posibles transmisiones de estego-objetos fuera del ámbito de la misma. En este sentido, esta tesis presenta un algoritmo de estegoanálisis para la detección de información oculta en archivos ejecutables. El detector propuesto, que mide la selección de instrucciones realizada por los compiladores, es capaz de identificar correctamente estego-objetos creados a través de la herramienta de Hydan. En segundo lugar, los “sanitizadores” esteganográficos podrían ser desplegados a lo largo de la infraestructura de la organización para reducir la capacidad de los posibles canales encubiertos que pueden ser utilizados para transmitir información sensible de forma descontrolada.. En este sentido, se ha propuesto un marco para evitar el uso de la esteganografía a través del protocolo HTTP. El marco presentado, descompone los mensajes HTTP, sobrescribe los posibles portadores de información oculta mediante la inclusión de ruido aleatorio y reconstruye los mensajes HTTP de nuevo. Los resultados obtenidos muestran que es posible reducir drásticamente la capacidad de los canales encubiertos creados a través de HTTP. Sin embargo, el sistema introduce un retraso considerable en las comunicaciones. Además de la esteganografía, esta tesis ha abordado también el uso de aplicaciones de confianza para extraer información sensible de las organizaciones. Aunque la ejecución de aplicaciones dentro de una organización puede ser restringida, las aplicaciones de confianza, que se utilizan generalmente para realizar tareas cotidianas dentro de la organización, se ejecutan normalmente sin ninguna restricción. Sin embargo, la complejidad de estas aplicaciones puede ser utilizada para transformar la información de tal manera que las soluciones de protección ante fugas de información desplegadas no sean capaces de detectar la información transformada como sensibles. En esta tesis, se presenta un método para cifrar información sensible mediante el uso de aplicaciones de confianza. Una vez que la información ha sido cifrada, es posible extraerla de la organización sin generar alarmas en los sistemas de seguridad implementados. Esta técnica ha sido evaluada con éxito contra de una solución comercial para la prevención de fugas de información. Además de esta técnica de evasión, se han presentado varias mejoras en lo que respecta a la seguridad de las actuales soluciones DLP. Estas, se centran específicamente en evitar la fuga de información a través del uso de aplicaciones de confianza. Las contribuciones de esta tesis han demostrado que los actuales mecanismos para la protección ante fugas de información no responden plenamente a todos los posibles ataques que puedan ejecutar empleados maliciosos. Sin embargo, también se ha demostrado que es posible implementar mecanismos para evitar la extracción de información sensible mediante los mencionados ataques. Obviamente, esto no significa que todas las posibles amenazas creadas por empleados maliciosos hayan sido abordadas. Es necesario por lo tanto, continuar el estudio de las amenazas en lo que respecta a la confidencialidad de los activos de información y los posibles mecanismos para mitigar las mismas

Διερεύνηση ύπαρξης κρυμμένου περιεχομένου βασισμένη στον νόμο του Benford

Παρατηρήσεις έκδοσης: κακέκτυπες σελίδες

Digital Steganography for Executables

Tato bakalářská práce se zabývá steganografickým ukrýváním libovolných dat do spustitelných souborů. Nejprve hovoří obecně, zejména o injekčních a substitučních steganografických metodách nad různými typy krycích objektů. Poté se zaměřuje na spustitelné soubory formátu ELF a rodinu instrukčních sad x86 ; zmiňuje permutační metody nad instrukcemi a řetězy základních bloků a dopodrobna rozebírá substituční metodu ekvivalenčních tříd instrukcí. Následně je popsán návrh, implementace, testování a optimalizace vlastního řešení založeného na poslední ze zmíněných metod. Posléze jsou popsány metody a výstupy experimentů s vlastním řešením.This bachelor's thesis concerns itself with steganographic concealment of arbitrary data in executable files . Initially it speaks in general terms , mainly about injection - and substitution - based steganographic methods for various types of cover - objects . Afterwards , the focus is on executable files in the ELF format and the x86 ISA family ; permutation - based methods for instructions and basic block chains are mentioned and the substitution - based method of instruction equivalence classes is examined . Consequently , the design, implementation , testing and optimization of a custom solution based on the last mentioned method are described . Finally , the methods and outcomes of experimenting with the custom solution are described .

Sırörtülü ses dosyalarının yapay zeka yöntemleri yardımıyla çözümlenmesi

06.03.2018 tarihli ve 30352 sayılı Resmi Gazetede yayımlanan “Yükseköğretim Kanunu İle Bazı Kanun Ve Kanun Hükmünde Kararnamelerde Değişiklik Yapılması Hakkında Kanun” ile 18.06.2018 tarihli “Lisansüstü Tezlerin Elektronik Ortamda Toplanması, Düzenlenmesi ve Erişime Açılmasına İlişkin Yönerge” gereğince tam metin erişime açılmıştır.Bu çalışmada bugüne kadar yapılmış olan sırörtme çalışmalarının aksine sıraçma teknikleri üzerine yoğunlaşılmıştır. Sıraçma konusunda resim dosyaları üzerine birçok çalışma yapılmıştır. Fakat ses dosyaları üzerine çok fazla çalışma bulunmamaktadır. Bu tezde ses dosyalarında sıraçma işlemleri üzerinde durulmuştur. Sıraçma saldırısında gizleme algoritmasının bilindiği sıraçma saldırı yöntemi kullanılmıştır. Bu yöntem ses dosyalarına LSB sırörtme yöntemi kullanılarak oluşturulmuş sırlı nesnelere yönelik bir saldırı şeklidir. Geliştirilen sıraçma yönteminde, ses dosyalarının son bitlerine gömülmüş veriler analiz edilerek veri çıkartma işlemi yapılmaya çalışılmıştır. Genelde sıraçma yöntemlerinde sezme (detection) yani gizli verinin varlığını anlama işlemi yapılabilmektedir. Oysa geliştirilen yöntemde gizli veri içeren dosyalar için ?dosyadaki gizli veri oranı? sorusuna cevap aranmaktadır.In this study, we have focused on steganalysis in contrast to steganography literature. There have been many studies on image driven steganalysis, but a very few on audio-file driven steganalysis. In this thesis, we have focused on audio-file driven steganalysis studies. We have used stego-object steganalysis known attack methods through our attack algorithm. This method of audio file created using LSB steganography method is a form of an attack on the stego object. In our steganalysis methods, there has been made an analysis of data extraction process for data embedded in the last bit of audio files.Steganalysis detection methods in general (insight) that can be done there, or do not have the data in this file can be hidden. Here, we have investigated the answers for question of `What percentage of hidden data is in such a file?

Steganography and steganalysis: data hiding in Vorbis audio streams

The goal of the current work is to introduce ourselves in the world of steganography and steganalysis, centering our efforts in acoustic signals, a branch of steganography and steganalysis which has received much less attention than steganography and steganalysis for images. With this purpose in mind, it’s essential to get first a basic level of understanding of signal theory and the properties of the Human Auditory System, and we will dedicate ourselves to that aim during the first part of this work. Once established those basis, in the second part, we will obtain a precise image of the state of the art in steganographic and steganalytic sciences, from which we will be able to establish or deduce some good practices guides. With both previous subjects in mind, we will be able to create, design and implement a stego-system over Vorbis audio codec and, finally, as conclusion, analyze it using the principles studied during the first and second parts

Evaluation of steganographic cost for covert communication in IP networks

Network steganography encompasses the information hiding techniques that can be applied in communication network environments and that utilize hidden data carriers for this purpose. When describing a network steganography method despite the features like steganographic bandwidth, undetectability and robustness also steganographic cost should be considered. It is used as an indicator for the degradation or distortion of the carrier caused by the application of the steganographic method. In this master thesis we are going to evaluate how steganographic cost is affected in two different scenarios when using different steganographic methods, either separated or combined. We want to check the existence of two phenomena that can take place when combining two or more steganographic methods: superposition steganography and zero cost steganography.Ingeniería de TelecomunicaciónTelekomunikazio Ingeniaritz