On Dangers of Overtraining Steganography to Incomplete Cover Model - - PowerPoint PPT Presentation

on dangers of overtraining steganography to incomplete
SMART_READER_LITE
LIVE PREVIEW

On Dangers of Overtraining Steganography to Incomplete Cover Model - - PowerPoint PPT Presentation

Jul 19, 2023 95 likes •264 views

On Dangers of Overtraining Steganography to Incomplete Cover Model Jan Kodovsk, Jessica Fridrich, Vojt ech Holub September 30, 2011 / MMSEC On Dangers of Overtraining Steganography to Incomplete Cover Model 1 / 14 Steganography

slide-1
SLIDE 1

On Dangers of Overtraining Steganography to Incomplete Cover Model

Jan Kodovský, Jessica Fridrich, Vojtˇ ech Holub September 30, 2011 / MMSEC

1 / 14 On Dangers of Overtraining Steganography to Incomplete Cover Model

slide-2
SLIDE 2

Steganography

Steganography by cover modification

Embedding algorithm x ∼ Pc Cover images y ∼ Ps Stego images

x, y ∈ C . . . space of images, e.g. C = {0, . . . , 255}512×512 Goal: keep Ps close to Pc (minimize KL divergence) Steganographer’s options:

Map everything into feature space F and preserve cover pdf there Minimize distortion function D(x, y)

2 / 14 On Dangers of Overtraining Steganography to Incomplete Cover Model

slide-3
SLIDE 3

OutGuess

JPEG domain steganographic algorithm [Provos 2001] Feature space F . . . histogram of DCT coefficients Statistical restoration (LSB embedding + correction) Fully preserves cover pdf in F ⇒ undetectable within F Problem: first order statistics is a poor model of cover images Successful attacks using higher order statistics [2002-2011]

Overtrained to incomplete model

3 / 14 On Dangers of Overtraining Steganography to Incomplete Cover Model

slide-4
SLIDE 4

Feature Correction Method (FCM)

General framework for steganography that approximately preserves given feature vector [Kodovský 2008, Chonev 2011] Minimize distortion function defined in F: D(x, y) =

n

  • i=1

(xi − yi)2 vari Two-pass procedure, greedy approach, already in the first phase make ±1 changes to minimize distortion Implemented for the case of 274 PEV features [Pevný 2007]

Captures both inter- and intra-block dependencies Local histograms, co-occurences, Markov models vari . . . variance of the ith feature

n . . . number of features

4 / 14 On Dangers of Overtraining Steganography to Incomplete Cover Model

slide-5
SLIDE 5

Feature Correction Method (FCM)

0.05 0.10 0.15 0.20 0.10 0.20 0.30 0.40 0.50 Payload (bpac) Classification error PE

Performance in F Different cropping

F ≡ 274 PEV SVM classifier PE = min

PFA

PFA + PMD 2

Overtrained to incomplete model

5 / 14 On Dangers of Overtraining Steganography to Incomplete Cover Model

slide-6
SLIDE 6

Optimized ±1 embedding in JPEG domain

Minimal-distortion steganography [Filler 2011] Adaptive scheme with empirically designed distortion function: D(x, y) =

N

  • i=1

ρi(x, yi), where ρi(x, yi) ∈ R is the cost of changing xi → yi Costs are functions of inter- and intra-block neighbors

  • ptimized w.r.t. given model (feature space)

Will be abbreviated MOD (Model Optimized Distortion)

N . . . number of changeable coefficients

6 / 14 On Dangers of Overtraining Steganography to Incomplete Cover Model

slide-7
SLIDE 7

Details of MOD algorithm

Optimize parameters of the cost function

To minimize the margin of linear SVM in F Nelder-Mead simplex-reflection algorithm Fixed misclassification cost C Less than 100 images needed

Feature space F ≡548-dim CC-PEV [Kodovský 2009]

CC-PEV = PEV enhanced by Cartesian calibration

Preliminary experiments showed no indication of overtraining

Different calibration cropping CDF = CC-PEV + SPAM features [Pevný 2009]

7 / 14 On Dangers of Overtraining Steganography to Incomplete Cover Model

slide-8
SLIDE 8

Histogram of changed DCT coefficients

  • 30
  • 20
  • 10
  • 2

2 10 20 30 20 40 60 Payload 0.10 bpac Changed DCT coefficient xi Histogram

CC-PEV: inter-block co-occurences are constrained to [-2,2] 95% of changes are made out of the model

8 / 14 On Dangers of Overtraining Steganography to Incomplete Cover Model

slide-9
SLIDE 9

Extending the model

2 4 6 8 10 0.1 0.2 0.3 0.4 0.5

  • ut of model

model

CC-PEV co-occurence Range of the co-occurence matrix T Classification error PE Dimension (2T + 1)2 SVM classifier

PE = min

PFA

PFA + PMD 2 Extending inter-block co-occurences compromises the security We can extend the range of other parts of the CC-PEV model

9 / 14 On Dangers of Overtraining Steganography to Incomplete Cover Model

slide-10
SLIDE 10

Attacking MOD algorithm

0.05 0.10 0.15 0.20 0.10 0.20 0.30 0.40 0.50 Payload (bpac) Classification error

Performance in F Out of model

F ≡ 548 CC-PEV Extended co-occurence and Markov features Dimension 882

Optimization moved changes out of the incomplete model

10 / 14 On Dangers of Overtraining Steganography to Incomplete Cover Model

slide-11
SLIDE 11

HUGO

Minimal distortion steganography in spatial domain [Pevný 2010] BOSS (Break Our Steganographic System) F . . . 3D co-occurence matrices of pixel differences

For differences d = (d1, d2, d3) . . . co-occurence bin value Cd(x) T = 90 ⇒ dimension 2(2T + 1)3 = 11, 859, 482

Distortion function - weighted L1-norm in F D(x, y) =

T

  • d1,d2,d3=−T

1 1 + ||d||2 · |Cd(x) − Cd(y)|

11 / 14 On Dangers of Overtraining Steganography to Incomplete Cover Model

slide-12
SLIDE 12

Model weakness

Abrupt end at T = 90 ⇒ model treats pixels above T differently 3D co-occurence is sparse around T = 90 ⇒ form marginals hi(x) . . . number of adjacent pixel pairs whose difference is i

84 86 88 90 92 94 96 98 100 120 140 160 180 200 Histogram bin hi Count

cover

12 / 14 On Dangers of Overtraining Steganography to Incomplete Cover Model

slide-13
SLIDE 13

Model weakness

Abrupt end at T = 90 ⇒ model treats pixels above T differently 3D co-occurence is sparse around T = 90 ⇒ form marginals hi(x) . . . number of adjacent pixel pairs whose difference is i

84 86 88 90 92 94 96 98 100 120 140 160 180 200 Histogram bin hi Count

cover stego (0.4 bpp)

12 / 14 On Dangers of Overtraining Steganography to Incomplete Cover Model

slide-14
SLIDE 14

Attacking HUGO with 4 features

Almost payload-independent detection Works better on noisy and textured images

Abrupt end of model creates security weakness

0.10 0.20 0.30 0.40 0.50 0.10 0.20 0.30 0.40 0.50 Payload (bpp) Classification error PE Features {h89, h90, h91, h92}

13 / 14 On Dangers of Overtraining Steganography to Incomplete Cover Model

slide-15
SLIDE 15

Conclusions

Overtraining to simplified cover model seems to be a common security flaw of modern schemes It is difficult to find a good (complete) model for cover images Steganography: high dimension is not sufficient Steganalysis: high dimension is not necessary Straightforward security improvements: HUGO . . . increase T = 255 MOD embedding . . . increase range in CC-PEV Suggestion: use rich and diverse models

14 / 14 On Dangers of Overtraining Steganography to Incomplete Cover Model