
Steganalysis Gets Past the Hype


Shortly before the terrorist attacks of 11 September 2001, the popular US newspaper, USA Today, featured a story in which US government officials claimed al Qaeda terrorists were using steganography—the technology of hiding messages in visible data—to spread their plans via pornography Web sites and sports chat rooms. Shortly after the attacks, the same newspaper reported al Qaeda was likely using images on eBay to send its hidden messages.

Terrorism still predominates the public perception of the technology, even though University of Michigan doctoral student Niels Provos researched 2 million images on eBay and 1 million images on Usenet and found no hidden messages. Furthermore, the reporter who wrote those stories, Jack Kelley, later resigned under a cloud of controversy over fabricating reports.

The public fear created by mainstream press reports, often featuring US intelligence agents claiming it a virtual certainty that terrorists are using steganography, might provoke a backlash against researchers. Legislators in several states have either considered or already passed laws prohibiting the use and dissemination of technology to conceal data. Michigan recently passed a law, based on broader intellectual copyright arguments by the motion picture and recording industries, that forced Provos to publish his steganography data on a Web site in the Netherlands.

Provos says the public's failure to connect research with security has allowed legislators to rush through bad law, perhaps on the strength of these uncorroborated mainstream reports.

"It seems these reports are so biased the connection to the research is not happening at all," Provos, now a software engineer at Google, says.

Who's really using it?

At the same time, however, the greater public awareness has led to more funding in general for security initiatives. This funding has filtered into the research community exploring technology that breaks steganography, formally called steganalysis.

For example, Charles Boncelet, a professor of electrical and computer engineering at the University of Delaware, recently received a $167,000 steganalysis grant from the National Science Foundation.

"If somebody were to tell me the NSF was getting the money for this grant from one of the other agencies, I wouldn't be surprised," Boncelet says. "I don't know that, but I wouldn't be surprised if, say, the Department of Homeland Security was providing the money."

Boncelet says he has no inside information about whether terrorists have actually used steganography. "Certainly they have the possibility of doing so," he says, "and if you're trying to track the actions of potential terrorists you have to worry about the possibility of steganography being used."

Other security experts disagree. Robert Bagnall, then a senior security engineer with Counterpane Internet Security, in a 2002 report written for the SANS Institute, advanced three reasons why he thought terror organizations would opt for simpler methods of communication than steganography:

  • Steganography is limited in scope. It requires specific tools and knowledge for using them. While both are readily attainable, they require some effort to master. In the case of terrorist cells, disseminating this knowledge poses the significant risk of establishing a traceable link among groups that otherwise might not (or should not) know each other exists.
  • Steganography is easily traceable since it requires specific tools to function properly. Thus, computer systems that include such tools would normally signify a user with advanced knowledge to mask and then unmask data within images and perhaps a more sinister goal than typical end users.
  • Steganography can be undone by others with similar tool sets or other forensic capabilities. Thus, the mere presence of data hidden within a system's images allows law enforcement authorities to make certain assumptions and take their investigation to the next level.

"It doesn't make a lot of operational sense to use steganography," says Counterpane co-founder, Bruce Schneier, who has long believed the fears about steganography far outweigh its likely use. "The terrorist angle is a way to get money for any research project these days."

In a 1998 essay he wrote for his Crypto-gram newsletter, Schneier said many aspects of using steganography, such as loading the appropriate software and establishing innocuous communications routines to cover for steganographic messages, could be more problematic than useful.

Despite these cautions, steganographic researchers say the new techniques they are developing might someday have a crossover effect on emerging industrial and military technologies such as digital watermarking or secure military communications.

An invisible arms race

Much current steganalysis research is being conducted on still digital images, particularly common graphics formats such as JPEG and GIF.

JPEG steganography is particularly effective, as the human eye can't detect the minute changes caused by the steganographic application. Each color component of the JPEG image format uses a discrete cosine transform (DCT) to change successive 8 × 8 pixel blocks into 64 DCT coefficients. To hide a message in a JPEG image, a sender uses a steganography tool with an embedding algorithm that replaces the least significant, most redundant bit of DCT coefficients with the message's data. The bigger the message, the more images a savvy steganographer will use to reduce the chance of having these changed bits detected.

Steganalysts have been concentrating their research on these embedding algorithms.

"One approach I hope we can do in this is to look at broad classes of steganographic algorithms and try to find signatures that are left behind," Boncelet says of his project, which is funded through the end of 2006. "There is a trade-off between invisibility and how much information you can hide. If somebody tries to hide too much information in an object, then the invisibility starts to become questionable, and maybe there are signatures or small features we can start to detect. If somebody is careful and only hiding a small amount of information in a large object, we may have little chance of detecting that. We need people to get greedy and make mistakes."
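The kind of signature described above can be measured directly: replacing least significant bits with message bits evens out the counts of each coefficient pair (2k, 2k+1), and a pairs-of-values chi-square statistic picks that up. The following is an added example, not code from the article or from any researcher quoted in it; the coefficient data is constructed, and the function names and the choice to skip the values 0 and 1 are assumptions.

```python
import random
from collections import Counter

def make_cover(n, rng):
    """Constructed stand-in for quantized DCT coefficients: two-sided, peaked at 0."""
    return [rng.choice((-1, 1)) * int(rng.expovariate(0.4)) for _ in range(n)]

def embed_lsb(coeffs, rate, rng):
    """Overwrite the LSB of a fraction `rate` of usable coefficients with random
    message bits. Assumption: coefficients equal to 0 or 1 are left untouched."""
    out = list(coeffs)
    usable = [i for i, c in enumerate(out) if c not in (0, 1)]
    for i in rng.sample(usable, int(rate * len(usable))):
        out[i] = (out[i] & ~1) | rng.getrandbits(1)
    return out

def pov_chi2_per_dof(coeffs, min_expected=5):
    """Pearson chi-square of each (2k, 2k+1) pair against an even split, per pair.
    Near 1 means the pairs are equalized, which is what full LSB embedding causes;
    an untouched histogram scores far higher because it falls off with magnitude."""
    hist = Counter(c for c in coeffs if c not in (0, 1))
    chi2, dof = 0.0, 0
    for even in sorted({v & ~1 for v in hist}):
        expected = (hist[even] + hist[even + 1]) / 2
        if expected >= min_expected:  # skip sparse pairs, where the test is unreliable
            chi2 += 2 * (hist[even] - expected) ** 2 / expected
            dof += 1
    return chi2 / dof

def demo(seed=2005, n=200_000):
    """Score the same cover at several embedding rates (0.0 is the clean cover)."""
    rng = random.Random(seed)
    cover = make_cover(n, rng)
    return {rate: pov_chi2_per_dof(embed_lsb(cover, rate, rng))
            for rate in (0.0, 0.05, 0.5, 1.0)}

if __name__ == "__main__":
    for rate, score in demo().items():
        print(f"embedding rate {rate:>4}: chi2/dof = {score:.1f}")
```

The score at a 5 percent embedding rate stays close to the clean cover's, while full-capacity embedding drives it toward 1, which is the payload-versus-detectability trade-off Boncelet describes.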

Jessica Fridrich, a research professor at the State University of New York at Binghamton, has published widely on steganography and steganalysis, and says much steganalysis research is based in detecting these algorithm classes rather than hunting for specific mechanisms.

"There are not that many ways to hide data in images," Fridrich says. "The difference is somehow superficial. Steganalysis techniques may be targeted to a specific opening mechanism, but this mechanism could be shared by many steganographic opening applications on the Internet. My guess is about 80 percent of the programs on the Internet use this embedding, anyway."

Fridrich describes a technique called blind steganalysis, which is based on feature space. "You analyze what an average statistical digital image looks like," she explains, "and look for outliers in the feature space. It's actually a general technique that can be used to detect any steganography technique. You don't have to know how it's exactly done."

Fridrich and her students work concurrently on steganalysis and steganographic techniques: "It's two sides of one coin, you can't be doing one or the other." Provos calls the constant developments in one technology or its counterpart an "arms race."

One factor that might make steganography harder to pass off would be more widespread deployment of the JPEG 2000 format. JPEG 2000 eliminates much of the "noise" found in JPEG images at high compression rates, in which steganographers hide information. However, it has yet to gain significant support among browser makers, and is not backward-compatible with JPEG.

"Roughly speaking, JPEG 2000 is twice as good as JPEG," Boncelet says, "but it's not widely used on the Internet, the reason being that for most applications JPEG is good enough. Everybody's browser in the world, for all practical purposes, can read a JPEG but not a JPEG 2000, so not many content providers use it. So there's a chicken-egg thing here so far."


Unless somebody can show irrefutable proof of widespread criminal or hostile intelligence use of steganography, the latest wave of bigger grants and mainstream media reports will probably fade, and the relatively small community of researchers will continue the work they found fascinating before the spotlight shone on them.

And perhaps the public will never know steganography is being used, even if some astute intelligence agency detects it.

"When USA Today published without actually quoting sources," Fridrich says, "people constantly asked me, 'How bad is it? Do you decode secret messages in images every day?' I said, 'We don't do any of that, we're a public university, we publish papers, we develop techniques and make them available to the Air Force and law enforcement, and they do their job with them.'

"What exactly they find I'm not even allowed to know. But it's an important issue."

Cite this article: Greg Goth, "Steganalysis Gets Past the Hype," IEEE Distributed Systems Online, vol. 6, no. 4, 2005.
