Stegware Destruction Using Showering Methods

Abstract

A. LSB Bit Flipping This is a simple method in which we check the value of pixels or the RGB component and flip its LSB. We do this for all the pixels of the image. This method assures that we overwrite any data that might have been embedded using any type of LSB embedding. B. Double Stegging As our aim is to destroy the embedded data and not extract and analyze it, the complexity of our work decreases. We re-embed random data into the LSBs of the harmful image. Here, we use the same method to embed data into the image two times. The second time is considered as double stegging. Once this step is done, we try to extract the information which is the malware and try to execute it. Steganalysis techniques used for analysis-A. Histogram analysis This is a rather simple and very effective analysis technique for detection of steganography. Here, we draw a histogram to depict the overall pixel distribution. For a RGB image we draw three histograms for each of the planes. B. StegExpose StegExpose is a steganalysis tool developed by Benedikt Boehm specialized in detecting LSB steganography in images. It has a command line interface and is designed to analyze images in bulk while providing reporting. StegExpose rating algorithm is derived from an intelligent and thoroughly tested combination of pre-existing pixel based steganalysis methods. C. Regular Singular (RS) steganalysis It has been observed that the smoothness of an image is influenced by randomizing the LSB of the images. It has been found that LSB plane is not completely random rather that it is related to every other bit plane. Message embedding in the LSB plane can be considered to be the same as randomizing the LSB plane. The one advantage that this analysis has over others is that not only determines the existence of a message but also gives us its length [6]. IV. EXPERIMENTAL RESULTS To conduct the experiments, we used 10 images from the Caltech dataset. These images were then embedded with varying payload (100%, 50%, 30%, 5%) of image size to create a diverse dataset. All stego images were subjected to RS steganalysis. There values were recorded for future comparison with the images after showering was done. We created the stegware by using Stegosuit, InvokePSI [10] and also by writing our own code in JAVA and MATLAB. InvokePSI allowed us to embed a PowerShell script in it and execute it with a one liner. It also has the capability to execute script when the infected image is open on a web browser on a victim's system. After the creation of the stegware, we used StegExpose to determine the nature of the images and RS steganalysis to determine the length of the message. Once this was done, we proceeded with the destruction of the embedded data using showering methods. After this process we again applied StegExpose and RS Steganalysis to evaluate the performance of our methods. Fig. 1. Normal Image Fig. 2. Image with hidden data made using Stegosuite Fig. 2. Shows the image created using StegoSuite and we found that the quality of the image is 92.165 dB. Fig. 3. Normal Image Fig. 4. Image hidden with data using InvokePSI Fig. 4. shows the image created using InvokePSI and we found that the quality of the image is 31.625 dB. Fig. 5. RGB Histogram of normal image