Protecting Against Malicious Steganography

Unfortunately, all of the methods mentioned above can also be

used to hide illicit, unauthorized or unwanted activity. What can

you do to prevent or detect issues with stego? There is no easy answer.

If someone has decided to hide their data, they will probably be able

to do so fairly easily. The only way to detect steganography is to be

actively looking for in specific files, or to get very lucky. Sometimes

an actively enforced security policy can provide the answer: this

would require the implementation of company wide acceptable use

policies that restrict the installation of unauthorized programs on

company computers.

Using the tools that you already have to detect movement and

behavior of traffic on your network may also be helpful. Network

intrusion detection systems can help administrators to gain an

understanding of normal traffic in and around your network and can

thus assist in detecting any type of anomaly, especially with any

changes in the behavior of increased movement of large images

around your network. If the administrator is aware of this sort of

anomalous activity, it may warrant further investigation. Host based

intrusion detection systems deployed on computers may also help

to identify anomalous storage of image and/or video files.

A research paper by Stefan Hetzel cites two methods of attacking

steganography, which really are also methods of detecting it. They are

the visual attack (actually seeing the differences in the files that are

encoded) and the statistical attack: “The idea of the statistical attack

is to compare the frequency distribution of the colors of a potential

stego file with the theoretically expected frequency distribution for a

stego file.” It might not be the quickest method of protection, but if

you suspect this type of activity, it might be the most effective. For

JPEG files specifically, a tool called Stegdetect, which looks for signs

of steganography in JPEG files, can be employed. Stegbreak, a

companion tool to Stegdetect, works to decrypt possible messages

encoded in a suspected steganographic file, should that be the path

you wish to take once the stego has been detected.