Johnson and Jajodia have attempted various attacks against steganographic software, both for detection and destruction of the embedded message.
Detection schemes can be known-cover and chosen-message attacks, where the added informations can be emphasized by subtraction, or we must analyze a number of images to get an "average" image with respect to some properties changed by steganography, and then proceed by subtraction again.
After this process the embedded message is seen as exaggerated noise compared to the normal or "average" image.
Tools that manipulate LSBs usually leave a signature in the palette, because of their need to change it to avoid the changed colors to become visible. Some programs reduce the palette to 32 colors, and each of them is replicated 8 times, giving a clear mark of their action.
One attack related to watermarking is a kind of spoofing, in which the malicious entity inserts a new watermark in the place of the old one. This is usually possible due to the orthogonality of watermarking techniques, which allow more than one embedded message to be included.
Attempts at destruction, instead, are possible due to the same assumption that we made in the introduction about the limits imposed to steganography. If an embedding algorithm can make an invisible change to a medium and conceal some data, then another algorithm can make another invisible change and usually destroy the first embedded message. [JJ98-2]
The collusion attack aims at fingerprints, where we have copies of the same medium that differ only in the watermark. The algorithm works by comparing the different media and modifying all the bits that are found to change, while keeping the constant ones. In moving images, the same attack would reconstruct the sequence taking frames from different copies, so that the fingerprint is destroyed. [LQR98]
When the watermarking uses a "black-box" device to block the use of unauthorized material, the attacker can use an adaptive attack to gain knowledge of the bits for which the algorithm is sensitive and maybe create a fraudulent mark. [LQR98]
Studies have proved that such attacks are far from being "computationally infeasible", since their complexity is O(N), with N being the number of bytes in the data. [LD98]
The jitter attack has been developed by Petitcolas, Anderson and Kuhn [PAK98] and has proved to work against all of the watermarking techniques, except echo insertion in audio data. It basically tries to break the synchronization needed by the decoding processes by replacing tiny parts of the data with other ones. With audio the system works by splitting the whole file in small chunks and deleting or adding one sample to each of them. With images, it takes one small row or column of pixels from a part of the picture, and places it somewhere else. The result is a file of the same size, but the watermark can't be retrieved anymore.
The same two authors have written a sample program, too, called Stirmark, that can be used to test the robustness of digital watermarking techniques. Its algorithms apply a resampling to the images similar to the one that occurs after printing and scanning them with good devices. Moreover, they make small geometric manipulations of the image, similar to those applied by morphing techniques, changing the grid of the picture. These changes, however invisible, usually destroy watermarks. Because they displace pixels and change their values.
Another technique that works against soft-bots that try to find copyrighted images on the web is the mosaic attack, and it exploits the habit of internet browsers to join together juxtaposed images. The original picture is broken in many smaller ones, and they are placed on the web page in the same order, so that the splitting is invisible, but the decoder has a much harder job to extract the watermark. [PAK98]
[PAK98]
[LD98]
[LQR98]
[JJ98-2]
Previous: watermarking
Next: conclusion
Matteo Fortini