Blind steganalysis using fractal features

Date of Award


Degree Type


Degree Name

Doctor of Philosophy


School of Science

First Advisor

Professor Craig Valli

Second Advisor

Associate Professor Mike Johnstone


This thesis investigates the effectiveness of using features based on fractals to perform blind steganalysis. The research has focused on investigating the performance of blind steganalysis of selected steganographic techniques and its effectiveness consequent to the fractal features.

Steganography has its roots firmly in covert communication, which has been around for hundreds of years. The steganographic techniques we have today have come a long way compared to its predecessors in terms of complexity and sophistication. Some of the earliest techniques include; using invisible ink to hide a message in plain sight, masking secret messages within inconspicuous text (Pieprzyk, Hardjono, & Seberry, 2003). Some very extreme techniques involved shaving the head of the messenger and tattooing the message so that it would be hidden once the hair grew back (Schneier, 2000). These and many more forms of secret communication have evolved through the centuries to two specific sciences, cryptography and steganography.

Cryptography deals with rendering the secret message illegible to anyone other than the intended recipient. The recipient would require a specific tool or secret key to decipher the message, and it would have been provided by the sender prior to the secret communication. Steganography on the other hand, fundamentally intends to hide the existence of the secret message within an electronic cover medium such as text, image, audio or video file. An unsuspecting party would not be aware of the presence of a secret message even if they came to possess the embedded cover medium. However, if the presence of the hidden message was discovered, then the goal of steganography would be defeated. This form of discovery, attack, or detection, often used synonymously, is formally called steganalysis.

With the emerging popularity of steganography due to various motives, its complexity has also increased over the recent years. As a result, there is a growing interest among researchers to discover more robust steganographic and steganalysis techniques. While some within the security community believe there is a rise in usage of steganography for criminal purposes, critics remain sceptical about its practical use (Higgins, 2007). However, the former view seems less than farfetched based on what is being reported in the media:

  • “…News reports said U.S. officials were worried that operatives of accused terrorist Osama bin Laden now use steganographic applications to pass messages through sports chat rooms, sexually explicit bulletin boards and other sites." (McCullagh, 2001)
  • “He used a technique called `steganography' which enabled him to encrypt and send data inside music and picture _les using third-party steganography software." (Phadnis, 2007)
  • “…preliminary data from a new steganography study underway at Purdue University indicates that some criminals indeed may be using steganography tools, mainly in child pornography and _nancial fraud cases." (Higgins, 2007)
  • “According to U.S. Department of Justice legal filings, the defendants used a steganography tool, one that is not available commercially, to conceal their electronic communiques with Russian officials..." (Higgins, 2010)

What is evident from the previously quoted literature is that there are enough reported incidents that suggest the plausibility of steganography being used with criminal intent. Since 2010, there have been more recent developments in using steganography for criminal purposes. The following are two such cases in particular:

  • Stegosploit demonstrated by Shah (2015), was able to hide the malicious code in JPEG or PNG images using steganography along with simple JavaScript embedded in the image headers. The embedded JavaScript can then retrieve and execute the steganographic payload on the client side by exploiting the capabilities of HTML5- Canvas element. The steganography is a fairly simple form of least significant bit (LSB) embedding, however this form of attack is quite effective due its application and ability to penetrate the internal network directly onto the user's Web browser.
  • Early 2015, FireEye (2015) discovered HAMMERTOSS, a stealthy malware in the wild by the Russian threat group (APT29), that used two different approaches (Uploader and tDiscoverer) to acquire an image that has malicious commands hidden using steganography. The APT29 group were able to combine multiple Internet services such as GitHub and Twitter as vectors for the attack.

Both the Stegosploit (Shah, 2015) and HAMMERTOSS (FireEye, 2015) attacks show that malicious use of steganography are not media hype, but already occurring. This fact was stated by Kessler and Hosmer (2011) in the following quote:

“Today's truth, however, may not even matter; the use of stego is sure to increase and will be a growing hurdle for law enforcement and antiterrorism activities." (Kessler & Hosmer, 2011, p. 102)

According to Gantz and Reinsel (2012), the digital data consumed in a single year, the digital universe, will grow from 130 exabytes to 40,000 exabytes between 2005 and 2020. They reported that in 2012, 68% of the information in the digital universe included interactions in social media such as sending camera phone images and video among others, which were predominantly generated by consumers. This significant growth in media content that are potential vectors for steganography, coupled with freely available steganographic tools amplify the challenge faced by law enforcement agencies and other authorities. Presently, the most reliable form steganalysis has been to detect steganographic tools that have already been discovered in the past (Kessler, 2004). However, different motives driven by either academia, industry, or even the general public; have led the continuous development of new techniques with great complexity and sophistication for steganography. This renders existing methods ineffective in detecting new or unknown techniques. Blind steganalysis is intended to deal with detecting this unknown. However, in practice, it is still far from perfect and will be evident in the discussions presented in Chapter 2. These challenges mentioned above lead to the motivations behind the chosen research topic, which are twofold. First, the need to thwart and/or detect covert communication by criminals. Second, the author's belief in the improvement of blind steganalysis to break out of the current cat-and-mouse game to always trying to catch up with novel steganography.

Access to this thesis is restricted. Please see the Access Note below for access details.