Purdue University Purdue e-Pubs Open Access Dissertations Theses and Dissertations Winter 2015 Synthetic steganography: Methods for generating and detecting covert channels in generated media Philip Carson Ritchey Purdue University Follow this and additional works at:https://docs.lib.purdue.edu/open_access_dissertations Part of theComputer Sciences Commons Recommended Citation Ritchey, Philip Carson, "Synthetic steganography: Methods for generating and detecting covert channels in generated media" (2015). Open Access Dissertations. 549. https://docs.lib.purdue.edu/open_access_dissertations/549 This document has been made available through Purdue e-Pubs, a service of the Purdue University Libraries. Please contact [email protected] for additional information. Graduate School Form 30 Updated 1/15/2015 PURDUE UNIVERSITY GRADUATE SCHOOL Thesis/Dissertation Acceptance This is to certify that the thesis/dissertation prepared Philip Carson Ritchey By Entitled Synthetic Steganography: Methods for Generating and Detecting Covert Channels in Generated Media Doctor of Philosophy For the degree of Is approved by the final examining committee: Vernon Rego Aditya Mathur Samuel Wagstaff Wojciech Szpankowski To the best of my knowledge and as understood by the student in the Thesis/Dissertation Agreement, Publication Delay, and Certification Disclaimer (Graduate School Form 32), this thesis/dissertation adheres to the provisions of Purdue University’s “Policy of Integrity in Research” and the use of copyright material. Vernon Rego Approved by Major Professor(s): William Gorman 2/11/2015 Approved by: Head of the Departmental Graduate Program Date SYNTHETIC STEGANOGRAPHY: METHODS FOR GENERATING AND DETECTING COVERT CHANNELS IN GENERATED MEDIA A Dissertation Submitted to the Faculty of Purdue University by Philip Carson Ritchey In Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy May 2015 Purdue University West Lafayette, Indiana ii It’s not about winning, it’s about sending a message. iii ACKNOWLEDGMENTS I would like to thank my advisor, Professor Vernon Rego, for his support and advice throughout my studies at Purdue University. I would also like to thank my committee, Professors Wojciech Szpankowski, Samuel Wagstaff, and Aditya Mathur for their guidance in this work. I would like to extend a special thank you to Professors Sunil Prabhakar, Susanne Hambrusch, and Greg Frederickson for providing me with the opportunity to teach and the motivation to finish. Finally, I would like to thank my wife, Niki Ritchey, my parents, Pete Ritchey and Maggie Carson, and my brother, Paul Ritchey, for their continued support. I could not have done this without them. Financial support for this work was provided by the National Science Foundation through the Center for the Science of Information, a Science and Technology Center at Purdue University (Grant No. CCF-0939370), and Grant No. CNS-0716398. iv TABLE OF CONTENTS Page LIST OF TABLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii LIST OF FIGURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii ABSTRACT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.1 Information Hiding . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1.2 Secure Covert Channels in Structured Interactions . . . . . . . . . . 5 1.3 Contribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 1.4 Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2 Literature Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.1 Cover Generation Methods . . . . . . . . . . . . . . . . . . . . . . . 10 2.2 Covert Channels in Games . . . . . . . . . . . . . . . . . . . . . . . 12 2.3 Modeling Human Gameplaying Behavior . . . . . . . . . . . . . . . 16 3 Synthetic Steganography in Time Series . . . . . . . . . . . . . . . . . . . 19 3.1 A Simple Steganographic System . . . . . . . . . . . . . . . . . . . 20 3.1.1 Embedding Function . . . . . . . . . . . . . . . . . . . . . . 21 3.1.2 Extracting Function . . . . . . . . . . . . . . . . . . . . . . 23 3.1.3 Good Cell Widths . . . . . . . . . . . . . . . . . . . . . . . 24 3.2 Methods For Modeling Time Series . . . . . . . . . . . . . . . . . . 25 3.2.1 Autoregressive Model . . . . . . . . . . . . . . . . . . . . . . 25 3.3 Steganography with AR Models . . . . . . . . . . . . . . . . . . . . 26 3.3.1 Embedding and Extracting . . . . . . . . . . . . . . . . . . . 27 3.4 Modeling Time Series With TES . . . . . . . . . . . . . . . . . . . 27 3.4.1 TES Methodology Outline . . . . . . . . . . . . . . . . . . . 27 3.4.2 Empirical CDF . . . . . . . . . . . . . . . . . . . . . . . . . 29 3.4.3 Stitching Transformations . . . . . . . . . . . . . . . . . . . 30 3.4.4 Innovation Sequence . . . . . . . . . . . . . . . . . . . . . . 31 3.4.5 Innovation Density . . . . . . . . . . . . . . . . . . . . . . . 31 3.4.6 Background Process . . . . . . . . . . . . . . . . . . . . . . 32 3.4.7 Foreground Process . . . . . . . . . . . . . . . . . . . . . . . 32 3.5 Steganography with TES . . . . . . . . . . . . . . . . . . . . . . . . 34 3.5.1 Data-hiding locales . . . . . . . . . . . . . . . . . . . . . . . 35 3.6 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . 36 3.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 v Page 4 A Context Sensitive Tiling System for Information Hiding . . . . . . . . 41 4.1 A Context Sensitive Tiling System . . . . . . . . . . . . . . . . . . 41 4.2 Steganography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 4.2.1 An Example of the Proposed Scheme . . . . . . . . . . . . . 45 4.3 Steganalysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 4.3.1 Markov Chain Equivalence Test . . . . . . . . . . . . . . . . 50 4.3.2 Chi-Square Test . . . . . . . . . . . . . . . . . . . . . . . . . 51 4.4 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . 51 4.4.1 Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 4.4.2 Robustness . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 4.4.3 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 4.4.4 Markov Chain Equivalence Test . . . . . . . . . . . . . . . . 59 4.4.5 Chi-Square Test . . . . . . . . . . . . . . . . . . . . . . . . . 59 4.4.6 Analysis of Security Results . . . . . . . . . . . . . . . . . . 62 4.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 5 Hiding Secret Messages in Huffman Trees . . . . . . . . . . . . . . . . . . 64 5.1 Hiding in Huffman Trees . . . . . . . . . . . . . . . . . . . . . . . . 66 5.2 Capacity, Robustness and Security . . . . . . . . . . . . . . . . . . 71 5.2.1 Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 5.2.2 Robustness . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 5.2.3 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 5.3 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 6 StegoDoku: Data Hiding in Sudoku Puzzles . . . . . . . . . . . . . . . . 83 6.1 Generating and Decoding StegoDoku Boards . . . . . . . . . . . . . 85 6.1.1 Enhancements to StegoDoku Boards . . . . . . . . . . . . . 87 6.2 Generating and Decoding StegoDoku Puzzles . . . . . . . . . . . . . 91 6.2.1 Deterministic Greedy Heuristic Puzzle Making . . . . . . . . 93 6.3 Analysis and Discussion . . . . . . . . . . . . . . . . . . . . . . . . 97 6.3.1 Backtracking Error . . . . . . . . . . . . . . . . . . . . . . . 97 6.3.2 Puzzle Generation . . . . . . . . . . . . . . . . . . . . . . . 99 6.3.3 Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 6.3.4 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 6.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 7 Tic-Tac-Stego: Covert Channels in Combinatorial Games . . . . . . . . . 115 7.1 Tic-Tac-Stego Methodology . . . . . . . . . . . . . . . . . . . . . . 116 7.2 Tic-tac-toe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 7.2.1 Tic-tac-toe as a Covert Channel . . . . . . . . . . . . . . . . 120 7.2.2 Properties of the Channel . . . . . . . . . . . . . . . . . . . 121 7.3 Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 7.4 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . 126 vi Page 7.4.1 Capacity Results . . . . . . . . . . . . . . . . . . . . . . . . 126 7.4.2 Security Results . . . . . . . . . . . . . . . . . . . . . . . . . 127 7.5 Other Games . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 7.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 8 Anomaly Detection for Steganalysis of Games . . . . . . . . . . . . . . . 135 8.1 Human Gameplay Data Collection . . . . . . . . . . . . . . . . . . 135 8.2 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . 138 8.2.1 Rules-Based Detection . . . . . . . . . . . . . . . . . . . . . 140 8.2.2 Feature-Based Detection . . . . . . . . . . . . . . . . . . . . 144 8.2.3 Probabilistic Model-Based Detection . . . . . . . . . . . . . 150 8.3 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 9 STASI: a Software Testbed for Analyzing Steganographic Interactions . . 156 9.1 Design Specifications for STASI . . . . . . . . . . . . . . . . . . . . 157 9.2 Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 9.2.1 Core Functions . . . . . . . . . . . . . . . . . . . . . . . . . 158 9.2.2 Interaction Specifications . . . . . . . . . . . . . . . . . . . . 159 9.2.3 Data Generating Agents . . . . . . . . . . . . . . . . . . . . 161 9.2.4 Adding New Interactions to STASI . . . . . . . . . . . . . . 162 9.2.5 Adding New Agents to STASI . . . . . . . . . . . . . . . . . 166 9.2.6 Analysis Tools . . . . . . . . . . . . . . . . . . . . . . . . . . 168 9.2.7 User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 172 9.3 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . 172 9.3.1 Basic Timing Results . . . . . . . . . . . . . . . . . . . . . . 173 9.3.2 Example of Analysis Using STASI . . . . . . . . . . . . . . . 176 9.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 10 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 10.1 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 10.2 Suggestions for Future Work . . . . . . . . . . . . . . . . . . . . . . 184 REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 A Accessing the Source Code . . . . . . . . . . . . . . . . . . . . . . . . . . 193 VITA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 vii LIST OF TABLES Table Page 4.1 Embedding capacity of the tiling systems . . . . . . . . . . . . . . . . . 55 6.1 Number of backtracks during generation (N = 10000). . . . . . . . . . 98 6.2 Backtracking error (N = 10000). . . . . . . . . . . . . . . . . . . . . . 99 6.3 Sudoku board generation time (N = 10000). . . . . . . . . . . . . . . . 100 6.4 StegoDoku embedding capacity (N = 10000). . . . . . . . . . . . . . . 103 6.5 StegoDoku detection accuracy. . . . . . . . . . . . . . . . . . . . . . . . 111 7.1 Analytical Tic-tac-toe channel capacity. . . . . . . . . . . . . . . . . . 123 9.1 Time required to simulate 10000 games. . . . . . . . . . . . . . . . . . 174 9.2 Time required to measure the capacity of 10000 games. . . . . . . . . . 175 9.3 Steganographic capacity of interactions. . . . . . . . . . . . . . . . . . 177 9.4 Detection accuracy of feature-based detector on Tic-tac-toe. . . . . . . 178