A New Steganographic Method Based on the Run Length of the Stego-Message Eyas El-Qawasmeh and Alaa Alomari Jordan

University of Science and Technology eyas@just.edu.jo

Abstract. This work will propose a new method called threshold based method to conserve and hide a message in a cover image using least significant bits of colored image. This method is based on the Run-Length of the secret message. However, the runs-down will be stored in the red components of the image, while the runs-up will be stored in the green components of the image. The blue component has a special use, i.e. it is used as a parity bit to ensure that the hidden message did not face any distortion or modification and to indicate the end of the hidden message. The proposed method is not robust against modification, and it can hide large amount of data inside the cover image. Experimental results of this method showed that the suggested method has a very good image quality when comparing it with other tools. Keywords: threshold, Run-Length, run-down, run-up. 1- Introduction Steganography is a combination of two Greek words which are stegano which means secret or covered, and graphy which means writing [3, 16]. Steganography prevents intruders from recognizing a secret message or secret communication, i.e. it is a way to hide the existence of communication [16]. A famous example is the prisoner problem [1]; in this problem Alice and Bob are arrested in a jail. They plan how to escape from the jail by exchanging images between them. Thus, they communicate via images by hiding the secret message inside the transmitted image. But any sent image will be checked by Wendy, the warden. Wendy may be an active or passive warden. In the case of a passive warden, she examines the image carefully, if she has any evidence that the image is a stego image, she will take the appropriate action. But if the image sounds free from a hidden message, she will pass it as it is (without any modification). On the other hand, if Wendy plays the role of an active warden, she will alter and modify the image even if she does not note anything in the sent image. There are four key terms in steganography and they should be known for whomever reads about steganography. The first term is the cover medium which is the medium that is used to hide the secret message inside it. The second one is the secret or embedded message which is the data that need to be hidden in the cover medium and sometimes it is called stego-message. The third term is the stego-medium which is the output of embedding the secret message inside the cover medium. The last term is the stegokey which is the key point in security, and it is used to extract the stego message from the stego medium [15]. 1

Steganography may use any cover medium to hide the stego message. The cover medium can be an image, sound, video, text or network packet, or any file format that resists the small changes in its bit sequences. However, the image is the most suitable cover medium since it can hide a large amount of data in the cover image [8]. We should note that the cover-medium and the stego-medium must be of the same type, but the embedded-message (stego-message) may be of a different type. The stego-key is not of the backbone of the steganography system because the assumption that the eavesdropper does not have any information or background about the used algorithm in the steganography [11]. Any steganography technique should focus on two main constraints: 12Difficulty in detecting the stego message and extracting it in cases that the attacker has complete knowledge about the algorithm of embedding which refers to Kerckhoffs principle [5, 9, 13, 15]. Maximizing the amount of data that can be hidden in the cover medium [9, 15].

Steganography can be classified into two main categories which are technical steganography and linguistic steganography. Technical steganography depends on a scientific methods such as invisible ink, while linguistic steganography uses a cover message to transfer the stego message [8]. This paper is organized as follows: section two shows some steganographic tools. Section three shows the proposed method. Section four is the performance analysis. And section five is the conclusion. 2 Current Related Work and Steganographic Tools There are a lot of software products and tools used to hide a secret message inside a cover medium, audio or image. Some of these image Steganographic products are shown in table 1 [2, 7, 10, 14], and some of them will be represented briefly. Software Hide and Seek Mandelsteg Steganos StegoDos S-Tools Stego Ezstego White Noise Storm Jpeg/Jsteg JPHide Outguess PictureMarc SysCop Technique Image Domain (LSB) Image Domain (LSB) Image Domain (LSB) Image Domain (LSB) Image Domain (LSB) Image Domain (LSB) Image Domain (LSB) Image Domain (LSB) Transform Domain Transform Domain Transform Domain Transform Domain Transform Domain Autour Colin Maroney Henry Hastur Steganos GmbH Back Wolf Andrew Brown Romana Machado Romana Machado Ray Arachelian Derek Upham Allan Latham Niels Provos Digimarc Corporation MediaSec Image format GIF GIF BMP GIF, PCX BMP, GIF GIF GIF, PICT PCX JPEG JPEG JPEG, PNG JPEG MPEG-1,

Technologies LLC Table 1: List of some steganographic tools 2-4-1 Jpeg/Jsteg

MPEG-2

JSTEG is a tool introduced by Derek Upham to work with a different platform. JSTEG does not support any encryption level to the hidden message, and it uses the LSB of the DCT coefficients which are scaled using the quantization table. JSTEG scans the block in a zigzag order that is shown in figure 2-2, where the used coefficients in the hiding process are neither -1, 0, nor 1. After inserting the sub-stream bits in the block, the jpeg compression is accomplished normally, and the stego-image is obtained [4, 10, 14].

1 3 4 10 11 21 22 36

2 6 7 15 16 28 5 8 14 17 27 30 9 13 18 26 31 42 12 19 25 32 41 45 20 24 33 40 46 53 23 34 39 47 52 56 35 38 48 51 57 60 37 49 50 58 59 63 Figure 2-2: Zigzag scanning method

29 43 44 54 55 61 62 64

Korejwa has developed a new tool derived from JSTEG to work as windows user interface. This tool is called JSTEG-Shell. Here, an encryption is applied to the secret message to work as a second level of security. Stream Cipher RC4 with a key space restricted to 40 bits is the encryption algorithm that is used in the JSTEG-Shell [14]. 2-4-2 JPHide JPHIDE Tool is more modern than JSTEG, and it has two versions; 3 and 5. Version 5 provides an additional compression to the stego message. As in JSTEG, it uses the quantized DCT coefficients. But the coefficients used here are selected pseudo randomly according to a fixed table that contains the coefficients. These coefficients are sorted downwardly by the probability of having a high value, (the coefficients are sorted in a way that selects the most probably numerically high at first). The advantage of JPHide over JSTEG is that the use of pseudo random makes the message that hidden by JPHide more difficult to be detected [10, 14]. 2-4-3 Steganos Maybe, this is the most powerful security tool [12]. It is a security suit that uses a second level of security by applying encryption standard AES with 128 bits. This 3

security tool includes file encryption and hiding, e-mail encryption, and password manager and generator [6]. Steganos hides the secret message in the LSB of the image spatial domain of BMP file. In addition, it can hide the secret message inside DIB, VOC, WAVE, ASCII, and HTML files. 2-4-4 S-Tools This tool seems to be the easiest tool. It uses the RGB of the image to hide the secret message [12]. The cover medium can be GIF, WAV, or BMP files. S-Tools can hide more than one file in the same cover medium. To encrypt the secret file, it uses IDEA, DES, Triple DES, or MDC encryption algorithm. However, this tool compresses the secret files (if the compression process is required) and then hides them in the bit-stream of the cover medium. 3- Proposed method The proposed method is based on the idea of identifying a threshold for R, a threshold for G, and a threshold for B. These thresholds may be considered as a key between the sender and receiver. They are also used to identify the embeddable pixels. Pseudorandom number generator can be used to identify the location of a pixel in the embeddable area. However, this method depends on the computation of run up and down of the message to indicate the number of bits that will be used in the hidden process from any embeddable pixel. Run is the sequence of observations or data of the same category occurred consecutively; run down is a sequence of zeros and the run up is the sequence of ones occurred successively. The following algorithm expresses the fundamental operations employed in the hiding process of this method. Algorithm Threshold_Method Begin 1- Determine the thresholds for R, G, and B (user defined thresholds). By using these thresholds, the embeddable area can be recognized. Any pixel that has values for R, G and B less than the given threshold for R, G and B respectively will be considered an embeddable pixel. Otherwise, this pixel is not an embeddable pixel. //minimize the required space of the image that will be used to hide the stego //message by adapting the number of bits that will be used in the embedding //process. 2- Compute runs up and runs down to the binary representation of the stego message to detect the number of bits (E) that will be used to embed the message. //choose the least one, two, or three significant bits will depend on the message //itself. 4

3- Choose exactly the least significant E bits of each embeddable pixel to store the data inside. 4- Start the hiding process as follows: a. The first embeddable pixel will identify the number of bits used to perform the hiding process. If (L1SB ( R ) = 1) and (L1SB ( G ) = L1SB ( B ) = 0) then Use L1SB. If (L1SB ( R ) = L1SB ( G ) = 1) and the (L1SB ( B ) = 0) then Use L2SB. If L1SB ( R ) = L1SB ( G ) = L1SB ( B ) = 1 Use L3SB. b. The number of bits that will be used in the hiding process will be specified only for R and G. While in the B spectrum, only the L1SB will be always used, and this bit will be used as a parity bit to ensure that the data is hidden correctly in the extraction process, this parity bit will be zero if the count of the hidden bits (from the secret message) in R and G is odd, and one if the count of the hidden bits is even. // in any embeddable pixel, the R part will be used to hide the current run //down or part of it, and the G part will be used to hide the current run up //or part of it. c. Store the number of consecutive 0s of the stego-message inside the least E bits of the red component of the selected pixels. It is expected that at most 2E 1 consecutive 0s can be stored in the red component of one pixel. In case that the number of consecutive 0s is greater than 2E 1, the remainder of 0s bits is stored at the next pixel in the red component. d. Store the number of consecutive 1s of the stego-message inside the least E bits of the green component of the selected pixels. It is expected that at most 2E 1 consecutive 1s can be stored in the green component of one pixel, in case of the number of consecutive 1s is greater than 2E 1, the remainder of 0s bits is stored at the next pixel in the green part. e. If (the stego message bit stream is completely hidden) then stop the hiding process by making the number of the hidden bits in the current embeddable pixel equal to zero (i.e. LSB(s) of R and G are zeros) and the parity bit is also zero (i.e. L1SB (B) is zero). End

Extracting the message is simply accomplished by using the same thresholds for R, G and B, and by using the same pseudo-random number generator. Thus, the receiver will extract the specified number of bits from each traversed pixel (the specified number is determined by the first embedding pixel which identifies the number of bits used in the hiding process). Note that, if the thresholds which have been defined are (X, Y, Z) for RGB respectively, then the algorithm avoids hiding part of the secret message inside any pixel with one of the following cases: 1- Red component value X 2E. 2- Green component Y 2E. 3- Blue component Z 2. This is because the argument of the pixel may exceed the given threshold after hiding part of data inside it. For example assume that the defined threshold for the red component is 129 and the E value is 2 (where 2 is the number of bits that will be used from the red and green components). In the case of encountering a pixel with R=128 = (10000000)b and hiding run down of length 3 inside it, the new value for R will be (10000011)b = 131. Thus, this pixel will not be recognized as an embeddable pixel during the extraction process because the red value exceeds the given red threshold. So, if the algorithm encounters any pixel with this case, it will store a run down of length zero inside the red component of this pixel, store a run up of length zero inside green component of it and so the blue component (parity bit) will be one. 4 Performance analysis This section introduces a comparison between the proposed method (Threshold based method) and some steganographic tools. This comparison compares the proposed method with JPHide steganographic tool. The type of images that were used in the comparison are JPEG images with image quality factor equal to 95% and image dimensions equal to 125 x 125. S-Tools will be used to compare the threshold method for BMP images with image dimensions equal to 125 x 125. The measurements which are used to prove the efficiency of the proposed method are Mean Square Error (MSE), Peak Signal to Noise Ratio (PSNR), Pearson Correlation Coefficient (Corr.), and Structural Content (SC). MSE is the expected value for the square error between the input and output images, the smaller value for MSE is, the better image quality and the smallest distortion on the image will be. PSNR is used to represent the ratio between the maximum value of the signal and the quantity of distortion or noise. It is measured by decibel which is abbreviated by dB. Here, the larger value for PSNR indicates the better image quality. Pearson Correlation Coefficient is a statistical and numerical measurement for the linear relationship between the input and the output images. Correlation value may be ranged from -1 to 1 where the perfect negative correlation is at -1, no correlation is at zero, and the perfect positive correlation is at 1.

the Structural Content (SC) is a correlation based measurement. Here, this measure measures the similarity between the input and the output image. Thus, it works as complementary for measurements which based on pixel difference like MSE and PSNR the first experiment was to do comparison with the JPHide tool. The image shown in figure 4-1-a is the Lena image and it is stored as JPEG image with a 95% image quality factor. After embedding 512 bytes in the image, the stego images were as is shown in figure 4-1-b and 4-1-c, and the image quality measures are shown in table 4-1.

c: JPEG Stego image a: Original JPEG b: JPEG Stego image image using Threshold using JPHide Figure 4-1: JPEG cover and stego image Table 4-1 points out that the Threshold based method is the better than JPHide.. However, to ensure the obtained indication, other comparisons are performed with 128, 256, and 384 bytes. Note that the comparison cannot be applied for 1024 bytes, this is because JPHide cannot hold this amount of hidden data inside Lena test image. The results of the full comparison are shown in the same table. MSE Method 128 256 384 512 0.082 0.086 0.087 0.082 JPHide 0.018 0.036 0.054 0.072 Threshold PSNR Method 128 256 384 512 58.983 58.744 58.695 58.963 JPHide 65.490 62.505 60.791 59.553 Threshold Corr Method 128 256 384 512 0.99998 0.99998 0.99998 0.99998 JPHide 0.99999 0.99999 0.99998 0.99998 Threshold SC Method 128 256 384 512 0.99985 0.99988 0.99989 0.99991 JPHide 0.99992 0.99983 0.99974 1.00024 Threshold Table 4-1: comparison between JPHide and Threshold

The second part of experiment is to compare our suggested approach with S-Tools. Figure 4-2 part a shows a 125 x 125 BMP image that is used in the comparison with S-Tools.

a: Original BMP b: BMP Stego image c: BMP Stego image image using S-Tools using Threshold Figure 4-2: BMP cover and stego images After embedding 512 bytes in the image that appears in figure 4-3, the obtained result is shown in table 4-2 and figure 4-2: As for JPHide a full comparison is shown in table 4-3. The results obtained from the table show that the threshold method is comparable with S-Tools MSE Method 128 256 384 512 0.009792 0.0091306 0.011456 0.012053333 S-Tools 0.072085 Threshold 0.01819733 0.0357547 0.053696 PSNR Method 128 256 384 512 S-Tools 68.2220895 68.525778 67.540474 67.31973194 59.55233 Threshold 65.5307261 62.597476 60.831384 Corr Method 128 256 384 512 0.9999974 0.9999976 0.999997 0.999996988 S-Tools 0.99998 Threshold 0.99999565 0.9999916 0.9999879 SC Method 128 256 384 512 S-Tools 1.00000001 0.9999991 1.0000098 0.999997405 Threshold 0.99991828 0.999825 0.9997343 0.999645574 Table 4-3: comparison between S-Tools and Threshold 5 Conclusions The proposed steganographic method, which is called threshold method aims to hide a secret message in the spatial domain of the cover image. Threshold method is based on the run length of the secret message. In this method the key will be the threshold values that are used to identify the embedding pixels. Threshold method may use PRNG to improve security, i.e. by using PRNG the hiding process chooses the embeddable pixels from the embeddable area in a random manner. However, in this method, one of the encryption algorithms can be used to encrypt the secret message in order to improve the security.

A comparison was performed between the threshold method with JPHide and STools. The result of the comparison with JPHide (hiding in a JPEG image) shows that the threshold method gives the better image quality. While the result of comparison with S-Tools (hiding in a BMP image) points out that the threshold method is comparable with S-Tools. However, when hiding a secret message in the spatial domain of a JPEG image, it should be stored with a high image quality in order to maximize the robustness against detection. References Avcibas I., Memon N., and Sankur B.: Steganalysis Using Image Quality Metrics. IEEE Transactions On Image Processing, Vol. 12 No. 2 (2003) P.P. 221 229. Bayer P., and Widenfors H.: Information Hiding Steganographic Content in Streaming Media. Master thesis, Blekinge Institute of Technology, Sweden (2002). Besdok, E.: Hiding Information In Multispectral Spatial Images. International Journal AEU of Electronics and Communications, Vol. 59 (2005) P.P.15 24. Chang C.C., Chen T.S., and Chung L.Z.: A Steganographic Method Based Upon JPEG And Quantization Table Modification. An International Journal of Information Sciences Vol. 141 (2002) P.P. 123 138. Fridrich J.: A New Steganographic Method for Palette-Based Images. IS&T PICS, Savannah, Georgia (1999) P.P. 285289. Information about Steganos tool (online) [accessed 2005 august]. Available from URL http://www.snapfiles.com/get/steganos.html. Johnson N.F., and Jajodia S.: Exploring Steganography: Seeing the Unseen. IEEE Computer Magazine Vol. 31 No. 2 (1998) P.P. 26 34. Kessler G.C.: An Overview of Steganography for the Computer Forensics Examiner. FBI Forensic Science Communications, Vol. 6 No. 3 (2004) P.P. 1 29. Lenti J.: Steganographic Methods. Periodica Polytechnica Ser. El. Eng. Vol. 44 No. 3-4 (2000) P.P. 249 258. McBride B.T., Peterson G.L., and Gustafson SC.: A New Blind Method for Detecting Novel Steganography. Digital Invstigation Vol. 2 (2005) P.P. 50 70.

Moskowitz I.S., Longdon G.E., and Chang L.W.: A New Paradigm Hidden in Steganography. Proceedings of the 2000 Workshop on New Security Paradigms, New York (2000) P.P. 4150. Phrack Magazine. Steganography Thumbprinting. 26, 1998, article 08 of 20. Volume 8, Issue 52 January

Popa R.: An Analysis Of Steganographic Techniques. Master Thesis, The "Politehnica" University of Timisoara, Romania (1998). Provos N, and Honeyman P.: Detecting Steganographic Content on the Internet. CITI Technical Report 01-11; Center for Information Technology Integration. University of Michigan (2001). Steganography and Digital watermarking: a global view. (online) [accessed august 2005]; available from URL http://lia.deis.unibo.it/Courses/RetiDiCalcolatori/Progetti00/fortini/project.pdf Toz F.G., Palanciog u H.M., and Besdok E.: Hidden Communication in l Frequency Domain For Information Exchange, Proceedings of ISPRS 2004, Istanbul, Turkey (2004) P.P. 326 330..

10