Research On Identification Of Steganography Software Based On Code Partition

Posted on: 2012-11-17
Degree: Master
Type: Thesis
Country: China
Candidate: D N Zheng
Full Text: PDF
GTID: 2218330371962516
Subject: Computer software and theory
Abstract/Summary:
Steganography forensics has become one of the serious challenges in computer forensics. If, in the course of an investigation, the investigator is able to identify steganography software on the target, the common problem of current blind steganography forensics, namely an unknown steganographic algorithm or software, can be avoided. The identified steganography software is also an important clue or piece of evidence for detecting stego objects and extracting the secret message.

Building on the state of the art in steganography software identification and on related software features, this thesis discusses in depth steganography software identification, which is an important part of steganography forensics. The major contributions of this thesis are as follows.

1) From the perspective of the steganography forensics process, the original procedure is extended by bringing steganography software identification into it, which enriches the means of steganography forensics and broadens its scope.

2) Three methods of code division are proposed, and a steganography software identification framework based on code division is established. The framework divides a complex program (or piece of software) into several simple code fragments, which reduces the complexity of program comprehension.

3) A steganography software identification algorithm based on instruction-words is proposed. First, instruction-words are formed by dividing the program's instruction opcode sequences into several code fragments that are simple and functional. Second, a feature vector is constructed from the instruction-words that occur with high frequency in steganography software. Finally, the similarity between the target software and the software to be identified is described by cosine similarity. Experiments show that the proposed algorithm can distinguish the target steganography software from other software and can accurately identify steganography software that has been subjected to obfuscation transformation.

4) A steganography software identification algorithm based on register dependence is proposed. First, the register dependence graph of a program is divided into several paths according to the dependence among registers, and the instruction sequence on each path is treated as a code module. Second, the similarity between modules of the target software and of the software to be identified is described by the maximum common subsequence, and the similarity between the target software and the software to be identified is classified using the idea of bipartite graph matching. Experiments show good results in identifying variants of steganography software.

Finally, we conclude our work and discuss the outlook for steganography software identification.
Keywords/Search Tags: Steganography Forensics, Steganography Software, Code Division, Instruction-words, Register Dependence
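The instruction-word comparison described in contribution 3 can be sketched as follows. This is an added example, not code from the thesis. The abstract does not state the rule used to divide opcode sequences, so ending a fragment at a control-transfer opcode, the value of k, and the sample opcode sequences are all assumptions made for illustration.

```python
from collections import Counter
from math import sqrt

# Assumption: an instruction-word ends at a control-transfer opcode.
BOUNDARY = {"jmp", "je", "jne", "jz", "jnz", "call", "ret", "loop"}

def instruction_words(opcodes):
    """Divide an opcode sequence into code fragments (instruction-words)."""
    words, current = [], []
    for op in opcodes:
        current.append(op)
        if op in BOUNDARY:
            words.append(" ".join(current))
            current = []
    if current:  # trailing fragment without a boundary opcode
        words.append(" ".join(current))
    return words

def vocabulary(reference_opcodes, k):
    """The k most frequent instruction-words of the known stego program."""
    counts = Counter(instruction_words(reference_opcodes))
    return [word for word, _ in counts.most_common(k)]

def feature_vector(opcodes, vocab):
    """Occurrence count of each vocabulary word in the given program."""
    counts = Counter(instruction_words(opcodes))
    return [counts[word] for word in vocab]

def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    norm = sqrt(sum(a * a for a in u)) * sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0  # no shared words: similarity 0

def similarity(reference, candidate, k=3):
    vocab = vocabulary(reference, k)
    return cosine(feature_vector(reference, vocab),
                  feature_vector(candidate, vocab))

# Constructed opcode sequences (not taken from any real program).
REFERENCE = ("mov and or mov inc cmp jne " * 3 + "push call " * 2
             + "xor ret").split()
# Same fragments, reordered, with an inserted junk block.
VARIANT = ("push call " + "mov and or mov inc cmp jne " * 4
           + "nop nop jmp " + "push call xor ret").split()
UNRELATED = ("push mov sub call " * 2 + "xor ret").split()

if __name__ == "__main__":
    print(round(similarity(REFERENCE, VARIANT), 3))
    print(round(similarity(REFERENCE, UNRELATED), 3))
```

Under this division rule, junk inserted as a separate block or reordering of whole blocks leaves the counts of the reference instruction-words unchanged, while junk inserted inside a fragment changes that word and lowers the score.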