
Research On Identification Of Steganography Software Based On Model Checking

Posted on: 2014-04-18
Degree: Master
Type: Thesis
Country: China
Candidate: Z Zhao
Full Text: PDF
GTID: 2268330401476801
Subject: Computer application technology
Abstract/Summary:
Research on steganography forensics is of great theoretical value and practical significance for discovering, determining and tracking covert communication based on information steganography. Existing research on steganography forensics depends mainly on detecting the existence of secret messages in carriers, which is a single means. This thesis studies image steganography forensics from the angle of steganography software identification. Specifically, the contents of this thesis are as follows.

(1) A framework for steganography software identification based on model checking is proposed. Starting from steganography algorithms, the framework first analyzes the different implementations of a steganography algorithm and builds a semantics-level automaton for each implementation as a formal description. Second, each semantics-level automaton is converted into an instruction-level automaton through an intermediate-language automaton, and the steganography behavior automaton is obtained by combining the instruction-level automata. To identify a piece of software, its disassembly code is obtained through reverse analysis and used to build a control flow automaton that describes the state space of the software to be identified. The control flow automaton is then simplified. Finally, whether the software contains a steganography behavior is verified by model checking the steganography behavior automaton against the control flow automaton of the software to be identified.

(2) A method is proposed for identifying LSB replacement steganography software based on model checking. This method uses the framework above. First, three implementations of the operation that LSB replacement steganography performs are analyzed. Second, the steganography behavior automaton is built according to the three implementations. Third, the control flow automaton is built in accordance with the control flow relationships between the disassembly instructions. Finally, whether there is a steganography behavior is verified using the model checking method based on automaton theory. In the experiment, LSB replacement software, software implementing other algorithms, and other kinds of software are submitted for identification. The results indicate that the method can identify LSB replacement steganography software of several implementations as well as reimplementations of LSB replacement steganography software, and that it has high reliability.

(3) A method is proposed for identifying MLSB replacement steganography software based on model checking. This method uses the proposed framework to build a description of one implementation of the MLSB replacement algorithm, and the steganography behavior in software is then identified with that description. In the experiment, variants are generated by obfuscating known MLSB replacement steganography software, and both the variants and reimplementations of MLSB replacement steganography software are submitted for identification. The results indicate that the method can identify variants and reimplementations of MLSB replacement steganography software.

Finally, a conclusion is drawn, with a discussion of future research.
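A minimal sketch of the checking step described in (1) and (2), added here as an illustration and not taken from the thesis. The abstract does not say which three implementations it models, so the three instruction patterns, the operand classes and the listings below are constructed assumptions.

```python
# Added example; every pattern and listing is constructed, not from the thesis.
PATTERNS = {  # assumed (mnemonic, operand class) sequences for LSB replacement
    "and-or":     [("and", "0xFE"), ("or", "bit")],
    "shr-shl-or": [("shr", "1"), ("shl", "1"), ("or", "bit")],
    "or-xor":     [("or", "1"), ("xor", "notbit")],
}

def build_cfa(listing):
    """Control flow automaton: address -> (instruction label, successor addresses)."""
    addrs = [a for a, _, _ in listing]
    cfa = {}
    for i, (addr, op, arg) in enumerate(listing):
        fall = addrs[i + 1:i + 2]            # fall-through successor, if any
        if op == "ret":
            succ = []
        elif op in ("jmp", "jz", "jnz"):
            succ = [int(arg, 16)] + ([] if op == "jmp" else fall)
        else:
            succ = fall
        cfa[addr] = ((op, arg), succ)
    return cfa

def check(cfa, entry):
    """Search the product of the CFA and each pattern automaton for an accepting path."""
    found = []
    for name, pat in PATTERNS.items():
        stack, seen = [(entry, 0)], set()
        while stack:
            addr, k = stack.pop()
            if (addr, k) in seen:
                continue
            seen.add((addr, k))
            label, succ = cfa[addr]
            if label == pat[k]:              # instruction advances the behavior automaton
                k += 1
            if k == len(pat):                # accepting state reached on some path
                found.append(name)
                break
            stack.extend((s, k) for s in succ)   # unrelated instructions are skipped
    return found

# Constructed listings, already lifted to operand classes.
LOOP = [(0x10, "mov", "cover"), (0x11, "and", "0xFE"), (0x12, "mov", "msg"),
        (0x13, "or", "bit"), (0x14, "jnz", "0x10"), (0x15, "ret", "")]
OBFUSCATED = [(0x20, "shr", "1"), (0x21, "jmp", "0x24"), (0x22, "or", "bit"),
              (0x23, "ret", ""), (0x24, "shl", "1"), (0x25, "nop", ""),
              (0x26, "or", "bit"), (0x27, "ret", "")]
BENIGN = [(0x30, "and", "0xFE"), (0x31, "ret", ""), (0x32, "or", "bit"), (0x33, "ret", "")]
```

`BENIGN` contains both instructions of the first pattern, but no control flow path connects them, so it is not flagged; a flat signature scan over the bytes would not make that distinction.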
Keywords/Search Tags: Steganography Forensics, Steganography Software, LSB Replacement Steganography, MLSB Replacement Steganography, Software Identification, Automaton, Model Checking