A steganographer is not only hiding a payload inside their cover, they are also hiding themselves amongst the non-steganographers. In this paper we study asymptotic rates of growth for steganographic data -- analogous to the classical Square-Root Law -- in the context of a 'crowd' of K actors, one of whom is a steganographer. This converts steganalysis from a binary to a K-class classification problem, and requires some new information-theoretic tools. Intuition suggests that larger K should enable the steganographer to hide a larger payload, since their stego signal is mixed in with larger amounts of cover noise from the other actors. We show that this is indeed the case, in a simple independent-pixel model, with payload growing at O(√(log K)) times the classical Square-Root capacity in the case of homogeneous actors. Further, examining the effects of heterogeneity reveals a subtle dependence on the detector's knowledge about the payload size, and the need for them to use negative as well as positive information to identify the steganographer.
Capacity Laws for Steganography in a Crowd. Andrew D. Ker. Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security, 2022-06-23. https://doi.org/10.1145/3531536.3532948
Network Time Security (NTS), specified in RFC 8915, is a mechanism that provides cryptographic security for clock synchronization, using the Network Time Protocol (NTP) as its foundation. By using Transport Layer Security (TLS) and Authenticated Encryption with Associated Data (AEAD), NTS is able to ensure integrity and authenticity between server and clients synchronizing time. However, it has been shown in the past that time synchronisation protocols such as the Network Time Protocol (NTP) and the Precision Time Protocol (PTP) might be leveraged as carriers for covert channels, potentially infiltrating or exfiltrating information, or used as Command-and-Control channels in case of malware infections. By systematically analyzing the NTS specification, we identified 12 potential covert channels, which we describe and discuss in this paper. From the 12 channels, we selected, as an example, a client-side approach for a proof-of-concept implementation using NTS random UIDs. Further, we analyze and investigate potential countermeasures and propose a design for an active warden capable of mitigating the covert channels described in this paper.
Covert Channels in Network Time Security. Kevin Lamshöft, J. Dittmann. Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security, 2022-06-23. https://doi.org/10.1145/3531536.3532947
Session details: Session 4: Steganography I. J. Fridrich. Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security, 2022-06-23. https://doi.org/10.1145/3545214
Machine learning techniques have been widely applied in modern financial activities. Participants in the field are aware of the importance of data privacy. Vertical federated learning (VFL) was proposed as a solution to multi-party secure computation for machine learning, to obtain the huge data required by the models while keeping the privacy of the data holders. However, previous research mainly analyzed the algorithms under ideal conditions. Data imbalance in VFL is still an open problem. In this paper, we propose a privacy-preserving sampling strategy for imbalanced VFL based on federated graph embedding of the samples, without leaking any distribution information. The participants of the federation provide partial neighbor information for each sample during the intersection stage, and the controversial negative samples will be filtered out. Experiments were conducted on commonly used financial datasets and one real-world dataset. Our proposed approach obtained the leading F1 score on all tested datasets compared with the baseline under-sampling strategies for VFL.
A Nearest Neighbor Under-sampling Strategy for Vertical Federated Learning in Financial Domain. Denghao Li, Jianzong Wang, Lingwei Kong, Shijing Si, Zhangcheng Huang, Chenyu Huang, Jing Xiao. Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security, 2022-06-23. https://doi.org/10.1145/3531536.3532960
Watermarking neural networks (NNs) for ownership protection has received considerable attention recently. Resistance to both model pruning and fine-tuning is commonly used to evaluate the robustness of a watermarked NN. However, the rationale behind such robustness is still relatively unexplored in the literature. In this paper, we study this problem and propose a so-called sparse trigger pattern (STP) guided deep learning model watermarking method. We provide empirical evidence to show that trigger patterns are able to make the distribution of model parameters compact, and thus exhibit interpretable resilience to model pruning and fine-tuning. We find the effect of STP can also be technically interpreted as first-layer dropout. Extensive experiments demonstrate the robustness of our method.
Sparse Trigger Pattern Guided Deep Learning Model Watermarking. Chun-Shien Lu. Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security, 2022-06-23. https://doi.org/10.1145/3531536.3532961
Existing AMR (Adaptive Multi-Rate) steganalysis algorithms based on pitch delay have low detection accuracy on samples of short duration or low embedding rate, and the models are fragile under attack by adversarial samples. To solve this problem, we design an advanced AMR steganalysis method based on adversarial Bi-GRU (Bi-directional Gated Recurrent Unit) and data distillation. First, Gaussian white noise is randomly added to part of the original speech to form an adversarial data set, and a small amount of speech is then manually annotated to train the model. Second, three transformations (1.5 times speed, 0.5 times speed, and mirror flip) are applied to the remaining original voice data, which are then put into the Bi-GRU for classification; the final predicted label obtained by decision fusion is assigned to the original data. Finally, all labeled data are put back into the Bi-GRU model for final training. Note that each batch of final training data includes both normal and adversarial samples. This method adopts semi-supervised learning, which greatly reduces the resources consumed by manual labeling, and introduces adversarial Bi-GRU, which can perform bidirectional analysis of samples over long durations. In addition to improving the detection accuracy, the safety and robustness of the model are greatly improved. The experimental results show that for normal and adversarial samples, the algorithm can achieve accuracy of 96.73% and 95.6% respectively.
AMR Steganalysis based on Adversarial Bi-GRU and Data Distillation. Z. Wu, Junjun Guo. Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security, 2022-06-23. https://doi.org/10.1145/3531536.3532958
Yiming Xue, Boya Yang, Yaqian Deng, Wanli Peng, Juan Wen
Traditional text steganalysis methods rely on a large amount of labeled data. At the same time, the test data should be independent and identically distributed with the training data. However, in practice, the large number of text types makes it difficult to satisfy the i.i.d. condition between the training set and the test set, which leads to the problem of domain mismatch and significantly reduces the detection performance. In this paper, we draw on the ideas of domain adaptation and transductive learning to design a novel text steganalysis method. In this method, we design a distributed adaptation layer and adopt three loss functions to achieve domain adaptation, so that the model can learn domain-invariant text features. The experimental results show that the method has better steganalysis performance in the case of domain mismatch.
Domain Adaptational Text Steganalysis Based on Transductive Learning. Yiming Xue, Boya Yang, Yaqian Deng, Wanli Peng, Juan Wen. Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security, 2022-06-23. https://doi.org/10.1145/3531536.3532963
Session details: Session 2: Security of Machine Learning. Yassine Yousfi. Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security, 2022-06-23. https://doi.org/10.1145/3545212
In this work we aim to design a steganographic scheme undetectable by the Reverse JPEG Compatibility Attack (RJCA). The RJCA, while only effective for JPEG images compressed with quality factors 99 and 100, was shown to work mainly due to a change in the variance of the rounding errors after decompression of the DCT coefficients, which is induced by embedding changes incompatible with the JPEG format. One remedy that preserves the aforementioned format is to utilize, during embedding, the rounding errors created during JPEG compression, but no steganographic method is known to be resilient to RJCA without this knowledge. Inspecting the effect of embedding changes on the variance and also the mean of the decompression rounding errors, we propose a steganographic method allowing resistance against RJCA without any side-information. To resist RJCA, we propose a distortion metric making all embedding changes within a DCT block dependent, resulting in a lattice-based embedding. It then turns out that it is enough to cleverly pick the side of the (binary) embedding changes through inspection of their effect on the variance of decompression rounding errors and simply use uniform costs in order to enforce their sparsity across DCT blocks. To increase security against detectors in the spatial (pixel) domain, we show an easy way of combining the proposed methodology with steganography designed for spatial domain security, further improving the undetectability for quality factor 99. The improvements over existing non-informed steganography are up to 40% in terms of detector's accuracy.
Fighting the Reverse JPEG Compatibility Attack: Pick your Side. Jan Butora, P. Bas. Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security, 2022-06-23. https://doi.org/10.1145/3531536.3532955
Alberto Ibarrondo, H. Chabanne, V. Despiegel, Melek Önen
This paper proposes a novel collaborative decryption protocol for the Brakerski-Fan-Vercauteren (BFV) homomorphic encryption scheme in a multiparty distributed setting, and puts it to use in designing a leakage-resilient biometric identification solution. Allowing the computation of standard homomorphic operations over encrypted data, our protocol reveals only one least significant bit (LSB) of a scalar/vectorized result resorting to a pool of N parties. By employing additively shared masking, our solution preserves the privacy of all the remaining bits in the result as long as one party remains honest. We formalize the protocol, prove it secure in several adversarial models, implement it on top of the open-source library Lattigo and showcase its applicability as part of a biometric access control scenario.
Colmade: Collaborative Masking in Auditable Decryption for BFV-based Homomorphic Encryption. Alberto Ibarrondo, H. Chabanne, V. Despiegel, Melek Önen. Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security, 2022-06-23. https://doi.org/10.1145/3531536.3532952