you're reading...
Deep Packet Analysis, Hacking / Counter Intelligence, Lawful Intercept

Audio Steganography PT5: Estimating Size of Data Hidden by MP3Stego

Analyzing the size of the hidden information

After confirming MP3Stego encoder, the size of the hidden information can be determined by calculating the changes of block length’ variance, because the variance changes obviously between the mp3 data with or without information-hiding. Let x denote the block length, and ∑x denote the summation of n blocks length, ∑ 2 x denote the summation of square of n blocks length, the calculating formula of the block length variance is:


Let n=8. After calculating the variance sequence of the block length of the whole MP3 file, we can distinctly find the secret information hidden in the MP3 file, where the variances have a large value. The x-axis in the figure is the index of the block length variance sequence, and the y-axis is the block length variance.

To calculate the size of the hidden information, we set threshold=5000. Because there are some unexpected value in the sequence, we set “8 sequent variance less than 5000” as a judgment to figure out the end of hidden data and the capacity (bits) is the summary of the blocks. Because MP3Stego adopts the SHA hash function to hide information, only about 60% blocks are used for information-hiding, so Real capacity of information-hiding=60% * summary of hiding blocks.

Detection result

In order to examine the detection formula obtained in the last sector, 90 MP3 files were downloaded stochastically from the Internet, and 10 MP3 files were added, in which the secret information was hidden by the MP3Stego encoder. Then these 100 MP3 files were detected by our method, the result of which was shown as below.

Figure 6 The result of the MP3Stego detection

It could be seen clearly that the statistics R of the MP3 files using MP3Stego to hide information were equal to about 1. The statistics of the most MP3 files from the Internet were bigger than 0 slightly, and some MP3 files’ statistics were between 0.1 to 0.3. Through this detecting formula, the MP3 files that use MP3Stego to hide information could be distinguished clearly. According to the block length variance formula and the method to calculate the hidden information size, the hidden sizes of these 10 MP3 files were estimated. Table 2 shows the comparison between the estimated sizes and the real values.

The estimated hidden sizes and the real sizes of MP3Stego
The size of txt file 1 66 307 560 985 1428 2097 3992 5192
The size after compression real size 0 24 96 280 384 584 816 1176 2096 2752
The estimated hidden size 1 29 102 283 389 590 820 1183 2101 2742

You can see that after the MP3Stego encoder was detected, the hidden information size could be estimated accurately by computing the entire MP3 file’s block length variance sequence.

About Pythorian

Exploration and Production oriented security consultant for securing IT infrastructures relating to natural resources.


No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: