FESA (Framework for Enterprise StegAnalysis)

Post on 22-Mar-2016


FESA (Framework for Enterprise StegAnalysis)

Charles D. George, Jr.

Masters Project

Fall Semester 2012

Background

• Steganography – art of hiding messages such that only the sender and recipient are aware

• Steganalysis – art of detecting messages hidden with steganography

• The relationship between steganography and steganalysis is similar to that of cryptography and cryptanalysis.

Steganography

• Digital steganography (1985)
• Media files: images, audio, video, etc.
• Images are the most popular
  – JPEG
  – TIFF
  – PNG
  – GIF
  – BMP

• Thousands of tools exist

Steganalysis

• Statistical analysis
  – Spectrum
  – Inconsistencies with compression

• Signatures
  – Specific bit patterns
  – Identifiable header information, etc.

• Most tools are one-off and try to detect specific algorithms

• Cat and mouse game as new steg algorithms emerge

FESA

• Utilize existing research on steganography detection

• Modular, extensible, robust
• Plugin framework for steganography detection algorithms
• Suitable for an Enterprise
• Scalable

Enterprise Technologies

• Enterprise JavaBeans (EJBs)
• JavaServer Faces (JSF)
• Java DB (Derby)
• RESTful WS (JAX-RS)
• CDI (Web Beans)
• Java Persistence (JPA)
• Java Web Start (JavaWS)

Design

Design :: Plugin Framework

• Rolled my own plugin framework
• Reuses parts of Java ServiceProvider mechanism
• Dynamically adds/removes plugins at runtime
• Plugins represented as third-party jars
  – Implement a service provider interface
• Each plugin loaded into its own classloader
• Internal map tracks current plugins

Design :: Business Logic

• Encapsulates all the functionality of the system

• Plugin management
• Invoking plugins for steganography detection
• Database communication
• Security

Design :: PluginsBean

• Singleton JavaBean (One instance)
  – There should only be one view of the plugins
• Loads plugins from plugins directory
• Listens on that directory for files being created/deleted
• Manages adding, removing, and querying plugins
• Processes a PluginRequest and responds with a PluginResponse.
• Has defined roles “PluginAdmin”
  – Only users of this group can modify plugins

PluginBean :: PluginRequest

PluginBean :: PluginResponse

PluginBean :: Security

• PluginBean is annotated with @DeclaredRoles and @RolesAllowed
• Security enforced by GlassFish
• Users are created and placed in groups
• Groups are mapped to roles
• Only users in group “PluginAdmin” have access to modify plugins

Design :: DetectionBean

• Stateless bean
  – New instance per request (detection request)
  – Automatically threaded for performance, etc.
• Computes mime type and hash
• Database interaction for previous results
• Invokes all plugins that match the file’s mime type
• Processes DetectionRequest and responds with a DetectionResponse

DetectionBean :: DetectionRequest

DetectionBean :: DetectionResponse

Design :: REST Web Services

• Two web service methods are available
  – Handle plugin and detection requests
• Produce/Consume XML
• Use contexts and dependency injection to call a bean to process the request (Plugin/Detection)
  – @EJB annotation is used for CDI
• XML requests/responses are automatically converted into objects with JAXB
  – Java classes (POJOs) are annotated with JAXB annotations
• These objects are passed to the beans

Design :: Database

• Used to store results of files that have been processed

• Efficient since duplicate files don’t need to be reprocessed

• Dirty flag is enabled when plugins change which will require reprocessing

• DetectionResponse class is annotated as an Entity that maps to the database schema
  – Allows for injection of persistence context and easily persist/retrieve results
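
An added sketch (not FESA's own code) of the DetectionBean flow and the database caching described above: hash the file, reuse a stored result unless it is flagged dirty, otherwise run every plugin registered for the file's MIME type. It is plain Java 17 with an in-memory map standing in for the EJB and JPA layers; all class names, the choice of SHA-256 and the toy JPEG check are assumptions.

```java
import java.security.MessageDigest;
import java.util.*;
import java.util.function.Predicate;

// Added sketch, not FESA source. Every name here is hypothetical.
public class DetectionFlowSketch {
    record StegPlugin(String mimeType, Predicate<byte[]> detector) {}  // stand-in for the plugin SPI
    record Stored(boolean suspicious, boolean dirty) {}                // stand-in for the DetectionResponse entity

    private final Map<String, Stored> db = new HashMap<>();           // stand-in for the database
    private final List<StegPlugin> plugins = new ArrayList<>();
    int pluginRuns = 0;                                                // real plugin invocations so far

    void addPlugin(StegPlugin p) {
        plugins.add(p);
        // Plugin set changed: flag every stored result dirty so it gets reprocessed.
        db.replaceAll((hash, r) -> new Stored(r.suspicious(), true));
    }

    // Magic-byte sniffing for two of the image types the slides list.
    static String mimeOf(byte[] d) {
        if (d.length >= 2 && (d[0] & 0xFF) == 0xFF && (d[1] & 0xFF) == 0xD8) return "image/jpeg";
        if (d.length >= 4 && (d[0] & 0xFF) == 0x89 && d[1] == 'P' && d[2] == 'N' && d[3] == 'G') return "image/png";
        return "application/octet-stream";
    }

    boolean detect(byte[] file) throws Exception {
        // SHA-256 is an assumption; the slides only say "hash".
        String hash = HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(file));
        Stored hit = db.get(hash);
        if (hit != null && !hit.dirty()) return hit.suspicious();      // duplicate file: reuse stored result
        String mime = mimeOf(file);
        boolean suspicious = false;
        for (StegPlugin p : plugins)
            if (p.mimeType().equals(mime)) { pluginRuns++; suspicious |= p.detector().test(file); }
        db.put(hash, new Stored(suspicious, false));
        return suspicious;
    }

    public static void main(String[] args) throws Exception {
        DetectionFlowSketch svc = new DetectionFlowSketch();
        // Toy signature check: flag a JPEG whose last two bytes are not the EOI marker FF D9.
        svc.addPlugin(new StegPlugin("image/jpeg", d ->
            !((d[d.length - 2] & 0xFF) == 0xFF && (d[d.length - 1] & 0xFF) == 0xD9)));
        byte[] clean  = {(byte) 0xFF, (byte) 0xD8, 1, 2, (byte) 0xFF, (byte) 0xD9};            // constructed
        byte[] padded = {(byte) 0xFF, (byte) 0xD8, 1, 2, (byte) 0xFF, (byte) 0xD9, 'h', 'i'};  // constructed
        System.out.println("clean=" + svc.detect(clean) + " padded=" + svc.detect(padded));
        svc.detect(clean);                                             // served from the store
        System.out.println("plugin runs after repeat: " + svc.pluginRuns);
        svc.addPlugin(new StegPlugin("image/png", d -> false));        // plugin change sets dirty flags
        svc.detect(clean);                                             // dirty entry is reprocessed
        System.out.println("plugin runs after plugin change: " + svc.pluginRuns);
    }
}
```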

Database :: Detection Response

Database :: Detection Technique Result

Code Walk Through

Demonstration

Questions?
