FESA (Framework for Enterprise StegAnalysis) Charles D. George, Jr. Masters Project Fall Semester 2012

Background Steganography – art of hiding messages such that only the sender and recipient are aware Steganalysis – art of detecting messages hidden with steganography The relationship between steganography and steganalysis is similar to that of cryptography and cryptanalysis.

Steganography Digital steganography (1985) Media files images, audio, video, ect Images are the most popular – JPEG – TIFF – PNG – GIF – BMP Thousands of tools exist

Steganalysis Statistical analysis – Spectrum – Inconsistencies with compression Signatures – Specific bit patterns – Identifiable header information, ect Most tools are one-off and try to detect specific algorithms Cat and mouse game as new steg algorithms emerge

FESA Utilize existing research on steganography detection Modular, extensible, robust Plugin framework for steganography detection algorithms Suitable for an Enterprise Scalable

Enterprise Technologies Enterprise JavaBeans (EJBs) JavaServer Faces (JSF) Java DB (Derby) RESTful WS (JAX-RS) CDI (Web Beans) Java Persistence (JPA) Java Web Start (JavaWS)

Design

Design :: Plugin Framework Rolled my own plugin framework Reuses parts of Java ServiceProvider mechanism Dynamically adds/removes plugins at runtime Plugins represented as third-party jars – Implement a service provider interface Each plugin loaded into it’s own classloader Internal map tracks current plugins

Design :: Business Logic Encapsulates all the functionality of the system Plugin management Invoking plugins for steganography detection Database communication Security

Design :: PluginsBean Singleton JavaBean (One instance) – There should only be one view of the plugins Loads plugins from plugins directory Listens on that directory for files being created/deleted Manages adding, removing, and querying plugins Processes a PluginRequest and responds with a PluginResponse. Has defined roles “PluginAdmin” – Only users of this group can modify plugins

PluginBean :: PluginRequest

PluginBean :: PluginResponse

PluginBean :: Security PluginBean is annotated Security enforced by GlassFish Users are created and placed in groups Groups are mapped to roles Only users in group “PluginAdmin” have access to modify plugins

Design :: DetectionBean Stateless bean – New instance per request (detection request) – Automatically thread for performance ect Computes mime type and hash Database interaction for previous results Invokes all plugins that match the file’s mime type Processes DetectionRequest and responds with a DetectionResponse

DetectionBean :: DetectionRequest

DetectionBean :: DetectionResponse

Design :: REST Web Services Two web service methods are available – Handle plugin and detection requests Produce/Consume XML Use contexts and dependency inject to call a bean to process the request (Plugin/Detection) annotation is used for CDI XML requests/responses are automaticalled converted into objects with JAXB – Java classes (POJOs) are annotated with JAXB annotations These objects are passed to the beans

Design :: Database Used to store results of files that have been processed Efficient since duplicate files don’t need to be reprocessed Dirty flag is enabled when plugins change which will require reprocessing DetectionResponse class is annotated as an Entity that maps to the database schema – Allows for injection of persistence context and easily persist/retrieve results

Database :: Detection Response

Database :: Detection Technique Result

Code Walk Through

Demonstration

Questions?