Steganalysis of Chat based Steganography

1. Background

Steganalysis is the practice of discovering hidden secrets within other open, clear information as presented by Nissar, A., and Mir, A. H. (2010) [1], as well as Johnson, N. F., and Jajodia, S. (1998) [2],. Steganography and Steganalysis are both used to improve security because steganography hides information in the presence of an adversary, whereas Steganalysis uncovers or deciphers hidden information in the case of suspected secret communication flows among suspected criminals.

As part of privacy protection act enacted by most Country’s constitution, an individual has a right to privacy presented in an article by Kakungulu-Mayambala, R. (2008) [4] and Atuhaire, E. (2021) [5] as well as covert communication article by Okello, M. O. (2022) [3]. However, at times such right are violated by many especially those with bad intention for example criminal might concealed their communication meanwhile plotting to do activities which might be totally against the law or harmful to one another as explained in paper by Elsadig et el. (2022) [6].

Steganalysis aid in identifying and if possible extract/recover or decrypt and if it’s impossible to decrypt, preferably destroy the suspected payload to disorient such covert communication among parties that would otherwise misuse the right to privacy as presented in an article by Mivule, K., & Turner, C. (2012) [7]. By this, an appropriate measure can be taken early enough.

2. Related Work

This work is basically about detection of timing Steganography in network especially in chat based online application.

For example a work by Gianvecchio etc el. (2007) [8], on network timing detection uses statistical method which detects small variation in signal noise.

A sample of timing steganography work is presented by Liu, G. et el (2012) [9]. Which utilities inter-arrival time of network packets by varying it to hide information.

However, this proposed method is aimed at detecting chat based timing steganography which is presented in a paper by Okello.M (2018) [10], and another paper by Okello.O.M (2021) [11]. These paper uses time interval between two successive time of transmission or texting in the case of online chatting and a single time instance steganography to hides secretes information respectively which can be used in many platform like online chat application, video time codec, network packets timing, audio timing etc.

In this paper, our main focus is on online chat application timing.

3. Methodology

This proposed method is based on the idea that user behaviors when chatting and attempting to perform timing with an intention to hid information is affected by their intention to send a particular text at a particular instance.

Let time for receiving a message be $t_1$

Time for checking/reading message be $t_2$

Time for start typing $t_3$

Time for stop typing $t_4$

Time for sending message $t_5$

Total word count in a text $N$

Total time for reading text $t_6=t_3-t_2$

Total time for typing $t_7=t_4-t_3$

Total time from end of typing to sending text $t_8=t_5-t_4$

We can set a known average typing speed (mean) $\mu$ words per second

With allowable deviation of $\sigma$ for very fast typist or very slow typist. So $\left(\mu -\sigma \right)\le \mu \le \mu +\sigma$

Since this methodology reply on typing speed, here we look into some of the few factor such as keyboard arrangements, keyboard types etc. that affects typing speed as explained in the work by William Soukoreff, etc el (1995) [12] which shows that typing speed using Quartz keyboard and other keyboard type affect proficient typist with an average of 30 words per minute meanwhile an inexperienced typist decreases to about 18 words per minute.

3.1. Detection Phase

3.1.1. Typing Speed $\left({\mathrm{t}}_9\right)$

In this phase, we set an average typing speed of word per second. Therefore.

$$t_9=N/t_7$$

(1)

So, for a given number of word typed ($N$), divide by total time spent typing${ t}_6$, we get a value which we compare against a set of known average (mean$\mu$) typing speed. But this mean value has minimum and maximum set value to accommodate for slow and very fast typist.

Condition

$$\delta =\left\{\begin{array}{c}{t}_9<(\mu -\sigma ), {\delta }^{-} \\ t_9>\left(\mu +\sigma \right), {\delta }^{+}\\ \left(\mu -\sigma \right)\le t_9\le \left(\mu +\sigma \right), {\delta }^0\end{array}\right.$$

(2)

Interpretation of results:

If Typing result is negative (${\delta }^{-}$), implies that the typing rate is very slow, i.e slower than the average mean value. So it can also mean that the typist is trying to slow down typing speed in order to meet a targeted desired time. Hence possible intend of timing and Steganography detected.

But if Typing result is positive (${\delta }^{+}$), implies that the typing rate is very fast, i.e., faster than the average mean value. So it can also mean that the typist is trying to increase the typing speed in order to meet a targeted desired time. Hence possible intend of timing and Steganography detected. In addition, if typing speed is very high, it could also mean typist just copied and pasted text which was typed somewhere else and just waited for a perfect time to send (timing steganography) and simply copy and past the pre-typed text and send.

And lastly, if Typing result is zero (${\delta }^0$), implies that the typing rate is normal, i.e within the average mean value. So it can also mean that the typist is typing at normal speed, hence no steganography detected

However, the problem with this method is that, setting average mean value can be difficult as different typist have different typing rate, hence may lead to fault or inaccurate detection.

3.1.2. Time for Sending (${\mathit{t}}_8$)

For this part we target time which a typist finishes typing $t_4$ to time of sending text $t_5$

We know that average reading speed of an individual can be set as $\gamma$words per minute with a deviation of $\sigma$ words per minute

i.e.,

$$t_8=t_5-t_4$$

(3)

Conditions

$$\delta =\left\{\begin{array}{c}{t}_8>(\gamma +\sigma ), {\delta }^{-}\\ {0\le t}_8\le \left(\gamma +\sigma \right), { \delta }^0 \end{array}\right.$$

(4)

Interpretation of Results:

If sending time is negative, ${\delta }^{-}$, implies that the typist took some time or delays too much after finishing typing to send the typed text. Hence, possible intend to wait for a specific time to send a given text. And Steganography detected.

But if sending time is zero, ${\delta }^0$, implies that the sender did not delay that much to send a text after finishing typing, probably was reading to proof read the text before sending or just sent the text without proof reading hence no possible intention, and no steganography detected.

However, the challenges with this method is that sometime, it can be hard to differentiate a typist who unintentionally due to some condition couldn’t send a finished text on time. Or the one who would wish to proof read their text after finishing writing.

3.1.3. Reading Speed (${\mathit{t}}_{10}$)

This section is only applicable for a received text in situation where there is need to reply for text and also a possible proof reading of typed text after finishing typing before sending, we know that one can spend total time $t_6$ reading a given text, supposed a known average/mean for reading text is given as $\gamma =N/t_6$, but according to an article by Brysbaert, M. (2019) [13], an average adult reading speed is about 250 words per minute.

$$t_{10}={N/t}_6$$

(5)

Conditions

$$\delta =\left\{\begin{array}{c}{t}_{10}<(\gamma -\sigma ), {\delta }^{-} \\ t_{10}>(\gamma +\sigma ), {\delta }^{+}\\ {\left(\gamma -\sigma \right)\le t}_{10}\le (\gamma +\sigma ), {\delta }^0\end{array}\right.$$

(6)

Interpretation of results:

If result is negative (${\delta }^{-}$), implies that the reading rate is very slow, i.e slower than the average mean value. So it can also mean that the typist is no reading, just delaying in order to meet a targeted desired time. Hence possible intend of timing and Steganography detected.

But if result is positive (${\delta }^{+}$), implies that the reading rate is very fast, i.e., faster than the average mean value. So it can also mean that the typist didn’t read sent text, they simply reply in order to meet a targeted desired time. In this case there could even be possible mismatch of replied text to the received one. Hence possible intend of timing and Steganography detected.

And last if result is zero (${\delta }^0$), implies that the reading rate is normal, i.e within the average mean value. So it can also mean that the typist is reading at normal speed, hence no steganography detected

However, the problem with this method is that, setting average mean value can be difficult as different reader implies different treading rate, hence may lead to fault or inaccurate detection.

4. Test Data

In this sub-section, we presents sample data from two different approach. The first one in Table 1 is when typist composes a text to send to someone, and we try to detect this typist typing behavior based on typing abnormalities as a result of their behavior. 1.08333

For testing purposes, we used data from a website blog written by admin [14] which indicates different typing speed based on profession, gender, age etc. The average used here is 50 words per minute or 5/6 words per second in Table 1 and Table 2 just for testing purposes. A deviation of about 15 words per minute was used to get the boundary limits

A range of 35 to 65 words per minute about 1.0833~0.5833 words per second.

For reading speed, an average of 250 words per minute with a deviation of about 30 words per minute. About 220 to 270 words per minute and about 4.5~3.6667 words per second. For the highlighted cell in both Table 1 and Table 2 indicates detected possible timing.

And in the second Table 2, here the target is on someone who received a text message on an online application and replied the text. We also detect the typist behavior to identify any abnormality. Table Cell where it’s highlighted gray is the one with some extreme abnormality hence forming a basis of detection.

5. Discussion

This method although it prove very good, such as detection of the targets correctly. There are some drawback of the method which still hinder its performance. For example.

At times, user may start writing and paused due to some urgent need to do something else, however this method may not be in position to distinguish this delay and the one caused due to an intended timing, purposely to encode message.

Typing speed varies from one person to another depending on several factors such as someone still learning to type, slow typist, external factors affecting typing speed etc. Hence this may lead to faults detection as it will be difficult to set an accurate mean value and range for normal typing activities. Similarly, reading speed of an individual varies depending on individual familiarity with the language being read, age of reader, complexity of the text such as fiction etc. and other outside factors which affects readers

The method also is also restricted to only online text based chat application and use of timing in different scenario or platform such video based timing and other network based timing may render this method ineffective.

6. Conclusion

This paper presents methodology about Steganalysis which focuses on Chat based timing Steganography.

The method which rely on user/Typist behaviors during typing when chatting such as a recorded time taken to type a given total number of words in a text, time taken after finishing typing to sending text, time taken to read a given text etc.

The method was tested with sample chat on simulated application software and it proved effective as presented, although there are some challenges that hinder the effectiveness of the method which are also discussed in sub-section “Discussion”.

I hope as more work on this advances such that a more accurate average mean value for both typing speed and reading speed can be achieved and also the use of artificial intelligence or any other method to detect correlation between two chat text replying to one another will further enhance detection of this method.

At this stage, the method is still not yet hundred percent perfect at detection.